Extract SSH public key auth into internal/ssh

Centralise SSH private-key loading and public-key auth creation into
internal/ssh so both bundlereader and gitcloner share a single
implementation. pkg/git/netutils.go gains SSHPublicKeysFromFile for
callers in pkg/git that already use a file path directly. Prefer
known_hosts from the secret; fall back to the cluster-wide value.

Add unit tests for NewSSHPublicKeys.

Author: thardeck

internal/ssh/auth.go

@@ -0,0 +1,29 @@
+package ssh
+
+import (
+	gossh "github.com/go-git/go-git/v5/plumbing/transport/ssh"
+	golangssh "golang.org/x/crypto/ssh"
+)
+
+// NewSSHPublicKeys creates a go-git SSH auth method from the given PEM key and
+// optional known_hosts bytes. If knownHosts is empty, InsecureIgnoreHostKey is
+// used as the host key callback, matching Fleet's default behaviour across all
+// git cloning code paths.
+func NewSSHPublicKeys(user string, keyPEM []byte, knownHosts []byte) (*gossh.PublicKeys, error) {
+	pubKeys, err := gossh.NewPublicKeys(user, keyPEM, "")
+	if err != nil {
+		return nil, err
+	}
+	if len(knownHosts) > 0 {
+		pubKeys.HostKeyCallback, err = CreateKnownHostsCallBack(knownHosts)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		//nolint:gosec // G106: InsecureIgnoreHostKey is the intentional fallback
+		// when no known_hosts are provided; matches behaviour across gitcloner,
+		// bundlereader, and pkg/git.
+		pubKeys.HostKeyCallback = golangssh.InsecureIgnoreHostKey()
+	}
+	return pubKeys, nil
+}

internal/ssh/auth_test.go

@@ -0,0 +1,94 @@
+package ssh_test
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"net"
+	"testing"
+
+	golangssh "golang.org/x/crypto/ssh"
+
+	"github.com/rancher/fleet/internal/ssh"
+)
+
+func generateECPrivateKeyPEM(t *testing.T) []byte {
+	t.Helper()
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("generating key: %v", err)
+	}
+	der, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
+		t.Fatalf("marshalling key: %v", err)
+	}
+	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
+}
+
+func generateKnownHostsEntry(t *testing.T, hostname string) (golangssh.PublicKey, string) {
+	t.Helper()
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("generating host key: %v", err)
+	}
+	sshPubKey, err := golangssh.NewPublicKey(&key.PublicKey)
+	if err != nil {
+		t.Fatalf("creating SSH public key: %v", err)
+	}
+	entry := fmt.Sprintf("%s %s", hostname, string(golangssh.MarshalAuthorizedKey(sshPubKey)))
+	return sshPubKey, entry
+}
+
+// fakeAddr implements net.Addr for use in HostKeyCallback tests.
+type fakeAddr struct{ s string }
+
+func (a fakeAddr) Network() string { return "tcp" }
+func (a fakeAddr) String() string  { return a.s }
+
+func TestNewSSHPublicKeys_NoKnownHosts(t *testing.T) {
+	keyPEM := generateECPrivateKeyPEM(t)
+	pubKeys, err := ssh.NewSSHPublicKeys("git", keyPEM, nil)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if pubKeys == nil {
+		t.Fatal("expected non-nil PublicKeys")
+	}
+	// With no known hosts, InsecureIgnoreHostKey must accept any host.
+	if err := pubKeys.HostKeyCallback("any-host:22", fakeAddr{"any-host:22"}, nil); err != nil {
+		t.Fatalf("InsecureIgnoreHostKey should accept any host, got: %v", err)
+	}
+}
+
+func TestNewSSHPublicKeys_WithKnownHosts(t *testing.T) {
+	keyPEM := generateECPrivateKeyPEM(t)
+	hostPubKey, knownHostsEntry := generateKnownHostsEntry(t, "myhost.example.com")
+
+	pubKeys, err := ssh.NewSSHPublicKeys("git", keyPEM, []byte(knownHostsEntry))
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	// Matching key for the known host must be accepted.
+	addr := &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 22}
+	if err := pubKeys.HostKeyCallback("myhost.example.com:22", addr, hostPubKey); err != nil {
+		t.Fatalf("expected callback to accept matching key, got: %v", err)
+	}
+
+	// An unknown host must be rejected.
+	if err := pubKeys.HostKeyCallback("unknown-host:22", addr, hostPubKey); err == nil {
+		t.Fatal("expected error for unknown host, got nil")
+	}
+}
+
+func TestNewSSHPublicKeys_InvalidKnownHosts(t *testing.T) {
+	keyPEM := generateECPrivateKeyPEM(t)
+	// Malformed known_hosts must be rejected at construction time.
+	_, err := ssh.NewSSHPublicKeys("git", keyPEM, []byte("not-valid-known-hosts @@@@"))
+	if err == nil {
+		t.Fatal("expected error for invalid known_hosts, got nil")
+	}
+}

pkg/git/netutils.go

@@ -9,9 +9,7 @@ import (
 
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	httpgit "github.com/go-git/go-git/v5/plumbing/transport/http"
-	gossh "github.com/go-git/go-git/v5/plumbing/transport/ssh"
 	giturls "github.com/rancher/fleet/pkg/git-urls"
-	"golang.org/x/crypto/ssh"
 	corev1 "k8s.io/api/core/v1"
 
 	fleetgithub "github.com/rancher/fleet/internal/github"
@@ -51,25 +49,15 @@ func GetAuthFromSecret(url string, creds *corev1.Secret, knownHosts string) (tra
 		if err != nil {
 			return nil, err
 		}
-		auth, err := gossh.NewPublicKeys(gitURL.User.Username(), creds.Data[corev1.SSHAuthPrivateKey], "")
+		// Prefer known_hosts from the secret; fall back to the cluster-wide value.
+		knownHostsData := creds.Data["known_hosts"]
+		if len(knownHostsData) == 0 {
+			knownHostsData = []byte(knownHosts)
+		}
+		auth, err := fleetssh.NewSSHPublicKeys(gitURL.User.Username(), creds.Data[corev1.SSHAuthPrivateKey], knownHostsData)
 		if err != nil {
 			return nil, err
 		}
-		switch {
-		case creds.Data["known_hosts"] != nil:
-			auth.HostKeyCallback, err = fleetssh.CreateKnownHostsCallBack(creds.Data["known_hosts"])
-			if err != nil {
-				return nil, err
-			}
-		case len(knownHosts) > 0:
-			auth.HostKeyCallback, err = fleetssh.CreateKnownHostsCallBack([]byte(knownHosts))
-			if err != nil {
-				return nil, err
-			}
-		default:
-			//nolint:gosec // G106: Use of ssh InsecureIgnoreHostKey should be audited
-			auth.HostKeyCallback = ssh.InsecureIgnoreHostKey()
-		}
 		return auth, nil
 	default:
 		auth, err := fleetgithub.GetGithubAppAuthFromSecret(url, creds, GitHubAppGetter)