bosh_cli 1.3074.0 → 1.3087.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 03a8b109ad4c55b514fb131b00bd54acde8f0ff2
-  data.tar.gz: 5249fa58417ad2159886f1331496919250b04a90
+  metadata.gz: 9baaebb2117962d1abb67eb395ba2511f70e2fab
+  data.tar.gz: a3d09e561bf02bc54b9d83862496ea116d1cce60
 SHA512:
-  metadata.gz: 22665be8b8eb91584b7240bb35ebfcc36a37bda3a08fc58e71dea069de5555d17a0c829c59ab85eaeb50656ca1f63b2997b1b13ee9f18ef7656ade0bf09d7897
-  data.tar.gz: 3bcfcb6e37d01993ab53670fe07c9ab73646faf9e0dabe263e29f56107b9edd13d754b5991d833696f244a0c9d15af4f66ae38a4b4721b527467813b7491f6e8
+  metadata.gz: c6e8bcec875f1365e972686cdb11f497f284022e7c94a1111be28c62e655ed9663e007d95082e5020afcde9698229d40ee7e6cc4f641aab17311b715d0e51cd5
+  data.tar.gz: 5590a84655a049ceca953160d4f73d17a218c0ec08179a1eed8ed517ef5834365b508efca9777fce84f8b12905e04a8c8d4f9e1210e1ae1e6949c040ab0fc705

data/lib/cli/base_command.rb

@@ -39,8 +39,14 @@ module Bosh::Cli
       end
 
       def director
-        @director ||= Bosh::Cli::Client::Director.new(
-          target, credentials, @options.select { |k, _| k == :no_track })
+        return @director if @director
+
+        director_client_options = [:no_track, :ca_cert]
+        @director = Bosh::Cli::Client::Director.new(
+          target,
+          credentials,
+          @options.select { |k, _| director_client_options.include?(k) }
+        )
       end
 
       def release
@@ -134,8 +140,9 @@ module Bosh::Cli
 
     def auth_info
       @auth_info ||= begin
-        director_client = Client::Director.new(target)
-        Client::Uaa::AuthInfo.new(director_client, ENV, config.ca_cert(target))
+        ca_cert = config.ca_cert(target)
+        director_client = Client::Director.new(target, nil, ca_cert: ca_cert)
+        Client::Uaa::AuthInfo.new(director_client, ENV, ca_cert)
       end
     end
 

data/lib/cli/client/director.rb

@@ -35,6 +35,7 @@ module Bosh
           @track_tasks         = !options.delete(:no_track)
           @num_retries         = options.fetch(:num_retries, 5)
           @retry_wait_interval = options.fetch(:retry_wait_interval, 5)
+          @ca_cert             = options[:ca_cert]
         end
 
         def uuid
@@ -292,6 +293,7 @@ module Bosh
 
           options[:payload]      = JSON.generate(payload)
           options[:content_type] = 'application/json'
+          options[:task_success_state] = :queued
 
           request_and_track(:post, url, options)
         end
@@ -728,8 +730,34 @@ module Bosh
           http_client.receive_timeout = API_TIMEOUT
           http_client.connect_timeout = CONNECT_TIMEOUT
 
-          http_client.ssl_config.verify_mode     = OpenSSL::SSL::VERIFY_NONE
-          http_client.ssl_config.verify_callback = Proc.new {}
+          if @ca_cert.nil?
+            http_client.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
+            http_client.ssl_config.verify_callback = Proc.new {}
+          else
+            unless File.exists?(@ca_cert)
+              err('Invalid ca certificate path')
+            end
+
+            parsed_url = nil
+            begin
+              parsed_url = URI.parse(uri)
+            rescue => e
+              err("Failed to parse director URL: #{e.message}")
+            end
+
+            unless parsed_url.instance_of?(URI::HTTPS)
+              err('CA certificate cannot be used with HTTP protocol')
+            end
+
+            # pass in client certificate
+            begin
+              cert_store = OpenSSL::X509::Store.new
+              cert_store.add_file(@ca_cert)
+            rescue OpenSSL::X509::StoreError
+              err('Invalid SSL Cert')
+            end
+            http_client.ssl_config.cert_store = cert_store
+          end
 
           if @credentials
             headers['Authorization'] = @credentials.authorization_header
@@ -750,6 +778,10 @@ module Bosh
                HTTPClient::KeepAliveDisconnected,
                OpenSSL::SSL::SSLError,
                OpenSSL::X509::StoreError => e
+
+          if e.is_a?(OpenSSL::SSL::SSLError) && e.message.include?('certificate verify failed')
+            err('Invalid SSL Cert')
+          end
           raise DirectorInaccessible, "cannot access director (#{e.message})"
 
         rescue HTTPClient::BadResponseError => e

data/lib/cli/commands/deployment.rb

@@ -31,7 +31,7 @@ module Bosh::Cli::Command
       end
 
       if target
-        old_director = Bosh::Cli::Client::Director.new(target, credentials)
+        old_director = Bosh::Cli::Client::Director.new(target, credentials, ca_cert: config.ca_cert)
         old_director_uuid = old_director.get_status["uuid"] rescue nil
       else
         old_director_uuid = nil
@@ -49,8 +49,9 @@ module Bosh::Cli::Command
               "Please find your director IP or hostname and target it first.")
         end
 
