573 lines
27 KiB
Diff
573 lines
27 KiB
Diff
From 8e168f17b0c138d589f7b3bea4a4b6fcc8e5e03f Mon Sep 17 00:00:00 2001
|
|
From: Eduardo Otubo <otubo@redhat.com>
|
|
Date: Wed, 6 Mar 2019 14:20:18 +0100
|
|
Subject: azure: Filter list of ssh keys pulled from fabric
|
|
|
|
RH-Author: Eduardo Otubo <otubo@redhat.com>
|
|
Message-id: <20190306142018.8902-1-otubo@redhat.com>
|
|
Patchwork-id: 84807
|
|
O-Subject: [RHEL-7.7 cloud-init PATCH] azure: Filter list of ssh keys pulled from fabric
|
|
Bugzilla: 1684040
|
|
RH-Acked-by: Cathy Avery <cavery@redhat.com>
|
|
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
|
|
|
From: "Jason Zions (MSFT)" <jasonzio@microsoft.com>
|
|
|
|
commit 34f54360fcc1e0f805002a0b639d0a84eb2cb8ee
|
|
Author: Jason Zions (MSFT) <jasonzio@microsoft.com>
|
|
Date: Fri Feb 22 13:26:31 2019 +0000
|
|
|
|
azure: Filter list of ssh keys pulled from fabric
|
|
|
|
The Azure data source is expected to expose a list of
|
|
ssh keys for the user-to-be-provisioned in the crawled
|
|
metadata. When configured to use the __builtin__ agent
|
|
this list is built by the WALinuxAgentShim. The shim
|
|
retrieves the full set of certificates and public keys
|
|
exposed to the VM from the wireserver, extracts any
|
|
ssh keys it can, and returns that list.
|
|
|
|
This fix reduces that list of ssh keys to just the
|
|
ones whose fingerprints appear in the "administrative
|
|
user" section of the ovf-env.xml file. The Azure
|
|
control plane exposes other ssh keys to the VM for
|
|
other reasons, but those should not be added to the
|
|
authorized_keys file for the provisioned user.
|
|
|
|
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
|
|
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
|
|
---
|
|
cloudinit/sources/DataSourceAzure.py | 13 +-
|
|
cloudinit/sources/helpers/azure.py | 109 +++++++++----
|
|
.../azure/parse_certificates_fingerprints | 4 +
|
|
tests/data/azure/parse_certificates_pem | 152 ++++++++++++++++++
|
|
tests/data/azure/pubkey_extract_cert | 13 ++
|
|
tests/data/azure/pubkey_extract_ssh_key | 1 +
|
|
.../test_datasource/test_azure_helper.py | 71 +++++++-
|
|
7 files changed, 322 insertions(+), 41 deletions(-)
|
|
create mode 100644 tests/data/azure/parse_certificates_fingerprints
|
|
create mode 100644 tests/data/azure/parse_certificates_pem
|
|
create mode 100644 tests/data/azure/pubkey_extract_cert
|
|
create mode 100644 tests/data/azure/pubkey_extract_ssh_key
|
|
|
|
diff --git a/cloudinit/sources/DataSourceAzure.py b/cloudinit/sources/DataSourceAzure.py
|
|
index 7dbeb04c..2062ca5d 100644
|
|
--- a/cloudinit/sources/DataSourceAzure.py
|
|
+++ b/cloudinit/sources/DataSourceAzure.py
|
|
@@ -627,9 +627,11 @@ class DataSourceAzure(sources.DataSource):
|
|
if self.ds_cfg['agent_command'] == AGENT_START_BUILTIN:
|
|
self.bounce_network_with_azure_hostname()
|
|
|
|
+ pubkey_info = self.cfg.get('_pubkeys', None)
|
|
metadata_func = partial(get_metadata_from_fabric,
|
|
fallback_lease_file=self.
|
|
- dhclient_lease_file)
|
|
+ dhclient_lease_file,
|
|
+ pubkey_info=pubkey_info)
|
|
else:
|
|
metadata_func = self.get_metadata_from_agent
|
|
|
|
@@ -642,6 +644,7 @@ class DataSourceAzure(sources.DataSource):
|
|
"Error communicating with Azure fabric; You may experience."
|
|
"connectivity issues.", exc_info=True)
|
|
return False
|
|
+
|
|
util.del_file(REPORTED_READY_MARKER_FILE)
|
|
util.del_file(REPROVISION_MARKER_FILE)
|
|
return fabric_data
|
|
@@ -909,13 +912,15 @@ def find_child(node, filter_func):
|
|
def load_azure_ovf_pubkeys(sshnode):
|
|
# This parses a 'SSH' node formatted like below, and returns
|
|
# an array of dicts.
|
|
- # [{'fp': '6BE7A7C3C8A8F4B123CCA5D0C2F1BE4CA7B63ED7',
|
|
- # 'path': 'where/to/go'}]
|
|
+ # [{'fingerprint': '6BE7A7C3C8A8F4B123CCA5D0C2F1BE4CA7B63ED7',
|
|
+ # 'path': '/where/to/go'}]
|
|
#
|
|
# <SSH><PublicKeys>
|
|
- # <PublicKey><Fingerprint>ABC</FingerPrint><Path>/ABC</Path>
|
|
+ # <PublicKey><Fingerprint>ABC</FingerPrint><Path>/x/y/z</Path>
|
|
# ...
|
|
# </PublicKeys></SSH>
|
|
+ # Under some circumstances, there may be a <Value> element along with the
|
|
+ # Fingerprint and Path. Pass those along if they appear.
