train-juniper 0.5.4

data/lib/train-juniper/platform.rb

@@ -0,0 +1,191 @@
+# frozen_string_literal: true
+
+# Platform definition file for Juniper network devices.
+# This defines the "juniper" platform within Train's platform detection system.
+
+module TrainPlugins::Juniper
+  # Platform detection mixin for Juniper network devices
+  module Platform
+    # Platform name constant for consistency
+    PLATFORM_NAME = 'juniper'
+
+    # Platform detection for Juniper network devices
+    #
+    # For dedicated transport plugins, we use force_platform! to bypass
+    # Train's automatic platform detection, which might run commands before
+    # the connection is ready. This is the standard pattern used by official
+    # Train plugins like train-k8s-container.
+    def platform
+      # Return cached platform if already computed
+      return @platform if defined?(@platform)
+
+      # Register the juniper platform in Train's platform registry
+      # JunOS devices are FreeBSD-based, so inherit from bsd family for InSpec resource compatibility
+      # This allows InSpec resources like 'command' to work with Juniper devices
+      Train::Platforms.name(PLATFORM_NAME).title('Juniper JunOS').in_family('bsd')
+
+      # Try to detect actual JunOS version and architecture from device
+      device_version = detect_junos_version || TrainPlugins::Juniper::VERSION
+      device_arch = detect_junos_architecture || 'unknown'
+      logger&.debug("Detected device architecture: #{device_arch}")
+
+      # Bypass Train's platform detection and declare our known platform
+      # Include architecture in the platform details to ensure it's properly set
+      platform_details = {
+        release: device_version,
+        arch: device_arch
+      }
+
+      platform_obj = force_platform!(PLATFORM_NAME, platform_details)
+      logger&.debug("Set platform data: #{platform_obj.platform}")
+
+      # Cache the platform object to prevent repeated calls
+      @platform = platform_obj
+    end
+
+    private
+
+    # Detect JunOS version from device output
+    # This runs safely after the connection is established
+    def detect_junos_version
+      # Return cached version if already detected
+      return @detected_junos_version if defined?(@detected_junos_version)
+
+      # Only try version detection if we have an active connection
+      return @detected_junos_version = nil unless respond_to?(:run_command_via_connection)
+      return @detected_junos_version = nil if @options&.dig(:mock) # Skip in mock mode
+
+      begin
+        # Check if connection is ready before running commands
+        return @detected_junos_version = nil unless connected?
+
+        # Execute 'show version' command to get JunOS information
+        result = run_command_via_connection('show version')
+        return @detected_junos_version = nil unless result&.exit_status&.zero?
+
+        # Cache the result for architecture detection to avoid duplicate calls
+        @cached_show_version_result = result
+
+        # Parse JunOS version from output using multiple patterns
+        version = extract_version_from_output(result.stdout)
+
+        if version
+          logger&.debug("Detected JunOS version: #{version}")
+          @detected_junos_version = version
+        else
+          logger&.debug("Could not parse JunOS version from: #{result.stdout[0..100]}")
+          @detected_junos_version = nil
+        end
+      rescue StandardError => e
+        # If version detection fails, log and return nil
+        logger&.debug("JunOS version detection failed: #{e.message}")
+        @detected_junos_version = nil
+      end
+    end
+
+    # Extract version string from JunOS show version output
+    def extract_version_from_output(output)
+      return nil if output.nil? || output.empty?
+
+      # Try multiple JunOS version patterns
+      patterns = [
+        /Junos:\s+([\d\w\.-]+)/,                           # "Junos: 12.1X47-D15.4"
+        /JUNOS Software Release \[([\d\w\.-]+)\]/,         # "JUNOS Software Release [12.1X47-D15.4]"
