Merge pull request #568 from weng271190436/weweng/validateSshKey

k8s-ci-robot · web-flow · commit 6a820e03f2ca · 2020-04-27T17:02:04.000-07:00
Move AzureMachine SSHPublicKey validation to webhook
diff --git a/api/v1alpha3/azuremachine_default.go b/api/v1alpha3/azuremachine_default.go
@@ -0,0 +1,44 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/ssh"
+)
+
+// SetDefaultSSHPublicKey sets the default SSHPublicKey for an AzureMachine
+func (m *AzureMachine) SetDefaultSSHPublicKey() error {
+	sshKeyData := m.Spec.SSHPublicKey
+	if sshKeyData == "" {
+		privateKey, perr := rsa.GenerateKey(rand.Reader, 2048)
+		if perr != nil {
+			return errors.Wrap(perr, "Failed to generate private key")
+		}
+
+		publicRsaKey, perr := ssh.NewPublicKey(&privateKey.PublicKey)
+		if perr != nil {
+			return errors.Wrap(perr, "Failed to generate public key")
+		}
+		m.Spec.SSHPublicKey = string(ssh.MarshalAuthorizedKey(publicRsaKey))
+	}
+
+	return nil
+}
diff --git a/api/v1alpha3/azuremachine_default_test.go b/api/v1alpha3/azuremachine_default_test.go
@@ -0,0 +1,60 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	"testing"
+
+	. "github.com/onsi/gomega"
+)
+
+func TestAzureMachine_SetDefaultSSHPublicKey(t *testing.T) {
+	g := NewWithT(t)
+
+	type test struct {
+		machine *AzureMachine
+	}
+
+	existingPublicKey := "testpublickey"
+	publicKeyExistTest := test{machine: createMachineWithSSHPublicKey(t, existingPublicKey)}
+	publicKeyNotExistTest := test{machine: createMachineWithSSHPublicKey(t, "")}
+
+	err := publicKeyExistTest.machine.SetDefaultSSHPublicKey()
+	g.Expect(err).To(BeNil())
+	g.Expect(publicKeyExistTest.machine.Spec.SSHPublicKey).To(Equal(existingPublicKey))
+
+	err = publicKeyNotExistTest.machine.SetDefaultSSHPublicKey()
+	g.Expect(err).To(BeNil())
+	g.Expect(publicKeyNotExistTest.machine.Spec.SSHPublicKey).To(Not(BeEmpty()))
+}
+
+func createMachineWithSSHPublicKey(t *testing.T, sshPublicKey string) *AzureMachine {
+	return &AzureMachine{
+		Spec: AzureMachineSpec{
+			SSHPublicKey: sshPublicKey,
+			Image: &Image{
+				SharedGallery: &AzureSharedGalleryImage{
+					SubscriptionID: "SUB123",
+					ResourceGroup:  "RG123",
+					Name:           "NAME123",
+					Gallery:        "GALLERY1",
+					Version:        "1.0.0",
+				},
+			},
+		},
+	}
+}
diff --git a/api/v1alpha3/azuremachine_validation.go b/api/v1alpha3/azuremachine_validation.go
@@ -0,0 +1,34 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	"golang.org/x/crypto/ssh"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// ValidateSSHKey validates an SSHKey
+func ValidateSSHKey(sshKey string, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	if _, _, _, _, err := ssh.ParseAuthorizedKey([]byte(sshKey)); err != nil {
+		allErrs = append(allErrs, field.Required(fldPath, "the SSH public key is not valid"))
+		return allErrs
+	}
+
+	return allErrs
+}
diff --git a/api/v1alpha3/azuremachine_validation_test.go b/api/v1alpha3/azuremachine_validation_test.go
@@ -0,0 +1,65 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"testing"
+
+	. "github.com/onsi/gomega"
+	"golang.org/x/crypto/ssh"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func TestAzureMachine_ValidateSSHKey(t *testing.T) {
+	g := NewWithT(t)
+
+	tests := []struct {
+		name    string
+		sshKey  string
+		wantErr bool
+	}{
+		{
+			name:    "valid ssh key",
+			sshKey:  generateSSHPublicKey(),
+			wantErr: false,
+		},
+		{
+			name:    "invalid ssh key",
+			sshKey:  "invalid ssh key",
+			wantErr: true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			err := ValidateSSHKey(tc.sshKey, field.NewPath("sshPublicKey"))
+			if tc.wantErr {
+				g.Expect(err).ToNot(HaveLen(0))
+			} else {
+				g.Expect(err).To(HaveLen(0))
+			}
+		})
+	}
+}
+
+func generateSSHPublicKey() string {
+	privateKey, _ := rsa.GenerateKey(rand.Reader, 2048)
+	publicRsaKey, _ := ssh.NewPublicKey(&privateKey.PublicKey)
+	return string(ssh.MarshalAuthorizedKey(publicRsaKey))
+}
diff --git a/api/v1alpha3/azuremachine_webhook.go b/api/v1alpha3/azuremachine_webhook.go
@@ -49,13 +49,25 @@ func (m *AzureMachine) ValidateCreate() error {
 			m.Name, errs)
 	}
 
+	if errs := ValidateSSHKey(m.Spec.SSHPublicKey, field.NewPath("sshPublicKey")); len(errs) > 0 {
+		return apierrors.NewInvalid(
+			GroupVersion.WithKind("AzureMachine").GroupKind(),
+			m.Name, errs)
+	}
+
 	return nil
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (m *AzureMachine) ValidateUpdate(old runtime.Object) error {
 	machinelog.Info("validate update", "name", m.Name)
 
