Skip to content

SSH CA cert feature SAT-28038 #20453

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
lhellebr wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

SSH CA cert feature SAT-28038 #20453

lhellebr wants to merge 1 commit into from
+212 −1

Conversation

@lhellebr
Copy link
Contributor

@lhellebr lhellebr commented Dec 9, 2025

No description provided.

@lhellebr lhellebr requested a review from adamlazik1 December 9, 2025 14:41
@lhellebr lhellebr requested a review from a team as a code owner December 9, 2025 14:41
@lhellebr lhellebr added the No-CherryPick PR doesnt need CherryPick to previous branches label Dec 9, 2025
sourcery-ai[bot]
sourcery-ai bot reviewed Dec 9, 2025
View reviewed changes
Copy link
Contributor

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey there - I've reviewed your changes - here's some feedback:

  • In register_host, lce and cv are treated as objects with .id attributes but are initialized from cli_factory helpers (which usually return dict-like data); consider consistently using either dict keys or attributes (e.g. lce['id'] / cv['id']) to avoid type/attribute mismatches.
  • The three test_positive_ssh_ca_* tests share substantial setup and assertion logic (CA creation, host registration, invocation, and log checks); consider extracting common helpers/fixtures to reduce duplication and make intent clearer.
  • When constructing InstallerCommand for foreman_proxy_plugin_remote_execution_script_ssh_host_ca_public_key, you wrap the certificate value in extra quotes (f'"{host_ca_cert}"'); consider passing the raw value and letting InstallerCommand handle quoting to avoid subtle shell-escaping issues.
Prompt for AI Agents 
Please address the comments from this code review:

## Overall Comments
- In `register_host`, `lce` and `cv` are treated as objects with `.id` attributes but are initialized from `cli_factory` helpers (which usually return dict-like data); consider consistently using either dict keys or attributes (e.g. `lce['id']` / `cv['id']`) to avoid type/attribute mismatches.
- The three `test_positive_ssh_ca_*` tests share substantial setup and assertion logic (CA creation, host registration, invocation, and log checks); consider extracting common helpers/fixtures to reduce duplication and make intent clearer.
- When constructing `InstallerCommand` for `foreman_proxy_plugin_remote_execution_script_ssh_host_ca_public_key`, you wrap the certificate value in extra quotes (`f'"{host_ca_cert}"'`); consider passing the raw value and letting `InstallerCommand` handle quoting to avoid subtle shell-escaping issues.

## Individual Comments

### Comment 1
<location> `tests/foreman/destructive/test_remoteexecution.py:249-148` </location>
<code_context>
+    )
+
+
+def log_compare(satellite, host):
+    return host.execute(
+        f'[ $(( $(cat /root/saved_sshd_log) + 1 )) -eq $(journalctl -u sshd | grep {satellite.ip} | grep " CA " | wc -l) ]'
+    ).status
+
+
</code_context>

<issue_to_address>
**suggestion:** Clarify and/or assert more explicitly what `log_compare` is checking to avoid fragile log-count based assertions

This helper assumes `journalctl | grep {satellite.ip} | grep " CA " | wc -l` increases by exactly 1 between `log_save` and the job run, which is brittle: concurrent SSH activity in shared environments can match the same pattern, and log rotation/truncation can change counts independently of this test.

Please consider either matching a more specific pattern (e.g., including a unique test-run identifier) or parsing `journalctl` output and asserting that at least one new relevant line appears, rather than enforcing an exact count change. If you keep this approach, add a brief comment showing the expected `sshd` log line so the dependency is explicit.

Suggested implementation:

```python
def log_save(satellite, host):
    # We track sshd log entries for CA-based publickey auth from the satellite IP.
    # Expected log line (simplified example):
    #   "Accepted publickey for <user> from <satellite_ip> ... ssh2: RSA-CERT ID ... CA ..."
    host.execute(
        f'journalctl -u sshd | grep "{satellite.ip}" | grep "Accepted publickey" | grep " CA " | wc -l > /root/saved_sshd_log'
    )

```

```python
def log_compare(satellite, host):
    """Check that at least one new CA-based sshd log entry appears for the satellite since log_save().

    Compares the current count of sshd log lines matching:
        satellite.ip + "Accepted publickey" + " CA "
    with the count stored by log_save(). Returns the exit status of the check command
    (0 for success, non-zero for failure).
    """
    return host.execute(
        f'[ $(journalctl -u sshd | grep "{satellite.ip}" | grep "Accepted publickey" | grep " CA " | wc -l) -gt $(cat /root/saved_sshd_log) ]'
    ).status


from robottelo.config import get_credentials

```
</issue_to_address>
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@lhellebr lhellebr marked this pull request as draft December 10, 2025 12:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

@adamlazik1 adamlazik1 Awaiting requested review from adamlazik1

Assignees

@lhellebr lhellebr

Labels

Do Not Merge No-CherryPick PR doesnt need CherryPick to previous branches

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lhellebr