Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-11-13 17:11:08 -05:00
Code Issues Projects Releases Packages Wiki Activity

AB#2046 : Add option to create SSH users for the first coordinator upon initialization (#133)

Browse source 
* Move `file`, `ssh` and `user` packages to internal
* Rename `SSHKey` to `(ssh.)UserKey`
* Rename KeyValue / Publickey to PublicKey
* Rename SSH key file from "debugd" to "ssh-keys"
* Add CreateSSHUsers function to Core
* Call CreateSSHUsers users on first control-plane node, when defined in config

Tests:
* Make StubUserCreator add entries to /etc/passwd
* Add NewLinuxUserManagerFake for unit tests
* Add unit tests & adjust existing ones to changes
This commit is contained in:
Nils Hanke 2022-05-16 17:32:00 +02:00 committed by GitHub
parent 5dc2e71d80
commit 68092f27dd
63 changed files with 879 additions and 554 deletions
Download patch file Download diff file Expand all files Collapse all files

8
debugd/cdbg/cmd/deploy.go
View file

@ -8,16 +8,16 @@ import (
"log"
"net"
"github.com/edgelesssys/constellation/cli/file"
"github.com/edgelesssys/constellation/debugd/cdbg/config"
"github.com/edgelesssys/constellation/debugd/cdbg/state"
"github.com/edgelesssys/constellation/debugd/coordinator"
"github.com/edgelesssys/constellation/debugd/debugd"
depl "github.com/edgelesssys/constellation/debugd/debugd/deploy"
pb "github.com/edgelesssys/constellation/debugd/service"
"github.com/edgelesssys/constellation/debugd/ssh"
configc "github.com/edgelesssys/constellation/internal/config"
"github.com/edgelesssys/constellation/internal/constants"
"github.com/edgelesssys/constellation/internal/deploy/ssh"
"github.com/edgelesssys/constellation/internal/file"
statec "github.com/edgelesssys/constellation/internal/state"
"github.com/spf13/afero"
"github.com/spf13/cobra"
@ -105,7 +105,7 @@ type deployOnEndpointInput struct {
debugdEndpoint string
coordinatorPath string
reader fileToStreamReader
authorizedKeys []ssh.SSHKey
authorizedKeys []ssh.UserKey
systemdUnits []depl.SystemdUnit
}
@ -126,7 +126,7 @@ func deployOnEndpoint(ctx context.Context, in deployOnEndpointInput) error {
for _, key := range in.authorizedKeys {
pbKeys = append(pbKeys, &pb.AuthorizedKey{
Username: key.Username,
KeyValue: key.KeyValue,
KeyValue: key.PublicKey,
})
}
authorizedKeysResponse, err := client.UploadAuthorizedKeys(ctx, &pb.UploadAuthorizedKeysRequest{Keys: pbKeys}, grpc.WaitForReady(true))

6
debugd/cdbg/config/config.go
View file

@ -5,9 +5,9 @@ import (
"fmt"
"io/fs"
"github.com/edgelesssys/constellation/cli/file"
"github.com/edgelesssys/constellation/debugd/debugd/deploy"
"github.com/edgelesssys/constellation/debugd/ssh"
"github.com/edgelesssys/constellation/internal/deploy/ssh"
"github.com/edgelesssys/constellation/internal/file"
)
// CDBGConfig describes the constellation-cli config file.
@ -17,7 +17,7 @@ type CDBGConfig struct {
// ConstellationDebugdConfig is the cdbg specific configuration.
type ConstellationDebugdConfig struct {
AuthorizedKeys []ssh.SSHKey `yaml:"authorizedKeys"`
AuthorizedKeys []ssh.UserKey `yaml:"authorizedKeys"`
CoordinatorPath string `yaml:"coordinatorPath"`
SystemdUnits []deploy.SystemdUnit `yaml:"systemdUnits,omitempty"`
}

