Connect to Arc Servers (Azure#3929)

* Moving SSHArc changes from private repo to the public repo * Fix linter exclusions * Added license header to constants file * Fixed the local user parameter options for the config command * Changed --local-user-name to --local-user for the config command * Host for arc servers on config is not rg-vm instead of just vm
Sneezry · Oct 13, 2021 · 78264f6 · 78264f6
1 parent a25ce5c
commit 78264f6
Show file tree

Hide file tree

Showing 41 changed files with 10,366 additions and 158 deletions.
diff --git a/linter_exclusions.yml b/linter_exclusions.yml
@@ -2120,6 +2120,11 @@ ssh vm:
     ssh_args:
       rule_exclusions:
         - no_positional_parameters
+ssh arc:
+  parameters:
+    ssh_args:
+      rule_exclusions:
+        - no_positional_parameters
 storage account create:
   parameters:
     hierarchical_namespace:

diff --git a/src/ssh/HISTORY.md b/src/ssh/HISTORY.md
@@ -1,5 +1,11 @@
 Release History
 ===============
+0.1.7
+-----
+* Add support for connecting to Arc Servers using AAD issued certificates.
+* Add support for connecting to local users on Azure VMs and Arc Server using certs-based, key-based, and password-based authentication
+* Add --ssh-client-path, --resource-id, --local-user, --cert-file, and --delete-privkey arguments.
+
 0.1.6
 -----
 * Add support for direct MSAL usage in newer Azure CLI (beta currently)
@@ -41,4 +47,4 @@ Release History
 
 0.1.0
 -----
-* Initial release.
+* Initial release.
diff --git a/src/ssh/azext_ssh/_client_factory.py b/src/ssh/azext_ssh/_client_factory.py
@@ -0,0 +1,36 @@
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+
+
+def cf_connectedmachine_cl(cli_ctx, *_):
+    from azure.cli.core.commands.client_factory import get_mgmt_service_client
+    from azext_ssh.vendored_sdks.connectedmachine import ConnectedMachine
+    return get_mgmt_service_client(cli_ctx,
+                                   ConnectedMachine)
+
+
+def cf_machine(cli_ctx, *_):
+    return cf_connectedmachine_cl(cli_ctx).machines
+
+
+def cf_machine_extension(cli_ctx, *_):
+    return cf_connectedmachine_cl(cli_ctx).machine_extensions
+
+
+def cf_private_link_scope(cli_ctx, *_):
+    return cf_connectedmachine_cl(cli_ctx).private_link_scopes
+
+
+def cf_private_link_resource(cli_ctx, *_):
+    return cf_connectedmachine_cl(cli_ctx).private_link_resources
+
+
+def cf_private_endpoint_connection(cli_ctx, *_):
+    return cf_connectedmachine_cl(cli_ctx).private_endpoint_connections
diff --git a/src/ssh/azext_ssh/_help.py b/src/ssh/azext_ssh/_help.py
@@ -7,17 +7,18 @@
 
 helps['ssh'] = """
     type: group
-    short-summary: SSH into resources (Azure VMs, etc) using AAD issued openssh certificates
+    short-summary: SSH into resources (Azure VMs, Arc servers, etc) using AAD issued openssh certificates.
 """
 
