triggers: gen ssh keypair outside of activate()

This keeps the private key from ever being exposed to the client.
2015-03-19 14:31:01 -04:00 · 2015-03-19 14:31:01 -04:00 · e6a7156657
commit e6a7156657
parent 93a9e9d01a
2 changed files with 5 additions and 3 deletions
--- a/endpoints/api/trigger.py
+++ b/endpoints/api/trigger.py
@ -20,6 +20,7 @@ from data import model
 from auth.permissions import UserAdminPermission, AdministerOrganizationPermission, ReadRepositoryPermission
 from util.names import parse_robot_username
 from util.dockerfileparse import parse_dockerfile
 from util.ssh import generate_ssh_keypair
 logger = logging.getLogger(__name__)
@ -211,6 +212,9 @@ class BuildTriggerActivate(RepositoryParamResource):
      token = model.create_delegate_token(namespace, repository, token_name,
                                          'write')
      # Generate an SSH keypair
      new_config_dict['public_key'], trigger.private_key = generate_ssh_keypair()
      try:
        path = url_for('webhooks.build_trigger_webhook', trigger_uuid=trigger.uuid)
        authed_url = _prepare_webhook_url(app.config['PREFERRED_URL_SCHEME'], '$token', token.code,
--- a/endpoints/trigger.py
+++ b/endpoints/trigger.py
@ -525,9 +525,7 @@ class GitHubBuildTrigger(BuildTrigger):
      msg = 'Unable to find GitHub repository for source: %s' % new_build_source
      raise TriggerActivationException(msg)
-    # Generate an SSH keypair and add the public key to the repository.
+    # Add a deploy key to the GitHub repository.
    # TODO(jzelinskie): don't put this in the config! it's not secure!
    config['public_key'], config['private_key'] = generate_ssh_keypair()
    try:
      deploy_key = gh_repo.create_key('Quay.io Builder', config['public_key'])
      config['deploy_key_id'] = deploy_key.id