src/main/java/com/gitblit/transport/ssh/LdapKeyManager.java - gitblit - Git at Google

 /*
  * Copyright 2016 gitblit.com.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy of
  * the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  * License for the specific language governing permissions and limitations under
  * the License.
  */
 package com.gitblit.transport.ssh;

 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.TreeMap;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;

 import org.apache.sshd.common.config.keys.KeyUtils;
 import org.apache.sshd.common.util.GenericUtils;
 import org.apache.sshd.server.config.keys.AuthorizedKeyEntry;

 import com.gitblit.IStoredSettings;
 import com.gitblit.Keys;
 import com.gitblit.Constants.AccessPermission;
 import com.gitblit.ldap.LdapConnection;
 import com.gitblit.models.UserModel;
 import com.gitblit.utils.StringUtils;
 import com.google.common.base.Joiner;
 import com.google.inject.Inject;
 import com.unboundid.ldap.sdk.BindResult;
 import com.unboundid.ldap.sdk.ResultCode;
 import com.unboundid.ldap.sdk.SearchResult;
 import com.unboundid.ldap.sdk.SearchResultEntry;

 /**
  * LDAP-only public key manager
  *
  * Retrieves public keys from user's LDAP entries. Using this key manager,
  * no SSH keys can be edited, i.e. added, removed, permissions changed, etc.
  *
  * This key manager supports SSH key entries in LDAP of the following form:
  * [<prefix>:] [<options>] <type> <key> [<comment>]
  * This follows the required form of entries in the authenticated_keys file,
  * with an additional optional prefix. Key entries must have a key type
  * (like "ssh-rsa") and a key, and may have a comment at the end.
  *
  * An entry may specify login options as specified for the authorized_keys file.
  * The 'environment' option may be used to set the permissions for the key
  * by setting a 'gbPerm' environment variable. The key manager will interpret
  * such a environment variable option and use the set permission string to set
  * the permission on the key in Gitblit. Example:
  *   environment="gbPerm=V",pty ssh-rsa AAAxjka.....dv= Clone only key
  * Above entry would create a RSA key with the comment "Clone only key" and
  * set the key permission to CLONE. All other options are ignored.
  *
  * In Active Directory SSH public keys are sometimes stored in the attribute
  * 'altSecurityIdentity'. The attribute value is usually prefixed by a type
  * identifier. LDAP entries could have the following attribute values:
  *   altSecurityIdentity: X.509: ADKEJBAKDBZUPABBD...
  *   altSecurityIdentity: SshKey: ssh-dsa AAAAknenazuzucbhda...
  * This key manager supports this by allowing an optional prefix to identify
  * SSH keys. The prefix to be used should be set in the 'realm.ldap.sshPublicKey'
  * setting by separating it from the attribute name with a colon, e.g.:
  *    realm.ldap.sshPublicKey = altSecurityIdentity:SshKey
  *
  * @author Florian Zschocke
  *
  */
 public class LdapKeyManager extends IPublicKeyManager {

 	/**
 	 * Pattern to find prefixes like 'SSHKey:' in key entries.
 	 * These prefixes describe the type of an altSecurityIdentity.
 	 * The pattern accepts anything but quote and colon up to the
 	 * first colon at the start of a string.
 	 */
 	private static final Pattern PREFIX_PATTERN = Pattern.compile("^([^\":]+):");
 	/**
 	 * Pattern to find the string describing Gitblit permissions for a SSH key.
 	 * The pattern matches on a string starting with 'gbPerm', matched case-insensitive,
 	 * followed by '=' with optional whitespace around it, followed by a string of
 	 * upper and lower case letters and '+' and '-' for the permission, which can optionally
 	 * be enclosed in '"' or '\"' (only the leading quote is matched in the pattern).
 	 * Only the group describing the permission is a capturing group.
 	 */
 	private static final Pattern GB_PERM_PATTERN = Pattern.compile("(?i:gbPerm)\\s*=\\s*(?:\\\\\"|\")?\\s*([A-Za-z+-]+)");


 	private final IStoredSettings settings;


