sshkit-backends-netssh_global 0.0.1

data/README.md

@@ -0,0 +1,59 @@
+# SSHKit Backends Netssh Global
+
+**SSHKit Backends Netssh Global** is a backend to be used in conjunction with
+Capistrano 3 and SSHKit to allow global configuration to be set. For example, 
+all commands can be run under a different user or folder - without modifying the
+command.
+
+This is designed to make it possible for Capistrano 3 to deploy on systems where
+users login as one identity and then need to sudo to a different identity for
+each command.
+
+This works globally so that default tasks will automatically `sudo` and `cd`
+without modification. This allows the default tasks to be used in this kind of
+setup without them being altered.
+
+If a task specifically `sudo`'s or `cd`'s then the global setting will not take
+effect.
+
+In some setups the ssh agent also needs to be forwarded (such as git clone).
+Here the setting `ssh_commands` can be set to automatically forward the ssh
+agent to the sudo user for certain commands.
+
+### To run tests
+
+To setup an OSX machine to run the tests, install Homebrew then:
+
+```
+brew tap Homebrew/bundle
+brew bundle
+vagrant up --provision
+bundle
+rake
+```
+
+### Usage
+
+```ruby
+require 'sshkit/backends/netssh_global'
+
+SSHKit::Backend::NetsshGlobal.configure do |config|
+  config.owner        = 'bob'       # Which user to sudo as for every command
+  config.directory    = '/home/bob' # Can be specified if it is important to default commands to run in a 
+                                    # certain directory. This can be used to overcome permission problems when
+                                    # sudo'ing
+  config.ssh_commands = [:git]      # Setting for which commands require SSH forwarding
+  config.shell        = 'bash -l'   # Setting that allows the shell that sudo runs to be overriden
+end
+
+# Per host configuration
+Host.new("example.com").tap do |h|
+  h.properties.owner        = 'fred'
+  h.properties.directory    = '/home/fred'
+  h.properties.ssh_commands = [:git, :bundle]
+end
+```
+
+### Credits
+
+The code and test suite are built on top of [SSHKit](http://github.com/capistrano/sshkit).

data/Rakefile

@@ -0,0 +1,27 @@
+#!/usr/bin/env rake
+
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+task :default => :test
+
+desc "Run all tests"
+task :test => ['test:units', 'test:functional']
+
+namespace :test do
+
+  Rake::TestTask.new(:units) do |t|
+    t.libs << "test"
+    t.test_files = FileList['test/unit/**/test*.rb']
+  end
+
+  Rake::TestTask.new(:functional) do |t|
+    t.libs << "test"
+    t.test_files = FileList['test/functional/**/test*.rb']
+  end
+
+end
+
+Rake::Task["test:functional"].enhance do
+  warn "Remember there are still some VMs running, kill them with `vagrant halt` if you are finished using them."
+end

data/Vagrantfile

@@ -0,0 +1,20 @@
+VAGRANTFILE_API_VERSION = "2"
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+  config.vm.box = 'hashicorp/precise64'
+
+  json_config_path = File.join("test", "boxes.json")
+  list = File.open(json_config_path).read
+  list = JSON.parse(list)
+
+  list.each do |vm|
+    config.vm.define vm["name"] do |web|
+      web.vm.network "forwarded_port", guest: 22, host: vm["port"]
+      web.vm.provision "shell", inline: "apt-get update && apt-get install --yes acl csh"
+
+      vm["users"].each do |user|
+        web.vm.provision "shell", inline: "useradd --create-home #{user}"
+      end
+    end
+  end
+end

data/lib/sshkit/backends/netssh_global.rb

@@ -0,0 +1,87 @@
+require 'sshkit/command_sudo_ssh_forward'
+
+module SSHKit
+  module Backend
+    class NetsshGlobal < Netssh
+      class Configuration < Netssh::Configuration
+        attr_accessor :owner, :directory, :shell
+        attr_writer :ssh_commands
+
+        def ssh_commands
+          @ssh_commands || [:ssh, :git, :'ssh-add', :bundle]
+        end
+      end
+
+      class << self
+        def config
+          @config ||= Configuration.new
+        end
+      end
+
+      @pool = SSHKit::Backend::ConnectionPool.new
+
+      def upload!(local, remote, options = {})
+        execute :setfacl, "-m u:#{ssh_user}:rwx #{File.dirname(remote)}; true"
+        execute :setfacl, "-m u:#{ssh_user}:rw #{remote}; true"
+        super
+        as :root do
+          # Required as uploaded file is owned by SSH user, not owner
+          execute :chown, property(:owner), remote
+        end
+      end
+
+      private
+
+      def user
+        @user || property(:owner)
+      end
+
+      def ssh_user
+        host.user || configure_host.ssh_options.fetch(:user)
+      end
+
+      def pwd
+        @pwd.nil? ? property(:directory) : File.join(@pwd)
+      end
+
+      def property(name)
+        host.properties.public_send(name) || self.class.config.public_send(name)
+      end
+
+      def with_ssh
+        configure_host
+        conn = self.class.pool.checkout(
+          String(host.hostname),
+          host.username,
+          host.netssh_options,
+          &Net::SSH.method(:start)
+        )
+        begin
+          yield conn.connection
+        ensure
+          self.class.pool.checkin conn
+        end
+      end
+
+      def configure_host
+        host.tap do |h|
+          h.ssh_options = self.class.config.ssh_options.merge(host.ssh_options || {})
+        end
+      end
+
+      def command(*args)
+        options = args.extract_options!
+        options.merge!(
+          in: pwd,
+          env: @env,
+          host: configure_host,
+          user: user,
+          group: @group,
+          ssh_commands: property(:ssh_commands),
+          shell: property(:shell)
+        )
+        SSHKit::CommandSudoSshForward.new(*[*args, options])
+      end
+    end
+  end
+end