+        /junos version ([\d\w\.-]+)/i,                     # "junos version 21.4R3"
+        /Model: \S+, JUNOS Base OS boot \[([\d\w\.-]+)\]/, # Some hardware variants
+        /([\d]+\.[\d]+[\w\.-]*)/                           # Generic version pattern
+      ]
+
+      patterns.each do |pattern|
+        match = output.match(pattern)
+        return match[1] if match
+      end
+
+      nil
+    end
+
+    # Detect JunOS architecture from device output
+    # This runs safely after the connection is established
+    def detect_junos_architecture
+      # Return cached architecture if already detected
+      return @detected_junos_architecture if defined?(@detected_junos_architecture)
+
+      # Only try architecture detection if we have an active connection
+      return @detected_junos_architecture = nil unless respond_to?(:run_command_via_connection)
+      return @detected_junos_architecture = nil if @options&.dig(:mock) # Skip in mock mode
+
+      begin
+        # Check if connection is ready before running commands
+        return @detected_junos_architecture = nil unless connected?
+
+        # Reuse version detection result to avoid duplicate 'show version' calls
+        # Both version and architecture come from the same command output
+        if defined?(@detected_junos_version) && @detected_junos_version
+          # We already have the output from version detection, parse architecture from it
+          result = @cached_show_version_result
+        else
+          # Execute 'show version' command and cache the result
+          result = run_command_via_connection('show version')
+          @cached_show_version_result = result if result&.exit_status&.zero?
+        end
+
+        return @detected_junos_architecture = nil unless result&.exit_status&.zero?
+
+        # Parse architecture from output using multiple patterns
+        arch = extract_architecture_from_output(result.stdout)
+
+        if arch
+          logger&.debug("Detected JunOS architecture: #{arch}")
+          @detected_junos_architecture = arch
+        else
+          logger&.debug("Could not parse JunOS architecture from: #{result.stdout[0..100]}")
+          @detected_junos_architecture = nil
+        end
+      rescue StandardError => e
+        # If architecture detection fails, log and return nil
+        logger&.debug("JunOS architecture detection failed: #{e.message}")
+        @detected_junos_architecture = nil
+      end
+    end
+
+    # Extract architecture string from JunOS show version output
+    def extract_architecture_from_output(output)
+      return nil if output.nil? || output.empty?
+
+      # Try multiple JunOS architecture patterns
+      patterns = [
+        /Model:\s+(\S+)/, # "Model: SRX240H2" -> extract model as arch indicator
+        /Junos:\s+[\d\w\.-]+\s+built\s+[\d-]+\s+[\d:]+\s+by\s+builder\s+on\s+(\S+)/, # Build architecture
+        /JUNOS.*\[([\w-]+)\]/,                                 # JUNOS package architecture
+        /Architecture:\s+(\S+)/i,                              # Direct architecture line
+        /Platform:\s+(\S+)/i,                                  # Platform designation
+        /Processor.*:\s*(\S+)/i # Processor type
+      ]
+
+      patterns.each do |pattern|
+        match = output.match(pattern)
+        next unless match
+
+        arch_value = match[1]
+        # Convert model names to architecture indicators
+        case arch_value
+        when /SRX\d+/i
+          return 'x86_64'  # Most SRX models are x86_64
+        when /MX\d+/i
+          return 'x86_64'  # MX routers are typically x86_64
+        when /EX\d+/i
+          return 'arm64'   # Many EX switches use ARM
+        when /QFX\d+/i
+          return 'x86_64'  # QFX switches typically x86_64
+        when /^(x86_64|amd64|i386|arm64|aarch64|sparc|mips)$/i
+          return arch_value.downcase
+        else
+          # Return the model as-is if we can't map it
+          return arch_value
+        end
+      end
+
+      nil
+    end
+  end
+end