|
|
results = find_child(sshnode, lambda n: n.localName == "PublicKeys")
|
|
if len(results) == 0:
|
|
return []
|
|
diff --git a/cloudinit/sources/helpers/azure.py b/cloudinit/sources/helpers/azure.py
|
|
index e5696b1f..2829dd20 100644
|
|
--- a/cloudinit/sources/helpers/azure.py
|
|
+++ b/cloudinit/sources/helpers/azure.py
|
|
@@ -138,9 +138,36 @@ class OpenSSLManager(object):
|
|
self.certificate = certificate
|
|
LOG.debug('New certificate generated.')
|
|
|
|
- def parse_certificates(self, certificates_xml):
|
|
- tag = ElementTree.fromstring(certificates_xml).find(
|
|
- './/Data')
|
|
+ @staticmethod
|
|
+ def _run_x509_action(action, cert):
|
|
+ cmd = ['openssl', 'x509', '-noout', action]
|
|
+ result, _ = util.subp(cmd, data=cert)
|
|
+ return result
|
|
+
|
|
+ def _get_ssh_key_from_cert(self, certificate):
|
|
+ pub_key = self._run_x509_action('-pubkey', certificate)
|
|
+ keygen_cmd = ['ssh-keygen', '-i', '-m', 'PKCS8', '-f', '/dev/stdin']
|
|
+ ssh_key, _ = util.subp(keygen_cmd, data=pub_key)
|
|
+ return ssh_key
|
|
+
|
|
+ def _get_fingerprint_from_cert(self, certificate):
|
|
+ """openssl x509 formats fingerprints as so:
|
|
+ 'SHA1 Fingerprint=07:3E:19:D1:4D:1C:79:92:24:C6:A0:FD:8D:DA:\
|
|
+ B6:A8:BF:27:D4:73\n'
|
|
+
|
|
+ Azure control plane passes that fingerprint as so:
|
|
+ '073E19D14D1C799224C6A0FD8DDAB6A8BF27D473'
|
|
+ """
|
|
+ raw_fp = self._run_x509_action('-fingerprint', certificate)
|
|
+ eq = raw_fp.find('=')
|
|
+ octets = raw_fp[eq+1:-1].split(':')
|
|
+ return ''.join(octets)
|
|
+
|
|
+ def _decrypt_certs_from_xml(self, certificates_xml):
|
|
+ """Decrypt the certificates XML document using the our private key;
|
|
+ return the list of certs and private keys contained in the doc.
|
|
+ """
|
|
+ tag = ElementTree.fromstring(certificates_xml).find('.//Data')
|
|
certificates_content = tag.text
|
|
lines = [
|
|
b'MIME-Version: 1.0',
|
|
@@ -151,32 +178,30 @@ class OpenSSLManager(object):
|
|
certificates_content.encode('utf-8'),
|
|
]
|
|
with cd(self.tmpdir):
|
|
- with open('Certificates.p7m', 'wb') as f:
|
|
- f.write(b'\n'.join(lines))
|
|
out, _ = util.subp(
|
|
- 'openssl cms -decrypt -in Certificates.p7m -inkey'
|
|
+ 'openssl cms -decrypt -in /dev/stdin -inkey'
|
|
' {private_key} -recip {certificate} | openssl pkcs12 -nodes'
|
|
' -password pass:'.format(**self.certificate_names),
|
|
- shell=True)
|
|
- private_keys, certificates = [], []
|
|
+ shell=True, data=b'\n'.join(lines))
|
|
+ return out
|
|
+
|
|
+ def parse_certificates(self, certificates_xml):
|
|
+ """Given the Certificates XML document, return a dictionary of
|
|
+ fingerprints and associated SSH keys derived from the certs."""
|
|
+ out = self._decrypt_certs_from_xml(certificates_xml)
|
|
current = []
|
|
+ keys = {}
|
|
for line in out.splitlines():
|
|
current.append(line)
|
|
if re.match(r'[-]+END .*?KEY[-]+$', line):
|
|
- private_keys.append('\n'.join(current))
|
|
+ # ignore private_keys
|
|
current = []
|
|
elif re.match(r'[-]+END .*?CERTIFICATE[-]+$', line):
|
|
- certificates.append('\n'.join(current))
|
|
+ certificate = '\n'.join(current)
|
|
+ ssh_key = self._get_ssh_key_from_cert(certificate)
|
|
+ fingerprint = self._get_fingerprint_from_cert(certificate)
|
|
+ keys[fingerprint] = ssh_key
|
|
current = []
|
|
- keys = []
|
|
- for certificate in certificates:
|
|
- with cd(self.tmpdir):
|
|
- public_key, _ = util.subp(
|
|
- 'openssl x509 -noout -pubkey |'
|
|
- 'ssh-keygen -i -m PKCS8 -f /dev/stdin',
|
|
- data=certificate,
|
|
- shell=True)
|
|
- keys.append(public_key)
|
|
return keys
|
|
|
|
|
|
@@ -206,7 +231,6 @@ class WALinuxAgentShim(object):
|
|
self.dhcpoptions = dhcp_options
|
|
self._endpoint = None
|
|
self.openssl_manager = None
|
|
- self.values = {}
|
|
self.lease_file = fallback_lease_file
|
|
|
|
def clean_up(self):
|
|
@@ -328,8 +352,9 @@ class WALinuxAgentShim(object):
|
|
LOG.debug('Azure endpoint found at %s', endpoint_ip_address)
|
|
return endpoint_ip_address
|
|
|
|
- def register_with_azure_and_fetch_data(self):
|
|
- self.openssl_manager = OpenSSLManager()
|
|
+ def register_with_azure_and_fetch_data(self, pubkey_info=None):
|
|
+ if self.openssl_manager is None:
|
|
+ self.openssl_manager = OpenSSLManager()
|
|
http_client = AzureEndpointHttpClient(self.openssl_manager.certificate)
|
|
LOG.info('Registering with Azure...')
