Add authorized_keys manager

ilia-db · ilia-db · commit d95fc1dd2b8d · 2025-10-27T13:20:20.000+01:00
diff --git a/experimental/ssh/internal/server/authorized_keys.go b/experimental/ssh/internal/server/authorized_keys.go
@@ -0,0 +1,63 @@
+package server
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+	"sync"
+
+	"github.com/databricks/cli/experimental/ssh/internal/keys"
+	"github.com/databricks/cli/libs/log"
+	"github.com/databricks/databricks-sdk-go"
+)
+
+type AuthorizedKeysManager struct {
+	mu          sync.Mutex
+	filePath    string
+	client      *databricks.WorkspaceClient
+	secretScope string
+	addedKeys   map[string]bool
+}
+
+func NewAuthorizedKeysManager(client *databricks.WorkspaceClient, filePath, secretScope string) *AuthorizedKeysManager {
+	return &AuthorizedKeysManager{
+		filePath:    filePath,
+		client:      client,
+		secretScope: secretScope,
+		addedKeys:   make(map[string]bool),
+	}
+}
+
+// Adds a public key from secrets scope to the authorized_keys file.
+// If the key has already been added, this is a no-op.
+func (akm *AuthorizedKeysManager) AddKey(ctx context.Context, publicKeyName string) error {
+	akm.mu.Lock()
+	defer akm.mu.Unlock()
+
+	if akm.addedKeys[publicKeyName] {
+		log.Infof(ctx, "Public key %s already added, skipping", publicKeyName)
+		return nil
+	}
+
+	log.Infof(ctx, "Adding public key from secret: %s", publicKeyName)
+	clientPublicKey, err := keys.GetSecret(ctx, akm.client, akm.secretScope, publicKeyName)
+	if err != nil {
+		return fmt.Errorf("failed to get client public key: %w", err)
+	}
+
+	authKeys, err := os.OpenFile(akm.filePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)
+	if err != nil {
+		return fmt.Errorf("failed to open authorized keys file: %w", err)
+	}
+	defer authKeys.Close()
+
+	content := strings.TrimSpace(string(clientPublicKey))
+	_, err = authKeys.WriteString("\n" + content)
+	if err != nil {
+		return err
+	}
+
+	akm.addedKeys[publicKeyName] = true
+	return nil
+}
diff --git a/experimental/ssh/internal/server/authorized_keys_test.go b/experimental/ssh/internal/server/authorized_keys_test.go
@@ -0,0 +1,200 @@
+package server
+
+import (
+	"context"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"testing"
+
+	"github.com/databricks/databricks-sdk-go/experimental/mocks"
+	mockWorkspace "github.com/databricks/databricks-sdk-go/experimental/mocks/service/workspace"
+	"github.com/databricks/databricks-sdk-go/service/workspace"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+type testSetup struct {
+	ctx          context.Context
+	authKeysPath string
+	mockClient   *mocks.MockWorkspaceClient
+	secretsAPI   *mockWorkspace.MockSecretsInterface
+	manager      *AuthorizedKeysManager
+}
+
+func setupTest(t *testing.T) *testSetup {
+	ctx := context.Background()
+	tempDir := t.TempDir()
+	authKeysPath := filepath.Join(tempDir, "authorized_keys")
+
+	m := mocks.NewMockWorkspaceClient(t)
+	secretsAPI := m.GetMockSecretsAPI()
+	manager := NewAuthorizedKeysManager(m.WorkspaceClient, authKeysPath, "test-scope")
+
+	return &testSetup{
+		ctx:          ctx,
+		authKeysPath: authKeysPath,
+		mockClient:   m,
+		secretsAPI:   secretsAPI,
+		manager:      manager,
+	}
+}
+
+func (s *testSetup) mockGetSecret(keyName, publicKey string) {
+	encodedKey := base64.StdEncoding.EncodeToString([]byte(publicKey))
+	s.secretsAPI.EXPECT().GetSecret(s.ctx, workspace.GetSecretRequest{
+		Scope: "test-scope",
+		Key:   keyName,
+	}).Return(&workspace.GetSecretResponse{
+		Value: encodedKey,
+	}, nil)
+}
+
+func (s *testSetup) mockGetSecretOnce(keyName, publicKey string) {
+	encodedKey := base64.StdEncoding.EncodeToString([]byte(publicKey))
+	s.secretsAPI.EXPECT().GetSecret(s.ctx, workspace.GetSecretRequest{
+		Scope: "test-scope",
+		Key:   keyName,
+	}).Return(&workspace.GetSecretResponse{
+		Value: encodedKey,
+	}, nil).Once()
+}
+
+func (s *testSetup) mockGetSecretError(keyName string, err error) {
+	s.secretsAPI.EXPECT().GetSecret(s.ctx, workspace.GetSecretRequest{
+		Scope: "test-scope",
+		Key:   keyName,
+	}).Return(nil, err)
+}
+
+func TestAuthorizedKeysManager_AddKey_Success(t *testing.T) {
+	s := setupTest(t)
