Diffstat (limited to 'scripts/testing/lib/testinfra.sh')
| -rw-r--r-- | scripts/testing/lib/testinfra.sh | 34 |
1 files changed, 20 insertions, 14 deletions
diff --git a/scripts/testing/lib/testinfra.sh b/scripts/testing/lib/testinfra.sh
index 0db0ec9..bfcd43a 100644
--- a/scripts/testing/lib/testinfra.sh
+++ b/scripts/testing/lib/testinfra.sh
@@ -32,20 +32,26 @@ run_testinfra_validation() {
 step "Running Testinfra validation sweep (advisory)"
- # Ephemeral keypair; authorize the pubkey in the VM over the existing channel.
- rm -f "$key" "$key.pub"
- if ! ssh-keygen -t ed25519 -N "" -q -f "$key"; then
- warn "testinfra: ssh-keygen failed - skipping"
- return 0
- fi
- if ! copy_to_vm "$key.pub" "/tmp/testinfra_key.pub" "$ROOT_PASSWORD"; then
- warn "testinfra: pubkey copy failed - skipping"
- return 0
- fi
- if ! vm_exec "$ROOT_PASSWORD" \
- "mkdir -p /root/.ssh && chmod 700 /root/.ssh && cat /tmp/testinfra_key.pub >> /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys"; then
- warn "testinfra: authorizing key in VM failed - skipping"
- return 0
+ # Prefer the root key the harness already authorized (inject_root_key). It
+ # survives the sshd prohibit-password hardening, so reuse it rather than
+ # authorizing a second key. Fall back to minting our own for standalone use.
+ if [ -n "${ROOT_SSH_KEY:-}" ] && [ -f "${ROOT_SSH_KEY}" ]; then
+ key="$ROOT_SSH_KEY"
+ else
+ rm -f "$key" "$key.pub"
+ if ! ssh-keygen -t ed25519 -N "" -q -f "$key"; then
+ warn "testinfra: ssh-keygen failed - skipping"
+ return 0
+ fi
+ if ! copy_to_vm "$key.pub" "/tmp/testinfra_key.pub" "$ROOT_PASSWORD"; then
+ warn "testinfra: pubkey copy failed - skipping"
+ return 0
+ fi
+ if ! vm_exec "$ROOT_PASSWORD" \
+ "mkdir -p /root/.ssh && chmod 700 /root/.ssh && cat /tmp/testinfra_key.pub >> /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys"; then
+ warn "testinfra: authorizing key in VM failed - skipping"
+ return 0
+ fi
 fi
 # ssh-config so testinfra connects key-only, no host-key prompt. |
