aptible-api 0.9.13 → 0.9.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3f50076bb1d7c9974c01a2ead4175981911a9657
-  data.tar.gz: 6a42f11ac1f0ea710c88ee9702f78816dbd08c67
+  metadata.gz: fca6144f0c1ad810abee436b30ed9b3e03df144f
+  data.tar.gz: 137b04d0be16b37453a23fe5d26b974178e7edc5
 SHA512:
-  metadata.gz: d912b54ddad9f65164b1bb0bf1429c1d1b16bef07f3db3b4cf07fd4e4d7bfdbac99871523386c0099cfff06ecfe382520ec47f396eb1794f7c142b63ad8e476c
-  data.tar.gz: f7ffaab3069a67be24ff36804ad70bfa9dfd63f3d2faf5570b46700bb1acbe0b53d639e85b1d1b785b242be77f374c60f2ffcec8070d7bda183ccb4096c36f4d
+  metadata.gz: c6fd7583ad12fc618073bf6fccc4c35bbc4b50836878c37837f166624d8eb47f5da9b79b5ab52ea15fe10657add1b64f4423290a3675395228c8ba992d628548
+  data.tar.gz: f577e098d4e40e56c00f18278e097e486524e5a4699b10519e7141624911274f0b07947f6a39082b18412d847b52a825ebff7b2f263070066821a431d6f7afcf

data/lib/aptible/api/operation.rb

@@ -6,6 +6,8 @@ module Aptible
       belongs_to :account
       belongs_to :resource
 
+      has_many :ssh_portal_connections
+
       field :id
       field :type
       field :status
@@ -40,6 +42,62 @@ module Aptible
       def failed?
         status == 'failed'
       end
+
+      def with_ssh_cmd(private_key_file)
+        # We expect that the public key will be found next to the private key,
+        # which is also what SSH itself expects. If that's not the case, then
+        # we'll just fail. The Aptible CLI will always ensure credentials are
+        # set up properly (other consumers are of course responsible for doing
+        # the same!).
+        public_key_file = "#{private_key_file}.pub"
+
+        private_key = File.read(private_key_file)
+        public_key = File.read(public_key_file)
+
+        connection = create_ssh_portal_connection!(ssh_public_key: public_key)
+        certificate = connection.ssh_certificate_body
+
+        with_temporary_id(private_key, public_key, certificate) do |id_file|
+          cmd = [
+            'ssh',
+            "#{connection.ssh_user}@#{account.bastion_host}",
+            '-p', account.ssh_portal_port.to_s
+          ] + ['-i', id_file]
+
+          # If we aren't allowed to create a pty, then we shouldn't try to
+          # allocate once, or we'll get an awkward error.
+          cmd << '-T' unless connection.ssh_pty
+
+          yield cmd, connection
+        end
+      end
+
+      private
+
+      def with_temporary_id(private_key, public_key, certificate)
+        # Most versions of OpenSSH don't support specifying the SSH certificate
+        # to use when connecting, so we create a temporary directory with the
+        # credentials and the certificate. From a security perspective, the CLI
+        # makes sure to use an Aptible-CLI only SSH key to minimize exposure
+        # should we fail to clean out the temporary directory.
+        Dir.mktmpdir do |dir|
+          private_key_file = File.join(dir, 'id_rsa')
+          public_key_file = "#{private_key_file}.pub"
+          certificate_file = "#{private_key_file}-cert.pub"
+
+          pairs = [
+            [private_key, private_key_file],
+            [public_key, public_key_file],
+            [certificate, certificate_file]
+          ]
+
+          pairs.each do |contents, file|
+            File.open(file, 'w', 0o600) { |f| f.write(contents) }
+          end
+
+          yield private_key_file
+        end
+      end
     end
   end
 end

data/lib/aptible/api/resource.rb

@@ -30,3 +30,4 @@ require 'aptible/api/permission'
 require 'aptible/api/release'
 require 'aptible/api/service'
 require 'aptible/api/vhost'
+require 'aptible/api/ssh_portal_connection'

data/lib/aptible/api/ssh_portal_connection.rb

@@ -0,0 +1,11 @@
+module Aptible
+  module Api
+    class SshPortalConnection < Resource
+      belongs_to :account
+      belongs_to :log_drain
+      belongs_to :operation
+
+      field :action
+    end
+  end
+end

