feat(instance): get rdp password and decrypt it (#3680)

Codelax · web-flow · commit a66ee3dfef47 · 2024-06-06T09:09:26.000Z
diff --git a/cmd/scw/testdata/test-all-usage-instance-server-get-rdp-password-usage.golden b/cmd/scw/testdata/test-all-usage-instance-server-get-rdp-password-usage.golden
@@ -0,0 +1,20 @@
+🎲🎲🎲 EXIT CODE: 0 🎲🎲🎲
+🟥🟥🟥 STDERR️️ 🟥🟥🟥️
+Get your server rdp and decrypt it using your ssh key
+
+USAGE:
+  scw instance server get-rdp-password <server-id ...> [arg=value ...]
+
+ARGS:
+  server-id             Server ID to connect to
+  [key=~/.ssh/id_rsa]   Path of the SSH key used to decrypt the rdp password
+  [zone=fr-par-1]       Zone to target. If none is passed will use default zone from the config
+
+FLAGS:
+  -h, --help   help for get-rdp-password
+
+GLOBAL FLAGS:
+  -c, --config string    The path to the config file
+  -D, --debug            Enable debug mode
+  -o, --output string    Output format: json or human, see 'scw help output' for more info (default "human")
+  -p, --profile string   The config profile to use
diff --git a/cmd/scw/testdata/test-all-usage-instance-server-usage.golden b/cmd/scw/testdata/test-all-usage-instance-server-usage.golden
@@ -19,6 +19,7 @@ AVAILABLE COMMANDS:
   detach-volume    Detach a volume from its server
   enable-routed-ip Migrate server to IP mobility
   get              Get an Instance
+  get-rdp-password Get your server rdp and decrypt it using your ssh key
   list             List all Instances
   list-actions     List Instance actions
   reboot           Reboot server
diff --git a/docs/commands/instance.md b/docs/commands/instance.md
@@ -60,6 +60,7 @@ This API allows you to manage your Instances.
   - [Detach a volume from its server](#detach-a-volume-from-its-server)
   - [Migrate server to IP mobility](#migrate-server-to-ip-mobility)
   - [Get an Instance](#get-an-instance)
+  - [Get your server rdp and decrypt it using your ssh key](#get-your-server-rdp-and-decrypt-it-using-your-ssh-key)
   - [List all Instances](#list-all-instances)
   - [List Instance actions](#list-instance-actions)
   - [Reboot server](#reboot-server)
@@ -1922,6 +1923,27 @@ scw instance server get 94ededdf-358d-4019-9886-d754f8a2e78d
 
 
 
+### Get your server rdp and decrypt it using your ssh key
+
+
+
+**Usage:**
+
+```
+scw instance server get-rdp-password <server-id ...> [arg=value ...]
+```
+
+
+**Args:**
+
+| Name |   | Description |
+|------|---|-------------|
+| server-id | Required | Server ID to connect to |
+| key | Default: `~/.ssh/id_rsa` | Path of the SSH key used to decrypt the rdp password |
+| zone | Default: `fr-par-1` | Zone to target. If none is passed will use default zone from the config |
+
+
+
 ### List all Instances
 
 List all Instances in a specified Availability Zone, e.g. `fr-par-1`.
diff --git a/internal/namespaces/instance/v1/custom.go b/internal/namespaces/instance/v1/custom.go
@@ -193,6 +193,7 @@ func GetCommands() *core.Commands {
 		sshConfigInstallCommand(),
 		sshListKeysCommand(),
 		sshRemoveKeyCommand(),
+		instanceServerGetRdpPassword(),
 	))
 