data/lib/sshkit/backends/version.rb

@@ -0,0 +1,7 @@
+module SSHKit
+  module Backends
+    class NetsshGlobal
+      VERSION = '0.0.1'
+    end
+  end
+end

data/lib/sshkit/command_sudo_ssh_forward.rb

@@ -0,0 +1,74 @@
+module SSHKit
+  class CommandSudoSshForward < SSHKit::Command
+    def to_command
+      return command.to_s unless should_map?
+
+      within do
+        ssh_agent do
+          umask do
+            with do
+              user do
+                in_background do
+                  group do
+                    to_s
+                  end
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+
+    def environment_hash
+      default_env.merge(options_env)
+    end
+
+    def ssh_agent(&block)
+      return yield unless ssh_forwarding_required?
+      "setfacl -m #{options[:user]}:x $(dirname $SSH_AUTH_SOCK) && setfacl -m #{options[:user]}:rw $SSH_AUTH_SOCK && %s" % yield
+    end
+
+    def user(&block)
+      return yield unless options[:user]
+      shell = options[:shell] || 'sh'
+      "sudo -u #{options[:user]} #{environment_string + " " unless environment_string.empty?}-- #{shell} -c '%s'" % %Q{#{yield}}
+    end
+
+    def with(&block)
+      return yield if environment_hash.empty? || sudo_command?
+      "( #{environment_string} %s )" % yield
+    end
+
+    private
+
+    def options_env
+      (options[:env] || {}).merge(default_ssh_options)
+    end
+
+    def default_env
+      SSHKit.config.default_env || {}
+    end
+
+    def default_ssh_options
+      ssh_forwarding_required? ? {'SSH_AUTH_SOCK' => '$SSH_AUTH_SOCK'} : {}
+    end
+
+    def ssh_forwarding_required?
+       ssh_command? && sudo_command? && ssh_forwarding_enabled?
+    end
+
+    def ssh_command?
+      options.fetch(:ssh_commands, []).include?(command)
+    end
+
+    def ssh_forwarding_enabled?
+      options[:host] && options[:host].ssh_options[:forward_agent]
+    end
+
+    def sudo_command?
+      options[:user]
+    end
+
+  end
+end

data/sshkit-backends-netssh_global.gemspec

@@ -0,0 +1,28 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/sshkit/backends/version', __FILE__)
+
+Gem::Specification.new do |gem|
+
+  gem.authors       = ["Theo Cushion", "Dennis Ideler"]
+  gem.email         = ["tcushion@pivotal.io", "dennis.ideler@fundingcircle.com"]
+  gem.summary       = %q{SSHKit backend for globally sudoing commands}
+  gem.description   = %q{A backend to be used in conjunction with Capistrano 3
+and SSHKit to allow deployment on setups where users login as one identity and
+then need to sudo to a different identity for each command.}
+  gem.homepage      = "http://github.com/fundingcircle/sshkit-backends-netssh_global"
+  # gem.license       = "GPL3"
+
+  gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  gem.files         = `git ls-files`.split("\n")
+  gem.test_files    = `git ls-files -- test/*`.split("\n")
+  gem.name          = "sshkit-backends-netssh_global"
+  gem.require_paths = ["lib"]
+  gem.version       = SSHKit::Backends::NetsshGlobal::VERSION
+
+  gem.add_runtime_dependency('sshkit', '1.7.1')
+
+  gem.add_development_dependency('minitest', ['>= 2.11.3', '< 2.12.0'])
+  gem.add_development_dependency('rake')
+  gem.add_development_dependency('turn')
+  gem.add_development_dependency('mocha')
+end

