bifrossht 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 7b03fe4cd0d9018b1ff90518b74d3019217aa67fc5c89225aaa34abb944b83f0
+  data.tar.gz: ff8d8cc131c39e524f1fb93638482f79e2a7f3b0db08ce73c754a3b1ab16a336
+SHA512:
+  metadata.gz: 7445e28653f35372d83dcc0d25a039bd5d50a1471495eefc7e8b2d0187ff58f003c621528faaba087f80b2638f0231b87c2d362da17b84a40ecadb2589bcaa44
+  data.tar.gz: 30fc48521df93f361c5334d943d8f65c3437366d67d184428acec1bcc3c61d2f2926443ae09b31c02e2462205ce45e9ff4cc885532fd4e84f4078fd9308c7ba7

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/Gemfile.lock

@@ -0,0 +1,23 @@
+PATH
+  remote: .
+  specs:
+    bifrossht (0.0.1)
+      gli (~> 2)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    gli (2.18.2)
+    rake (12.3.3)
+    rdoc (6.1.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bifrossht!
+  rake (~> 12)
+  rdoc (~> 6)
+
+BUNDLED WITH
+   1.16.1

data/README.md

@@ -0,0 +1,112 @@
+# bifrossht
+
+An auto-routing ssh proxy command.
+
+## What is bifrossht?
+
+`bifrossht` is a ssh `ProxyCommand` tool.
+
+It could be used to automate the configuration of ssh hopping
+in complex environments.
+
+## How does it work?
+
+With the use of `HostFilter` additional lookups and rules can be
+applied to the hostname before connecting:
+
+* Additional domain lookups
+* Lookup with hostname prefixes
+
+After the hostname lookup `bifrossht` will try to detect the hop
+for connecting to the target server.
+
+First it tries to match the hop based on configured filters:
+
+* Regex on the Hostname
+* Subnet matching on the ip-address
+
+When no explicit configuration has matched it falls back to:
+
+* Auto-probing of hops
+
+## Installation
+
+`bifrossht` is written in ruby(>= 2.0) and available from rubygems.org:
+
+```
+gem install bifrossht
+```
+
+## Configuration
+
+`bifrossht` must be configured in `~/.bifrossht.yml`:
+
+```yaml
+---
+host_filters:
+  - type: SearchDomain
+    domains:
+      - cluster-xy.provider.tld
+      - internal.provider.tld
+    prefixes:
+      - vm00
+
+connections:
+  - name: direct
+    type: Exec
+    match_addr:
+      - "192.168.0.0/24"
+      - "192.168.1.0/24"
+    parameters:
+      timeout: 1
+      command: nc %h %p
+
+  - name: dmz
+    type: Exec
+    match:
+      - "dmz.provider.tld$"
+    match_addr:
+      - "80.241.212.0/24"
+    parameters:
+      timeout: 3
+      command: ssh -W hop-dmz.internal.provider.tld
+
+  - name: internet
+    type: Exec
+    skip_probe: true
+    match:
+      - "your-server.de$"
+      - "contabo.net$"
+      - "compute.amazonaws.com$"
+      - "google.internal$"
+    parameters:
+      timeout: 5
+      command: proxytunnel -p gateway.internal.provider.tld:3128 -d %h:%p
+```
+
+Then configure the `ProxyCommand` in `~/.ssh/config`:
+
+```
+Host *
+  ProxyCommand bifrossht connect -p %p %h
+```
+
+## Troubleshooting
+
+Run the `bifrossht` command standalone and increase log level:
+
+```
+bifrossht -l debug connect host0815.internal.provider.tld
+```
+
+## Copyright
+
+2019 Markus Benning
+
+## License
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+