|
|
attempts = 0
|
|
@@ -347,16 +372,37 @@ class WALinuxAgentShim(object):
|
|
attempts += 1
|
|
LOG.debug('Successfully fetched GoalState XML.')
|
|
goal_state = GoalState(response.contents, http_client)
|
|
- public_keys = []
|
|
- if goal_state.certificates_xml is not None:
|
|
+ ssh_keys = []
|
|
+ if goal_state.certificates_xml is not None and pubkey_info is not None:
|
|
LOG.debug('Certificate XML found; parsing out public keys.')
|
|
- public_keys = self.openssl_manager.parse_certificates(
|
|
+ keys_by_fingerprint = self.openssl_manager.parse_certificates(
|
|
goal_state.certificates_xml)
|
|
- data = {
|
|
- 'public-keys': public_keys,
|
|
- }
|
|
+ ssh_keys = self._filter_pubkeys(keys_by_fingerprint, pubkey_info)
|
|
self._report_ready(goal_state, http_client)
|
|
- return data
|
|
+ return {'public-keys': ssh_keys}
|
|
+
|
|
+ def _filter_pubkeys(self, keys_by_fingerprint, pubkey_info):
|
|
+ """cloud-init expects a straightforward array of keys to be dropped
|
|
+ into the user's authorized_keys file. Azure control plane exposes
|
|
+ multiple public keys to the VM via wireserver. Select just the
|
|
+ user's key(s) and return them, ignoring any other certs.
|
|
+ """
|
|
+ keys = []
|
|
+ for pubkey in pubkey_info:
|
|
+ if 'value' in pubkey and pubkey['value']:
|
|
+ keys.append(pubkey['value'])
|
|
+ elif 'fingerprint' in pubkey and pubkey['fingerprint']:
|
|
+ fingerprint = pubkey['fingerprint']
|
|
+ if fingerprint in keys_by_fingerprint:
|
|
+ keys.append(keys_by_fingerprint[fingerprint])
|
|
+ else:
|
|
+ LOG.warning("ovf-env.xml specified PublicKey fingerprint "
|
|
+ "%s not found in goalstate XML", fingerprint)
|
|
+ else:
|
|
+ LOG.warning("ovf-env.xml specified PublicKey with neither "
|
|
+ "value nor fingerprint: %s", pubkey)
|
|
+
|
|
+ return keys
|
|
|
|
def _report_ready(self, goal_state, http_client):
|
|
LOG.debug('Reporting ready to Azure fabric.')
|
|
@@ -373,11 +419,12 @@ class WALinuxAgentShim(object):
|
|
LOG.info('Reported ready to Azure fabric.')
|
|
|
|
|
|
-def get_metadata_from_fabric(fallback_lease_file=None, dhcp_opts=None):
|
|
+def get_metadata_from_fabric(fallback_lease_file=None, dhcp_opts=None,
|
|
+ pubkey_info=None):
|
|
shim = WALinuxAgentShim(fallback_lease_file=fallback_lease_file,
|
|
dhcp_options=dhcp_opts)
|
|
try:
|
|
- return shim.register_with_azure_and_fetch_data()
|
|
+ return shim.register_with_azure_and_fetch_data(pubkey_info=pubkey_info)
|
|
finally:
|
|
shim.clean_up()
|
|
|
|
diff --git a/tests/data/azure/parse_certificates_fingerprints b/tests/data/azure/parse_certificates_fingerprints
|
|
new file mode 100644
|
|
index 00000000..f7293c56
|
|
--- /dev/null
|
|
+++ b/tests/data/azure/parse_certificates_fingerprints
|
|
@@ -0,0 +1,4 @@
|
|
+ECEDEB3B8488D31AF3BC4CCED493F64B7D27D7B1
|
|
+073E19D14D1C799224C6A0FD8DDAB6A8BF27D473
|
|
+4C16E7FAD6297D74A9B25EB8F0A12808CEBE293E
|
|
