From 04fe8327676ec6dcd10dde4db461aa1b4bfce881 Mon Sep 17 00:00:00 2001 From: Pankti Shah <58618433+panktishah26@users.noreply.github.com> Date: Thu, 12 Oct 2023 10:10:53 -0700 Subject: [PATCH] Strip comments from ssh authorized key from the controller using mutating webhook (#6799) --- pkg/api/v1alpha1/tinkerbellmachineconfig.go | 17 ++++++++++ .../tinkerbellmachineconfig_webhook.go | 2 ++ .../tinkerbellmachineconfig_webhook_test.go | 33 +++++++++++++++++++ 3 files changed, 52 insertions(+) diff --git a/pkg/api/v1alpha1/tinkerbellmachineconfig.go b/pkg/api/v1alpha1/tinkerbellmachineconfig.go index 1750e721d7bd..da3cdac9c32f 100644 --- a/pkg/api/v1alpha1/tinkerbellmachineconfig.go +++ b/pkg/api/v1alpha1/tinkerbellmachineconfig.go @@ -3,7 +3,9 @@ package v1alpha1 import ( "fmt" "net/url" + "strings" + "golang.org/x/crypto/ssh" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -114,3 +116,18 @@ func setTinkerbellMachineConfigDefaults(machineConfig *TinkerbellMachineConfig) machineConfig.Spec.OSFamily = Bottlerocket } } + +func normalizeSSHKeys(machineConfig *TinkerbellMachineConfig) { + _ = stripCommentsFromSSHKeys(machineConfig) +} + +func stripCommentsFromSSHKeys(machine *TinkerbellMachineConfig) error { + public, _, _, _, err := ssh.ParseAuthorizedKey([]byte(machine.Spec.Users[0].SshAuthorizedKeys[0])) + if err != nil { + return err + } + + machine.Spec.Users[0].SshAuthorizedKeys[0] = strings.TrimSpace(string(ssh.MarshalAuthorizedKey(public))) + + return nil +} diff --git a/pkg/api/v1alpha1/tinkerbellmachineconfig_webhook.go b/pkg/api/v1alpha1/tinkerbellmachineconfig_webhook.go index c704d4cf34f9..0c307525bda2 100644 --- a/pkg/api/v1alpha1/tinkerbellmachineconfig_webhook.go +++ b/pkg/api/v1alpha1/tinkerbellmachineconfig_webhook.go @@ -45,6 +45,8 @@ var _ webhook.Defaulter = &TinkerbellMachineConfig{} func (r *TinkerbellMachineConfig) Default() { tinkerbellmachineconfiglog.Info("Setting up Tinkerbell Machine Config defaults", klog.KObj(r)) r.SetDefaults() + tinkerbellmachineconfiglog.Info("Normalize SSHKeys by removing comments from the keys", klog.KObj(r)) + normalizeSSHKeys(r) } // TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation. diff --git a/pkg/api/v1alpha1/tinkerbellmachineconfig_webhook_test.go b/pkg/api/v1alpha1/tinkerbellmachineconfig_webhook_test.go index 938eef8f1334..367ba017a664 100644 --- a/pkg/api/v1alpha1/tinkerbellmachineconfig_webhook_test.go +++ b/pkg/api/v1alpha1/tinkerbellmachineconfig_webhook_test.go @@ -1,6 +1,7 @@ package v1alpha1_test import ( + "fmt" "testing" . "github.com/onsi/gomega" @@ -149,6 +150,38 @@ func TestTinkerbellMachineConfigDefaultOSFamily(t *testing.T) { g.Expect(mOld.Spec.OSFamily).To(Equal(v1alpha1.Bottlerocket)) } +func TestTinkerbellMachineConfigMutateSSHKey(t *testing.T) { + sshKey := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuWn+GtgUe/g85l4SqSsGCV56CXZzqktKX/hYAl7MwO" + mOld := v1alpha1.CreateTinkerbellMachineConfig(func(mc *v1alpha1.TinkerbellMachineConfig) { + mc.Spec.Users = []v1alpha1.UserConfiguration{ + { + Name: "user", + SshAuthorizedKeys: []string{fmt.Sprintf("%s abc@xyz.com", sshKey)}, + }, + } + }) + + mOld.Default() + g := NewWithT(t) + g.Expect(mOld.Spec.Users[0].SshAuthorizedKeys[0]).To(Equal(sshKey)) +} + +func TestTinkerbellMachineConfigMutateSSHKeyNotMutated(t *testing.T) { + sshKey := "ssh incorrect Key abc@xyz.com" + mOld := v1alpha1.CreateTinkerbellMachineConfig(func(mc *v1alpha1.TinkerbellMachineConfig) { + mc.Spec.Users = []v1alpha1.UserConfiguration{ + { + Name: "user", + SshAuthorizedKeys: []string{sshKey}, + }, + } + }) + + mOld.Default() + g := NewWithT(t) + g.Expect(mOld.Spec.Users[0].SshAuthorizedKeys[0]).To(Equal(sshKey)) +} + func TestTinkerbellMachineConfigValidateUpdateFailUsers(t *testing.T) { machineConfigOld := v1alpha1.CreateTinkerbellMachineConfig() machineConfigNew := v1alpha1.CreateTinkerbellMachineConfig(func(mc *v1alpha1.TinkerbellMachineConfig) {