data/Rakefile

@@ -0,0 +1,44 @@
+require 'rake/clean'
+require 'rubygems'
+require 'rubygems/package_task'
+require 'rdoc/task'
+require 'cucumber'
+require 'cucumber/rake/task'
+Rake::RDocTask.new do |rd|
+  rd.main = "README.rdoc"
+  rd.rdoc_files.include("README.rdoc","lib/**/*.rb","bin/**/*")
+  rd.title = 'Your application title'
+end
+
+spec = eval(File.read('bifrossht.gemspec'))
+
+Gem::PackageTask.new(spec) do |pkg|
+end
+CUKE_RESULTS = 'results.html'
+CLEAN << CUKE_RESULTS
+desc 'Run features'
+Cucumber::Rake::Task.new(:features) do |t|
+  opts = "features --format html -o #{CUKE_RESULTS} --format progress -x"
+  opts += " --tags #{ENV['TAGS']}" if ENV['TAGS']
+  t.cucumber_opts =  opts
+  t.fork = false
+end
+
+desc 'Run features tagged as work-in-progress (@wip)'
+Cucumber::Rake::Task.new('features:wip') do |t|
+  tag_opts = ' --tags ~@pending'
+  tag_opts = ' --tags @wip'
+  t.cucumber_opts = "features --format html -o #{CUKE_RESULTS} --format pretty -x -s#{tag_opts}"
+  t.fork = false
+end
+
+task :cucumber => :features
+task 'cucumber:wip' => 'features:wip'
+task :wip => 'features:wip'
+require 'rake/testtask'
+Rake::TestTask.new do |t|
+  t.libs << "test"
+  t.test_files = FileList['test/*_test.rb']
+end
+
+task :default => [:test,:features]

data/bin/bifrossht

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require 'bifrossht/app'
+
+exit Bifrossht::App.run(ARGV)

data/lib/bifrossht/app.rb

@@ -0,0 +1,67 @@
+require 'gli'
+
+require 'bifrossht/version.rb'
+require 'bifrossht/errors.rb'
+require 'bifrossht/logger.rb'
+require 'bifrossht/config.rb'
+require 'bifrossht/host_filter.rb'
+require 'bifrossht/connection.rb'
+require 'bifrossht/target.rb'
+
+module Bifrossht
+  class App
+    extend GLI::App
+
+    program_desc 'SSH auto-routing proxy command'
+
+    version Bifrossht::VERSION
+
+    subcommand_option_handling :normal
+    arguments :strict
+
+    desc 'configuration file'
+    default_value '~/.bifrossht.yml'
+    arg_name 'path'
+    flag %i[c config]
+
+    desc 'log level'
+    default_value 'info'
+    arg_name 'log_level'
+    flag %i[l log_level]
+
+    desc 'connect to an target'
+    arg 'host'
+    command :connect do |c|
+      c.flag %i[p port], default_value: '22'
+      c.action do |_global_options, options, args|
+        target = Target.new(args[0], options[:port])
+
+        HostFilter.apply(target)
+        hop = Connection.find(target)
+        raise ApplicationError, 'no suitable hop found' unless hop
+
+        Logger.info("Connecting #{target.host} using #{hop.name}...")
+        hop.connect(target)
+      end
+    end
+
+    pre do |global, _command, _options, _args|
+      Logger.log_level(global[:l])
+      Config.load_config(global[:c])
+      HostFilter.register_filters(Config.host_filters)
+      Connection.register_connections(Config.connections)
+      true
+    end
+
+    post do |global, command, options, args|
+      # empty
+    end
+
+    on_error do |e|
+      raise e unless e.is_a? Bifrossht::Error
+
+      Logger.error(e.message)
+      false
+    end
+  end
+end

data/lib/bifrossht/config.rb

@@ -0,0 +1,41 @@
+require 'bifrossht/config/element'
+require 'bifrossht/config/host_filter'
+require 'bifrossht/config/connection'
+
+require 'yaml'
+
+module Bifrossht
+  class Config
+    class << self
+      attr_reader :config
+
+      def load_config(path)
+        @config = YAML.load_file(File.expand_path(path)) || {}
+      rescue Errno::ENOENT => e
+        raise ParameterError, "Configuration file: #{e.message}"
+      end
+
+      def host_filters
+        @host_filters ||= build_subconfig('host_filters', Config::HostFilter)
+      end
+
+      def connections
+        @connections ||= build_subconfig('connections', Config::Connection)
+      end
+
+      private
+
+      def build_subconfig(key, klass)
+        return [] unless @config.key?(key)
+
+        params = @config[key]
+
+        unless params.is_a? Array
+          raise ParameterError, "#{key} must be an array"
+        end
+
+        params.map { |c| klass.new(c) }
+      end
+    end
+  end
+end