 	@Inject
 	public LdapKeyManager(IStoredSettings settings) {
 		this.settings = settings;
 	}


 	@Override
 	public String toString() {
 		return getClass().getSimpleName();
 	}

 	@Override
 	public LdapKeyManager start() {
 		log.info(toString());
 		return this;
 	}

 	@Override
 	public boolean isReady() {
 		return true;
 	}

 	@Override
 	public LdapKeyManager stop() {
 		return this;
 	}

 	@Override
 	protected boolean isStale(String username) {
 		// always return true so we gets keys from LDAP every time
 		return true;
 	}

 	@Override
 	protected List<SshKey> getKeysImpl(String username) {
 		try (LdapConnection conn = new LdapConnection(settings)) {
 			if (conn.connect()) {
 				log.info("loading ssh key for {} from LDAP directory", username);

 				BindResult bindResult = conn.bind();
 				if (bindResult == null) {
 					conn.close();
 					return null;
 				}

 				// Search the user entity

 				// Support prefixing the key data, e.g. when using altSecurityIdentities in AD.
 				String pubKeyAttribute = settings.getString(Keys.realm.ldap.sshPublicKey, "sshPublicKey");
 				String pkaPrefix = null;
 				int idx = pubKeyAttribute.indexOf(':');
 				if (idx > 0) {
 					pkaPrefix = pubKeyAttribute.substring(idx +1);
 					pubKeyAttribute = pubKeyAttribute.substring(0, idx);
 				}

 				SearchResult result = conn.searchUser(getSimpleUsername(username), Arrays.asList(pubKeyAttribute));
 				conn.close();

 				if (result != null && result.getResultCode() == ResultCode.SUCCESS) {
 					if ( result.getEntryCount() > 1) {
 						log.info("Found more than one entry for user {} in LDAP. Cannot retrieve SSH key.", username);
 						return null;
 					} else if ( result.getEntryCount() < 1) {
 						log.info("Found no entry for user {} in LDAP. Cannot retrieve SSH key.", username);
 						return null;
 					}

 					// Retrieve the SSH key attributes
 					SearchResultEntry foundUser = result.getSearchEntries().get(0);
 					String[] attrs = foundUser.getAttributeValues(pubKeyAttribute);
 					if (attrs == null ||attrs.length == 0) {
 						log.info("found no keys for user {} under attribute {} in directory", username, pubKeyAttribute);
 						return null;
 					}


 					// Filter resulting list to match with required special prefix in entry
 					List<GbAuthorizedKeyEntry> authorizedKeys = new ArrayList<>(attrs.length);
 					Matcher m = PREFIX_PATTERN.matcher("");
 					for (int i = 0; i < attrs.length; ++i) {
 						// strip out line breaks
 						String keyEntry = Joiner.on("").join(attrs[i].replace("\r\n", "\n").split("\n"));
 						m.reset(keyEntry);
 						try {
 							if (m.lookingAt()) { // Key is prefixed in LDAP
 								if (pkaPrefix == null) {
 									continue;
 								}
 								String prefix = m.group(1).trim();
 								if (! pkaPrefix.equalsIgnoreCase(prefix)) {
 									continue;
 								}
 								String s = keyEntry.substring(m.end()); // Strip prefix off
 								authorizedKeys.add(GbAuthorizedKeyEntry.parseAuthorizedKeyEntry(s));

 							} else { // Key is not prefixed in LDAP
 								if (pkaPrefix != null) {
 									continue;
 								}
 								String s = keyEntry; // Strip prefix off
 								authorizedKeys.add(GbAuthorizedKeyEntry.parseAuthorizedKeyEntry(s));
 							}
 						} catch (IllegalArgumentException e) {
 							log.info("Failed to parse key entry={}:", keyEntry, e.getMessage());
 						}
 					}

