Add BOSH properties for configurable diego-sshd SSH algorithms

Add support for landscape operators to configure SSH algorithms for
diego-sshd running in application containers.

New BOSH properties under cc.diego.sshd (configured only in
cloud_controller_ng):
- allowed_ciphers: Comma separated list of allowed SSH cipher algorithms
- allowed_host_key_algorithms: Comma separated list of allowed host key
  algorithms
- allowed_key_exchanges: Comma separated list of allowed key exchange
  algorithms
- allowed_macs: Comma separated list of allowed MAC algorithms

All properties default to empty strings. When empty, diego-sshd uses
its defaults. When configured, the comma-separated values are passed
as command-line flags to diego-sshd.

The properties are exposed via the cloud_controller_internal BOSH link
and consumed by:
- cloud_controller_worker
- cloud_controller_clock
- cc_deployment_updater

Author: philippthun

jobs/cc_deployment_updater/templates/cloud_controller_ng.yml.erb

@@ -128,6 +128,11 @@ diego:
     send_timeout: <%= p("cc.diego.bbs.send_timeout") %>
     receive_timeout: <%= p("cc.diego.bbs.receive_timeout") %>
   pid_limit: <%= p("cc.diego.pid_limit") %>
+  sshd:
+    allowed_ciphers: "<%= link("cloud_controller_internal").p("cc.diego.sshd.allowed_ciphers") %>"
+    allowed_host_key_algorithms: "<%= link("cloud_controller_internal").p("cc.diego.sshd.allowed_host_key_algorithms") %>"
+    allowed_key_exchanges: "<%= link("cloud_controller_internal").p("cc.diego.sshd.allowed_key_exchanges") %>"
+    allowed_macs: "<%= link("cloud_controller_internal").p("cc.diego.sshd.allowed_macs") %>"
 
 default_app_memory: <%= p("cc.default_app_memory") %>
 default_app_disk_in_mb: <%= p("cc.default_app_disk_in_mb") %>

jobs/cloud_controller_clock/templates/cloud_controller_ng.yml.erb

@@ -350,6 +350,11 @@ diego:
     send_timeout: <%= p("cc.diego.bbs.send_timeout") %>
     receive_timeout: <%= p("cc.diego.bbs.receive_timeout") %>
   pid_limit: <%= p("cc.diego.pid_limit") %>
+  sshd:
+    allowed_ciphers: "<%= link("cloud_controller_internal").p("cc.diego.sshd.allowed_ciphers") %>"
+    allowed_host_key_algorithms: "<%= link("cloud_controller_internal").p("cc.diego.sshd.allowed_host_key_algorithms") %>"
+    allowed_key_exchanges: "<%= link("cloud_controller_internal").p("cc.diego.sshd.allowed_key_exchanges") %>"
+    allowed_macs: "<%= link("cloud_controller_internal").p("cc.diego.sshd.allowed_macs") %>"
 
 <% if p("routing_api.enabled") %>
 routing_api:

jobs/cloud_controller_ng/spec

@@ -241,6 +241,10 @@ provides:
   - cc.droplets.connection_config
   - cc.buildpacks.connection_config
   - cc.storage_cli_optional_flags
+  - cc.diego.sshd.allowed_ciphers
+  - cc.diego.sshd.allowed_host_key_algorithms
+  - cc.diego.sshd.allowed_key_exchanges
+  - cc.diego.sshd.allowed_macs
 
 consumes:
 - name: database
@@ -1277,6 +1281,19 @@ properties:
     description: "Maximum pid limit for containerized work running user-provided code"
     default: 1024
 
+  cc.diego.sshd.allowed_ciphers:
+    description: "Comma separated list of allowed SSH cipher algorithms for diego-sshd. If empty, diego-sshd will use its defaults."
+    default: ""
+  cc.diego.sshd.allowed_host_key_algorithms:
+    description: "Comma separated list of allowed SSH host key algorithms for diego-sshd. If empty, diego-sshd will use its defaults."
+    default: ""
+  cc.diego.sshd.allowed_key_exchanges:
+    description: "Comma separated list of allowed SSH key exchange algorithms for diego-sshd. If empty, diego-sshd will use its defaults."
+    default: ""
+  cc.diego.sshd.allowed_macs:
+    description: "Comma separated list of allowed SSH MAC algorithms for diego-sshd. If empty, diego-sshd will use its defaults."
+    default: ""
+
   cc.logcache.host:
     description: "Hostname of the Logcache server"
     default: doppler.service.cf.internal

jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb

@@ -560,6 +560,11 @@ diego:
   enable_declarative_asset_downloads: <%= p("cc.diego.enable_declarative_asset_downloads") %>
   use_privileged_containers_for_running: <%= p("cc.diego.use_privileged_containers_for_running") %>
   use_privileged_containers_for_staging: <%= p("cc.diego.use_privileged_containers_for_staging") %>
+  sshd:
+    allowed_ciphers: "<%= p("cc.diego.sshd.allowed_ciphers") %>"
+    allowed_host_key_algorithms: "<%= p("cc.diego.sshd.allowed_host_key_algorithms") %>"
+    allowed_key_exchanges: "<%= p("cc.diego.sshd.allowed_key_exchanges") %>"
+    allowed_macs: "<%= p("cc.diego.sshd.allowed_macs") %>"
 
 perm:
   enabled: false

jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb

@@ -329,6 +329,11 @@ diego:
     send_timeout: <%= p("cc.diego.bbs.send_timeout") %>
     receive_timeout: <%= p("cc.diego.bbs.receive_timeout") %>
   pid_limit: <%= p("cc.diego.pid_limit") %>
+  sshd:
+    allowed_ciphers: "<%= link("cloud_controller_internal").p("cc.diego.sshd.allowed_ciphers") %>"
+    allowed_host_key_algorithms: "<%= link("cloud_controller_internal").p("cc.diego.sshd.allowed_host_key_algorithms") %>"
+    allowed_key_exchanges: "<%= link("cloud_controller_internal").p("cc.diego.sshd.allowed_key_exchanges") %>"
+    allowed_macs: "<%= link("cloud_controller_internal").p("cc.diego.sshd.allowed_macs") %>"
 
 <% if p("routing_api.enabled") %>
 routing_api:

spec/cloud_controller_ng/cloud_controller_ng_spec.rb

@@ -33,7 +33,13 @@ module Test
                       'username' => 'blobstore-user' } },
                 'diego' =>
                 {
-                  'file_server_url' => 'http://somewhere'
+                  'file_server_url' => 'http://somewhere',
+                  'sshd' => {
+                    'allowed_ciphers' => '',
+                    'allowed_host_key_algorithms' => '',
+                    'allowed_key_exchanges' => '',
+                    'allowed_macs' => ''
+                  }
                 },
                 'database_encryption' =>
                   { 'skip_validation' => false,
@@ -533,6 +539,35 @@ module Test
             end
           end
 
+          describe 'diego.sshd config' do
+            it 'defaults to empty strings' do
+              template_hash = YAML.safe_load(template.render(merged_manifest_properties, consumes: links))
+              expect(template_hash['diego']['sshd']['allowed_ciphers']).to eq('')
+              expect(template_hash['diego']['sshd']['allowed_host_key_algorithms']).to eq('')
+              expect(template_hash['diego']['sshd']['allowed_key_exchanges']).to eq('')
+              expect(template_hash['diego']['sshd']['allowed_macs']).to eq('')
+            end
+
+            context 'when SSH algorithms are configured' do
+              before do
+                merged_manifest_properties['cc']['diego']['sshd'] = {
+                  'allowed_ciphers' => 'cipher-1,cipher-2',
+                  'allowed_host_key_algorithms' => 'hostkeyalg-1,hostkeyalg-2',
+                  'allowed_key_exchanges' => 'kex-1,kex-2',
+                  'allowed_macs' => 'mac-1,mac-2'
+                }
+              end
+
+              it 'renders the configured SSH algorithms' do
+                template_hash = YAML.safe_load(template.render(merged_manifest_properties, consumes: links))
+                expect(template_hash['diego']['sshd']['allowed_ciphers']).to eq('cipher-1,cipher-2')
+                expect(template_hash['diego']['sshd']['allowed_host_key_algorithms']).to eq('hostkeyalg-1,hostkeyalg-2')
+                expect(template_hash['diego']['sshd']['allowed_key_exchanges']).to eq('kex-1,kex-2')
+                expect(template_hash['diego']['sshd']['allowed_macs']).to eq('mac-1,mac-2')
+              end
+            end
+          end
+
           describe 'broker_client_max_async_poll_interval_seconds config' do
             it 'defaults to 86400 seconds' do
               template_hash = YAML.safe_load(template.render(merged_manifest_properties, consumes: links))