+929130695289B450FE45DCD5F6EF0CDE69865867
|
|
diff --git a/tests/data/azure/parse_certificates_pem b/tests/data/azure/parse_certificates_pem
|
|
new file mode 100644
|
|
index 00000000..3521ea3a
|
|
--- /dev/null
|
|
+++ b/tests/data/azure/parse_certificates_pem
|
|
@@ -0,0 +1,152 @@
|
|
+Bag Attributes
|
|
+ localKeyID: 01 00 00 00
|
|
+ Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
|
|
+Key Attributes
|
|
+ X509v3 Key Usage: 10
|
|
+-----BEGIN PRIVATE KEY-----
|
|
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDlEe5fUqwdrQTP
|
|
+W2oVlGK2f31q/8ULT8KmOTyUvL0RPdJQ69vvHOc5Q2CKg2eviHC2LWhF8WmpnZj6
|
|
+61RL0GeFGizwvU8Moebw5p3oqdcgoGpHVtxf+mr4QcWF58/Fwez0dA4hcsimVNBz
|
|
+eNpBBUIKNBMTBG+4d6hcQBUAGKUdGRcCGEyTqXLU0MgHjxC9JgVqWJl+X2LcAGj5
|
|
+7J+tGYGTLzKJmeCeGVNN5ZtJ0T85MYHCKQk1/FElK+Kq5akovXffQHjlnCPcx0NJ
|
|
+47NBjlPaFp2gjnAChn79bT4iCjOFZ9avWpqRpeU517UCnY7djOr3fuod/MSQyh3L
|
|
+Wuem1tWBAgMBAAECggEBAM4ZXQRs6Kjmo95BHGiAEnSqrlgX+dycjcBq3QPh8KZT
|
|
+nifqnf48XhnackENy7tWIjr3DctoUq4mOp8AHt77ijhqfaa4XSg7fwKeK9NLBGC5
|
|
+lAXNtAey0o2894/sKrd+LMkgphoYIUnuI4LRaGV56potkj/ZDP/GwTcG/R4SDnTn
|
|
+C1Nb05PNTAPQtPZrgPo7TdM6gGsTnFbVrYHQLyg2Sq/osHfF15YohB01esRLCAwb
|
|
+EF8JkRC4hWIZoV7BsyQ39232zAJQGGla7+wKFs3kObwh3VnFkQpT94KZnNiZuEfG
|
|
+x5pW4Pn3gXgNsftscXsaNe/M9mYZqo//Qw7NvUIvAvECgYEA9AVveyK0HOA06fhh
|
|
++3hUWdvw7Pbrl+e06jO9+bT1RjQMbHKyI60DZyVGuAySN86iChJRoJr5c6xj+iXU
|
|
+cR6BVJDjGH5t1tyiK2aYf6hEpK9/j8Z54UiVQ486zPP0PGfT2TO4lBLK+8AUmoaH
|
|
+gk21ul8QeVCeCJa/o+xEoRFvzcUCgYEA8FCbbvInrUtNY+9eKaUYoNodsgBVjm5X
|
|
+I0YPUL9D4d+1nvupHSV2NVmQl0w1RaJwrNTafrl5LkqjhQbmuWNta6QgfZzSA3LB
|
|
+lWXo1Mm0azKdcD3qMGbvn0Q3zU+yGNEgmB/Yju3/NtgYRG6tc+FCWRbPbiCnZWT8
|
|
+v3C2Y0XggI0CgYEA2/jCZBgGkTkzue5kNVJlh5OS/aog+pCvL6hxCtarfBuTT3ed
|
|
+Sje+p46cz3DVpmUpATc+Si8py7KNdYQAm/BJ2be6X+woi9Xcgo87zWgcaPCjZzId
|
|
+0I2jsIE/Gl6XvpRCDrxnGWRPgt3GNP4szbPLrDPiH9oie8+Y9eYYf7G+PZkCgYEA
|
|
+nRSzZOPYV4f/QDF4pVQLMykfe/iH9B/fyWjEHg3He19VQmRReIHCMMEoqBziPXAe
|
|
+onpHj8oAkeer1wpZyhhZr6CKtFDLXgGm09bXSC/IRMHC81klORovyzU2HHfZfCtG
|
|
+WOmIDnU2+0xpIGIP8sztJ3qnf97MTJSkOSadsWo9gwkCgYEAh5AQmJQmck88Dff2
|
|
+qIfJIX8d+BDw47BFJ89OmMFjGV8TNB+JO+AV4Vkodg4hxKpLqTFZTTUFgoYfy5u1
|
|
+1/BhAjpmCDCrzubCFhx+8VEoM2+2+MmnuQoMAm9+/mD/IidwRaARgXgvEmp7sfdt
|
|
+RyWd+p2lYvFkC/jORQtDMY4uW1o=
|
|
+-----END PRIVATE KEY-----
|
|
+Bag Attributes
|
|
+ localKeyID: 02 00 00 00
|
|
+ Microsoft CSP Name: Microsoft Strong Cryptographic Provider
|
|
+Key Attributes
|
|
+ X509v3 Key Usage: 10
|
|
+-----BEGIN PRIVATE KEY-----
|
|
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDlQhPrZwVQYFV4
|
|
+FBc0H1iTXYaznMpwZvEITKtXWACzTdguUderEVOkXW3HTi5HvC2rMayt0nqo3zcd
|
|
+x1eGiqdjpZQ/wMrkz9wNEM/nNMsXntEwxk0jCVNKB/jz6vf+BOtrSI01SritAGZW
|
|
+dpKoTUyztT8C2mA3X6D8g3m4Dd07ltnzxaDqAQIU5jBHh3f/Q14tlPNZWUIiqVTC
|
|
+gDxgAe7MDmfs9h3CInTBX1XM5J4UsLTL23/padgeSvP5YF5qr1+0c7Tdftxr2lwA
|
|
+N3rLkisf5EiLAToVyJJlgP/exo2I8DaIKe7DZzD3Y1CrurOpkcMKYu5kM1Htlbua
