From 9c6f6043f086b247d5b996bcfff68bb8cd413fee Mon Sep 17 00:00:00 2001
From: James Rhodes
Date: Thu, 5 Dec 2013 08:17:23 +1100
Subject: [PATCH] Update preallocated hosts to use Passphrase credentials
Summary: Depends on D7695. This updates preallocated hosts to use Passphrase credentials. Due to the way SSH private key text credentials work (the TempFile disappears before SSH commands can be executed), this only supports file-based private keys at the moment.
Test Plan: Created a Passphrase credential for a file-based SSH key. Allocated a resource with:
```
bin/drydock create-resource --blueprint 1 --name "My Linux Host" --attributes platform=linux,host=localhost,port=22,path=/var/drydock,credential=2
```
and successfully leased it.
Reviewers: epriestley, #blessed_reviewers
Reviewed By: epriestley
CC: Korvin, epriestley, aran
Maniphest Tasks: T4111, T1049
Differential Revision: https://secure.phabricator.com/D7697
---
 ...reallocatedHostBlueprintImplementation.php | 7 ++--
 .../command/DrydockSSHCommandInterface.php | 40 +++++++++++--------
 2 files changed, 27 insertions(+), 20 deletions(-)
diff --git a/src/applications/drydock/blueprint/DrydockPreallocatedHostBlueprintImplementation.php b/src/applications/drydock/blueprint/DrydockPreallocatedHostBlueprintImplementation.php
index 03a381c3d6..c8f974973a 100644
--- a/src/applications/drydock/blueprint/DrydockPreallocatedHostBlueprintImplementation.php
+++ b/src/applications/drydock/blueprint/DrydockPreallocatedHostBlueprintImplementation.php
@@ -41,12 +41,12 @@ final class DrydockPreallocatedHostBlueprintImplementation
 // we have all the information we need.
 PhutilTypeSpec::checkMap(
 $resource->getAttributesForTypeSpec(
- array('platform', 'host', 'port', 'user', 'path')),
+ array('platform', 'host', 'port', 'credential', 'path')),
 array(
 'platform' => 'string',
 'host' => 'string',
 'port' => 'string', // Value is a string from the command line
- 'user' => 'string',
+ 'credential' => 'string',
 'path' => 'string',
 ));
 $v_platform = $resource->getAttribute('platform');
@@ -103,8 +103,7 @@ final class DrydockPreallocatedHostBlueprintImplementation
 ->setConfiguration(array(
 'host' => $resource->getAttribute('host'),
 'port' => $resource->getAttribute('port'),
- 'user' => $resource->getAttribute('user'),
- 'ssh-keyfile' => $resource->getAttribute('ssh-keyfile'),
+ 'credential' => $resource->getAttribute('credential'),
 'platform' => $resource->getAttribute('platform')));
 }
diff --git a/src/applications/drydock/interface/command/DrydockSSHCommandInterface.php b/src/applications/drydock/interface/command/DrydockSSHCommandInterface.php
index 5d981778cf..ab0dd94e3e 100644
--- a/src/applications/drydock/interface/command/DrydockSSHCommandInterface.php
+++ b/src/applications/drydock/interface/command/DrydockSSHCommandInterface.php
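Review bot: The `'credential' => 'string'` entry in the `checkMap` call only confirms that the attribute is a string; nothing in this hunk confirms that it is a numeric ID or that it names a credential of a type the SSH interface accepts. The command interface changed in this same commit throws for anything other than a private key file credential, so a resource with a bad value would pass this check and fail only when the first command runs. Consider loading the credential here and rejecting unsupported types, or at least documenting the expectation with a comment such as `// Passphrase credential ID (string from the command line); must be an SSH private key file credential`. The enclosing method starts and ends outside the hunk.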
@@ -22,23 +22,31 @@ final class DrydockSSHCommandInterface extends DrydockCommandInterface {
 // NOTE: The "-t -t" is for psuedo-tty allocation so we can "sudo" on some
 // systems, but maybe more trouble than it's worth?
- $keyfile = $this->getConfig('ssh-keyfile');
- if (!empty($keyfile)) {
- return new ExecFuture(
- 'ssh -t -t -o StrictHostKeyChecking=no -p %s -i %s %s@%s -- %s',
- $this->getConfig('port'),
- $this->getConfig('ssh-keyfile'),
- $this->getConfig('user'),
- $this->getConfig('host'),
- $full_command);
- } else {
- return new ExecFuture(
- 'ssh -t -t -o StrictHostKeyChecking=no -p %s %s@%s -- %s',
- $this->getConfig('port'),
- $this->getConfig('user'),
- $this->getConfig('host'),
- $full_command);
+ $credential = id(new PassphraseCredentialQuery())
+ ->setViewer(PhabricatorUser::getOmnipotentUser())
+ ->withIDs(array($this->getConfig('credential')))
+ ->needSecrets(true)
+ ->executeOne();
+
+ // FIXME: We can't use text-based SSH files here because the TempFile goes
+ // out of scope after this function ends and thus the file gets removed
+ // before it can be used.
+ if ($credential->getCredentialType() !==
+ PassphraseCredentialTypeSSHPrivateKeyFile::CREDENTIAL_TYPE) {
+ throw new Exception("Only private key file credentials are supported.");
 }
+
+ $ssh_key = PassphraseSSHKey::loadFromPHID(
+ $credential->getPHID(),
+ PhabricatorUser::getOmnipotentUser());
+
+ return new ExecFuture(
+ 'ssh -t -t -o StrictHostKeyChecking=no -p %s -i %s %s@%s -- %s',
+ $this->getConfig('port'),
+ $ssh_key->getKeyfileEnvelope()->openEnvelope(),
+ $credential->getUsername(),
+ $this->getConfig('host'),
+ $full_command);
 }
 }
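Review bot: The result of `executeOne()` is dereferenced by `$credential->getCredentialType()` with no null check, so a `credential` value that matches nothing (a mistyped or deleted ID, or presumably a resource created before this change that still carries `user`/`ssh-keyfile` and no `credential`) ends in a fatal error rather than a clear exception; add `if (!$credential) { throw new Exception("Unable to load the configured credential."); }` before the type check. Both the query and `PassphraseSSHKey::loadFromPHID` run as `PhabricatorUser::getOmnipotentUser()` with `needSecrets(true)`, so no policy check limits which credential a resource may name; unless everyone who can set resource attributes is already fully trusted, load it with a viewer tied to the blueprint or the requesting user. The unchanged `-o StrictHostKeyChecking=no` means the key is now offered to a host whose identity is never verified, which deserves at least a comment next to the format string. The method starts outside the hunk.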