+	publicKey := "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC... test@example.com"
+
+	s.mockGetSecret("test-key", publicKey)
+
+	err := s.manager.AddKey(s.ctx, "test-key")
+	require.NoError(t, err)
+
+	content, err := os.ReadFile(s.authKeysPath)
+	require.NoError(t, err)
+	assert.Contains(t, string(content), publicKey)
+	assert.True(t, s.manager.addedKeys["test-key"])
+}
+
+func TestAuthorizedKeysManager_AddKey_Deduplication(t *testing.T) {
+	s := setupTest(t)
+	publicKey := "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC... test@example.com"
+
+	s.mockGetSecretOnce("test-key", publicKey)
+
+	err := s.manager.AddKey(s.ctx, "test-key")
+	require.NoError(t, err)
+
+	contentAfterFirst, err := os.ReadFile(s.authKeysPath)
+	require.NoError(t, err)
+
+	err = s.manager.AddKey(s.ctx, "test-key")
+	require.NoError(t, err)
+
+	contentAfterSecond, err := os.ReadFile(s.authKeysPath)
+	require.NoError(t, err)
+
+	assert.Equal(t, string(contentAfterFirst), string(contentAfterSecond))
+	occurrences := strings.Count(string(contentAfterSecond), publicKey)
+	assert.Equal(t, 1, occurrences)
+}
+
+func TestAuthorizedKeysManager_AddKey_GetSecretError(t *testing.T) {
+	s := setupTest(t)
+
+	s.mockGetSecretError("missing-key", errors.New("secret not found"))
+
+	err := s.manager.AddKey(s.ctx, "missing-key")
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "failed to get client public key")
+	assert.False(t, s.manager.addedKeys["missing-key"])
+}
+
+func TestAuthorizedKeysManager_AddKey_FileWriteError(t *testing.T) {
+	s := setupTest(t)
+	publicKey := "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC... test@example.com"
+
+	s.mockGetSecret("test-key", publicKey)
+	s.manager = NewAuthorizedKeysManager(s.mockClient.WorkspaceClient, "/nonexistent/directory/authorized_keys", "test-scope")
+
+	err := s.manager.AddKey(s.ctx, "test-key")
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "failed to open authorized keys file")
+	assert.False(t, s.manager.addedKeys["test-key"])
+}
+
+func TestAuthorizedKeysManager_AddKey_ThreadSafety(t *testing.T) {
+	s := setupTest(t)
+	const numGoroutines = 10
+	const numKeysPerGoroutine = 10
+
+	expectedKeys := make([]string, 0, numGoroutines*numKeysPerGoroutine)
+	for i := range numGoroutines {
+		for j := range numKeysPerGoroutine {
+			keyName := fmt.Sprintf("key-%d-%d", i, j)
+			publicKey := fmt.Sprintf("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC%d%d test@example.com", i, j)
+			s.mockGetSecret(keyName, publicKey)
+			expectedKeys = append(expectedKeys, publicKey)
+		}
+	}
+
+	var wg sync.WaitGroup
+	for i := range numGoroutines {
+		wg.Go(func() {
+			for j := range numKeysPerGoroutine {
+				keyName := fmt.Sprintf("key-%d-%d", i, j)
+				err := s.manager.AddKey(s.ctx, keyName)
+				assert.NoError(t, err)
+			}
+		})
+	}
+
+	wg.Wait()
+
+	assert.Equal(t, numGoroutines*numKeysPerGoroutine, len(s.manager.addedKeys))
+
+	content, err := os.ReadFile(s.authKeysPath)
+	require.NoError(t, err)
+
+	lines := strings.Split(strings.TrimSpace(string(content)), "\n")
+	for _, publicKey := range expectedKeys {
+		assert.Contains(t, lines, publicKey)
+	}
+}
+
+func TestAuthorizedKeysManager_AddKey_MultipleKeys(t *testing.T) {
+	s := setupTest(t)
+	keys := map[string]string{
+		"key1": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1 user1@example.com",
+		"key2": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2 user2@example.com",
+		"key3": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3 user3@example.com",
+	}
+
+	for keyName, publicKey := range keys {
+		s.mockGetSecret(keyName, publicKey)
+	}
+
+	for keyName := range keys {
+		err := s.manager.AddKey(s.ctx, keyName)
+		require.NoError(t, err)
+	}
+
+	content, err := os.ReadFile(s.authKeysPath)
+	require.NoError(t, err)
+
+	for _, publicKey := range keys {
+		assert.Contains(t, string(content), publicKey)
+	}
+
+	assert.Equal(t, len(keys), len(s.manager.addedKeys))
+}
diff --git a/experimental/ssh/internal/server/server.go b/experimental/ssh/internal/server/server.go
@@ -69,14 +69,15 @@ func Run(ctx context.Context, client *databricks.WorkspaceClient, opts ServerOpt
 		return fmt.Errorf("failed to save Jupyter init script: %w", err)
 	}
 