7
debugd/debugd/cmd/debugd/debugd.go
View file

@ -13,6 +13,8 @@ import (
"github.com/edgelesssys/constellation/debugd/debugd/metadata/cloudprovider"
"github.com/edgelesssys/constellation/debugd/debugd/metadata/fallback"
"github.com/edgelesssys/constellation/debugd/debugd/server"
"github.com/edgelesssys/constellation/internal/deploy/ssh"
"github.com/edgelesssys/constellation/internal/deploy/user"
"github.com/spf13/afero"
"golang.org/x/net/context"
)
@ -20,9 +22,10 @@ import (
func main() {
wg := &sync.WaitGroup{}
streamer := coordinator.NewFileStreamer(afero.NewOsFs())
fs := afero.NewOsFs()
streamer := coordinator.NewFileStreamer(fs)
serviceManager := deploy.NewServiceManager()
ssh := deploy.NewSSHAccess(afero.NewOsFs())
ssh := ssh.NewSSHAccess(user.NewLinuxUserManager(fs))
ctx, cancel := context.WithCancel(context.Background())
defer cancel()

25
debugd/debugd/deploy/createuser/create_user.go
View file

@ -1,25 +0,0 @@
package createuser
import (
"context"
"fmt"
"os/exec"
)
type Unix struct{}
// reference: https://man7.org/linux/man-pages/man8/useradd.8.html#EXIT_VALUES
const exitCodeUsernameAlreadyInUse = 9
// CreateUser creates a new user with sudo access. Returns successfully if creation succeeds or user existed already.
func (u Unix) CreateUser(ctx context.Context, username string) error {
cmd := exec.CommandContext(ctx, "useradd", "-m", "-G", "wheel,sudo", username)
if err := cmd.Run(); err != nil {
// do not fail if user already exists
if exitError, ok := err.(*exec.ExitError); ok && exitError.ExitCode() == exitCodeUsernameAlreadyInUse {
return nil
}
return fmt.Errorf("creating a new user failed: %w", err)
}
return nil
}

84
debugd/debugd/deploy/linux_user.go
View file

@ -1,84 +0,0 @@
package deploy
import (
"context"
"errors"
"fmt"
"strconv"
"github.com/edgelesssys/constellation/debugd/debugd/deploy/createuser"
"github.com/edgelesssys/constellation/debugd/debugd/deploy/passwd"
"github.com/spf13/afero"
)
// ErrUserDoesNotExist is returned by GetLinuxUser if a linux user does not exist yet.
var ErrUserDoesNotExist = errors.New("user does not exist")
type passwdParser interface {
Parse(fs afero.Fs) (passwd.Entries, error)
}
type userCreator interface {
CreateUser(ctx context.Context, username string) error
}
// LinuxUser holds relevant information about a linux user (subset of /etc/passwd).
type LinuxUser struct {
Username string
Home string
Uid int
Gid int
}
// LinuxUserManager can retrieve information on linux users and create new users.
type LinuxUserManager struct {
fs afero.Fs
passwd passwdParser
creator userCreator
}
// NewLinuxUserManager creates a new LinuxUserManager.
func NewLinuxUserManager(fs afero.Fs) *LinuxUserManager {
return &LinuxUserManager{
fs: fs,
passwd: passwd.Passwd{},
creator: createuser.Unix{},
}
}
// getLinuxUser tries to find an existing linux user in /etc/passwd.
func (l *LinuxUserManager) getLinuxUser(username string) (LinuxUser, error) {
entries, err := l.passwd.Parse(l.fs)
if err != nil {
return LinuxUser{}, err
}
if _, ok := entries[username]; !ok {
return LinuxUser{}, ErrUserDoesNotExist
}
entry := entries[username]
uid, err := strconv.Atoi(entry.Uid)
if err != nil {
return LinuxUser{}, fmt.Errorf("failed to parse users uid: %w", err)
}
gid, err := strconv.Atoi(entry.Gid)
if err != nil {
return LinuxUser{}, fmt.Errorf("failed to parse users gid: %w", err)
}
return LinuxUser{
Username: username,
Home: entry.Home,
Uid: uid,
Gid: gid,
}, nil
}
// EnsureLinuxUserExists will try to create the user specified by username and call GetLinuxUser to retrieve user information.
func (l *LinuxUserManager) EnsureLinuxUserExists(ctx context.Context, username string) (LinuxUser, error) {
// try to create user (even if it already exists)
if err := l.creator.CreateUser(ctx, username); err != nil {
return LinuxUser{}, err
}
return l.getLinuxUser(username)
}