+        target_ca_cert = config.ca_cert(new_target_url)
         new_director = Bosh::Cli::Client::Director.new(
-          new_target_url, credentials)
+          new_target_url, credentials, ca_cert: target_ca_cert)
 
         status = new_director.get_status
 

data/lib/cli/commands/misc.rb

@@ -83,7 +83,7 @@ module Bosh::Cli::Command
       end
 
       director_url = normalize_url(director_url)
-      director = Bosh::Cli::Client::Director.new(director_url)
+      director = Bosh::Cli::Client::Director.new(director_url, nil, ca_cert: options[:ca_cert])
 
       begin
         status = director.get_status
@@ -237,7 +237,7 @@ module Bosh::Cli::Command
     end
 
     def get_director_status
-      Bosh::Cli::Client::Director.new(target, credentials).get_status
+      Bosh::Cli::Client::Director.new(target, credentials, ca_cert: config.ca_cert).get_status
     end
   end
 end

data/lib/cli/commands/ssh.rb

@@ -1,16 +1,13 @@
 require 'cli/job_command_args'
+require 'cli/ssh_session'
 
 module Bosh::Cli
   module Command
     class Ssh < Base
-      SSH_USER_PREFIX = 'bosh_'
-      SSH_DSA_PUB     = File.expand_path('~/.ssh/id_dsa.pub')
-      SSH_RSA_PUB     = File.expand_path('~/.ssh/id_rsa.pub')
 
       # bosh ssh
       usage 'ssh'
       desc 'Execute command or start an interactive session'
-      option '--public_key FILE', 'Public key'
       option '--gateway_host HOST', 'Gateway host'
       option '--gateway_user USER', 'Gateway user'
       option '--gateway_identity_file FILE', 'Gateway identity file'
@@ -46,7 +43,6 @@ module Bosh::Cli
              'Note: for download /path/to/destination is a directory'
       option '--download', 'Download file'
       option '--upload', 'Upload file'
-      option '--public_key FILE', 'Public key'
       option '--gateway_host HOST', 'Gateway host'
       option '--gateway_user USER', 'Gateway user'
       option '--gateway_identity_file FILE', 'Gateway identity file'
@@ -111,14 +107,16 @@ module Bosh::Cli
       # @param [Integer] index
       # @param [optional,String] password
       def setup_ssh(deployment_name, job, index, password)
-        user            = random_ssh_username
 
         say("Target deployment is `#{deployment_name}'")
         nl
         say('Setting up ssh artifacts')
+
+        ssh_session = SSHSession.new
+
         status, task_id = director.setup_ssh(
-          deployment_name, job, index, user,
-          public_key, encrypt_password(password))
+          deployment_name, job, index, ssh_session.user,
+          ssh_session.public_key, encrypt_password(password))
 
         unless status == :done
           err("Failed to set up SSH: see task #{task_id} log for details")
@@ -137,6 +135,8 @@ module Bosh::Cli
           end
         end
 
+        ssh_session.set_host_session(sessions.first)
+
         begin
           if options[:gateway_host]
             require 'net/ssh/gateway'
@@ -153,20 +153,17 @@ module Bosh::Cli
             gateway = nil
           end
 
-          yield sessions, user, gateway
+          yield sessions, gateway, ssh_session
         ensure
           nl
           say('Cleaning up ssh artifacts')
+          ssh_session.cleanup
           indices = sessions.map { |session| session['index'] }
-          director.cleanup_ssh(deployment_name, job, "^#{user}$", indices)
+          director.cleanup_ssh(deployment_name, job, "^#{ssh_session.user}$", indices)
           gateway.shutdown! if gateway
         end
       end
 
-      def random_ssh_username
-        SSH_USER_PREFIX + rand(36**9).to_s(36)
-      end
-
       # @param [String] job Job name
       # @param [Integer] index Job index
       def setup_interactive_shell(deployment_name, job, index)
@@ -180,7 +177,7 @@ module Bosh::Cli
           err('Please provide ssh password') if password.blank?
         end
 
-        setup_ssh(deployment_name, job, index, password) do |sessions, user, gateway|
+        setup_ssh(deployment_name, job, index, password) do |sessions, gateway, ssh_session|
           session = sessions.first
 
           unless session['status'] == 'success' && session['ip']
@@ -192,26 +189,30 @@ module Bosh::Cli
           skip_strict_host_key_checking = options[:strict_host_key_checking] =~ (/(no|false)$/i) ?
               '-o StrictHostKeyChecking=no' : '-o StrictHostKeyChecking=yes'
 
