From 97de0b20f767ad6e79904fbc2419a485f59e2cc2 Mon Sep 17 00:00:00 2001
From: Richard Bishop
Date: Tue, 28 Oct 2025 11:12:28 -0700
Subject: [PATCH] Use SSH certificates for connection to tail logs
SSH certificates have the benefit of having time range validity builtin.
Testing:
- Verified cb logs and cb scopes work
---
 src/cb/logs.cr | 7 ++++++-
 src/cb/tempkey.cr | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/cb/logs.cr b/src/cb/logs.cr
index 8b71017..2edb1cb 100644
--- a/src/cb/logs.cr
+++ b/src/cb/logs.cr
@@ -20,7 +20,12 @@ module CB
 socket = TCPSocket.new(tk.host, 22, connect_timeout: 1)
 ssh = SSH2::Session.new(socket)
- ssh.login_with_data("cormorant", tk.private_key, tk.public_key)
+
+ if tk.certificate.presence
+ ssh.login_with_data("cormorant", tk.private_key, tk.certificate.to_s)
+ else
+ ssh.login_with_data("cormorant", tk.private_key, tk.public_key)
+ end
 ch = ssh.open_session
 ch.shell
diff --git a/src/cb/tempkey.cr b/src/cb/tempkey.cr
index 8626801..1e752e0 100644
--- a/src/cb/tempkey.cr
+++ b/src/cb/tempkey.cr
@@ -1,5 +1,5 @@
 module CB
- record Tempkey, host : String, private_key : String, public_key : String, cluster_id : String, team_id : String, expires_at : Time do
+ record Tempkey, host : String, private_key : String, public_key : String, certificate : String?, cluster_id : String, team_id : String, expires_at : Time do
 Cacheable.include key: cluster_id
 def self.for_cluster(cluster_id : Identifier, client) : Tempkey
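Review bot: The `else` branch added in src/cb/logs.cr silently falls back to plain public-key login whenever `tk.certificate` is nil or empty, so the time-bounded validity this change is after is lost with no trace. If the fallback exists only for servers that do not issue certificates yet, a comment should say so, and it would help to record which credential was used. The two `login_with_data` calls differ only in their last argument, and `.to_s` papers over the nilable type. Selecting the blob first reads better and drops the conversion: `auth_blob = tk.certificate.presence || tk.public_key`, then `ssh.login_with_data("cormorant", tk.private_key, auth_blob)`. The enclosing method starts and ends outside the hunk.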
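Review bot: `certificate : String?` in src/cb/tempkey.cr is added without saying what it holds or how its validity window relates to `expires_at`. The record is `Cacheable`, so a stored Tempkey presumably outlives a single command, and a certificate that expires before `expires_at` would then be presented after it is no longer valid. If this is the intended contract, a comment above the record would pin it down: `# certificate: SSH certificate for public_key, nil when the API returns none; must not expire before expires_at`. The field is also inserted mid-list, which shifts the positional constructor arguments; appending it would keep any positional `Tempkey.new` callers working. The body of `for_cluster` is outside the hunk.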