train-juniper 0.7.0 → 0.7.1

data/lib/train-juniper/connection.rb

@@ -14,8 +14,18 @@
 require 'train'
 require 'logger'
 
-# Juniper-specific platform detection
+# Juniper-specific modules
+require 'train-juniper/constants'
 require 'train-juniper/platform'
+require 'train-juniper/connection/validation'
+require 'train-juniper/connection/command_executor'
+require 'train-juniper/connection/error_handling'
+require 'train-juniper/connection/ssh_session'
+require 'train-juniper/connection/bastion_proxy'
+require 'train-juniper/helpers/environment'
+require 'train-juniper/helpers/logging'
+require 'train-juniper/helpers/mock_responses'
+require 'train-juniper/file_abstraction/juniper_file'
 
 # Using Train's SSH transport for connectivity
 
@@ -25,6 +35,23 @@ module TrainPlugins
     class Connection < Train::Plugins::Transport::BaseConnection
       # Include Juniper-specific platform detection
       include TrainPlugins::Juniper::Platform
+      # Include environment variable helpers
+      include TrainPlugins::Juniper::Environment
+      # Include validation methods
+      include TrainPlugins::Juniper::Validation
+      # Include command execution methods
+      include TrainPlugins::Juniper::CommandExecutor
+      # Include error handling methods
+      include TrainPlugins::Juniper::ErrorHandling
+      # Include SSH session management
+      include TrainPlugins::Juniper::SSHSession
+      # Include bastion proxy support
+      include TrainPlugins::Juniper::BastionProxy
+      # Include logging helpers
+      include TrainPlugins::Juniper::Logging
+
+      # Alias for Train CommandResult for backward compatibility
+      CommandResult = Train::Extras::CommandResult
 
       attr_reader :ssh_session
 
@@ -33,11 +60,11 @@ module TrainPlugins
         host: { env: 'JUNIPER_HOST' },
         user: { env: 'JUNIPER_USER' },
         password: { env: 'JUNIPER_PASSWORD' },
-        port: { env: 'JUNIPER_PORT', type: :int, default: 22 },
+        port: { env: 'JUNIPER_PORT', type: :int, default: Constants::DEFAULT_SSH_PORT },
         timeout: { env: 'JUNIPER_TIMEOUT', type: :int, default: 30 },
         bastion_host: { env: 'JUNIPER_BASTION_HOST' },
         bastion_user: { env: 'JUNIPER_BASTION_USER' },
-        bastion_port: { env: 'JUNIPER_BASTION_PORT', type: :int, default: 22 },
+        bastion_port: { env: 'JUNIPER_BASTION_PORT', type: :int, default: Constants::DEFAULT_SSH_PORT },
         bastion_password: { env: 'JUNIPER_BASTION_PASSWORD' },
         proxy_command: { env: 'JUNIPER_PROXY_COMMAND' }
       }.freeze
@@ -93,8 +120,12 @@ module TrainPlugins
         super(@options)
 
         # Establish SSH connection to Juniper device (unless in mock mode or skip_connect)
-        @logger.debug('Attempting to connect to Juniper device...')
-        connect unless @options[:mock] || @options[:skip_connect]
+        if @options[:mock]
+          log_mock_mode
+        elsif !@options[:skip_connect]
+          @logger.debug('Attempting to connect to Juniper device...')
+          connect
+        end
       end
 
       # Secure string representation (never expose credentials)
@@ -102,6 +133,8 @@ module TrainPlugins
         "#<#{self.class.name}:0x#{object_id.to_s(16)} @host=#{@options[:host]} @user=#{@options[:user]}>"
       end
 
+      # Secure inspect method that uses to_s
+      # @return [String] Secure string representation
       def inspect
         to_s
       end
@@ -127,7 +160,7 @@ module TrainPlugins
       # @raise [NotImplementedError] Always raises as uploads are not supported
       # @note Network devices use command-based configuration instead of file uploads
       def upload(locals, remote)
-        raise NotImplementedError, "#{self.class} does not implement #upload() - network devices use command-based configuration"
+        raise NotImplementedError, Constants::UPLOAD_NOT_SUPPORTED
       end
 