data/lib/train-juniper/transport.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+# Juniper Train Plugin Transport Definition
+# Defines the main transport class for connecting to Juniper network devices.
+# This transport enables SSH connectivity to JunOS devices for InSpec.
+require 'train-juniper/connection'
+
+module TrainPlugins
+  module Juniper
+    class Transport < Train.plugin(1)
+      name 'juniper'
+
+      # Connection options for Juniper devices
+      # Following Train SSH transport standard options
+      option :host, required: true
+      option :port, default: 22
+      option :user, required: true
+      option :password, default: nil
+      option :timeout, default: 30
+
+      # Proxy/Bastion host support (Train standard options)
+      option :bastion_host, default: nil
+      option :bastion_user, default: nil # Let connection handle env vars and defaults
+      option :bastion_port, default: 22
+      option :bastion_password, default: nil # Separate password for bastion authentication
+      option :proxy_command, default: nil
+
+      # SSH key authentication options
+      option :key_files, default: nil
+      option :keys_only, default: false
+
+      # Advanced SSH options
+      option :keepalive, default: true
+      option :keepalive_interval, default: 60
+      option :connection_timeout, default: 30
+      option :connection_retries, default: 5
+      option :connection_retry_sleep, default: 1
+
+      # Standard Train options for compatibility
+      option :insecure, default: false
+      option :self_signed, default: false
+
+      # Juniper-specific options
+      option :mock, default: false
+      option :disable_complete_on_space, default: false
+
+      # Create and return a connection to a Juniper device
+      def connection(_instance_opts = nil)
+        # Cache the connection instance for reuse
+        # @options contains parsed connection details from train URI
+        @connection ||= TrainPlugins::Juniper::Connection.new(@options)
+      end
+    end
+  end
+end

