Rebuild and allow user SSH

[FrostyX]

Implementation of fedora-copr/debate#6

Fixes: #2364

[praiskup]

Per @lachmanfrantisek claim, @nforro wants to be the early adopter! :-)

[github-advanced-security]

vcs-diff-lint found more than 10 potential problems in the proposed changes. Check the Files changed tab for more details.

[FrostyX]

There is still work to be done but can you please do a preliminary review @praiskup? I don't want to sink time in fine-tuning the details without knowing, that the general idea looks good.

What remains to be done:

• There is a lot of valid linter errors that need to be fixed
• Obtaining SSH keys from FAS (or fallback to a general textarea) is not there yet
• I only tested in the docker-compose so far. Still requires some STG testing
• Small bugs (mainly copr-builder show)
• Some conceptual questions code TODOs, I am very much interested in your opinion

[praiskup]

Would it be possible to have this in YAML/JSON format or something...? We
could have things like:
:

---
type: FAS
fas_user: xyzuser

---
type: plaintext
pub_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDj5HauAOur/6+...

---
type: online
url: https://github.com/praiskup.keys

We don't have to implement all the options in the web-UI right now, nor in cli.
But we can be "prepared".

[FrostyX]

This sounds reasonable, not done yet.

[FrostyX]

I thought about this and it is probably not needed now. We IMHO still want one big textarea for user input and then parse the different (types of) keys somewhere in our code. Personally, I would do the parsing on backend (we have workers there) or even on builder. Because we can fetch the keys from FAS or URL right after that.

Right now only plaintext and one key is supported, so the value could only be

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDj5HauAOur/6+.

Seeing some other comments in the PR, we will probably implement support for multiple keys in this PR, so newline would be separator, e.g.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDj5HauAOur/6+.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDj5HauAOur/6+.

Once we start to support other methods, the input could be

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDj5HauAOur/6+.
FAS:xyzuser
https://github.com/praiskup.keys
GitHub:frostyx

We can always save the blob to the database as is and parse it when needed. That would be consistent with how e.g. copr:// external repositories work.

[praiskup]

Right now only plaintext and one key is supported

Huh, I've successfully tested before with multiple keys :-)

[praiskup]

We IMHO still want one big textarea for user input and then parse the different (types of) keys somewhere in our code.

I'd prefer to have a separate text area in the future, rather than changing the field and start "guessing" the type of input.

My thought was to start doing it right away in the background -- aka giving the user a simple textarea for multi-line key-only input, converting it to the yaml thing in the background, and store into DB. This way we would have open doors for later enhancements without touching the old entries. But I agree that this is rather a nice to have thing, there are many such things.

[praiskup]

This is a very exciting change. Thank you for the progress!

[praiskup]

Can we have the per/user (maybe per arch) limit? I dont remember whether we decided to not implement it..

[FrostyX]

Thank you very much for the review. I updated almost everything but the PR is still WIP.

[FrostyX]

This sounds reasonable, not done yet.

[FrostyX]

Thank you very much for the review @praiskup,
I addressed all your comments. Everything is in a separate commit for the reviewing convenience, I will squash them before merging.

no motd ...

I spent a couple of hours on this before Christmas and wasn't able to set up MOTD on the builders. And then @xsuchy suggested it might be a good idea not having MOTD because of cases like if $(ssh ... cat foo|head -n1) == "foo". So I put in the instructions to run copr-builder help instead.

[praiskup]

if $(ssh ... cat foo|head -n1) == "foo"

But MOTD shouldn't affect stdout:

$ ssh batcave01.iad2.fedoraproject.org echo ahoj
ahoj

[praiskup]

jakub to ping pavel and take a look at motd problems..

[praiskup]

The implication here deserves an inline comment :-)

[praiskup]

Isn't it safer to return empty dict here?

[praiskup]

Nice!

[praiskup]

s/predicate/hasher/?

[praiskup]

You can drop the unused hasher argument I think.

[praiskup]

This seems damn awesome! :-) Can't wait for testing it.

[praiskup]

Small style issue:

[praiskup]

I'm a bit uncertain about the windows-like EOLs, in vim I see:

... praiskup.usersys.redhat.com^M

[praiskup]

I tried to drop .ssh/authorized_keys file - checking what happens :-) - and it just finished the otherwise succeeding build. Is this OK?

[praiskup]

I think we should document here that we must be especially careful about error handling; users may replace the echo or cat commands, and (in theory) cause damage to the backend machine. This deserves documenting IMO (here ore in a later PR).

[praiskup]

I'm thinking ... what if user replaces the remote side (server) rsync binary. Can that trick the backend to download some unwanted stuff?

Ideas?

[FrostyX]

This looks quite dangerous. Should we maybe verify some checksum of the binary, or something like that? Same for the cat commands mentioned above? But maybe that leads to the same issue (i.e. we can't be sure that the checksum tool wasn't tampered with)?

[praiskup]

Just a few comments above, otherwise it seems OK to squash and merge. The motd and other things can be done later.

[FrostyX]

Small style issue:

Do you want the instructions in the "SSH access to the builder" section to be indented to the right?

I'm a bit uncertain about the windows-like EOLs, in vim I see:
... praiskup.usersys.redhat.com^M

Hmm, I haven't encountered this. Where do you see the ^M characters?

[FrostyX]

Don't use run_expensive and check output length and/or timeout.

[FrostyX]

I couldn't use run because it doesn't return the output. So I kept run_expensive and added a timeout for it.

[FrostyX]

Small style issue:

I changed the style a bit.

[praiskup]

Thank you!