aspera-cli 4.15.0 → 4.17.0

data/lib/aspera/rest.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'aspera/log'
+require 'aspera/assert'
 require 'aspera/oauth'
 require 'aspera/rest_error_analyzer'
 require 'aspera/hash_ext'
@@ -55,18 +56,19 @@ module Aspera
         return values.first.eql?(ARRAY_PARAMS)
       end
 
-      # build URI from URL and parameters and check it is http or https
-      def build_uri(url, params=nil)
+      # build URI from URL and parameters and check it is http or https, encode array [] parameters
+      def build_uri(url, query_hash=nil)
         uri = URI.parse(url)
-        raise "REST endpoint shall be http/s not #{uri.scheme}" unless %w[http https].include?(uri.scheme)
-        return uri if params.nil?
-        Log.log.debug{Log.dump('params', params)}
-        raise 'Internal Error: param must be Hash' unless params.is_a?(Hash)
+        Aspera.assert(%w[http https].include?(uri.scheme)){"REST endpoint shall be http/s not #{uri.scheme}"}
+        return uri if query_hash.nil?
+        Log.log.debug{Log.dump('query', query_hash)}
+        Aspera.assert_type(query_hash, Hash)
+        return uri if query_hash.empty?
         query = []
-        params.each do |k, v|
+        query_hash.each do |k, v|
           case v
           when Array
-            # support array url params, there is no standard. Either p[]=1&p[]=2, or p=1&p=2
+            # support array for query parameter, there is no standard. Either p[]=1&p[]=2, or p=1&p=2
             suffix = array_params?(v) ? v.shift : ''
             v.each do |e|
               query.push(["#{k}#{suffix}", e])
@@ -84,7 +86,7 @@ module Aspera
         URI.decode_www_form(query).each_with_object({}){|v, h|h[v.first] = v.last }
       end
 
-      # start a HTTP/S session, also used for web sockets
+      # Start a HTTP/S session, also used for web sockets
       # @param base_url [String] base url of HTTP/S session
       # @return [Net::HTTP] a started HTTP session
       def start_http_session(base_url)
@@ -103,17 +105,34 @@ module Aspera
       # little hack, handy because HTTP debug, proxy, etc... will be available
       # used implement web sockets after `start_http_session`
       def io_http_session(http_session)
-        raise "wring type #{http_session.class}" unless http_session.is_a?(Net::HTTP)
+        Aspera.assert_type(http_session, Net::HTTP)
         # Net::BufferedIO in net/protocol.rb
         result = http_session.instance_variable_get(:@socket)
-        raise "no socket for #{http_session}" if result.nil?
+        Aspera.assert(!result.nil?){"no socket for #{http_session}"}
+        return result
+      end
+
+      # @return [String] PEM certificates of remote server
+      def remote_certificate_chain(url, as_string: true)
+        result = []
+        # initiate a session to retrieve remote certificate
+        http_session = Rest.start_http_session(url)
+        begin
+          # retrieve underlying openssl socket
+          result = Rest.io_http_session(http_session).io.peer_cert_chain
+        rescue
+          result = http_session.peer_cert
+        ensure
+          http_session.finish
+        end
+        result = result.map(&:to_pem).join("\n") if as_string
         return result
       end
 
       # set global parameters
       def set_parameters(**options)
         options.each do |key, value|
-          raise "ERROR: unknown Rest option #{key}" unless @@global.key?(key)
+          Aspera.assert(@@global.key?(key)){"Unknown Rest option #{key}"}
           @@global[key] = value
         end
       end
@@ -129,135 +148,169 @@ module Aspera
     # create and start keep alive connection on demand
     def http_session
       if @http_session.nil?
-        @http_session = self.class.start_http_session(@params[:base_url])
+        @http_session = self.class.start_http_session(@base_url)
       end
       return @http_session
     end
 