data/lib/aptible/api/version.rb

@@ -1,5 +1,5 @@
 module Aptible
   module Api
-    VERSION = '0.9.13'.freeze
+    VERSION = '0.9.14'.freeze
   end
 end

data/spec/aptible/api/operation_spec.rb

@@ -0,0 +1,89 @@
+require 'spec_helper'
+
+describe Aptible::Api::Operation do
+  describe '#with_ssh_cmd' do
+    shared_examples '#with_ssh_cmd examples' do
+      let(:account) do
+        Aptible::Api::Account.new.tap do |account|
+          account.stub(
+            bastion_host: 'foo-bastion.com',
+            ssh_portal_port: 1022
+          )
+        end
+      end
+
+      let(:ssh_portal_connection) do
+        Aptible::Api::SshPortalConnection.new.tap do |connection|
+          connection.stub(
+            ssh_user: 'foo-user',
+            ssh_certificate_body: 'some certificate',
+            ssh_pty: ssh_pty
+          )
+        end
+      end
+
+      subject do
+        described_class.new.tap do |operation|
+          operation.stub(account: account)
+        end
+      end
+
+      let!(:work_dir) { Dir.mktmpdir }
+      after { FileUtils.remove_entry work_dir }
+
+      let(:private_key_file) { File.join(work_dir, 'id_rsa') }
+      let(:public_key_file) { "#{private_key_file}.pub" }
+
+      before do
+        File.open(private_key_file, 'w') { |f| f.write('some private key') }
+        File.open(public_key_file, 'w') { |f| f.write('some public key') }
+      end
+
+      it 'yields usable SSH connection arguments' do
+        expect(subject).to receive(:create_ssh_portal_connection!)
+          .with(ssh_public_key: 'some public key')
+          .and_return(ssh_portal_connection)
+
+        has_yielded = false
+
+        subject.with_ssh_cmd(private_key_file) do |cmd, connection|
+          _, dest, _, port, _, id_file, = cmd
+
+          expect(dest).to eq('foo-user@foo-bastion.com')
+          expect(port).to eq('1022')
+          expect(File.read(id_file)).to eq('some private key')
+          expect(File.read("#{id_file}.pub")).to eq('some public key')
+          expect(File.read("#{id_file}-cert.pub")).to eq('some certificate')
+
+          expect(File.readable?(id_file)).to be_truthy
+          expect(File.writable?(id_file)).to be_truthy
+
+          expect(File.world_readable?(id_file)).to be_falsey
+          expect(File.world_writable?(id_file)).to be_falsey
+
+          expect(connection).to be(ssh_portal_connection)
+
+          if ssh_pty
+            expect(cmd).not_to include('-T')
+          else
+            expect(cmd.last).to eq('-T')
+          end
+
+          has_yielded = true
+        end
+
+        expect(has_yielded).to be_truthy
+      end
+    end
+
+    context 'with a PTY' do
+      let(:ssh_pty) { true }
+      include_examples '#with_ssh_cmd examples'
+    end
+
+    context 'without a PTY' do
+      let(:ssh_pty) { false }
+      include_examples '#with_ssh_cmd examples'
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aptible-api
 version: !ruby/object:Gem::Version
-  version: 0.9.13
+  version: 0.9.14
 platform: ruby
 authors:
 - Frank Macreery
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-11-30 00:00:00.000000000 Z
+date: 2016-12-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aptible-resource
@@ -198,9 +198,11 @@ files:
 - lib/aptible/api/release.rb
 - lib/aptible/api/resource.rb
 - lib/aptible/api/service.rb
+- lib/aptible/api/ssh_portal_connection.rb
 - lib/aptible/api/version.rb
 - lib/aptible/api/vhost.rb
 - spec/aptible/api/agent_spec.rb
+- spec/aptible/api/operation_spec.rb
 - spec/aptible/api/resource_spec.rb
 - spec/aptible/api_spec.rb
 - spec/shared/with_env.rb
@@ -231,6 +233,7 @@ specification_version: 4
 summary: Ruby client for api.aptible.com
 test_files:
 - spec/aptible/api/agent_spec.rb
+- spec/aptible/api/operation_spec.rb
 - spec/aptible/api/resource_spec.rb
 - spec/aptible/api_spec.rb
 - spec/shared/with_env.rb