 					List<SshKey> keyList = new ArrayList<>(authorizedKeys.size());
 					for (GbAuthorizedKeyEntry keyEntry : authorizedKeys) {
 						try {
 							SshKey key = new SshKey(keyEntry.resolvePublicKey());
 							key.setComment(keyEntry.getComment());
 							setKeyPermissions(key, keyEntry);
 							keyList.add(key);
 						} catch (GeneralSecurityException | IOException e) {
 							log.warn("Error resolving key entry for user {}. Entry={}", username, keyEntry, e);
 						}
 					}
 					return keyList;
 				}
 			}
 		}

 		return null;
 	}


 	@Override
 	public boolean addKey(String username, SshKey key) {
 		return false;
 	}

 	@Override
 	public boolean removeKey(String username, SshKey key) {
 		return false;
 	}

 	@Override
 	public boolean removeAllKeys(String username) {
 		return false;
 	}


 	public boolean supportsWritingKeys(UserModel user) {
 		return false;
 	}

 	public boolean supportsCommentChanges(UserModel user) {
 		return false;
 	}

 	public boolean supportsPermissionChanges(UserModel user) {
 		return false;
 	}


 	private void setKeyPermissions(SshKey key, GbAuthorizedKeyEntry keyEntry) {
 		List<String> env = keyEntry.getLoginOptionValues("environment");
 		if (env != null && !env.isEmpty()) {
 			// Walk over all entries and find one that sets 'gbPerm'. The last one wins.
 			for (String envi : env) {
 				Matcher m = GB_PERM_PATTERN.matcher(envi);
 				if (m.find()) {
 					String perm = m.group(1).trim();
 					AccessPermission ap = AccessPermission.fromCode(perm);
 					if (ap == AccessPermission.NONE) {
 						ap = AccessPermission.valueOf(perm.toUpperCase());
 					}

 					if (ap != null && ap != AccessPermission.NONE) {
 						try {
 							key.setPermission(ap);
 						} catch (IllegalArgumentException e) {
 							log.warn("Incorrect permissions ({}) set for SSH key entry {}.", ap, envi, e);
 						}
 					}
 				}
 			}
 		}
 	}


 	/**
 	 * Returns a simple username without any domain prefixes.
 	 *
 	 * @param username
 	 * @return a simple username
 	 */
 	private String getSimpleUsername(String username) {
 		int lastSlash = username.lastIndexOf('\\');
 		if (lastSlash > -1) {
 			username = username.substring(lastSlash + 1);
 		}

 		return username;
 	}


 	/**
 	 * Extension of the AuthorizedKeyEntry from Mina SSHD with better option parsing.
 	 *
 	 * The class makes use of code from the two methods copied from the original
 	 * Mina SSHD AuthorizedKeyEntry class. The code is rewritten to improve user login
 	 * option support. Options are correctly parsed even if they have whitespace within
 	 * double quotes. Options can occur multiple times, which is needed for example for
 	 * the "environment" option. Thus for an option a list of strings is kept, holding
 	 * multiple option values.
 	 */
 	private static class GbAuthorizedKeyEntry extends AuthorizedKeyEntry {

 		private static final long serialVersionUID = 1L;
 		/**
 		 * Pattern to extract the first part of the key entry without whitespace or only with quoted whitespace.
 		 * The pattern essentially splits the line in two parts with two capturing groups. All other groups
 		 * in the pattern are non-capturing. The first part is a continuous string that only includes double quoted
 		 * whitespace and ends in whitespace. The second part is the rest of the line.
 		 * The first part is at the beginning of the line, the lead-in. For a SSH key entry this can either be
 		 * login options (see authorized keys file description) or the key type. Since options, other than the
 		 * key type, can include whitespace and escaped double quotes within double quotes, the pattern takes
 		 * care of that by searching for either "characters that are not whitespace and not double quotes"
 		 * or "a double quote, followed by 'characters that are not a double quote or backslash, or a backslash
 		 * and then a double quote, or a backslash', followed by a double quote".
 		 */
 		private static final Pattern LEADIN_PATTERN = Pattern.compile("^((?:[^\\s\"]*|(?:\"(?:[^\"\\\\]|\\\\\"|\\\\)*\"))*\\s+)(.+)");
 		/**
 		 * Pattern to split a comma separated list of options.
 		 * Since an option could contain commas (as well as escaped double quotes) within double quotes
 		 * in the option value, a simple split on comma is not enough. So the pattern searches for multiple
 		 * occurrences of:
 		 * characters that are not double quotes or a comma, or
 		 * a double quote followed by: characters that are not a double quote or backslash, or
 		 *                             a backslash and then a double quote, or
 		 *                             a backslash,
 		 *   followed by a double quote.
 		 */
 		private static final Pattern OPTION_PATTERN = Pattern.compile("([^\",]+|(?:\"(?:[^\"\\\\]|\\\\\"|\\\\)*\"))+");