-    public
-
-    attr_reader :params
-
-    def oauth
-      if @oauth.nil?
-        raise 'ERROR: no OAuth defined' unless @params[:auth][:type].eql?(:oauth2)
-        @oauth = Oauth.new(@params[:auth])
-      end
-      return @oauth
-    end
-
-    # @param a_rest_params [Hash] default call parameters (merged at call)
-    def initialize(a_rest_params)
-      raise 'ERROR: expecting Hash' unless a_rest_params.is_a?(Hash)
-      raise 'ERROR: expecting base_url' unless a_rest_params[:base_url].is_a?(String)
-      @params = a_rest_params.clone
-      Log.log.debug{Log.dump('REST params', @params)}
-      # base url without trailing slashes (note: string may be frozen)
-      @params[:base_url] = @params[:base_url].gsub(%r{/+$}, '')
-      @http_session = nil
-      # default is no auth
-      @params[:auth] ||= {type: :none}
-      @params[:not_auth_codes] ||= ['401']
-      @oauth = nil
-      Log.log.debug{Log.dump('REST params(2)', @params)}
-    end
-
-    def oauth_token(force_refresh: false)
-      raise "ERROR: expecting boolean, have #{force_refresh}" unless [true, false].include?(force_refresh)
-      return oauth.get_authorization(use_refresh_token: force_refresh)
-    end
-
-    def build_request(call_data)
+    def build_request(
+      operation:,
+      subpath:,
+      url_params:,
+      json_params:,
+      www_body_params:,
+      text_body_params:,
+      headers:
+    )
       # TODO: shall we percent encode subpath (spaces) test with access key delete with space in id
       # URI.escape()
-      uri = self.class.build_uri("#{call_data[:base_url]}#{['', '/'].include?(call_data[:subpath]) ? '' : '/'}#{call_data[:subpath]}", call_data[:url_params])
+      separator = !['', '/'].include?(subpath) || @base_url.end_with?('/') ? '/' : ''
+      uri = self.class.build_uri("#{@base_url}#{separator}#{subpath}", url_params)
       Log.log.debug{"URI=#{uri}"}
       begin
         # instantiate request object based on string name
-        req = Net::HTTP.const_get(call_data[:operation].capitalize).new(uri)
+        req = Net::HTTP.const_get(operation.capitalize).new(uri)
       rescue NameError
-        raise "unsupported operation : #{call_data[:operation]}"
+        raise "unsupported operation : #{operation}"
       end
-      if call_data.key?(:json_params) && !call_data[:json_params].nil?
-        req.body = JSON.generate(call_data[:json_params]) # , ascii_only: true
-        Log.log.debug{Log.dump('body JSON data', call_data[:json_params])}
+      if !json_params.nil?
+        req.body = JSON.generate(json_params) # , ascii_only: true
         req['Content-Type'] = 'application/json'
-        # call_data[:headers]['Accept']='application/json'
       end
-      if call_data.key?(:www_body_params)
-        req.body = URI.encode_www_form(call_data[:www_body_params])
-        Log.log.debug{"body www data=#{req.body.chomp}"}
+      if !www_body_params.nil?
+        req.body = URI.encode_www_form(www_body_params)
         req['Content-Type'] = 'application/x-www-form-urlencoded'
       end
-      if call_data.key?(:text_body_params)
-        req.body = call_data[:text_body_params]
-        Log.log.debug{"body data=#{req.body.chomp}"}
+      if !text_body_params.nil?
+        req.body = text_body_params
       end
       # set headers
-      if call_data.key?(:headers)
-        call_data[:headers].each_key do |key|
-          req[key] = call_data[:headers][key]
-        end
+      headers.each do |key, value|
+        req[key] = value
       end
       # :type = :basic
-      req.basic_auth(call_data[:auth][:username], call_data[:auth][:password]) if call_data[:auth][:type].eql?(:basic)
+      req.basic_auth(@auth_params[:username], @auth_params[:password]) if @auth_params[:type].eql?(:basic)
       Log.log.debug{Log.dump(:req_body, req.body)}
       return req
     end
 
