feat(azure): Support x509 certificate SSH keys from IMDS #6912
Draft
peytonr18 wants to merge 11 commits into
Conversation
…ete openssl and ssh-keygen functionality
…sity Added extract_x509_certificate() to validate certificates in bundles, integrated validation into parse_certificates(), and toned down debug logs to avoid sounding like failures.
Fold the regex-based certificate parsing into cloudinit.sources.azure.certs so helpers no longer reimplement it, and wire OpenSSLManager.parse_certificates to loop over the helper. Added a regression test that confirms CRLF-mixed bundles still yield every fingerprint + key pair.
…all_certificates to avoid openssl dependency
…and iterate them directly in parse_certificates, replacing the previous loop/find slicing flow. Also clarify is_openssh_formatted behavior by explicitly rejecting embedded CRLF and improving debug messages; update tests and type hints to match the new extraction API.
Azure-generated SSH keys may contain \r\n sequences embedded in the base64 key data (LP: #1910835). Previously, keys with embedded CRLF were rejected outright by is_openssh_formatted(). Instead, sanitize the keys by stripping \r\n before validation so they can be properly written to authorized_keys.
- Use pytest.mark.parametrize, fixtures, and monkeypatch in tests
- Remove raw docstring prefix; clarify CRLF deprecation in docstring
- Remove redundant _key_is_openssh_formatted wrapper
- Simplify sanitize_openssh_key call site and log messages
- Reuse variables and constants instead of inline string literals
…ct assertions in azure cert tests
Azure IMDS may deliver SSH public keys in OpenSSH format or as x509 certificates. Previously any non-OpenSSH key caused _get_public_keys_from_imds() to raise and fall back to Wireserver. Inspect each IMDS key individually: keep OpenSSH-formatted keys, convert x509 certificates to OpenSSH format via the certs module, and raise ValueError for unsupported formats (preserving the Wireserver fallback). Conversion failures (openssl/ssh-keygen) are caught and re-raised as ValueError so a malformed certificate falls back gracefully instead of crashing metadata crawl. Adds unit tests for single x509, mixed x509 + OpenSSH, and conversion-failure cases.
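The two behaviours described in the commits above (stripping embedded CRLF before OpenSSH validation, and classifying each IMDS key on its own so that x509 certificates are converted, OpenSSH keys are kept and anything else raises ValueError to preserve the Wireserver fallback), worked through as an added example. This is not cloud-init's code and not the PR's: the function names `sanitize_openssh_key`, `is_openssh_formatted` and `get_public_keys_from_imds` echo the ones named in the commits, but their bodies here are my own, the x509 converter is an injected callable standing in for the certs module, and the ed25519 key and PEM certificate are constructed placeholders, not real credentials.

```python
import base64
import binascii
import struct
from typing import Callable, List, Tuple

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

# Constructed placeholder, not a real certificate; the converter below is injected,
# so the body is never parsed by this example.
CONSTRUCTED_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-BASE64\n-----END CERTIFICATE-----\n"
)


def sanitize_openssh_key(key: str) -> str:
    """Drop the CRLF sequences Azure may embed in base64 key data (LP: #1910835).

    The line breaks carry no information, so removing them leaves a key that is
    safe to validate and write to authorized_keys.
    """
    return key.replace("\r\n", "").strip()


def _read_ssh_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one RFC 4251 'string' (uint32 big-endian length prefix + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def is_openssh_formatted(key: str) -> bool:
    """True for '<type> <base64 blob> [comment]' whose blob names the same type.

    Embedded CRLF is rejected explicitly: callers are expected to sanitize first.
    """
    if "\r\n" in key:
        return False
    parts = key.split()
    if len(parts) < 2:
        return False
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(blob) < 4:
        return False
    embedded_type, _ = _read_ssh_string(blob, 0)
    return embedded_type == key_type.encode()


def is_x509_certificate(key: str) -> bool:
    return key.lstrip().startswith(PEM_BEGIN)


def get_public_keys_from_imds(
    keys: List[str], x509_to_openssh: Callable[[str], str]
) -> List[str]:
    """Inspect each IMDS key individually.

    x509_to_openssh is an injected converter standing in for the certs module
    (assumption). Any failure it raises is re-raised as ValueError so the caller
    can fall back to Wireserver instead of crashing the metadata crawl.
    """
    public_keys: List[str] = []
    for raw in keys:
        if is_x509_certificate(raw):
            try:
                converted = x509_to_openssh(raw)
            except Exception as exc:
                raise ValueError(f"x509 conversion failed: {exc}") from exc
            if not is_openssh_formatted(converted):
                raise ValueError("converter returned a non-OpenSSH key")
            public_keys.append(converted)
            continue
        key = sanitize_openssh_key(raw)
        if is_openssh_formatted(key):
            public_keys.append(key)
            continue
        raise ValueError(f"unsupported IMDS key format: {raw[:20]!r}")
    return public_keys


def constructed_ed25519_key(crlf: bool) -> str:
    """Build a syntactically valid ssh-ed25519 line from a throwaway 32-byte value
    (constructed sample, not a real key); optionally inject CRLF into the base64
    data the way Azure IMDS has been observed to."""
    pub = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    b64 = base64.b64encode(blob).decode()
    if crlf:
        b64 = b64[:20] + "\r\n" + b64[20:] + "\r\n"
    return f"ssh-ed25519 {b64} constructed@example"


if __name__ == "__main__":
    crlf_key = constructed_ed25519_key(crlf=True)
    print(is_openssh_formatted(crlf_key))                        # False
    print(is_openssh_formatted(sanitize_openssh_key(crlf_key)))  # True
```

The type check inside the base64 blob is what makes `is_openssh_formatted` more than a prefix match: a line whose blob does not start with the advertised key type is rejected even though it decodes cleanly. Converter output is validated the same way, so a converter that returns garbage surfaces as ValueError rather than as a broken authorized_keys entry.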
Proposed Commit Message
Changes
- DataSourceAzure.py: _get_public_keys_from_imds() now handles keys per-item — OpenSSH keys used as-is, x509 certs converted, other formats raise ValueError (preserving Wireserver fallback).
- tests/.../test_azure.py: added tests for single x509, mixed x509 + OpenSSH, and conversion-failure fallback.
Notes
Merge type