 helps['ssh vm'] = """
     type: command
-    short-summary: SSH into Azure VMs using an ssh certificate
+    short-summary: SSH into Azure VMs or Arc Servers.
+    long-summary: Users can now login using AAD issued certificates or using local user credentials. We recommend login using AAD issued certificates as azure automatically rotate SSH CA keys. To SSH as a local user in the target machine, you must provide the local user name using the --local-user argument.
     examples:
-        - name: Give a resource group and VM to SSH to
+        - name: Give a resource group and VM to SSH using AAD issued certificates
           text: |
-            az ssh vm --resource-group myResourceGroup --vm-name myVm
-        - name: Give the public IP (or hostname) of a VM to SSH to
+            az ssh vm --resource-group myResourceGroup --vm-name myVM
+        - name: Give the public IP (or hostname) of a VM to SSH to SSH using AAD issued certificates
           text: |
             az ssh vm --ip 1.2.3.4
             az ssh vm --hostname example.com
@@ -27,6 +28,18 @@
         - name: Using additional ssh arguments
           text: |
             az ssh vm --ip 1.2.3.4 -- -A -o ForwardX11=yes
+        - name: Give the Resource ID of a VM to SSH using AAD issued certificates. Using the resource ID to identify the target machine is useful when there is an Azure VM and a Arc Server with the same name in the same resource group.
+          text: |
+            az ssh vm --resource-id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM
+        - name: Give a local user name to SSH using local user credentials on the target machine using certificate based authentication.
+          text: |
+            az ssh vm --local-user username --ip 1.2.3.4 --certificate-file cert.pub --private-key key
+        - name: Give a local user name to SSH using local user credentials on the target machine using key based authentication.
+          text: |
+            az ssh vm --local-user username --resource-group myResourceGroup --vm-name myVM --private-key-file key
+        - name: Give a local user name to SSH using local user credentials on the target machine using password based authentication.
+          text: |
+            az ssh vm --local-user username --resource-id /subscriptions/mySubsription/resourceGroups/myResourceGroup/providers/Microsoft.HybridCompute/machines/myArcServer
 """
 
 helps['ssh config'] = """
@@ -63,3 +76,28 @@
           text: |
             az ssh cert --public-key-file ./id_rsa.pub --file ./id_rsa-aadcert.pub
 """
+
+helps['ssh arc'] = """
+    type: command
+    short-summary: SSH into Azure Arc Servers
+    long-summary: Users can now login using AAD issued certificates or using local user credentials. We recommend login using AAD issued certificates as azure automatically rotate SSH CA keys. To SSH as a local user in the target machine, you must provide the local user name using the --local-user argument.
+    examples:
+        - name: Give a resource group and Arc Server Name to SSH using AAD issued certificates
+          text: |
+            az ssh arc --resource-group myResourceGroup --vm-name myArcServer
+        - name: Give the Resource ID of an Arc Server to SSH using AAD issued certificates
+          text: |
+            az ssh arc --resource-id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.HybridCompute/machines/myArcServer
+        - name: Using a custom private key file
+          text: |
+            az ssh arc --resource-group myResourceGroup --vm-name myArcServer --private-key-file key --public-key-file key.pub
+        - name: Give a local user name to SSH to a local user using certificate-based authentication
+          text: |
+            az ssh arc  --resource-group myResourceGroup --vm-name myArcServer --certificate-file cert.pub --private-key key --local-user name
+        - name: Give a local user name to SSH to a local user using key-based authentication
+          text: |
+            az ssh arc --resource-group myRG --vm-name myVM --local-user name --private-key-file key
+        - name: Give a local user name to SSH to a local user using password-based authentication
+          text: |
+            az ssh arc --resource-id /subscriptions/mySubsription/resourceGroups/myRG/providers/Microsoft.HybridCompute/machines/myArcServer --local-user username
+"""
diff --git a/src/ssh/azext_ssh/_params.py b/src/ssh/azext_ssh/_params.py
@@ -10,25 +10,58 @@ def load_arguments(self, _):
         c.argument('vm_name', options_list=['--vm-name', '--name', '-n'], help='The name of the VM')
         c.argument('ssh_ip', options_list=['--ip', '--hostname'],
                    help='The public (or reachable private) IP address (or hostname) of the VM')
+        c.argument('resource_id', options_list=['--resource-id'], help='The Resource ID of the Azure VM or Arc Server')
         c.argument('public_key_file', options_list=['--public-key-file', '-p'], help='The RSA public key file path')
         c.argument('private_key_file', options_list=['--private-key-file', '-i'], help='The RSA private key file path')
         c.argument('use_private_ip', options_list=['--prefer-private-ip'],
                    help='Will prefer private IP.  Requires connectivity to the private IP.')
+        c.argument('local_user', options_list=['--local-user'],
+                   help='The username for a local user')
+        c.argument('cert_file', options_list=['--certificate-file', '-c'],
+                   help='Path to a certificate file used for authentication when using local user credentials.')
         c.argument('port', options_list=['--port'], help='SSH port')
+        c.argument('ssh_client_path', options_list=['--ssh-client-path'],
+                   help='Path to ssh executable. Default to ssh pre-installed if not provided.')
+        c.argument('delete_privkey', options_list=['--delete-private-key'],
+                   help=('This is an internal argument. This argument is used by Azure Portal to provide a one click '
+                         'SSH login experience in Cloud shell.'),
+                   deprecate_info=c.deprecate(hide=True), action='store_true')
         c.positional('ssh_args', nargs='*', help='Additional arguments passed to OpenSSH')
 