|
|
+tDkAa2oDAgMBAAECggEAOvdueS9DyiMlCKAeQb1IQosdQOh0l0ma+FgEABC2CWhd
|
|
+0LgjQTBRM6cGO+urcq7/jhdWQ1UuUG4tVn71z7itCi/F/Enhxc2C22d2GhFVpWsn
|
|
+giSXJYpZ/mIjkdVfWNo6FRuRmmHwMys1p0qTOS+8qUJWhSzW75csqJZGgeUrAI61
|
|
+LBV5F0SGR7dR2xZfy7PeDs9xpD0QivDt5DpsZWPaPvw4QlhdLgw6/YU1h9vtm6ci
|
|
+xLjnPRLZ7JMpcQHO8dUDl6FiEI7yQ11BDm253VQAVMddYRPQABn7SpEF8kD/aZVh
|
|
+2Clvz61Rz80SKjPUthMPLWMCRp7zB0xDMzt3/1i+tQKBgQD6Ar1/oD3eFnRnpi4u
|
|
+n/hdHJtMuXWNfUA4dspNjP6WGOid9sgIeUUdif1XyVJ+afITzvgpWc7nUWIqG2bQ
|
|
+WxJ/4q2rjUdvjNXTy1voVungR2jD5WLQ9DKeaTR0yCliWlx4JgdPG7qGI5MMwsr+
|
|
+R/PUoUUhGeEX+o/sCSieO3iUrQKBgQDqwBEMvIdhAv/CK2sG3fsKYX8rFT55ZNX3
|
|
+Tix9DbUGY3wQColNuI8U1nDlxE9U6VOfT9RPqKelBLCgbzB23kdEJnjSlnqlTxrx
|
|
+E+Hkndyf2ckdJAR3XNxoQ6SRLJNBsgoBj/z5tlfZE9/Jc+uh0mYy3e6g6XCVPBcz
|
|
+MgoIc+ofbwKBgQCGQhZ1hR30N+bHCozeaPW9OvGDIE0qcEqeh9xYDRFilXnF6pK9
|
|
+SjJ9jG7KR8jPLiHb1VebDSl5O1EV/6UU2vNyTc6pw7LLCryBgkGW4aWy1WZDXNnW
|
|
+EG1meGS9GghvUss5kmJ2bxOZmV0Mi0brisQ8OWagQf+JGvtS7BAt+Q3l+QKBgAb9
|
|
+8YQPmXiqPjPqVyW9Ntz4SnFeEJ5NApJ7IZgX8GxgSjGwHqbR+HEGchZl4ncE/Bii
|
|
+qBA3Vcb0fM5KgYcI19aPzsl28fA6ivLjRLcqfIfGVNcpW3iyq13vpdctHLW4N9QU
|
|
+FdTaOYOds+ysJziKq8CYG6NvUIshXw+HTgUybqbBAoGBAIIOqcmmtgOClAwipA17
|
|
+dAHsI9Sjk+J0+d4JU6o+5TsmhUfUKIjXf5+xqJkJcQZMEe5GhxcCuYkgFicvh4Hz
|
|
+kv2H/EU35LcJTqC6KTKZOWIbGcn1cqsvwm3GQJffYDiO8fRZSwCaif2J3F2lfH4Y
|
|
+R/fA67HXFSTT+OncdRpY1NOn
|
|
+-----END PRIVATE KEY-----
|
|
+Bag Attributes: <Empty Attributes>
|
|
+subject=/CN=CRP/OU=AzureRT/O=Microsoft Corporation/L=Redmond/ST=WA/C=US
|
|
+issuer=/CN=Root Agency
|
|
+-----BEGIN CERTIFICATE-----
|
|
+MIIB+TCCAeOgAwIBAgIBATANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQDDAtSb290
|
|
+IEFnZW5jeTAeFw0xOTAyMTUxOTA0MDRaFw0yOTAyMTUxOTE0MDRaMGwxDDAKBgNV
|
|
+BAMMA0NSUDEQMA4GA1UECwwHQXp1cmVSVDEeMBwGA1UECgwVTWljcm9zb2Z0IENv
|
|
+cnBvcmF0aW9uMRAwDgYDVQQHDAdSZWRtb25kMQswCQYDVQQIDAJXQTELMAkGA1UE
|
|
+BhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIlPjJXzrRih4C
|
|
+k/XsoI01oqo7IUxH3dA2F7vHGXQoIpKCp8Qe6Z6cFfdD8Uj+s+B1BX6hngwzIwjN
|
|
+jE/23X3SALVzJVWzX4Y/IEjbgsuao6sOyNyB18wIU9YzZkVGj68fmMlUw3LnhPbe
|
|
+eWkufZaJCaLyhQOwlRMbOcn48D6Ys8fccOyXNzpq3rH1OzeQpxS2M8zaJYP4/VZ/
|
|
+sf6KRpI7bP+QwyFvNKfhcaO9/gj4kMo9lVGjvDU20FW6g8UVNJCV9N4GO6mOcyqo
|
|
+OhuhVfjCNGgW7N1qi0TIVn0/MQM4l4dcT2R7Z/bV9fhMJLjGsy5A4TLAdRrhKUHT
|
|
+bzi9HyDvAgMBAAEwDQYJKoZIhvcNAQEFBQADAQA=
|
|
+-----END CERTIFICATE-----
|
|
+Bag Attributes
|
|
+ localKeyID: 01 00 00 00
|
|
+subject=/C=US/ST=WASHINGTON/L=Seattle/O=Microsoft/OU=Azure/CN=AnhVo/emailAddress=redacted@microsoft.com
|
|
+issuer=/C=US/ST=WASHINGTON/L=Seattle/O=Microsoft/OU=Azure/CN=AnhVo/emailAddress=redacted@microsoft.com
|
|
+-----BEGIN CERTIFICATE-----
|
|
+MIID7TCCAtWgAwIBAgIJALQS3yMg3R41MA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD
|
|
+VQQGEwJVUzETMBEGA1UECAwKV0FTSElOR1RPTjEQMA4GA1UEBwwHU2VhdHRsZTES
|
|
+MBAGA1UECgwJTWljcm9zb2Z0MQ4wDAYDVQQLDAVBenVyZTEOMAwGA1UEAwwFQW5o
