net-ssh 5.0.2 → 7.0.1

data/lib/net/ssh/config.rb

@@ -1,6 +1,5 @@
 module Net
   module SSH
-
     # The Net::SSH::Config class is used to parse OpenSSH configuration files,
     # and translates that syntax into the configuration syntax that Net::SSH
     # understands. This lets Net::SSH scripts read their configuration (to
@@ -11,6 +10,7 @@ module Net
     #
     # * ChallengeResponseAuthentication => maps to the :auth_methods option challenge-response (then coleasced into keyboard-interactive)
     # * KbdInteractiveAuthentication => maps to the :auth_methods keyboard-interactive
+    # * CertificateFile => maps to the :keycerts option
     # * Ciphers => maps to the :encryption option
     # * Compression => :compression
     # * CompressionLevel => :compression_level
@@ -22,7 +22,9 @@ module Net
     # * HostKeyAlias => :host_key_alias
     # * HostName => :host_name
     # * IdentityFile => maps to the :keys option
+    # * IdentityAgent => :identity_agent
     # * IdentitiesOnly => :keys_only
+    # * CheckHostIP => :check_host_ip
     # * Macs => maps to the :hmac option
     # * PasswordAuthentication => maps to the :auth_methods option password
     # * Port => :port
@@ -31,6 +33,7 @@ module Net
     # * ProxyJump => maps to the :proxy option
     # * PubKeyAuthentication => maps to the :auth_methods option
     # * RekeyLimit => :rekey_limit
+    # * StrictHostKeyChecking => :verify_host_key
     # * User => :user
     # * UserKnownHostsFile => :user_known_hosts_file
     # * NumberOfPasswordPrompts => :number_of_password_prompts
@@ -62,7 +65,7 @@ module Net
         # given +files+ (defaulting to the list of files returned by
         # #default_files), translates the resulting hash into the options
         # recognized by Net::SSH, and returns them.
-        def for(host, files=expandable_default_files)
+        def for(host, files = expandable_default_files)
           translate(files.inject({}) { |settings, file|
             load(file, host, settings)
           })
@@ -74,7 +77,7 @@ module Net
         # ones. Returns a hash containing the OpenSSH options. (See
         # #translate for how to convert the OpenSSH options into Net::SSH
         # options.)
-        def load(path, host, settings={}, base_dir = nil)
+        def load(path, host, settings = {}, base_dir = nil)
           file = File.expand_path(path)
           base_dir ||= File.dirname(file)
           return settings unless File.readable?(file)
@@ -95,7 +98,7 @@ module Net
             next if value.nil?
 
             key.downcase!
-            value = $1 if value =~ /^"(.*)"$/
+            value = unquote(value)
 
             value = case value.strip
                     when /^\d+$/ then value.to_i
@@ -126,7 +129,7 @@ module Net
               block_seen = true
             elsif !block_seen
               case key
-              when 'identityfile'
+              when 'identityfile', 'certificatefile'
                 (globals[key] ||= []) << value
               when 'include'
                 included_file_paths(base_dir, value).each do |file_path|
@@ -137,7 +140,7 @@ module Net
               end
             elsif block_matched
               case key
-              when 'identityfile'
+              when 'identityfile', 'certificatefile'
                 (settings[key] ||= []) << value
               when 'include'
                 included_file_paths(base_dir, value).each do |file_path|
@@ -147,11 +150,18 @@ module Net
                 settings[key] = value unless settings.key?(key)
               end
             end
+
+            # ProxyCommand and ProxyJump override each other so they need to be tracked togeather
+            %w[proxyjump proxycommand].each do |proxy_key|
+              if (proxy_value = settings.delete(proxy_key))
+                settings['proxy'] ||= [proxy_key, proxy_value]
+              end
+            end
           end
 
           globals.merge(settings) do |key, oldval, newval|
             case key
-            when 'identityfile'
+            when 'identityfile', 'certificatefile'
               oldval + newval
             else
               newval
@@ -175,34 +185,57 @@ module Net
         # Filters default_files down to the files that are expandable.
         def expandable_default_files
           default_files.keep_if do |path|
-            begin
-              File.expand_path(path)
-              true
-            rescue ArgumentError
-              false
-            end
+            File.expand_path(path)
+            true
+          rescue ArgumentError
+            false
           end
         end
 
