Validate SSH host keys in GoGetter when SSHKnownHosts is provided

Add SSHKnownHosts []byte to Auth. When set, goGitGetter passes it to
fleetssh.CreateKnownHostsCallBack so the SSH host key is verified
against the provided data. When not set, InsecureIgnoreHostKey is kept
as the default, matching Fleet's existing policy in pkg/git/netutils.go
and gitcloner.

Previously the implementation unconditionally used InsecureIgnoreHostKey,
so a caller providing known_hosts data had no way to enforce strict
host-key checks.

Add GetGogsKnownHostEntry to integrationtests/utils to extract the
container's ECDSA host key. Add two bundlereader integration tests:
one that clones successfully with the correct known_host entry, and
one that fails when a wrong key is supplied.

Author: thardeck

integrationtests/bundlereader/getcontent_test.go

@@ -239,6 +239,47 @@ var _ = Describe("GetContent fetches files from a git repository", Label("networ
 			Expect(err).NotTo(HaveOccurred())
 			Expect(files).To(HaveKey("README.md"))
 		})
+
+		It("returns the repository files when a correct known host entry is provided", func() {
+			privateKey, err := os.ReadFile(tmpKeyFile)
+			Expect(err).NotTo(HaveOccurred())
+
+			knownHost, err := utils.GetGogsKnownHostEntry(context.Background(), container)
+			Expect(err).NotTo(HaveOccurred())
+
+			source := fmt.Sprintf("%s/%s/%s", sshBase, utils.GogsUser, repoName)
+			Eventually(func() error {
+				_, err = bundlereader.GetContent(
+					context.Background(), GinkgoT().TempDir(), source, "",
+					bundlereader.Auth{SSHPrivateKey: privateKey, SSHKnownHosts: []byte(knownHost)}, false, nil,
+				)
+				return err
+			}, timeout, interval).Should(Succeed())
+
+			files, err := bundlereader.GetContent(
+				context.Background(), GinkgoT().TempDir(), source, "",
+				bundlereader.Auth{SSHPrivateKey: privateKey, SSHKnownHosts: []byte(knownHost)}, false, nil,
+			)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(files).To(HaveKey("README.md"))
+		})
+
+		It("fails when a wrong known host entry is provided", func() {
+			privateKey, err := os.ReadFile(tmpKeyFile)
+			Expect(err).NotTo(HaveOccurred())
+
+			// A valid-looking but wrong known_hosts entry: the key is for github.com, not our gogs server.
+			wrongKnownHost := "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"
+
+			source := fmt.Sprintf("%s/%s/%s", sshBase, utils.GogsUser, repoName)
+			Eventually(func() error {
+				_, err = bundlereader.GetContent(
+					context.Background(), GinkgoT().TempDir(), source, "",
+					bundlereader.Auth{SSHPrivateKey: privateKey, SSHKnownHosts: []byte(wrongKnownHost)}, false, nil,
+				)
+				return err
+			}, timeout, interval).Should(HaveOccurred())
+		})
 	})
 })
 

integrationtests/utils/gogs.go

@@ -190,3 +190,30 @@ func CreateGogsContainerWithHTTPS(ctx context.Context, assetPath string) (testco
 
 	return container, caBundle, client, nil
 }
+
+// GetGogsKnownHostEntry reads the container's SSH ECDSA host public key and returns
+// a known_hosts format line suitable for use with CreateKnownHostsCallBack.
+func GetGogsKnownHostEntry(ctx context.Context, container testcontainers.Container) (string, error) {
+	port, err := container.MappedPort(ctx, GogsSSHPort)
+	if err != nil {
+		return "", err
+	}
+	host, err := container.Host(ctx)
+	if err != nil {
+		return "", err
+	}
+	pubKeyReader, err := container.CopyFileFromContainer(ctx, "/data/ssh/ssh_host_ecdsa_key.pub")
+	if err != nil {
+		return "", err
+	}
+	defer pubKeyReader.Close()
+	pubKeyBytes, err := io.ReadAll(pubKeyReader)
+	if err != nil {
+		return "", err
+	}
+	fields := strings.Fields(string(pubKeyBytes))
+	if len(fields) < 2 {
+		return "", fmt.Errorf("unexpected known_hosts key format: %q", string(pubKeyBytes))
+	}
+	return fmt.Sprintf("[%s]:%s %s %s", host, port.Port(), fields[0], fields[1]), nil
+}

internal/bundlereader/auth.go

@@ -18,6 +18,7 @@ type Auth struct {
 	Password           string `json:"password,omitempty"`
 	CABundle           []byte `json:"caBundle,omitempty"`
 	SSHPrivateKey      []byte `json:"sshPrivateKey,omitempty"`
+	SSHKnownHosts      []byte `json:"sshKnownHosts,omitempty"`
 	InsecureSkipVerify bool   `json:"insecureSkipVerify,omitempty"`
 	BasicHTTP          bool   `json:"basicHTTP,omitempty"`
 	// remember to update Hash() when adding/modifying fields
@@ -46,6 +47,7 @@ func (a Auth) Hash() string {
 		[]byte(a.Password),
 		a.CABundle,
 		a.SSHPrivateKey,
+		a.SSHKnownHosts,
 		{toByte(a.InsecureSkipVerify)},
 		{toByte(a.BasicHTTP)},
 	} {

internal/bundlereader/gitgetter.go

@@ -18,6 +18,7 @@ import (
 	httpgit "github.com/go-git/go-git/v5/plumbing/transport/http"
 	gossh "github.com/go-git/go-git/v5/plumbing/transport/ssh"
 	"github.com/hashicorp/go-getter/v2"
+	fleetssh "github.com/rancher/fleet/internal/ssh"
 	"golang.org/x/crypto/ssh"
 )
 
@@ -243,8 +244,16 @@ func (g *goGitGetter) setAuth(opts *gogit.CloneOptions, u *url.URL, sshKeyPEM []
 		if err != nil {
 			return fmt.Errorf("parsing SSH private key: %w", err)
 		}
-		//nolint:gosec // G106: InsecureIgnoreHostKey matches go-getter's prior behaviour
-		pubKeys.HostKeyCallback = ssh.InsecureIgnoreHostKey()
+		if len(g.auth.SSHKnownHosts) > 0 {
+			pubKeys.HostKeyCallback, err = fleetssh.CreateKnownHostsCallBack(g.auth.SSHKnownHosts)
+			if err != nil {
+				return fmt.Errorf("creating known_hosts callback: %w", err)
+			}
+		} else {
+			//nolint:gosec // G106: InsecureIgnoreHostKey is the default when no known_hosts
+			// are provided, matching Fleet's behaviour in pkg/git/netutils.go and gitcloner.
+			pubKeys.HostKeyCallback = ssh.InsecureIgnoreHostKey()
+		}
 		opts.Auth = pubKeys
 		return nil
 	}