smart_proxy_remote_execution_ssh 0.4.0 → 0.5.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 750910e916f0d4ad411cf868636075e597573dd8cca720e414156bcee55331dc
-  data.tar.gz: 4003e71f358abc47847fb9a2e4cf3c211189bc915b6b4196dd02d6d21633d2b8
+  metadata.gz: 1ba2217281e0dfb1199d345fd81e2e135c3b3f83e590177ecc8826dfb8176262
+  data.tar.gz: db341f9a3cbed3045938d16cc0b772887098ee1db4adc2d4b515449785afbf39
 SHA512:
-  metadata.gz: efa2a87ce6a6125f7701979305a0c5fcc1fb3ad2703d5aef140505943789b45648311e46f892791a919a88d757f019485ff45209efc22423cc6543a298224a03
-  data.tar.gz: 4411e680ca841903d47b295090c4a194f92dfe91cc58796272d42b9c370ad6a3e6a8bc34973f0d7a85d93fe604788993428d944277b05426194893ecff0a9d51
+  metadata.gz: 4564886d08716efa9f7d40b887027d67dcd2bb9b02688033cd6f9f7f5a633a2e215ff5e567e144db687f7bb51f624b19aa240159c0f2a15ccaccbe983161c28a
+  data.tar.gz: fb3e8fd7bdba9193731c1399f2809e5625c6313b9cf1a1d1a6daad1e2bfc012e7057ebc7a3766e9d4bf9e1938b898dabfeea042f87db2d31b20dd07964a6744e

data/lib/smart_proxy_remote_execution_ssh/actions/pull_script.rb

@@ -0,0 +1,110 @@
+require 'mqtt'
+require 'json'
+
+module Proxy::RemoteExecution::Ssh::Actions
+  class PullScript < Proxy::Dynflow::Action::Runner
+    JobDelivered = Class.new
+
+    execution_plan_hooks.use :cleanup, :on => :stopped
+
+    def plan(action_input, mqtt: false)
+      super(action_input)
+      input[:with_mqtt] = mqtt
+    end
+
+    def run(event = nil)
+      if event == JobDelivered
+        output[:state] = :delivered
+        suspend
+      else
+        super
+      end
+    end
+
+    def init_run
+      otp_password = if input[:with_mqtt]
+                       ::Proxy::Dynflow::OtpManager.generate_otp(execution_plan_id)
+                     end
+      input[:job_uuid] = job_storage.store_job(host_name, execution_plan_id, run_step_id, input[:script])
+      output[:state] = :ready_for_pickup
+      output[:result] = []
+      mqtt_start(otp_password) if input[:with_mqtt]
+      suspend
+    end
+
+    def cleanup(_plan = nil)
+      job_storage.drop_job(execution_plan_id, run_step_id)
+      Proxy::Dynflow::OtpManager.passwords.delete(execution_plan_id)
+    end
+
+    def process_external_event(event)
+      output[:state] = :running
+      data = event.data
+      continuous_output = Proxy::Dynflow::ContinuousOutput.new
+      Array(data['output']).each { |line| continuous_output.add_output(line, 'stdout') } if data.key?('output')
+      exit_code = data['exit_code'].to_i if data['exit_code']
+      process_update(Proxy::Dynflow::Runner::Update.new(continuous_output, exit_code))
+    end
+
+    def kill_run
+      case output[:state]
+      when :ready_for_pickup
+        # If the job is not running yet on the client, wipe it from storage
+        cleanup
+        # TODO: Stop the action
+      when :notified, :running
+        # Client was notified or is already running, dealing with this situation
+        # is only supported if mqtt is available
+        # Otherwise we have to wait it out
+        # TODO
+        # if input[:with_mqtt]
+      end
+      suspend
+    end
+
+    def mqtt_start(otp_password)
+      payload = {
+        type: 'data',
+        message_id: SecureRandom.uuid,
+        version: 1,
+        sent: DateTime.now.iso8601,
+        directive: 'foreman',
+        metadata: {
+          'job_uuid': input[:job_uuid],
+          'username': execution_plan_id,
+          'password': otp_password,
+          'return_url': "#{input[:proxy_url]}/ssh/jobs/#{input[:job_uuid]}/update",
+        },
+        content: "#{input[:proxy_url]}/ssh/jobs/#{input[:job_uuid]}",
+      }
+      mqtt_notify payload
+      output[:state] = :notified
+    end
+
+    def mqtt_notify(payload)
+      MQTT::Client.connect(settings.mqtt_broker, settings.mqtt_port) do |c|
+        c.publish(mqtt_topic, JSON.dump(payload), false, 1)
+      end
+    end
+
+    def host_name
+      alternative_names = input.fetch(:alternative_names, {})
+
+      alternative_names[:consumer_uuid] ||
+        alternative_names[:fqdn] ||
+        input[:hostname]
+    end
+
+    def mqtt_topic
+      "yggdrasil/#{host_name}/data/in"
+    end
+
+    def settings
+      Proxy::RemoteExecution::Ssh::Plugin.settings
+    end
+
+    def job_storage
+      Proxy::RemoteExecution::Ssh.job_storage
+    end
+  end
+end

