Adding client authentication with public key fuction.

.vscode/settings.json

@@ -12,7 +12,8 @@
   "json.schemas": [
     {
       "fileMatch": [
-        "/templates/**/*.json"
+        "/templates/**/*.json",
+        "/ci/citest/acceptance-test/tests/fixtures/**/*.json"
       ],
       "url": "./schema/v1.json"
     }

api/instance_service.go

@@ -300,11 +300,21 @@ func (s *InstanceAPI) Console(ctx context.Context, in *ConsoleRequest) (*Console
 		return nil, err
 	}
 
-	return &ConsoleReply{
+	res := &ConsoleReply{
 		InstanceId: instanceID,
 		Type:       node.Console.Type,
 		Address:    node.Console.BindAddr,
-	}, nil
+	}
+
+	authAttrs, ok := inst.ResourceTemplate().(model.ConsoleAuthAttributes)
+	if !ok {
+		// Fallback to NONE auth type
+		res.AuthType = model.AuthenticationType_NONE
+	} else {
+		res.AuthType = authAttrs.GetAuthenticationType()
+	}
+
+	return res, nil
 }
 
 func (s *InstanceAPI) sendCommand(ctx context.Context, cmd string, instanceID string) error {

ci/citest/acceptance-test/tests/00_ssh.go

@@ -4,9 +4,10 @@ package tests
 
 import (
 	"bytes"
-	"golang.org/x/crypto/ssh"
 	"testing"
 	"time"
+
+	"golang.org/x/crypto/ssh"
 )
 
 const zookeeper_ip = "10.0.100.10"
@@ -27,6 +28,7 @@ func RunSsh(ip string, cmd string) (*bytes.Buffer, *bytes.Buffer, error) {
 		Auth: []ssh.AuthMethod{
 			ssh.Password("kemumaki"),
 		},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
 	}
 
 	connection, err := ssh.Dial("tcp", ip+":22", sshConfig)

ci/citest/acceptance-test/tests/cmd_console_test.go

@@ -4,6 +4,7 @@ package tests
 
 import (
 	"fmt"
+	"io/ioutil"
 	"strings"
 	"testing"
 	"time"
@@ -21,6 +22,16 @@ func runConsoleCmd(instance_id string, t *testing.T) {
 	RunCmdAndExpectFail(t, "sh", "-c", fmt.Sprintf("openvdc console %s -- false", instance_id))
 }
 
+func TestCmdConsole_ShowOptionAuthenticationNone(t *testing.T) {
+	stdout, _ := RunCmdAndReportFail(t, "openvdc", "run", "centos/7/lxc", `{"authentication_type":"none"}`)
+	instance_id := strings.TrimSpace(stdout.String())
+	WaitInstance(t, 5*time.Minute, instance_id, "RUNNING", []string{"QUEUED", "STARTING"})
+	runConsoleCmd(instance_id, t)
+	runConsoleCmdPiped(instance_id, t)
+	RunCmdWithTimeoutAndReportFail(t, 10, 5, "openvdc", "destroy", instance_id)
+	WaitInstance(t, 5*time.Minute, instance_id, "TERMINATED", nil)
+}
+
 func TestLXCCmdConsole_ShowOption(t *testing.T) {
 	stdout, _ := RunCmdAndReportFail(t, "openvdc", "run", "centos/7/lxc")
 	instance_id := strings.TrimSpace(stdout.String())
@@ -31,6 +42,39 @@ func TestLXCCmdConsole_ShowOption(t *testing.T) {
 	WaitInstance(t, 5*time.Minute, instance_id, "TERMINATED", nil)
 }
 