data/test/boxes.json

@@ -0,0 +1,13 @@
+[
+  {
+    "name": "one",
+    "port": 3001,
+    "user": "vagrant",
+    "password": "vagrant",
+    "hostname": "localhost",
+    "users": [
+      "owner",
+      "owner2"
+    ]
+  }
+]

data/test/functional/backends/test_netssh_global.rb

@@ -0,0 +1,300 @@
+require 'helper'
+require 'securerandom'
+
+require 'sshkit/backends/netssh_global'
+
+module SSHKit
+  module Backend
+    class TestNetsshGlobalFunctional < FunctionalTest
+      def setup
+        super
+        NetsshGlobal.configure do |config|
+          config.owner = a_user
+          config.directory = nil
+          config.shell = nil
+        end
+        VagrantWrapper.reset!
+      end
+
+      def a_user
+        a_box.fetch('users').fetch(0)
+      end
+
+      def another_user
+        a_box.fetch('users').fetch(1)
+      end
+
+      def a_box
+        VagrantWrapper.boxes_list.first
+      end
+
+      def a_host
+        VagrantWrapper.hosts['one']
+      end
+
+      def test_capture
+        File.open('/dev/null', 'w') do |dnull|
+          SSHKit.capture_output(dnull) do
+            captured_command_result = nil
+            NetsshGlobal.new(a_host) do
+              captured_command_result = capture(:uname)
+            end.run
+
+            assert captured_command_result
+            assert_match captured_command_result, /Linux|Darwin/
+          end
+        end
+      end
+
+      def test_ssh_option_merge
+        a_host.ssh_options = { paranoid: true }
+        host_ssh_options = {}
+        SSHKit::Backend::NetsshGlobal.config.ssh_options = { forward_agent: false }
+        NetsshGlobal.new(a_host) do |host|
+          capture(:uname)
+          host_ssh_options = host.ssh_options
+        end.run
+        assert_equal({ forward_agent: false, paranoid: true }, host_ssh_options)
+      end
+
+      def test_configure_owner_via_global_config
+        NetsshGlobal.configure do |config|
+          config.owner = a_user
+        end
+
+        output = ''
+        NetsshGlobal.new(a_host) do
+          output = capture :whoami
+        end.run
+        assert_equal a_user, output
+      end
+
+      def test_configure_owner_via_host
+        a_host.properties.owner = another_user
+
+        output = ''
+        NetsshGlobal.new(a_host) do
+          output = capture :whoami
+        end.run
+        assert_equal another_user, output
+      end
+
+      def test_configure_shell_via_global_config
+        NetsshGlobal.configure do |config|
+          config.shell = "csh"
+        end
+
+        running_shell = ''
+        NetsshGlobal.new(a_host) do
+          running_shell = capture :echo, '$shell'
+        end.run
+
+        assert_equal '/bin/csh', running_shell
+      end
+
+      def test_configure_directory_to_nil_has_no_effect
+        NetsshGlobal.configure do |config|
+          config.directory = nil
+        end
+
+        output = ''
+        NetsshGlobal.new(a_host) do
+          output = capture :pwd
+        end.run
+        assert_equal "/home/#{a_host.user}", output
+      end
+
+      def test_configure_directory_via_global_config
+        NetsshGlobal.configure do |config|
+          config.directory = '/tmp'
+        end
+
+        output = ''
+        NetsshGlobal.new(a_host) do
+          output = capture :pwd
+        end.run
+        assert_equal '/tmp', output
+      end
+
+      def test_configure_directory_via_host
+        NetsshGlobal.configure do |config|
+          config.directory = '/usr'
+        end
+
+        a_host.properties.directory = '/tmp'
+        output = ''
+        NetsshGlobal.new(a_host) do
+          output = capture :pwd
+        end.run
+        assert_equal '/tmp', output
+      end
+
+      def test_execute_raises_on_non_zero_exit_status_and_captures_stdout_and_stderr
+        err = assert_raises SSHKit::Command::Failed do
+          NetsshGlobal.new(a_host) do
+            execute :echo, "\"Test capturing stderr\" 1>&2; false"
+          end.run
+        end
+        assert_equal "echo exit status: 1\necho stdout: Nothing written\necho stderr: Test capturing stderr\n", err.message
+      end
+
+      def test_test_does_not_raise_on_non_zero_exit_status
+        NetsshGlobal.new(a_host) do
+          test :false
+        end.run
+      end
+
+      def test_test_executes_as_owner_when_command_contains_no_spaces
+        result = NetsshGlobal.new(a_host) do
+          test 'test', '"$USER" = "owner"'
+        end.run
+
+        assert(result, 'Expected test to execute as "owner", but it did not')
+      end
+
