kitchen-oci 1.28.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 56fb93970dffa638ea0fe9d0f731618cdef737f6174edf7e138fda037217dcbb
-  data.tar.gz: 66ee4bef763c835c93077ae53527bf83ddaa65ec4493098830bb92caa515ab29
+  metadata.gz: 106a6d1ccf47752842daaddc79bc644b71bb5ff27da42f1bf30e4271aa2fb946
+  data.tar.gz: 50d21fcc7ab88eb9af0546f3d97c62798621967b96c3190b5ceceee3548c1923
 SHA512:
-  metadata.gz: d0c9ed658be5c469223f4d5a6a4aeba1fbc9a77f09f0972cc6d1b2c9394a7fc19da039b45799dbfbfaf2ddd8125e2766ceb89c66b3572a144a53c0fec2a66e91
-  data.tar.gz: aac64963fb6ef43b1d2768e21d44cea2b84ac60d42c6ee260bdfeb31ebdc0b295f358d823a7c943109c562d906218cfa79552225edb48dbdb6289c08524edeb3
+  metadata.gz: cbd4b274c32c38bdb2203fc53ca2218aad402c917c969343bfe05d27436d13be6195399469b30163c3127fe343f4f43d29a6fe2b87f20f233f639dc5b5a0c20c
+  data.tar.gz: 4405307075b1181534c5f55630fd48b76f05ec0c920b8366049c57c71ec4be2e264956a70b274490e1c3b3dc5de38f81f59c739b7526e213ef67bedb5746c77f

data/lib/kitchen/driver/oci/instance/compute.rb

@@ -81,13 +81,6 @@ module Kitchen
             )
           end
 
-          # Adds the instance options property to the launch details.
-          def instance_options
-            return if config[:instance_options].empty?
-
-            launch_details.instance_options = OCI::Core::Models::InstanceOptions.new(config[:instance_options])
-          end
-
           # Adds the source_details property to the launch_details for an instance that is being created from a boot volume.
           def instance_source_via_boot_volume
             return unless config[:boot_volume_id]

data/lib/kitchen/driver/oci/instance/dbaas.rb

@@ -69,7 +69,7 @@ module Kitchen
           end
 
           # Adds the ssh_public_keys property to the launch_details.
-          def pubkey
+          def ssh_public_keys
             result = []
             result << read_public_key
             launch_details.ssh_public_keys = result

data/lib/kitchen/driver/oci/instance.rb

@@ -28,8 +28,10 @@ module Kitchen
         require_relative "models/compute"
         require_relative "models/dbaas"
         require_relative "instance/common"
+        require_relative "mixin/ssh_keys"
 
         include CommonLaunchDetails
+        include Mixin::SshKeys
 
         def initialize(opts = {})
           super()
@@ -97,59 +99,6 @@ module Kitchen
           !subnet.prohibit_public_ip_on_vnic
         end
 
