← Back to team overview

cloud-init-dev team mailing list archive

Re: [Merge] ~chad.smith/cloud-init:feature/cc-uaclient into cloud-init:master

 

Inline comment around sso auth

Diff comments:

> diff --git a/cloudinit/config/cc_ubuntu_advantage.py b/cloudinit/config/cc_ubuntu_advantage.py
> index 5e082bd..1a95766 100644
> --- a/cloudinit/config/cc_ubuntu_advantage.py
> +++ b/cloudinit/config/cc_ubuntu_advantage.py
> @@ -1,145 +1,170 @@
> -# Copyright (C) 2018 Canonical Ltd.
> -#
>  # This file is part of cloud-init. See LICENSE file for license information.
>  
> -"""Ubuntu advantage: manage ubuntu-advantage offerings from Canonical."""
> +"""ubuntu_advantage: Configure Ubuntu Advantage support entitlements"""
>  
> -import sys
>  from textwrap import dedent
>  
> -from cloudinit import log as logging
>  from cloudinit.config.schema import (
>      get_schema_doc, validate_cloudconfig_schema)
> +from cloudinit import log as logging
>  from cloudinit.settings import PER_INSTANCE
> -from cloudinit.subp import prepend_base_command
>  from cloudinit import util
>  
>  
> -distros = ['ubuntu']
> -frequency = PER_INSTANCE
> +UA_URL = 'https://ubuntu.com/advantage'
>  
> -LOG = logging.getLogger(__name__)
> +distros = ['ubuntu']
>  
>  schema = {
>      'id': 'cc_ubuntu_advantage',
> -    'name': 'Ubuntu Advantage',
> -    'title': 'Install, configure and manage ubuntu-advantage offerings',
> +    'name': 'UbuntuAdvantage',
> +    'title': 'Configure Ubuntu Advantage support entitlements',
>      'description': dedent("""\
> -        This module provides configuration options to setup ubuntu-advantage
> -        subscriptions.
> -
> -        .. note::
> -            Both ``commands`` value can be either a dictionary or a list. If
> -            the configuration provided is a dictionary, the keys are only used
> -            to order the execution of the commands and the dictionary is
> -            merged with any vendor-data ubuntu-advantage configuration
> -            provided. If a ``commands`` is provided as a list, any vendor-data
> -            ubuntu-advantage ``commands`` are ignored.
> -
> -        Ubuntu-advantage ``commands`` is a dictionary or list of
> -        ubuntu-advantage commands to run on the deployed machine.
> -        These commands can be used to enable or disable subscriptions to
> -        various ubuntu-advantage products. See 'man ubuntu-advantage' for more
> -        information on supported subcommands.
> -
> -        .. note::
> -           Each command item can be a string or list. If the item is a list,
> -           'ubuntu-advantage' can be omitted and it will automatically be
> -           inserted as part of the command.
> +        Attach machine to an existing Ubuntu Advantage support contract and
> +        enable or disable support entitlements such as livepatch, ESM,
> +        FIPS, FIPS Updates and CIS Audit tools. When attaching a machine to
> +        Advantage, one can either specify explicit entitlements to enable or
> +        rely on the entitlement default behavior. When no 'entitlements' list
> +        is provided, the default behavior enables both livepatch and esm on
> +        supported Ubuntu environments.
> +        When 'entitlements' list is present, any named entitlement will be
> +        enabled and all absent entitlements will remain disabled.
> +        Note when enabling FIPS or FIPS updates a reboot will occur after
> +        installation completes to ensure the machine is running the
> +        FIPS-compliant kernel.
>          """),
>      'distros': distros,
>      'examples': [dedent("""\
> -        # Enable Extended Security Maintenance using your service auth token
> -        ubuntu-advantage:
> -            commands:
> -              00: ubuntu-advantage enable-esm <token>
> +        # Attach the machine to a Ubuntu Advantage support contract with a
> +        # UA user token obtained from %s.
> +        # Default entitlemtents such as livepatch and esm will automatically
> +        # be enabled after detachment because no entitlements were specified.
> +        ubuntu_advantage:
> +          token: <ua_user_token>
> +    """ % UA_URL), dedent("""\
> +        # Attach the machine to an Ubuntu Advantage support contract using
> +        # Ubuntu SSO with optional two-factor authentication. Default
> +        # entitlements such as livepatch and esm will be enabled if applicable.
> +        ubuntu_advantage:
> +          sso_email: <sso_email>
> +          sso_password: <sso_password_hash>
> +          sso_twofactor: <2fa_code>  # if the sso account requires 2fa

Wouldn't this cause race conditions with your 2fa code expiring? I was under the impression that all accounts required 2fa and as such shouldn't we only accept the token-based method instead?

