fix: respect SSH key options for the root user (#6585)

When no user is provided in the datasource and root login is not
disabled, the root user is configured.  Preserve the provided SSH
key options from user-data for root user in this case.

Before this fix, SSH key options passed in the key line were silently
ignored.
This is what happens:
* `apply_credentials` passes `options=""` to `setup_user_keys`:
  https://github.com/canonical/cloud-init/blob/25.3/cloudinit/config/cc_ssh.py#L257
* `setup_user_keys` receives the empty parameter and passes it to the
  `parse` function:
  https://github.com/canonical/cloud-init/blob/25.3/cloudinit/ssh_util.py#L463
* The `parse` function decides whether options from the key line need to
  be overridden by the `options` parameter. Treat any falsy `options`
  parameter should be treated like `None`, otherwise options from the key
  line are ignored.

Fixes: GH-3868

Author: sbraz

cloudinit/ssh_util.py

@@ -166,7 +166,9 @@ def parse_ssh_key(ent):
             (keytype, base64, comment) = parse_ssh_key(ent)
         except TypeError:
             (keyopts, remain) = self._extract_options(ent)
-            if options is None:
+            # If the options parameter is falsy, use options from the key line
+            # (no override)
+            if not options:
                 options = keyopts
 
             try:

tests/integration_tests/modules/test_ssh_keys_provided.py

@@ -8,6 +8,7 @@
 ``tests/cloud_tests/testcases/modules/ssh_keys_provided.yaml''``.)"""
 
 import pytest
+import yaml
 
 from tests.integration_tests.releases import CURRENT_RELEASE
 
@@ -16,6 +17,7 @@
 disable_root: false
 ssh_authorized_keys:
   - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDXW9Gg5H7ehjdSc6qDzwNtgCy94XYHhEYlXZMO2+FJrH3wfHGiMfCwOHxcOMt2QiXItULthdeQWS9QjBSSjVRXf6731igFrqPFyS9qBlOQ5D29C4HBXFnQggGVpBNJ82IRJv7szbbe/vpgLBP4kttUza9Dr4e1YM1ln4PRnjfXea6T0m+m1ixNb5432pTXlqYOnNOxSIm1gHgMLxPuDrJvQERDKrSiKSjIdyC9Jd8t2e1tkNLY0stmckVRbhShmcJvlyofHWbc2Ca1mmtP7MlS1VQnfLkvU1IrFwkmaQmaggX6WR6coRJ6XFXdWcq/AI2K6GjSnl1dnnCxE8VCEXBlXgFzad+PMSG4yiL5j8Oo1ZVpkTdgBnw4okGqTYCXyZg6X00As9IBNQfZMFlQXlIo4FiWgj3CO5QHQOyOX6FuEumaU13GnERrSSdp9tCs1Qm3/DG2RSCQBWTfcgMcStIvKqvJ3IjFn0vGLvI3Ampnq9q1SHwmmzAPSdzcMA76HyMUA5VWaBvWHlUxzIM6unxZASnwvuCzpywSEB5J2OF+p6H+cStJwQ32XwmOG8pLp1srlVWpqZI58Du/lzrkPqONphoZx0LDV86w7RUz1ksDzAdcm0tvmNRFMN1a0frDs506oA3aWK0oDk4Nmvk8sXGTYYw3iQSkOvDUUlIsqdaO+w==
+  - no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1J77+CrJ8p6/vWCEzuylqJNMHUP/XmeYyGVWb8lnDd root@test-with-options
 ssh_keys:
   rsa_private: |
     -----BEGIN RSA PRIVATE KEY-----
@@ -126,3 +128,15 @@ def test_sshd_config(self, class_client):
         sshd_config = class_client.read_from_file(sshd_config_path).strip()
         for expected_cert in expected_certs:
             assert expected_cert in sshd_config
+
+    def test_authorized_keys_with_options(self, class_client):
+        """Test that SSH authorized key with options is properly persisted."""
+        authorized_keys = (
+            class_client.read_from_file("/root/.ssh/authorized_keys")
+            .strip()
+            .splitlines()
+        )
+
+        # Check that the keys with SSH options are present and enabled
+        for userdata_key in yaml.safe_load(USER_DATA)["ssh_authorized_keys"]:
+            assert userdata_key in authorized_keys

tests/unittests/test_ssh_util.py

@@ -314,6 +314,56 @@ def test_parse(self, ktype, with_comment, with_options):
         else:
             assert key.comment == ""
 
+    @pytest.mark.parametrize("with_options", [True, False])
+    @pytest.mark.parametrize("with_comment", [True, False])
+    @pytest.mark.parametrize("options_parameter", [None, "", 'from="::1"'])
+    @pytest.mark.parametrize("ktype", ["rsa", "ed25519"])
+    def test_parse_with_options_parameter(
+        self, ktype, with_comment, with_options, options_parameter
+    ):
+        """Test options parameter behavior with different values.
+
+        This test specifically validates that the options parameter passed to
+        parse() correctly overrides or is overridden by options in the key
+        line.
+        It is very similar to test_parse() but only runs for 2 key types to
+        avoid having too many parameterized tests.
+        """
+        content = VALID_CONTENT[ktype]
+        comment = "user-%s@host" % ktype
+
+        line_args = []
+        if with_options:
+            line_args.append(TEST_OPTIONS)
+        line_args.extend(
+            [
+                ktype,
+                content,
+            ]
+        )
+        if with_comment:
+            line_args.append(comment)
+        line = " ".join(line_args)
+
+        key = ssh_util.AuthKeyLineParser().parse(
+            line, options=options_parameter
+        )
+
+        assert key.base64 == content
+        assert key.keytype == ktype
+        if options_parameter:
+            # When the options parameter is truthy, override options from line
+            assert key.options == options_parameter
+        elif with_options:
+            # When the options parameter is falsy and line has options,
+            # those are returned
+            assert key.options == TEST_OPTIONS
+        else:
+            # When the options parameter is falsy and the line has no options,
+            # the same falsy value is returned (e.g. None or "")
+            assert key.options == options_parameter
+        assert key.comment == (comment if with_comment else "")
+
     def test_parse_with_options_passed_in(self):
         # test key line with key type and base64 only
         parser = ssh_util.AuthKeyLineParser()