-        # Returns the location of the public ssh key.
-        #
-        # @return [String]
-        def public_key_file
-          if config[:ssh_keygen]
-            "#{config[:kitchen_root]}/.kitchen/.ssh/#{config[:instance_name]}_rsa.pub"
-          else
-            config[:ssh_keypath]
-          end
-        end
-
-        # Returns the name of the private key file.
-        #
-        # @return [String]
-        def private_key_file
-          public_key_file.gsub(".pub", "")
-        end
-
-        # Generates an RSA key pair to be used to SSH to the instance and updates the state with the full path to the private key.
-        def gen_key_pair
-          FileUtils.mkdir_p("#{config[:kitchen_root]}/.kitchen/.ssh")
-          rsa_key = OpenSSL::PKey::RSA.new(4096)
-          write_private_key(rsa_key)
-          write_public_key(rsa_key)
-          state.store(:ssh_key, private_key_file)
-        end
-
-        # Writes the private key.
-        #
-        # @param rsa_key [OpenSSL::PKey::RSA] the generated RSA key.
-        def write_private_key(rsa_key)
-          File.open(private_key_file, "wb") { |k| k.write(rsa_key.to_pem) }
-          File.chmod(0600, private_key_file)
-        end
-
-        # Writes the encoded private key as a public key.
-        #
-        # @param rsa_key [OpenSSL::PKey::RSA] the generated RSA key.
-        def write_public_key(rsa_key)
-          File.open(public_key_file, "wb") { |k| k.write("ssh-rsa #{encode_private_key(rsa_key)} #{config[:instance_name]}") }
-          File.chmod(0600, public_key_file)
-        end
-
-        # Encodes the private key.
-        #
-        # @param rsa_key [OpenSSL::PKey::RSA] the generated RSA key.
-        def encode_private_key(rsa_key)
-          prefix = "#{[7].pack("N")}ssh-rsa"
-          exponent = rsa_key.e.to_s(0)
-          modulus = rsa_key.n.to_s(0)
-          ["#{prefix}#{exponent}#{modulus}"].pack("m0")
-        end
-
         # Generates a random password.
         #
         # @param special_chars [Array] an array of special characters to include in the random password.

data/lib/kitchen/driver/oci/mixin/actions.rb

@@ -25,6 +25,17 @@ module Kitchen
         #
         # @author Justin Steele <justin.steele@oracle.com>
         module Actions
+          # Creates the OCI config and API clients.
+          #
+          # @param action [Symbol] the name of the method that called this method.
+          # @return [Oci::Config, Oci::Api]
+          def auth(action)
+            oci = Oci::Config.new(config)
+            api = Oci::Api.new(oci.config, config)
+            oci.compartment if action == :create
+            [oci, api]
+          end
+
           # Launches an instance.
           #
           # @param state [Hash] (see Kitchen::StateFile)
@@ -33,6 +44,8 @@ module Kitchen
             state_details = inst.launch
             state.merge!(state_details)
             instance.transport.connection(state).wait_until_ready
+            instance_options(state, inst)
+            are_legacy_imds_endpoints_disbled?(state, inst)
           end
 
           # Executes the post script on the instance.
@@ -68,6 +81,36 @@ module Kitchen
             end
           end
 
+          # Applies instance options.
+          #
+          # @param state [Hash] (see Kitchen::StateFile)
+          # @param inst [Class] the specific class of instance being rebooted.
+          def instance_options(state, inst)
+            return unless instance_options?
+
+            inst.logger.info("Applying the following instance options:")
+            config[:instance_options].each { |o, v| inst.logger.info("- #{o}: #{v}") }
+            inst.api.compute.update_instance(state[:server_id], OCI::Core::Models::UpdateInstanceDetails.new(instance_options: OCI::Core::Models::InstanceOptions.new(config[:instance_options])))
+          end
+
+          # Attempts to disable IMDSv1 even if not explicitly specified in the config. This is in line with current security guidance from OCI.
+          # Acts as a guard for setting instance options.
+          def instance_options?
+            return false unless config[:instance_type] == "compute"
+
+            config[:instance_options].merge!(are_legacy_imds_endpoints_disabled: true) unless config[:instance_options].key?(:are_legacy_imds_endpoints_disabled)
+            # Basically tell me if there's more stuff in there than `are_legacy_imds_endpoints_disabled: false`. If so, then proceed to setting it.
+            config[:instance_options].reject { |o, v| o == :are_legacy_imds_endpoints_disabled && !v }.any?
+          end
+
+          # Checks if legacy metadata is disabled.
+          def are_legacy_imds_endpoints_disbled?(state, inst)
+            return unless config[:instance_type] == "compute"
+
+            imds = inst.api.compute.get_instance(state[:server_id]).data.instance_options.are_legacy_imds_endpoints_disabled
+            inst.logger.warn("Legacy IMDSv1 endpoint is enabled.") unless imds
+          end
+
           # Reboots an instance.
           #
           # @param state [Hash] (see Kitchen::StateFile)