 		// for options that have no value, "true" is used
 		private Map<String, List<String>> loginOptionsMulti = Collections.emptyMap();


 		List<String> getLoginOptionValues(String option) {
 			return loginOptionsMulti.get(option);
 		}


 		/**
 		 * @param line Original line from an <code>authorized_keys</code> file
 		 * @return {@link GbAuthorizedKeyEntry} or {@code null} if the line is
 		 * {@code null}/empty or a comment line
 		 * @throws IllegalArgumentException If failed to parse/decode the line
 		 * @see #COMMENT_CHAR
 		 */
 		public static GbAuthorizedKeyEntry parseAuthorizedKeyEntry(String line) throws IllegalArgumentException {
 			line = GenericUtils.trimToEmpty(line);
 			if (StringUtils.isEmpty(line) || (line.charAt(0) == COMMENT_CHAR) /* comment ? */) {
 				return null;
 			}

 			Matcher m = LEADIN_PATTERN.matcher(line);
 			if (! m.lookingAt()) {
 				throw new IllegalArgumentException("Bad format (no key data delimiter): " + line);
 			}

 			String keyType = m.group(1).trim();
 			final GbAuthorizedKeyEntry entry;
 			if (KeyUtils.getPublicKeyEntryDecoder(keyType) == null) {  // assume this is due to the fact that it starts with login options
 				entry = parseAuthorizedKeyEntry(m.group(2));
 				if (entry == null) {
 					throw new IllegalArgumentException("Bad format (no key data after login options): " + line);
 				}

 				entry.parseAndSetLoginOptions(keyType);
 			} else {
 				int startPos = line.indexOf(' ');
 				if (startPos <= 0) {
 					throw new IllegalArgumentException("Bad format (no key data delimiter): " + line);
 				}

 				int endPos = line.indexOf(' ', startPos + 1);
 				if (endPos <= startPos) {
 					endPos = line.length();
 				}

 				String encData = (endPos < (line.length() - 1)) ? line.substring(0, endPos).trim() : line;
 				String comment = (endPos < (line.length() - 1)) ? line.substring(endPos + 1).trim() : null;
 				entry = parsePublicKeyEntry(new GbAuthorizedKeyEntry(), encData);
 				entry.setComment(comment);
 			}

 			return entry;
 		}

 		private void parseAndSetLoginOptions(String options) {
 			Matcher m = OPTION_PATTERN.matcher(options);
 			if (! m.find()) {
 				loginOptionsMulti = Collections.emptyMap();
 			}
 			Map<String, List<String>> optsMap = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);

 			do {
 				String p = m.group();
 				p = GenericUtils.trimToEmpty(p);
 				if (StringUtils.isEmpty(p)) {
 					continue;
 				}

 				int pos = p.indexOf('=');
 				String name = (pos < 0) ? p : GenericUtils.trimToEmpty(p.substring(0, pos));
 				CharSequence value = (pos < 0) ? null : GenericUtils.trimToEmpty(p.substring(pos + 1));
 				value = GenericUtils.stripQuotes(value);

 				// For options without value the value is set to TRUE.
 				if (value == null) {
 					value = Boolean.TRUE.toString();
 				}

