feat: [#225] validate SSH key paths must be absolute

Author: josecelano

src/application/command_handlers/create/config/environment_config.rs

@@ -121,7 +121,7 @@ impl EnvironmentCreationConfig {
     ///
     /// # Examples
     ///
-    /// ```rust
+    /// ```no_run
     /// use torrust_tracker_deployer_lib::application::command_handlers::create::config::{
     ///     EnvironmentCreationConfig, EnvironmentSection, SshCredentialsConfig,
     ///     ProviderSection, LxdProviderSection
@@ -195,7 +195,7 @@ impl EnvironmentCreationConfig {
     ///
     /// # Examples
     ///
-    /// ```rust
+    /// ```no_run
     /// use torrust_tracker_deployer_lib::application::command_handlers::create::config::{
     ///     EnvironmentCreationConfig, EnvironmentSection, SshCredentialsConfig,
     ///     ProviderSection, LxdProviderSection
@@ -611,17 +611,18 @@ mod tests {
 
     #[test]
     fn test_convert_to_environment_params_success_auto_generated_instance_name() {
+        use std::env;
+
+        let project_root = env::var("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR not set");
+        let private_key_path = format!("{project_root}/fixtures/testing_rsa");
+        let public_key_path = format!("{project_root}/fixtures/testing_rsa.pub");
+
         let config = EnvironmentCreationConfig::new(
             EnvironmentSection {
                 name: "dev".to_string(),
                 instance_name: None, // Auto-generate
             },
-            SshCredentialsConfig::new(
-                "fixtures/testing_rsa".to_string(),
-                "fixtures/testing_rsa.pub".to_string(),
-                "torrust".to_string(),
-                22,
-            ),
+            SshCredentialsConfig::new(private_key_path, public_key_path, "torrust".to_string(), 22),
             default_lxd_provider("torrust-profile-dev"),
             TrackerSection::default(),
         );
@@ -640,17 +641,18 @@ mod tests {
 
     #[test]
     fn test_convert_to_environment_params_success_custom_instance_name() {
+        use std::env;
+
+        let project_root = env::var("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR not set");
+        let private_key_path = format!("{project_root}/fixtures/testing_rsa");
+        let public_key_path = format!("{project_root}/fixtures/testing_rsa.pub");
+
         let config = EnvironmentCreationConfig::new(
             EnvironmentSection {
                 name: "prod".to_string(),
                 instance_name: Some("my-custom-instance".to_string()),
             },
-            SshCredentialsConfig::new(
-                "fixtures/testing_rsa".to_string(),
-                "fixtures/testing_rsa.pub".to_string(),
-                "torrust".to_string(),
-                22,
-            ),
+            SshCredentialsConfig::new(private_key_path, public_key_path, "torrust".to_string(), 22),
             default_lxd_provider("torrust-profile-prod"),
             TrackerSection::default(),
         );
@@ -667,17 +669,18 @@ mod tests {
 
     #[test]
     fn test_convert_to_environment_params_invalid_environment_name() {
+        use std::env;
+
+        let project_root = env::var("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR not set");
+        let private_key_path = format!("{project_root}/fixtures/testing_rsa");
+        let public_key_path = format!("{project_root}/fixtures/testing_rsa.pub");
+
         let config = EnvironmentCreationConfig::new(
             EnvironmentSection {
                 name: "Invalid_Name".to_string(), // uppercase - invalid
                 instance_name: None,
             },
-            SshCredentialsConfig::new(
-                "fixtures/testing_rsa".to_string(),
-                "fixtures/testing_rsa.pub".to_string(),
-                "torrust".to_string(),
-                22,
-            ),
+            SshCredentialsConfig::new(private_key_path, public_key_path, "torrust".to_string(), 22),
             default_lxd_provider("torrust-profile"),
             TrackerSection::default(),
         );
@@ -695,17 +698,18 @@ mod tests {
 