+    public
+
+    attr_reader :auth_params
+    attr_reader :base_url
+
+    def params
+      return {
+        base_url:       @base_url,
+        auth:           @auth_params,
+        not_auth_codes: @not_auth_codes,
+        redirect_max:   @redirect_max,
+        headers:        @headers
+      }
+    end
+
+    # @param base_url [String] base URL of REST API
+    # @param auth [Hash] authentication parameters:
+    #     :type (:none, :basic, :url, :oauth2)
+    #     :username   [:basic]
+    #     :password   [:basic]
+    #     :url_query  [:url]    a hash
+    #     :*          [:oauth2] see OAuth::Factory class
+    # @param not_auth_codes [Array] codes that trigger a refresh/regeneration of bearer token
+    # @param redirect_max [int] max redirections allowed
+    def initialize(
+      base_url:,
+      auth: nil,
+      not_auth_codes: nil,
+      redirect_max: 0,
+      headers: nil
+    )
+      Aspera.assert_type(base_url, String)
+      # base url with max one trailing slashes (note: string may be frozen)
+      @base_url = base_url.gsub(%r{//+$}, '/')
+      # default is no auth
+      @auth_params = auth.nil? ? {type: :none} : auth
+      Aspera.assert_type(@auth_params, Hash)
+      Aspera.assert(@auth_params.key?(:type)){'no auth type defined'}
+      @not_auth_codes = not_auth_codes.nil? ? ['401'] : not_auth_codes
+      Aspera.assert_type(@not_auth_codes, Array)
+      # persistent session
+      @http_session = nil
+      # OAuth object (created on demand)
+      @oauth = nil
+      @redirect_max = redirect_max
+      @headers = headers.nil? ? {} : headers
+      Aspera.assert_type(@headers, Hash)
+      @headers['User-Agent'] ||= @@global[:user_agent]
+    end
+
+    # @return the OAuth object (create, or cached if already created)
+    def oauth
+      if @oauth.nil?
+        Aspera.assert(@auth_params[:type].eql?(:oauth2)){'no OAuth defined'}
+        oauth_parameters = @auth_params.reject { |k, _v| k.eql?(:type) }
+        Log.log.debug{Log.dump('oauth parameters', oauth_parameters)}
+        @oauth = OAuth::Factory.instance.create(**oauth_parameters)
+      end
+      return @oauth
+    end
+
+    def oauth_token(force_refresh: false)
+      Aspera.assert_values(force_refresh, [true, false])
+      return oauth.get_authorization(use_refresh_token: force_refresh)
+    end
+
     # HTTP/S REST call
-    # call_data has keys:
-    # :auth
-    # :operation
-    # :subpath
-    # :headers
-    # :json_params
-    # :url_params
-    # :www_body_params
-    # :text_body_params
-    # :save_to_file (filepath) default: nil
-    # :return_error (bool) default: nil
-    # :redirect_max (int) default: 0
-    # :not_auth_codes (array) codes that trigger a refresh/regeneration of bearer token
-    # ----
-    # authentication (:auth) :
-    # :type (:none, :basic, :oauth2, :url)
-    # :username   [:basic]
-    # :password   [:basic]
-    # :url_query  [:url] a hash
-    # :*          [:oauth2] see Oauth class
-    def call(call_data)
-      raise "Hash call parameter is required (#{call_data.class})" unless call_data.is_a?(Hash)
-      call_data[:subpath] = '' if call_data[:subpath].nil?
-      Log.log.debug{"accessing #{call_data[:subpath]}".red.bold.bg_green}
-      call_data[:headers] ||= {}
-      call_data[:headers]['User-Agent'] ||= @@global[:user_agent]
-      # defaults from @params are overridden by call data
-      call_data = @params.deep_merge(call_data)
-      case call_data[:auth][:type]
+    # @param save_to_file (filepath)
+    # @param return_error (bool)
+    def call(
+      operation:,
+      subpath: nil,
+      json_params: nil,
+      url_params: nil,
+      www_body_params: nil,
+      text_body_params: nil,
+      save_to_file: nil,
+      return_error: false,
+      headers: nil
+    )
+      subpath = subpath.to_s if subpath.is_a?(Symbol)
+      subpath = '' if subpath.nil?
+      Aspera.assert_type(subpath, String)
+      if headers.nil?
+        headers = @headers.clone
+      else
+        h = headers
+        headers = @headers.clone
+        headers.merge!(h)
+      end
+      Aspera.assert_type(headers, Hash)
+      Log.log.debug{"#{operation} [#{subpath}]".red.bold.bg_green}
+      case @auth_params[:type]
       when :none
         # no auth
       when :basic
         Log.log.debug('using Basic auth')
         # done in build_req
       when :oauth2
-        call_data[:headers]['Authorization'] = oauth_token unless call_data[:headers].key?('Authorization')
+        headers['Authorization'] = oauth_token unless headers.key?('Authorization')
       when :url
-        call_data[:url_params] ||= {}
-        call_data[:auth][:url_query].each do |key, value|
-          call_data[:url_params][key] = value
+        url_params ||= {}
+        @auth_params[:url_query].each do |key, value|
+          url_params[key] = value
         end
-      else raise "unsupported auth type: [#{call_data[:auth][:type]}]"
+      else Aspera.error_unexpected_value(@auth_params[:type])
       end
-      req = build_request(call_data)
-      Log.log.debug{"call_data = #{call_data}"}
       result = {http: nil}
       # start a block to be able to retry the actual HTTP request
       begin
+        req = build_request(
+          operation: operation, subpath: subpath, json_params: json_params, url_params: url_params, www_body_params: www_body_params,
