Implement fallback to WireServer when deploying SSH keys

azurelinuxagent/pa/provision/default.py

@@ -37,6 +37,7 @@
 from azurelinuxagent.common.exception import ProvisionError, ProtocolError, \
     OSUtilError
 from azurelinuxagent.common.osutil import get_osutil
+from azurelinuxagent.common.protocol.goal_state import GoalState, GoalStateProperties
 from azurelinuxagent.common.protocol.restapi import ProvisionStatus
 from azurelinuxagent.common.protocol.util import get_protocol_util
 from azurelinuxagent.common.version import AGENT_NAME
@@ -240,9 +241,34 @@ def config_user_account(self, ovfenv):
         logger.info("Configure sshd")
         self.osutil.conf_sshd(ovfenv.disable_ssh_password_auth)
 
+        self._download_ssh_keys(ovfenv)
         self.deploy_ssh_pubkeys(ovfenv)
         self.deploy_ssh_keypairs(ovfenv)
 
+    def _download_ssh_keys(self, ovfenv):
+        #
+        # We need to download the Certificates package from the Wireserver if any public key in ovfenv.xml has only a thumbprint (i.e. no value for the key) or if any key pairs need to be installed
+        #
+        download_certificates = any(value is None and thumbprint is not None for _, thumbprint, value in ovfenv.ssh_pubkeys) or len(ovfenv.ssh_keypairs) > 0
+        if not download_certificates:
+            return
+
+        #
+        # Try to download the certificates a few times but continue execution if all attempts fail. The code that deploys the SSH keys will report that as a provisioning error.
+        #
+        max_attempts = 5
+        for attempt in range(max_attempts):
+            try:
+                protocol = self.protocol_util.get_protocol(init_goal_state=False)
+                _ = GoalState(protocol.client, goal_state_properties=GoalStateProperties.Certificates)
+                return
+            except Exception as e:
+                if attempt < max_attempts - 1:
+                    logger.warn("Unable to download certificates; will retry after a short delay: {0}", ustr(e))
+                    time.sleep(30)
+                else:
+                    logger.error("Unable to download certificates: {0}", ustr(e))
+
     def save_customdata(self, ovfenv):
         customdata = ovfenv.customdata
         if customdata is None:

tests/data/ovf-env-2.xml

@@ -16,12 +16,6 @@
               <Value>ssh-rsa AAAANOTAREALKEY== foo@bar.local</Value>
             </PublicKey>
           </PublicKeys>
-          <KeyPairs>
-            <KeyPair>
-              <Fingerprint>EB0C0AB4B2D5FC35F2F0658D19F44C8283E2DD62</Fingerprint>
-              <Path>$HOME/UserName/.ssh/id_rsa</Path>
-            </KeyPair>
-          </KeyPairs>
         </SSH>
         <CustomData>CustomData</CustomData>
       </LinuxProvisioningConfigurationSet>

tests/data/ovf-env-4.xml

@@ -16,12 +16,6 @@
               <Value>ssh-rsa AAAANOTAREALKEY== foo@bar.local</Value>
             </PublicKey>
           </PublicKeys>
-          <KeyPairs>
-            <KeyPair>
-              <Fingerprint>EB0C0AB4B2D5FC35F2F0658D19F44C8283E2DD62</Fingerprint>
-              <Path>$HOME/UserName/.ssh/id_rsa</Path>
-            </KeyPair>
-          </KeyPairs>
         </SSH>
         <CustomData>CustomData</CustomData>
       </LinuxProvisioningConfigurationSet>

tests/data/ovf-env.xml

@@ -16,12 +16,6 @@
               <Value>ssh-rsa AAAANOTAREALKEY== foo@bar.local</Value>
             </PublicKey>
           </PublicKeys>
-          <KeyPairs>
-            <KeyPair>
-              <Fingerprint>EB0C0AB4B2D5FC35F2F0658D19F44C8283E2DD62</Fingerprint>
-              <Path>$HOME/UserName/.ssh/id_rsa</Path>
-            </KeyPair>
-          </KeyPairs>
         </SSH>
         <CustomData>CustomData</CustomData>
       </LinuxProvisioningConfigurationSet>

