sshkit 1.16.1 → 1.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: adf8778cdb780fc5190e6e29a913f97c9367073850ec4db02c30ee5fca61b15e
-  data.tar.gz: b9ad84e2f7cdc7cfd6d5773954b764182a828b3b02886085ce29a96a75f1672f
+  metadata.gz: fc70293f2ae9b1fd7a0adf61cac4ff329fa54e4c7461570eec898560777fc006
+  data.tar.gz: b707f414b46ca07e1b6b9f0db26f5512d1a1a654922292d959d56f7d2bb9be39
 SHA512:
-  metadata.gz: d7a6fc9a49bf60dc427426a988499d081d0666c1a2e3ac06b57952a6352c3ae93c09792d464ad844295cf3a6fb69cfb238213b6bd93fdf5e761b603df205c36c
-  data.tar.gz: d1e3a4f0eb0cf3e3baca205bffe236581fc260f5c7e70cbd9155d64f827bc3ce6732f2f74f9024171f192aa2e0061dcb9894b651ded2a916479164d98dfcd4fd
+  metadata.gz: b127c917a1bd92af92ede9cf7710c75c82504159b4432bd0ec483a8cae1aed2dc269c1e58bfd5fd7f2f384f3ed6115db5e9dacbcab7eedf5bae42597afaec585
+  data.tar.gz: cefe7b628ec52664d2753bc09787ef1aae4cbbea93774afce828397bb18d77afbd78622c3ec84f3d90bf6b609af2b6be56c5bb03e6d35c6f48c9a2e9a3d81a9b

data/CHANGELOG.md

@@ -7,6 +7,10 @@ appear at the top.
 
   * Your contribution here!
 
+## [1.17.0][] (2018-07-07)
+
+  * [#430](https://github.com/capistrano/sshkit/pull/430): [Feature] Command Argument STDOUT/capistrano.log Hiding - [@NorseGaud](https://github.com/NorseGaud)
+
 ## [1.16.1][] (2018-05-20)
 
   * [#425](https://github.com/capistrano/sshkit/pull/425): Command#group incorrectly escapes double quotes, resulting in a a syntax error when specifying the group execution using `as`. This issue manifested when user command quotes changed from double quotes to single quotes. This fix removes the double quote escaping - [@pblesi](https://github.com/pblesi).
@@ -742,7 +746,8 @@ version `0.0.5`.
 
 First release.
 
-[Unreleased]: https://github.com/capistrano/sshkit/compare/v1.16.1...HEAD
+[Unreleased]: https://github.com/capistrano/sshkit/compare/v1.17.0...HEAD
+[1.17.0]: https://github.com/capistrano/sshkit/compare/v1.16.1...v1.17.0
 [1.16.1]: https://github.com/capistrano/sshkit/compare/v1.16.0...v1.16.1
 [1.16.0]: https://github.com/capistrano/sshkit/compare/v1.15.1...v1.16.0
 [1.15.1]: https://github.com/capistrano/sshkit/compare/v1.15.0...v1.15.1

data/Gemfile

@@ -18,8 +18,3 @@ end
 if Gem::Requirement.new('< 2.1').satisfied_by?(Gem::Version.new(RUBY_VERSION))
   gem 'public_suffix', '< 3'
 end
-
-# rbnacl-libsodium > 1.0.15.1 requires Ruby 2.2.6+
-if Gem::Requirement.new('< 2.2.6').satisfied_by?(Gem::Version.new(RUBY_VERSION))
-  gem 'rbnacl-libsodium', '<= 1.0.15.1'
-end

data/README.md

@@ -5,7 +5,6 @@ more servers.
 
 [![Gem Version](https://badge.fury.io/rb/sshkit.svg)](https://rubygems.org/gems/sshkit)
 [![Build Status](https://travis-ci.org/capistrano/sshkit.svg?branch=master)](https://travis-ci.org/capistrano/sshkit)
-[![Dependency Status](https://gemnasium.com/capistrano/sshkit.svg)](https://gemnasium.com/capistrano/sshkit)
 