 				List<String> opts = optsMap.get(name);
 				if (opts == null) {
 					opts = new ArrayList<String>();
 					optsMap.put(name, opts);
 				}
 				opts.add(value.toString());
 			} while(m.find());

 			loginOptionsMulti = optsMap;
 		}
 	}

 }
	/*
	* Copyright 2016 gitblit.com.
	*
	* Licensed under the Apache License, Version 2.0 (the "License"); you may not
	* use this file except in compliance with the License. You may obtain a copy of
	* the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
	* License for the specific language governing permissions and limitations under
	* the License.
	*/
	package com.gitblit.transport.ssh;

	import java.io.IOException;
	import java.security.GeneralSecurityException;
	import java.util.ArrayList;
	import java.util.Arrays;
	import java.util.Collections;
	import java.util.List;
	import java.util.Map;
	import java.util.TreeMap;
	import java.util.regex.Matcher;
	import java.util.regex.Pattern;

	import org.apache.sshd.common.config.keys.KeyUtils;
	import org.apache.sshd.common.util.GenericUtils;
	import org.apache.sshd.server.config.keys.AuthorizedKeyEntry;

	import com.gitblit.IStoredSettings;
	import com.gitblit.Keys;
	import com.gitblit.Constants.AccessPermission;
	import com.gitblit.ldap.LdapConnection;
	import com.gitblit.models.UserModel;
	import com.gitblit.utils.StringUtils;
	import com.google.common.base.Joiner;
	import com.google.inject.Inject;
	import com.unboundid.ldap.sdk.BindResult;
	import com.unboundid.ldap.sdk.ResultCode;
	import com.unboundid.ldap.sdk.SearchResult;
	import com.unboundid.ldap.sdk.SearchResultEntry;

	/**
	* LDAP-only public key manager
	*
	* Retrieves public keys from user's LDAP entries. Using this key manager,
	* no SSH keys can be edited, i.e. added, removed, permissions changed, etc.
	*
	* This key manager supports SSH key entries in LDAP of the following form:
	* [<prefix>:] [<options>] <type> <key> [<comment>]
	* This follows the required form of entries in the authenticated_keys file,
	* with an additional optional prefix. Key entries must have a key type
	* (like "ssh-rsa") and a key, and may have a comment at the end.
	*
	* An entry may specify login options as specified for the authorized_keys file.
	* The 'environment' option may be used to set the permissions for the key
	* by setting a 'gbPerm' environment variable. The key manager will interpret
	* such a environment variable option and use the set permission string to set
	* the permission on the key in Gitblit. Example:
	* environment="gbPerm=V",pty ssh-rsa AAAxjka.....dv= Clone only key
	* Above entry would create a RSA key with the comment "Clone only key" and
	* set the key permission to CLONE. All other options are ignored.
	*
	* In Active Directory SSH public keys are sometimes stored in the attribute
	* 'altSecurityIdentity'. The attribute value is usually prefixed by a type
	* identifier. LDAP entries could have the following attribute values:
	* altSecurityIdentity: X.509: ADKEJBAKDBZUPABBD...
	* altSecurityIdentity: SshKey: ssh-dsa AAAAknenazuzucbhda...
	* This key manager supports this by allowing an optional prefix to identify
	* SSH keys. The prefix to be used should be set in the 'realm.ldap.sshPublicKey'
	* setting by separating it from the attribute name with a colon, e.g.:
	* realm.ldap.sshPublicKey = altSecurityIdentity:SshKey
	*
	* @author Florian Zschocke
	*
	*/
	public class LdapKeyManager extends IPublicKeyManager {

