feat: adds ssh mode switching; production, maintenance, status and fa…

README.md

@@ -5,10 +5,11 @@ Because root and password login are disabled by default, the TDX machine can onl
 The meta-searcher layer appends:
 - searcher-ssh-key package to meta-confidential-compute layer's cvm-initramfs.bb
 - a new dropbear configuration to meta layer's dropbear that disables password logins
+- production, maintenance, status and failsafe ssh users that trigger mode switching wrapper scripts when logged into
 
 The meta-searcher layer is assigned priority = 30 to override configurations in other layers (meta-confidential-compute = 20).
 
-The searcher-ssh-key package creates the .ssh directory and adds the searcher's SSH pubkey to the authorized_keys file to the princess user.
+The searcher-ssh-key package creates the .ssh directory and adds the searcher's SSH pubkey to the authorized_keys file to the searcher user.
 The shell script is configured to run at the last stage of the init process. 
 
 Note: some local networking commands add a static IP to enable testing via qemu. 
@@ -32,4 +33,4 @@ runqemu cvm-image-azure wic nographic kvm ovmf qemuparams="-m 8G"
 ```
 ssh-keygen -f "/home/ubuntu/.ssh/known_hosts" -R "192.168.7.2"
 ssh -i ~/.ssh/id_rsa_princess [email protected]
-```
+```

recipes-core/images/cvm-initramfs.bbappend

@@ -1 +1 @@
-PACKAGE_INSTALL:append = " dropbear searcher-ssh-key ssh-pubkey-server su-restriction disk-encryption"
+PACKAGE_INSTALL:append = " dropbear searcher-ssh-key ssh-pubkey-server su-restriction disk-encryption production maintenance status failsafe"

recipes-core/ssh-mode-switch/failsafe.bb

@@ -0,0 +1,7 @@
+SUMMARY = "Adds failsafe mode user and script"
+DESCRIPTION = "Creates the failsafe mode user and sets up SSH access with the provided SSH key, limit's the user to execute the failsafe.sh wrapper script"
+
+require ssh-mode-switch.inc
+
+SSH_USER_ID = "1103"
+RDEPENDS:${PN} += "curl"

recipes-core/ssh-mode-switch/files/failsafe.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+echo "Curling failsafe..."
+curl http://go-bob-firewall:80/failsafe

recipes-core/ssh-mode-switch/files/maintenance.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+echo "Curling go-bob-firewall maintenance..."
+curl http://go-bob-firewall:80/firewall/maintenance

recipes-core/ssh-mode-switch/files/production.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+echo "Curling go-bob-firewall production..."
+curl http://go-bob-firewall:80/firewall/production

recipes-core/ssh-mode-switch/files/status.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+echo "Curling go-bob-firewall status..."
+curl http://go-bob-firewall:80/firewall/status

recipes-core/ssh-mode-switch/maintenance.bb

@@ -0,0 +1,7 @@
+SUMMARY = "Adds maintenance mode user and script"
+DESCRIPTION = "Creates the maintenance mode user and sets up SSH access with the provided SSH key, limit's the user to execute the maintenance.sh wrapper script"
+
+require ssh-mode-switch.inc
+
+SSH_USER_ID = "1101"
+RDEPENDS:${PN} += "curl"

recipes-core/ssh-mode-switch/production.bb

@@ -0,0 +1,7 @@
+SUMMARY = "Adds production mode user and script"
+DESCRIPTION = "Creates the production mode user and sets up SSH access with the provided SSH key, limit's the user to execute the production-mode.sh wrapper script"
+
+require ssh-mode-switch.inc
+
+SSH_USER_ID = "1100"
+RDEPENDS:${PN} += "curl"

recipes-core/ssh-mode-switch/ssh-mode-switch.inc

@@ -0,0 +1,65 @@
+# Generic SSH user setup include file
+# Required variables:
+# - SSH_USER: Username to create
+# - SSH_USER_ID: Numeric user ID
+# - SSH_USER_KEY: SSH public key for the user
+# Optional variables:
+# - SSH_USER_SHELL: Shell for the user (defaults to /bin/sh)
+# - SSH_USER_HOME: Home directory (defaults to /home/${SSH_USER})
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+inherit useradd
+
+SRC_URI = "file://${BPN}.sh"
+
+# Set defaults if not defined
+SSH_USER ?= "${PN}"
+SSH_USER_KEY ?= "${SEARCHER_SSH_KEY}"
+SSH_USER_SHELL ?= "/bin/${PN}"
+SSH_USER_HOME ?= "/home/${SSH_USER}"
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM:${PN} = "-m -d ${SSH_USER_HOME} -s ${SSH_USER_SHELL} -u ${SSH_USER_ID} ${SSH_USER}"
+
+python () {
+    # Check if SSH_USER_KEY is set in the environment or in local.conf
+    ssh_key = d.getVar('SSH_USER_KEY')
+
+    if ssh_key is None:
+        # If not set, check the original environment
+        origenv = d.getVar("BB_ORIGENV", False)
+        if origenv:
+            ssh_key = origenv.getVar('SSH_USER_KEY')
+
+    if ssh_key:
+        # If SSH_USER_KEY is set, keep its value
+        d.setVar('SSH_USER_KEY', ssh_key)
+    else:
+        # If SSH_USER_KEY is not set, raise an error
+        bb.fatal("SSH_USER_KEY must be set. Please provide an SSH public key.")
+}
+
+do_install () {
+    install -d ${D}${SSH_USER_HOME}/.ssh
+    echo "${SSH_USER_KEY}" > ${D}${SSH_USER_HOME}/.ssh/authorized_keys
+    chmod 700 ${D}${SSH_USER_HOME}/.ssh
+    chmod 600 ${D}${SSH_USER_HOME}/.ssh/authorized_keys
+    chown -R ${SSH_USER_ID}:${SSH_USER_ID} ${D}${SSH_USER_HOME}
+
+    # Set up .profile to source /etc/profile
+    echo '. /etc/profile' > ${D}${SSH_USER_HOME}/.profile
+    chmod 644 ${D}${SSH_USER_HOME}/.profile
+    chown ${SSH_USER_ID}:${SSH_USER_ID} ${D}${SSH_USER_HOME}/.profile
+
+    # set up wrapper script as user shell
+    install -d ${D}/bin
+    install -m 0555 ${WORKDIR}/${BPN}.sh ${D}${SSH_USER_SHELL}
+}
+
+FILES:${PN} = "${SSH_USER_HOME} \
+               ${SSH_USER_HOME}/.ssh \
+               ${SSH_USER_HOME}/.ssh/authorized_keys \
+               ${SSH_USER_HOME}/.profile \
+	       ${SSH_USER_SHELL}"

recipes-core/ssh-mode-switch/status.bb

@@ -0,0 +1,7 @@
+SUMMARY = "Adds status mode user and script"
+DESCRIPTION = "Creates the status mode user and sets up SSH access with the provided SSH key, limit's the user to execute the status.sh wrapper script"
+
+require ssh-mode-switch.inc
+
+SSH_USER_ID = "1102"
+RDEPENDS:${PN} += "curl"