FIX: Keep private theme key secret from user (#18106)

The generate RSA key and import theme routes worked separate from each
other. The RSA key returned both the public and private key and it was
the frontend which posted the private key back to the server. With this
commit, only the public key is necessary as the server keeps a map of
public and private keys that is used to get the private key back from
a public key.

spec/requests/admin/themes_controller_spec.rb

@@ -16,8 +16,9 @@ RSpec.describe Admin::ThemesController do
       post "/admin/themes/generate_key_pair.json"
       expect(response.status).to eq(200)
       json = response.parsed_body
-      expect(json["private_key"]).to include("RSA PRIVATE KEY")
+      expect(json["private_key"]).to eq(nil)
       expect(json["public_key"]).to include("ssh-rsa ")
+      expect(Discourse.redis.get("ssh_key_#{json["public_key"]}")).not_to eq(nil)
     end
   end
 
@@ -139,6 +140,26 @@ RSpec.describe Admin::ThemesController do
       expect(response.status).to eq(201)
     end
 
+    it 'can lookup a private key by public key' do
+      Discourse.redis.setex('ssh_key_abcdef', 1.hour, 'rsa private key')
+
+      ThemeStore::GitImporter.any_instance.stubs(:import!)
+      RemoteTheme.stubs(:extract_theme_info).returns(
+        'name' => 'discourse-brand-header',
+        'component' => true
+      )
+      RemoteTheme.any_instance.stubs(:update_from_remote)
+
+      post '/admin/themes/import.json', params: {
+        remote: '    https://github.com/discourse/discourse-brand-header.git       ',
+        public_key: 'abcdef',
+      }
+
+      expect(RemoteTheme.last.private_key).to eq('rsa private key')
+
+      expect(response.status).to eq(201)
+    end
+
     it 'imports a theme' do
       post "/admin/themes/import.json", params: { theme: theme_json_file }
       expect(response.status).to eq(201)