From d002b51c1735341c2042040238208aa2f978dd8a Mon Sep 17 00:00:00 2001
From: Clint Byrum
Date: Tue, 16 May 2017 09:03:37 -0700
Subject: [PATCH] Add roles for per-build SSH keys

These roles can be used in trusted pre/post playbooks to ensure that untrusted playbooks never get access to the private SSH key that is shared between nodes.

Change-Id: I2482da835bcec68bb09b9a73cb45d2f0bc86feb3
---
 .../tasks/create-key-and-replace.yaml | 20 +++++++++++++++++++
 roles/add-build-sshkey/tasks/main.yaml | 9 +++++++++
 roles/add-build-sshkey/vars/main.yml | 1 +
 roles/remove-build-sshkey/tasks/main.yml | 5 +++++
 4 files changed, 35 insertions(+)
 create mode 100644 roles/add-build-sshkey/tasks/create-key-and-replace.yaml
 create mode 100644 roles/add-build-sshkey/tasks/main.yaml
 create mode 100644 roles/add-build-sshkey/vars/main.yml
 create mode 100644 roles/remove-build-sshkey/tasks/main.yml

diff --git a/roles/add-build-sshkey/tasks/create-key-and-replace.yaml b/roles/add-build-sshkey/tasks/create-key-and-replace.yaml
new file mode 100644
index 0000000..5ce52e3
--- /dev/null
+++ b/roles/add-build-sshkey/tasks/create-key-and-replace.yaml
@@ -0,0 +1,20 @@
+- name: Create Temp SSH key
+ command: ssh-keygen -t rsa -b 1024 -N '' -f {{ zuul_temp_ssh_key }}
+ delegate_to: localhost
+
+- name: Distribute it to all nodes
+ authorized_key:
+ user: "{{ ansible_ssh_user }}"
+ state: present
+ key: "{{ lookup('file', zuul_temp_ssh_key + '.pub') }}"
+
+- name: Remove all keys from local agent
+ command: ssh-add -d
+ delegate_to: localhost
+
+- name: Add back temp key
+ command: ssh-add {{ zuul_temp_ssh_key }}
+ delegate_to: localhost
+
+- name: Verify we can still SSH to all nodes
+ ping:
diff --git a/roles/add-build-sshkey/tasks/main.yaml b/roles/add-build-sshkey/tasks/main.yaml
new file mode 100644
index 0000000..dc5746b
--- /dev/null
+++ b/roles/add-build-sshkey/tasks/main.yaml
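Review bot: The `ssh-add -d` in the "Remove all keys from local agent" task does not remove all keys: lowercase `-d` deletes only the identities named on the command line, falling back to the default `~/.ssh` identity files when none is given, so a shared key loaded from any other path stays in the agent and remains usable by the untrusted playbooks this change is meant to isolate; `ssh-add -D` removes every loaded identity. The per-build key is created with `ssh-keygen -t rsa -b 1024`, which is below the accepted minimum for RSA, and since the key lives for a single build there is no cost to `-t ed25519` (or at least `-b 2048`). The closing `ping:` only proves the new key works, not that the old one is gone; an `ssh-add -l` check on localhost after the removal step would have caught the `-d`/`-D` mix-up.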
@@ -0,0 +1,9 @@
+- name: Check to see if ssh key was already created for this build
+ stat: "{{ zuul_temp_ssh_key }}"
+ register: zuul_temp_ssh_key_stat
+ delegate_to: localhost
+ failed_when: false
+
+- name: Create a new key in workspace based on build UUID
+ include: create-key-and-replace.yaml
+ when: zuul_temp_ssh_key_stat is defined
diff --git a/roles/add-build-sshkey/vars/main.yml b/roles/add-build-sshkey/vars/main.yml
new file mode 100644
index 0000000..f3b65f7
--- /dev/null
+++ b/roles/add-build-sshkey/vars/main.yml
@@ -0,0 +1 @@
+zuul_temp_ssh_key: "{{ zuul.uuid }}_id_rsa"
diff --git a/roles/remove-build-sshkey/tasks/main.yml b/roles/remove-build-sshkey/tasks/main.yml
new file mode 100644
index 0000000..c7a3375
--- /dev/null
+++ b/roles/remove-build-sshkey/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Remove the build SSH key from all nodes
+ authorized_key:
+ user: "{{ ansible_ssh_user }}"
+ key: "{{ lookup('file', zuul_temp_ssh_key + '.pub') }}"
+ state: absent
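Review bot: `when: zuul_temp_ssh_key_stat is defined` is always true, because `register` sets the variable whether or not the path exists, so `create-key-and-replace.yaml` is included on every run and `ssh-keygen -f` will refuse to overwrite an existing key file when there is no tty to confirm. The `stat` module also takes no free-form argument, so `stat: "{{ zuul_temp_ssh_key }}"` is rejected as an unsupported parameter and `failed_when: false` is what hides that error. Replace those lines with `stat:` / `  path: "{{ zuul_temp_ssh_key }}"` and `when: not zuul_temp_ssh_key_stat.stat.exists`, and drop `failed_when: false` so a genuine stat failure stays visible.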
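Review bot: `zuul_temp_ssh_key` is a relative path, and its two consumers in the add role resolve it differently: `ssh-keygen -f` and `ssh-add` use the working directory of the delegated localhost process, while `lookup('file', ...)` searches Ansible's file search path (the role's `files/` directory, then the playbook directory), so as far as I can tell the `.pub` half may not be found even though the key was written. Prefixing the value with an absolute directory the executor controls, e.g. `zuul_temp_ssh_key: "<build-workspace-dir>/{{ zuul.uuid }}_id_rsa"` (placeholder directory), makes both resolve to the same file. Note also that `vars/main.yml` takes precedence over play and inventory variables; if callers are meant to relocate the key, `defaults/main.yml` is the usual place for it.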
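Review bot: This role removes only the public half from the nodes; the private key file written by `ssh-keygen -f {{ zuul_temp_ssh_key }}` and the identity loaded with `ssh-add` in `add-build-sshkey` stay on the executor, and nothing re-adds the shared key that role deleted from the agent, so after this task no further play can reach the nodes. A comment at the top of the file should say that this role has to be the last one to touch the nodes, and unless the executor discards the workspace after the post playbooks, the private key should be unloaded and deleted here as well (tasks below; the agent removal must come after the `authorized_key` task, which still needs the key to connect). Separately, `user: "{{ ansible_ssh_user }}"` here and in the add role uses the pre-2.0 variable name; hosts configured with `ansible_user` leave it undefined, so the task would error on such inventories.
```yaml
# … unchanged: authorized_key removal task …

- name: Unload the build SSH key from the local agent
  command: ssh-add -d {{ zuul_temp_ssh_key }}
  delegate_to: localhost

- name: Delete the build SSH key pair from the executor
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - "{{ zuul_temp_ssh_key }}"
    - "{{ zuul_temp_ssh_key }}.pub"
  delegate_to: localhost
```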