 	return cmds
diff --git a/internal/namespaces/instance/v1/custom_server_rdp.go b/internal/namespaces/instance/v1/custom_server_rdp.go
@@ -0,0 +1,151 @@
+package instance
+
+import (
+	"context"
+	"crypto/rsa"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+
+	iam "github.com/scaleway/scaleway-sdk-go/api/iam/v1alpha1"
+	"github.com/scaleway/scaleway-sdk-go/api/instance/v1"
+	"golang.org/x/crypto/ssh"
+
+	"github.com/scaleway/scaleway-cli/v2/internal/core"
+	"github.com/scaleway/scaleway-cli/v2/internal/interactive"
+	"github.com/scaleway/scaleway-sdk-go/scw"
+)
+
+type instanceServerGetRdpPasswordRequest struct {
+	ServerID string
+	Zone     scw.Zone
+	Key      string
+}
+
+func instanceServerGetRdpPassword() *core.Command {
+	return &core.Command{
+		Short:     `Get your server rdp and decrypt it using your ssh key`,
+		Namespace: "instance",
+		Verb:      "get-rdp-password",
+		Resource:  "server",
+		ArgsType:  reflect.TypeOf(instanceServerGetRdpPasswordRequest{}),
+		ArgSpecs: core.ArgSpecs{
+			{
+				Name:       "server-id",
+				Short:      "Server ID to connect to",
+				Required:   true,
+				Positional: true,
+			},
+			{
+				Name:  "key",
+				Short: "Path of the SSH key used to decrypt the rdp password",
+				Default: func(ctx context.Context) (value string, doc string) {
+					homeDir := core.ExtractUserHomeDir(ctx)
+					return filepath.Join(homeDir, ".ssh/id_rsa"), "~/.ssh/id_rsa"
+				},
+			},
+			core.ZoneArgSpec(),
+		},
+		Run: instanceServerGetRdpPasswordRun,
+	}
+}
+
+func instanceServerGetRdpPasswordRun(ctx context.Context, argsI interface{}) (i interface{}, e error) {
+	args := argsI.(*instanceServerGetRdpPasswordRequest)
+
+	if strings.HasPrefix(args.Key, "~") {
+		args.Key = strings.Replace(args.Key, "~", core.ExtractUserHomeDir(ctx), 1)
+	}
+
+	rawKey, err := os.ReadFile(args.Key)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read private key file: %w", err)
+	}
+
+	privateKey, err := parsePrivateKey(ctx, rawKey)
+	if err != nil {
+		return nil, err
+	}
+
+	rsaKey, isRSA := privateKey.(*rsa.PrivateKey)
+	if !isRSA {
+		return nil, fmt.Errorf("expected rsa private key, got %s", reflect.TypeOf(privateKey).String())
+	}
+
+	client := core.ExtractClient(ctx)
+	apiInstance := instance.NewAPI(client)
+	resp, err := apiInstance.GetServer(&instance.GetServerRequest{
+		Zone:     args.Zone,
+		ServerID: args.ServerID,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if resp.Server.AdminPasswordEncryptedValue == nil {
+		return nil, fmt.Errorf("rdp password is nil")
+	}
+
+	encryptedRdpPassword, err := base64.StdEncoding.DecodeString(*resp.Server.AdminPasswordEncryptedValue)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode base64 encoded rdp password: %w", err)
+	}
+
+	password, err := rsa.DecryptPKCS1v15(nil, rsaKey, encryptedRdpPassword)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decrypt rdp password: %w", err)
+	}
+
+	sshKeyDescription := ""
+	if resp.Server.AdminPasswordEncryptionSSHKeyID != nil {
+		iamAPI := iam.NewAPI(client)
+		key, err := iamAPI.GetSSHKey(&iam.GetSSHKeyRequest{
+			SSHKeyID: *resp.Server.AdminPasswordEncryptionSSHKeyID,
+		})
+		if err == nil {
+			sshKeyDescription = key.Name
+		}
+	}
+
+	return struct {
+		Username          string
+		Password          string
+		SSHKeyID          *string
+		SSHKeyDescription string
+	}{
+		Username:          "Administrator",
+		Password:          string(password),
+		SSHKeyID:          resp.Server.AdminPasswordEncryptionSSHKeyID,
+		SSHKeyDescription: sshKeyDescription,
+	}, err
+}
+
+func parsePrivateKey(ctx context.Context, key []byte) (any, error) {
+	privateKey, err := ssh.ParseRawPrivateKey(key)
+	if err == nil {
+		return privateKey, err
+	}
+	// Key may need a passphrase
+	missingPassphraseError := &ssh.PassphraseMissingError{}
+	if !errors.As(err, &missingPassphraseError) {
+		return nil, fmt.Errorf("failed to parse private key: %w", err)
+	}
+
+	passphrase, err := interactive.PromptPasswordWithConfig(&interactive.PromptPasswordConfig{
+		Ctx:    ctx,
+		Prompt: "passphrase",
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to read input: %w", err)
+	}
+
+	privateKey, err = ssh.ParseRawPrivateKeyWithPassphrase(key, []byte(passphrase))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse private key: %w", err)
+	}
+
+	return privateKey, nil
+}
