ollama/auth/auth.go

package auth

import (
	"bytes"
	"context"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"log/slog"
	"os"
	"path/filepath"
	"strings"

	"golang.org/x/crypto/ssh"
)

const defaultPrivateKey = "id_ed25519"

func GetPublicKey() (string, error) {
	home, err := os.UserHomeDir()
	if err != nil {
		return "", err
	}

	keyPath := filepath.Join(home, ".ollama", defaultPrivateKey)
	privateKeyFile, err := os.ReadFile(keyPath)
	if err != nil {
		slog.Info(fmt.Sprintf("Failed to load private key: %v", err))
		return "", err
	}

	privateKey, err := ssh.ParsePrivateKey(privateKeyFile)
	if err != nil {
		return "", err
	}

	publicKey := ssh.MarshalAuthorizedKey(privateKey.PublicKey())

	return strings.TrimSpace(string(publicKey)), nil
}

func NewNonce(r io.Reader, length int) (string, error) {
	nonce := make([]byte, length)
	if _, err := io.ReadFull(r, nonce); err != nil {
		return "", err
	}

	return base64.RawURLEncoding.EncodeToString(nonce), nil
}

func Sign(ctx context.Context, bts []byte) (string, error) {
	home, err := os.UserHomeDir()
	if err != nil {
		return "", err
	}

	keyPath := filepath.Join(home, ".ollama", defaultPrivateKey)
	privateKeyFile, err := os.ReadFile(keyPath)
	if err != nil {
		slog.Info(fmt.Sprintf("Failed to load private key: %v", err))
		return "", err
	}

	privateKey, err := ssh.ParsePrivateKey(privateKeyFile)
	if err != nil {
		return "", err
	}

	// get the pubkey, but remove the type
	publicKey := ssh.MarshalAuthorizedKey(privateKey.PublicKey())
	parts := bytes.Split(publicKey, []byte(" "))
	if len(parts) < 2 {
		return "", errors.New("malformed public key")
	}

	signedData, err := privateKey.Sign(rand.Reader, bts)
	if err != nil {
		return "", err
	}

	// signature is <pubkey>:<signature>
	return fmt.Sprintf("%s:%s", bytes.TrimSpace(parts[1]), base64.StdEncoding.EncodeToString(signedData.Blob)), nil
}
Move hub auth out to new package 2024-02-06 04:59:52 +08:00			`package auth`
Token auth (#314) 2023-08-11 02:34:25 +08:00
			`import (`
			`"bytes"`
add maximum retries when pushing (#334) 2023-08-12 06:41:55 +08:00			`"context"`
Token auth (#314) 2023-08-11 02:34:25 +08:00			`"crypto/rand"`
			`"encoding/base64"`
lint 2024-08-02 05:52:15 +08:00			`"errors"`
Token auth (#314) 2023-08-11 02:34:25 +08:00			`"fmt"`
			`"io"`
Mechanical switch from log to slog A few obvious levels were adjusted, but generally everything mapped to "info" level. 2024-01-19 02:52:01 +08:00			`"log/slog"`
Token auth (#314) 2023-08-11 02:34:25 +08:00			`"os"`
fix mkdir on windows 2023-09-20 00:36:30 +08:00			`"path/filepath"`
prompt to display and add local ollama keys to account (#3717) - return descriptive error messages when unauthorized to create blob or push a model - display the local public key associated with the request that was denied 2024-05-01 02:02:08 +08:00			`"strings"`
Token auth (#314) 2023-08-11 02:34:25 +08:00
			`"golang.org/x/crypto/ssh"`
Move hub auth out to new package 2024-02-06 04:59:52 +08:00			`)`

rerefactor 2024-02-15 03:29:49 +08:00			`const defaultPrivateKey = "id_ed25519"`
Token auth (#314) 2023-08-11 02:34:25 +08:00
prompt to display and add local ollama keys to account (#3717) - return descriptive error messages when unauthorized to create blob or push a model - display the local public key associated with the request that was denied 2024-05-01 02:02:08 +08:00			`func GetPublicKey() (string, error) {`
auth: fix problems with the ollama keypairs (#12373) * auth: fix problems with the ollama keypairs This change adds several fixes including: - reading in the pubkey files correctly - fixing the push unit test to create a keypair file in a temp directory - not return 500 errors for normal status error 2025-09-23 14:20:20 +08:00			`home, err := os.UserHomeDir()`
prompt to display and add local ollama keys to account (#3717) - return descriptive error messages when unauthorized to create blob or push a model - display the local public key associated with the request that was denied 2024-05-01 02:02:08 +08:00			`if err != nil {`
			`return "", err`
			`}`

auth: fix problems with the ollama keypairs (#12373) * auth: fix problems with the ollama keypairs This change adds several fixes including: - reading in the pubkey files correctly - fixing the push unit test to create a keypair file in a temp directory - not return 500 errors for normal status error 2025-09-23 14:20:20 +08:00			`keyPath := filepath.Join(home, ".ollama", defaultPrivateKey)`
prompt to display and add local ollama keys to account (#3717) - return descriptive error messages when unauthorized to create blob or push a model - display the local public key associated with the request that was denied 2024-05-01 02:02:08 +08:00			`privateKeyFile, err := os.ReadFile(keyPath)`
			`if err != nil {`
			`slog.Info(fmt.Sprintf("Failed to load private key: %v", err))`
			`return "", err`
			`}`

