Merge "Create short lived ssh key for enable-ssh-admin.sh"

deployed-server/scripts/enable-ssh-admin.sh

@@ -10,6 +10,7 @@ SUBNODES_SSH_KEY=${SUBNODES_SSH_KEY:-"$HOME/.ssh/id_rsa"}
 # this is the intended variable for overriding
 OVERCLOUD_SSH_KEY=${OVERCLOUD_SSH_KEY:-"$SUBNODES_SSH_KEY"}
 
+SHORT_TERM_KEY_COMMENT="TripleO split stack short term key"
 SLEEP_TIME=5
 
 function overcloud_ssh_hosts_json {
@@ -22,7 +23,7 @@ print(json.dumps(re.split("\s+", sys.stdin.read().strip())))'
 function overcloud_ssh_key_json {
     # we pass the contents to Mistral instead of just path, otherwise
     # the key file would have to be readable for the mistral user
-    cat "$OVERCLOUD_SSH_KEY" | python -c 'import json,sys; print(json.dumps(sys.stdin.read()))'
+    cat "$1" | python -c 'import json,sys; print(json.dumps(sys.stdin.read()))'
 }
 
 function workflow_finished {
@@ -30,6 +31,12 @@ function workflow_finished {
     openstack workflow execution show -f shell $execution_id | grep 'state="SUCCESS"' > /dev/null
 }
 
+function generate_short_term_keys {
+    local tmpdir=$(mktemp -d)
+    ssh-keygen -N '' -t rsa -b 4096 -f "$tmpdir/id_rsa" -C "$SHORT_TERM_KEY_COMMENT" > /dev/null
+    echo "$tmpdir"
+}
+
 if [ -z "$OVERCLOUD_HOSTS" ]; then
     echo 'Please set $OVERCLOUD_HOSTS'
     exit 1
@@ -41,7 +48,20 @@ echo "SSH key file: $OVERCLOUD_SSH_KEY"
 echo "Hosts: $OVERCLOUD_HOSTS"
 echo
 
-EXECUTION_PARAMS="{\"ssh_user\": \"$OVERCLOUD_SSH_USER\", \"ssh_servers\": $(overcloud_ssh_hosts_json), \"ssh_private_key\": $(overcloud_ssh_key_json)}"
+SHORT_TERM_KEY_DIR=$(generate_short_term_keys)
+SHORT_TERM_KEY_PRIVATE="$SHORT_TERM_KEY_DIR/id_rsa"
+SHORT_TERM_KEY_PUBLIC="$SHORT_TERM_KEY_DIR/id_rsa.pub"
+SHORT_TERM_KEY_PUBLIC_CONTENT=$(cat $SHORT_TERM_KEY_PUBLIC)
+
+for HOST in $OVERCLOUD_HOSTS; do
+    echo "Inserting TripleO short term key for $HOST"
+    # prepending an extra newline so that if authorized_keys didn't
+    # end with a newline previously, we don't end up garbling it up
+    ssh -i "$OVERCLOUD_SSH_KEY" -l "$OVERCLOUD_SSH_USER" "$HOST" "echo -e '\n$SHORT_TERM_KEY_PUBLIC_CONTENT' >> \$HOME/.ssh/authorized_keys"
+done
+
+echo "Starting ssh admin enablement workflow"
+EXECUTION_PARAMS="{\"ssh_user\": \"$OVERCLOUD_SSH_USER\", \"ssh_servers\": $(overcloud_ssh_hosts_json), \"ssh_private_key\": $(overcloud_ssh_key_json "$SHORT_TERM_KEY_PRIVATE")}"
 EXECUTION_CREATE_OUTPUT=$(openstack workflow execution create -f shell -d 'deployed server ssh admin creation' tripleo.access.v1.enable_ssh_admin "$EXECUTION_PARAMS")
 echo "$EXECUTION_CREATE_OUTPUT"
 EXECUTION_ID=$(echo "$EXECUTION_CREATE_OUTPUT" | grep '^id=' | awk '-F"' '{ print $2 }')
@@ -56,5 +76,14 @@ while ! workflow_finished $EXECUTION_ID; do
     sleep $SLEEP_TIME
     echo -n .
 done
+echo  # newline after the previous dots
+
+for HOST in $OVERCLOUD_HOSTS; do
+    echo "Removing TripleO short term key from $HOST"
+    ssh -l "$OVERCLOUD_SSH_USER" "$HOST" "sed -i -e '/$SHORT_TERM_KEY_COMMENT/d' \$HOME/.ssh/authorized_keys"
+done
+
+echo "Removing short term keys locally"
+rm -r "$SHORT_TERM_KEY_DIR"
 
 echo "Success."