data/lib/bifrossht/config/connection.rb

@@ -0,0 +1,45 @@
+module Bifrossht
+  class Config
+    class Connection < Config::Element
+      def initialize(options = {})
+        super
+
+        validate_presence 'type', 'name'
+        validate_type 'type', String
+        validate_type 'name', String
+        validate_boolean 'skip_probe'
+        validate_type 'parameters', Hash
+        validate_type 'match', Array
+        validate_type 'match_addr', Array
+      end
+
+      def type
+        @options['type']
+      end
+
+      def name
+        @options['name']
+      end
+
+      def skip_probe
+        @options['skip_probe'] || false
+      end
+
+      def parameters
+        @options['parameters'] || {}
+      end
+
+      def match
+        return [] if @options['match'].nil?
+
+        @options['match'].map { |re| Regexp.new re }
+      end
+
+      def match_addr
+        return [] if @options['match_addr'].nil?
+
+        @options['match_addr'].map { |ip| IPAddr.new ip }
+      end
+    end
+  end
+end

data/lib/bifrossht/config/element.rb

@@ -0,0 +1,34 @@
+module Bifrossht
+  class Config
+    class Element
+      def initialize(options = {})
+        @options = options
+      end
+
+      private
+
+      def validate_presence(*options)
+        options.each do |name|
+          raise ParameterError, "#{self.class.name} is missing parameter #{name}" unless @options.key?(name)
+        end
+      end
+
+      def validate_type(option, type)
+        return unless @options.key?(option)
+
+        raise ParameterError, "option #{option} for #{self.class} is not of type #{type}" unless @options[option].is_a? type
+      end
+
+      def validate_enum(option, values)
+        return unless @options.key?(option)
+
+        value = @options[option]
+        raise ParameterError, "option #{option} for #{self.class} does not allow value #{value}" unless values.include?(value)
+      end
+
+      def validate_boolean(option)
+        validate_enum(option, [true, false])
+      end
+    end
+  end
+end

data/lib/bifrossht/config/host_filter.rb

@@ -0,0 +1,26 @@
+module Bifrossht
+  class Config
+    class HostFilter < Config::Element
+      def initialize(options = {})
+        super
+
+        validate_presence 'type', 'domains'
+        validate_type 'type', String
+        validate_type 'domains', Array
+        validate_type 'prefixes', Array
+      end
+
+      def type
+        @options['type']
+      end
+
+      def domains
+        @options['domains'] || []
+      end
+
+      def prefixes
+        @options['prefixes'] || []
+      end
+    end
+  end
+end

data/lib/bifrossht/connection.rb

@@ -0,0 +1,57 @@
+require 'bifrossht/connection/base'
+#require 'bifrossht/connection/direct'
+require 'bifrossht/connection/exec'
+#require 'bifrossht/connection/http_proxy'
+
+module Bifrossht
+  class Connection
+    class << self
+      attr_reader :connections
+
+      def register_connections(connections = [])
+        connections.each { |c| register_connection(c) }
+      end
+
+      def register_connection(config)
+        @connections ||= {}
+
+        klass = build_class_name(config.type)
+        @connections[config.name] = klass.new(config)
+      end
+
+      def find(target)
+        c = match(target)
+        return c unless c.nil?
+
+        probe(target)
+      end
+
+      def match(target)
+        connections.values.select do |c|
+          c.match(target)
+        end.first
+      end
+
+      def probe(target)
+        connections.values.reject(&:skip_probe).each do |c|
+          Logger.debug("probing #{c.name}...")
+          return c if c.probe(target)
+        end
+
+        nil
+      end
+
+      def connection(hop)
+        @connections[hop]
+      end
+
+      private
+
+      def build_class_name(type)
+        Object.const_get("Bifrossht::Connection::#{type}")
+      rescue NameError => e
+        raise ParameterError, "Cant load connection: #{e.message}"
+      end
+    end
+  end
+end