data/lib/kitchen/driver/oci/mixin/ssh_keys.rb

@@ -0,0 +1,212 @@
+# frozen_string_literal: true
+
+#
+# Author:: Justin Steele (<justin.steele@oracle.com>)
+#
+# Copyright (C) 2025, Stephen Pearson
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Kitchen
+  module Driver
+    class Oci
+      module Mixin
+        # SSH key generation mixins.
+        #
+        # @author Justin Steele <justin.steele@oracle.com>
+        module SshKeys
+          # Read in the public ssh key.
+          #
+          # @return [String]
+          def read_public_key
+            if config[:ssh_keygen]
+              logger.info("Generating public/private #{config[:ssh_keytype]} key pair")
+              generate_keys
+            end
+            File.readlines(public_key_file).first.chomp
+          end
+
+          # The location of the private ssh key.
+          #
+          # @return [String]
+          def private_key_file
+            public_key_file.gsub(".pub", "")
+          end
+
+          # The location of the public ssh key.
+          #
+          # @return [String]
+          def public_key_file
+            if config[:ssh_keygen]
+              "#{config[:kitchen_root]}/.kitchen/.ssh/#{config[:instance_name]}_#{config[:ssh_keytype]}.pub"
+            else
+              config[:ssh_keypath]
+            end
+          end
+
+          # Algorithm used when encoding the private and public keys.
+          #
+          # @return [String]
+          def algorithm
+            "ssh-#{config[:ssh_keytype]}"
+          end
+
+          # Generates the public/private key pair in the format specified in the config.
+          def generate_keys
+            FileUtils.mkdir_p("#{config[:kitchen_root]}/.kitchen/.ssh")
+            extend SshKeys.const_get(config[:ssh_keytype].upcase)
+            generate_key_pair
+          end
+
+          # Mixins required to generate a RSA key pair.
+          #
+          # @author Justin Steele <justin.steele@oracle.com>
+          module RSA
+            # Generates an RSA key pair to be used to SSH to the instance and updates the state with the full path to the private key.
+            def generate_key_pair
+              rsa_key = OpenSSL::PKey::RSA.new(4096)
+              write_private_key(rsa_key)
+              write_public_key(rsa_key)
+              state.store(:ssh_key, private_key_file)
+            end
+
+            # Writes the private key.
+            #
+            # @param rsa_key [OpenSSL::PKey::RSA] the generated RSA key.
+            def write_private_key(rsa_key)
+              File.open(private_key_file, "wb") { |k| k.write(rsa_key.to_pem) }
+              File.chmod(0600, private_key_file)
+            end
+
+            # Writes the encoded private key as a public key.
+            #
+            # @param rsa_key [OpenSSL::PKey::RSA] the generated RSA key.
+            def write_public_key(rsa_key)
+              public_key = ["#{[7].pack("N")}#{algorithm}#{rsa_key.e.to_s(0)}#{rsa_key.n.to_s(0)}"].pack("m0")
+              File.open(public_key_file, "wb") { |k| k.write("#{algorithm} #{public_key} #{config[:instance_name]}") }
+              File.chmod(0600, public_key_file)
+            end
+          end
+
+          # Mixins required to generate a ED25519 key pair.
+          #
+          # @author Justin Steele <justin.steele@oracle.com>
+          module ED25519
+            require "ed25519"
+            require "securerandom" unless defined?(SecureRandom)
+
+            # Generates an ED25519 key pair to be used to SSH to the instance and updates the state with the full path to the private key.
+            def generate_key_pair
+              signing_key = Ed25519::SigningKey.generate
+              private_seed = signing_key.to_bytes
+              public_key = signing_key.verify_key.to_bytes
+              write_private_key(public_key, private_seed)
+              write_public_key(public_key)
+              state.store(:ssh_key, private_key_file)
+            end
+
+            # Packs a string as SSH “string” (4-byte len + bytes).
+            #
+            # @param str [String] the portion of the key being packed.
+            # @return [String]
