feat: generate rsa key pair automatically per instance

Author: justintsteele

README.md

@@ -50,6 +50,7 @@ The following driver parameters are common to both instance types, but are not r
    - `oci_profile_name`, OCI profile to use (default: `DEFAULT`)
    - `oci_config`, Hash of additional `OCI::Config` settings. Allows you to test without an oci config file [[more](#use-without-oci-config-file)]
    - `ssh_keypath`, SSH public key (default: `~/.ssh/id_rsa.pub`)
+   - `ssh_keygen`, Automatically generate the rsa key pair for an instance (default: `false`) [[more](#ssh-keygen)]
    - `post_create_script`, run a script on an instance after deployment
    - `post_create_reboot`, reboot the instance after instance creation (default: `false`)
    - `proxy_url`, Connect via the specified proxy URL [[more](#proxy-support)]
@@ -274,6 +275,26 @@ Alternately, if you simply pass a string to the user_data, it will be base64 enc
     gid: 1000
 ```
 
+## SSH Keygen
+
+The driver can generate an ssh key pair for an instance during creation.  In order to turn this feature on, add the `ssh_keygen` property to the `driver` and set the value to `true`. This can be set in the `driver` section on a 
+per-platform or per-suite basis, but can also be enabled globally for the entire kitchen.yml in the top-level `driver` section.
+
+Ensure that the `transport` section does not contain a path to a private key (the `ssh_key` property). If the `transport` has a value in `ssh_key` property, this will mismatch with the key pair that the driver will create causing your 
+instance creation to be stuck in an endless loop waiting for `transport` to receive a confirmed ssh connection.
+
+The generated key pair is stored in the `.kitchen/.ssh` directory and is named for the instance that generated it so each instance in your `kitchen.yml` can have its own key pair.  
+
+Upon instance termination (`kitchen destroy`), the generated key pair will be removed from the `.kitchen/.ssh` directory along with the state file as should be expected.
+
+```yml
+  driver:
+    ssh_keygen: true
+
+  transport:
+    username: opc
+```
+
 ## Proxy support
 
 If running Kitchen on a private subnet with no public IPs permitted, it may be necessary to connect to the OCI API via a web proxy.  The proxy URL can either be specified on the command line:

lib/kitchen/driver/oci.rb

@@ -64,6 +64,7 @@ class Oci < Kitchen::Driver::Base # rubocop:disable Metrics/ClassLength
       default_config :display_name, nil
       default_keypath = File.expand_path(File.join(%w{~ .ssh id_rsa.pub}))
       default_config :ssh_keypath, default_keypath
+      default_config :ssh_keygen, false
       default_config :post_create_script, nil
       default_config :proxy_url, nil
       default_config :user_data, nil
@@ -180,6 +181,10 @@ def detatch_and_delete_volumes(state, oci, api)
       def terminate(state, inst)
         instance.transport.connection(state).close
         inst.terminate
+        if state[:ssh_key]
+          FileUtils.rm_f(state[:ssh_key])
+          FileUtils.rm_f("#{state[:ssh_key]}.pub")
+        end
       end
     end
   end

lib/kitchen/driver/oci/instance.rb

@@ -96,6 +96,43 @@ def public_ip_allowed?
           !subnet.prohibit_public_ip_on_vnic
         end
 
+        def public_key_file
+          if config[:ssh_keygen]
+            "#{config[:kitchen_root]}/.kitchen/.ssh/#{config[:instance_name]}_rsa.pub"
+          else
+            config[:ssh_keypath]
+          end
+        end
+
+        def private_key_file
+          public_key_file.gsub(".pub", "")
+        end
+
+        def gen_key_pair
+          FileUtils.mkdir_p("#{config[:kitchen_root]}/.kitchen/.ssh")
+          rsa_key = OpenSSL::PKey::RSA.new(4096)
+          write_private_key(rsa_key)
+          write_public_key(rsa_key)
+          state.store(:ssh_key, private_key_file)
+        end
+
+        def write_private_key(rsa_key)
+          File.open(private_key_file, "wb") { |k| k.write(rsa_key.to_pem) }
+          File.chmod(0600, private_key_file)
+        end
+
+        def write_public_key(rsa_key)
+          File.open(public_key_file, "wb") { |k| k.write("ssh-rsa #{encode_private_key(rsa_key)} #{config[:instance_name]}") }
+          File.chmod(0600, public_key_file)
+        end
+
+        def encode_private_key(rsa_key)
+          prefix = "#{[7].pack("N")}ssh-rsa"
+          exponent = rsa_key.e.to_s(0)
+          modulus = rsa_key.n.to_s(0)
+          ["#{prefix}#{exponent}#{modulus}"].pack("m0")
+        end
+
         def random_password(special_chars)
           (Array.new(5) { special_chars.sample } +
             Array.new(5) { ("a".."z").to_a.sample } +

lib/kitchen/driver/oci/instance/dbaas.rb

@@ -61,7 +61,7 @@ def node_count
 
           def pubkey
             result = []
-            result << File.readlines(config[:ssh_keypath]).first.chomp
+            result << read_public_key
             launch_details.ssh_public_keys = result
           end
 

lib/kitchen/driver/oci/models/compute.rb

@@ -159,15 +159,19 @@ def create_vnic_details(name)
           end
 
           def pubkey
-            File.readlines(config[:ssh_keypath]).first.chomp
+            if config[:ssh_keygen]
+              logger.info("Generating public/private rsa key pair")
+              gen_key_pair
+            end
+            File.readlines(public_key_file).first.chomp
           end
 
           def metadata
             md = {}
             inject_powershell
             config[:custom_metadata]&.each { |k, v| md.store(k, v) }
-            md.store("ssh_authorized_keys", pubkey)
-            md.store("user_data", user_data) if config[:user_data] && !config[:user_data].empty?
+            md.store("ssh_authorized_keys", pubkey) unless config[:setup_winrm]
+            md.store("user_data", user_data) if user_data?
             md
           end
 
@@ -182,6 +186,10 @@ def windows_state?
             config[:setup_winrm] && config[:password].nil? && state[:password].nil?
           end
 
+          def user_data?
+            config[:user_data] && !config[:user_data].empty?
+          end
+
           def winrm_ps1
             filename = File.join(__dir__, %w{.. .. .. .. .. tpl setup_winrm.ps1.erb})
             tpl = ERB.new(File.read(filename))

lib/kitchen/driver/oci/models/dbaas.rb

@@ -97,6 +97,14 @@ def hostname_prefix
           def long_hostname_suffix
             [random_string(25 - hostname_prefix.length), random_string(3)].compact.join("-")
           end
+
+          def read_public_key
+            if config[:ssh_keygen]
+              logger.info("Generating public/private rsa key pair")
+              gen_key_pair
+            end
+            File.readlines(public_key_file).first.chomp
+          end
         end
       end
     end

lib/kitchen/driver/oci/volumes.rb

@@ -20,7 +20,7 @@
 module Kitchen
   module Driver
     class Oci
-      # mixin for working with volume and attachments
+      # mixin for working with volumes and attachments
       module Volumes
         def create_and_attach_volumes(config, state, oci, api)
           return if config[:volumes].empty?

lib/kitchen/driver/oci_version.rb

@@ -20,6 +20,6 @@
 module Kitchen
   module Driver
     # Version string for Oracle OCI Kitchen driver
-    OCI_VERSION = "1.25.0"
+    OCI_VERSION = "1.26.0"
   end
 end