openbolt 5.0.0.rc1

data/lib/bolt/transport/ssh/connection.rb

@@ -0,0 +1,321 @@
+# frozen_string_literal: true
+
+require 'logging'
+require 'shellwords'
+require_relative '../../../bolt/node/errors'
+require_relative '../../../bolt/node/output'
+require_relative '../../../bolt/util'
+
+module Bolt
+  module Transport
+    class SSH < Simple
+      class Connection
+        attr_reader :logger, :user, :target
+
+        def initialize(target, transport_logger)
+          # lazy-load expensive gem code
+          require 'net/ssh'
+          require 'net/ssh/proxy/jump'
+
+          raise Bolt::ValidationError, "Target #{target.safe_name} does not have a host" unless target.host
+
+          @target = target
+          @load_config = target.options['load-config']
+
+          ssh_config = @load_config ? Net::SSH::Config.for(target.host) : {}
+          @user = @target.user || ssh_config[:user] || Etc.getlogin
+          @strict_host_key_checking = ssh_config[:strict_host_key_checking]
+
+          @logger = Bolt::Logger.logger(@target.safe_name)
+          @transport_logger = transport_logger
+          @logger.trace("Initializing ssh connection to #{@target.safe_name}")
+
+          if target.options['private-key'].instance_of?(String)
+            begin
+              Bolt::Util.validate_file('ssh key', target.options['private-key'])
+            rescue Bolt::FileError => e
+              Bolt::Logger.warn("invalid_ssh_key", e.msg)
+            end
+          end
+        end
+
+        def connect
+          options = {
+            logger: @transport_logger,
+            non_interactive: true
+          }
+
+          if (key = target.options['private-key'])
+            if key.instance_of?(String)
+              options[:keys] = key
+            else
+              options[:key_data] = [key['key-data']]
+            end
+          end
+
+          options[:port] = target.port if target.port
+          options[:password] = target.password if target.password
+          # Support both net-ssh 4 and 5. We use 5 in packaging, but Beaker pins to 4 so we
+          # want the gem to be compatible with version 4.
+          options[:verify_host_key] = if target.options['host-key-check'].nil?
+                                        # Fall back to SSH behavior. This variable will only be set in net-ssh 5.3+.
+                                        if @strict_host_key_checking.nil? || @strict_host_key_checking
+                                          net_ssh_verifier(:always)
+                                        else
+                                          # SSH's behavior with StrictHostKeyChecking=no: adds new keys to known_hosts.
+                                          # If known_hosts points to /dev/null, then equivalent to :never where it
+                                          # accepts any key beacuse they're all new.
+                                          net_ssh_verifier(:accept_new_or_tunnel_local)
+                                        end
+                                      elsif target.options['host-key-check']
+                                        net_ssh_verifier(:always)
+                                      else
+                                        net_ssh_verifier(:never)
+                                      end
+          options[:timeout] = target.options['connect-timeout'] if target.options['connect-timeout']
+
+          options[:proxy] = Net::SSH::Proxy::Jump.new(target.options['proxyjump']) if target.options['proxyjump']
+
+          # Override the default supported algorithms for net-ssh. By default, a subset of supported algorithms
+          # are enabled in 6.x, while several are deprecated and not enabled by default. The *-algorithms
+          # options can be used to specify a list of algorithms to enable in net-ssh. Any algorithms not in the
+          # list are disabled, including ones that are normally enabled by default. Support for deprecated
+          # algorithms will be removed in 7.x.
+          # https://github.com/net-ssh/net-ssh#supported-algorithms
+          if target.options['encryption-algorithms']
+            options[:encryption] = net_ssh_algorithms(:encryption, target.options['encryption-algorithms'])
+          end
+
+          if target.options['host-key-algorithms']
+            options[:host_key] = net_ssh_algorithms(:host_key, target.options['host-key-algorithms'])
+          end
+
+          if target.options['kex-algorithms']
+            options[:kex] = net_ssh_algorithms(:kex, target.options['kex-algorithms'])
+          end
+
+          if target.options['mac-algorithms']
+            options[:hmac] = net_ssh_algorithms(:hmac, target.options['mac-algorithms'])
+          end
+
+          # This option was to address discrepency betwen net-ssh host-key-check and ssh(1)
+          # For the net-ssh 5.x series it defaults to true, in 6.x it will default to false, and will be removed in 7.x
+          # https://github.com/net-ssh/net-ssh/pull/663#issuecomment-469979931
+          options[:check_host_ip] = false if Net::SSH::VALID_OPTIONS.include?(:check_host_ip)
+
+          if @load_config
+            # Mirroring:
+            # https://github.com/net-ssh/net-ssh/blob/master/lib/net/ssh/authentication/agent.rb#L80
+            # https://github.com/net-ssh/net-ssh/blob/master/lib/net/ssh/authentication/pageant.rb#L403
+            if defined?(UNIXSocket) && UNIXSocket
+              if ENV['SSH_AUTH_SOCK'].to_s.empty?