+            def pack_string(str)
+              [str.bytesize].pack("N") + str
+            end
+
+            # Writes the encoded private key.
+            #
+            # @param public_key [String] the byte representation of the <code>Ed25519::VerifyKey</code>.
+            # @param private_seed [String] the byte representation of the <code>Ed25519::SigningKey</code>.
+            def write_private_key(public_key, private_seed)
+              private_key = encode_private_key(public_key, private_seed)
+              File.open(private_key_file, "w") { |f| f.write(private_key) }
+              File.chmod(0600, private_key_file)
+            end
+
+            # Writes the encoded public key.
+            #
+            # @param public_key [String] the byte representation of the <code>Ed25519::VerifyKey</code>.
+            def write_public_key(public_key)
+              pub_key = encode_public_key(public_key)
+              File.open(public_key_file, "w") { |f| f.write(pub_key) }
+              File.chmod(0600, public_key_file)
+            end
+
+            # Encodes the private key.
+            #
+            # @param public_key [String] the byte representation of the <code>Ed25519::VerifyKey</code>.
+            # @param private_seed [String] the byte representation of the <code>Ed25519::SigningKey</code>.
+            # @return [String]
+            def encode_private_key(public_key, private_seed)
+              buf  = header(public_key)
+              priv = private_section(public_key, private_seed)
+              padlen = (-priv.bytesize) & 7
+              priv << (1..padlen).to_a.pack("C*")
+              buf << pack_string(priv)
+              b64 = Base64.strict_encode64(buf).scan(/.{1,70}/).join("\n")
+              "-----BEGIN OPENSSH PRIVATE KEY-----\n#{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
+            end
+
+            # "openssh-key-v1" header: magic, cipher/kdf, nkeys, and the public key blob(s).
+            #
+            # @param public_key [String] the byte representation of the <code>Ed25519::VerifyKey</code>.
+            # @return [String]
+            def header(public_key)
+              [
+                "openssh-key-v1\0",
+                pack_string("none"),  # ciphername
+                pack_string("none"),  # kdfname
+                pack_string(""),      # kdfoptions
+                [1].pack("N"),        # nkeys
+                pack_string(pub_blob(public_key)),
+              ].join
+            end
+
+            # Correct private section: checkints, key fields, comment, padding
+            #
+            # @param public_key [String] the byte representation of the <code>Ed25519::VerifyKey</code>.
+            # @param private_seed [String] the byte representation of the <code>Ed25519::SigningKey</code>.
+            # @return [String]
+            def private_section(public_key, private_seed)
+              checkint = SecureRandom.random_number(2**32)
+              [
+                [checkint, checkint].pack("N*"),
+                pack_string(algorithm),
+                pack_string(public_key),
+                pack_string(private_seed + public_key),
+                pack_string(config[:instance_name] || ""),
+              ].join
+            end
+
+            # Encodes the public key.
+            #
+            # @param public_key [String] the byte representation of the <code>Ed25519::VerifyKey</code>.
+            # @return [String]
+            def encode_public_key(public_key)
+              blob = [algorithm.bytesize].pack("N") + algorithm + [public_key.bytesize].pack("N") + public_key
+              [algorithm, Base64.strict_encode64(blob), config[:instance_name]].compact.join(" ")
+            end
+
+            # SSH public key blob: string keytype + string key (32 bytes).
+            #
+            # @param public_key [String] the byte representation of the <code>Ed25519::VerifyKey</code>.
+            # @return [String]
+            def pub_blob(public_key)
+              pack_string(algorithm) + pack_string(public_key)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/kitchen/driver/oci/models/compute.rb