	/**
	* Pattern to find prefixes like 'SSHKey:' in key entries.
	* These prefixes describe the type of an altSecurityIdentity.
	* The pattern accepts anything but quote and colon up to the
	* first colon at the start of a string.
	*/
	private static final Pattern PREFIX_PATTERN = Pattern.compile("^([^\":]+):");
	/**
	* Pattern to find the string describing Gitblit permissions for a SSH key.
	* The pattern matches on a string starting with 'gbPerm', matched case-insensitive,
	* followed by '=' with optional whitespace around it, followed by a string of
	* upper and lower case letters and '+' and '-' for the permission, which can optionally
	* be enclosed in '"' or '\"' (only the leading quote is matched in the pattern).
	* Only the group describing the permission is a capturing group.
	*/
	private static final Pattern GB_PERM_PATTERN = Pattern.compile("(?i:gbPerm)\\s=\\s(?:\\\\\"\|\")?\\s*([A-Za-z+-]+)");


	private final IStoredSettings settings;



	@Inject
	public LdapKeyManager(IStoredSettings settings) {
	this.settings = settings;
	}


	@Override
	public String toString() {
	return getClass().getSimpleName();
	}

	@Override
	public LdapKeyManager start() {
	log.info(toString());
	return this;
	}

	@Override
	public boolean isReady() {
	return true;
	}

	@Override
	public LdapKeyManager stop() {
	return this;
	}

	@Override
	protected boolean isStale(String username) {
	// always return true so we gets keys from LDAP every time
	return true;
	}

	@Override
	protected List<SshKey> getKeysImpl(String username) {
	try (LdapConnection conn = new LdapConnection(settings)) {
	if (conn.connect()) {
	log.info("loading ssh key for {} from LDAP directory", username);

	BindResult bindResult = conn.bind();
	if (bindResult == null) {
	conn.close();
	return null;
	}

	// Search the user entity

	// Support prefixing the key data, e.g. when using altSecurityIdentities in AD.
	String pubKeyAttribute = settings.getString(Keys.realm.ldap.sshPublicKey, "sshPublicKey");
	String pkaPrefix = null;
	int idx = pubKeyAttribute.indexOf(':');
	if (idx > 0) {
	pkaPrefix = pubKeyAttribute.substring(idx +1);
	pubKeyAttribute = pubKeyAttribute.substring(0, idx);
	}

	SearchResult result = conn.searchUser(getSimpleUsername(username), Arrays.asList(pubKeyAttribute));
	conn.close();

	if (result != null && result.getResultCode() == ResultCode.SUCCESS) {
	if ( result.getEntryCount() > 1) {
	log.info("Found more than one entry for user {} in LDAP. Cannot retrieve SSH key.", username);
	return null;
	} else if ( result.getEntryCount() < 1) {
	log.info("Found no entry for user {} in LDAP. Cannot retrieve SSH key.", username);
	return null;
	}

	// Retrieve the SSH key attributes
	SearchResultEntry foundUser = result.getSearchEntries().get(0);
	String[] attrs = foundUser.getAttributeValues(pubKeyAttribute);
	if (attrs == null \|\|attrs.length == 0) {
	log.info("found no keys for user {} under attribute {} in directory", username, pubKeyAttribute);
	return null;
	}


	// Filter resulting list to match with required special prefix in entry
	List<GbAuthorizedKeyEntry> authorizedKeys = new ArrayList<>(attrs.length);
	Matcher m = PREFIX_PATTERN.matcher("");
	for (int i = 0; i < attrs.length; ++i) {
	// strip out line breaks
	String keyEntry = Joiner.on("").join(attrs[i].replace("\r\n", "\n").split("\n"));
	m.reset(keyEntry);
	try {
	if (m.lookingAt()) { // Key is prefixed in LDAP
	if (pkaPrefix == null) {
	continue;
	}
	String prefix = m.group(1).trim();
	if (! pkaPrefix.equalsIgnoreCase(prefix)) {
	continue;
	}
	String s = keyEntry.substring(m.end()); // Strip prefix off
	authorizedKeys.add(GbAuthorizedKeyEntry.parseAuthorizedKeyEntry(s));

	} else { // Key is not prefixed in LDAP
	if (pkaPrefix != null) {
	continue;
	}
	String s = keyEntry; // Strip prefix off
	authorizedKeys.add(GbAuthorizedKeyEntry.parseAuthorizedKeyEntry(s));
	}
	} catch (IllegalArgumentException e) {
	log.info("Failed to parse key entry={}:", keyEntry, e.getMessage());
	}
	}