+                @logger.debug { "Disabling use_agent in net-ssh: ssh-agent is not available" }
+                options[:use_agent] = false
+              end
+            elsif Bolt::Util.windows?
+              pageant = Net::SSH::Authentication::Pageant::Win.FindWindow("Pageant", "Pageant")
+              # If pageant is not running
+              if pageant.to_i == 0
+                @logger.debug { "Disabling use_agent in net-ssh: pageant process not running" }
+                options[:use_agent] = false
+              end
+            end
+          else
+            # Disable ssh config and ssh-agent if requested via load_config
+            options[:config] = false
+            options[:use_agent] = false
+          end
+
+          @session = Net::SSH.start(target.host, @user, options)
+          validate_ssh_version
+          @logger.trace { "Opened session" }
+        rescue Net::SSH::AuthenticationFailed => e
+          raise Bolt::Node::ConnectError.new(
+            e.message,
+            'AUTH_ERROR'
+          )
+        rescue Net::SSH::HostKeyError => e
+          raise Bolt::Node::ConnectError.new(
+            "Host key verification failed for #{target.safe_name}: #{e.message}",
+            'HOST_KEY_ERROR'
+          )
+        rescue Net::SSH::ConnectionTimeout
+          raise Bolt::Node::ConnectError.new(
+            "Timeout after #{target.options['connect-timeout']} seconds connecting to #{target.safe_name}",
+            'CONNECT_ERROR'
+          )
+        rescue StandardError => e
+          raise Bolt::Node::ConnectError.new(
+            "Failed to connect to #{target.safe_name}: #{e.message}",
+            'CONNECT_ERROR'
+          )
+        end
+
+        def disconnect
+          if @session && !@session.closed?
+            begin
+              Timeout.timeout(@target.options['disconnect-timeout']) { @session.close }
+            rescue Timeout::Error
+              @session.shutdown!
+            end
+            @logger.trace { "Closed session" }
+          end
+        end
+
+        def execute(command_str)
+          in_rd, in_wr = IO.pipe
+          out_rd, out_wr = IO.pipe
+          err_rd, err_wr = IO.pipe
+          th = Thread.new do
+            exit_code = nil
+            session_channel = @session.open_channel do |channel|
+              # Request a pseudo tty
+              channel.request_pty if target.options['tty']
+
+              channel.exec(command_str) do |_, success|
+                unless success
+                  raise Bolt::Node::ConnectError.new(
+                    "Could not execute command: #{command_str.inspect}",
+                    'EXEC_ERROR'
+                  )
+                end
+
+                channel.on_data do |_, data|
+                  out_wr << data
+                end
+
+                channel.on_extended_data do |_, _, data|
+                  err_wr << data
+                end
+
+                channel.on_request("exit-status") do |_, data|
+                  exit_code = data.read_long
+                end
+              end
+            end
+            write_th = Thread.new do
+              chunk_size = 4096
+              eof = false
+              active = true
+              readable = false
+              while active && !eof
+                @session.loop(0.1) do
+                  active = session_channel.active?
+                  readable = select([in_rd], [], [], 0)
+                  # Loop as long as the channel is still live and there's nothing to be written
+                  active && !readable
+                end
+                if readable
+                  if in_rd.eof?
+                    session_channel.eof!
+                    eof = true
+                  else
+                    to_write = in_rd.readpartial(chunk_size)
+                    session_channel.send_data(to_write)
+                  end
+                end
+              end
+              session_channel.wait
+            end
+            write_th.join
+            exit_code
+          ensure
+            write_th.terminate
+            in_rd.close
+            out_wr.close
+            err_wr.close
+          end
+          [in_wr, out_rd, err_rd, th]
+        rescue Errno::EMFILE => e
+          msg = "#{e.message}. This might be resolved by increasing your user limit "\
+            "with 'ulimit -n 1024'. See https://puppet.com/docs/bolt/latest/bolt_known_issues.html for details."
