From 570ebbb8707e9f734f2eef9e37121dc760df640a Mon Sep 17 00:00:00 2001
From: Jonathan Doman
Date: Mon, 18 Oct 2021 14:38:45 -0700
Subject: Fix phosphor-deploy-ssh-keys.bbclass

The logic was broken due to lack of quotes around the semicolon delimiters inside subshell commands. It did not work for single keys nor multiple keys provided in SSH_KEYS. This commit adds proper quotes, and also refactors the loop a bit to reduce repeated commands, reduce indentation, and clarify variables.

Tested:
- Added INHERIT/SSH_KEYS to local.conf as described in script comments.
- Tested with 1 key: "root:/path/to/key.pub" and 2 keys "root:/path/to/key.pub;root:/path/to/key2.pub".
- Verified that in all cases keys were added to authorized_keys files exactly once by checking rootfs output: (build/tmp/work////rootfs/home/root/.ssh/authorized_keys)

Signed-off-by: Jonathan Doman
Change-Id: I58af4e8107daa6447b8276a66fc7c91e346c7dd5
---
.../classes/phosphor-deploy-ssh-keys.bbclass | 73 +++++++++++-----------
1 file changed, 37 insertions(+), 36 deletions(-)
(limited to 'meta-phosphor/classes')
diff --git a/meta-phosphor/classes/phosphor-deploy-ssh-keys.bbclass b/meta-phosphor/classes/phosphor-deploy-ssh-keys.bbclass
index a85d2ac2d..277a55c08 100644
--- a/meta-phosphor/classes/phosphor-deploy-ssh-keys.bbclass
+++ b/meta-phosphor/classes/phosphor-deploy-ssh-keys.bbclass
@@ -1,13 +1,16 @@
####
# Copyright 2020 Hewlett Packard Enterprise Development LP.
-#
+# Copyright 2021 Intel Corporation
#
# Add a basic class to add a privileged user from an ssh
# standpoint and a public key passed as an input parameter
# from the local.conf file
# Example:
# INHERIT += "phosphor-deploy-ssh-keys"
-# SSH_KEYS = "vejmarie:/home/openbmc/openbmc/meta-hpe/keys/test.pub;"
+#
+# SSH_KEYS = "vejmarie:/home/openbmc/openbmc/meta-hpe/keys/test.pub"
+# or
+# SSH_KEYS = "vejmarie:/home/openbmc/openbmc/meta-hpe/keys/test.pub;root:/path/to/id_rsa.pub"
####
inherit useradd_base
@@ -15,48 +18,46 @@ inherit useradd_base
IMAGE_PREPROCESS_COMMAND += "deploy_local_user;"
deploy_local_user () {
- if [ "${SSH_KEYS}" != "" ]; then
- group_settings="${SSH_KEYS}"
- current_setting=`echo $group_settings | cut -d ';' -f1`
- remaining=`echo $group_settings | cut -d ';' -f2-`
- while test "x$current_setting" != "x"; do
+ if [ "${SSH_KEYS}" == "" ]; then
+ bbwarn "Trying to deploy SSH keys but input variable is empty (SSH_KEYS)"
+ return
+ fi
- username=`echo ${SSH_KEYS} | awk -F":" '{ print $1}'`
- key_path=`echo ${SSH_KEYS} | awk -F":" '{ print $2}'`
+ ssh_keys="${SSH_KEYS}"
+ while [ "${ssh_keys}" != "" ]; do
+ current_key=`echo "$ssh_keys" | cut -d ';' -f1`
+ ssh_keys=`echo "$ssh_keys" | cut -s -d ';' -f2-`
- if [ ! -d ${IMAGE_ROOTFS}/home/${username} ]; then
- perform_useradd "${IMAGE_ROOTFS}" "-R ${IMAGE_ROOTFS} -p '' ${username}"
- fi
+ username=`echo "$current_key" | awk -F":" '{ print $1}'`
+ key_path=`echo "$current_key" | awk -F":" '{ print $2}'`
- if [ ! -d ${IMAGE_ROOTFS}/home/${username}.ssh/ ]; then
- install -d ${IMAGE_ROOTFS}/home/${username}/.ssh/
- fi
+ if [ ! -d ${IMAGE_ROOTFS}/home/${username} ]; then
+ perform_useradd "${IMAGE_ROOTFS}" "-R ${IMAGE_ROOTFS} -p '' ${username}"
+ fi
- if [ ! -f ${IMAGE_ROOTFS}/home/${username}/.ssh/authorized_keys ]; then
- install -m 0600 ${key_path} ${IMAGE_ROOTFS}/home/${username}/.ssh/authorized_keys
- else
- cat ${key_path} >> ${IMAGE_ROOTFS}/home/${username}/.ssh/authorized_keys
- fi
+ if [ ! -d ${IMAGE_ROOTFS}/home/${username}.ssh/ ]; then
+ install -d ${IMAGE_ROOTFS}/home/${username}/.ssh/
+ fi
- uid=`cat ${IMAGE_ROOTFS}/etc/passwd | grep "${username}:" | awk -F ":" '{print $3}'`
- guid=`cat ${IMAGE_ROOTFS}/etc/passwd | grep "${username}:" | awk -F ":" '{print $4}'`
+ if [ ! -f ${IMAGE_ROOTFS}/home/${username}/.ssh/authorized_keys ]; then
+ install -m 0600 ${key_path} ${IMAGE_ROOTFS}/home/${username}/.ssh/authorized_keys
+ else
+ cat ${key_path} >> ${IMAGE_ROOTFS}/home/${username}/.ssh/authorized_keys
+ fi
- chown -R ${uid}:${guid} ${IMAGE_ROOTFS}/home/${username}/.ssh
- chmod 600 ${IMAGE_ROOTFS}/home/${username}/.ssh/authorized_keys
- chmod 700 ${IMAGE_ROOTFS}/home/${username}/.ssh
+ uid=`cat ${IMAGE_ROOTFS}/etc/passwd | grep "${username}:" | awk -F ":" '{print $3}'`
+ guid=`cat ${IMAGE_ROOTFS}/etc/passwd | grep "${username}:" | awk -F ":" '{print $4}'`
- is_group=`grep "priv-admin" ${IMAGE_ROOTFS}/etc/group || true`
+ chown -R ${uid}:${guid} ${IMAGE_ROOTFS}/home/${username}/.ssh
+ chmod 600 ${IMAGE_ROOTFS}/home/${username}/.ssh/authorized_keys
+ chmod 700 ${IMAGE_ROOTFS}/home/${username}/.ssh
- if [ -z "${is_group}" ]; then
- perform_groupadd "${IMAGE_ROOTFS}" "-R ${IMAGE_ROOTFS} priv-admin"
- fi
+ is_group=`grep "priv-admin" ${IMAGE_ROOTFS}/etc/group || true`
- perform_usermod "${IMAGE_ROOTFS}" "-R ${IMAGE_ROOTFS} -a -G priv-admin ${username}"
+ if [ -z "${is_group}" ]; then
+ perform_groupadd "${IMAGE_ROOTFS}" "-R ${IMAGE_ROOTFS} priv-admin"
+ fi
- current_setting=`echo $remaining | cut -d ";" -f1`
- remaining=`echo $remaining | cut -d ';' -f2-`
- done
- else
- bbwarn "Trying to deploy SSH keys but input variable is empty (SSH_KEYS)"
- fi
+ perform_usermod "${IMAGE_ROOTFS}" "-R ${IMAGE_ROOTFS} -a -G priv-admin ${username}"
+ done
}
-- cgit v1.2.3
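Review bot: The new empty-input guard at the top of deploy_local_user uses `[ "${SSH_KEYS}" == "" ]`, and `==` is a bash extension that POSIX `test` rejects ("unexpected operator" under dash), so if this bitbake shell function is run by a plain /bin/sh the task aborts before any key is deployed; use `if [ "${SSH_KEYS}" = "" ]; then` (or `[ -z "${SSH_KEYS}" ]`). The uid/guid lookups grep `/etc/passwd` for `"${username}:"` unanchored, so a name that is a suffix of another account name (or that appears in a GECOS field) yields several lines and a malformed `chown -R ${uid}:${guid}`; `awk -F: -v u="${username}" '$1 == u { print $3 }' ${IMAGE_ROOTFS}/etc/passwd` selects the exact account. The carried-over test `-d ${IMAGE_ROOTFS}/home/${username}.ssh/` is missing the `/` before `.ssh`, so the check never succeeds and `install -d` always runs, which is harmless today but worth fixing while the block is being restructured. Lastly, `perform_useradd ... -p ''` appears to create the account with an empty password field rather than a locked one; since this class exists to enable key-based access, passing a locked value such as `-p '*'` (assuming perform_useradd evaluates its option string, as the quoting here implies) avoids shipping a password-less privileged account in the image.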