+	if errs := ValidateSSHKey(m.Spec.SSHPublicKey, field.NewPath("sshPublicKey")); len(errs) > 0 {
+		return apierrors.NewInvalid(
+			GroupVersion.WithKind("AzureMachine").GroupKind(),
+			m.Name, errs)
+	}
+
 	return nil
 }
 
@@ -65,3 +77,13 @@ func (m *AzureMachine) ValidateDelete() error {
 
 	return nil
 }
+
+// Default implements webhookutil.defaulter so a webhook will be registered for the type
+func (m *AzureMachine) Default() {
+	machinelog.Info("default", "name", m.Name)
+
+	err := m.SetDefaultSSHPublicKey()
+	if err != nil {
+		machinelog.Error(err, "SetDefaultSshPublicKey failed")
+	}
+}
diff --git a/api/v1alpha3/azuremachine_webhook_test.go b/api/v1alpha3/azuremachine_webhook_test.go
@@ -22,6 +22,8 @@ import (
 	. "github.com/onsi/gomega"
 )
 
+var validSSHPublicKey = generateSSHPublicKey()
+
 func TestAzureMachine_ValidateCreate(t *testing.T) {
 	g := NewWithT(t)
 
@@ -60,6 +62,21 @@ func TestAzureMachine_ValidateCreate(t *testing.T) {
 			machine: createMachineWithImageByID(t, ""),
 			wantErr: true,
 		},
+		{
+			name:    "azuremachine with valid SSHPublicKey",
+			machine: createMachineWithSSHPublicKey(t, validSSHPublicKey),
+			wantErr: false,
+		},
+		{
+			name:    "azuremachine without SSHPublicKey",
+			machine: createMachineWithSSHPublicKey(t, ""),
+			wantErr: true,
+		},
+		{
+			name:    "azuremachine with invalid SSHPublicKey",
+			machine: createMachineWithSSHPublicKey(t, "invalid ssh key"),
+			wantErr: true,
+		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
@@ -73,6 +90,64 @@ func TestAzureMachine_ValidateCreate(t *testing.T) {
 	}
 }
 
+func TestAzureMachine_ValidateUpdate(t *testing.T) {
+	g := NewWithT(t)
+
+	tests := []struct {
+		name       string
+		oldMachine *AzureMachine
+		machine    *AzureMachine
+		wantErr    bool
+	}{
+		{
+			name:       "azuremachine with valid SSHPublicKey",
+			oldMachine: createMachineWithSSHPublicKey(t, ""),
+			machine:    createMachineWithSSHPublicKey(t, validSSHPublicKey),
+			wantErr:    false,
+		},
+		{
+			name:       "azuremachine without SSHPublicKey",
+			oldMachine: createMachineWithSSHPublicKey(t, ""),
+			machine:    createMachineWithSSHPublicKey(t, ""),
+			wantErr:    true,
+		},
+		{
+			name:       "azuremachine with invalid SSHPublicKey",
+			oldMachine: createMachineWithSSHPublicKey(t, ""),
+			machine:    createMachineWithSSHPublicKey(t, "invalid ssh key"),
+			wantErr:    true,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			err := tc.machine.ValidateUpdate(tc.oldMachine)
+			if tc.wantErr {
+				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).NotTo(HaveOccurred())
+			}
+		})
+	}
+}
+
+func TestAzureMachine_Default(t *testing.T) {
+	g := NewWithT(t)
+
+	type test struct {
+		machine *AzureMachine
+	}
+
+	existingPublicKey := validSSHPublicKey
+	publicKeyExistTest := test{machine: createMachineWithSSHPublicKey(t, existingPublicKey)}
+	publicKeyNotExistTest := test{machine: createMachineWithSSHPublicKey(t, "")}
+
+	publicKeyExistTest.machine.Default()
+	g.Expect(publicKeyExistTest.machine.Spec.SSHPublicKey).To(Equal(existingPublicKey))
+
+	publicKeyNotExistTest.machine.Default()
+	g.Expect(publicKeyNotExistTest.machine.Spec.SSHPublicKey).To(Not(BeEmpty()))
+}
+
 func createMachineWithSharedImage(t *testing.T, subscriptionID, resourceGroup, name, gallery, version string) *AzureMachine {
 	image := &Image{
 		SharedGallery: &AzureSharedGalleryImage{
@@ -86,7 +161,8 @@ func createMachineWithSharedImage(t *testing.T, subscriptionID, resourceGroup, n
 
 	return &AzureMachine{
 		Spec: AzureMachineSpec{
-			Image: image,
+			Image:        image,
+			SSHPublicKey: validSSHPublicKey,
 		},
 	}
 
@@ -104,7 +180,8 @@ func createMachineWithtMarketPlaceImage(t *testing.T, publisher, offer, sku, ver
 
 	return &AzureMachine{
 		Spec: AzureMachineSpec{
-			Image: image,
+			Image:        image,
+			SSHPublicKey: validSSHPublicKey,
 		},
 	}
 }
@@ -116,7 +193,8 @@ func createMachineWithImageByID(t *testing.T, imageID string) *AzureMachine {
 
 	return &AzureMachine{
 		Spec: AzureMachineSpec{
-			Image: image,
+			Image:        image,
+			SSHPublicKey: validSSHPublicKey,
 		},
 	}
 }
diff --git a/cloud/services/virtualmachines/virtualmachines.go b/cloud/services/virtualmachines/virtualmachines.go
