Azure · dongsupark · Mar 18, 2024 · Mar 14, 2024 · Mar 14, 2024 · Mar 15, 2024
diff --git a/libazureinit/src/distro.rs b/libazureinit/src/distro.rs
@@ -1,9 +1,7 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
-use std::io::Write;
 use std::process::Command;
-use std::process::Stdio;
 
 pub trait Distribution {
     fn create_user(
@@ -60,32 +58,11 @@ impl Distribution for Distributions {
                         Err(err) => return Err(err.to_string()),
                     };
                 } else {
-                    let input = format!("{}:{}", username, password);
-
-                    let mut output = Command::new("chpasswd")
-                        .stdin(Stdio::piped())
-                        .stdout(Stdio::null())
-                        .stderr(Stdio::inherit())
-                        .spawn()
-                        .expect("Failed to run chpasswd.");
-
-                    let mut stdin =
-                        output.stdin.as_ref().ok_or("Failed to open stdin")?;
-
-                    stdin.write_all(input.as_bytes()).map_err(|error| {
-                        format!("Failed to write to stdin: {}", error)
-                    })?;
-
-                    let status = output.wait().map_err(|error| {
-                        format!("Failed to wait for stdin command: {}", error)
-                    })?;
-
-                    if !status.success() {
-                        return Err(format!(
-                            "Chpasswd command failed with exit code {}",
-                            status.code().unwrap_or(-1)
-                        ));
-                    }
+                    // creating user with a non-empty password is not allowed.
+                    return Err(
+                        "Failed to create user with non-empty password"
+                            .to_string(),
+                    );
                 }
 
                 Ok(0)

diff --git a/libazureinit/src/imds.rs b/libazureinit/src/imds.rs
@@ -80,7 +80,7 @@ pub fn get_hostname(
     Ok(hostname)
 }
 
-pub fn get_provision_with_password(
+pub fn is_password_authentication_disabled(
     imds_body: &str,
 ) -> Result<bool, Box<dyn std::error::Error>> {
     let data: Value = serde_json::from_str(imds_body)
@@ -101,7 +101,8 @@ pub fn get_provision_with_password(
 #[cfg(test)]
 mod tests {
     use super::{
-        get_hostname, get_provision_with_password, get_ssh_keys, get_username,
+        get_hostname, get_ssh_keys, get_username,
+        is_password_authentication_disabled,
     };
 
     #[test]
@@ -210,37 +211,10 @@ mod tests {
         }"#
         .to_string();
 
-        let provision_with_password = get_provision_with_password(&file_body)
-            .expect("Failed to interpret disablePasswordAuthentication.");
+        let provision_with_password =
+            is_password_authentication_disabled(&file_body)
+                .expect("Failed to interpret disablePasswordAuthentication.");
 
         assert_eq!(provision_with_password, true);
     }
-
-    #[test]
-    fn test_provision_with_password_false() {
-        let file_body = r#"
-        {
-            "compute": {
-              "azEnvironment": "cloud_env",
-              "customData": "",
-              "evictionPolicy": "",
-              "isHostCompatibilityLayerVm": "false",
-              "licenseType": "",
-              "location": "eastus",
-              "name": "AzTux-MinProvAgent-Test-0001",
-              "offer": "0001-com-ubuntu-server-focal",
-              "osProfile": {
-                "adminUsername": "MinProvAgentUser",
-                "computerName": "AzTux-MinProvAgent-Test-0001",
-                "disablePasswordAuthentication": "false"
-              }
-            }
-        }"#
-        .to_string();
-
-        let provision_with_password = get_provision_with_password(&file_body)
-            .expect("Failed to interpret disablePasswordAuthentication.");
-
-        assert_eq!(provision_with_password, false);
-    }
 }
diff --git a/libazureinit/src/media.rs b/libazureinit/src/media.rs
@@ -5,9 +5,7 @@ use std::fs;
 use std::fs::create_dir_all;
 use std::fs::File;
 use std::io::Read;
-use std::io::Write;
 use std::os::unix::fs::PermissionsExt;
-use std::process::Command;
 
 use serde::Deserialize;
 use serde_xml_rs::from_str;
@@ -66,28 +64,6 @@ fn default_preprov_type() -> String {
     "None".to_owned()
 }
 