	List<SshKey> keyList = new ArrayList<>(authorizedKeys.size());
	for (GbAuthorizedKeyEntry keyEntry : authorizedKeys) {
	try {
	SshKey key = new SshKey(keyEntry.resolvePublicKey());
	key.setComment(keyEntry.getComment());
	setKeyPermissions(key, keyEntry);
	keyList.add(key);
	} catch (GeneralSecurityException \| IOException e) {
	log.warn("Error resolving key entry for user {}. Entry={}", username, keyEntry, e);
	}
	}
	return keyList;
	}
	}
	}

	return null;
	}


	@Override
	public boolean addKey(String username, SshKey key) {
	return false;
	}

	@Override
	public boolean removeKey(String username, SshKey key) {
	return false;
	}

	@Override
	public boolean removeAllKeys(String username) {
	return false;
	}


	public boolean supportsWritingKeys(UserModel user) {
	return false;
	}

	public boolean supportsCommentChanges(UserModel user) {
	return false;
	}

	public boolean supportsPermissionChanges(UserModel user) {
	return false;
	}


	private void setKeyPermissions(SshKey key, GbAuthorizedKeyEntry keyEntry) {
	List<String> env = keyEntry.getLoginOptionValues("environment");
	if (env != null && !env.isEmpty()) {
	// Walk over all entries and find one that sets 'gbPerm'. The last one wins.
	for (String envi : env) {
	Matcher m = GB_PERM_PATTERN.matcher(envi);
	if (m.find()) {
	String perm = m.group(1).trim();
	AccessPermission ap = AccessPermission.fromCode(perm);
	if (ap == AccessPermission.NONE) {
	ap = AccessPermission.valueOf(perm.toUpperCase());
	}

	if (ap != null && ap != AccessPermission.NONE) {
	try {
	key.setPermission(ap);
	} catch (IllegalArgumentException e) {
	log.warn("Incorrect permissions ({}) set for SSH key entry {}.", ap, envi, e);
	}
	}
	}
	}
	}
	}


	/**
	* Returns a simple username without any domain prefixes.
	*
	* @param username
	* @return a simple username
	*/
	private String getSimpleUsername(String username) {
	int lastSlash = username.lastIndexOf('\\');
	if (lastSlash > -1) {
	username = username.substring(lastSlash + 1);
	}

	return username;
	}


	/**
	* Extension of the AuthorizedKeyEntry from Mina SSHD with better option parsing.
	*
	* The class makes use of code from the two methods copied from the original
	* Mina SSHD AuthorizedKeyEntry class. The code is rewritten to improve user login
	* option support. Options are correctly parsed even if they have whitespace within
	* double quotes. Options can occur multiple times, which is needed for example for
	* the "environment" option. Thus for an option a list of strings is kept, holding
	* multiple option values.
	*/
	private static class GbAuthorizedKeyEntry extends AuthorizedKeyEntry {

	private static final long serialVersionUID = 1L;
	/**
	* Pattern to extract the first part of the key entry without whitespace or only with quoted whitespace.
	* The pattern essentially splits the line in two parts with two capturing groups. All other groups
	* in the pattern are non-capturing. The first part is a continuous string that only includes double quoted
	* whitespace and ends in whitespace. The second part is the rest of the line.
	* The first part is at the beginning of the line, the lead-in. For a SSH key entry this can either be
	* login options (see authorized keys file description) or the key type. Since options, other than the
	* key type, can include whitespace and escaped double quotes within double quotes, the pattern takes
	* care of that by searching for either "characters that are not whitespace and not double quotes"
	* or "a double quote, followed by 'characters that are not a double quote or backslash, or a backslash
	* and then a double quote, or a backslash', followed by a double quote".
	*/
	private static final Pattern LEADIN_PATTERN = Pattern.compile("^((?:[^\\s\"]\|(?:\"(?:[^\"\\\\]\|\\\\\"\|\\\\)\"))*\\s+)(.+)");
	/**
	* Pattern to split a comma separated list of options.
	* Since an option could contain commas (as well as escaped double quotes) within double quotes
	* in the option value, a simple split on comma is not enough. So the pattern searches for multiple
	* occurrences of:
	* characters that are not double quotes or a comma, or
	* a double quote followed by: characters that are not a double quote or backslash, or
	* a backslash and then a double quote, or
	* a backslash,
	* followed by a double quote.
	*/
	private static final Pattern OPTION_PATTERN = Pattern.compile("([^\",]+\|(?:\"(?:[^\"\\\\]\|\\\\\"\|\\\\)*\"))+");