142
debugd/debugd/deploy/linux_user_test.go
View file

@ -1,142 +0,0 @@
package deploy
import (
"context"
"errors"
"testing"
"github.com/edgelesssys/constellation/debugd/debugd/deploy/passwd"
"github.com/spf13/afero"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestGetLinuxUser(t *testing.T) {
username := "user"
testCases := map[string]struct {
userCreator *stubUserCreator
passwdContents string
wantErr bool
wantUser LinuxUser
}{
"get works": {
userCreator: &stubUserCreator{},
passwdContents: "user:x:1000:1000:user:/home/user:/bin/bash\n",
wantErr: false,
wantUser: LinuxUser{
Username: "user",
Home: "/home/user",
Uid: 1000,
Gid: 1000,
},
},
"user does not exist": {
userCreator: &stubUserCreator{},
passwdContents: "",
wantErr: true,
},
"parse fails": {
userCreator: &stubUserCreator{},
passwdContents: "invalid contents\n",
wantErr: true,
},
"invalid uid": {
userCreator: &stubUserCreator{},
passwdContents: "user:x:invalid:1000:user:/home/user:/bin/bash\n",
wantErr: true,
},
"invalid gid": {
userCreator: &stubUserCreator{},
passwdContents: "user:x:1000:invalid:user:/home/user:/bin/bash\n",
wantErr: true,
},
}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
fs := afero.NewMemMapFs()
assert.NoError(afero.WriteFile(fs, "/etc/passwd", []byte(tc.passwdContents), 0o755))
manager := LinuxUserManager{
fs: fs,
passwd: passwd.Passwd{},
creator: tc.userCreator,
}
user, err := manager.getLinuxUser(username)
if tc.wantErr {
assert.Error(err)
return
}
require.NoError(err)
assert.Equal(tc.wantUser, user)
})
}
}
func TestEnsureLinuxUserExists(t *testing.T) {
username := "user"
testCases := map[string]struct {
userCreator *stubUserCreator
passwdContents string
wantErr bool
wantUser LinuxUser
}{
"create works": {
userCreator: &stubUserCreator{},
passwdContents: "user:x:1000:1000:user:/home/user:/bin/bash\n",
wantErr: false,
wantUser: LinuxUser{
Username: "user",
Home: "/home/user",
Uid: 1000,
Gid: 1000,
},
},
"create fails": {
userCreator: &stubUserCreator{
createUserErr: errors.New("create fails"),
},
passwdContents: "user:x:1000:1000:user:/home/user:/bin/bash\n",
wantErr: true,
},
}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
fs := afero.NewMemMapFs()
assert.NoError(afero.WriteFile(fs, "/etc/passwd", []byte(tc.passwdContents), 0o755))
manager := LinuxUserManager{
fs: fs,
passwd: passwd.Passwd{},
creator: tc.userCreator,
}
user, err := manager.EnsureLinuxUserExists(context.Background(), username)
if tc.wantErr {
assert.Error(err)
return
}
require.NoError(err)
assert.Equal(tc.wantUser, user)
assert.ElementsMatch([]string{username}, tc.userCreator.usernames)
})
}
}
type stubUserCreator struct {
usernames []string
createUserErr error
}
func (s *stubUserCreator) CreateUser(ctx context.Context, username string) error {
s.usernames = append(s.usernames, username)
return s.createUserErr
}

28
debugd/debugd/deploy/passwd/passwd.go
View file

@ -1,28 +0,0 @@
package passwd
import (
"github.com/spf13/afero"
"github.com/willdonnelly/passwd"
)
// An Entry contains all the fields for a specific user. Re-exported to allow other module to only import this passwd module.
type Entries map[string]passwd.Entry
type Passwd struct{}
// Parse opens the '/etc/passwd' file and parses it into a map from usernames to Entries.
func (p Passwd) Parse(fs afero.Fs) (Entries, error) {
return p.parseFile(fs, "/etc/passwd")
}
// parseFile opens the file and parses it into a map from usernames to Entries.
func (p Passwd) parseFile(fs afero.Fs, path string) (Entries, error) {
file, err := fs.Open(path)
if err != nil {
return nil, err
}
defer file.Close()
entries, err := passwd.ParseReader(file)
return Entries(entries), err
}

