Clean up ssh pubkey handling

First pass was a bit shoddy. Now, we:

  * fail gracefully if new api keys are found
  * add all api keys as originally intended

Additionally, pruned some dead code paths that clippy started to find.
Thanks, clippy!

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Innisfree changelog
 
+## 0.2.16 (in progress)
+
+* Bugfix: add all API pubkeys, not just the first
+* Dev only: don't error out on tests if no API key is present
+* Dev only: prune unused fields from structs (thanks, clippy!)
+
 ## 0.2.15
 
 * Add all pre-existing SSH pubkeys from DO account to server

TODO.md

@@ -43,6 +43,9 @@
 * [x] SSH commands don't seem to report failure
 * [x] Wire up floating ip
 * [x] Wg command should fail
+* [x] Tests should not error without API!
+- [x] SSH pubkey lookup should fail gracefully
+- [x] SSH pubkey lookup should merge all keys, not just the first, from API
 
 ## Dev QOL
 * [x] Support local ip service forwarding (i.e. no-proxy)

src/error.rs

@@ -15,5 +15,6 @@ custom_error! {pub InnisfreeError
     IpNetAssignment{source: ipnet::AddrParseError} = "Failed to find unclaimed IP address",
     IpAddrAssignment{source: std::net::AddrParseError} = "Failed to find unclaimed IP address",
     ApiError{source: serde_json::Error} = "Could not parse JSON from API response",
+    ConfigError{source: std::env::VarError} = "DigitalOcean API token not set",
     Unknown = "unknown error",
 }

src/manager.rs

@@ -10,8 +10,7 @@ use tokio::signal;
 #[derive(Debug)]
 pub struct InnisfreeManager {
     pub services: Vec<ServicePort>,
-    dest_ip: IpAddr,
-    floating_ip: Option<String>,
+    // dest_ip: IpAddr,
     pub server: InnisfreeServer,
     pub name: String,
     pub wg: WireguardManager,
@@ -28,8 +27,7 @@ impl InnisfreeManager {
         Ok(InnisfreeManager {
             name: tunnel_name.to_owned(),
             services: server.services.to_vec(),
-            dest_ip: "127.0.0.1".parse().unwrap(),
-            floating_ip: None,
+            // dest_ip: "127.0.0.1".parse().unwrap(),
             server,
             wg,
         })

src/server/cloudinit.rs

@@ -74,11 +74,22 @@ pub async fn generate_user_data(
     };
     cloud_config.write_files.push(nginx);
 
-    let acct_auth_keys = get_all_keys().await?;
-    cloud_config.users[0].ssh_authorized_keys = vec![
-        ssh_client_keypair.public.to_string(),
-        acct_auth_keys[0].public_key.to_owned(),
-    ];
+    // Build list of pubkeys to add to cloudinit. There may be no keys
+    // returned from the API, e.g. during testing. That's fine,
+    // we'll just use the one we generated.
+    let mut cloud_config_ssh_keys = vec![ssh_client_keypair.public.to_string()];
+    match get_all_keys().await {
+        Ok(r) => {
+            for k in r {
+                cloud_config_ssh_keys.extend(vec![k.public_key.to_owned()]);
+            }
+        }
+        Err(e) => {
+            warn!("No SSH pubkeys found via API: {}", e);
+        }
+    }
+
+    cloud_config.users[0].ssh_authorized_keys = cloud_config_ssh_keys;
 
     let cc_rendered: String = serde_yaml::to_string(&cloud_config).unwrap();
     let cc_rendered_no_header = &cc_rendered.as_bytes()[4..];

src/server/mod.rs

@@ -40,9 +40,9 @@ pub struct InnisfreeServer {
     pub services: Vec<ServicePort>,
     pub ssh_client_keypair: SshKeypair,
     pub ssh_server_keypair: SshKeypair,
-    wg_mgr: WireguardManager,
+    // wg_mgr: WireguardManager,
     droplet: Droplet,
-    name: String,
+    // name: String,
 }
 
 impl InnisfreeServer {
@@ -62,9 +62,9 @@ impl InnisfreeServer {
             services,
             ssh_client_keypair,
             ssh_server_keypair,
-            wg_mgr,
+            // wg_mgr,
             droplet,
-            name: name.to_string(),
+            // name: name.to_string(),
         })
     }
     pub fn ipv4_address(&self) -> IpAddr {
@@ -89,7 +89,7 @@ impl InnisfreeServer {
 #[derive(Debug, Deserialize)]
 struct Droplet {
     id: u32,
-    name: String,
+    // name: String,
     status: String,
     networks: HashMap<String, Vec<HashMap<String, String>>>,
     // The API takes a list, but we only care about 1 key,

src/server/ssh_key.rs

@@ -18,7 +18,7 @@ pub struct DigitalOceanSshKey {
 }
 
 pub async fn get_all_keys() -> Result<Vec<DigitalOceanSshKey>, InnisfreeError> {
-    let api_key = env::var("DIGITALOCEAN_API_TOKEN").expect("DIGITALOCEAN_API_TOKEN not set.");
+    let api_key = env::var("DIGITALOCEAN_API_TOKEN")?;
     let request_url = DO_API_BASE_URL.to_owned() + "/account/keys";
     let client = reqwest::Client::new();
     debug!("Fetching SSH account public keys");

src/wg.rs

@@ -90,13 +90,13 @@ impl WireguardDevice {
 #[derive(Debug, Clone)]
 pub struct WireguardManager {
     pub wg_local_ip: IpAddr,
-    wg_local_name: String,
-    wg_local_host: WireguardHost,
+    // wg_local_name: String,
+    // wg_local_host: WireguardHost,
     pub wg_local_device: WireguardDevice,
 
     pub wg_remote_ip: IpAddr,
-    wg_remote_name: String,
-    wg_remote_host: WireguardHost,
+    // wg_remote_name: String,
+    // wg_remote_host: WireguardHost,
     pub wg_remote_device: WireguardDevice,
 }
 
@@ -128,25 +128,25 @@ impl WireguardManager {
         };
 
         let wg_local_device = WireguardDevice {
-            name: wg_local_name.to_owned(),
+            name: wg_local_name,
             interface: wg_local_host.clone(),
             peer: wg_remote_host.clone(),
         };
         let wg_remote_device = WireguardDevice {
-            name: wg_remote_name.to_owned(),
-            interface: wg_remote_host.clone(),
-            peer: wg_local_host.clone(),
+            name: wg_remote_name,
+            interface: wg_remote_host,
+            peer: wg_local_host,
         };
 
         Ok(WireguardManager {
             wg_local_ip,
-            wg_local_name,
-            wg_local_host,
+            // wg_local_name,
+            // wg_local_host,
             wg_local_device,
 
             wg_remote_ip,
-            wg_remote_name,
-            wg_remote_host,
+            // wg_remote_name,
+            // wg_remote_host,
             wg_remote_device,
         })
     }