data/lib/smart_proxy_remote_execution_ssh/actions/run_script.rb

@@ -1,8 +1,22 @@
-require 'foreman_tasks_core/shareable_action'
+require 'smart_proxy_dynflow/action/shareable'
+require 'smart_proxy_dynflow/action/runner'
 
 module Proxy::RemoteExecution::Ssh
   module Actions
-    class RunScript < ForemanTasksCore::Runner::Action
+    class RunScript < ::Dynflow::Action
+      def plan(*args)
+        mode = Proxy::RemoteExecution::Ssh::Plugin.settings.mode
+        case mode
+        when :ssh, :'ssh-async'
+          plan_action(ScriptRunner, *args)
+        when :pull, :'pull-mqtt'
+          plan_action(PullScript, *args,
+                      mqtt: mode == :'pull-mqtt')
+        end
+      end
+    end
+
+    class ScriptRunner < Proxy::Dynflow::Action::Runner
       def initiate_runner
         additional_options = {
           :step_id => run_step_id,

data/lib/smart_proxy_remote_execution_ssh/actions.rb

@@ -0,0 +1,6 @@
+module Proxy::RemoteExecution::Ssh
+  module Actions
+    require 'smart_proxy_remote_execution_ssh/actions/run_script'
+    require 'smart_proxy_remote_execution_ssh/actions/pull_script'
+  end
+end

data/lib/smart_proxy_remote_execution_ssh/api.rb

@@ -1,11 +1,13 @@
 require 'net/ssh'
 require 'base64'
+require 'smart_proxy_dynflow/runner'
 
 module Proxy::RemoteExecution
   module Ssh
 
     class Api < ::Sinatra::Base
       include Sinatra::Authorization::Helpers
+      include Proxy::Dynflow::Helpers
 
       get "/pubkey" do
         File.read(Ssh.public_key_file)
@@ -37,6 +39,53 @@ module Proxy::RemoteExecution
           end
         204
       end
+
+      # Payload is a hash where
+      # exit_code: Integer | NilClass
+      # output: String
+      post '/jobs/:job_uuid/update' do |job_uuid|
+        do_authorize_with_ssl_client
+
+        with_authorized_job(job_uuid) do |job_record|
+          data = MultiJson.load(request.body.read)
+          notify_job(job_record, ::Proxy::Dynflow::Runner::ExternalEvent.new(data))
+        end
+      end
+
+      get '/jobs' do
+        do_authorize_with_ssl_client
+
+        MultiJson.dump(Proxy::RemoteExecution::Ssh.job_storage.job_uuids_for_host(https_cert_cn))
+      end
+
+      get "/jobs/:job_uuid" do |job_uuid|
+        do_authorize_with_ssl_client
+
+        with_authorized_job(job_uuid) do |job_record|
+          notify_job(job_record, Actions::PullScript::JobDelivered)
+          job_record[:job]
+        end
+      end
+
+      private
+
+      def notify_job(job_record, event)
+        world.event(job_record[:execution_plan_uuid], job_record[:run_step_id], event)
+      end
+
+      def with_authorized_job(uuid)
+        if (job = authorized_job(uuid))
+          yield job
+        else
+          halt 404
+        end
+      end
+
+      def authorized_job(uuid)
+        job_record = Proxy::RemoteExecution::Ssh.job_storage.find_job(uuid) || {}
+        return job_record if authorize_with_token(clear: false, task_id: job_record[:execution_plan_uuid]) ||
+                             job_record[:hostname] == https_cert_cn
+      end
     end
   end
 end