@@ -210,23 +210,12 @@ module Kitchen
             )
           end
 
-          # Read in the public ssh key.
-          #
-          # @return [String]
-          def pubkey
-            if config[:ssh_keygen]
-              logger.info("Generating public/private rsa key pair")
-              gen_key_pair
-            end
-            File.readlines(public_key_file).first.chomp
-          end
-
           # Add our special sauce to the instance metadata to be executed by cloud-init.
           def metadata
             md = {}
             inject_powershell
             config[:custom_metadata]&.each { |k, v| md.store(k, v) }
-            md.store("ssh_authorized_keys", pubkey) unless config[:setup_winrm]
+            md.store("ssh_authorized_keys", read_public_key) unless config[:setup_winrm]
             md.store("user_data", user_data) if user_data?
             md
           end

data/lib/kitchen/driver/oci/models/dbaas.rb

@@ -111,17 +111,6 @@ module Kitchen
           def long_hostname_suffix
             [random_string(25 - hostname_prefix.length), random_string(3)].compact.join("-")
           end
-
-          # Read in the public ssh key.
-          #
-          # @return [String]
-          def read_public_key
-            if config[:ssh_keygen]
-              logger.info("Generating public/private rsa key pair")
-              gen_key_pair
-            end
-            File.readlines(public_key_file).first.chomp
-          end
         end
       end
     end

data/lib/kitchen/driver/oci/validations.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+#
+# Author:: Justin Steele (<justin.steele@oracle.com>)
+#
+# Copyright (C) 2025, Stephen Pearson
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Kitchen
+  module Driver
+    class Oci
+      # Execute the defined config validations
+      #
+      # @param message [String] the message to be output to explain the validation.
+      # @param driver [Kitchen::Driver] the instance of the driver.
+      # @raise [UserError]
+      def self.validation_error(message, driver)
+        raise UserError, "#{driver.class}<#{driver.instance.name}>#config#{message}"
+      end
+
+      # Coerces config values to standardized formats.
+      #
+      # @param instance [Kitchen::Instance]
+      def finalize_config!(instance)
+        super
+        %i{instance_type ssh_keytype}.each do |k|
+          config[k] = config[k].downcase
+        end
+      end
+
+      validations[:instance_type] = lambda do |attr, val, driver|
+        validation_error("[:#{attr}] #{val} is not a valid instance_type. must be either compute or dbaas.", driver) unless %w{compute dbaas}.include?(val.downcase)
+      end
+
+      validations[:nsg_ids] = lambda do |attr, val, driver|
+        unless val.nil?
+          validation_error("[:#{attr}] list cannot be longer than 5 items", driver) if val.length > 5
+        end
+      end
+
+      validations[:volumes] = lambda do |attr, val, driver|
+        val.each do |vol_attr|
+          unless ["iscsi", "paravirtual", nil].include?(vol_attr[:type])
+            validation_error("[:#{attr}][:type] #{vol_attr[:type]} is not a valid volume type for #{vol_attr[:name]}", driver)
+          end
+        end
+      end
+
+      validations[:ssh_keytype] = lambda do |attr, val, driver|
+        validation_error("[:#{attr}] #{val} is not a supported ssh key type.", driver) unless %w{rsa ed25519}.include?(val.downcase)
+      end
+    end
+  end
+end

data/lib/kitchen/driver/oci.rb

@@ -34,10 +34,15 @@ module Kitchen
     # @author Stephen Pearson <stephen.pearson@oracle.com>
     class Oci < Kitchen::Driver::Base
       require_relative "oci_version"
+      require_relative "oci/validations"
       require_relative "oci/mixin/actions"
       require_relative "oci/mixin/models"
       require_relative "oci/mixin/volumes"
 
+      include Kitchen::Driver::Oci::Mixin::Actions
+      include Kitchen::Driver::Oci::Mixin::Models
+      include Kitchen::Driver::Oci::Mixin::Volumes
+
       plugin_version Kitchen::Driver::OCI_VERSION
       kitchen_driver_api_version 2
 
