Merge pull request juju#17749 from tlm/juju-6342-authorized-keys-tests

jujubot · web-flow · commit 065aad349795 · 2024-07-17T03:22:04.000+01:00
juju#17749 This PR adds BASH tests for asserting authorised key functionality. We are doing this so as we move the CRUD and authorised keys functions over to DQlite in 4.0 we can have some certainty around how things operate and that the core contracts have been maintained. This PR is required by juju#17602 I also made a quick change to the authorized key worker so that logging on key changes is always at info now and not debug. @hpidcock and myself believed that this should always be info for security auditing purposes. ## Checklist - [x] Code style: imports ordered, good names, simple structure, etc - [x] Comments saying why design decisions were made - ~[ ] Go unit tests, with comments saying what you're testing~ - [x] [Integration tests](https://github.com/juju/juju/tree/main/tests), with comments saying what you're testing - ~[ ] [doc.go](https://discourse.charmhub.io/t/readme-in-packages/451) added or updated in changed packages~ ## QA steps ```bash cd tests ./main.sh authorizedkeys ``` ## Documentation changes N/A ## Links **Jira card:** JUJU-6342
diff --git a/tests/main.sh b/tests/main.sh
@@ -41,6 +41,7 @@ import_subdir_files includes
 # Please keep these in alphabetic order.
 TEST_NAMES="agents \
             appdata \
+            authorized_keys \
             backup \
             bootstrap \
             branches \
diff --git a/tests/suites/authorized_keys/machine.sh b/tests/suites/authorized_keys/machine.sh
@@ -0,0 +1,41 @@
+run_machine_ssh() {
+	# Echo out to ensure nice output to the test suite.
+	echo
+
+	# Add a new machine for the test to assert sshing into.
+	juju add-machine -n 1
+	wait_for_machine_agent_status "0" "started"
+
+	# Generate a new ssh key pair for this test.
+	ssh_key_file="${TEST_DIR}/machine-ssh-key"
+	ssh_key_file_pub="${ssh_key_file}.pub"
+	ssh-keygen -t ed25519 -f "$ssh_key_file" -C "isgreat@juju.is" -P ""
+
+	# Add the SSH key and see that it comes back out in the list of user keys.
+	juju add-ssh-key "$(cat $ssh_key_file_pub)"
+
+	# Watch the debug log for the agent to assert that a key has been added to
+	# the machine.
+	timeout 5m juju debug-log --tail | grep -m 1 'adding ssh keys to authorized keys' || true
+
+	# Check that the test can ssh to the machine with the new keypair and run a
+	# command.
+	check_contains "$(juju ssh 0 -i \"${ssh_key_file}\" echo foobar)" "foobar"
+}
+
+# test_machine_ssh is responsible for testing that adding authorized keys to a
+# model traverse through the controller and down to the machine agents. After
+# this has happened ssh access to a machine should be granted for the owner of
+# the newly added public key.
+test_machine_ssh() {
+	if [ "$(skip 'test_machine_ssh')" ]; then
+		echo "==> TEST SKIPPED: authorized keys machine ssh"
+		return
+	fi
+
+	(
+		set_verbosity
+
+		run "run_machine_ssh"
+	)
+}
diff --git a/tests/suites/authorized_keys/task.sh b/tests/suites/authorized_keys/task.sh
@@ -0,0 +1,20 @@
+test_authorized_keys() {
+	if [ "$(skip 'test_authorized_keys')" ]; then
+		echo "==> TEST SKIPPED: authorized_keys"
+		return
+	fi
+
+	set_verbosity
+
+	echo "==> Checking for dependencies"
+	check_dependencies juju
+
+	log_file="${TEST_DIR}/authorized_keys.log"
+
+	ensure "authorizedkeys" "$log_file"
+
+	test_user_ssh_keys
+	test_machine_ssh
+
+	destroy_controller "authorizedkeys"
+}
diff --git a/tests/suites/authorized_keys/user.sh b/tests/suites/authorized_keys/user.sh
@@ -0,0 +1,39 @@
+run_user_ssh_keys() {
+	# Echo out to ensure nice output to the test suite.
+	echo
+
+	ssh_key_file="${TEST_DIR}/juju-ssh-key"
+	ssh_key_file_pub="${ssh_key_file}.pub"
+
+	ssh-keygen -t ed25519 -f "$ssh_key_file" -C "isgreat@juju.is" -P ""
+	fingerprint=$(ssh-keygen -E md5 -lf "${ssh_key_file_pub}" | cut -f 2 -d ' ' | cut -f 2- -d ':')
+
+	# Add the SSH key and see that it comes back out in the list of user keys.
+	juju add-ssh-key "$(cat $ssh_key_file_pub)"
+	check_contains "$(juju ssh-keys)" "$fingerprint"
+
+	# Remove the SSH key by fingerprint
+	juju remove-ssh-key "${fingerprint}"
+	check_not_contains "$(juju ssh-keys)" "${fingerprint}"
+
+	# Add the SSH key and see that it comes back out in the list of user keys.
+	juju add-ssh-key "$(cat $ssh_key_file_pub)"
+	check_contains "$(juju ssh-keys)" "$fingerprint"
+
+	# Remove the SSH key by comment
+	juju remove-ssh-key isgreat@juju.is
+	check_not_contains "$(juju ssh-keys)" "${fingerprint}"
+}
+
+test_user_ssh_keys() {
+	if [ "$(skip 'test_user_ssh_keys')" ]; then
+		echo "==> TEST SKIPPED: authorized keys user ssh keys"
+		return
+	fi
+
+	(
+		set_verbosity
+
+		run "run_user_ssh_keys"
+	)
+}
diff --git a/worker/authenticationworker/worker.go b/worker/authenticationworker/worker.go
@@ -123,8 +123,8 @@ func (kw *keyupdaterWorker) Handle(_ <-chan struct{}) error {
 	deleted := kw.jujuKeys.Difference(newJujuKeys)
 	added := newJujuKeys.Difference(kw.jujuKeys)
 	if added.Size() > 0 || deleted.Size() > 0 {
-		logger.Debugf("adding ssh keys to authorised keys: %v", added)
-		logger.Debugf("deleting ssh keys from authorised keys: %v", deleted)
+		logger.Infof("adding ssh keys to authorised keys: %v", added)
+		logger.Infof("deleting ssh keys from authorised keys: %v", deleted)
 		if err = kw.writeSSHKeys(newKeys); err != nil {
 			err = errors.Annotate(err, "updating ssh keys")
 			logger.Infof(err.Error())