data/lib/smart_proxy_remote_execution_ssh/cockpit.rb

@@ -1,11 +1,11 @@
-require 'net/ssh'
+require 'smart_proxy_remote_execution_ssh/net_ssh_compat'
 require 'forwardable'
 
 module Proxy::RemoteExecution
   module Cockpit
     # A wrapper class around different kind of sockets to comply with Net::SSH event loop
     class BufferedSocket
-      include Net::SSH::BufferedIo
+      include Proxy::RemoteExecution::NetSSHCompat::BufferedIO
       extend Forwardable
 
       # The list of methods taken from OpenSSL::SSL::SocketForwarder for the object to act like a socket
@@ -52,14 +52,14 @@ module Proxy::RemoteExecution
       end
       def_delegators(:@socket, :read_nonblock, :write_nonblock, :close)
 
-      def recv(n)
+      def recv(count)
         res = ""
         begin
           # To drain a SSLSocket before we can go back to the event
           # loop, we need to repeatedly call read_nonblock; a single
           # call is not enough.
           loop do
-            res += @socket.read_nonblock(n)
+            res += @socket.read_nonblock(count)
           end
         rescue IO::WaitReadable
           # Sometimes there is no payload after reading everything
@@ -95,8 +95,8 @@ module Proxy::RemoteExecution
       end
       def_delegators(:@socket, :read_nonblock, :write_nonblock, :close)
 
-      def recv(n)
-        @socket.read_nonblock(n)
+      def recv(count)
+        @socket.read_nonblock(count)
       end
 
       def send(mesg, flags)
@@ -113,6 +113,7 @@ module Proxy::RemoteExecution
 
       def initialize(env)
         @env = env
+        @open_ios = []
       end
 
       def valid?
@@ -127,6 +128,7 @@ module Proxy::RemoteExecution
           begin
             @env['rack.hijack'].call
           rescue NotImplementedError
+            # This is fine
           end
           @socket = @env['rack.hijack_io']
         end
@@ -137,15 +139,11 @@ module Proxy::RemoteExecution
       private
 
       def ssh_on_socket
-        with_error_handling { start_ssh_loop }
+        with_error_handling { system_ssh_loop }
       end
 
       def with_error_handling
         yield
-      rescue Net::SSH::AuthenticationFailed => e
-        send_error(401, e.message)
-      rescue Errno::EHOSTUNREACH
-        send_error(400, "No route to #{host}")
       rescue SystemCallError => e
         send_error(400, e.message)
       rescue SocketError => e
@@ -161,50 +159,67 @@ module Proxy::RemoteExecution
         end
       end
 
