Merge pull request #9603 from paulmey/disable-password

[azure-arm] Disable ssh password authentication unless password is explicitly specified
2020-07-17 09:32:38 -07:00 · 2020-07-17 09:32:38 -07:00 · 8964367eb5
parent 0883e185a2 708ca1c126
commit 8964367eb5
17 changed files with 108 additions and 43 deletions
--- a/builder/azure/arm/config.go
+++ b/builder/azure/arm/config.go
@ -697,10 +697,10 @@ func setUserNamePassword(c *Config) error {
 	}
 	c.UserName = c.Comm.SSHUsername

-	if c.Comm.SSHPassword == "" {
-		c.Comm.SSHPassword = c.Password
+	// if user has an explicit wish to use an SSH password, we'll set it
+	if c.Comm.SSHPassword != "" {
+		c.Password = c.Comm.SSHPassword
 	}
-	c.Password = c.Comm.SSHPassword

 	if c.Comm.Type == "ssh" {
 		return nil
--- a/builder/azure/arm/config_test.go
+++ b/builder/azure/arm/config_test.go
@ -71,8 +71,8 @@ func TestConfigUserNameOverride(t *testing.T) {
 	if c.Password != c.tmpAdminPassword {
 		t.Errorf("Expected 'Password' to be set to generated password, but found %q!", c.Password)
 	}
-	if c.Comm.SSHPassword != c.tmpAdminPassword {
-		t.Errorf("Expected 'c.Comm.SSHPassword' to be set to generated password, but found %q!", c.Comm.SSHPassword)
+	if c.Comm.SSHPassword != "" {
+		t.Errorf("Expected 'c.Comm.SSHPassword' to be empty, but found %q!", c.Comm.SSHPassword)
 	}
 	if c.UserName != "override_username" {
 		t.Errorf("Expected 'UserName' to be set to 'override_username', but found %q!", c.UserName)
@ -2093,6 +2093,14 @@ func getPackerCommunicatorConfiguration() map[string]string {
 	return config
 }

+func getPackerSSHPasswordCommunicatorConfiguration() map[string]string {
+	config := map[string]string{
+		"ssh_password": "superS3cret",
+	}
+
+	return config
+}
+
 func TestConfigShouldRejectMalformedUserAssignedManagedIdentities(t *testing.T) {
 	config := map[string]interface{}{
 		"capture_name_prefix":    "ignore",
--- a/builder/azure/arm/template_factory.go
+++ b/builder/azure/arm/template_factory.go
@ -55,10 +55,16 @@ func GetVirtualMachineDeployment(config *Config) (*resources.Deployment, error)

 	switch config.OSType {
 	case constants.Target_Linux:
-		builder.BuildLinux(config.sshAuthorizedKey)
+		err = builder.BuildLinux(config.sshAuthorizedKey, config.Comm.SSHPassword == "") // if ssh password is not explicitly specified, disable password auth
+		if err != nil {
+			return nil, err
+		}
 	case constants.Target_Windows:
 		osType = compute.Windows
-		builder.BuildWindows(config.tmpKeyVaultName, config.tmpWinRMCertificateUrl)
+		err = builder.BuildWindows(config.tmpKeyVaultName, config.tmpWinRMCertificateUrl)
+		if err != nil {
+			return nil, err
+		}
 	}

 	if len(config.UserAssignedManagedIdentities) != 0 {
@ -68,9 +74,15 @@ func GetVirtualMachineDeployment(config *Config) (*resources.Deployment, error)
 	}