+          text_body_params: text_body_params, headers: headers)
         # we try the call, and will retry only if oauth, as we can, first with refresh, and then re-auth if refresh is bad
         oauth_tries ||= 2
         # initialize with number of initial retries allowed, nil gives zero
-        tries_remain_redirect = call_data[:redirect_max].to_i if tries_remain_redirect.nil?
+        tries_remain_redirect = @redirect_max.to_i if tries_remain_redirect.nil?
         Log.log.debug("send request (retries=#{tries_remain_redirect})")
         result_mime = nil
         file_saved = false
@@ -266,13 +319,13 @@ module Aspera
           result[:http] = response
           result_mime = (result[:http]['Content-Type'] || 'text/plain').split(';').first.downcase
           # JSON data needs to be parsed, in case it contains an error code
-          if !call_data[:save_to_file].nil? &&
+          if !save_to_file.nil? &&
               result[:http].code.to_s.start_with?('2') &&
               !result[:http]['Content-Length'].nil? &&
               !JSON_DECODE.include?(result_mime)
             total_size = result[:http]['Content-Length'].to_i
             Log.log.debug('before write file')
-            target_file = call_data[:save_to_file]
+            target_file = save_to_file
             # override user's path to path in header
             if !response['Content-Disposition'].nil? && (m = response['Content-Disposition'].match(/filename="([^"]+)"/))
               target_file = File.join(File.dirname(target_file), m[1])
@@ -305,13 +358,13 @@ module Aspera
         else # when 'text/plain'
           result[:http].body
         end
-        Log.log.debug{Log.dump("result: parsed: #{result_mime}", result[:data])}
-        Log.log.debug{"result: code=#{result[:http].code}"}
+        Log.log.debug{"result: code=#{result[:http].code} mime=#{result_mime}"}
+        Log.log.debug{Log.dump('data', result[:data])}
         RestErrorAnalyzer.instance.raise_on_error(req, result)
-        File.write(call_data[:save_to_file], result[:http].body) unless file_saved || call_data[:save_to_file].nil?
+        File.write(save_to_file, result[:http].body) unless file_saved || save_to_file.nil?
       rescue RestCallError => e
         # not authorized: oauth token expired
-        if call_data[:not_auth_codes].include?(result[:http].code.to_s) && call_data[:auth][:type].eql?(:oauth2)
+        if @not_auth_codes.include?(result[:http].code.to_s) && @auth_params[:type].eql?(:oauth2)
           begin
             # try to use refresh token
             req['Authorization'] = oauth_token(force_refresh: true)
@@ -321,35 +374,28 @@ module Aspera
             # regenerate a brand new token
             req['Authorization'] = oauth_token(force_refresh: true)
           end
-          Log.log.debug{"using new token=#{call_data[:headers]['Authorization']}"}
-          retry unless (oauth_tries -= 1).zero?
+          Log.log.debug{"using new token=#{headers['Authorization']}"}
+          retry if (oauth_tries -= 1).nonzero?
         end # if oauth
         # redirect ? (any code beginning with 3)
-        if tries_remain_redirect.positive? && e.response.is_a?(Net::HTTPRedirection)
+        if e.response.is_a?(Net::HTTPRedirection) && tries_remain_redirect.positive?
           tries_remain_redirect -= 1
-          current_uri = URI.parse(call_data[:base_url])
+          current_uri = URI.parse(@base_url)
           new_url = e.response['location']
           # special case: relative redirect
           if URI.parse(new_url).host.nil?
             # we don't manage relative redirects with non-absolute path
-            raise "Error: redirect location is relative: #{new_url}, but does not start with /." unless new_url.start_with?('/')
-            new_url = current_uri.scheme + '://' + current_uri.host + new_url
-          end
-          Log.log.info{"URL is moved: #{new_url}"}
-          redirection_uri = URI.parse(new_url)
-          call_data[:base_url] = new_url
-          call_data[:subpath] = ''
-          if current_uri.host.eql?(redirection_uri.host) && current_uri.port.eql?(redirection_uri.port)
-            req = build_request(call_data)
-            retry
-          else
-            # change host
-            Log.log.info{"Redirect changes host: #{current_uri.host} -> #{redirection_uri.host}"}
-            return self.class.new(call_data).call(call_data)
+            Aspera.assert(new_url.start_with?('/')){"redirect location is relative: #{new_url}, but does not start with /."}
+            new_url = "#{current_uri.scheme}://#{current_uri.host}#{new_url}"
           end
+          # forwards the request to the new location
+          return self.class.new(base_url: new_url, redirect_max: tries_remain_redirect).call(
+            operation: operation, json_params: json_params,
+            url_params: url_params, www_body_params: www_body_params, text_body_params: text_body_params,
+            save_to_file: save_to_file, return_error: return_error, headers: headers)
         end
         # raise exception if could not retry and not return error in result
-        raise e unless call_data[:return_error]
+        raise e unless return_error
       end # begin request
       Log.log.debug{"result=#{result}"}
       return result
@@ -361,36 +407,37 @@ module Aspera
 