It also seems more prudent to only accept the token instead of someones password which could be used to control many other aspects of their account.

>      """), dedent("""\
> -        # Enable livepatch by providing your livepatch token
> +        # Attach the machine to an Ubuntu Advantage support contract enabling
> +        # only fips and entitlements. Entitlementswill only be enabled if
> +        # the environment supports said entitlement. Otherwise warnings will
> +        # be logged for incompatible entitlements specified.
>          ubuntu-advantage:
> -            commands:
> -                00: ubuntu-advantage enable-livepatch <livepatch-token>
> -
> -    """), dedent("""\
> -        # Convenience: the ubuntu-advantage command can be omitted when
> -        # specifying commands as a list and 'ubuntu-advantage' will
> -        # automatically be prepended.
> -        # The following commands are equivalent
> -        ubuntu-advantage:
> -            commands:
> -                00: ['enable-livepatch', 'my-token']
> -                01: ['ubuntu-advantage', 'enable-livepatch', 'my-token']
> -                02: ubuntu-advantage enable-livepatch my-token
> -                03: 'ubuntu-advantage enable-livepatch my-token'
> +          token: <ua_user_token>
> +          entitlements:
> +          - fips
> +          - esm
>      """)],
>      'frequency': PER_INSTANCE,
>      'type': 'object',
>      'properties': {
> -        'ubuntu-advantage': {
> +        'ubuntu_advantage': {
>              'type': 'object',
>              'properties': {
> -                'commands': {
> -                    'type': ['object', 'array'],  # Array of strings or dict
> +                'entitlements': {
> +                    'type': 'array',
>                      'items': {
> -                        'oneOf': [
> -                            {'type': 'array', 'items': {'type': 'string'}},
> -                            {'type': 'string'}]
> +                        'type': 'string',
> +                        'enum': ['esm', 'fips', 'fips-updates', 'livepatch',
> +                                 'cis-audit']
>                      },
> -                    'additionalItems': False,  # Reject non-string & non-list
> -                    'minItems': 1,
> -                    'minProperties': 1,
> +                    'minItems': 0
> +                },
> +                'sso_email': {
> +                    'type': 'string',
> +                    'description': 'SSO email for the UA account'
> +                },
> +                'sso_password': {
> +                    'type': 'string',
> +                    'description': 'Hashed SSO password for the UA account'
> +                },
> +                'sso_twofactor': {
> +                    'type': 'string',
> +                    'description':
> +                        'Optional Two-factor authentication code if'
> +                        ' required on this UA account'
> +                },
> +                'token': {
> +                    'type': 'string',
> +                    'description': "A user-token obtained from %s." % UA_URL
>                  }
>              },
> -            'additionalProperties': False,  # Reject keys not in schema
> -            'required': ['commands']
> +            'oneOf': [  # Either sso_* credentials or token, but not both
> +                {'required': ['sso_email', 'sso_password'],
> +                 'not': {'required': ['token']}},
> +                {'required': ['token'],
> +                 'not': {'required': [
> +                             'sso_email', 'sso_password', 'sso_twofactor']}}
> +            ],
> +            'minProperties': 1,  # Either token or sso_* creds must be provided
> +            'additionalProperties': False
>          }
>      }
>  }
>  
> -# TODO schema for 'assertions' and 'commands' are too permissive at the moment.
> -# Once python-jsonschema supports schema draft 6 add support for arbitrary
> -# object keys with 'patternProperties' constraint to validate string values.
> -
