fix: support multiple SSHPubKey records per user

There was one blazing issue with the previous implementation regardless
of the multiple records: we were generating fingerprints by storing
the key into a file and reading it with ssh-keygen. This is absolutely
terrible and was not meant to be left around (it was forgotten, my bad).

Took this opportunity to clean up a few things:
- simplify pubkey validation
- centralize things a bit better

Signed-off-by: Kevin Morris <kevr@0cost.org>

aurweb/models/ssh_pub_key.py

@@ -1,6 +1,3 @@
-import os
-import tempfile
-
 from subprocess import PIPE, Popen
 
 from sqlalchemy.orm import backref, relationship
@@ -15,28 +12,17 @@ class SSHPubKey(Base):
     __mapper_args__ = {"primary_key": [__table__.c.Fingerprint]}
 
     User = relationship(
-        "User", backref=backref("ssh_pub_key", uselist=False),
+        "User", backref=backref("ssh_pub_keys", lazy="dynamic"),
         foreign_keys=[__table__.c.UserID])
 
     def __init__(self, **kwargs):
         super().__init__(**kwargs)
 
 
-def get_fingerprint(pubkey):
-    with tempfile.TemporaryDirectory() as tmpdir:
-        pk = os.path.join(tmpdir, "ssh.pub")
-
-        with open(pk, "w") as f:
-            f.write(pubkey)
-
-        proc = Popen(["ssh-keygen", "-l", "-f", pk], stdout=PIPE, stderr=PIPE)
-        out, err = proc.communicate()
-
-        # Invalid SSH Public Key. Return None to the caller.
-        if proc.returncode != 0:
-            return None
-
-        parts = out.decode().split()
-        fp = parts[1].replace("SHA256:", "")
-
-    return fp
+def get_fingerprint(pubkey: str) -> str:
+    proc = Popen(["ssh-keygen", "-l", "-f", "-"], stdin=PIPE, stdout=PIPE,
+                 stderr=PIPE)
+    out, _ = proc.communicate(pubkey.encode())
+    if proc.returncode:
+        raise ValueError("The SSH public key is invalid.")
+    return out.decode().split()[1].split(":", 1)[1]