From 77bde6f765c20ce5ddee7acbf228f03e537a8879 Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Thu, 6 May 2021 18:04:31 -0700
Subject: [PATCH] Decrypt project ssh keys in executors

So that we don't store unencrypted ssh private keys in ZK, don't transmit them in the build request; instead provide info on the location so the executors can fetch and decrypt them directly.

Change-Id: Ic14848259d5b5b25b29931d85ec373d4435af9b9
---
 tests/unit/test_web.py | 2 +-
 zuul/executor/common.py | 9 ++++-----
 zuul/executor/server.py | 7 ++++++-
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/tests/unit/test_web.py b/tests/unit/test_web.py
index 516070f8f1..c357dd5dc2 100644
--- a/tests/unit/test_web.py
+++ b/tests/unit/test_web.py
@@ -1122,7 +1122,7 @@ class TestWebSecrets(BaseTestWeb):
 "project1-secret").json()
 self.assertEqual(
 {'secret_name': 'REDACTED'}, resp['playbooks'][0]['secrets'])
- self.assertEqual('REDACTED', resp['ssh_keys'][0]['key'])
+ self.assertEqual('REDACTED', resp['ssh_keys'][0])
 
 
 class TestInfo(ZuulDBTestCase, BaseTestWeb):
diff --git a/zuul/executor/common.py b/zuul/executor/common.py
index d80a8f6455..0d4bdfb8ec 100644
--- a/zuul/executor/common.py
+++ b/zuul/executor/common.py
@@ -134,12 +134,11 @@ def construct_gearman_params(uuid, sched, nodeset, job, item, pipeline,
 params['ssh_keys'] = []
 if pipeline.post_review:
 if redact_secrets_and_keys:
- ssh_key = "REDACTED"
+ params['ssh_keys'].append("REDACTED")
 else:
- ssh_key = item.change.project.private_ssh_key
- params['ssh_keys'].append(dict(
- name='%s project key' % item.change.project.canonical_name,
- key=ssh_key))
+ params['ssh_keys'].append(dict(
+ connection_name=item.change.project.connection_name,
+ project_name=item.change.project.name))
 params['vars'] = job.combined_variables
 params['extra_vars'] = job.extra_variables
 params['host_vars'] = job.host_variables
diff --git a/zuul/executor/server.py b/zuul/executor/server.py
index 97682806a9..bf50670057 100644
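Review bot: The changed assertion in TestWebSecrets pins only the redacted branch of `params['ssh_keys']`; nothing in this hunk exercises the new unredacted entry shape, `dict(connection_name=..., project_name=...)`, that zuul/executor/common.py now emits, so a renamed key would break the executor's `key['connection_name']` lookup without any test here noticing. A post-review, non-redacted case that asserts the entry is a dict with exactly those two keys and no `key` field would also lock in the security property this commit is about, namely that no private key material appears in the build parameters. The enclosing test method starts before the hunk.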
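Review bot: `params['ssh_keys']` now holds values of two different types, a bare string `"REDACTED"` in the redacted branch and a dict otherwise, whereas the removed code always appended a dict; every consumer that iterates this list now needs a type check, and the executor side in zuul/executor/server.py indexes `key['connection_name']` unconditionally, which works only because redacted params are presumably never dispatched to executors. A comment at the `params['ssh_keys'] = []` line stating the invariant would help the next maintainer: `# Never put key material here: the executor looks up and decrypts the project key from its keystore by (connection_name, project_name).` construct_gearman_params starts before the hunk and continues after it.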
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@@ -951,7 +951,12 @@ class AnsibleJob(object):
 self.ssh_agent.start()
 self.ssh_agent.add(self.private_key_file)
 for key in self.arguments.get('ssh_keys', []):
- self.ssh_agent.addData(key['name'], key['key'])
+ private_ssh_key, public_ssh_key = \
+ self.executor_server.keystore.getProjectSSHKeys(
+ key['connection_name'],
+ key['project_name'])
+ name = '%s project key' % (key['project_name'])
+ self.ssh_agent.addData(name, private_ssh_key)
 self.jobdir = JobDir(self.executor_server.jobdir_root,
 self.executor_server.keep_jobdir,
 str(self.job.unique))
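Review bot: The agent key name is built from `key['project_name']` alone, while the removed scheduler-side code named it after `canonical_name`, so two projects with the same short name on different connections now get an indistinguishable name in the agent; since `connection_name` is already in hand, `name = '%s/%s project key' % (key['connection_name'], key['project_name'])` keeps them apart. `public_ssh_key` is bound but never used, so `private_ssh_key, _ = \` states the intent more clearly. It is not visible from this hunk what `getProjectSSHKeys` does when the keystore has no key for the named project; if it raises, that now surfaces during agent setup rather than at parameter construction, which is worth a one-line comment above the call. The enclosing method of AnsibleJob starts before the hunk and continues after it.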