+func TestLXCCmdConsole_AuthenticationPubkey(t *testing.T) {
+	// Make key pair by ssh-keygen
+	private_key_path := "./testRsa"
+	private_key_path_worng := "./testRsaWorng"
+	_, _, err := RunCmd("ssh-keygen", "-t", "rsa", "-f", private_key_path, "-C", "", "-N", "")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	_, _, err = RunCmd("ssh-keygen", "-t", "rsa", "-f", private_key_path_worng, "-C", "", "-N", "")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	// Read public key
+	data, err := ioutil.ReadFile(private_key_path + ".pub")
+	if err != nil {
+		t.Fatalf("Can not read public key: %s\n", err.Error())
+	}
+	public_key := strings.Replace(string(data), "\n", "", -1)
+	stdout, _ := RunCmdAndReportFail(t, "openvdc", "run", "centos/7/lxc", `{"authentication_type":"pub_key","ssh_public_key":"`+public_key+`"}`)
+
+	// runConsole()
+	instance_id := strings.TrimSpace(stdout.String())
+	WaitInstance(t, 5*time.Minute, instance_id, "RUNNING", []string{"QUEUED", "STARTING"})
+
+	RunCmdAndReportFail(t, "openvdc", "console", instance_id, "-i", private_key_path)
+	RunCmdAndExpectFail(t, "openvdc", "console", instance_id, "-i", private_key_path_worng)
+
+	//vrunConsoleCmdPiped(instance_id, t)
+	RunCmdWithTimeoutAndReportFail(t, 10, 5, "openvdc", "destroy", instance_id)
+	WaitInstance(t, 5*time.Minute, instance_id, "TERMINATED", nil)
+}
+
 func TestQEMUCmdConsole_ShowOption(t *testing.T) {
 	stdout, _ := RunCmdAndReportFail(t, "openvdc", "run", "centos/7/qemu_ga")
 	instance_id := strings.TrimSpace(stdout.String())

ci/citest/acceptance-test/tests/fixtures/lxc_auth_ssh.json

@@ -0,0 +1,14 @@
+{
+  "title": "CentOS7",
+  "template": {
+    "type": "vm/lxc",
+    "lxc_template": {
+      "openvdc": {
+        "distro": "centos",
+        "release": "7"
+      }
+    },
+    "authentication_type": "none"
+  }
+}
+

cmd/openvdc-executor/sshd.go

@@ -6,6 +6,7 @@ import (
 	"io"
 	"io/ioutil"
 	"net"
+	"strings"
 
 	log "github.com/Sirupsen/logrus"
 	"github.com/axsh/openvdc/hypervisor"
@@ -22,9 +23,61 @@ type SSHServer struct {
 	ctx      context.Context
 }
 
+func getAuthAttrsFromInstance(ctx context.Context, instanceID string) (model.ConsoleAuthAttributes, error) {
+	inst, err := model.Instances(ctx).FindByID(instanceID)
+	if err != nil {
+		log.WithError(err).Errorf("Unknown instance: %s", instanceID)
+		return nil, err
+	}
+	instResource, ok := inst.ResourceTemplate().(model.ConsoleAuthAttributes)
+	if !ok {
+		return nil, errors.Errorf("%T does not support model.ConsoleAuthAttributes", inst.ResourceTemplate())
+	}
+	return instResource, nil
+}
+
 func NewSSHServer(provider hypervisor.HypervisorProvider, ctx context.Context) *SSHServer {
 	config := &ssh.ServerConfig{
-		NoClientAuth: true,
+		PasswordCallback: func(conn ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
+			authAttrs, err := getAuthAttrsFromInstance(ctx, conn.User())
+			if err != nil {
+				return nil, err
+			}
+			switch authAttrs.GetAuthenticationType() {
+			case model.AuthenticationType_NONE:
+				return nil, nil
+			case model.AuthenticationType_PUB_KEY:
+				if authAttrs.GetSshPublicKey() != "" {
+					return nil, fmt.Errorf("%s auth type is public key but client configured to password auth", conn.User())
+				}
+			}
+			return nil, fmt.Errorf("%s is using undefind AuthenticationType", conn.User())
+		},
+		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+			authAttrs, err := getAuthAttrsFromInstance(ctx, conn.User())
+			if err != nil {
+				return nil, err
+			}
+			switch authAttrs.GetAuthenticationType() {
+			case model.AuthenticationType_NONE:
+				return nil, nil
+			case model.AuthenticationType_PUB_KEY:
+				zkPubKey := strings.TrimSpace(authAttrs.GetSshPublicKey())
+				var clientPubkey string
+				if key != nil {
+					clientPubkey = strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key)))
+				}
+
+				if zkPubKey == clientPubkey {
+					return nil, nil
+				} else {
+					log.Errorf("Private key mismatch with database public key")
+					return nil, fmt.Errorf("Private key mismatch with database public key")
+				}
+			default:
+				return nil, fmt.Errorf("Unknown AuthenticationType")
+			}
+		},
 	}
 