|
|
+Vm8xIjAgBgkqhkiG9w0BCQEWE2FuaHZvQG1pY3Jvc29mdC5jb20wHhcNMTkwMjE0
|
|
+MjMxMjQwWhcNMjExMTEwMjMxMjQwWjCBjDELMAkGA1UEBhMCVVMxEzARBgNVBAgM
|
|
+CldBU0hJTkdUT04xEDAOBgNVBAcMB1NlYXR0bGUxEjAQBgNVBAoMCU1pY3Jvc29m
|
|
+dDEOMAwGA1UECwwFQXp1cmUxDjAMBgNVBAMMBUFuaFZvMSIwIAYJKoZIhvcNAQkB
|
|
+FhNhbmh2b0BtaWNyb3NvZnQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
|
|
+CgKCAQEA5RHuX1KsHa0Ez1tqFZRitn99av/FC0/Cpjk8lLy9ET3SUOvb7xznOUNg
|
|
+ioNnr4hwti1oRfFpqZ2Y+utUS9BnhRos8L1PDKHm8Oad6KnXIKBqR1bcX/pq+EHF
|
|
+hefPxcHs9HQOIXLIplTQc3jaQQVCCjQTEwRvuHeoXEAVABilHRkXAhhMk6ly1NDI
|
|
+B48QvSYFaliZfl9i3ABo+eyfrRmBky8yiZngnhlTTeWbSdE/OTGBwikJNfxRJSvi
|
|
+quWpKL1330B45Zwj3MdDSeOzQY5T2hadoI5wAoZ+/W0+IgozhWfWr1qakaXlOde1
|
|
+Ap2O3Yzq937qHfzEkMody1rnptbVgQIDAQABo1AwTjAdBgNVHQ4EFgQUPvdgLiv3
|
|
+pAk4r0QTPZU3PFOZJvgwHwYDVR0jBBgwFoAUPvdgLiv3pAk4r0QTPZU3PFOZJvgw
|
|
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAVUHZT+h9+uCPLTEl5IDg
|
|
+kqd9WpzXA7PJd/V+7DeDDTkEd06FIKTWZLfxLVVDjQJnQqubQb//e0zGu1qKbXnX
|
|
+R7xqWabGU4eyPeUFWddmt1OHhxKLU3HbJNJJdL6XKiQtpGGUQt/mqNQ/DEr6hhNF
|
|
+im5I79iA8H/dXA2gyZrj5Rxea4mtsaYO0mfp1NrFtJpAh2Djy4B1lBXBIv4DWG9e
|
|
+mMEwzcLCOZj2cOMA6+mdLMUjYCvIRtnn5MKUHyZX5EmX79wsqMTvVpddlVLB9Kgz
|
|
+Qnvft9+SBWh9+F3ip7BsL6Q4Q9v8eHRbnP0ya7ddlgh64uwf9VOfZZdKCnwqudJP
|
|
+3g==
|
|
+-----END CERTIFICATE-----
|
|
+Bag Attributes
|
|
+ localKeyID: 02 00 00 00
|
|
+subject=/CN=/subscriptions/redacted/resourcegroups/redacted/providers/Microsoft.Compute/virtualMachines/redacted
|
|
+issuer=/CN=Microsoft.ManagedIdentity
|
|
+-----BEGIN CERTIFICATE-----
|
|
+MIIDnTCCAoWgAwIBAgIUB2lauSRccvFkoJybUfIwOUqBN7MwDQYJKoZIhvcNAQEL
|
|
+BQAwJDEiMCAGA1UEAxMZTWljcm9zb2Z0Lk1hbmFnZWRJZGVudGl0eTAeFw0xOTAy
|
|
+MTUxOTA5MDBaFw0xOTA4MTQxOTA5MDBaMIGUMYGRMIGOBgNVBAMTgYYvc3Vic2Ny
|
|
+aXB0aW9ucy8yN2I3NTBjZC1lZDQzLTQyZmQtOTA0NC04ZDc1ZTEyNGFlNTUvcmVz
|
|
+b3VyY2Vncm91cHMvYW5oZXh0cmFzc2gvcHJvdmlkZXJzL01pY3Jvc29mdC5Db21w
|
|
+dXRlL3ZpcnR1YWxNYWNoaW5lcy9hbmh0ZXN0Y2VydDCCASIwDQYJKoZIhvcNAQEB
|
|
+BQADggEPADCCAQoCggEBAOVCE+tnBVBgVXgUFzQfWJNdhrOcynBm8QhMq1dYALNN
|
|
+2C5R16sRU6RdbcdOLke8LasxrK3SeqjfNx3HV4aKp2OllD/AyuTP3A0Qz+c0yxee
|
|
+0TDGTSMJU0oH+PPq9/4E62tIjTVKuK0AZlZ2kqhNTLO1PwLaYDdfoPyDebgN3TuW
|
|
+2fPFoOoBAhTmMEeHd/9DXi2U81lZQiKpVMKAPGAB7swOZ+z2HcIidMFfVczknhSw
|
|
+tMvbf+lp2B5K8/lgXmqvX7RztN1+3GvaXAA3esuSKx/kSIsBOhXIkmWA/97GjYjw
|
|
+Nogp7sNnMPdjUKu6s6mRwwpi7mQzUe2Vu5q0OQBragMCAwEAAaNWMFQwDgYDVR0P
|
|
+AQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwHwYD
|
|
+VR0jBBgwFoAUOJvzEsriQWdJBndPrK+Me1bCPjYwDQYJKoZIhvcNAQELBQADggEB
|
|
+AFGP/g8o7Hv/to11M0UqfzJuW/AyH9RZtSRcNQFLZUndwweQ6fap8lFsA4REUdqe
|
|
+7Quqp5JNNY1XzKLWXMPoheIDH1A8FFXdsAroArzlNs9tO3TlIHE8A7HxEVZEmR4b
|
|
+7ZiixmkQPS2RkjEoV/GM6fheBrzuFn7X5kVZyE6cC5sfcebn8xhk3ZcXI0VmpdT0
|
|
+jFBsf5IvFCIXXLLhJI4KXc8VMoKFU1jT9na/jyaoGmfwovKj4ib8s2aiXGAp7Y38
|
|
+UCmY+bJapWom6Piy5Jzi/p/kzMVdJcSa+GqpuFxBoQYEVs2XYVl7cGu/wPM+NToC