     # @param encoding : one of: :json_params, :url_params
     def create(subpath, params, encoding=:json_params)
-      return call({operation: 'POST', subpath: subpath, headers: {'Accept' => 'application/json'}, encoding => params})
+      return call(operation: 'POST', subpath: subpath, headers: {'Accept' => 'application/json'}, encoding => params)
     end
 
-    def read(subpath, options=nil)
-      return call({operation: 'GET', subpath: subpath, headers: {'Accept' => 'application/json'}, url_params: options})
+    def read(subpath, query=nil)
+      return call(operation: 'GET', subpath: subpath, headers: {'Accept' => 'application/json'}, url_params: query)
     end
 
     def update(subpath, params)
-      return call({operation: 'PUT', subpath: subpath, headers: {'Accept' => 'application/json'}, json_params: params})
+      return call(operation: 'PUT', subpath: subpath, headers: {'Accept' => 'application/json'}, json_params: params)
     end
 
     def delete(subpath, params=nil)
-      return call({operation: 'DELETE', subpath: subpath, headers: {'Accept' => 'application/json'}, url_params: params})
+      return call(operation: 'DELETE', subpath: subpath, headers: {'Accept' => 'application/json'}, url_params: params)
     end
 
     def cancel(subpath)
-      return call({operation: 'CANCEL', subpath: subpath, headers: {'Accept' => 'application/json'}})
+      return call(operation: 'CANCEL', subpath: subpath, headers: {'Accept' => 'application/json'})
     end
 
-    # Query by name and returns a single result, else it throws an exception (no or multiple results)
+    # Query entity by general search (read with parameter `q`)
+    # TODO: not generic enough ? move somewhere ? inheritance ?
     # @param subpath path of entity in API
     # @param search_name name of searched entity
-    # @param options additional search options
-    def lookup_by_name(subpath, search_name, options={})
-      # returns entities whose name contains value (case insensitive)
-      matching_items = read(subpath, options.merge({'q' => search_name}))[:data]
+    # @param query additional search query parameters
+    # @returns [Hash] A single entity matching the search, or an exception if not found or multiple found
+    def lookup_by_name(subpath, search_name, query={})
+      # returns entities matching the query (it matches against several fields in case insensitive way)
+      matching_items = read(subpath, query.merge({'q' => search_name}))[:data]
       # API style: {totalcount:, ...} cspell: disable-line
-      # TODO: not generic enough ? move somewhere ? inheritance ?
       matching_items = matching_items[subpath] if matching_items.is_a?(Hash)
-      raise "Internal error: expecting array, have #{matching_items.class}" unless matching_items.is_a?(Array)
+      Aspera.assert_type(matching_items, Array)
       case matching_items.length
       when 1 then return matching_items.first
       when 0 then raise %Q{#{ENTITY_NOT_FOUND} #{subpath}: "#{search_name}"}

data/lib/aspera/rest_error_analyzer.rb

@@ -90,6 +90,7 @@ module Aspera
       # @param msg one error message  to add to list
       def add_error(call_context, type, msg)
         call_context[:messages].push(msg)
+        Log.log.trace1{"Found error: #{type}: #{msg}"}
         log_file = instance.log_file
         # log error for further analysis (file must exist to activate)
         return if log_file.nil? || !File.exist?(log_file)