			`privateKey, err := ssh.ParsePrivateKey(privateKeyFile)`
			`if err != nil {`
			`return "", err`
			`}`

			`publicKey := ssh.MarshalAuthorizedKey(privateKey.PublicKey())`

			`return strings.TrimSpace(string(publicKey)), nil`
			`}`

rerefactor 2024-02-15 03:29:49 +08:00			`func NewNonce(r io.Reader, length int) (string, error) {`
Token auth (#314) 2023-08-11 02:34:25 +08:00			`nonce := make([]byte, length)`
rerefactor 2024-02-15 03:29:49 +08:00			`if _, err := io.ReadFull(r, nonce); err != nil {`
Token auth (#314) 2023-08-11 02:34:25 +08:00			`return "", err`
			`}`
use url.URL 2023-08-22 09:38:31 +08:00
rerefactor 2024-02-15 03:29:49 +08:00			`return base64.RawURLEncoding.EncodeToString(nonce), nil`
Token auth (#314) 2023-08-11 02:34:25 +08:00			`}`

rerefactor 2024-02-15 03:29:49 +08:00			`func Sign(ctx context.Context, bts []byte) (string, error) {`
auth: fix problems with the ollama keypairs (#12373) * auth: fix problems with the ollama keypairs This change adds several fixes including: - reading in the pubkey files correctly - fixing the push unit test to create a keypair file in a temp directory - not return 500 errors for normal status error 2025-09-23 14:20:20 +08:00			`home, err := os.UserHomeDir()`
Token auth (#314) 2023-08-11 02:34:25 +08:00			`if err != nil {`
fix: nil pointer dereference 2023-10-21 07:52:48 +08:00			`return "", err`
Token auth (#314) 2023-08-11 02:34:25 +08:00			`}`
fix response on token error 2024-02-08 03:00:06 +08:00
auth: fix problems with the ollama keypairs (#12373) * auth: fix problems with the ollama keypairs This change adds several fixes including: - reading in the pubkey files correctly - fixing the push unit test to create a keypair file in a temp directory - not return 500 errors for normal status error 2025-09-23 14:20:20 +08:00			`keyPath := filepath.Join(home, ".ollama", defaultPrivateKey)`
rerefactor 2024-02-15 03:29:49 +08:00			`privateKeyFile, err := os.ReadFile(keyPath)`
Token auth (#314) 2023-08-11 02:34:25 +08:00			`if err != nil {`
rerefactor 2024-02-15 03:29:49 +08:00			`slog.Info(fmt.Sprintf("Failed to load private key: %v", err))`
Token auth (#314) 2023-08-11 02:34:25 +08:00			`return "", err`
			`}`

rerefactor 2024-02-15 03:29:49 +08:00			`privateKey, err := ssh.ParsePrivateKey(privateKeyFile)`
Token auth (#314) 2023-08-11 02:34:25 +08:00			`if err != nil {`
			`return "", err`
			`}`

			`// get the pubkey, but remove the type`
rerefactor 2024-02-15 03:29:49 +08:00			`publicKey := ssh.MarshalAuthorizedKey(privateKey.PublicKey())`
			`parts := bytes.Split(publicKey, []byte(" "))`
Token auth (#314) 2023-08-11 02:34:25 +08:00			`if len(parts) < 2 {`
lint 2024-08-02 05:52:15 +08:00			`return "", errors.New("malformed public key")`
Token auth (#314) 2023-08-11 02:34:25 +08:00			`}`

rerefactor 2024-02-15 03:29:49 +08:00			`signedData, err := privateKey.Sign(rand.Reader, bts)`
Token auth (#314) 2023-08-11 02:34:25 +08:00			`if err != nil {`
			`return "", err`
			`}`

			`// signature is <pubkey>:<signature>`
rerefactor 2024-02-15 03:29:49 +08:00			`return fmt.Sprintf("%s:%s", bytes.TrimSpace(parts[1]), base64.StdEncoding.EncodeToString(signedData.Blob)), nil`
Token auth (#314) 2023-08-11 02:34:25 +08:00			`}`