>  __doc__ = get_schema_doc(schema)  # Supplement python help()
>  
> -UA_CMD = "ubuntu-advantage"
> -
> -
> -def run_commands(commands):
> -    """Run the commands provided in ubuntu-advantage:commands config.
> +LOG = logging.getLogger(__name__)
>  
> -     Commands are run individually. Any errors are collected and reported
> -     after attempting all commands.
>  
> -     @param commands: A list or dict containing commands to run. Keys of a
> -         dict will be used to order the commands provided as dict values.
> -     """
> -    if not commands:
> -        return
> -    LOG.debug('Running user-provided ubuntu-advantage commands')
> -    if isinstance(commands, dict):
> -        # Sort commands based on dictionary key
> -        commands = [v for _, v in sorted(commands.items())]
> -    elif not isinstance(commands, list):
> -        raise TypeError(
> -            'commands parameter was not a list or dict: {commands}'.format(
> -                commands=commands))
> -
> -    fixed_ua_commands = prepend_base_command('ubuntu-advantage', commands)
> -
> -    cmd_failures = []
> -    for command in fixed_ua_commands:
> -        shell = isinstance(command, str)
> -        try:
> -            util.subp(command, shell=shell, status_cb=sys.stderr.write)
> -        except util.ProcessExecutionError as e:
> -            cmd_failures.append(str(e))
> -    if cmd_failures:
> -        msg = (
> -            'Failures running ubuntu-advantage commands:\n'
> -            '{cmd_failures}'.format(
> -                cmd_failures=cmd_failures))
> +def configure_ua(token=None, sso_email=None, sso_password=None,
> +                 sso_twofactor=None, entitlements=None):
> +    """Call ua commandline client to attach or enable entitlements."""
> +    sso_auth = any([sso_email, sso_password, sso_twofactor])
> +    error = None
> +    if not any([token, sso_auth]):
> +        error = ('ubuntu_advantage: either token or sso_email and sso_password'
> +                 ' must be provided')
> +    elif token and sso_auth:
> +        error = ('ubuntu_advantage: token and sso credentials cannot both be'
> +                 ' provided')
> +    elif sso_auth and not all([sso_email, sso_password]):
> +        error = ('ubuntu_advantage: both sso_email and sso_password are'
> +                 ' required')
> +    if error:
> +        LOG.error(error)
> +        raise RuntimeError(error)
> +    attach_cmd = ['ua', 'attach']
> +    if token:
> +        attach_cmd.append(token)
> +    else:
> +        attach_cmd.extend(['--email', sso_email, '--password', sso_password])
> +        if sso_twofactor:
> +            attach_cmd.extend(['--otp', sso_twofactor])
> +
> +    entitlement_cmds = []
> +    if entitlements is not None:  # Entitlements explicitly enabled
> +        attach_cmd.append('--no-auto-enable')
> +        entitlement_cmds.extend(
> +            [['ua', 'enable', name] for name in entitlements])
> +
> +    msg = 'Attaching to Ubuntu Advantage. %s' % ' '.join(attach_cmd)
> +    if sso_password:
> +        msg = msg.replace(sso_password, '<REDACTED>')
> +    LOG.debug(msg)
> +    try:
> +        util.subp(attach_cmd)
> +    except util.ProcessExecutionError as e:
> +        error = str(e)
> +        if sso_password:
> +            error = error.replace(sso_password, '<REDACTED>')
> +        msg = 'Failure attaching ubuntu advantage:\n{error}'.format(
> +            error=error)
>          util.logexc(LOG, msg)
>          raise RuntimeError(msg)
> +    for cmd in entitlement_cmds:
> +        try:
> +            util.subp(cmd, capture=True)
> +        except util.ProcessExecutionError as e:
> +            msg = 'Failure enabling ubuntu advantage:\n{error}'.format(
> +                error=str(e))
> +            util.logexc(LOG, msg)
> +            raise RuntimeError(msg)
>  
>  
>  def maybe_install_ua_tools(cloud):


-- 
https://code.launchpad.net/~chad.smith/cloud-init/+git/cloud-init/+merge/362161
Your team cloud-init commiters is requested to review the proposed merge of ~chad.smith/cloud-init:feature/cc-uaclient into cloud-init:master.


References