data/lib/aspera/rest_errors_aspera.rb

@@ -15,12 +15,14 @@ module Aspera
         RestErrorAnalyzer.instance.add_simple_handler(name: 'Type 1: error:user_message', path: %w[error user_message], always: true)
         RestErrorAnalyzer.instance.add_simple_handler(name: 'Type 2: error:description', path: %w[error description])
         RestErrorAnalyzer.instance.add_simple_handler(name: 'Type 3: error:internal_message', path: %w[error internal_message])
-        # AoC Automation
-        RestErrorAnalyzer.instance.add_simple_handler(name: 'AoC Automation', path: ['error'])
         RestErrorAnalyzer.instance.add_simple_handler(name: 'Type 5', path: ['error_description'])
         RestErrorAnalyzer.instance.add_simple_handler(name: 'Type 6', path: ['message'])
+        # AoC Automation
+        RestErrorAnalyzer.instance.add_simple_handler(name: 'AoC Automation', path: ['error'])
         RestErrorAnalyzer.instance.add_handler('Type 7: errors[]') do |type, call_context|
           next unless call_context[:data].is_a?(Hash) && call_context[:data]['errors'].is_a?(Hash)
+          # special for Shares: false positive ? (update global transfer_settings)
+          next if call_context[:data].key?('min_connect_version')
           call_context[:data]['errors'].each do |k, v|
             RestErrorAnalyzer.add_error(call_context, type, "#{k}: #{v}")
           end
@@ -31,7 +33,7 @@ module Aspera
           d_t_s = call_context[:data]['transfer_specs']
           next unless d_t_s.is_a?(Array)
           d_t_s.each do |res|
-            r_err = res.dig(*%w[transfer_spec error])
+            r_err = res.dig(*%w[transfer_spec error]) || res['error']
             next unless r_err.is_a?(Hash)
             RestErrorAnalyzer.add_error(call_context, type, "#{r_err['code']}: #{r_err['reason']}: #{r_err['user_message']}")
           end

data/lib/aspera/resumer.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require 'singleton'
+require 'aspera/log'
+require 'aspera/assert'
+
+module Aspera
+  # implements a simple resume policy
+  class Resumer
+    # list of supported parameters and default values
+    DEFAULTS = {
+      iter_max:      7,
+      sleep_initial: 2,
+      sleep_factor:  2,
+      sleep_max:     60
+    }.freeze
+
+    # @param params see DEFAULTS
+    def initialize(params=nil)
+      @parameters = DEFAULTS.dup
+      if !params.nil?
+        Aspera.assert_type(params, Hash)
+        params.each do |k, v|
+          Aspera.assert_values(k, DEFAULTS.keys){'resume parameter'}
+          Aspera.assert_type(v, Integer){k}
+          @parameters[k] = v
+        end
+      end
+      Log.log.debug{"resume params=#{@parameters}"}
+    end
+
+    # calls block a number of times (resumes) until success or limit reached
+    # this is re-entrant, one resumer can handle multiple transfers in //
+    def execute_with_resume
+      Aspera.assert(block_given?)
+      # maximum of retry
+      remaining_resumes = @parameters[:iter_max]
+      sleep_seconds = @parameters[:sleep_initial]
+      Log.log.debug{"retries=#{remaining_resumes}"}
+      # try to send the file until ascp is successful
+      loop do
+        Log.log.debug('transfer starting')
+        begin
+          # call provided block
+          yield
+          # exit retry loop if success
+          break
+        rescue Transfer::Error => e
+          Log.log.warn{"An error occurred during transfer: #{e.message}"}
+          # failure in ascp
+          if e.retryable?
+            # exit if we exceed the max number of retry
+            raise Transfer::Error, "Maximum number of retry reached (#{@parameters[:iter_max]})" if remaining_resumes <= 0
+          else
+            # give one chance only to non retryable errors
+            unless remaining_resumes.eql?(@parameters[:iter_max])
+              Log.log.error('non-retryable error'.red.blink)
+              raise e
+            end
+          end
+        end
+
+        # take this retry in account
+        remaining_resumes -= 1
+        Log.log.warn{"Resuming in #{sleep_seconds} seconds (retry left:#{remaining_resumes})"}
+
+        # wait a bit before retrying, maybe network condition will be better
+        sleep(sleep_seconds)
+
+        # increase retry period
+        sleep_seconds *= @parameters[:sleep_factor]
+        # cap value
+        sleep_seconds = @parameters[:sleep_max] if sleep_seconds > @parameters[:sleep_max]
+      end # loop
+    end
+  end
+end