|
|
+pkSoWwF1QAnHn0eokR9E1rU=
|
|
+-----END CERTIFICATE-----
|
|
+Bag Attributes: <Empty Attributes>
|
|
+subject=/CN=CRP/OU=AzureRT/O=Microsoft Corporation/L=Redmond/ST=WA/C=US
|
|
+issuer=/CN=Root Agency
|
|
+-----BEGIN CERTIFICATE-----
|
|
+MIIB+TCCAeOgAwIBAgIBATANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQDDAtSb290
|
|
+IEFnZW5jeTAeFw0xOTAyMTUxOTA0MDRaFw0yOTAyMTUxOTE0MDRaMGwxDDAKBgNV
|
|
+BAMMA0NSUDEQMA4GA1UECwwHQXp1cmVSVDEeMBwGA1UECgwVTWljcm9zb2Z0IENv
|
|
+cnBvcmF0aW9uMRAwDgYDVQQHDAdSZWRtb25kMQswCQYDVQQIDAJXQTELMAkGA1UE
|
|
+BhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHU9IDclbKVYVb
|
|
+Yuv0+zViX+wTwlKspslmy/uf3hkWLh7pyzyrq70S7qtSW2EGixUPxZS/R8pOLHoi
|
|
+nlKF9ILgj0gVTCJsSwnWpXRg3rhZwIVoYMHN50BHS1SqVD0lsWNMXmo76LoJcjmW
|
|
+vwIznvj5C/gnhU+K7+c3m7AlCyU2wjwpBAEYj7PQs6l/wTqpEiaqC5NytNBd7qp+
|
|
+lYYysVrpa1PFL0Nj4MMZARIfjkiJtL9qDhy9YZeJRQ6q/Fhz0kjvkZnfxixfKF4y
|
|
+WzOfhBrAtpF6oOnuYKk3hxjh9KjTTX4/U8zdLojalX09iyHyEjwJKGlGEpzh1aY7
|
|
+t5btUyvpAgMBAAEwDQYJKoZIhvcNAQEFBQADAQA=
|
|
+-----END CERTIFICATE-----
|
|
diff --git a/tests/data/azure/pubkey_extract_cert b/tests/data/azure/pubkey_extract_cert
|
|
new file mode 100644
|
|
index 00000000..ce9b852d
|
|
--- /dev/null
|
|
+++ b/tests/data/azure/pubkey_extract_cert
|
|
@@ -0,0 +1,13 @@
|
|
+-----BEGIN CERTIFICATE-----
|
|
+MIIB+TCCAeOgAwIBAgIBATANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQDDAtSb290
|
|
+IEFnZW5jeTAeFw0xOTAyMTUxOTA0MDRaFw0yOTAyMTUxOTE0MDRaMGwxDDAKBgNV
|
|
+BAMMA0NSUDEQMA4GA1UECwwHQXp1cmVSVDEeMBwGA1UECgwVTWljcm9zb2Z0IENv
|
|
+cnBvcmF0aW9uMRAwDgYDVQQHDAdSZWRtb25kMQswCQYDVQQIDAJXQTELMAkGA1UE
|
|
+BhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHU9IDclbKVYVb
|
|
+Yuv0+zViX+wTwlKspslmy/uf3hkWLh7pyzyrq70S7qtSW2EGixUPxZS/R8pOLHoi
|
|
+nlKF9ILgj0gVTCJsSwnWpXRg3rhZwIVoYMHN50BHS1SqVD0lsWNMXmo76LoJcjmW
|
|
+vwIznvj5C/gnhU+K7+c3m7AlCyU2wjwpBAEYj7PQs6l/wTqpEiaqC5NytNBd7qp+
|
|
+lYYysVrpa1PFL0Nj4MMZARIfjkiJtL9qDhy9YZeJRQ6q/Fhz0kjvkZnfxixfKF4y
|
|
+WzOfhBrAtpF6oOnuYKk3hxjh9KjTTX4/U8zdLojalX09iyHyEjwJKGlGEpzh1aY7
|
|
+t5btUyvpAgMBAAEwDQYJKoZIhvcNAQEFBQADAQA=
|
|
+-----END CERTIFICATE-----
|
|
diff --git a/tests/data/azure/pubkey_extract_ssh_key b/tests/data/azure/pubkey_extract_ssh_key
|
|
new file mode 100644
|
|
index 00000000..54d749ed
|
|
--- /dev/null
|
|
+++ b/tests/data/azure/pubkey_extract_ssh_key
|
|
@@ -0,0 +1 @@
|
|
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHU9IDclbKVYVbYuv0+zViX+wTwlKspslmy/uf3hkWLh7pyzyrq70S7qtSW2EGixUPxZS/R8pOLHoinlKF9ILgj0gVTCJsSwnWpXRg3rhZwIVoYMHN50BHS1SqVD0lsWNMXmo76LoJcjmWvwIznvj5C/gnhU+K7+c3m7AlCyU2wjwpBAEYj7PQs6l/wTqpEiaqC5NytNBd7qp+lYYysVrpa1PFL0Nj4MMZARIfjkiJtL9qDhy9YZeJRQ6q/Fhz0kjvkZnfxixfKF4yWzOfhBrAtpF6oOnuYKk3hxjh9KjTTX4/U8zdLojalX09iyHyEjwJKGlGEpzh1aY7t5btUyvp
|
|
diff --git a/tests/unittests/test_datasource/test_azure_helper.py b/tests/unittests/test_datasource/test_azure_helper.py