data/lib/bifrossht/connection/base.rb

@@ -0,0 +1,43 @@
+module Bifrossht
+  class Connection
+    class Base
+      attr_accessor :config
+
+      def initialize(config)
+        @config = config
+      end
+
+      def name
+        config.name
+      end
+
+      def probe(_target)
+        raise 'not implemented'
+      end
+
+      def connect(_target)
+        raise 'not implemented'
+      end
+
+      def skip_probe
+        config.skip_probe
+      end
+
+      def match(target)
+        host_matches = config.match.select do |re|
+          re.match(target.host)
+        end
+        return true if host_matches.any?
+
+        if target.resolvable?
+          addr_matches = config.match_addr.select do |net|
+            net.include?(target.resolved_ip)
+          end
+          return true if addr_matches.any?
+        end
+
+        false
+      end
+    end
+  end
+end

data/lib/bifrossht/connection/exec.rb

@@ -0,0 +1,48 @@
+module Bifrossht
+  class Connection
+    class Exec < Base
+      def probe(target)
+        cmd = command(target)
+        Logger.debug("probing command: #{cmd}")
+        in_r, in_w = IO.pipe
+        io = IO.popen(['sh', '-c', cmd, in: in_w, err: '/dev/null'])
+        in_w.close
+        ready = IO.select([io], nil, nil, timeout)
+        if ready
+          banner = io.readline
+        else
+          Logger.debug('probe timed out!')
+        end
+        Process.kill('TERM', io.pid)
+        in_r.close
+        io.close
+
+        return true if banner =~ /^SSH-/
+
+        false
+      rescue EOFError
+        false
+      end
+
+      def connect(target)
+        cmd = command(target)
+        Logger.debug("executing: #{cmd}")
+        exec cmd
+      end
+
+      private
+
+      def command(target)
+        command_pattern.gsub('%h', target.host).gsub('%p', target.port.to_s)
+      end
+
+      def command_pattern
+        config.parameters['command'] || 'ssh -W %h:%p'
+      end
+
+      def timeout
+        (config.parameters['timeout'] || 3).to_i
+      end
+    end
+  end
+end

data/lib/bifrossht/errors.rb

@@ -0,0 +1,6 @@
+module Bifrossht
+  class Error < StandardError; end
+
+  class ParameterError < Error; end
+  class ApplicationError < Error; end
+end

data/lib/bifrossht/host_filter.rb

@@ -0,0 +1,38 @@
+require 'bifrossht/host_filter/base'
+require 'bifrossht/host_filter/search_domain'
+
+module Bifrossht
+  class HostFilter
+    class << self
+      attr_reader :filters
+
+      def register_filters(filters = [])
+        filters.each { |f| register_filter(f) }
+      end
+
+      def register_filter(config)
+        @filters ||= []
+
+        klass = build_class_name(config.type)
+        @filters << klass.new(config)
+      end
+
+      def apply(target)
+        filters.each do |filter|
+          next unless filter.match(target.host)
+
+          new_host = filter.apply(target.host)
+          target.rewrite(new_host)
+        end
+      end
+
+      private
+
+      def build_class_name(type)
+        Object.const_get("Bifrossht::HostFilter::#{type}")
+      rescue NameError => e
+        raise ParameterError, "Cant load host_filter: #{e.message}"
+      end
+    end
+  end
+end

data/lib/bifrossht/host_filter/base.rb

@@ -0,0 +1,19 @@
+module Bifrossht
+  class HostFilter
+    class Base
+      attr_accessor :config
+
+      def initialize(config)
+        @config = config
+      end
+
+      def match(_host)
+        false
+      end
+
+      def apply(host)
+        host
+      end
+    end
+  end
+end

data/lib/bifrossht/host_filter/search_domain.rb

@@ -0,0 +1,34 @@
+require 'resolv'
+
+module Bifrossht
+  class HostFilter
+    class SearchDomain < Base
+      def match(host)
+        host !~ /\./
+      end
+
+      def apply(host)
+        prefixes = [''] + config.prefixes
+
+        config.domains.each do |domain|
+          prefixes.each do |prefix|
+            record = "#{prefix}#{host}.#{domain}"
+
+            begin
+              address = Resolv.getaddress record
+            rescue Resolv::ResolvError => e
+              Logger.debug "SearchDomain: #{e.message}"
+            end
+
+            unless address.nil?
+              Logger.debug "SearchDomain: using #{record}"
+              return record
+            end
+          end
+        end
+
+        host
+      end
+    end
+  end
+end