-pub fn mount_media() {
-    let _mount_media = Command::new("mount")
-        .arg("-o")
-        .arg("ro")
-        .arg("/dev/sr0")
-        .arg("/run/azure-init/tmp/")
-        .status()
-        .expect("Failed to execute mount command.");
-}
-
-pub fn remove_media() {
-    let _unmount_media = Command::new("umount")
-        .arg("/run/azure-init/tmp/")
-        .status()
-        .expect("Failed to execute unmount command.");
-
-    let _eject_media = Command::new("eject")
-        .arg("/dev/sr0")
-        .status()
-        .expect("Failed to execute eject command.");
-}
-
 pub fn make_temp_directory() -> Result<(), Box<dyn std::error::Error>> {
     let file_path = "/run/azure-init/tmp/";
 
@@ -129,25 +105,6 @@ pub fn parse_ovf_env(
     Ok(environment)
 }
 
-pub fn allow_password_authentication() -> Result<(), Box<dyn std::error::Error>>
-{
-    let file_path = "/etc/ssh/sshd_config.d/40-azure-init.conf";
-    let password_authentication = "PasswordAuthentication yes";
-
-    let mut file =
-        File::create(file_path).expect("Unable to create sshd_config file.");
-    file.write_all(password_authentication.as_bytes())
-        .expect("Unable to write to sshd_config file.");
-
-    let _restart_ssh = Command::new("systemctl")
-        .arg("restart")
-        .arg("ssh")
-        .status()
-        .expect("Failed to execute restart ssh command.");
-
-    Ok(())
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;

diff --git a/src/main.rs b/src/main.rs
@@ -10,6 +10,38 @@ use libazureinit::{
 
 const VERSION: &str = env!("CARGO_PKG_VERSION");
 
+fn get_username(
+    imds_body: String,
+) -> Result<String, Box<dyn std::error::Error>> {
+    if imds::is_password_authentication_disabled(&imds_body).map_err(|_| {
+        "Failed to get disable password authentication".to_string()
+    })? {
+        // password authentication is disabled
+        match imds::get_username(imds_body.clone()) {
+            Ok(username) => Ok(username),
+            Err(_err) => Err("Failed to get username".into()),
+        }
+    } else {
+        // password authentication is enabled
+        let ovf_body = media::read_ovf_env_to_string().unwrap();
+        let environment = media::parse_ovf_env(ovf_body.as_str()).unwrap();
+
+        if !environment
+            .provisioning_section
+            .linux_prov_conf_set
+            .password
+            .is_empty()
+        {
+            return Err("password is non-empty".into());
+        }
+
+        Ok(environment
+            .provisioning_section
+            .linux_prov_conf_set
+            .username)
+    }
+}
+
 #[tokio::main]
 async fn main() {
     let mut default_headers = header::HeaderMap::new();
@@ -29,48 +61,17 @@ async fn main() {
         Err(_err) => return,
     };
 
-    let provision_with_password = imds::get_provision_with_password(&imds_body);
-    let disable_authentication = match provision_with_password {
-        Ok(disable_authentication) => disable_authentication,
+    let username = match get_username(imds_body.clone()) {
+        Ok(res) => res,
         Err(_err) => return,
     };
 
-    let username;
-    let mut password = "".to_owned();
-
-    if !disable_authentication {
-        media::make_temp_directory().unwrap();
-
-        media::mount_media();
-
-        let ovf_body = media::read_ovf_env_to_string().unwrap();
-        let environment = media::parse_ovf_env(ovf_body.as_str()).unwrap();
-
-        username = environment
-            .provisioning_section
-            .linux_prov_conf_set
-            .username;
-        password = environment
-            .provisioning_section
-            .linux_prov_conf_set
-            .password;
-
-        let _ = media::allow_password_authentication();
-
-        media::remove_media();
-    } else {
-        let username_result = imds::get_username(imds_body.clone());
-        username = match username_result {
-            Ok(username) => username,
-            Err(_err) => return,
-        };
-    }
-
     let mut file_path = "/home/".to_string();
     file_path.push_str(username.as_str());
 
+    // always pass an empty password
     Distributions::from("ubuntu")
-        .create_user(username.as_str(), password.as_str())
+        .create_user(username.as_str(), "")
         .expect("Failed to create user");
     let _create_directory =
         user::create_ssh_directory(username.as_str(), &file_path).await;

diff --git a/tests/functional_tests.rs b/tests/functional_tests.rs
@@ -67,18 +67,6 @@ async fn main() {
 
     println!("User {} was successfully created", username.as_str());
 
-    println!();
-    println!(
-        "Attempting to create user {} with password",
-        username.as_str()
-    );
-
-    Distributions::from("ubuntu")
-        .create_user("test_user_2", "azureProvisioningAgentPassword")
-        .expect("Failed to create user");
-
-    println!("User {} was successfully created", username.as_str());
-
     println!();
     println!("Attempting to create user's SSH directory");