{Core} Migrate generate_ssh_keys from paramiko to cryptography
#30063
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
️✔️AzureCLI-FullTest
|
️✔️AzureCLI-BreakingChangeTest
|
Collaborator
|
Core |
microsoft-github-policy-service
bot
added
Auto-Assign
Member
Author
|
|
yonzhan
previously approved these changes
Oct 10, 2024
jiasli
changed the title
paramiko dependency from coregenerate_ssh_keys from paramiko to cryptography
jiasli
commented
Oct 10, 2024
|
|
||
|
|
||
| def _open(filename, mode): | ||
| return os.open(filename, flags=os.O_WRONLY | os.O_TRUNC | os.O_CREAT, mode=mode) |
Member
Author
There was a problem hiding this comment.
Setting file mode at creation time avoids the time gap between open and chmod. See #21719
3 tasks
jiasli
commented
Oct 24, 2024
Comment on lines
-66
to
-67
| except (PasswordRequiredException, SSHException, IOError) as e: | ||
| raise CLIError(e) |
Member
Author
There was a problem hiding this comment.
I don't feel the necessity of converting these errors to a CLIError. They should be propagated as it.
This also aligns with azure.cli.command_modules.vm._vm_utils.generate_ssh_keys_ed25519 (#30077):
azure-cli/src/azure-cli/azure/cli/command_modules/vm/_vm_utils.py
Lines 724 to 731 in 8b90393
jiasli
requested review from
bebound,
calvinhzy,
evelyn-ys,
jsntcy,
kairu-ms,
necusjz and
zhoxing-ms
as code owners
jiasli
commented
Oct 25, 2024
Comment on lines
-73
to
-88
| def test_error_raised_when_private_key_file_exists_IOError(self): | ||
| # Create private key file | ||
| private_key_path = self._create_new_temp_key_file(self.private_key) | ||
|
|
||
| with mock.patch('paramiko.RSAKey') as mocked_RSAKey: | ||
| # mock failed RSAKey generation | ||
| mocked_RSAKey.side_effect = IOError("Mocked IOError") | ||
|
|
||
| # assert that CLIError raised when generate_ssh_keys is called | ||
| with self.assertRaises(CLIError): | ||
| public_key_path = private_key_path + ".pub" | ||
| generate_ssh_keys(private_key_path, public_key_path) | ||
|
|
||
| # assert that CLIError raised because of attempt to generate key from private key file. | ||
| mocked_RSAKey.assert_called_once_with(filename=private_key_path) | ||
|
|
Member
Author
There was a problem hiding this comment.
As IOError is no longer caught, this test is meaningless.
zhoxing-ms
reviewed
Oct 25, 2024
| # -----END RSA PRIVATE KEY----- | ||
| private_bytes = private_key.private_bytes( | ||
| encoding=serialization.Encoding.PEM, | ||
| format=serialization.PrivateFormat.TraditionalOpenSSL, |
Contributor
There was a problem hiding this comment.
May I ask why we are using PrivateFormat.TraditionalOpenSSL instead of PrivateFormat.OpenSSH?
Member
Author
There was a problem hiding this comment.
Good question!
PrivateFormat.TraditionalOpenSSL will generate a private key file like:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
while PrivateFormat.OpenSSH will generate a private key file like
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
Using PrivateFormat.TraditionalOpenSSL makes sure there is no breaking change.
Contributor
|
@yanzhudd Could you please help review it as well and do some simple tests? |
yanzhudd
approved these changes
Oct 25, 2024
Contributor
yanzhudd
left a comment
yanzhudd
left a comment
There was a problem hiding this comment.
I used "az vm create" command to verify this command, and it did not generate any unexpected results.
evelyn-ys
approved these changes
Oct 25, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Migrate
generate_ssh_keysfromparamikotocryptography.https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/ contains some useful examples for working with RSA keys.