data/lib/bifrossht/logger.rb

@@ -0,0 +1,42 @@
+require 'logger'
+require 'forwardable'
+
+module Bifrossht
+  class Logger
+    class << self
+      extend Forwardable
+
+      def_delegators :@logger, :debug, :info, :warn, :error, :fatal
+
+      def log_level(level = 'warn')
+        mylevel = case level
+                  when 'debug' then ::Logger::DEBUG
+                  when 'info' then ::Logger::INFO
+                  when 'warn' then ::Logger::WARN
+                  when 'error' then ::Logger::ERROR
+                  when 'fatal' then ::Logger::FATAL
+                  else
+                    raise "Unknown log-level #{level}"
+                  end
+
+        logger.level = mylevel
+      end
+
+      def logger
+        return @logger unless @logger.nil?
+
+        @logger = ::Logger.new(STDERR)
+        @logger.level = ::Logger::INFO
+        @logger.formatter = proc do |severity, _datetime, _progname, msg|
+          if severity == 'INFO'
+            "#{msg}\n"
+          else
+            "#{severity}: #{msg}\n"
+          end
+        end
+
+        @logger
+      end
+    end
+  end
+end

data/lib/bifrossht/target.rb

@@ -0,0 +1,65 @@
+require 'ipaddr'
+require 'resolv'
+
+module Bifrossht
+  class Target
+    attr_reader :entries
+    attr_reader :port
+
+    def initialize(host, port)
+      @entries = [host]
+      @port = port.to_i
+    end
+
+    def rewrite(new)
+      return if new == host
+
+      @entries.push(new)
+    end
+
+    def orig_host
+      @entries.first
+    end
+
+    def host
+      @entries.last
+    end
+
+    def to_s
+      host
+    end
+
+    def ip
+      @ip ||= IPAddr.new host
+    rescue IPAddr::InvalidAddressError
+      nil
+    end
+
+    def ip?
+      !ip.nil?
+    end
+
+    def resolved_ip
+      @resolved_ip ||= resolve_address
+    end
+
+    def resolvable?
+      !resolved_ip.nil?
+    end
+
+    private
+
+    def resolve_address
+      return ip if ip?
+
+      record = Resolv.getaddress(host)
+      return nil unless record
+
+      IPAddr.new(record)
+    rescue Resolv::ResolvError
+      nil
+    rescue IPAddr::InvalidAddressError
+      nil
+    end
+  end
+end

data/lib/bifrossht/version.rb

@@ -0,0 +1,3 @@
+module Bifrossht
+  VERSION = '0.0.1'
+end

metadata

@@ -0,0 +1,112 @@
+--- !ruby/object:Gem::Specification
+name: bifrossht
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Markus Benning
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-08-22 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6'
+- !ruby/object:Gem::Dependency
+  name: gli
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+description: 
+email: ich@markusbenning.de
+executables:
+- bifrossht
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- bin/bifrossht
+- lib/bifrossht/app.rb
+- lib/bifrossht/config.rb
+- lib/bifrossht/config/connection.rb
+- lib/bifrossht/config/element.rb
+- lib/bifrossht/config/host_filter.rb
+- lib/bifrossht/connection.rb
+- lib/bifrossht/connection/base.rb
+- lib/bifrossht/connection/exec.rb
+- lib/bifrossht/errors.rb
+- lib/bifrossht/host_filter.rb
+- lib/bifrossht/host_filter/base.rb
+- lib/bifrossht/host_filter/search_domain.rb
+- lib/bifrossht/logger.rb
+- lib/bifrossht/target.rb
+- lib/bifrossht/version.rb
+homepage: https://markusbenning.de
+licenses:
+- GPL-3.0+
+metadata: {}
+post_install_message: 
+rdoc_options:
+- "--title"
+- bifrossht
+- "--main"
+- README.md
+- "-ri"
+require_paths:
+- lib
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: SSH auto-routing proxy command
+test_files: []