     #[test]
     fn test_convert_to_environment_params_invalid_instance_name() {
+        use std::env;
+
+        let project_root = env::var("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR not set");
+        let private_key_path = format!("{project_root}/fixtures/testing_rsa");
+        let public_key_path = format!("{project_root}/fixtures/testing_rsa.pub");
+
         let config = EnvironmentCreationConfig::new(
             EnvironmentSection {
                 name: "dev".to_string(),
                 instance_name: Some("invalid-".to_string()), // ends with dash - invalid
             },
-            SshCredentialsConfig::new(
-                "fixtures/testing_rsa".to_string(),
-                "fixtures/testing_rsa.pub".to_string(),
-                "torrust".to_string(),
-                22,
-            ),
+            SshCredentialsConfig::new(private_key_path, public_key_path, "torrust".to_string(), 22),
             default_lxd_provider("torrust-profile"),
             TrackerSection::default(),
         );
@@ -724,17 +728,18 @@ mod tests {
 
     #[test]
     fn test_convert_to_environment_params_invalid_profile_name() {
+        use std::env;
+
+        let project_root = env::var("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR not set");
+        let private_key_path = format!("{project_root}/fixtures/testing_rsa");
+        let public_key_path = format!("{project_root}/fixtures/testing_rsa.pub");
+
         let config = EnvironmentCreationConfig::new(
             EnvironmentSection {
                 name: "dev".to_string(),
                 instance_name: None,
             },
-            SshCredentialsConfig::new(
-                "fixtures/testing_rsa".to_string(),
-                "fixtures/testing_rsa.pub".to_string(),
-                "torrust".to_string(),
-                22,
-            ),
+            SshCredentialsConfig::new(private_key_path, public_key_path, "torrust".to_string(), 22),
             ProviderSection::Lxd(LxdProviderSection {
                 profile_name: "invalid-".to_string(), // ends with dash - invalid
             }),
@@ -754,14 +759,20 @@ mod tests {
 
     #[test]
     fn test_convert_to_environment_params_invalid_username() {
+        use std::env;
+
+        let project_root = env::var("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR not set");
+        let private_key_path = format!("{project_root}/fixtures/testing_rsa");
+        let public_key_path = format!("{project_root}/fixtures/testing_rsa.pub");
+
         let config = EnvironmentCreationConfig::new(
             EnvironmentSection {
                 name: "dev".to_string(),
                 instance_name: None,
             },
             SshCredentialsConfig::new(
-                "fixtures/testing_rsa".to_string(),
-                "fixtures/testing_rsa.pub".to_string(),
+                private_key_path,
+                public_key_path,
                 "123invalid".to_string(), // starts with number - invalid
                 22,
             ),
@@ -782,14 +793,19 @@ mod tests {
 
     #[test]
     fn test_convert_to_environment_params_private_key_not_found() {
+        use std::env;
+
+        let project_root = env::var("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR not set");
+        let public_key_path = format!("{project_root}/fixtures/testing_rsa.pub");
+
         let config = EnvironmentCreationConfig::new(
             EnvironmentSection {
                 name: "dev".to_string(),
                 instance_name: None,
             },
             SshCredentialsConfig::new(
                 "/nonexistent/key".to_string(),
-                "fixtures/testing_rsa.pub".to_string(),
+                public_key_path,
                 "torrust".to_string(),
                 22,
             ),
@@ -810,13 +826,18 @@ mod tests {
 
     #[test]
     fn test_convert_to_environment_params_public_key_not_found() {
+        use std::env;
+
+        let project_root = env::var("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR not set");
+        let private_key_path = format!("{project_root}/fixtures/testing_rsa");
+
         let config = EnvironmentCreationConfig::new(
             EnvironmentSection {
                 name: "dev".to_string(),
                 instance_name: None,
             },
             SshCredentialsConfig::new(
-                "fixtures/testing_rsa".to_string(),
+                private_key_path,
                 "/nonexistent/key.pub".to_string(),
                 "torrust".to_string(),
                 22,
@@ -840,18 +861,18 @@ mod tests {
     fn test_integration_with_environment_new() {
         // This test verifies that the converted parameters work with Environment::new()
         use crate::domain::Environment;
+        use std::env;
+
+        let project_root = env::var("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR not set");
+        let private_key_path = format!("{project_root}/fixtures/testing_rsa");
+        let public_key_path = format!("{project_root}/fixtures/testing_rsa.pub");
 
         let config = EnvironmentCreationConfig::new(
             EnvironmentSection {
                 name: "test-env".to_string(),
                 instance_name: None,
             },
-            SshCredentialsConfig::new(
-                "fixtures/testing_rsa".to_string(),
-                "fixtures/testing_rsa.pub".to_string(),
-                "torrust".to_string(),
-                22,
-            ),
+            SshCredentialsConfig::new(private_key_path, public_key_path, "torrust".to_string(), 22),
             default_lxd_provider("torrust-profile-test-env"),
             TrackerSection::default(),
         );

src/application/command_handlers/create/config/errors.rs

@@ -46,6 +46,14 @@ pub enum CreateConfigError {
     #[error("SSH public key file not found: {path}")]
     PublicKeyNotFound { path: PathBuf },
 