	// for options that have no value, "true" is used
	private Map<String, List<String>> loginOptionsMulti = Collections.emptyMap();


	List<String> getLoginOptionValues(String option) {
	return loginOptionsMulti.get(option);
	}



	/**
	* @param line Original line from an <code>authorized_keys</code> file
	* @return {@link GbAuthorizedKeyEntry} or {@code null} if the line is
	* {@code null}/empty or a comment line
	* @throws IllegalArgumentException If failed to parse/decode the line
	* @see #COMMENT_CHAR
	*/
	public static GbAuthorizedKeyEntry parseAuthorizedKeyEntry(String line) throws IllegalArgumentException {
	line = GenericUtils.trimToEmpty(line);
	if (StringUtils.isEmpty(line) \|\| (line.charAt(0) == COMMENT_CHAR) /* comment ? */) {
	return null;
	}

	Matcher m = LEADIN_PATTERN.matcher(line);
	if (! m.lookingAt()) {
	throw new IllegalArgumentException("Bad format (no key data delimiter): " + line);
	}

	String keyType = m.group(1).trim();
	final GbAuthorizedKeyEntry entry;
	if (KeyUtils.getPublicKeyEntryDecoder(keyType) == null) { // assume this is due to the fact that it starts with login options
	entry = parseAuthorizedKeyEntry(m.group(2));
	if (entry == null) {
	throw new IllegalArgumentException("Bad format (no key data after login options): " + line);
	}

	entry.parseAndSetLoginOptions(keyType);
	} else {
	int startPos = line.indexOf(' ');
	if (startPos <= 0) {
	throw new IllegalArgumentException("Bad format (no key data delimiter): " + line);
	}

	int endPos = line.indexOf(' ', startPos + 1);
	if (endPos <= startPos) {
	endPos = line.length();
	}

	String encData = (endPos < (line.length() - 1)) ? line.substring(0, endPos).trim() : line;
	String comment = (endPos < (line.length() - 1)) ? line.substring(endPos + 1).trim() : null;
	entry = parsePublicKeyEntry(new GbAuthorizedKeyEntry(), encData);
	entry.setComment(comment);
	}

	return entry;
	}

	private void parseAndSetLoginOptions(String options) {
	Matcher m = OPTION_PATTERN.matcher(options);
	if (! m.find()) {
	loginOptionsMulti = Collections.emptyMap();
	}
	Map<String, List<String>> optsMap = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);

	do {
	String p = m.group();
	p = GenericUtils.trimToEmpty(p);
	if (StringUtils.isEmpty(p)) {
	continue;
	}

	int pos = p.indexOf('=');
	String name = (pos < 0) ? p : GenericUtils.trimToEmpty(p.substring(0, pos));
	CharSequence value = (pos < 0) ? null : GenericUtils.trimToEmpty(p.substring(pos + 1));
	value = GenericUtils.stripQuotes(value);

	// For options without value the value is set to TRUE.
	if (value == null) {
	value = Boolean.TRUE.toString();
	}

	List<String> opts = optsMap.get(name);
	if (opts == null) {
	opts = new ArrayList<String>();
	optsMap.put(name, opts);
	}
	opts.add(value.toString());
	} while(m.find());

	loginOptionsMulti = optsMap;
	}
	}

	}