66
debugd/debugd/deploy/passwd/passwd_test.go
View file

@ -1,66 +0,0 @@
package passwd
import (
"testing"
"github.com/spf13/afero"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestParse(t *testing.T) {
filename := "/etc/passwd"
testCases := map[string]struct {
passwdContents string
createFile bool
wantEntries Entries
wantErr bool
}{
"parse works": {
passwdContents: "root:x:0:0:root:/root:/bin/bash\n",
createFile: true,
wantEntries: Entries{
"root": {
Pass: "x",
Uid: "0",
Gid: "0",
Gecos: "root",
Home: "/root",
Shell: "/bin/bash",
},
},
wantErr: false,
},
"passwd is corrupt": {
passwdContents: "too:few:fields\n",
createFile: true,
wantErr: true,
},
"file does not exist": {
createFile: false,
wantErr: true,
},
}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
fs := afero.NewMemMapFs()
if tc.createFile {
assert.NoError(afero.WriteFile(fs, filename, []byte(tc.passwdContents), 0o644))
}
passwd := Passwd{}
entries, err := passwd.Parse(fs)
if tc.wantErr {
assert.Error(err)
return
}
require.NoError(err)
assert.Equal(tc.wantEntries, entries)
})
}
}

94
debugd/debugd/deploy/ssh.go
View file

@ -1,94 +0,0 @@
package deploy
import (
"context"
"fmt"
"log"
"os"
"sync"
"github.com/edgelesssys/constellation/debugd/debugd/deploy/createuser"
"github.com/edgelesssys/constellation/debugd/debugd/deploy/passwd"
"github.com/edgelesssys/constellation/debugd/ssh"
"github.com/spf13/afero"
)
// SSHAccess reads ssh public keys from a channel, creates the specified users if required and writes the public keys to the users authorized_keys file.
type SSHAccess struct {
fs afero.Fs
userManager LinuxUserManager
authorized map[string]bool
mux sync.Mutex
}
// NewSSHAccess creates a new SSHAccess.
func NewSSHAccess(fs afero.Fs) *SSHAccess {
return &SSHAccess{
fs: fs,
userManager: LinuxUserManager{
fs: fs,
passwd: passwd.Passwd{},
creator: createuser.Unix{},
},
mux: sync.Mutex{},
authorized: map[string]bool{},
}
}
// alreadyAuthorized checks if key was written to authorized keys before.
func (s *SSHAccess) alreadyAuthorized(sshKey ssh.SSHKey) bool {
_, ok := s.authorized[fmt.Sprintf("%s:%s", sshKey.Username, sshKey.KeyValue)]
return ok
}
// rememberAuthorized marks this key as already written to authorized keys..
func (s *SSHAccess) rememberAuthorized(sshKey ssh.SSHKey) {
s.authorized[fmt.Sprintf("%s:%s", sshKey.Username, sshKey.KeyValue)] = true
}
func (s *SSHAccess) DeploySSHAuthorizedKey(ctx context.Context, sshKey ssh.SSHKey) error {
// allow only one thread to write to authorized keys, create users and update the authorized map at a time
s.mux.Lock()
defer s.mux.Unlock()
if s.alreadyAuthorized(sshKey) {
return nil
}
log.Printf("Trying to deploy ssh key for %s\n", sshKey.Username)
user, err := s.userManager.EnsureLinuxUserExists(ctx, sshKey.Username)
if err != nil {
return err
}
// CoreOS uses https://github.com/coreos/ssh-key-dir to search for ssh keys in ~/.ssh/authorized_keys.d/*
sshFolder := fmt.Sprintf("%s/.ssh", user.Home)
authorized_keys_d := fmt.Sprintf("%s/authorized_keys.d", sshFolder)
if err := s.fs.MkdirAll(authorized_keys_d, 0o700); err != nil {
return err
}
if err := s.fs.Chown(sshFolder, user.Uid, user.Gid); err != nil {
return err
}
if err := s.fs.Chown(authorized_keys_d, user.Uid, user.Gid); err != nil {
return err
}
authorizedKeysPath := fmt.Sprintf("%s/debugd", authorized_keys_d)
authorizedKeysFile, err := s.fs.OpenFile(authorizedKeysPath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
if err != nil {
return err
}
_, err = authorizedKeysFile.WriteString(fmt.Sprintf("%s %s\n", sshKey.KeyValue, sshKey.Username))
if err != nil {
return err
}
if err := authorizedKeysFile.Close(); err != nil {
return err
}
if err := s.fs.Chown(authorizedKeysPath, user.Uid, user.Gid); err != nil {
return err
}
if err := s.fs.Chmod(authorizedKeysPath, 0o644); err != nil {
return err
}
s.rememberAuthorized(sshKey)
log.Printf("Successfully authorized %s\n", sshKey.Username)
return nil
}