 ## How might it work?
 
@@ -444,6 +443,32 @@ SSHKit.config.output = SSHKit::Formatter::Pretty.new(output)
 SSHKit.config.output = SSHKit::Formatter::SimpleText.new(File.open('log/deploy.log', 'wb'))
 ```
 
+#### Output & Log Redaction
+
+If necessary, redact() can be used on a section of your execute arguments to hide it from both STDOUT and the capistrano.log. It supports the majority of data types.
+
+```ruby
+# Example from capistrano-postgresql gem
+execute(:psql, fetch(:pg_system_db), '-c', %Q{"CREATE USER \\"#{fetch(:pg_username)}\\" PASSWORD}, redact("'#{fetch(:pg_password)}'"), %Q{;"})
+```
+Once wrapped, sshkit logging will replace the actual pg_password with a [REDACTED] value:
+
+```
+# STDOUT
+00:00 postgresql:create_database_user
+      01 sudo -i -u postgres psql -d postgres -c "CREATE USER \"db_admin_user\" PASSWORD [REDACTED] ;"
+      01 CREATE ROLE
+    ✔ 01 user@localhost 0.099s
+
+# capistrano.log
+INFO [59dbd2ba] Running /usr/bin/env sudo -i -u postgres psql -d postgres -c "CREATE USER \"db_admin_user\" PASSWORD [REDACTED] ;" as user@localhost
+DEBUG [59dbd2ba] Command: ( export PATH="$HOME/.gem/ruby/2.5.0/bin:$PATH" ; /usr/bin/env sudo -i -u postgres psql -d postgres -c "CREATE USER \"db_admin_user\" PASSWORD [REDACTED] ;" )
+DEBUG [529b623c] CREATE ROLE
+
+```
+
+Yet, the created database user will have the value from `fetch(:pg_password)`.
+
 #### Output Colors
 
 By default, SSHKit will color the output using ANSI color escape sequences

data/lib/sshkit.rb

@@ -21,6 +21,9 @@ module SSHKit
 
   end
 
+  # Used for redaction of a certain argument
+  module Redaction end
+
 end
 
 require_relative 'sshkit/all'

data/lib/sshkit/backends/abstract.rb

@@ -42,6 +42,10 @@ module SSHKit
         @group = nil
       end
 
+      def redact(arg) # Used in execute_command to hide redact() args a user passes in
+        arg.to_s.extend(Redaction) # to_s due to our inability to extend Integer, etc
+      end
+
       def make(commands=[])
         execute :make, commands
       end

data/lib/sshkit/backends/local.rb

@@ -39,10 +39,8 @@ module SSHKit
       private
 
       def execute_command(cmd)
-        output.log_command_start(cmd)
-
+        output.log_command_start(cmd.with_redaction)
         cmd.started = Time.now
-
         Open3.popen3(cmd.to_command) do |stdin, stdout, stderr, wait_thr|
           stdout_thread = Thread.new do
             while (line = stdout.gets) do
@@ -50,19 +48,15 @@ module SSHKit
               output.log_command_data(cmd, :stdout, line)
             end
           end
-
           stderr_thread = Thread.new do
             while (line = stderr.gets) do
               cmd.on_stderr(stdin, line)
               output.log_command_data(cmd, :stderr, line)
             end
           end
-
           stdout_thread.join
           stderr_thread.join
-
           cmd.exit_status = wait_thr.value.to_i
-
           output.log_command_exit(cmd)
         end
       end

data/lib/sshkit/backends/netssh.rb

@@ -123,7 +123,7 @@ module SSHKit
       end
 
       def execute_command(cmd)
-        output.log_command_start(cmd)
+        output.log_command_start(cmd.with_redaction)
         cmd.started = true
         exit_status = nil
         with_ssh do |ssh|

data/lib/sshkit/backends/printer.rb

@@ -5,7 +5,7 @@ module SSHKit
     class Printer < Abstract
 
       def execute_command(cmd)
-        output.log_command_start(cmd)
+        output.log_command_start(cmd.with_redaction)
       end
 
       alias :upload! :execute

data/lib/sshkit/command.rb

@@ -204,6 +204,13 @@ module SSHKit
       end
     end
 
+    def with_redaction
+      new_args = args.map{|arg| arg.is_a?(Redaction) ? '[REDACTED]' : arg }
+      redacted_cmd = dup
+      redacted_cmd.instance_variable_set(:@args, new_args)
+      redacted_cmd
+    end
+
     def to_s
       if should_map?
         [SSHKit.config.command_map[command.to_sym], *Array(args)].join(' ')

data/lib/sshkit/version.rb

@@ -1,3 +1,3 @@
 module SSHKit
-  VERSION = "1.16.1".freeze
+  VERSION = "1.17.0".freeze
 end

data/sshkit.gemspec

@@ -29,6 +29,5 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency('mocha')
 
   gem.add_development_dependency('bcrypt_pbkdf')