@@ -66,6 +71,7 @@ module Kitchen
       default_keypath = File.expand_path(File.join(%w{~ .ssh id_rsa.pub}))
       default_config :ssh_keypath, default_keypath
       default_config :ssh_keygen, false
+      default_config :ssh_keytype, "rsa"
       default_config :post_create_script, nil
       default_config :proxy_url, nil
       default_config :user_data, nil
@@ -95,28 +101,6 @@ module Kitchen
       # dbaas configs
       default_config :dbaas, {}
 
-      validations[:instance_type] = lambda do |attr, val, driver|
-        validation_error("[:#{attr}] #{val} is not a valid instance_type. must be either compute or dbaas.", driver) unless %w{compute dbaas}.include?(val.downcase)
-      end
-
-      validations[:nsg_ids] = lambda do |attr, val, driver|
-        unless val.nil?
-          validation_error("[:#{attr}] list cannot be longer than 5 items", driver) if val.length > 5
-        end
-      end
-
-      validations[:volumes] = lambda do |attr, val, driver|
-        val.each do |vol_attr|
-          unless ["iscsi", "paravirtual", nil].include?(vol_attr[:type])
-            validation_error("[:#{attr}][:type] #{vol_attr[:type]} is not a valid volume type for #{vol_attr[:name]}", driver)
-          end
-        end
-      end
-
-      def self.validation_error(message, driver)
-        raise UserError, "#{driver.class}<#{driver.instance.name}>#config#{message}"
-      end
-
       # Creates an instance.
       # (see Kitchen::Driver::Base#create)
       #
@@ -145,23 +129,6 @@ module Kitchen
         detatch_and_delete_volumes(state, oci, api)
         terminate(state, inst)
       end
-
-      private
-
-      include Kitchen::Driver::Oci::Mixin::Actions
-      include Kitchen::Driver::Oci::Mixin::Models
-      include Kitchen::Driver::Oci::Mixin::Volumes
-
-      # Creates the OCI config and API clients.
-      #
-      # @param action [Symbol] the name of the method that called this method.
-      # @return [Oci::Config, Oci::Api]
-      def auth(action)
-        oci = Oci::Config.new(config)
-        api = Oci::Api.new(oci.config, config)
-        oci.compartment if action == :create
-        [oci, api]
-      end
     end
   end
 end

data/lib/kitchen/driver/oci_version.rb

@@ -22,6 +22,6 @@ module Kitchen
     # Version string for Oracle OCI Kitchen driver
     #
     # @author Stephen Pearson (<stephen.pearson@oracle.com>)
-    OCI_VERSION = "1.28.0"
+    OCI_VERSION = "2.1.0"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kitchen-oci
 version: !ruby/object:Gem::Version
-  version: 1.28.0
+  version: 2.1.0
 platform: ruby
 authors:
 - Stephen Pearson
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2025-05-22 00:00:00.000000000 Z
+date: 2025-10-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: oci
@@ -39,6 +39,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: ed25519
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -144,11 +158,13 @@ files:
 - lib/kitchen/driver/oci/instance/dbaas.rb
 - lib/kitchen/driver/oci/mixin/actions.rb
 - lib/kitchen/driver/oci/mixin/models.rb
+- lib/kitchen/driver/oci/mixin/ssh_keys.rb
 - lib/kitchen/driver/oci/mixin/volumes.rb
 - lib/kitchen/driver/oci/models/compute.rb
 - lib/kitchen/driver/oci/models/dbaas.rb
 - lib/kitchen/driver/oci/models/iscsi.rb
 - lib/kitchen/driver/oci/models/paravirtual.rb
+- lib/kitchen/driver/oci/validations.rb
 - lib/kitchen/driver/oci_version.rb
 - tpl/setup_winrm.ps1.erb
 homepage: https://github.com/stephenpearson/kitchen-oci