-      def start_ssh_loop
-        err_buf = ""
-
-        Net::SSH.start(host, ssh_user, ssh_options) do |ssh|
-          channel = ssh.open_channel do |ch|
-            ch.exec(command) do |ch, success|
-              raise "could not execute command" unless success
-
-              ssh.listen_to(buf_socket)
-
-              ch.on_process do
-                if buf_socket.available.positive?
-                  ch.send_data(buf_socket.read_available)
-                end
-                if buf_socket.closed?
-                  ch.close
-                end
-              end
-
-              ch.on_data do |ch2, data|
-                send_start
-                buf_socket.enqueue(data)
-              end
-
-              ch.on_request('exit-status') do |ch, data|
-                code = data.read_long
-                send_start if code.zero?
-                err_buf += "Process exited with code #{code}.\r\n"
-                ch.close
-              end
-
-              ch.on_request('exit-signal') do |ch, data|
-                err_buf += "Process was terminated with signal #{data.read_string}.\r\n"
-                ch.close
-              end
-
-              ch.on_extended_data do |ch2, type, data|
-                err_buf += data
-              end
-            end
+      def system_ssh_loop
+        in_read, in_write   = IO.pipe
+        out_read, out_write = IO.pipe
+        err_read, err_write = IO.pipe
+
+        # Force the script runner to initialize its logger
+        script_runner.logger
+        pid = spawn(*script_runner.send(:get_args, command), :in => in_read, :out => out_write, :err => err_write)
+        [in_read, out_write, err_write].each(&:close)
+
+        send_start
+        # Not SSL buffer, but the interface kinda matches
+        out_buf = MiniSSLBufferedSocket.new(out_read)
+        err_buf = MiniSSLBufferedSocket.new(err_read)
+        in_buf  = MiniSSLBufferedSocket.new(in_write)
+
+        inner_system_ssh_loop out_buf, err_buf, in_buf, pid
+      end
+
+      def inner_system_ssh_loop(out_buf, err_buf, in_buf, pid)
+        err_buf_raw = ''
+        readers = [buf_socket, out_buf, err_buf]
+        loop do
+          # Prime the sockets for reading
+          ready_readers, ready_writers = IO.select(readers, [buf_socket, in_buf], nil, 300)
+          (ready_readers || []).each { |reader| reader.close if reader.fill.zero? }
+
+          proxy_data(out_buf, in_buf)
+          if buf_socket.closed?
+            script_runner.close_session
           end
 
-          channel.wait
-          send_error(400, err_buf) unless @started
+          if out_buf.closed?
+            code = Process.wait2(pid).last.exitstatus
+            send_start if code.zero? # TODO: Why?
+            err_buf_raw += "Process exited with code #{code}.\r\n"
+            break
+          end
+
+          if err_buf.available.positive?
+            err_buf_raw += err_buf.read_available
+          end
+
+          flush_pending_writes(ready_writers || [])
+        end
+      rescue # rubocop:disable Style/RescueStandardError
+        send_error(400, err_buf_raw) unless @started
+      ensure
+        [out_buf, err_buf, in_buf].each(&:close)
+      end
+
+      def proxy_data(out_buf, in_buf)
+        { out_buf => buf_socket, buf_socket => in_buf }.each do |src, dst|
+          dst.enqueue(src.read_available) if src.available.positive?
+          dst.close if src.closed?
+        end
+      end
+
+      def flush_pending_writes(writers)
+        writers.each do |writer|
+          writer.respond_to?(:send_pending) ? writer.send_pending : writer.flush
         end
       end
 
@@ -215,6 +230,7 @@ module Proxy::RemoteExecution
           buf_socket.enqueue("Connection: upgrade\r\n")
           buf_socket.enqueue("Upgrade: raw\r\n")
           buf_socket.enqueue("\r\n")
+          buf_socket.send_pending
         end
       end
 
@@ -223,6 +239,7 @@ module Proxy::RemoteExecution
         buf_socket.enqueue("Connection: close\r\n")
         buf_socket.enqueue("\r\n")
         buf_socket.enqueue(msg)
+        buf_socket.send_pending
       end
 
       def params
@@ -234,34 +251,33 @@ module Proxy::RemoteExecution
       end
 
       def buf_socket
-        @buffered_socket ||= BufferedSocket.build(@socket)
+        @buf_socket ||= BufferedSocket.build(@socket)
       end
 
       def command
         params["command"]
       end
 
-      def ssh_user
-        params["ssh_user"]
-      end
-
       def host
         params["hostname"]
       end
 