 	return &SSHServer{

cmd/openvdc/cmd/console.go

@@ -3,9 +3,11 @@ package cmd
 import (
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net"
 	"os"
 	"strings"
+	"time"
 
 	log "github.com/Sirupsen/logrus"
 	"github.com/axsh/openvdc/cmd/openvdc/cmd/console"
@@ -21,6 +23,7 @@ import (
 
 func init() {
 	consoleCmd.Flags().Bool("show", false, "Show console information")
+	consoleCmd.Flags().StringP("identity-file", "i", "", "Selects a file from which the identity (private key) for public key authentication is read")
 }
 
 var consoleCmd = &cobra.Command{
@@ -46,6 +49,7 @@ var consoleCmd = &cobra.Command{
 		}
 
 		var res *api.ConsoleReply
+
 		err := util.RemoteCall(func(conn *grpc.ClientConn) error {
 			ic := api.NewInstanceClient(conn)
 			var err error
@@ -56,7 +60,7 @@ var consoleCmd = &cobra.Command{
 			log.WithError(err).Fatal("Failed request to Instance.Console API")
 		}
 
-		info, err := cmd.Flags().GetBool("show")
+		info, _ := cmd.Flags().GetBool("show")
 		switch res.Type {
 		case model.Console_SSH:
 			if info {
@@ -71,8 +75,38 @@ var consoleCmd = &cobra.Command{
 				fmt.Println("")
 				return nil
 			}
-			sshcon := console.NewSshConsole(instanceID, nil)
-			var err error
+
+			var config = &ssh.ClientConfig{
+				Timeout: 5 * time.Second,
+				Auth: []ssh.AuthMethod{
+					ssh.Password(""),
+				},
+				HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+			}
+
+			switch res.AuthType {
+			case model.AuthenticationType_NONE:
+				config.Auth = []ssh.AuthMethod{ssh.Password("")}
+			case model.AuthenticationType_PUB_KEY:
+				identityFile, _ := cmd.Flags().GetString("identity-file")
+				if identityFile == "" {
+					log.Fatalf("Required private key but not setted")
+				}
+
+				// Parse and set indetifyFifle
+				key, err := ioutil.ReadFile(identityFile)
+				if err != nil {
+					log.Fatalf("unable to read private key: %v", err)
+				}
+				// Create the Signer for this private key.
+				signer, err := ssh.ParsePrivateKey(key)
+				if err != nil {
+					log.Fatalf("unable to parse private key: %v", err)
+				}
+				config.Auth = []ssh.AuthMethod{ssh.PublicKeys(signer)}
+			}
+
+			sshcon := console.NewSshConsole(instanceID, config)
 			if len(execArgs) > 0 {
 				err = sshcon.Exec(res.GetAddress(), execArgs)
 			} else {

cmd/openvdc/cmd/console/ssh.go

@@ -23,6 +23,10 @@ func NewSshConsole(instanceID string, config *ssh.ClientConfig) *SshConsole {
 	if config == nil {
 		config = &ssh.ClientConfig{
 			Timeout: 5 * time.Second,
+			Auth: []ssh.AuthMethod{
+				ssh.Password(""),
+			},
+			HostKeyCallback: ssh.InsecureIgnoreHostKey(),
 		}
 	}
 	return &SshConsole{

cmd/openvdc/cmd/copy/copy.go

@@ -26,6 +26,10 @@ func NewClient(cr *api.CopyReply) (*Client, error) {
 
 	config := &ssh.ClientConfig{
 		User: cr.GetInstanceId(),
+		Auth: []ssh.AuthMethod{
+			ssh.Password(""),
+		},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
 	}
 
 	return &Client{