Closed rickard-von-essen closed 8 years ago
Looking good. Just a few questions/comments above.
Is an OpenStack password guaranteed to be of type RSA? If not, we should probably have privateKey be of type crypto.PrivateKey. Then down in decryptPassword we can switch on the type of privateKey to figure out the correct decryption scheme.
The Nova CLI does:
openssl rsautl -decrypt -inkey <private_key>
Which I interpret as RSA only.
I did some more testing around non-RSA keys. openssl rsautl only works with RSA keys. There is nothing to stop you from uploading a pub key in OpenStack (Kilo) for ECDSA, but trying to use that when launching a Windows instance with it causes cloudbase-init to fail with:
2016-02-17 10:11:16.383 1388 ERROR cloudbaseinit.init [-] plugin 'SetUserPasswordPlugin' failed with error 'Invalid SSH key'
2016-02-17 10:11:16.383 1388 ERROR cloudbaseinit.init [-] Invalid SSH key
2016-02-17 10:11:16.383 1388 ERROR cloudbaseinit.init Traceback (most recent call last):
2016-02-17 10:11:16.383 1388 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\init.py", line 75, in _exec_plugin
2016-02-17 10:11:16.383 1388 ERROR cloudbaseinit.init shared_data)
2016-02-17 10:11:16.383 1388 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\plugins\common\setuserpassword.py", line 163, in execute
2016-02-17 10:11:16.383 1388 ERROR cloudbaseinit.init self._set_metadata_password(password, service)
2016-02-17 10:11:16.383 1388 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\plugins\common\setuserpassword.py", line 96, in _set_metadata_password
2016-02-17 10:11:16.383 1388 ERROR cloudbaseinit.init password)
2016-02-17 10:11:16.383 1388 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\plugins\common\setuserpassword.py", line 62, in _encrypt_password
2016-02-17 10:11:16.383 1388 ERROR cloudbaseinit.init with cm.load_ssh_rsa_public_key(ssh_pub_key) as rsa:
2016-02-17 10:11:16.383 1388 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\utils\crypt.py", line 153, in load_ssh_rsa_public_key
2016-02-17 10:11:16.383 1388 ERROR cloudbaseinit.init raise CryptException('Invalid SSH key')
2016-02-17 10:11:16.383 1388 ERROR cloudbaseinit.init cloudbaseinit.utils.crypt.CryptException: Invalid SSH key
2016-02-17 10:11:16.383 1388 ERROR cloudbaseinit.init
And no password is set.
So I guess my conclusion is that the OpenStack Nova CLI and cloudbase-init currently don't support anything other than RSA.
@jrperritt What do you say, speculatively implement support for other encryption algorithms or leave it as it is?
Thanks for testing. It looks like just RSA is allowed, so I think what you have is fine.
For the failing TravisCI build, I think just adding
// +build fixtures
to the top of results_test.go
should fix it.
That didn't help. For some reason it won't go get golang.org/x/crypto/ssh.
If you can pull down and push the updated .travis.yaml to this PR, I think that should work.
OK, it looks like it works for Go versions >= 1.4. +2
Add support to get an encrypted administrative password for a server through a GET on:
/v2.1/{tenant_id}/servers/{server_id}/os-server-password
optionally decrypting the password if a private key is supplied. The same operation with the OpenStack CLI is done with:
nova get-password <server_id> [private_key.pem]
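The following is an added illustration of the decryption step described above, not code from this PR or from the project: it parses the JSON body returned by the os-server-password call and decrypts the base64 ciphertext with the same scheme `openssl rsautl -decrypt` uses (RSA with PKCS#1 v1.5 padding). Following the suggestion in the review, it accepts a crypto.PrivateKey and switches on the concrete type, so a non-RSA key (the ECDSA case found in testing) produces a clear error rather than being passed to an RSA routine. The function names, and the encryptForMetadata helper that stands in for what cloudbase-init does on the guest so the example has realistic input offline, are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// passwordResponse mirrors the JSON body returned by
// GET /v2.1/{tenant_id}/servers/{server_id}/os-server-password.
type passwordResponse struct {
	Password string `json:"password"`
}

// encryptForMetadata stands in for what cloudbase-init does on the guest:
// encrypt the generated admin password with the instance's RSA public key
// using PKCS#1 v1.5 padding and base64-encode the result. It exists only so
// this example can construct realistic input offline (hypothetical helper).
func encryptForMetadata(pub *rsa.PublicKey, password string) (string, error) {
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, []byte(password))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// decryptPassword takes the base64 ciphertext from the os-server-password
// response and a private key of any type. It switches on the concrete key
// type so that a non-RSA key yields a clear error instead of a panic.
func decryptPassword(encrypted string, key crypto.PrivateKey) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encrypted)
	if err != nil {
		return "", fmt.Errorf("password is not valid base64: %w", err)
	}
	switch k := key.(type) {
	case *rsa.PrivateKey:
		// Same scheme as `openssl rsautl -decrypt`: PKCS#1 v1.5 padding.
		pt, err := rsa.DecryptPKCS1v15(rand.Reader, k, ct)
		if err != nil {
			return "", fmt.Errorf("rsa decryption failed: %w", err)
		}
		return string(pt), nil
	default:
		return "", fmt.Errorf("unsupported private key type %T: only RSA keys are supported", key)
	}
}

// passwordFromResponse parses the raw JSON body and decrypts it when a key is
// supplied; with a nil key it returns the still-encrypted value unchanged,
// matching the "optionally decrypting" behaviour of the API call.
func passwordFromResponse(body []byte, key crypto.PrivateKey) (string, error) {
	var resp passwordResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", err
	}
	if key == nil {
		return resp.Password, nil
	}
	return decryptPassword(resp.Password, key)
}

func main() {
	// Constructed sample: a fresh RSA key pair and a made-up password.
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	enc, _ := encryptForMetadata(&rsaKey.PublicKey, "Constructed-Pa55w0rd")
	body, _ := json.Marshal(passwordResponse{Password: enc})

	pw, err := passwordFromResponse(body, rsaKey)
	fmt.Println(pw, err)

	// An ECDSA key is rejected up front rather than fed to the RSA routine.
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	_, err = passwordFromResponse(body, ecKey)
	fmt.Println(err)
}
```

Keeping the type switch even though only RSA is currently accepted costs nothing and turns a mismatched key into a diagnosable error message; a future key type would be added as another case rather than by changing the function signature.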