 	if config.ImageUrl != "" {
-		builder.SetImageUrl(config.ImageUrl, osType, config.diskCachingType)
+		err = builder.SetImageUrl(config.ImageUrl, osType, config.diskCachingType)
+		if err != nil {
+			return nil, err
+		}
 	} else if config.CustomManagedImageName != "" {
-		builder.SetManagedDiskUrl(config.customManagedImageID, config.managedImageStorageAccountType, config.diskCachingType)
+		err = builder.SetManagedDiskUrl(config.customManagedImageID, config.managedImageStorageAccountType, config.diskCachingType)
+		if err != nil {
+			return nil, err
+		}
 	} else if config.ManagedImageName != "" && config.ImagePublisher != "" {
 		imageID := fmt.Sprintf("/subscriptions/%s/providers/Microsoft.Compute/locations/%s/publishers/%s/ArtifactTypes/vmimage/offers/%s/skus/%s/versions/%s",
 			config.ClientConfig.SubscriptionID,
@ -92,38 +104,62 @@ func GetVirtualMachineDeployment(config *Config) (*resources.Deployment, error)
 				config.SharedGallery.ImageVersion)
 		}

-		builder.SetSharedGalleryImage(config.Location, imageID, config.diskCachingType)
+		err = builder.SetSharedGalleryImage(config.Location, imageID, config.diskCachingType)
+		if err != nil {
+			return nil, err
+		}
 	} else {
-		builder.SetMarketPlaceImage(config.ImagePublisher, config.ImageOffer, config.ImageSku, config.ImageVersion, config.diskCachingType)
+		err = builder.SetMarketPlaceImage(config.ImagePublisher, config.ImageOffer, config.ImageSku, config.ImageVersion, config.diskCachingType)
+		if err != nil {
+			return nil, err
+		}
 	}

 	if config.OSDiskSizeGB > 0 {
-		builder.SetOSDiskSizeGB(config.OSDiskSizeGB)
+		err = builder.SetOSDiskSizeGB(config.OSDiskSizeGB)
+		if err != nil {
+			return nil, err
+		}
 	}

 	if len(config.AdditionalDiskSize) > 0 {
 		isManaged := config.CustomManagedImageName != "" || (config.ManagedImageName != "" && config.ImagePublisher != "") || config.SharedGallery.Subscription != ""
-		builder.SetAdditionalDisks(config.AdditionalDiskSize, config.tmpDataDiskName, isManaged, config.diskCachingType)
+		err = builder.SetAdditionalDisks(config.AdditionalDiskSize, config.tmpDataDiskName, isManaged, config.diskCachingType)
+		if err != nil {
+			return nil, err
+		}
 	}

 	if config.customData != "" {
-		builder.SetCustomData(config.customData)
+		err = builder.SetCustomData(config.customData)
+		if err != nil {
+			return nil, err
+		}
 	}

 	if config.PlanInfo.PlanName != "" {
-		builder.SetPlanInfo(config.PlanInfo.PlanName, config.PlanInfo.PlanProduct, config.PlanInfo.PlanPublisher, config.PlanInfo.PlanPromotionCode)
+		err = builder.SetPlanInfo(config.PlanInfo.PlanName, config.PlanInfo.PlanProduct, config.PlanInfo.PlanPublisher, config.PlanInfo.PlanPromotionCode)
+		if err != nil {
+			return nil, err
+		}
 	}

 	if config.VirtualNetworkName != "" && DefaultPrivateVirtualNetworkWithPublicIp != config.PrivateVirtualNetworkWithPublicIp {
-		builder.SetPrivateVirtualNetworkWithPublicIp(
+		err = builder.SetPrivateVirtualNetworkWithPublicIp(
 			config.VirtualNetworkResourceGroupName,
 			config.VirtualNetworkName,
 			config.VirtualNetworkSubnetName)
+		if err != nil {
+			return nil, err
+		}
 	} else if config.VirtualNetworkName != "" {
-		builder.SetVirtualNetwork(
+		err = builder.SetVirtualNetwork(
 			config.VirtualNetworkResourceGroupName,
 			config.VirtualNetworkName,
 			config.VirtualNetworkSubnetName)
+		if err != nil {
+			return nil, err
+		}
 	}

 	if config.AllowedInboundIpAddresses != nil && len(config.AllowedInboundIpAddresses) >= 1 && config.Comm.Port() != 0 {
@ -140,7 +176,11 @@ func GetVirtualMachineDeployment(config *Config) (*resources.Deployment, error)
 		}
 	}