-	connections := proxy.NewConnectionsManager(opts.MaxClients, opts.ShutdownDelay)
+	authKeysManager := NewAuthorizedKeysManager(client, authKeysPath, opts.SecretScopeName)
 	createServerCommand := func(ctx context.Context, publicKeyName string) (*exec.Cmd, error) {
-		err := updateAuthorizedKeys(ctx, client, authKeysPath, opts.SecretScopeName, publicKeyName)
+		err := authKeysManager.AddKey(ctx, publicKeyName)
 		if err != nil {
 			return nil, fmt.Errorf("failed to store auth key: %w", err)
 		}
 		return createSSHDProcess(ctx, sshdConfigPath), nil
 	}
+	connections := proxy.NewConnectionsManager(opts.MaxClients, opts.ShutdownDelay)
 	http.Handle("/ssh", proxy.NewProxyServer(ctx, connections, createServerCommand))
 	http.HandleFunc("/metadata", serveMetadata)
 	go handleTimeout(ctx, connections.TimedOut, opts.ShutdownDelay)
diff --git a/experimental/ssh/internal/server/sshd.go b/experimental/ssh/internal/server/sshd.go
@@ -43,6 +43,7 @@ func prepareSSHDConfig(ctx context.Context, client *databricks.WorkspaceClient,
 
 	sshdConfig := filepath.Join(sshDir, "sshd_config")
 	authKeysPath := filepath.Join(sshDir, "authorized_keys")
+	// Prepare an empty authorized_keys file, it will be updated each time a new client connects
 	if err := os.WriteFile(authKeysPath, []byte(""), 0o600); err != nil {
 		return "", "", err
 	}
@@ -86,22 +87,6 @@ func prepareSSHDConfig(ctx context.Context, client *databricks.WorkspaceClient,
 	return sshdConfig, authKeysPath, nil
 }
 
-func updateAuthorizedKeys(ctx context.Context, client *databricks.WorkspaceClient, authKeysPath, secretScopeName, publicKeyName string) error {
-	log.Info(ctx, "Using public key secret name:"+publicKeyName)
-	clientPublicKey, err := keys.GetSecret(ctx, client, secretScopeName, publicKeyName)
-	if err != nil {
-		return fmt.Errorf("failed to get client public key: %w", err)
-	}
-	authKeys, err := os.OpenFile(authKeysPath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)
-	if err != nil {
-		return fmt.Errorf("failed to open authorized keys file: %w", err)
-	}
-	defer authKeys.Close()
-	content := strings.TrimSpace(string(clientPublicKey))
-	_, err = authKeys.WriteString("\n" + content)
-	return err
-}
-
 func createSSHDProcess(ctx context.Context, configPath string) *exec.Cmd {
 	return exec.CommandContext(ctx, "/usr/sbin/sshd", "-f", configPath, "-i")
 }

Original file line number	Diff line number	Diff line change
`@@ -69,14 +69,15 @@ func Run(ctx context.Context, client *databricks.WorkspaceClient, opts ServerOpt`
`69`	`69`	`return fmt.Errorf("failed to save Jupyter init script: %w", err)`
`70`	`70`	`}`
`71`	`71`
`72`		`- connections := proxy.NewConnectionsManager(opts.MaxClients, opts.ShutdownDelay)`
	`72`	`+ authKeysManager := NewAuthorizedKeysManager(client, authKeysPath, opts.SecretScopeName)`
`73`	`73`	`createServerCommand := func(ctx context.Context, publicKeyName string) (*exec.Cmd, error) {`
`74`		`- err := updateAuthorizedKeys(ctx, client, authKeysPath, opts.SecretScopeName, publicKeyName)`
	`74`	`+ err := authKeysManager.AddKey(ctx, publicKeyName)`
`75`	`75`	`if err != nil {`
`76`	`76`	`return nil, fmt.Errorf("failed to store auth key: %w", err)`
`77`	`77`	`}`
`78`	`78`	`return createSSHDProcess(ctx, sshdConfigPath), nil`
`79`	`79`	`}`
	`80`	`+ connections := proxy.NewConnectionsManager(opts.MaxClients, opts.ShutdownDelay)`
`80`	`81`	`http.Handle("/ssh", proxy.NewProxyServer(ctx, connections, createServerCommand))`
`81`	`82`	`http.HandleFunc("/metadata", serveMetadata)`
`82`	`83`	`go handleTimeout(ctx, connections.TimedOut, opts.ShutdownDelay)`