From 68f058e8d20a499f74bc78af8e0c6a90ca57ae20 Mon Sep 17 00:00:00 2001

From: Thomas Stringer <thstring@microsoft.com>

Date: Mon, 26 Apr 2021 09:41:38 -0400

Subject: [PATCH 5/7] Azure: Retrieve username and hostname from IMDS (#865)

RH-Author: Eduardo Otubo <otubo@redhat.com>

RH-MergeRequest: 18: Add support for userdata on Azure from IMDS

RH-Commit: [5/7] 6a768d31e63e5f00dae0fad2712a7618d62b0879 (otubo/cloud-init-src)

RH-Bugzilla: 2042351

RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>

RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>

This change allows us to retrieve the username and hostname from

IMDS instead of having to rely on the mounted OVF.

---

 cloudinit/sources/DataSourceAzure.py          | 149 ++++++++++++++----

 tests/unittests/test_datasource/test_azure.py |  87 +++++++++-

 2 files changed, 205 insertions(+), 31 deletions(-)

diff --git a/cloudinit/sources/DataSourceAzure.py b/cloudinit/sources/DataSourceAzure.py

index 39e67c4f..6d7954ee 100755

--- a/cloudinit/sources/DataSourceAzure.py

+++ b/cloudinit/sources/DataSourceAzure.py

@@ -5,6 +5,7 @@

 # This file is part of cloud-init. See LICENSE file for license information.

 import base64

+from collections import namedtuple

 import contextlib

 import crypt

 from functools import partial

@@ -25,6 +26,7 @@ from cloudinit.net import device_driver

 from cloudinit.net.dhcp import EphemeralDHCPv4

 from cloudinit import sources

 from cloudinit.sources.helpers import netlink

+from cloudinit import ssh_util

 from cloudinit import subp

 from cloudinit.url_helper import UrlError, readurl, retry_on_url_exc

 from cloudinit import util

@@ -80,7 +82,12 @@ AGENT_SEED_DIR = '/var/lib/waagent'

 IMDS_TIMEOUT_IN_SECONDS = 2

 IMDS_URL = "http://169.254.169.254/metadata"

 IMDS_VER_MIN = "2019-06-01"

-IMDS_VER_WANT = "2020-09-01"

+IMDS_VER_WANT = "2020-10-01"

+

+

+# This holds SSH key data including if the source was

+# from IMDS, as well as the SSH key data itself.

+SSHKeys = namedtuple("SSHKeys", ("keys_from_imds", "ssh_keys"))

 class metadata_type(Enum):

@@ -391,6 +398,8 @@ class DataSourceAzure(sources.DataSource):

         """Return the subplatform metadata source details."""

         if self.seed.startswith('/dev'):

             subplatform_type = 'config-disk'

+        elif self.seed.lower() == 'imds':

+            subplatform_type = 'imds'

         else:

             subplatform_type = 'seed-dir'

         return '%s (%s)' % (subplatform_type, self.seed)

@@ -433,9 +442,11 @@ class DataSourceAzure(sources.DataSource):

         found = None

         reprovision = False

+        ovf_is_accessible = True

         reprovision_after_nic_attach = False

         for cdev in candidates:

             try:

+                LOG.debug("cdev: %s", cdev)

                 if cdev == "IMDS":

                     ret = None

                     reprovision = True

@@ -462,8 +473,18 @@ class DataSourceAzure(sources.DataSource):

                 raise sources.InvalidMetaDataException(msg)

             except util.MountFailedError:

                 report_diagnostic_event(

-                    '%s was not mountable' % cdev, logger_func=LOG.warning)

-                continue

+                    '%s was not mountable' % cdev, logger_func=LOG.debug)

+                cdev = 'IMDS'

+                ovf_is_accessible = False

+                empty_md = {'local-hostname': ''}

+                empty_cfg = dict(

+                    system_info=dict(

+                        default_user=dict(

+                            name=''

+                        )

+                    )

+                )

+                ret = (empty_md, '', empty_cfg, {})

             report_diagnostic_event("Found provisioning metadata in %s" % cdev,

                                     logger_func=LOG.debug)

@@ -490,6 +511,10 @@ class DataSourceAzure(sources.DataSource):

                 self.fallback_interface,

                 retries=10

             )

+            if not imds_md and not ovf_is_accessible:

+                msg = 'No OVF or IMDS available'

+                report_diagnostic_event(msg)

+                raise sources.InvalidMetaDataException(msg)

             (md, userdata_raw, cfg, files) = ret

             self.seed = cdev

             crawled_data.update({

@@ -498,6 +523,21 @@ class DataSourceAzure(sources.DataSource):

                 'metadata': util.mergemanydict(

                     [md, {'imds': imds_md}]),

                 'userdata_raw': userdata_raw})

+            imds_username = _username_from_imds(imds_md)

+            imds_hostname = _hostname_from_imds(imds_md)

+            imds_disable_password = _disable_password_from_imds(imds_md)

+            if imds_username:

+                LOG.debug('Username retrieved from IMDS: %s', imds_username)

+                cfg['system_info']['default_user']['name'] = imds_username

+            if imds_hostname:

+                LOG.debug('Hostname retrieved from IMDS: %s', imds_hostname)

+                crawled_data['metadata']['local-hostname'] = imds_hostname

+            if imds_disable_password:

+                LOG.debug(

+                    'Disable password retrieved from IMDS: %s',

+                    imds_disable_password

+                )

+                crawled_data['metadata']['disable_password'] = imds_disable_password  # noqa: E501

             found = cdev

             report_diagnostic_event(

@@ -676,6 +716,13 @@ class DataSourceAzure(sources.DataSource):

     @azure_ds_telemetry_reporter

     def get_public_ssh_keys(self):

+        """

+        Retrieve public SSH keys.

+        """

+

+        return self._get_public_ssh_keys_and_source().ssh_keys

+

+    def _get_public_ssh_keys_and_source(self):

         """

         Try to get the ssh keys from IMDS first, and if that fails

         (i.e. IMDS is unavailable) then fallback to getting the ssh

@@ -685,30 +732,50 @@ class DataSourceAzure(sources.DataSource):

         advantage, so this is a strong preference. But we must keep

         OVF as a second option for environments that don't have IMDS.

         """

+

         LOG.debug('Retrieving public SSH keys')

         ssh_keys = []

+        keys_from_imds = True

+        LOG.debug('Attempting to get SSH keys from IMDS')

         try:

-            raise KeyError(

-                "Not using public SSH keys from IMDS"

-            )

-            # pylint:disable=unreachable

             ssh_keys = [

                 public_key['keyData']

                 for public_key

                 in self.metadata['imds']['compute']['publicKeys']

             ]

-            LOG.debug('Retrieved SSH keys from IMDS')

+            for key in ssh_keys:

+                if not _key_is_openssh_formatted(key=key):

+                    keys_from_imds = False

+                    break

+

+            if not keys_from_imds:

+                log_msg = 'Keys not in OpenSSH format, using OVF'

+            else:

+                log_msg = 'Retrieved {} keys from IMDS'.format(

+                    len(ssh_keys)

+                    if ssh_keys is not None

+                    else 0

+                )

         except KeyError:

             log_msg = 'Unable to get keys from IMDS, falling back to OVF'

+            keys_from_imds = False

+        finally:

             report_diagnostic_event(log_msg, logger_func=LOG.debug)

+

+        if not keys_from_imds:

+            LOG.debug('Attempting to get SSH keys from OVF')

             try:

                 ssh_keys = self.metadata['public-keys']

-                LOG.debug('Retrieved keys from OVF')

+                log_msg = 'Retrieved {} keys from OVF'.format(len(ssh_keys))

             except KeyError:

                 log_msg = 'No keys available from OVF'

+            finally:

                 report_diagnostic_event(log_msg, logger_func=LOG.debug)

-        return ssh_keys

+        return SSHKeys(

+            keys_from_imds=keys_from_imds,

+            ssh_keys=ssh_keys

+        )

     def get_config_obj(self):

         return self.cfg

@@ -1325,30 +1392,21 @@ class DataSourceAzure(sources.DataSource):

         self.bounce_network_with_azure_hostname()

         pubkey_info = None

-        try:

-            raise KeyError(

-                "Not using public SSH keys from IMDS"

-            )

-            # pylint:disable=unreachable

-            public_keys = self.metadata['imds']['compute']['publicKeys']

-            LOG.debug(

-                'Successfully retrieved %s key(s) from IMDS',

-                len(public_keys)

-                if public_keys is not None

+        ssh_keys_and_source = self._get_public_ssh_keys_and_source()

+

+        if not ssh_keys_and_source.keys_from_imds:

+            pubkey_info = self.cfg.get('_pubkeys', None)

+            log_msg = 'Retrieved {} fingerprints from OVF'.format(

+                len(pubkey_info)

+                if pubkey_info is not None

                 else 0

             )

-        except KeyError:

-            LOG.debug(

-                'Unable to retrieve SSH keys from IMDS during '

-                'negotiation, falling back to OVF'

-            )

-            pubkey_info = self.cfg.get('_pubkeys', None)

+            report_diagnostic_event(log_msg, logger_func=LOG.debug)

         metadata_func = partial(get_metadata_from_fabric,

                                 fallback_lease_file=self.

                                 dhclient_lease_file,

-                                pubkey_info=pubkey_info,

-                                iso_dev=self.iso_dev)

+                                pubkey_info=pubkey_info)

         LOG.debug("negotiating with fabric via agent command %s",

                   self.ds_cfg['agent_command'])

@@ -1404,6 +1462,41 @@ class DataSourceAzure(sources.DataSource):

         return self.metadata.get('imds', {}).get('compute', {}).get('location')

+def _username_from_imds(imds_data):

+    try:

+        return imds_data['compute']['osProfile']['adminUsername']

+    except KeyError:

+        return None

+

+

+def _hostname_from_imds(imds_data):

+    try:

+        return imds_data['compute']['osProfile']['computerName']

+    except KeyError:

+        return None

+

+

+def _disable_password_from_imds(imds_data):

+    try:

+        return imds_data['compute']['osProfile']['disablePasswordAuthentication'] == 'true'  # noqa: E501

+    except KeyError:

+        return None

+

+

+def _key_is_openssh_formatted(key):

+    """

+    Validate whether or not the key is OpenSSH-formatted.

+    """

+

+    parser = ssh_util.AuthKeyLineParser()

+    try:

+        akl = parser.parse(key)

+    except TypeError:

+        return False

+

+    return akl.keytype is not None

+

+

 def _partitions_on_device(devpath, maxnum=16):

     # return a list of tuples (ptnum, path) for each part on devpath

     for suff in ("-part", "p", ""):

diff --git a/tests/unittests/test_datasource/test_azure.py b/tests/unittests/test_datasource/test_azure.py

index 320fa857..d9817d84 100644

--- a/tests/unittests/test_datasource/test_azure.py

+++ b/tests/unittests/test_datasource/test_azure.py

@@ -108,7 +108,7 @@ NETWORK_METADATA = {

         "zone": "",

         "publicKeys": [

             {

-                "keyData": "key1",

+                "keyData": "ssh-rsa key1",

                 "path": "path1"

             }

         ]

@@ -1761,8 +1761,29 @@ scbus-1 on xpt0 bus 0

         dsrc.get_data()

         dsrc.setup(True)

         ssh_keys = dsrc.get_public_ssh_keys()

-        # Temporarily alter this test so that SSH public keys

-        # from IMDS are *not* going to be in use to fix a regression.