+          private_key_option = ssh_session.ssh_private_key_option
+
           if gateway
             port        = gateway.open(session['ip'], 22)
-            ssh_session = Process.spawn('ssh', "#{user}@localhost", '-p', port.to_s, skip_strict_host_key_checking)
-            Process.waitpid(ssh_session)
+            known_host_option  = ssh_session.ssh_known_host_option(port)
+            ssh_session_pid = Process.spawn('ssh', "#{ssh_session.user}@localhost", '-p', port.to_s, private_key_option, skip_strict_host_key_checking, known_host_option)
+            Process.waitpid(ssh_session_pid)
             gateway.close(port)
           else
-            ssh_session = Process.spawn('ssh', "#{user}@#{session['ip']}", skip_strict_host_key_checking)
-            Process.waitpid(ssh_session)
+            known_host_option = ssh_session.ssh_known_host_option(nil)
+            ssh_session_pid = Process.spawn('ssh', "#{ssh_session.user}@#{session['ip']}", private_key_option, skip_strict_host_key_checking, known_host_option)
+            Process.waitpid(ssh_session_pid)
           end
         end
       end
 
       def perform_operation(operation, deployment_name, job, index, args)
-        setup_ssh(deployment_name, job, index, options[:default_password]) do |sessions, user, gateway|
+        setup_ssh(deployment_name, job, index, options[:default_password]) do |sessions, gateway, ssh_session|
           sessions.each do |session|
             unless session['status'] == 'success' && session['ip']
               err("Failed to set up SSH on #{job}/#{index}: #{session.inspect}")
             end
 
-            with_ssh(user, session['ip'], gateway) do |ssh|
+            with_ssh(session['ip'], ssh_session, gateway) do |ssh|
               case operation
                 when :exec
                   nl
@@ -232,40 +233,24 @@ module Bosh::Cli
         end
       end
 
-      # @return [String] Public key
-      def public_key
-        public_key_path = options[:public_key]
-
-        if public_key_path
-          unless File.file?(public_key_path)
-            err("Can't find file `#{public_key_path}'")
-          end
-          return File.read(public_key_path)
-        else
-          %x[ssh-add -L 1>/dev/null 2>&1]
-          if $?.exitstatus == 0
-            return %x[ssh-add -L].split("\n").first
-          else
-            [SSH_DSA_PUB, SSH_RSA_PUB].each do |key_file|
-              return File.read(key_file) if File.file?(key_file)
-            end
-          end
-        end
-
-        err('Please specify a public key file')
-      end
-
       # @param [String] user
       # @param [String] ip
       # @param [optional, Net::SSH::Gateway] gateway
       # @yield [Net::SSH]
-      def with_ssh(user, ip, gateway = nil)
+      def with_ssh(ip, ssh_session, gateway = nil)
         require 'net/scp'
+        options = { :keys => ssh_session.ssh_private_key_path }
         if gateway
-          gateway.ssh(ip, user) { |ssh| yield ssh }
+          gateway.ssh(ip, ssh_session.user, options) { |ssh| yield ssh }
         else
           require 'net/ssh'
-          Net::SSH.start(ip, user) { |ssh| yield ssh }
+
+          known_host_path = ssh_session.ssh_known_host_path(nil)
+          if known_host_path.length > 0
+            options[:user_known_hosts_file] = known_host_path
+          end
+
+          Net::SSH.start(ip, ssh_session.user, options) { |ssh| yield ssh }
         end
       end
     end

data/lib/cli/config.rb

@@ -218,10 +218,11 @@ module Bosh::Cli
     end
 
 
-    def save_ca_cert_path(cert_path)
+    def save_ca_cert_path(cert_path, for_target=nil)
       expanded_path = cert_path ? File.expand_path(cert_path) : nil
+      cert_target = for_target || target
       @config_file['ca_cert'] ||= {}
-      @config_file['ca_cert'][target] = expanded_path
+      @config_file['ca_cert'][cert_target] = expanded_path
 