-	builder.SetTags(&config.AzureTags)
+	err = builder.SetTags(&config.AzureTags)
+	if err != nil {
+		return nil, err
+	}
+
 	doc, _ := builder.ToJSON()
 	return createDeploymentParameters(*doc, params)
 }
--- a/builder/azure/arm/template_factory_test.TestPlanInfo01.approved.json
+++ b/builder/azure/arm/template_factory_test.TestPlanInfo01.approved.json
@ -149,10 +149,10 @@
          ]
        },
        "osProfile": {
-          "adminPassword": "[parameters('adminPassword')]",
          "adminUsername": "[parameters('adminUsername')]",
          "computerName": "[parameters('vmName')]",
          "linuxConfiguration": {
+            "disablePasswordAuthentication": true,
            "ssh": {
              "publicKeys": [
                {
--- a/builder/azure/arm/template_factory_test.TestPlanInfo02.approved.json
+++ b/builder/azure/arm/template_factory_test.TestPlanInfo02.approved.json
@ -153,10 +153,10 @@
          ]
        },
        "osProfile": {
-          "adminPassword": "[parameters('adminPassword')]",
          "adminUsername": "[parameters('adminUsername')]",
          "computerName": "[parameters('vmName')]",
          "linuxConfiguration": {
+            "disablePasswordAuthentication": true,
            "ssh": {
              "publicKeys": [
                {
--- a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment04.approved.json
+++ b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment04.approved.json
@ -126,10 +126,10 @@
          ]
        },
        "osProfile": {
-          "adminPassword": "[parameters('adminPassword')]",
          "adminUsername": "[parameters('adminUsername')]",
          "computerName": "[parameters('vmName')]",
          "linuxConfiguration": {
+            "disablePasswordAuthentication": true,
            "ssh": {
              "publicKeys": [
                {
--- a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment06.approved.json
+++ b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment06.approved.json
@ -141,10 +141,10 @@
          ]
        },
        "osProfile": {
-          "adminPassword": "[parameters('adminPassword')]",
          "adminUsername": "[parameters('adminUsername')]",
          "computerName": "[parameters('vmName')]",
          "linuxConfiguration": {
+            "disablePasswordAuthentication": true,
            "ssh": {
              "publicKeys": [
                {
--- a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment08.approved.json
+++ b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment08.approved.json
@ -126,10 +126,10 @@
          ]
        },
        "osProfile": {
-          "adminPassword": "[parameters('adminPassword')]",
          "adminUsername": "[parameters('adminUsername')]",
          "computerName": "[parameters('vmName')]",
          "linuxConfiguration": {
+            "disablePasswordAuthentication": true,
            "ssh": {
              "publicKeys": [
                {
--- a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment10.approved.json
+++ b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment10.approved.json
@ -104,10 +104,10 @@
          ]
        },
        "osProfile": {
-          "adminPassword": "[parameters('adminPassword')]",
          "adminUsername": "[parameters('adminUsername')]",
          "computerName": "[parameters('vmName')]",
          "linuxConfiguration": {
+            "disablePasswordAuthentication": true,
            "ssh": {
              "publicKeys": [
                {
--- a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment12.approved.json
+++ b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment12.approved.json
@ -126,10 +126,10 @@
          ]
        },
        "osProfile": {
-          "adminPassword": "[parameters('adminPassword')]",
          "adminUsername": "[parameters('adminUsername')]",
          "computerName": "[parameters('vmName')]",
          "linuxConfiguration": {
+            "disablePasswordAuthentication": true,
            "ssh": {
              "publicKeys": [
                {
--- a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment14.approved.json
+++ b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment14.approved.json
@ -127,10 +127,10 @@
          ]
        },
        "osProfile": {
-          "adminPassword": "[parameters('adminPassword')]",
          "adminUsername": "[parameters('adminUsername')]",
          "computerName": "[parameters('vmName')]",
          "linuxConfiguration": {
+            "disablePasswordAuthentication": true,
            "ssh": {
              "publicKeys": [
                {
--- a/builder/azure/arm/template_factory_test.go
+++ b/builder/azure/arm/template_factory_test.go
@ -108,7 +108,10 @@ func TestVirtualMachineDeployment03(t *testing.T) {
 	m["image_version"] = "ImageVersion"