     with self.argument_context('ssh config') as c:
         c.argument('config_path', options_list=['--file', '-f'], help='The file path to write the SSH config to')
         c.argument('vm_name', options_list=['--vm-name', '--name', '-n'], help='The name of the VM')
         c.argument('ssh_ip', options_list=['--ip'], help='The public IP address (or hostname) of the VM')
+        c.argument('resource_id', options_list=['--resource-id'], help='The Resource ID of the Azure VM or Arc Server')
         c.argument('public_key_file', options_list=['--public-key-file', '-p'], help='The RSA public key file path')
         c.argument('private_key_file', options_list=['--private-key-file', '-i'], help='The RSA private key file path')
         c.argument('use_private_ip', options_list=['--prefer-private-ip'],
                    help='Will use a private IP if available. By default only public IPs are used.')
+        c.argument('local_user', options_list=['--local-user'],
+                   help='The username for a local user')
         c.argument('overwrite', action='store_true', options_list=['--overwrite'],
                    help='Overwrites the config file if this flag is set')
+        c.argument('port', options_list=['--port'], help='Port to connect to on the remote host.')
+        c.argument('cert_file', options_list=['--certificate-file', '-c'], help='Path to certificate file')
 
     with self.argument_context('ssh cert') as c:
         c.argument('cert_path', options_list=['--file', '-f'],
                    help='The file path to write the SSH cert to, defaults to public key path with -aadcert.pub appened')
         c.argument('public_key_file', options_list=['--public-key-file', '-p'], help='The RSA public key file path')
+
+    with self.argument_context('ssh arc') as c:
+        c.argument('vm_name', options_list=['--vm-name', '--name', '-n'], help='The name of the Arc Server')
+        c.argument('public_key_file', options_list=['--public-key-file', '-p'], help='The RSA public key file path')
+        c.argument('private_key_file', options_list=['--private-key-file', '-i'], help='The RSA private key file path')
+        c.argument('local_user', options_list=['--local-user'],
+                   help='The username for a local user')
+        c.argument('cert_file', options_list=['--certificate-file', '-c'], help='Path to certificate file')
+        c.argument('resource_id', options_list=['--resource-id'], help='The Resource ID of the Arc Server')
+        c.argument('port', options_list=['--port'], help='Port to connect to on the remote host.')
+        c.argument('ssh_client_path', options_list=['--ssh-client-path'],
+                   help='Path to ssh executable. Default to ssh pre-installed if not provided.')
+        c.argument('delete_privkey', options_list=['--delete-private-key'],
+                   help=('This is an internal argument. This argument is used by Azure Portal to provide a one click '
+                         'SSH login experience in Cloud shell.'),
+                   deprecate_info=c.deprecate(hide=True), action='store_true')
+        c.positional('ssh_args', nargs='*', help='Additional arguments passed to OpenSSH')
diff --git a/src/ssh/azext_ssh/commands.py b/src/ssh/azext_ssh/commands.py
@@ -10,3 +10,4 @@ def load_command_table(self, _):
         g.custom_command('vm', 'ssh_vm')
         g.custom_command('config', 'ssh_config')
         g.custom_command('cert', 'ssh_cert')
+        g.custom_command('arc', 'ssh_arc')
diff --git a/src/ssh/azext_ssh/constants.py b/src/ssh/azext_ssh/constants.py
@@ -0,0 +1,10 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+CLIENT_PROXY_VERSION = "1.3.017131"
+CLIENT_PROXY_RELEASE = "release10-09-21"
+CLIENT_PROXY_STORAGE_URL = "https://sshproxysa.blob.core.windows.net"
+CLEANUP_TOTAL_TIME_LIMIT_IN_SECONDS = 120
+CLEANUP_TIME_INTERVAL_IN_SECONDS = 10