120
debugd/debugd/deploy/ssh_test.go
View file

@ -1,120 +0,0 @@
package deploy
import (
"context"
"sync"
"testing"
"github.com/edgelesssys/constellation/debugd/debugd/deploy/passwd"
"github.com/edgelesssys/constellation/debugd/ssh"
"github.com/spf13/afero"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestDeploySSHAuthorizedKey(t *testing.T) {
authorizedKey := ssh.SSHKey{
Username: "user",
KeyValue: "ssh-rsa testkey",
}
testCases := map[string]struct {
fs afero.Fs
userCreator *stubUserCreator
passwdContents string
alreadyDeployed bool
readonly bool
wantErr bool
wantFile bool
wantFileContents string
}{
"deploy works": {
fs: afero.NewMemMapFs(),
userCreator: &stubUserCreator{},
passwdContents: "user:x:1000:1000:user:/home/user:/bin/bash\n",
wantErr: false,
wantFile: true,
wantFileContents: "ssh-rsa testkey user\n",
},
"appending ssh key works": {
fs: memMapFsWithFile("/home/user/.ssh/authorized_keys.d/debugd", "ssh-rsa preexistingkey user\n"),
userCreator: &stubUserCreator{},
passwdContents: "user:x:1000:1000:user:/home/user:/bin/bash\n",
wantErr: false,
wantFile: true,
wantFileContents: "ssh-rsa preexistingkey user\nssh-rsa testkey user\n",
},
"redeployment avoided": {
fs: afero.NewMemMapFs(),
userCreator: &stubUserCreator{},
passwdContents: "user:x:1000:1000:user:/home/user:/bin/bash\n",
wantErr: false,
alreadyDeployed: true,
wantFile: false,
},
"user does not exist": {
fs: afero.NewMemMapFs(),
userCreator: &stubUserCreator{},
passwdContents: "",
wantErr: true,
},
"readonly fs": {
fs: afero.NewMemMapFs(),
userCreator: &stubUserCreator{},
passwdContents: "user:x:1000:1000:user:/home/user:/bin/bash\n",
readonly: true,
wantErr: true,
},
}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
assert.NoError(afero.WriteFile(tc.fs, "/etc/passwd", []byte(tc.passwdContents), 0o755))
if tc.readonly {
tc.fs = afero.NewReadOnlyFs(tc.fs)
}
authorized := map[string]bool{}
if tc.alreadyDeployed {
authorized["user:ssh-rsa testkey"] = true
}
sshAccess := SSHAccess{
fs: tc.fs,
userManager: LinuxUserManager{
fs: tc.fs,
passwd: passwd.Passwd{},
creator: tc.userCreator,
},
mux: sync.Mutex{},
authorized: authorized,
}
err := sshAccess.DeploySSHAuthorizedKey(context.Background(), authorizedKey)
if tc.wantErr {
assert.Error(err)
return
}
require.NoError(err)
if tc.wantFile {
fileContents, err := afero.ReadFile(tc.fs, "/home/user/.ssh/authorized_keys.d/debugd")
assert.NoError(err)
assert.Equal(tc.wantFileContents, string(fileContents))
} else {
exists, err := afero.Exists(tc.fs, "/home/user/.ssh/authorized_keys.d/debugd")
assert.NoError(err)
assert.False(exists)
}
})
}
}
func memMapFsWithFile(path string, contents string) afero.Fs {
fs := afero.NewMemMapFs()
err := afero.WriteFile(fs, path, []byte(contents), 0o755)
if err != nil {
panic(err)
}
return fs
}

