Strip comments from ssh authorized key from the controller using muta…
…ting webhook (#6799)
panktishah26 authored Oct 12, 2023
1 parent 6dea173 commit 04fe832
Showing 3 changed files with 52 additions and 0 deletions.
17 changes: 17 additions & 0 deletions pkg/api/v1alpha1/tinkerbellmachineconfig.go
Expand Up @@ -3,7 +3,9 @@ package v1alpha1
import (
"fmt"
"net/url"
"strings"

"golang.org/x/crypto/ssh"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

Expand Down Expand Up @@ -114,3 +116,18 @@ func setTinkerbellMachineConfigDefaults(machineConfig *TinkerbellMachineConfig)
machineConfig.Spec.OSFamily = Bottlerocket
}
}

func normalizeSSHKeys(machineConfig *TinkerbellMachineConfig) {
_ = stripCommentsFromSSHKeys(machineConfig)
}

func stripCommentsFromSSHKeys(machine *TinkerbellMachineConfig) error {
public, _, _, _, err := ssh.ParseAuthorizedKey([]byte(machine.Spec.Users[0].SshAuthorizedKeys[0]))
if err != nil {
return err
}

machine.Spec.Users[0].SshAuthorizedKeys[0] = strings.TrimSpace(string(ssh.MarshalAuthorizedKey(public)))

return nil
}
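Review bot: `stripCommentsFromSSHKeys` indexes `machine.Spec.Users[0].SshAuthorizedKeys[0]` with no length check, so a config with no users or an empty key list would panic inside the defaulting webhook unless the defaults (not fully visible here) guarantee both; a guard at the top such as `if len(machine.Spec.Users) == 0 || len(machine.Spec.Users[0].SshAuthorizedKeys) == 0 { return nil }` avoids that. The call also discards the options and rest values returned by `ssh.ParseAuthorizedKey`, so an entry carrying authorized_keys options (for example a `from=` or `command=` restriction) is rewritten to the bare key and silently loses the restriction, and anything after the first key in the string is dropped. Only the first key of the first user is normalized; if more entries are supported they keep their comments. A doc comment stating these limits, e.g. `// stripCommentsFromSSHKeys rewrites the first key of the first user to "<type> <base64>"; comment and options are discarded.`, would make the behaviour explicit.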
2 changes: 2 additions & 0 deletions pkg/api/v1alpha1/tinkerbellmachineconfig_webhook.go
Expand Up @@ -45,6 +45,8 @@ var _ webhook.Defaulter = &TinkerbellMachineConfig{}
func (r *TinkerbellMachineConfig) Default() {
tinkerbellmachineconfiglog.Info("Setting up Tinkerbell Machine Config defaults", klog.KObj(r))
r.SetDefaults()
tinkerbellmachineconfiglog.Info("Normalize SSHKeys by removing comments from the keys", klog.KObj(r))
normalizeSSHKeys(r)
}

// TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
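Review bot: The new Info line in `Default()` reports normalization on every admission, but `normalizeSSHKeys` discards the error from `stripCommentsFromSSHKeys`, so a key that failed to parse is left unchanged with nothing in the log to show it. Consider calling the helper directly and logging the failure without the key text, for example `if err := stripCommentsFromSSHKeys(r); err != nil { tinkerbellmachineconfiglog.Info("SSH key left unchanged", "reason", err.Error()) }`. Since `Default()` presumably also runs on updates, it is worth confirming that an object stored before this change with a commented key still passes update validation once the webhook rewrites the key.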
33 changes: 33 additions & 0 deletions pkg/api/v1alpha1/tinkerbellmachineconfig_webhook_test.go
@@ -1,6 +1,7 @@
package v1alpha1_test

import (
"fmt"
"testing"

. "github.com/onsi/gomega"
Expand Down Expand Up @@ -149,6 +150,38 @@ func TestTinkerbellMachineConfigDefaultOSFamily(t *testing.T) {
g.Expect(mOld.Spec.OSFamily).To(Equal(v1alpha1.Bottlerocket))
}

func TestTinkerbellMachineConfigMutateSSHKey(t *testing.T) {
sshKey := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuWn+GtgUe/g85l4SqSsGCV56CXZzqktKX/hYAl7MwO"
mOld := v1alpha1.CreateTinkerbellMachineConfig(func(mc *v1alpha1.TinkerbellMachineConfig) {
mc.Spec.Users = []v1alpha1.UserConfiguration{
{
Name: "user",
SshAuthorizedKeys: []string{fmt.Sprintf("%s [email protected]", sshKey)},
},
}
})

mOld.Default()
g := NewWithT(t)
g.Expect(mOld.Spec.Users[0].SshAuthorizedKeys[0]).To(Equal(sshKey))
}

func TestTinkerbellMachineConfigMutateSSHKeyNotMutated(t *testing.T) {
sshKey := "ssh incorrect Key [email protected]"
mOld := v1alpha1.CreateTinkerbellMachineConfig(func(mc *v1alpha1.TinkerbellMachineConfig) {
mc.Spec.Users = []v1alpha1.UserConfiguration{
{
Name: "user",
SshAuthorizedKeys: []string{sshKey},
},
}
})

mOld.Default()
g := NewWithT(t)
g.Expect(mOld.Spec.Users[0].SshAuthorizedKeys[0]).To(Equal(sshKey))
}

func TestTinkerbellMachineConfigValidateUpdateFailUsers(t *testing.T) {
machineConfigOld := v1alpha1.CreateTinkerbellMachineConfig()
machineConfigNew := v1alpha1.CreateTinkerbellMachineConfig(func(mc *v1alpha1.TinkerbellMachineConfig) {
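Review bot: Both new tests use exactly one user with one key, so the unguarded `Users[0].SshAuthorizedKeys[0]` access in `stripCommentsFromSSHKeys` is never exercised with an empty list, and there is no case for a key that carries authorized_keys options. A test that calls `Default()` on a config without users would pin the no-panic behaviour; a sketch follows, assuming `CreateTinkerbellMachineConfig` applies the option func last. The name `mOld` appears to be copied from the neighbouring tests and could simply be `m`, since no old/new pair is involved.

```go
func TestTinkerbellMachineConfigMutateSSHKeyNoUsers(t *testing.T) {
	m := v1alpha1.CreateTinkerbellMachineConfig(func(mc *v1alpha1.TinkerbellMachineConfig) {
		mc.Spec.Users = nil
	})

	g := NewWithT(t)
	g.Expect(func() { m.Default() }).NotTo(Panic())
}
```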