tests/data/ovf-env_key_pair.xml

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Environment xmlns="http://schemas.dmtf.org/ovf/environment/1" xmlns:oe="http://schemas.dmtf.org/ovf/environment/1" xmlns:wa="http://schemas.microsoft.com/windowsazure" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <wa:ProvisioningSection>
+      <wa:Version>1.0</wa:Version>
+      <LinuxProvisioningConfigurationSet xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
+        <ConfigurationSetType>LinuxProvisioningConfiguration</ConfigurationSetType>
+        <HostName>HostName</HostName>
+        <UserName>UserName</UserName>
+        <UserPassword>UserPassword</UserPassword>
+        <DisableSshPasswordAuthentication>false</DisableSshPasswordAuthentication>
+        <SSH>
+          <KeyPairs>
+            <KeyPair>
+              <Fingerprint>EB0C0AB4B2D5FC35F2F0658D19F44C8283E2DD62</Fingerprint>
+              <Path>$HOME/UserName/.ssh/id_rsa</Path>
+            </KeyPair>
+          </KeyPairs>
+        </SSH>
+        <CustomData>CustomData</CustomData>
+      </LinuxProvisioningConfigurationSet>
+    </wa:ProvisioningSection>
+    <wa:PlatformSettingsSection>
+		<wa:Version>1.0</wa:Version>
+		<wa:PlatformSettings>
+			<wa:KmsServerHostname>kms.core.windows.net</wa:KmsServerHostname>
+			<wa:ProvisionGuestAgent>false</wa:ProvisionGuestAgent>
+			<wa:GuestAgentPackageName xsi:nil="true"/>
+			<wa:RetainWindowsPEPassInUnattend>true</wa:RetainWindowsPEPassInUnattend>
+			<wa:RetainOfflineServicingPassInUnattend>true</wa:RetainOfflineServicingPassInUnattend>
+			<wa:PreprovisionedVm>false</wa:PreprovisionedVm>
+		</wa:PlatformSettings>
+	</wa:PlatformSettingsSection>
+ </Environment>

tests/data/ovf-env_public_key.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Environment xmlns="http://schemas.dmtf.org/ovf/environment/1" xmlns:oe="http://schemas.dmtf.org/ovf/environment/1" xmlns:wa="http://schemas.microsoft.com/windowsazure" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <wa:ProvisioningSection>
+      <wa:Version>1.0</wa:Version>
+      <LinuxProvisioningConfigurationSet xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
+        <ConfigurationSetType>LinuxProvisioningConfiguration</ConfigurationSetType>
+        <HostName>HostName</HostName>
+        <UserName>UserName</UserName>
+        <UserPassword>UserPassword</UserPassword>
+        <DisableSshPasswordAuthentication>false</DisableSshPasswordAuthentication>
+        <SSH>
+          <PublicKeys>
+            <PublicKey>
+              <Fingerprint>EB0C0AB4B2D5FC35F2F0658D19F44C8283E2DD62</Fingerprint>
+              <Path>$HOME/UserName/.ssh/authorized_keys</Path>
+              <Value>ssh-rsa AAAANOTAREALKEY== foo@bar.local</Value>
+            </PublicKey>
+          </PublicKeys>
+        </SSH>
+        <CustomData>CustomData</CustomData>
+      </LinuxProvisioningConfigurationSet>
+    </wa:ProvisioningSection>
+    <wa:PlatformSettingsSection>
+		<wa:Version>1.0</wa:Version>
+		<wa:PlatformSettings>
+			<wa:KmsServerHostname>kms.core.windows.net</wa:KmsServerHostname>
+			<wa:ProvisionGuestAgent>false</wa:ProvisionGuestAgent>
+			<wa:GuestAgentPackageName xsi:nil="true"/>
+			<wa:RetainWindowsPEPassInUnattend>true</wa:RetainWindowsPEPassInUnattend>
+			<wa:RetainOfflineServicingPassInUnattend>true</wa:RetainOfflineServicingPassInUnattend>
+			<wa:PreprovisionedVm>false</wa:PreprovisionedVm>
+		</wa:PlatformSettings>
+	</wa:PlatformSettingsSection>
+ </Environment>