-  gem.add_development_dependency('rbnacl', '~> 3.4')
-  gem.add_development_dependency('rbnacl-libsodium')
+  gem.add_development_dependency('ed25519', '>= 1.2', '< 2.0')
 end

data/test/functional/backends/test_netssh.rb

@@ -42,13 +42,43 @@ module SSHKit
         ], command_lines
       end
 
+      def test_redaction
+        # Be sure redaction in the logs is showing [REDACTED]
+        Netssh.new(a_host) do
+          execute :echo, 'password:', redact('PASSWORD')
+          execute :echo, 'password:', redact(10000)
+          execute :echo, 'password:', redact(['test1','test2'])
+          execute :echo, 'password:', redact({:test => 'test_value'})
+        end.run
+        command_lines = @output.lines.select { |line| line.start_with?('Command:') }
+        assert_equal [
+                         "Command: /usr/bin/env echo password: [REDACTED]\n",
+                         "Command: /usr/bin/env echo password: [REDACTED]\n",
+                         "Command: /usr/bin/env echo password: [REDACTED]\n",
+                         "Command: /usr/bin/env echo password: [REDACTED]\n"
+                     ], command_lines
+        # Be sure the actual command executed without *REDACTED*
+        Netssh.new(a_host) do
+          file_name = 'test.file'
+          execute :touch, redact("'#{file_name}'") # Test and be sure single quotes are included in actual command; expected /usr/bin/env touch 'test.file'
+          execute :ls, 'test.file'
+        end.run
+        ls_lines = @output.lines.select { |line| line.start_with?("\ttest.file") }
+        assert_equal [
+                         "\ttest.file\n"
+                     ], ls_lines
+        # Cleanup
+        Netssh.new(a_host) do
+          execute :rm, ' -f test.file'
+        end.run
+      end
+
       def test_group_netssh
         Netssh.new(a_host) do
           as user: :root, group: :admin do
            execute :touch, 'restart.txt'
           end
         end.run
-
         command_lines = @output.lines.select { |line| line.start_with?('Command:') }
         assert_equal [
           "Command: if ! sudo -u root whoami > /dev/null; then echo \"You cannot switch to user 'root' using sudo, please check the sudoers file\" 1>&2; false; fi\n",
@@ -66,16 +96,21 @@ module SSHKit
       end
 
       def test_ssh_option_merge
-        a_host.ssh_options = { paranoid: true }
+        verify_host_opt = if Net::SSH::Version::MAJOR >= 5
+                            { verify_host_key: :always }
+                          else
+                            { paranoid: true }
+                          end
+        a_host.ssh_options = verify_host_opt
         host_ssh_options = {}
         SSHKit::Backend::Netssh.config.ssh_options = { forward_agent: false }
         Netssh.new(a_host) do |host|
           capture(:uname)
           host_ssh_options = host.ssh_options
         end.run
-        assert_equal [:forward_agent, :paranoid, :known_hosts, :logger, :password_prompt].sort, host_ssh_options.keys.sort
+        assert_equal [:forward_agent, *verify_host_opt.keys, :known_hosts, :logger, :password_prompt].sort, host_ssh_options.keys.sort
         assert_equal false, host_ssh_options[:forward_agent]
-        assert_equal true, host_ssh_options[:paranoid]
+        assert_equal verify_host_opt.values.first, host_ssh_options[verify_host_opt.keys.first]
         assert_instance_of SSHKit::Backend::Netssh::KnownHosts, host_ssh_options[:known_hosts]
       end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sshkit
 version: !ruby/object:Gem::Version
-  version: 1.16.1
+  version: 1.17.0
 platform: ruby
 authors:
 - Lee Hambley
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-21 00:00:00.000000000 Z
+date: 2018-07-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: net-ssh
@@ -152,33 +152,25 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rbnacl
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.4'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.4'
-- !ruby/object:Gem::Dependency
-  name: rbnacl-libsodium
+  name: ed25519
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 description: A comprehensive toolkit for remotely running commands in a structured
   manner on groups of servers.
 email: