Blob Blame History Raw
From 68f058e8d20a499f74bc78af8e0c6a90ca57ae20 Mon Sep 17 00:00:00 2001
From: Thomas Stringer <thstring@microsoft.com>
Date: Mon, 26 Apr 2021 09:41:38 -0400
Subject: [PATCH 5/7] Azure: Retrieve username and hostname from IMDS (#865)

RH-Author: Eduardo Otubo <otubo@redhat.com>
RH-MergeRequest: 18: Add support for userdata on Azure from IMDS
RH-Commit: [5/7] 6a768d31e63e5f00dae0fad2712a7618d62b0879 (otubo/cloud-init-src)
RH-Bugzilla: 2042351
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>

This change allows us to retrieve the username and hostname from
IMDS instead of having to rely on the mounted OVF.
---
 cloudinit/sources/DataSourceAzure.py          | 149 ++++++++++++++----
 tests/unittests/test_datasource/test_azure.py |  87 +++++++++-
 2 files changed, 205 insertions(+), 31 deletions(-)

diff --git a/cloudinit/sources/DataSourceAzure.py b/cloudinit/sources/DataSourceAzure.py
index 39e67c4f..6d7954ee 100755
--- a/cloudinit/sources/DataSourceAzure.py
+++ b/cloudinit/sources/DataSourceAzure.py
@@ -5,6 +5,7 @@
 # This file is part of cloud-init. See LICENSE file for license information.
 
 import base64
+from collections import namedtuple
 import contextlib
 import crypt
 from functools import partial
@@ -25,6 +26,7 @@ from cloudinit.net import device_driver
 from cloudinit.net.dhcp import EphemeralDHCPv4
 from cloudinit import sources
 from cloudinit.sources.helpers import netlink
+from cloudinit import ssh_util
 from cloudinit import subp
 from cloudinit.url_helper import UrlError, readurl, retry_on_url_exc
 from cloudinit import util
@@ -80,7 +82,12 @@ AGENT_SEED_DIR = '/var/lib/waagent'
 IMDS_TIMEOUT_IN_SECONDS = 2
 IMDS_URL = "http://169.254.169.254/metadata"
 IMDS_VER_MIN = "2019-06-01"
-IMDS_VER_WANT = "2020-09-01"
+IMDS_VER_WANT = "2020-10-01"
+
+
+# This holds SSH key data including if the source was
+# from IMDS, as well as the SSH key data itself.
+SSHKeys = namedtuple("SSHKeys", ("keys_from_imds", "ssh_keys"))
 
 
 class metadata_type(Enum):
@@ -391,6 +398,8 @@ class DataSourceAzure(sources.DataSource):
         """Return the subplatform metadata source details."""
         if self.seed.startswith('/dev'):
             subplatform_type = 'config-disk'
+        elif self.seed.lower() == 'imds':
+            subplatform_type = 'imds'
         else:
             subplatform_type = 'seed-dir'
         return '%s (%s)' % (subplatform_type, self.seed)
@@ -433,9 +442,11 @@ class DataSourceAzure(sources.DataSource):
 
         found = None
         reprovision = False
+        ovf_is_accessible = True
         reprovision_after_nic_attach = False
         for cdev in candidates:
             try:
+                LOG.debug("cdev: %s", cdev)
                 if cdev == "IMDS":
                     ret = None
                     reprovision = True
@@ -462,8 +473,18 @@ class DataSourceAzure(sources.DataSource):
                 raise sources.InvalidMetaDataException(msg)
             except util.MountFailedError:
                 report_diagnostic_event(
-                    '%s was not mountable' % cdev, logger_func=LOG.warning)
-                continue
+                    '%s was not mountable' % cdev, logger_func=LOG.debug)
+                cdev = 'IMDS'
+                ovf_is_accessible = False
+                empty_md = {'local-hostname': ''}
+                empty_cfg = dict(
+                    system_info=dict(
+                        default_user=dict(
+                            name=''
+                        )
+                    )
+                )
+                ret = (empty_md, '', empty_cfg, {})
 
             report_diagnostic_event("Found provisioning metadata in %s" % cdev,
                                     logger_func=LOG.debug)
@@ -490,6 +511,10 @@ class DataSourceAzure(sources.DataSource):
                 self.fallback_interface,
                 retries=10
             )
+            if not imds_md and not ovf_is_accessible:
+                msg = 'No OVF or IMDS available'
+                report_diagnostic_event(msg)
+                raise sources.InvalidMetaDataException(msg)
             (md, userdata_raw, cfg, files) = ret
             self.seed = cdev
             crawled_data.update({
@@ -498,6 +523,21 @@ class DataSourceAzure(sources.DataSource):
                 'metadata': util.mergemanydict(
                     [md, {'imds': imds_md}]),
                 'userdata_raw': userdata_raw})
+            imds_username = _username_from_imds(imds_md)
+            imds_hostname = _hostname_from_imds(imds_md)
+            imds_disable_password = _disable_password_from_imds(imds_md)
+            if imds_username:
+                LOG.debug('Username retrieved from IMDS: %s', imds_username)
+                cfg['system_info']['default_user']['name'] = imds_username
+            if imds_hostname:
+                LOG.debug('Hostname retrieved from IMDS: %s', imds_hostname)
+                crawled_data['metadata']['local-hostname'] = imds_hostname
+            if imds_disable_password:
+                LOG.debug(
+                    'Disable password retrieved from IMDS: %s',
+                    imds_disable_password
+                )
+                crawled_data['metadata']['disable_password'] = imds_disable_password  # noqa: E501
             found = cdev
 
             report_diagnostic_event(
@@ -676,6 +716,13 @@ class DataSourceAzure(sources.DataSource):
 
     @azure_ds_telemetry_reporter
     def get_public_ssh_keys(self):
+        """
+        Retrieve public SSH keys.
+        """
+
+        return self._get_public_ssh_keys_and_source().ssh_keys
+
+    def _get_public_ssh_keys_and_source(self):
         """
         Try to get the ssh keys from IMDS first, and if that fails
         (i.e. IMDS is unavailable) then fallback to getting the ssh
@@ -685,30 +732,50 @@ class DataSourceAzure(sources.DataSource):
         advantage, so this is a strong preference. But we must keep
         OVF as a second option for environments that don't have IMDS.
         """
+
         LOG.debug('Retrieving public SSH keys')
         ssh_keys = []
+        keys_from_imds = True
+        LOG.debug('Attempting to get SSH keys from IMDS')
         try:
-            raise KeyError(
-                "Not using public SSH keys from IMDS"
-            )
-            # pylint:disable=unreachable
             ssh_keys = [
                 public_key['keyData']
                 for public_key
                 in self.metadata['imds']['compute']['publicKeys']
             ]
-            LOG.debug('Retrieved SSH keys from IMDS')
+            for key in ssh_keys:
+                if not _key_is_openssh_formatted(key=key):
+                    keys_from_imds = False
+                    break
+
+            if not keys_from_imds:
+                log_msg = 'Keys not in OpenSSH format, using OVF'
+            else:
+                log_msg = 'Retrieved {} keys from IMDS'.format(
+                    len(ssh_keys)
+                    if ssh_keys is not None
+                    else 0
+                )
         except KeyError:
             log_msg = 'Unable to get keys from IMDS, falling back to OVF'
+            keys_from_imds = False
+        finally:
             report_diagnostic_event(log_msg, logger_func=LOG.debug)
+
+        if not keys_from_imds:
+            LOG.debug('Attempting to get SSH keys from OVF')
             try:
                 ssh_keys = self.metadata['public-keys']
-                LOG.debug('Retrieved keys from OVF')
+                log_msg = 'Retrieved {} keys from OVF'.format(len(ssh_keys))
             except KeyError:
                 log_msg = 'No keys available from OVF'
+            finally:
                 report_diagnostic_event(log_msg, logger_func=LOG.debug)
 
-        return ssh_keys
+        return SSHKeys(
+            keys_from_imds=keys_from_imds,
+            ssh_keys=ssh_keys
+        )
 
     def get_config_obj(self):
         return self.cfg
@@ -1325,30 +1392,21 @@ class DataSourceAzure(sources.DataSource):
         self.bounce_network_with_azure_hostname()
 
         pubkey_info = None
-        try:
-            raise KeyError(
-                "Not using public SSH keys from IMDS"
-            )
-            # pylint:disable=unreachable
-            public_keys = self.metadata['imds']['compute']['publicKeys']
-            LOG.debug(
-                'Successfully retrieved %s key(s) from IMDS',
-                len(public_keys)
-                if public_keys is not None
+        ssh_keys_and_source = self._get_public_ssh_keys_and_source()
+
+        if not ssh_keys_and_source.keys_from_imds:
+            pubkey_info = self.cfg.get('_pubkeys', None)
+            log_msg = 'Retrieved {} fingerprints from OVF'.format(
+                len(pubkey_info)
+                if pubkey_info is not None
                 else 0
             )
-        except KeyError:
-            LOG.debug(
-                'Unable to retrieve SSH keys from IMDS during '
-                'negotiation, falling back to OVF'
-            )
-            pubkey_info = self.cfg.get('_pubkeys', None)
+            report_diagnostic_event(log_msg, logger_func=LOG.debug)
 
         metadata_func = partial(get_metadata_from_fabric,
                                 fallback_lease_file=self.
                                 dhclient_lease_file,
-                                pubkey_info=pubkey_info,
-                                iso_dev=self.iso_dev)
+                                pubkey_info=pubkey_info)
 
         LOG.debug("negotiating with fabric via agent command %s",
                   self.ds_cfg['agent_command'])
@@ -1404,6 +1462,41 @@ class DataSourceAzure(sources.DataSource):
         return self.metadata.get('imds', {}).get('compute', {}).get('location')
 
 
+def _username_from_imds(imds_data):
+    try:
+        return imds_data['compute']['osProfile']['adminUsername']
+    except KeyError:
+        return None
+
+
+def _hostname_from_imds(imds_data):
+    try:
+        return imds_data['compute']['osProfile']['computerName']
+    except KeyError:
+        return None
+
+
+def _disable_password_from_imds(imds_data):
+    try:
+        return imds_data['compute']['osProfile']['disablePasswordAuthentication'] == 'true'  # noqa: E501
+    except KeyError:
+        return None
+
+
+def _key_is_openssh_formatted(key):
+    """
+    Validate whether or not the key is OpenSSH-formatted.
+    """
+
+    parser = ssh_util.AuthKeyLineParser()
+    try:
+        akl = parser.parse(key)
+    except TypeError:
+        return False
+
+    return akl.keytype is not None
+
+
 def _partitions_on_device(devpath, maxnum=16):
     # return a list of tuples (ptnum, path) for each part on devpath
     for suff in ("-part", "p", ""):
diff --git a/tests/unittests/test_datasource/test_azure.py b/tests/unittests/test_datasource/test_azure.py
index 320fa857..d9817d84 100644
--- a/tests/unittests/test_datasource/test_azure.py
+++ b/tests/unittests/test_datasource/test_azure.py
@@ -108,7 +108,7 @@ NETWORK_METADATA = {
         "zone": "",
         "publicKeys": [
             {
-                "keyData": "key1",
+                "keyData": "ssh-rsa key1",
                 "path": "path1"
             }
         ]
@@ -1761,8 +1761,29 @@ scbus-1 on xpt0 bus 0
         dsrc.get_data()
         dsrc.setup(True)
         ssh_keys = dsrc.get_public_ssh_keys()
-        # Temporarily alter this test so that SSH public keys
-        # from IMDS are *not* going to be in use to fix a regression.
+        self.assertEqual(ssh_keys, ["ssh-rsa key1"])
+        self.assertEqual(m_parse_certificates.call_count, 0)
+
+    @mock.patch(
+        'cloudinit.sources.helpers.azure.OpenSSLManager.parse_certificates')
+    @mock.patch(MOCKPATH + 'get_metadata_from_imds')
+    def test_get_public_ssh_keys_with_no_openssh_format(
+            self,
+            m_get_metadata_from_imds,
+            m_parse_certificates):
+        imds_data = copy.deepcopy(NETWORK_METADATA)
+        imds_data['compute']['publicKeys'][0]['keyData'] = 'no-openssh-format'
+        m_get_metadata_from_imds.return_value = imds_data
+        sys_cfg = {'datasource': {'Azure': {'apply_network_config': True}}}
+        odata = {'HostName': "myhost", 'UserName': "myuser"}
+        data = {
+            'ovfcontent': construct_valid_ovf_env(data=odata),
+            'sys_cfg': sys_cfg
+        }
+        dsrc = self._get_ds(data)
+        dsrc.get_data()
+        dsrc.setup(True)
+        ssh_keys = dsrc.get_public_ssh_keys()
         self.assertEqual(ssh_keys, [])
         self.assertEqual(m_parse_certificates.call_count, 0)
 
@@ -1818,6 +1839,66 @@ scbus-1 on xpt0 bus 0
         self.assertIsNotNone(dsrc.metadata)
         self.assertFalse(dsrc.failed_desired_api_version)
 
+    @mock.patch(MOCKPATH + 'get_metadata_from_imds')
+    def test_hostname_from_imds(self, m_get_metadata_from_imds):
+        sys_cfg = {'datasource': {'Azure': {'apply_network_config': True}}}
+        odata = {'HostName': "myhost", 'UserName': "myuser"}
+        data = {
+            'ovfcontent': construct_valid_ovf_env(data=odata),
+            'sys_cfg': sys_cfg
+        }
+        imds_data_with_os_profile = copy.deepcopy(NETWORK_METADATA)
+        imds_data_with_os_profile["compute"]["osProfile"] = dict(
+            adminUsername="username1",
+            computerName="hostname1",
+            disablePasswordAuthentication="true"
+        )
+        m_get_metadata_from_imds.return_value = imds_data_with_os_profile
+        dsrc = self._get_ds(data)
+        dsrc.get_data()
+        self.assertEqual(dsrc.metadata["local-hostname"], "hostname1")
+
+    @mock.patch(MOCKPATH + 'get_metadata_from_imds')
+    def test_username_from_imds(self, m_get_metadata_from_imds):
+        sys_cfg = {'datasource': {'Azure': {'apply_network_config': True}}}
+        odata = {'HostName': "myhost", 'UserName': "myuser"}
+        data = {
+            'ovfcontent': construct_valid_ovf_env(data=odata),
+            'sys_cfg': sys_cfg
+        }
+        imds_data_with_os_profile = copy.deepcopy(NETWORK_METADATA)
+        imds_data_with_os_profile["compute"]["osProfile"] = dict(
+            adminUsername="username1",
+            computerName="hostname1",
+            disablePasswordAuthentication="true"
+        )
+        m_get_metadata_from_imds.return_value = imds_data_with_os_profile
+        dsrc = self._get_ds(data)
+        dsrc.get_data()
+        self.assertEqual(
+            dsrc.cfg["system_info"]["default_user"]["name"],
+            "username1"
+        )
+
+    @mock.patch(MOCKPATH + 'get_metadata_from_imds')
+    def test_disable_password_from_imds(self, m_get_metadata_from_imds):
+        sys_cfg = {'datasource': {'Azure': {'apply_network_config': True}}}
+        odata = {'HostName': "myhost", 'UserName': "myuser"}
+        data = {
+            'ovfcontent': construct_valid_ovf_env(data=odata),
+            'sys_cfg': sys_cfg
+        }
+        imds_data_with_os_profile = copy.deepcopy(NETWORK_METADATA)
+        imds_data_with_os_profile["compute"]["osProfile"] = dict(
+            adminUsername="username1",
+            computerName="hostname1",
+            disablePasswordAuthentication="true"
+        )
+        m_get_metadata_from_imds.return_value = imds_data_with_os_profile
+        dsrc = self._get_ds(data)
+        dsrc.get_data()
+        self.assertTrue(dsrc.metadata["disable_password"])
+
 
 class TestAzureBounce(CiTestCase):
 
-- 
2.27.0