8
debugd/debugd/metadata/cloudprovider/cloudprovider.go
View file

@ -7,7 +7,7 @@ import (
azurecloud "github.com/edgelesssys/constellation/coordinator/cloudprovider/azure"
gcpcloud "github.com/edgelesssys/constellation/coordinator/cloudprovider/gcp"
"github.com/edgelesssys/constellation/coordinator/core"
"github.com/edgelesssys/constellation/debugd/ssh"
"github.com/edgelesssys/constellation/internal/deploy/ssh"
)
type providerMetadata interface {
@ -72,16 +72,16 @@ func (f *Fetcher) DiscoverDebugdIPs(ctx context.Context) ([]string, error) {
}
// FetchSSHKeys will query the metadata of the current instance and deploys any SSH keys found.
func (f *Fetcher) FetchSSHKeys(ctx context.Context) ([]ssh.SSHKey, error) {
func (f *Fetcher) FetchSSHKeys(ctx context.Context) ([]ssh.UserKey, error) {
self, err := f.metaAPI.Self(ctx)
if err != nil {
return nil, fmt.Errorf("retrieving ssh keys from cloud provider metadata failed: %w", err)
}
keys := []ssh.SSHKey{}
keys := []ssh.UserKey{}
for username, userKeys := range self.SSHKeys {
for _, keyValue := range userKeys {
keys = append(keys, ssh.SSHKey{Username: username, KeyValue: keyValue})
keys = append(keys, ssh.UserKey{Username: username, PublicKey: keyValue})
}
}

10
debugd/debugd/metadata/cloudprovider/cloudprovider_test.go
View file

@ -6,7 +6,7 @@ import (
"testing"
"github.com/edgelesssys/constellation/coordinator/core"
"github.com/edgelesssys/constellation/debugd/ssh"
"github.com/edgelesssys/constellation/internal/deploy/ssh"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
@ -70,7 +70,7 @@ func TestFetchSSHKeys(t *testing.T) {
testCases := map[string]struct {
meta stubMetadata
wantKeys []ssh.SSHKey
wantKeys []ssh.UserKey
wantErr bool
}{
"fetch works": {
@ -81,10 +81,10 @@ func TestFetchSSHKeys(t *testing.T) {
SSHKeys: map[string][]string{"bob": {"ssh-rsa bobskey"}},
},
},
wantKeys: []ssh.SSHKey{
wantKeys: []ssh.UserKey{
{
Username: "bob",
KeyValue: "ssh-rsa bobskey",
Username: "bob",
PublicKey: "ssh-rsa bobskey",
},
},
},

4
debugd/debugd/metadata/fallback/fallback.go
View file

@ -3,7 +3,7 @@ package fallback
import (
"context"
"github.com/edgelesssys/constellation/debugd/ssh"
"github.com/edgelesssys/constellation/internal/deploy/ssh"
)
// Fetcher implements metadata.Fetcher interface but does not actually fetch cloud provider metadata.
@ -14,7 +14,7 @@ func (f Fetcher) DiscoverDebugdIPs(ctx context.Context) ([]string, error) {
return nil, nil
}
func (f Fetcher) FetchSSHKeys(ctx context.Context) ([]ssh.SSHKey, error) {
func (f Fetcher) FetchSSHKeys(ctx context.Context) ([]ssh.UserKey, error) {
// Fallback fetcher does not try to fetch ssh keys
return nil, nil
}