 	var c Config
-	c.Prepare(m, getPackerConfiguration())
+	_, err := c.Prepare(m, getPackerConfiguration(), getPackerSSHPasswordCommunicatorConfiguration())
+	if err != nil {
+		t.Fatal(err)
+	}
 	deployment, err := GetVirtualMachineDeployment(&c)
 	if err != nil {
 		t.Fatal(err)
@ -168,7 +171,7 @@ func TestVirtualMachineDeployment05(t *testing.T) {
 	}

 	var c Config
-	_, err := c.Prepare(config, getPackerConfiguration())
+	_, err := c.Prepare(config, getPackerConfiguration(), getPackerSSHPasswordCommunicatorConfiguration())
 	if err != nil {
 		t.Fatal(err)
 	}
@ -235,7 +238,7 @@ func TestVirtualMachineDeployment07(t *testing.T) {
 	}

 	var c Config
-	_, err := c.Prepare(config, getPackerConfiguration())
+	_, err := c.Prepare(config, getPackerConfiguration(), getPackerSSHPasswordCommunicatorConfiguration())
 	if err != nil {
 		t.Fatal(err)
 	}
@ -312,7 +315,7 @@ func TestVirtualMachineDeployment09(t *testing.T) {
 	}

 	var c Config
-	_, err := c.Prepare(config, getPackerConfiguration())
+	_, err := c.Prepare(config, getPackerConfiguration(), getPackerSSHPasswordCommunicatorConfiguration())
 	if err != nil {
 		t.Fatal(err)
 	}
@ -387,7 +390,7 @@ func TestVirtualMachineDeployment11(t *testing.T) {
 	}

 	var c Config
-	_, err := c.Prepare(config, getPackerConfiguration())
+	_, err := c.Prepare(config, getPackerConfiguration(), getPackerSSHPasswordCommunicatorConfiguration())
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/builder/azure/common/template/template_builder.go
+++ b/builder/azure/common/template/template_builder.go
@ -43,7 +43,7 @@ func NewTemplateBuilder(template string) (*TemplateBuilder, error) {
 	}, nil
 }

-func (s *TemplateBuilder) BuildLinux(sshAuthorizedKey string) error {
+func (s *TemplateBuilder) BuildLinux(sshAuthorizedKey string, disablePasswordAuthentication bool) error {
 	resource, err := s.getResourceByType(resourceVirtualMachine)
 	if err != nil {
 		return err
@ -61,6 +61,11 @@ func (s *TemplateBuilder) BuildLinux(sshAuthorizedKey string) error {
 		},
 	}