       expanded_path
     end

data/lib/cli/ssh_session.rb

@@ -0,0 +1,116 @@
+require 'sshkey'
+
+module Bosh::Cli
+  class SSHSession
+
+    SSH_USER_PREFIX     = 'bosh_'
+
+    attr_reader :public_key, :user
+
+    def initialize
+      @session_uuid = SecureRandom::uuid
+      @public_key = generate_rsa_key
+      @user = random_ssh_username
+    end
+
+    def set_host_session(session)
+      @host_session = session
+    end
+
+    def ssh_known_host_option(port)
+      path = user_known_host_path(port)
+      if path.length > 0
+        path = "-o UserKnownHostsFile=#{path}"
+      end
+      return path
+    end
+
+    def ssh_known_host_path(port)
+      user_known_host_path(port)
+    end
+
+    def ssh_private_key_option
+      "-i#{ssh_private_key_path}"
+    end
+
+    def ssh_private_key_path
+      File.join(ENV['HOME'], '.bosh', 'tmp', "#{@session_uuid}_key")
+    end
+
+    def cleanup
+      remove_private_key
+      remove_known_host_file
+    end
+
+    private
+
+    def generate_rsa_key
+      key = SSHKey.generate(
+          type:       "RSA",
+          bits:       2048,
+          comment:    "bosh-ssh",
+      )
+      add_private_key(key.private_key)
+      return key.ssh_public_key
+    end
+
+    def remove_private_key
+      file_name = private_key_file_name
+      FileUtils.rm_rf(file_name) if File.exist?(file_name)
+    end
+
+    def private_key_file_name
+      File.join(ENV['HOME'], '.bosh', 'tmp', "#{@session_uuid}_key")
+    end
+
+    def add_private_key(private_key)
+      file_name = private_key_file_name
+      create_dir_for_file(file_name)
+
+      key_File = File.new(file_name, "w", 0400)
+      key_File.puts(private_key)
+      key_File.close
+    end
+
+    def random_ssh_username
+      SSH_USER_PREFIX + rand(36**9).to_s(36)
+    end
+
+    def user_known_host_path(gatewayPort)
+      if @host_session.include?('host_public_key')
+        hostEntryIP =  if gatewayPort then "[localhost]:#{gatewayPort}" else @host_session['ip'] end
+        hostEntry = "#{hostEntryIP} #{@host_session['host_public_key']}"
+        add_known_host_file(hostEntry)
+        return known_host_file_path
+      else
+        return String.new
+      end
+    end
+
+    def known_host_file_path
+      File.join(ENV['HOME'], '.bosh', 'tmp', "#{@session_uuid}_known_hosts")
+    end
+
+    def add_known_host_file(hostEntry)
+      file_name = known_host_file_path
+
+      create_dir_for_file(file_name)
+
+      known_host_file = File.new(file_name, "w")
+      known_host_file.puts(hostEntry)
+      known_host_file.close
+    end
+
+    def remove_known_host_file
+      file_name = known_host_file_path
+      FileUtils.rm_rf(file_name) if File.exist?(file_name)
+    end
+
+    def create_dir_for_file(file_name)
+      dirname = File.dirname(file_name)
+      unless File.directory?(dirname)
+        FileUtils.mkdir_p(dirname)
+      end
+    end
+  end
+end

data/lib/cli/task_tracking/task_tracker.rb

@@ -13,6 +13,7 @@ module Bosh::Cli::TaskTracking
     def initialize(director, task_id, options = {})
       @director = director
       @task_id = task_id
+      @task_success_state = options[:task_success_state] || :done
       @options = options
 
       @quiet = !!options[:quiet]
@@ -139,7 +140,7 @@ module Bosh::Cli::TaskTracking
     end
 
     def finished?(state)
-      'done error cancelled'.include?(state)
+      "#{@task_success_state} error cancelled".include?(state)
     end
 
     def interactive?

data/lib/cli/version.rb

@@ -1,5 +1,5 @@
 module Bosh
   module Cli
-    VERSION = '1.3074.0'
+    VERSION = '1.3087.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bosh_cli
 version: !ruby/object:Gem::Version
-  version: 1.3074.0
+  version: 1.3087.0
 platform: ruby
 authors:
 - VMware
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-09-19 00:00:00.000000000 Z
+date: 2015-09-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bosh_common
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3074.0
+        version: 1.3087.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3074.0
+        version: 1.3087.0
 - !ruby/object:Gem::Dependency
   name: bosh-template
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3074.0
+        version: 1.3087.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3074.0
+        version: 1.3087.0
 - !ruby/object:Gem::Dependency
   name: cf-uaa-lib
   requirement: !ruby/object:Gem::Requirement
@@ -128,14 +128,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3074.0
+        version: 1.3087.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3074.0
+        version: 1.3087.0
 - !ruby/object:Gem::Dependency
   name: net-ssh
   requirement: !ruby/object:Gem::Requirement
@@ -206,6 +206,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.5.4
+- !ruby/object:Gem::Dependency
+  name: sshkey
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.7.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.7.0
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -412,6 +426,7 @@ files:
 - lib/cli/resurrection.rb
 - lib/cli/runner.rb
 - lib/cli/source_control/git_ignore.rb
+- lib/cli/ssh_session.rb
 - lib/cli/stemcell.rb
 - lib/cli/task_tracking.rb
 - lib/cli/task_tracking/event_log_renderer.rb