tests/data/ovf-env_public_key_no_value.xml

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Environment xmlns="http://schemas.dmtf.org/ovf/environment/1" xmlns:oe="http://schemas.dmtf.org/ovf/environment/1" xmlns:wa="http://schemas.microsoft.com/windowsazure" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <wa:ProvisioningSection>
+      <wa:Version>1.0</wa:Version>
+      <LinuxProvisioningConfigurationSet xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
+        <ConfigurationSetType>LinuxProvisioningConfiguration</ConfigurationSetType>
+        <HostName>HostName</HostName>
+        <UserName>UserName</UserName>
+        <UserPassword>UserPassword</UserPassword>
+        <DisableSshPasswordAuthentication>false</DisableSshPasswordAuthentication>
+        <SSH>
+          <PublicKeys>
+            <PublicKey>
+              <Fingerprint>EB0C0AB4B2D5FC35F2F0658D19F44C8283E2DD62</Fingerprint>
+              <Path>$HOME/UserName/.ssh/authorized_keys</Path>
+            </PublicKey>
+          </PublicKeys>
+        </SSH>
+        <CustomData>CustomData</CustomData>
+      </LinuxProvisioningConfigurationSet>
+    </wa:ProvisioningSection>
+    <wa:PlatformSettingsSection>
+		<wa:Version>1.0</wa:Version>
+		<wa:PlatformSettings>
+			<wa:KmsServerHostname>kms.core.windows.net</wa:KmsServerHostname>
+			<wa:ProvisionGuestAgent>false</wa:ProvisionGuestAgent>
+			<wa:GuestAgentPackageName xsi:nil="true"/>
+			<wa:RetainWindowsPEPassInUnattend>true</wa:RetainWindowsPEPassInUnattend>
+			<wa:RetainOfflineServicingPassInUnattend>true</wa:RetainOfflineServicingPassInUnattend>
+			<wa:PreprovisionedVm>false</wa:PreprovisionedVm>
+		</wa:PlatformSettings>
+	</wa:PlatformSettingsSection>
+ </Environment>

tests/pa/test_provision.py

@@ -14,20 +14,23 @@
 #
 # Requires Python 2.6+ and Openssl 1.0+
 #
-
+import contextlib
 import os
 import re
 import unittest
 
 import azurelinuxagent.common.conf as conf
 from azurelinuxagent.common.exception import ProvisionError
 from azurelinuxagent.common.osutil.default import DefaultOSUtil
+from azurelinuxagent.common.protocol.ovfenv import OvfEnv
 from azurelinuxagent.common.protocol.util import OVF_FILE_NAME
 from azurelinuxagent.pa.provision import get_provision_handler
 from azurelinuxagent.pa.provision.cloudinit import CloudInitProvisionHandler
 from azurelinuxagent.pa.provision.default import ProvisionHandler
 from azurelinuxagent.common.utils import fileutil
+from tests.lib import wire_protocol_data
 from tests.lib.tools import AgentTestCase, distros, load_data, MagicMock, Mock, patch
+from tests.lib.mock_wire_protocol import mock_wire_protocol
 
 
 class TestProvision(AgentTestCase):
@@ -377,6 +380,34 @@ def test_get_provision_handler_config_cloudinit(
         self.assertIsInstance(provisioning_handler, CloudInitProvisionHandler, 'Provisioning handler should be cloud-init if agent is set to cloud-init')
 
 
+    @staticmethod
+    @contextlib.contextmanager
+    def _create_provision_handler_with_mock_protocol():
+        handler = ProvisionHandler()
+        handler.protocol_util = Mock()
+
+        with mock_wire_protocol(wire_protocol_data.DATA_FILE, detect_protocol=False) as mock_protocol:
+            handler.protocol_util.get_protocol = Mock(return_value=mock_protocol)
+            yield handler, mock_protocol
+
+    def test_it_should_not_download_certificates_when_the_public_key_has_a_value(self):
+        ovfenv = OvfEnv(load_data("ovf-env_public_key.xml"))
+        with TestProvision._create_provision_handler_with_mock_protocol() as (handler, protocol):
+            handler._download_ssh_keys(ovfenv)
+        self.assertEqual(0, protocol.mock_wire_data.call_counts['certificates'], "The Certificates package should not have been retrieved")
+
+    def test_it_should_download_certificates_when_the_public_key_does_not_have_a_value(self):
+        ovfenv = OvfEnv(load_data("ovf-env_public_key_no_value.xml"))
+        with TestProvision._create_provision_handler_with_mock_protocol() as (handler, protocol):
+            handler._download_ssh_keys(ovfenv)
+        self.assertEqual(1, protocol.mock_wire_data.call_counts['certificates'], "The Certificates package should have been retrieved")
+
+    def test_it_should_download_certificates_when_key_pairs_need_to_be_deployed(self):
+        ovfenv = OvfEnv(load_data("ovf-env_key_pair.xml"))
+        with TestProvision._create_provision_handler_with_mock_protocol() as (handler, protocol):
+            handler._download_ssh_keys(ovfenv)
+        self.assertEqual(1, protocol.mock_wire_data.call_counts['certificates'], "The Certificates package should have been retrieved")
+
 if __name__ == '__main__':
     unittest.main()