         private
 
+        def translate_verify_host_key(value)
+          case value
+          when false
+            :never
+          when true
+            :always
+          when 'accept-new'
+            :accept_new
+          end
+        end
+
+        def translate_keepalive(hash, value)
+          if value && value.to_i > 0
+            hash[:keepalive] = true
+            hash[:keepalive_interval] = value.to_i
+          else
+            hash[:keepalive] = false
+          end
+        end
+
+        TRANSLATE_CONFIG_KEY_RENAME_MAP = {
+          bindaddress: :bind_address,
+          compression: :compression,
+          compressionlevel: :compression_level,
+          certificatefile: :keycerts,
+          connecttimeout: :timeout,
+          forwardagent: :forward_agent,
+          identitiesonly: :keys_only,
+          identityagent: :identity_agent,
+          globalknownhostsfile: :global_known_hosts_file,
+          hostkeyalias: :host_key_alias,
+          identityfile: :keys,
+          fingerprinthash: :fingerprint_hash,
+          port: :port,
+          user: :user,
+          userknownhostsfile: :user_known_hosts_file,
+          checkhostip: :check_host_ip
+        }.freeze
         def translate_config_key(hash, key, value, settings)
-          rename = {
-            bindaddress: :bind_address,
-            compression: :compression,
-            compressionlevel: :compression_level,
-            connecttimeout: :timeout,
-            forwardagent: :forward_agent,
-            identitiesonly: :keys_only,
-            globalknownhostsfile: :global_known_hosts_file,
-            hostkeyalias: :host_key_alias,
-            identityfile: :keys,
-            fingerprinthash: :fingerprint_hash,
-            port: :port,
-            user: :user,
-            userknownhostsfile: :user_known_hosts_file
-          }
           case key
+          when :stricthostkeychecking
+            hash[:verify_host_key] = translate_verify_host_key(value)
           when :ciphers
             hash[:encryption] = value.split(/,/)
           when :hostbasedauthentication
@@ -220,12 +253,7 @@ module Net
           when :serveralivecountmax
             hash[:keepalive_maxcount] = value.to_i if value
           when :serveraliveinterval
-            if value && value.to_i > 0
-              hash[:keepalive] = true
-              hash[:keepalive_interval] = value.to_i
-            else
-              hash[:keepalive] = false
-            end
+            translate_keepalive(hash, value)
           when :passwordauthentication
             if value
               (hash[:auth_methods] << 'password').uniq!
@@ -246,15 +274,9 @@ module Net
             end
           when :preferredauthentications
             hash[:auth_methods] = value.split(/,/) # TODO we should place to preferred_auth_methods rather than auth_methods
-          when :proxycommand
-            if value and value !~ /^none$/
-              require 'net/ssh/proxy/command'
-              hash[:proxy] = Net::SSH::Proxy::Command.new(value)
-            end
-          when :proxyjump
-            if value
-              require 'net/ssh/proxy/jump'
-              hash[:proxy] = Net::SSH::Proxy::Jump.new(value)
+          when :proxy
+            if (proxy = setup_proxy(*value))
+              hash[:proxy] = proxy
             end
           when :pubkeyauthentication
             if value
@@ -267,10 +289,25 @@ module Net
           when :sendenv
             multi_send_env = value.to_s.split(/\s+/)
             hash[:send_env] = multi_send_env.map { |e| Regexp.new pattern2regex(e).source, false }
+          when :setenv
+            hash[:set_env] = Shellwords.split(value.to_s).map { |e| e.split '=', 2 }.to_h
           when :numberofpasswordprompts
             hash[:number_of_password_prompts] = value.to_i
-          when *rename.keys
-            hash[rename[key]] = value
+          when *TRANSLATE_CONFIG_KEY_RENAME_MAP.keys
+            hash[TRANSLATE_CONFIG_KEY_RENAME_MAP[key]] = value
+          end
+        end
+
+        def setup_proxy(type, value)
+          case type
+          when 'proxycommand'
+            if value !~ /^none$/
+              require 'net/ssh/proxy/command'
+              Net::SSH::Proxy::Command.new(value)
+            end
+          when 'proxyjump'
+            require 'net/ssh/proxy/jump'
+            Net::SSH::Proxy::Jump.new(value)
           end
         end
 
@@ -278,9 +315,9 @@ module Net
         # host names.
         def pattern2regex(pattern)
           tail = pattern
-          prefix = ""
+          prefix = String.new
           while !tail.empty? do
-            head,sep,tail = tail.partition(/[\*\?]/)
+            head, sep, tail = tail.partition(/[\*\?]/)
             prefix = prefix + Regexp.quote(head)
             case sep
             when '*'
@@ -326,12 +363,17 @@ module Net
         end
 
         def eval_match_conditions(condition, host, settings)
-          conditions = condition.split(/\s+/)
+          # Not using `\s` for whitespace matching as canonical
+          # ssh_config parser implementation (OpenSSH) has specific character set.
+          # Ref: https://github.com/openssh/openssh-portable/blob/2581333d564d8697837729b3d07d45738eaf5a54/misc.c#L237-L239
+          conditions = condition.split(/[ \t\r\n]+|(?<!=)=(?!=)/).reject(&:empty?)
           return true if conditions == ["all"]
 
           conditions = conditions.each_slice(2)
-          matching = true
-          conditions.each do |(kind,exprs)|
+          condition_matches = []
+          conditions.each do |(kind, exprs)|
+            exprs = unquote(exprs)
+
             case kind.downcase
             when "all"
               raise "all cannot be mixed with other conditions"
@@ -346,15 +388,19 @@ module Net
               exprs.split(",").each do |expr|
                 condition_met = condition_met || host =~ pattern2regex(expr)
               end
-              matching = matching && negated ^ condition_met
+              condition_matches << (true && negated ^ condition_met)
               # else
               # warn "net-ssh: Unsupported expr in Match block: #{kind}"
             end
           end
-          matching
+
+          !condition_matches.empty? && condition_matches.all?
+        end
+
+        def unquote(string)
+          string =~ /^"(.*)"$/ ? Regexp.last_match(1) : string
         end
       end
     end
-
   end
 end