data/lib/aspera/secret_hider.rb

@@ -6,6 +6,8 @@ require 'logger'
 module Aspera
   # remove secret from logs and output
   class SecretHider
+    # configurable:
+    ADDITIONAL_KEYS_TO_HIDE = []
     # display string for hidden secrets
     HIDDEN_PASSWORD = '🔑'
     # env vars for ascp with secrets
@@ -14,7 +16,7 @@ module Aspera
     KEY_SECRETS = %w[password secret passphrase _key apikey crn token].freeze
     HTTP_SECRETS = %w[Authorization].freeze
     ALL_SECRETS = [ASCP_ENV_SECRETS, KEY_SECRETS, HTTP_SECRETS].flatten.freeze
-    KEY_FALSE_POSITIVES = [/^access_key$/].freeze
+    KEY_FALSE_POSITIVES = [/^access_key$/, /^fallback_private_key$/].freeze
     # regex that define named captures :begin and :end
     REGEX_LOG_REPLACES = [
       # CLI manager get/set options
@@ -32,7 +34,7 @@ module Aspera
       # cred in http dump
       /(?<begin>(?:#{HTTP_SECRETS.join('|')}): )[^\\]+(?<end>\\)/i
     ].freeze
-    private_constant :HIDDEN_PASSWORD, :ASCP_ENV_SECRETS, :KEY_SECRETS, :ALL_SECRETS, :REGEX_LOG_REPLACES
+    private_constant :HIDDEN_PASSWORD, :ASCP_ENV_SECRETS, :KEY_SECRETS, :HTTP_SECRETS, :ALL_SECRETS, :KEY_FALSE_POSITIVES, :REGEX_LOG_REPLACES
     @log_secrets = false
     class << self
       attr_accessor :log_secrets
@@ -56,6 +58,7 @@ module Aspera
         return false unless keyword.is_a?(String) && value.is_a?(String)
         # those are not secrets
         return false if KEY_FALSE_POSITIVES.any?{|f|f.match?(keyword)}
+        return true if ADDITIONAL_KEYS_TO_HIDE.include?(keyword)
         # check if keyword (name) contains an element that designate it as a secret
         ALL_SECRETS.any?{|kw|keyword.include?(kw)}
       end

data/lib/aspera/ssh.rb

@@ -2,15 +2,22 @@
 
 require 'net/ssh'
 
-# HACK: deactivate ed25519 and ecdsa private keys from ssh identities, as it usually cause problems
-old_verbose = $VERBOSE
-$VERBOSE = nil
-begin
-  module Net; module SSH; module Authentication; class Session; private; def default_keys; %w[~/.ssh/id_dsa ~/.ssh/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_rsa]; end; end; end; end; end # rubocop:disable Layout/AccessModifierIndentation, Layout/EmptyLinesAroundAccessModifier, Layout/LineLength, Style/Semicolon
-rescue StandardError
-  # ignore errors
+if ENV.fetch('ASCLI_ENABLE_ED25519', 'false').eql?('false')
+  # HACK: deactivate ed25519 and ecdsa private keys from SSH identities, as it usually causes problems
+  old_verbose = $VERBOSE
+  $VERBOSE = nil
+  begin
+    module Net; module SSH; module Authentication; class Session; private; def default_keys; %w[~/.ssh/id_dsa ~/.ssh/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_rsa]; end; end; end; end; end # rubocop:disable Layout/AccessModifierIndentation, Layout/EmptyLinesAroundAccessModifier, Layout/LineLength, Style/Semicolon
+  rescue StandardError
+    # ignore errors
+  end
+  $VERBOSE = old_verbose
+end
+
+if RUBY_ENGINE == 'jruby' && ENV.fetch('ASCLI_ENABLE_ECDSHA2', 'false').eql?('false')
+  Net::SSH::Transport::Algorithms::ALGORITHMS.each_value { |a| a.reject! { |a| a =~ /^ecd(sa|h)-sha2/ } }
+  Net::SSH::KnownHosts::SUPPORTED_TYPE.reject! { |t| t =~ /^ecd(sa|h)-sha2/ }
 end
-$VERBOSE = old_verbose
 
 module Aspera
   # A simple wrapper around Net::SSH