+    /// SSH private key path must be absolute
+    #[error("SSH private key path must be absolute: {path:?}")]
+    RelativePrivateKeyPath { path: PathBuf },
+
+    /// SSH public key path must be absolute
+    #[error("SSH public key path must be absolute: {path:?}")]
+    RelativePublicKeyPath { path: PathBuf },
+
     /// Invalid SSH port (must be 1-65535)
     #[error("Invalid SSH port: {port} (must be between 1 and 65535)")]
     InvalidPort { port: u16 },
@@ -201,6 +209,66 @@ impl CreateConfigError {
                  3. Ensure you have read permissions on the file\n\
                  4. Generate public key from private key if needed: ssh-keygen -y -f <private_key> > <public_key>"
             }
+            Self::RelativePrivateKeyPath { .. } => {
+                // Note: Can't use format! in const context, so we use a static message
+                // The actual path will be shown in the error message itself
+                "SSH private key path must be absolute.\n\
+                 \n\
+                 SSH key paths must be absolute to ensure they work correctly across\n\
+                 different working directories and command invocations.\n\
+                 \n\
+                 Fix:\n\
+                 1. Convert relative path to absolute path:\n\
+                 \n\
+                 Use the `realpath` command to get the absolute path:\n\
+                 \n\
+                 realpath <your-relative-path>\n\
+                 \n\
+                 Example:\n\
+                 - Current (relative): fixtures/testing_rsa\n\
+                 - Command: realpath fixtures/testing_rsa\n\
+                 - Result: /home/user/project/fixtures/testing_rsa\n\
+                 \n\
+                 2. Update your configuration file with the absolute path\n\
+                 \n\
+                 3. Alternative approaches:\n\
+                 - Use ~ for home directory (e.g., ~/.ssh/id_rsa)\n\
+                 - Use environment variables (e.g., $HOME/.ssh/id_rsa)\n\
+                 \n\
+                 Why absolute paths?\n\
+                 - Commands may run from different working directories\n\
+                 - Environment state persists paths that must remain valid\n\
+                 - Multi-command workflows (create → provision → configure)"
+            }
+            Self::RelativePublicKeyPath { .. } => {
+                "SSH public key path must be absolute.\n\
+                 \n\
+                 SSH key paths must be absolute to ensure they work correctly across\n\
+                 different working directories and command invocations.\n\
+                 \n\
+                 Fix:\n\
+                 1. Convert relative path to absolute path:\n\
+                 \n\
+                 Use the `realpath` command to get the absolute path:\n\
+                 \n\
+                 realpath <your-relative-path>\n\
+                 \n\
+                 Example:\n\
+                 - Current (relative): fixtures/testing_rsa.pub\n\
+                 - Command: realpath fixtures/testing_rsa.pub\n\
+                 - Result: /home/user/project/fixtures/testing_rsa.pub\n\
+                 \n\
+                 2. Update your configuration file with the absolute path\n\
+                 \n\
+                 3. Alternative approaches:\n\
+                 - Use ~ for home directory (e.g., ~/.ssh/id_rsa.pub)\n\
+                 - Use environment variables (e.g., $HOME/.ssh/id_rsa.pub)\n\
+                 \n\
+                 Why absolute paths?\n\
+                 - Commands may run from different working directories\n\
+                 - Environment state persists paths that must remain valid\n\
+                 - Multi-command workflows (create → provision → configure)"
+            }
             Self::InvalidPort { .. } => {
                 "Invalid SSH port number.\n\
                  \n\

src/application/command_handlers/create/config/mod.rs

@@ -50,7 +50,7 @@
 //!
 //! ## Usage Example
 //!
-//! ```rust
+//! ```no_run
 //! use torrust_tracker_deployer_lib::application::command_handlers::create::config::{
 //!     EnvironmentCreationConfig, EnvironmentSection, SshCredentialsConfig,
 //!     ProviderSection, LxdProviderSection