+          raise Bolt::Error.new(msg, 'bolt/too-many-files')
+        end
+
+        def upload_file(source, destination)
+          # Do not log wrapper script content
+          @logger.trace { "Uploading #{source} to #{destination}" } unless source.is_a?(StringIO)
+          @session.scp.upload!(source, destination, recursive: true)
+        rescue StandardError => e
+          raise Bolt::Node::FileError.new(e.message, 'WRITE_ERROR')
+        end
+
+        def download_file(source, destination, _download)
+          # Do not log wrapper script content
+          @logger.trace { "Downloading #{source} to #{destination}" }
+          @session.scp.download!(source, destination, recursive: true)
+        rescue StandardError => e
+          raise Bolt::Node::FileError.new(e.message, 'WRITE_ERROR')
+        end
+
+        # This handles renaming Net::SSH verifiers between version 4.x and 5.x
+        # of the gem
+        def net_ssh_verifier(verifier)
+          case verifier
+          when :always
+            if defined?(Net::SSH::Verifiers::Always)
+              Net::SSH::Verifiers::Always.new
+            else
+              Net::SSH::Verifiers::Secure.new
+            end
+          when :never
+            if defined?(Net::SSH::Verifiers::Never)
+              Net::SSH::Verifiers::Never.new
+            else
+              Net::SSH::Verifiers::Null.new
+            end
+          when :accept_new_or_tunnel_local
+            if defined?(Net::SSH::Verifiers::AcceptNewOrLocalTunnel)
+              Net::SSH::Verifiers::AcceptNewOrLocalTunnel.new
+            else
+              Net::SSH::Verifiers::Lenient.new
+            end
+          end
+        end
+
+        # Add all default algorithms if the 'defaults' key is present and filter
+        # out any unsupported algorithms.
+        def net_ssh_algorithms(type, algorithms)
+          if algorithms.include?('defaults')
+            defaults = Net::SSH::Transport::Algorithms::DEFAULT_ALGORITHMS[type]
+            algorithms += defaults
+          end
+
+          known = Net::SSH::Transport::Algorithms::ALGORITHMS[type]
+
+          algorithms & known
+        end
+
+        def shell
+          @shell ||= if target.options['login-shell'] == 'powershell'
+                       Bolt::Shell::Powershell.new(target, self)
+                     else
+                       Bolt::Shell::Bash.new(target, self)
+                     end
+        end
+
+        # This is used by the Bash shell to decide whether to `cd` before
+        # executing commands as a run-as user
+        def reset_cwd?
+          true
+        end
+
+        def max_command_length
+          if target.options['login-shell'] == 'powershell'
+            32000
+          end
+        end
+
+        def validate_ssh_version
+          remote_version = @session.transport.server_version.version
+          return unless target.options['login-shell'] && remote_version
+
+          match = remote_version.match(/OpenSSH_for_Windows_(\d+\.\d+)/)
+          if match && match[1].to_f < 7.9
+            raise "Powershell over SSH requires OpenSSH server >= 7.9, target is running #{match[1]}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bolt/transport/ssh/exec_connection.rb

@@ -0,0 +1,140 @@
+# frozen_string_literal: true
+
+require 'open3'
+
+module Bolt
+  module Transport
+    class SSH < Simple
+      class ExecConnection
+        attr_reader :user, :target
+
+        def initialize(target)
+          raise Bolt::ValidationError, "Target #{target.safe_name} does not have a host" unless target.host
+
+          @target = target
+          begin
+            ssh_config = Net::SSH::Config.for(target.host)
+            @user = @target.user || ssh_config[:user] || Etc.getlogin
+          rescue StandardError
+            @user = @target.user || Etc.getlogin
+          end
+          @logger = Bolt::Logger.logger(self)
+        end
+
+        # This is used to verify we can connect to targets with `connected?`
+        def connect
+          cmd = build_ssh_command('exit')
+          _, err, stat = Open3.capture3(*cmd)
+          unless stat.success?
+            raise Bolt::Node::ConnectError.new(
+              "Failed to connect to #{@target.safe_name}: #{err}",
+              'CONNECT_ERROR'
+            )
+          end
+        end
+
+        def disconnect; end
+
+        def shell
+          Bolt::Shell::Bash.new(@target, self)
+        end
+
+        def userhost
+          "#{@user}@#{@target.host}"
+        end
+
+        def ssh_opts
+          # NOTE: not all commands we might use here support various `-o` options,
+          # always provide a way to run without them.
