X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/b16f84a8c5562cd5c3939e8c445dc86df2be2d4b..66a089434f38163273c3a5b9138f9c4347873b69:/lib/dispatchcloud/worker/verify.go
diff --git a/lib/dispatchcloud/worker/verify.go b/lib/dispatchcloud/worker/verify.go
index e22c85d009..559bb28973 100644
--- a/lib/dispatchcloud/worker/verify.go
+++ b/lib/dispatchcloud/worker/verify.go
@@ -9,7 +9,7 @@ import (
 "errors"
 "fmt"
- "git.curoverse.com/arvados.git/lib/cloud"
+ "git.arvados.org/arvados.git/lib/cloud"
 "golang.org/x/crypto/ssh"
 )
@@ -21,13 +21,21 @@ var (
 instanceSecretLength = 40 // hex digits
 )
-type tagVerifier struct {
+type TagVerifier struct {
 cloud.Instance
+ Secret string
+ ReportVerified func(cloud.Instance)
 }
-func (tv tagVerifier) VerifyHostKey(pubKey ssh.PublicKey, client *ssh.Client) error {
- expectSecret := tv.Instance.Tags()[tagKeyInstanceSecret]
- if err := tv.Instance.VerifyHostKey(pubKey, client); err != cloud.ErrNotImplemented || expectSecret == "" {
+func (tv TagVerifier) InitCommand() cloud.InitCommand {
+ return cloud.InitCommand(fmt.Sprintf("umask 0177 && echo -n %q >%s", tv.Secret, instanceSecretFilename))
+}
+
+func (tv TagVerifier) VerifyHostKey(pubKey ssh.PublicKey, client *ssh.Client) error {
+ if tv.ReportVerified != nil {
+ tv.ReportVerified(tv.Instance)
+ }
+ if err := tv.Instance.VerifyHostKey(pubKey, client); err != cloud.ErrNotImplemented || tv.Secret == "" {
 // If the wrapped instance indicates it has a way to
 // verify the key, return that decision.
 return err
@@ -49,7 +57,7 @@ func (tv tagVerifier) VerifyHostKey(pubKey ssh.PublicKey, client *ssh.Client) er
 if err != nil {
 return err
 }
- if stdout.String() != expectSecret {
+ if stdout.String() != tv.Secret {
 return errBadInstanceSecret
 }
 return nil
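Review bot: `InitCommand` interpolates `tv.Secret` into a shell command with `%q`, which applies Go string quoting rather than shell quoting, so `$`, backticks and backslashes in the value would still be expanded by the shell inside the double quotes. The neighbouring `instanceSecretLength = 40 // hex digits` suggests secrets are hex-only, but `TagVerifier` and `Secret` are now exported and nothing visible in this hunk enforces that. I would state the constraint on the field, e.g. `Secret string // hex digits only: InitCommand embeds it in a shell command`, and validate the value wherever the secret is generated. Separately, `ReportVerified` is invoked at the top of `VerifyHostKey` before any check has run, so it also fires for hosts that then fail verification; either move the call to the success paths or add a comment such as `// called on every verification attempt, not only on success`. The body of VerifyHostKey continues outside this hunk.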
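Review bot: The comparison `stdout.String() != tv.Secret` is not constant-time, and its left-hand side is supplied by the remote host whose identity is still unproven at this point. Exploiting the timing difference through an SSH session is probably impractical, but the usual hardening is cheap: `if subtle.ConstantTimeCompare([]byte(stdout.String()), []byte(tv.Secret)) != 1 {` with `crypto/subtle` added to the import block. The start of VerifyHostKey, including how `stdout` is filled, lies outside this hunk.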