-      def ssh_options
-        auth_methods = %w[publickey]
-        auth_methods.unshift('password') if params["ssh_password"]
-
-        ret = {}
-        ret[:port] = params["ssh_port"] if params["ssh_port"]
-        ret[:keys] = [key_file] if key_file
-        ret[:password] = params["ssh_password"] if params["ssh_password"]
-        ret[:passphrase] = params[:ssh_key_passphrase] if params[:ssh_key_passphrase]
-        ret[:keys_only] = true
-        ret[:auth_methods] = auth_methods
-        ret[:verify_host_key] = true
-        ret[:number_of_password_prompts] = 1
+      def script_runner
+        @script_runner ||= Proxy::RemoteExecution::Ssh::Runners::ScriptRunner.build(
+          runner_params,
+          suspended_action: nil
+        )
+      end
+
+      def runner_params
+        ret = { secrets: {} }
+        ret[:secrets][:ssh_password] = params["ssh_password"] if params["ssh_password"]
+        ret[:secrets][:key_passphrase] = params["ssh_key_passphrase"] if params["ssh_key_passphrase"]
+        ret[:ssh_port] = params["ssh_port"] if params["ssh_port"]
+        ret[:ssh_user] = params["ssh_user"]
+        # For compatibility only
+        ret[:script] = nil
+        ret[:hostname] = host
         ret
       end
     end

data/lib/smart_proxy_remote_execution_ssh/dispatcher.rb

@@ -1,7 +1,7 @@
-require 'foreman_tasks_core/runner/dispatcher'
+require 'smart_proxy_dynflow/runner/dispatcher'
 
 module Proxy::RemoteExecution::Ssh
-  class Dispatcher < ::ForemanTasksCore::Runner::Dispatcher
+  class Dispatcher < ::Proxy::Dynflow::Runner::Dispatcher
     def refresh_interval
       @refresh_interval ||= Plugin.settings[:runner_refresh_interval] ||
                             Plugin.runner_class::DEFAULT_REFRESH_INTERVAL

data/lib/smart_proxy_remote_execution_ssh/job_storage.rb

@@ -0,0 +1,51 @@
+# lib/job_storage.rb
+require 'sequel'
+
+module Proxy::RemoteExecution::Ssh
+  class JobStorage
+    def initialize
+      @db = Sequel.sqlite
+      @db.create_table :jobs do
+        DateTime :timestamp, null: false, default: Sequel::CURRENT_TIMESTAMP
+        String :uuid, fixed: true, size: 36, primary_key: true, null: false
+        String :hostname, null: false, index: true
+        String :execution_plan_uuid, fixed: true, size: 36, null: false, index: true
+        Integer :run_step_id, null: false
+        String :job, text: true
+      end
+    end
+
+    def find_job(uuid)
+      jobs.where(uuid: uuid).first
+    end
+
+    def job_uuids_for_host(hostname)
+      jobs_for_host(hostname).order(:timestamp)
+                             .select_map(:uuid)
+    end
+
+    def store_job(hostname, execution_plan_uuid, run_step_id, job, uuid: SecureRandom.uuid, timestamp: Time.now.utc)
+      jobs.insert(timestamp: timestamp,
+                  uuid: uuid,
+                  hostname: hostname,
+                  execution_plan_uuid: execution_plan_uuid,
+                  run_step_id: run_step_id,
+                  job: job)
+      uuid
+    end
+
+    def drop_job(execution_plan_uuid, run_step_id)
+      jobs.where(execution_plan_uuid: execution_plan_uuid, run_step_id: run_step_id).delete
+    end
+
+    private
+
+    def jobs_for_host(hostname)
+      jobs.where(hostname: hostname)
+    end
+
+    def jobs
+      @db[:jobs]
+    end
+  end
+end