(bugfix) Improve SSH credential validation feedback

Normalize pasted private keys before validation and detect common SSH credential mistakes, including public keys pasted into the private key field and public keys that do not match the supplied private key. Translate OpenSSH libcrypto parse failures into a clearer user-facing message and disable browser spellcheck/autocomplete on SSH key fields. Document the native update flow as git pull followed by the non-interactive installer so deployments refresh cleanly.
2026-05-19 18:35:39 +02:00
parent 38f946d1c4
commit c7cfb603b0
3 changed files with 91 additions and 8 deletions
--- a/src/pobsync_backend/tests/test_views.py
+++ b/src/pobsync_backend/tests/test_views.py
@@ -135,6 +135,43 @@ class ViewTests(TestCase):
        self.assertContains(response, "Invalid SSH private key")
        self.assertFalse(SshCredential.objects.exists())

+    def test_ssh_credentials_view_rejects_public_key_in_private_key_field(self) -> None:
+        self.client.force_login(self.staff_user)
+
+        response = self.client.post(
+            reverse("create_ssh_credential"),
+            {
+                "name": "bad-key",
+                "private_key": "ssh-ed25519 AAAATEST root@backup",
+                "public_key": "",
+                "known_hosts": "",
+                "notes": "",
+            },
+        )
+
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, "This looks like a public key")
+        self.assertFalse(SshCredential.objects.exists())
+
+    def test_ssh_credentials_view_rejects_mismatched_public_key(self) -> None:
+        self.client.force_login(self.staff_user)
+
+        with patch("pobsync_backend.forms.validate_ssh_private_key", return_value="ssh-ed25519 AAAADERIVED derived"):
+            response = self.client.post(
+                reverse("create_ssh_credential"),
+                {
+                    "name": "bad-key",
+                    "private_key": "PRIVATE KEY",
+                    "public_key": "ssh-ed25519 AAAAOTHER root@backup",
+                    "known_hosts": "",
+                    "notes": "",
+                },
+            )
+
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, "Public key does not match")
+        self.assertFalse(SshCredential.objects.exists())
+
    def test_ssh_credentials_view_updates_existing_key(self) -> None:
        self.client.force_login(self.staff_user)
        credential = SshCredential.objects.create(name="backup-key", private_key="OLD KEY")