data/lib/train-juniper/version.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# This file exists simply to record the version number of the plugin.
+# It is kept in a separate file, so that your gemspec can load it and
+# learn the current version without loading the whole plugin.  Also,
+# many CI servers can update this file when "version bumping".
+
+module TrainPlugins
+  module Juniper
+    VERSION = '0.5.4'
+  end
+end

data/lib/train-juniper.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+# This file is known as the "entry point."
+# This is the file Train will try to load if it
+# thinks your plugin is needed.
+
+# The *only* thing this file should do is setup the
+# load path, then load plugin files.
+
+# Next two lines simply add the path of the gem to the load path.
+# This is not needed when being loaded as a gem; but when doing
+# plugin development, you may need it.  Either way, it's harmless.
+libdir = __dir__
+$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
+
+# It's traditional to keep your gem version in a separate file, so CI can find it easier.
+require 'train-juniper/version'
+
+# A train plugin has three components: Transport, Connection, and Platform.
+# Transport acts as the glue.
+require 'train-juniper/transport'
+require 'train-juniper/platform'
+require 'train-juniper/connection'

data/train-juniper.gemspec

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+# As plugins are usually packaged and distributed as a RubyGem,
+# we have to provide a .gemspec file, which controls the gembuild
+# and publish process.  This is a fairly generic gemspec.
+
+# It is traditional in a gemspec to dynamically load the current version
+# from a file in the source tree.  The next three lines make that happen.
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'train-juniper/version'
+
+Gem::Specification.new do |spec|
+  # Importantly, all Train plugins must be prefixed with `train-`
+  spec.name          = 'train-juniper'
+
+  # It is polite to namespace your plugin under TrainPlugins::YourPluginInCamelCase
+  spec.version       = TrainPlugins::Juniper::VERSION
+  spec.authors       = ['MITRE Corporation']
+  spec.email         = ['saf@mitre.org']
+  spec.summary       = 'Train transport for Juniper Networks JunOS devices'
+  spec.description   = 'Provides SSH connectivity to Juniper Networks devices running JunOS for InSpec compliance testing and ' \
+                       'infrastructure inspection. Supports platform detection, command execution, and configuration file access.'
+  spec.homepage      = 'https://github.com/mitre/train-juniper'
+  spec.license       = 'Apache-2.0'
+
+  # Metadata for better gem discovery
+  spec.metadata = {
+    'bug_tracker_uri' => 'https://github.com/mitre/train-juniper/issues',
+    'changelog_uri' => 'https://github.com/mitre/train-juniper/blob/main/CHANGELOG.md',
+    'documentation_uri' => 'https://mitre.github.io/train-juniper/',
+    'homepage_uri' => 'https://github.com/mitre/train-juniper',
+    'source_code_uri' => 'https://github.com/mitre/train-juniper',
+    'security_policy_uri' => 'https://github.com/mitre/train-juniper/security/policy',
+    'rubygems_mfa_required' => 'true'
+  }
+
+  # Though complicated-looking, this is pretty standard for a gemspec.
+  # It just filters what will actually be packaged in the gem (leaving
+  # out tests, etc)
+  # Standard pattern for Train plugins - include all lib files and key docs
+  spec.files = %w[
+    README.md train-juniper.gemspec LICENSE.md NOTICE.md CHANGELOG.md
+    CODE_OF_CONDUCT.md CONTRIBUTING.md SECURITY.md
+    .env.example Rakefile
+  ] + Dir.glob(
+    'lib/**/*', File::FNM_DOTMATCH
+  ).reject { |f| File.directory?(f) }
+  spec.require_paths = ['lib']
+
+  # If you rely on any other gems, list them here with any constraints.
+  # This is how `inspec plugin install` is able to manage your dependencies.
+  # For example, perhaps you are writing a thing that talks to AWS, and you
+  # want to ensure you have `aws-sdk` in a certain version.
+
+  # If you only need certain gems during development or testing, list
+  # them in Gemfile, not here.
+  # Do not list inspec as a dependency of the train plugin.
+
+  # All plugins should mention train, > 1.4
+  spec.required_ruby_version = '>= 3.1.0'
+
+  # Community plugins typically use train-core for smaller footprint
+  # train-core provides core functionality without cloud dependencies
+  spec.add_dependency 'train-core', '~> 3.12.13'
+
+  # SSH connectivity dependencies - match train-core's exact version range
+  spec.add_dependency 'net-ssh', '>= 2.9', '< 8.0'
+
+  # Force compatible FFI version to avoid conflicts with InSpec
+  spec.add_dependency 'ffi', '~> 1.16.0'
+end

metadata

@@ -0,0 +1,115 @@
+--- !ruby/object:Gem::Specification
+name: train-juniper
+version: !ruby/object:Gem::Version
+  version: 0.5.4
+platform: ruby
+authors:
+- MITRE Corporation
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2025-06-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: train-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.12.13
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.12.13
+- !ruby/object:Gem::Dependency
+  name: net-ssh
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.0'
+- !ruby/object:Gem::Dependency
+  name: ffi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.16.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.16.0
+description: Provides SSH connectivity to Juniper Networks devices running JunOS for
+  InSpec compliance testing and infrastructure inspection. Supports platform detection,
+  command execution, and configuration file access.
+email:
+- saf@mitre.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".env.example"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
+- LICENSE.md
+- NOTICE.md
+- README.md
+- Rakefile
+- SECURITY.md
+- lib/train-juniper.rb
+- lib/train-juniper/connection.rb
+- lib/train-juniper/platform.rb
+- lib/train-juniper/transport.rb
+- lib/train-juniper/version.rb
+- train-juniper.gemspec
+homepage: https://github.com/mitre/train-juniper
+licenses:
+- Apache-2.0
+metadata:
+  bug_tracker_uri: https://github.com/mitre/train-juniper/issues
+  changelog_uri: https://github.com/mitre/train-juniper/blob/main/CHANGELOG.md
+  documentation_uri: https://mitre.github.io/train-juniper/
+  homepage_uri: https://github.com/mitre/train-juniper
+  source_code_uri: https://github.com/mitre/train-juniper
+  security_policy_uri: https://github.com/mitre/train-juniper/security/policy
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.27
+signing_key:
+specification_version: 4
+summary: Train transport for Juniper Networks JunOS devices
+test_files: []