+	if disablePasswordAuthentication {
+		profile.LinuxConfiguration.DisablePasswordAuthentication = to.BoolPtr(true)
+		profile.AdminPassword = nil
+	}
+
 	s.osType = compute.Linux
 	return nil
 }
--- a/builder/azure/common/template/template_builder_test.TestBuildLinux00.approved.json
+++ b/builder/azure/common/template/template_builder_test.TestBuildLinux00.approved.json
@ -126,10 +126,10 @@
          ]
        },
        "osProfile": {
-          "adminPassword": "[parameters('adminPassword')]",
          "adminUsername": "[parameters('adminUsername')]",
          "computerName": "[parameters('vmName')]",
          "linuxConfiguration": {
+            "disablePasswordAuthentication": true,
            "ssh": {
              "publicKeys": [
                {
--- a/builder/azure/common/template/template_builder_test.TestBuildLinux02.approved.json
+++ b/builder/azure/common/template/template_builder_test.TestBuildLinux02.approved.json
@ -87,10 +87,10 @@
          ]
        },
        "osProfile": {
-          "adminPassword": "[parameters('adminPassword')]",
          "adminUsername": "[parameters('adminUsername')]",
          "computerName": "[parameters('vmName')]",
          "linuxConfiguration": {
+            "disablePasswordAuthentication": true,
            "ssh": {
              "publicKeys": [
                {
--- a/builder/azure/common/template/template_builder_test.TestSetIdentity00.approved.json
+++ b/builder/azure/common/template/template_builder_test.TestSetIdentity00.approved.json
@ -132,10 +132,10 @@
          ]
        },
        "osProfile": {
-          "adminPassword": "[parameters('adminPassword')]",
          "adminUsername": "[parameters('adminUsername')]",
          "computerName": "[parameters('vmName')]",
          "linuxConfiguration": {
+            "disablePasswordAuthentication": true,
            "ssh": {
              "publicKeys": [
                {
--- a/builder/azure/common/template/template_builder_test.go
+++ b/builder/azure/common/template/template_builder_test.go
@ -15,7 +15,7 @@ func TestBuildLinux00(t *testing.T) {
 		t.Fatal(err)
 	}

-	err = testSubject.BuildLinux("--test-ssh-authorized-key--")
+	err = testSubject.BuildLinux("--test-ssh-authorized-key--", true)
 	if err != nil {
 		t.Fatal(err)
 	}
@ -43,7 +43,7 @@ func TestBuildLinux01(t *testing.T) {
 		t.Fatal(err)
 	}

-	err = testSubject.BuildLinux("--test-ssh-authorized-key--")
+	err = testSubject.BuildLinux("--test-ssh-authorized-key--", false)
 	if err != nil {
 		t.Fatal(err)
 	}
@ -71,9 +71,18 @@ func TestBuildLinux02(t *testing.T) {
 		t.Fatal(err)
 	}

-	testSubject.BuildLinux("--test-ssh-authorized-key--")
-	testSubject.SetImageUrl("http://azure/custom.vhd", compute.Linux, compute.CachingTypesReadWrite)
-	testSubject.SetOSDiskSizeGB(100)
+	err = testSubject.BuildLinux("--test-ssh-authorized-key--", true)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = testSubject.SetImageUrl("http://azure/custom.vhd", compute.Linux, compute.CachingTypesReadWrite)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = testSubject.SetOSDiskSizeGB(100)
+	if err != nil {
+		t.Fatal(err)
+	}

 	err = testSubject.SetVirtualNetwork("--virtual-network-resource-group--", "--virtual-network--", "--subnet-name--")
 	if err != nil {
@ -189,7 +198,7 @@ func TestSharedImageGallery00(t *testing.T) {
 		t.Fatal(err)
 	}

-	err = testSubject.BuildLinux("--test-ssh-authorized-key--")
+	err = testSubject.BuildLinux("--test-ssh-authorized-key--", false)
 	if err != nil {
 		t.Fatal(err)
 	}
@ -218,7 +227,7 @@ func TestNetworkSecurityGroup00(t *testing.T) {
 		t.Fatal(err)
 	}

-	err = testSubject.BuildLinux("--test-ssh-authorized-key--")
+	err = testSubject.BuildLinux("--test-ssh-authorized-key--", false)
 	if err != nil {
 		t.Fatal(err)
 	}
@ -251,7 +260,7 @@ func TestSetIdentity00(t *testing.T) {
 		t.Fatal(err)
 	}

-	if err = testSubject.BuildLinux("--test-ssh-authorized-key--"); err != nil {
+	if err = testSubject.BuildLinux("--test-ssh-authorized-key--", true); err != nil {
 		t.Fatal(err)
 	}