Simple validation of the id and the authorized keys.

cmd/agent/sshauthorizedkeys.go

@@ -29,7 +29,7 @@ func readSshPublicKeys(fileName string) ([]ssh.PublicKey, error) {
 	}
 	defer file.Close()
 
-	res := make([]ssh.PublicKey, 10)
+	res := make([]ssh.PublicKey, 0)
 	scanner := bufio.NewScanner(file)
 	for scanner.Scan() {
 		lineText := scanner.Text()
@@ -37,6 +37,7 @@ func readSshPublicKeys(fileName string) ([]ssh.PublicKey, error) {
 		if ind >= 0 {
 			lineText = lineText[:ind]
 		}
+		log.Println("Reading public key " + lineText)
 		lineText = strings.Trim(lineText, "")
 		if lineText == "" {
 			continue

cmd/converge/convergeaccess.go

@@ -3,7 +3,6 @@ package main
 import (
 	"converge/pkg/models"
 	"converge/pkg/server/converge"
-	"log"
 	"net/http"
 	"regexp"
 	"strings"
@@ -14,9 +13,7 @@ func getConvergeAccess(r *http.Request, sshRemoteUser string) models.ConvergeAcc
 	pattern := regexp.MustCompile("^(.*)/usage$")
 	matches := pattern.FindStringSubmatch(r.URL.Path)
 	contextPath := ""
-	if len(matches) != 2 {
+	if len(matches) == 2 {
-		log.Printf("Cannot determine context path for %s, assumming it is empty", r.URL.Path)
-	} else {
 		contextPath = matches[1]
 	}
 

cmd/converge/usage.go

@@ -2,9 +2,12 @@ package main
 
 import (
 	"converge/pkg/server/templates"
+	"fmt"
+	"github.com/gliderlabs/ssh"
 	"math/rand"
 	"net/http"
 	"os"
+	"regexp"
 	"strconv"
 	"strings"
 )
@@ -18,11 +21,12 @@ func generateCLIExammple(w http.ResponseWriter, r *http.Request) {
 	ids := r.Form["rendez-vous-id"]
 	id := ""
 	if len(ids) > 0 {
-		id = ids[0]
+		id = strings.TrimSpace(ids[0])
 	}
 	if id == "" {
 		id = strconv.Itoa(rand.Int() % 1000000)
 	}
+
 	remoteShells := r.Form["remote-shell"]
 	localShells := r.Form["local-shell"]
 	keysString := r.FormValue("ssh-keys")
@@ -36,6 +40,29 @@ func generateCLIExammple(w http.ResponseWriter, r *http.Request) {
 	access := getConvergeAccess(r, getAgentSshUser())
 
 	usageInputs := templates.NewUsageInputs(id, sshPublicKeys, remoteShells, localShells)
+	matched, _ := regexp.MatchString("^[a-zA-Z0-9-_]+$", id)
+	if !matched {
+		usageInputs.ErrorMessages = append(usageInputs.ErrorMessages, "ID may consist only of alphanumeric characters, '-', and '_'")
+	}
+	validPubKeys := 0
+	for index, pubkey := range sshPublicKeys {
+		_, _, _, _, err := ssh.ParseAuthorizedKey([]byte(pubkey))
+		if err != nil {
+			keysummary := pubkey
+			if len(pubkey) > 45 {
+				keysummary = keysummary[:20] + " ... " + keysummary[len(pubkey)-20:]
+			}
+			usageInputs.ErrorMessages = append(usageInputs.ErrorMessages,
+				fmt.Sprintf("ssh public key %d: %s: %s", index, keysummary, err.Error()))
+		} else {
+			validPubKeys++
+		}
+	}
+	if validPubKeys == 0 {
+		usageInputs.ErrorMessages = append(usageInputs.ErrorMessages,
+			"No valid public keys configured, password authentication will be used which is less secure.")
+	}
+
 	err = templates.ShellUsage(access, usageInputs).Render(r.Context(), w)
 	if err != nil {
 		http.Error(w, err.Error(), 500)

pkg/server/templates/usage.templ

@@ -5,6 +5,13 @@ import "converge/pkg/models"
 
 templ AgentUsage(access models.ConvergeAccess, usageInputs UsageInputs) {
     <div>
+
+    for _, message := range usageInputs.ErrorMessages {
+    <div class="alert alert-danger" role="alert">
+      {message}
+    </div>
+    }
+
     <h2>Downloading and running the agent</h2>
 
     <p>

pkg/server/templates/usageinputs.go

@@ -5,8 +5,10 @@ import (
 )
 
 type UsageInputs struct {
-	Id           string
+	Id            string
-	SshKeys      []string
+	SshKeys       []string
+	ErrorMessages []string
+
 	RemoteShells map[string]bool
 	LocalShells  map[string]bool
 }
@@ -43,3 +45,10 @@ func addSshKeys(shell string, keys []string) string {
 	}
 	return res + "       "
 }
+
+func formControlTextClass(message string) string {
+	if message == "" {
+		return "form-control"
+	}
+	return "form-control is-invalid"
+}