|
|
index 26b2b93d..02556165 100644
|
|
--- a/tests/unittests/test_datasource/test_azure_helper.py
|
|
+++ b/tests/unittests/test_datasource/test_azure_helper.py
|
|
@@ -1,11 +1,13 @@
|
|
# This file is part of cloud-init. See LICENSE file for license information.
|
|
|
|
import os
|
|
+import unittest2
|
|
from textwrap import dedent
|
|
|
|
from cloudinit.sources.helpers import azure as azure_helper
|
|
from cloudinit.tests.helpers import CiTestCase, ExitStack, mock, populate_dir
|
|
|
|
+from cloudinit.util import load_file
|
|
from cloudinit.sources.helpers.azure import WALinuxAgentShim as wa_shim
|
|
|
|
GOAL_STATE_TEMPLATE = """\
|
|
@@ -289,6 +291,50 @@ class TestOpenSSLManager(CiTestCase):
|
|
self.assertEqual([mock.call(manager.tmpdir)], del_dir.call_args_list)
|
|
|
|
|
|
+class TestOpenSSLManagerActions(CiTestCase):
|
|
+
|
|
+ def setUp(self):
|
|
+ super(TestOpenSSLManagerActions, self).setUp()
|
|
+
|
|
+ self.allowed_subp = True
|
|
+
|
|
+ def _data_file(self, name):
|
|
+ path = 'tests/data/azure'
|
|
+ return os.path.join(path, name)
|
|
+
|
|
+ @unittest2.skip("todo move to cloud_test")
|
|
+ def test_pubkey_extract(self):
|
|
+ cert = load_file(self._data_file('pubkey_extract_cert'))
|
|
+ good_key = load_file(self._data_file('pubkey_extract_ssh_key'))
|
|
+ sslmgr = azure_helper.OpenSSLManager()
|
|
+ key = sslmgr._get_ssh_key_from_cert(cert)
|
|
+ self.assertEqual(good_key, key)
|
|
+
|
|
+ good_fingerprint = '073E19D14D1C799224C6A0FD8DDAB6A8BF27D473'
|
|
+ fingerprint = sslmgr._get_fingerprint_from_cert(cert)
|
|
+ self.assertEqual(good_fingerprint, fingerprint)
|
|
+
|
|
+ @unittest2.skip("todo move to cloud_test")
|
|
+ @mock.patch.object(azure_helper.OpenSSLManager, '_decrypt_certs_from_xml')
|
|
+ def test_parse_certificates(self, mock_decrypt_certs):
|
|
+ """Azure control plane puts private keys as well as certificates
|
|
+ into the Certificates XML object. Make sure only the public keys
|
|
+ from certs are extracted and that fingerprints are converted to
|
|
+ the form specified in the ovf-env.xml file.
|
|
+ """
|
|
+ cert_contents = load_file(self._data_file('parse_certificates_pem'))
|
|
+ fingerprints = load_file(self._data_file(
|
|
+ 'parse_certificates_fingerprints')
|
|
+ ).splitlines()
|
|
+ mock_decrypt_certs.return_value = cert_contents
|
|
+ sslmgr = azure_helper.OpenSSLManager()
|
|
+ keys_by_fp = sslmgr.parse_certificates('')
|
|
+ for fp in keys_by_fp.keys():
|
|
+ self.assertIn(fp, fingerprints)
|
|
+ for fp in fingerprints:
|
|
+ self.assertIn(fp, keys_by_fp)
|
|
+
|
|
+
|
|
class TestWALinuxAgentShim(CiTestCase):
|
|
|
|
def setUp(self):
|
|
@@ -329,18 +375,31 @@ class TestWALinuxAgentShim(CiTestCase):
|
|
|
|
def test_certificates_used_to_determine_public_keys(self):
|
|
shim = wa_shim()
|
|
- data = shim.register_with_azure_and_fetch_data()
|
|
+ """if register_with_azure_and_fetch_data() isn't passed some info about
|
|
+ the user's public keys, there's no point in even trying to parse
|
|
+ the certificates
|
|
+ """
|
|
+ mypk = [{'fingerprint': 'fp1', 'path': 'path1'},
|
|
+ {'fingerprint': 'fp3', 'path': 'path3', 'value': ''}]
|
|
+ certs = {'fp1': 'expected-key',
|
|
+ 'fp2': 'should-not-be-found',
|
|
+ 'fp3': 'expected-no-value-key',
|
|
+ }
|
|
+ sslmgr = self.OpenSSLManager.return_value
|
|
+ sslmgr.parse_certificates.return_value = certs
|
|
+ data = shim.register_with_azure_and_fetch_data(pubkey_info=mypk)
|
|
self.assertEqual(
|
|
[mock.call(self.GoalState.return_value.certificates_xml)],
|
|
- self.OpenSSLManager.return_value.parse_certificates.call_args_list)
|
|
- self.assertEqual(
|
|
- self.OpenSSLManager.return_value.parse_certificates.return_value,
|
|
- data['public-keys'])
|
|
+ sslmgr.parse_certificates.call_args_list)
|
|
+ self.assertIn('expected-key', data['public-keys'])
|
|
+ self.assertIn('expected-no-value-key', data['public-keys'])
|
|
+ self.assertNotIn('should-not-be-found', data['public-keys'])
|
|
|
|
def test_absent_certificates_produces_empty_public_keys(self):
|
|
+ mypk = [{'fingerprint': 'fp1', 'path': 'path1'}]
|
|
self.GoalState.return_value.certificates_xml = None
|
|
shim = wa_shim()
|
|
- data = shim.register_with_azure_and_fetch_data()
|
|
+ data = shim.register_with_azure_and_fetch_data(pubkey_info=mypk)
|
|
self.assertEqual([], data['public-keys'])
|
|
|
|
def test_correct_url_used_for_report_ready(self):
|
|
--
|
|
2.20.1
|
|
|