8
debugd/debugd/metadata/scheduler.go
View file

@ -9,13 +9,13 @@ import (
"time"
"github.com/edgelesssys/constellation/debugd/debugd"
"github.com/edgelesssys/constellation/debugd/ssh"
"github.com/edgelesssys/constellation/internal/deploy/ssh"
)
// Fetcher retrieves other debugd IPs and SSH keys from cloud provider metadata.
type Fetcher interface {
DiscoverDebugdIPs(ctx context.Context) ([]string, error)
FetchSSHKeys(ctx context.Context) ([]ssh.SSHKey, error)
FetchSSHKeys(ctx context.Context) ([]ssh.UserKey, error)
}
// Scheduler schedules fetching of metadata using timers.
@ -122,7 +122,7 @@ func (s *Scheduler) downloadCoordinator(ctx context.Context, ips []string) (succ
}
// deploySSHKeys tries to deploy a list of SSH keys and logs errors encountered.
func (s *Scheduler) deploySSHKeys(ctx context.Context, keys []ssh.SSHKey) {
func (s *Scheduler) deploySSHKeys(ctx context.Context, keys []ssh.UserKey) {
for _, key := range keys {
err := s.ssh.DeploySSHAuthorizedKey(ctx, key)
if err != nil {
@ -137,5 +137,5 @@ type downloader interface {
}
type sshDeployer interface {
DeploySSHAuthorizedKey(ctx context.Context, sshKey ssh.SSHKey) error
DeploySSHAuthorizedKey(ctx context.Context, sshKey ssh.UserKey) error
}

24
debugd/debugd/metadata/scheduler_test.go
View file

@ -7,7 +7,7 @@ import (
"testing"
"time"
"github.com/edgelesssys/constellation/debugd/ssh"
"github.com/edgelesssys/constellation/internal/deploy/ssh"
"github.com/stretchr/testify/assert"
)
@ -17,23 +17,23 @@ func TestSchedulerStart(t *testing.T) {
ssh stubSSHDeployer
downloader stubDownloader
timeout time.Duration
wantSSHKeys []ssh.SSHKey
wantSSHKeys []ssh.UserKey
wantDebugdDownloads []string
}{
"scheduler works and calls fetcher functions at least once": {},
"ssh keys are fetched": {
fetcher: stubFetcher{
keys: []ssh.SSHKey{
keys: []ssh.UserKey{
{
Username: "test",
KeyValue: "testkey",
Username: "test",
PublicKey: "testkey",
},
},
},
wantSSHKeys: []ssh.SSHKey{
wantSSHKeys: []ssh.UserKey{
{
Username: "test",
KeyValue: "testkey",
Username: "test",
PublicKey: "testkey",
},
},
},
@ -95,7 +95,7 @@ type stubFetcher struct {
fetchSSHKeysCalls int
ips []string
keys []ssh.SSHKey
keys []ssh.UserKey
discoverErr error
fetchSSHKeysErr error
}
@ -105,18 +105,18 @@ func (s *stubFetcher) DiscoverDebugdIPs(ctx context.Context) ([]string, error) {
return s.ips, s.discoverErr
}
func (s *stubFetcher) FetchSSHKeys(ctx context.Context) ([]ssh.SSHKey, error) {
func (s *stubFetcher) FetchSSHKeys(ctx context.Context) ([]ssh.UserKey, error) {
s.fetchSSHKeysCalls++
return s.keys, s.fetchSSHKeysErr
}
type stubSSHDeployer struct {
sshKeys []ssh.SSHKey
sshKeys []ssh.UserKey
deployErr error
}
func (s *stubSSHDeployer) DeploySSHAuthorizedKey(ctx context.Context, sshKey ssh.SSHKey) error {
func (s *stubSSHDeployer) DeploySSHAuthorizedKey(ctx context.Context, sshKey ssh.UserKey) error {
s.sshKeys = append(s.sshKeys, sshKey)
return s.deployErr

