fix: address Copilot review feedback on MAAS deploy and inventory

- Quote ssh_bastion value in proxy command to handle spaces/special chars
- Use os.environ instead of shell interpolation for network_filter in
  get_ip() to prevent potential code injection
- Deduplicate hosts in inventory when machine has both old and aliased
  tags (e.g., both kube-master and kube_control_plane)
- Validate MAAS_API_KEY format (exactly 3 colon-separated parts) in
  maas_auth_header()

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Douglas Holt <dholt@nvidia.com>

Author: dholt

scripts/maas_deploy.sh

@@ -69,7 +69,7 @@ load_config() {
                 api_url)     [[ -z "${MAAS_API_URL:-}" ]]  && MAAS_API_URL="$value" ;;
                 api_key)     [[ -z "${MAAS_API_KEY:-}" ]]   && MAAS_API_KEY="$value" ;;
                 ssh_user)    [[ -z "${MAAS_SSH_USER:-}" ]]  && MAAS_SSH_USER="$value" ;;
-                ssh_bastion) [[ -z "${MAAS_SSH_PROXY:-}" ]] && MAAS_SSH_PROXY="ssh -W %h:%p -q ${value}" ;;
+                ssh_bastion) [[ -z "${MAAS_SSH_PROXY:-}" ]] && MAAS_SSH_PROXY="ssh -W %h:%p -q \"${value}\"" ;;
                 network)     [[ -z "${MAAS_NETWORK:-}" ]]   && MAAS_NETWORK="$value" ;;
                 machines)    [[ -z "${MAAS_MACHINES:-}" ]]  && MAAS_MACHINES="$value" ;;
             esac
@@ -149,8 +149,12 @@ parse_args() {
 # --- MAAS API Helpers ---------------------------------------------------------
 
 maas_auth_header() {
-    local consumer_key token_key token_secret
-    IFS=':' read -r consumer_key token_key token_secret <<< "$MAAS_API_KEY"
+    local consumer_key token_key token_secret extra
+    IFS=':' read -r consumer_key token_key token_secret extra <<< "$MAAS_API_KEY"
+    if [[ -n "${extra:-}" || -z "${consumer_key}" || -z "${token_key}" || -z "${token_secret}" ]]; then
+        echo "ERROR: MAAS_API_KEY must be in format consumer_key:token_key:token_secret" >&2
+        exit 1
+    fi
     local nonce timestamp
     nonce=$(python3 -c "import uuid; print(uuid.uuid4().hex)")
     timestamp=$(date +%s)
@@ -191,11 +195,10 @@ print(m['status'])
 
 get_ip() {
     local system_id="$1"
-    local network_filter="${MAAS_NETWORK:-}"
-    maas_get "/machines/${system_id}/" | python3 -c "
-import json, sys
+    maas_get "/machines/${system_id}/" | MAAS_NETWORK="${MAAS_NETWORK:-}" python3 -c "
+import json, os, sys
 m = json.load(sys.stdin)
-network = '${network_filter}'
+network = os.environ.get('MAAS_NETWORK', '')
 for iface in m.get('interface_set', []):
     for link in iface.get('links', []):
         ip = link.get('ip_address', '')

scripts/maas_inventory.py

@@ -242,7 +242,8 @@ def build_inventory(config):
                 inventory[group] = {"hosts": [], "vars": {}}
             elif "hosts" not in inventory[group]:
                 inventory[group]["hosts"] = []
-            inventory[group]["hosts"].append(hostname)
+            if hostname not in inventory[group]["hosts"]:
+                inventory[group]["hosts"].append(hostname)
 
     return inventory