+      def test_test_executes_as_ssh_user_when_command_contains_spaces
+        result = NetsshGlobal.new(a_host) do
+          test 'test "$USER" = "vagrant"'
+        end.run
+
+        assert(result, 'Expected test to execute as "vagrant", but it did not')
+      end
+
+      def test_upload_file
+        file_contents = ""
+        file_owner = nil
+        file_name = File.join("/tmp", SecureRandom.uuid)
+        File.open file_name, 'w+' do |f|
+          f.write 'example_file'
+        end
+
+        NetsshGlobal.new(a_host) do
+          upload!(file_name, file_name)
+          file_contents = capture(:cat, file_name)
+          file_owner = capture(:stat, '-c', '%U',  file_name)
+        end.run
+
+        assert_equal 'example_file', file_contents
+        assert_equal a_user, file_owner
+      end
+
+      def test_upload_file_to_folder_owned_by_user
+        dir = File.join('/tmp', SecureRandom.uuid)
+        NetsshGlobal.new(a_host) do
+          execute(:mkdir, dir)
+        end.run
+
+        file_name = SecureRandom.uuid
+        local_file = File.join('/tmp', file_name)
+        File.open local_file, 'w+' do |f|
+          f.write 'example_file'
+        end
+
+        file_contents = ""
+        file_owner = nil
+        remote_file = File.join(dir, file_name)
+        NetsshGlobal.new(a_host) do
+          upload!(local_file, remote_file)
+          file_contents = capture(:cat, remote_file)
+          file_owner = capture(:stat, '-c', '%U',  remote_file)
+        end.run
+
+        assert_equal 'example_file', file_contents
+        assert_equal a_user, file_owner
+      end
+
+      def test_upload_file_overtop_of_existing_file
+        file_name = File.join('/tmp', SecureRandom.uuid)
+        File.open file_name, 'w+' do |f|
+          f.write 'example_file'
+        end
+
+        NetsshGlobal.new(a_host) do
+          upload!(file_name, file_name)
+        end.run
+
+        file_contents = ""
+        file_owner = nil
+        NetsshGlobal.new(a_host) do
+          upload!(file_name, file_name)
+          file_contents = capture(:cat, file_name)
+          file_owner = capture(:stat, '-c', '%U',  file_name)
+        end.run
+
+        assert_equal 'example_file', file_contents
+        assert_equal a_user, file_owner
+      end
+
+      def test_upload_string_io
+        file_contents = ""
+        file_owner = nil
+        NetsshGlobal.new(a_host) do
+          file_name = File.join("/tmp", SecureRandom.uuid)
+          upload!(StringIO.new('example_io'), file_name)
+          file_contents = download!(file_name)
+          file_owner = capture(:stat, '-c', '%U',  file_name)
+        end.run
+        assert_equal "example_io", file_contents
+        assert_equal a_user, file_owner
+      end
+
+      def test_upload_large_file
+        size      = 25
+        fills     = SecureRandom.random_bytes(1024*1024)
+        file_name = "/tmp/file-#{SecureRandom.uuid}-#{size}.txt"
+        File.open(file_name, 'w') do |f|
+          (size).times {f.write(fills) }
+        end
+
+        file_contents = ""
+        NetsshGlobal.new(a_host) do
+          upload!(file_name, file_name)
+          file_contents = download!(file_name)
+        end.run
+
+        assert_equal File.open(file_name).read, file_contents
+      end
+
+      def test_ssh_forwarded_when_command_is_ssh_command
+        remote_ssh_output = ''
+        local_ssh_output = `ssh-add -l 2>&1`.strip
+        a_host.ssh_options = { forward_agent: true }
+        NetsshGlobal.new(a_host) do |host|
+          remote_ssh_output = capture 'ssh-add', '-l', '2>&1;', 'true'
+        end.run
+
+        assert_equal local_ssh_output, remote_ssh_output
+      end
+
+      def test_ssh_not_forwarded_when_command_is_not_an_ssh_command
+        echo_output = ''
+
+        a_host.ssh_options = { forward_agent: true }
+        a_host.properties.ssh_commands = [:not_echo]
+        NetsshGlobal.new(a_host) do |host|
+          echo_output = capture :echo, '$SSH_AUTH_SOCK'
+        end.run
+
+        assert_match '', echo_output
+      end
+
+      def test_can_configure_ssh_commands
+        echo_output = ''
+
+        a_host.ssh_options = { forward_agent: true }
+        a_host.properties.ssh_commands = [:echo]
+        NetsshGlobal.new(a_host) do |host|
+          echo_output = capture :echo, '$SSH_AUTH_SOCK'
+        end.run
+
+        assert_match /\/tmp\//, echo_output
+      end
+
+      def test_default_ssh_commands
+        ssh_commands = NetsshGlobal.config.ssh_commands
+
+        assert_equal [:ssh, :git, :'ssh-add', :bundle], ssh_commands
+      end
+    end
+  end
+end