6
debugd/debugd/server/server.go
View file

@ -13,7 +13,7 @@ import (
"github.com/edgelesssys/constellation/debugd/debugd"
"github.com/edgelesssys/constellation/debugd/debugd/deploy"
pb "github.com/edgelesssys/constellation/debugd/service"
"github.com/edgelesssys/constellation/debugd/ssh"
"github.com/edgelesssys/constellation/internal/deploy/ssh"
"google.golang.org/grpc"
)
@ -37,7 +37,7 @@ func New(ssh sshDeployer, serviceManager serviceManager, streamer streamer) pb.D
func (s *debugdServer) UploadAuthorizedKeys(ctx context.Context, in *pb.UploadAuthorizedKeysRequest) (*pb.UploadAuthorizedKeysResponse, error) {
log.Println("Uploading authorized keys")
for _, key := range in.Keys {
if err := s.ssh.DeploySSHAuthorizedKey(ctx, ssh.SSHKey{Username: key.Username, KeyValue: key.KeyValue}); err != nil {
if err := s.ssh.DeploySSHAuthorizedKey(ctx, ssh.UserKey{Username: key.Username, PublicKey: key.KeyValue}); err != nil {
log.Printf("Uploading authorized keys failed: %v\n", err)
return &pb.UploadAuthorizedKeysResponse{
Status: pb.UploadAuthorizedKeysStatus_UPLOAD_AUTHORIZED_KEYS_FAILURE,
@ -117,7 +117,7 @@ func Start(wg *sync.WaitGroup, serv pb.DebugdServer) {
}
type sshDeployer interface {
DeploySSHAuthorizedKey(ctx context.Context, sshKey ssh.SSHKey) error
DeploySSHAuthorizedKey(ctx context.Context, sshKey ssh.UserKey) error
}
type serviceManager interface {

20
debugd/debugd/server/server_test.go
View file

@ -12,7 +12,7 @@ import (
"github.com/edgelesssys/constellation/debugd/coordinator"
"github.com/edgelesssys/constellation/debugd/debugd/deploy"
pb "github.com/edgelesssys/constellation/debugd/service"
"github.com/edgelesssys/constellation/debugd/ssh"
"github.com/edgelesssys/constellation/internal/deploy/ssh"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/grpc"
@ -28,7 +28,7 @@ func TestUploadAuthorizedKeys(t *testing.T) {
request *pb.UploadAuthorizedKeysRequest
wantErr bool
wantResponseStatus pb.UploadAuthorizedKeysStatus
wantKeys []ssh.SSHKey
wantKeys []ssh.UserKey
}{
"upload authorized keys works": {
request: &pb.UploadAuthorizedKeysRequest{
@ -40,10 +40,10 @@ func TestUploadAuthorizedKeys(t *testing.T) {
},
},
wantResponseStatus: pb.UploadAuthorizedKeysStatus_UPLOAD_AUTHORIZED_KEYS_SUCCESS,
wantKeys: []ssh.SSHKey{
wantKeys: []ssh.UserKey{
{
Username: "testuser",
KeyValue: "teskey",
Username: "testuser",
PublicKey: "teskey",
},
},
},
@ -58,10 +58,10 @@ func TestUploadAuthorizedKeys(t *testing.T) {
},
ssh: stubSSHDeployer{deployErr: errors.New("ssh key deployment error")},
wantResponseStatus: pb.UploadAuthorizedKeysStatus_UPLOAD_AUTHORIZED_KEYS_FAILURE,
wantKeys: []ssh.SSHKey{
wantKeys: []ssh.UserKey{
{
Username: "testuser",
KeyValue: "teskey",
Username: "testuser",
PublicKey: "teskey",
},
},
},
@ -323,12 +323,12 @@ func TestUploadSystemServiceUnits(t *testing.T) {
}
type stubSSHDeployer struct {
sshKeys []ssh.SSHKey
sshKeys []ssh.UserKey
deployErr error
}
func (s *stubSSHDeployer) DeploySSHAuthorizedKey(ctx context.Context, sshKey ssh.SSHKey) error {
func (s *stubSSHDeployer) DeploySSHAuthorizedKey(ctx context.Context, sshKey ssh.UserKey) error {
s.sshKeys = append(s.sshKeys, sshKey)
return s.deployErr

7
debugd/ssh/sshkey.go
View file

@ -1,7 +0,0 @@
package ssh
// SSHKey describes a public ssh key.
type SSHKey struct {
Username string `yaml:"user"`
KeyValue string `yaml:"pubkey"`
}