+          cmd = []
+          # BatchMode is SSH's noninteractive option: if key authentication
+          # fails it will error out instead of falling back to password prompt
+          cmd += %w[-o BatchMode=yes] if @target.transport_config['batch-mode']
+
+          cmd += %W[-o Port=#{@target.port}] if @target.port
+
+          if @target.transport_config.key?('host-key-check')
+            hkc = @target.transport_config['host-key-check'] ? 'yes' : 'no'
+            cmd += %W[-o StrictHostKeyChecking=#{hkc}]
+          end
+
+          if (key = target.transport_config['private-key'])
+            cmd += ['-i', key]
+          end
+          cmd
+        end
+
+        def build_ssh_command(command)
+          ssh_conf = @target.transport_config['ssh-command'] || 'ssh'
+          ssh_cmd = Array(ssh_conf)
+          ssh_cmd += ssh_opts
+          ssh_cmd << userhost
+          # Add option separator before command for wrappers around SSH
+          ssh_cmd << '--'
+          ssh_cmd << command
+        end
+
+        def upload_file(source, dest)
+          @logger.trace { "Uploading #{source} to #{dest}" } unless source.is_a?(StringIO)
+
+          cp_conf = @target.transport_config['copy-command'] || ["scp", "-r"]
+          cp_cmd = Array(cp_conf)
+          cp_cmd += ssh_opts
+
+          _, err, stat = if source.is_a?(StringIO)
+                           Tempfile.create(File.basename(dest)) do |f|
+                             f.write(source.read)
+                             f.close
+                             cp_cmd << f.path
+                             cp_cmd << "#{userhost}:#{Shellwords.escape(dest)}"
+                             Open3.capture3(*cp_cmd)
+                           end
+                         else
+                           cp_cmd << source
+                           cp_cmd << "#{userhost}:#{Shellwords.escape(dest)}"
+                           Open3.capture3(*cp_cmd)
+                         end
+
+          if stat.success?
+            @logger.trace "Successfully uploaded #{source} to #{dest}"
+          else
+            message = "Could not copy file to #{dest}: #{err}"
+            raise Bolt::Node::FileError.new(message, 'COPY_ERROR')
+          end
+        end
+
+        def download_file(source, dest, _download)
+          @logger.trace { "Downloading #{userhost}:#{source} to #{dest}" }
+
+          FileUtils.mkdir_p(dest)
+
+          cp_conf = @target.transport_config['copy-command'] || ["scp", "-r"]
+          cp_cmd = Array(cp_conf)
+          cp_cmd += ssh_opts
+          cp_cmd << "#{userhost}:#{Shellwords.escape(source)}"
+          cp_cmd << dest
+
+          _, err, stat = Open3.capture3(*cp_cmd)
+
+          if stat.success?
+            @logger.trace "Successfully downloaded #{userhost}:#{source} to #{dest}"
+          else
+            message = "Could not copy file to #{dest}: #{err}"
+            raise Bolt::Node::FileError.new(message, 'COPY_ERROR')
+          end
+        end
+
+        def execute(command)
+          cmd_array = build_ssh_command(command)
+          Open3.popen3(*cmd_array)
+        end
+
+        # This is used by the Bash shell to decide whether to `cd` before
+        # executing commands as a run-as user
+        def reset_cwd?
+          true
+        end
+      end
+    end
+  end
+end

data/lib/bolt/transport/ssh.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require_relative '../../bolt/logger'
+require_relative '../../bolt/node/errors'
+require_relative '../../bolt/transport/simple'
+
+module Bolt
+  module Transport
+    class SSH < Simple
+      def initialize
+        super
+
+        require 'net/ssh'
+        require 'net/scp'
+        begin
+          require 'net/ssh/krb'
+        rescue LoadError
+          logger.debug("Authentication method 'gssapi-with-mic' (Kerberos) is not available.")
+        end
+        @transport_logger = Bolt::Logger.logger(Net::SSH)
+        @transport_logger.level = :warn
+      end
+
+      def with_connection(target)
+        if target.transport_config['ssh-command'] && !target.transport_config['native-ssh']
+          Bolt::Logger.warn_once("native_ssh_disabled", "native-ssh must be true to use ssh-command")
+        end
+
+        conn = if target.transport_config['native-ssh']
+                 ExecConnection.new(target)
+               else
+                 Connection.new(target, @transport_logger)
+               end
+        conn.connect
+        yield conn
+      ensure
+        begin
+          conn&.disconnect
+        rescue StandardError => e
+          logger.info("Failed to close connection to #{target.safe_name} : #{e.message}")
+        end
+      end
+    end
+  end
+end
+
+require_relative 'ssh/connection'
+require_relative 'ssh/exec_connection'