+        self.assertEqual(ssh_keys, ["ssh-rsa key1"])

+        self.assertEqual(m_parse_certificates.call_count, 0)

+

+    @mock.patch(

+        'cloudinit.sources.helpers.azure.OpenSSLManager.parse_certificates')

+    @mock.patch(MOCKPATH + 'get_metadata_from_imds')

+    def test_get_public_ssh_keys_with_no_openssh_format(

+            self,

+            m_get_metadata_from_imds,

+            m_parse_certificates):

+        imds_data = copy.deepcopy(NETWORK_METADATA)

+        imds_data['compute']['publicKeys'][0]['keyData'] = 'no-openssh-format'

+        m_get_metadata_from_imds.return_value = imds_data

+        sys_cfg = {'datasource': {'Azure': {'apply_network_config': True}}}

+        odata = {'HostName': "myhost", 'UserName': "myuser"}

+        data = {

+            'ovfcontent': construct_valid_ovf_env(data=odata),

+            'sys_cfg': sys_cfg

+        }

+        dsrc = self._get_ds(data)

+        dsrc.get_data()

+        dsrc.setup(True)

+        ssh_keys = dsrc.get_public_ssh_keys()

         self.assertEqual(ssh_keys, [])

         self.assertEqual(m_parse_certificates.call_count, 0)

@@ -1818,6 +1839,66 @@ scbus-1 on xpt0 bus 0

         self.assertIsNotNone(dsrc.metadata)

         self.assertFalse(dsrc.failed_desired_api_version)

+    @mock.patch(MOCKPATH + 'get_metadata_from_imds')

+    def test_hostname_from_imds(self, m_get_metadata_from_imds):

+        sys_cfg = {'datasource': {'Azure': {'apply_network_config': True}}}

+        odata = {'HostName': "myhost", 'UserName': "myuser"}

+        data = {

+            'ovfcontent': construct_valid_ovf_env(data=odata),

+            'sys_cfg': sys_cfg

+        }

+        imds_data_with_os_profile = copy.deepcopy(NETWORK_METADATA)

+        imds_data_with_os_profile["compute"]["osProfile"] = dict(

+            adminUsername="username1",

+            computerName="hostname1",

+            disablePasswordAuthentication="true"

+        )

+        m_get_metadata_from_imds.return_value = imds_data_with_os_profile

+        dsrc = self._get_ds(data)

+        dsrc.get_data()

+        self.assertEqual(dsrc.metadata["local-hostname"], "hostname1")

+

+    @mock.patch(MOCKPATH + 'get_metadata_from_imds')

+    def test_username_from_imds(self, m_get_metadata_from_imds):

+        sys_cfg = {'datasource': {'Azure': {'apply_network_config': True}}}

+        odata = {'HostName': "myhost", 'UserName': "myuser"}

+        data = {

+            'ovfcontent': construct_valid_ovf_env(data=odata),

+            'sys_cfg': sys_cfg

+        }

+        imds_data_with_os_profile = copy.deepcopy(NETWORK_METADATA)

+        imds_data_with_os_profile["compute"]["osProfile"] = dict(

+            adminUsername="username1",

+            computerName="hostname1",

+            disablePasswordAuthentication="true"

+        )

+        m_get_metadata_from_imds.return_value = imds_data_with_os_profile

+        dsrc = self._get_ds(data)

+        dsrc.get_data()

+        self.assertEqual(

+            dsrc.cfg["system_info"]["default_user"]["name"],

+            "username1"

+        )

+

+    @mock.patch(MOCKPATH + 'get_metadata_from_imds')

+    def test_disable_password_from_imds(self, m_get_metadata_from_imds):

+        sys_cfg = {'datasource': {'Azure': {'apply_network_config': True}}}

+        odata = {'HostName': "myhost", 'UserName': "myuser"}

+        data = {

+            'ovfcontent': construct_valid_ovf_env(data=odata),

+            'sys_cfg': sys_cfg

+        }

+        imds_data_with_os_profile = copy.deepcopy(NETWORK_METADATA)

+        imds_data_with_os_profile["compute"]["osProfile"] = dict(

+            adminUsername="username1",

+            computerName="hostname1",

+            disablePasswordAuthentication="true"

+        )

+        m_get_metadata_from_imds.return_value = imds_data_with_os_profile

+        dsrc = self._get_ds(data)

+        dsrc.get_data()

+        self.assertTrue(dsrc.metadata["disable_password"])

+

 class TestAzureBounce(CiTestCase):

-- 

2.27.0