fix(tls): bypass N_TTY 4096-byte limit for certificate input prompts #807
Draft
hemanthnakkina wants to merge 1 commit into
Pull request overview
This PR addresses Linux N_TTY canonical-mode input truncation (4095 chars) that breaks pasting long base64-encoded certificate/CA-chain material into interactive prompts, by introducing a TTY-specific input stream that temporarily disables ICANON while reading.
Changes:
- Add _read_line_no_icanon(), LargeInputStreamWrapper, and LargeInputPromptQuestion to bypass canonical-mode truncation for large pasted inputs.
- Switch certificate-related prompts in TLS and loadbalancer features to use LargeInputPromptQuestion.
- Add unit/integration-style tests validating long-input behavior, ICANON-only clearing, and terminal restoration.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| sunbeam-python/sunbeam/core/questions.py | Introduces large-input TTY reading (ICANON off) and routes Question.ask() through an overridable input stream. |
| sunbeam-python/sunbeam/features/tls/common.py | Uses LargeInputPromptQuestion for certificate prompt to avoid truncation. |
| sunbeam-python/sunbeam/features/loadbalancer/feature.py | Uses LargeInputPromptQuestion for certificate/CA certificate/CA chain prompts. |
| sunbeam-python/tests/unit/sunbeam/core/test_questions.py | Adds coverage for large-input stream behavior and PTY-based truncation demonstration tests. |
The Linux kernel N_TTY line discipline silently truncates input pasted into a terminal at 4095 characters in canonical (ICANON) mode. Base64-encoded CA chains with multiple intermediate CAs routinely exceed this limit, causing 'Unable to encode CA chain' errors.
Add LargeInputStreamWrapper and LargeInputPromptQuestion to sunbeam/core/questions.py. When stdin is a TTY, the new stream clears only the ICANON termios flag before reading, bypassing the N_TTY 4096-byte buffer limit. All other terminal behaviour is preserved: ECHO (user sees their paste), ISIG (Ctrl+C works), and IEXTEN remain set. Terminal settings are always restored in a finally block.
Switch certificate, ca-certificate, and ca-chain prompts in sunbeam/features/tls/common.py and sunbeam/features/loadbalancer/feature.py to use LargeInputPromptQuestion. All other prompts are unaffected.
Add unit tests covering _read_line_no_icanon(), LargeInputStreamWrapper, and LargeInputPromptQuestion: input beyond 4096 chars, ICANON-only clearing, terminal restore on success and KeyboardInterrupt, backspace handling, non-TTY fallback, and preseed/accept_defaults paths.
Closes: https://bugs.launchpad.net/snap-openstack/+bug/2155219
Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Hemanth Nakkina <hemanth.nakkina@canonical.com>
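The approach described in the commit message above, as an added example that is not code from this pull request or from sunbeam: clear only ICANON on a TTY, read one byte at a time, and restore the saved settings in a finally block. The name read_long_line and its erase and Ctrl+D handling are assumptions made for this example.

```python
import os
import termios

ERASE = (0x08, 0x7F)  # BS and DEL: with ICANON off the kernel no longer edits the line


def read_long_line(fd: int) -> str:
    """Read one line from fd, lifting the canonical-mode length limit on a TTY."""
    is_tty = os.isatty(fd)
    saved = None
    if is_tty:
        saved = termios.tcgetattr(fd)       # untouched copy, used only for the restore
        attrs = termios.tcgetattr(fd)
        attrs[3] &= ~termios.ICANON         # lflag: clear ICANON only; ECHO, ISIG, IEXTEN stay
        attrs[6][termios.VMIN] = 1          # read() returns once one byte is available
        attrs[6][termios.VTIME] = 0         # no inter-byte timeout
        termios.tcsetattr(fd, termios.TCSADRAIN, attrs)  # TCSADRAIN keeps pending input
    buf = bytearray()
    try:
        while True:
            ch = os.read(fd, 1)             # byte at a time: never consume past the newline
            if not ch or ch == b"\n":       # EOF (pipe or file) or end of line
                break
            if is_tty and ch == b"\x04":    # Ctrl+D arrives as a plain byte without ICANON
                break
            if is_tty and ch[0] in ERASE:   # emulate erase for ASCII input such as base64
                if buf:
                    buf.pop()
                continue
            buf += ch
    finally:
        if saved is not None:               # also runs when Ctrl+C raises KeyboardInterrupt
            termios.tcsetattr(fd, termios.TCSADRAIN, saved)
    return buf.decode("utf-8", errors="replace").rstrip("\r")


if __name__ == "__main__":
    print("Paste base64 certificate, then press Enter: ", end="", flush=True)
    print(f"\nread {len(read_long_line(0))} characters")
```

The flag has to be cleared before the paste arrives: anything typed while the terminal was still in canonical mode has already been cut by the line discipline.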
b4be140 to 41dffbc