       # Download files from Juniper device (not supported)
@@ -136,88 +169,9 @@ module TrainPlugins
       # @raise [NotImplementedError] Always raises as downloads are not supported
       # @note Use run_command() to retrieve configuration data instead
       def download(remotes, local)
-        raise NotImplementedError, "#{self.class} does not implement #download() - use run_command() to retrieve configuration data"
-      end
-
-      # Execute commands on Juniper device via SSH
-      # @param cmd [String] The JunOS command to execute
-      # @return [CommandResult] Result object with stdout, stderr, and exit status
-      # @raise [Train::ClientError] If command contains dangerous characters
-      # @example
-      #   result = connection.run_command('show version')
-      #   puts result.stdout
-      def run_command_via_connection(cmd)
-        # Sanitize command to prevent injection
-        safe_cmd = sanitize_command(cmd)
-
-        return mock_command_result(safe_cmd) if @options[:mock]
-
-        begin
-          # Ensure we're connected
-          connect unless connected?
-
-          @logger.debug("Executing command: #{safe_cmd}")
-
-          # Execute command via SSH session
-          output = @ssh_session.exec!(safe_cmd)
-
-          @logger.debug("Command output: #{output}")
-
-          # Format JunOS result
-          format_junos_result(output, safe_cmd)
-        rescue StandardError => e
-          @logger.error("Command execution failed: #{e.message}")
-          # Handle connection errors gracefully
-          CommandResult.new('', e.message, 1)
-        end
+        raise NotImplementedError, Constants::DOWNLOAD_NOT_SUPPORTED
       end
 
-      # JunOS error patterns organized by type
-      JUNOS_ERRORS = {
-        configuration: [/^error:/i, /configuration database locked/i],
-        syntax: [/syntax error/i],
-        command: [/invalid command/i, /unknown command/i],
-        argument: [/missing argument/i]
-      }.freeze
-
-      # Flattened error patterns for quick matching
-      JUNOS_ERROR_PATTERNS = JUNOS_ERRORS.values.flatten.freeze
-
-      # SSH option mapping configuration
-      SSH_OPTION_MAPPING = {
-        port: :port,
-        password: :password,
-        timeout: :timeout,
-        keepalive: :keepalive,
-        keepalive_interval: :keepalive_interval,
-        keys: ->(opts) { Array(opts[:key_files]) if opts[:key_files] },
-        keys_only: ->(opts) { opts[:keys_only] if opts[:key_files] }
-      }.freeze
-
-      # Default SSH options for Juniper connections
-      # @note verify_host_key is set to :never for network device compatibility
-      SSH_DEFAULTS = {
-        verify_host_key: :never
-      }.freeze
-
-      # Mock response configuration
-      MOCK_RESPONSES = {
-        'show version' => :mock_show_version_output,
-        'show chassis hardware' => :mock_chassis_output,
-        'show configuration' => "interfaces {\n    ge-0/0/0 {\n        unit 0;\n    }\n}",
-        'show route' => "inet.0: 5 destinations, 5 routes\n0.0.0.0/0       *[Static/5] 00:00:01\n",
-        'show system information' => "Hardware: SRX240H2\nOS: JUNOS 12.1X47-D15.4\n",
-        'show interfaces' => "Physical interface: ge-0/0/0, Enabled, Physical link is Up\n"
-      }.freeze
-
-      # Command sanitization patterns
-      # Note: Pipe (|) is allowed as it's commonly used in JunOS commands
-      DANGEROUS_COMMAND_PATTERNS = [
-        /[;&<>$`]/,     # Shell metacharacters (excluding pipe)
-        /\n|\r/,        # Newlines that could inject commands
-        /\\(?![nrt])/   # Escape sequences (except valid ones like \n, \r, \t)
-      ].freeze
-
       # Check connection health
       # @return [Boolean] true if connection is healthy, false otherwise
       # @example
@@ -245,349 +199,6 @@ module TrainPlugins
         @logger.debug("Juniper connection initialized with options: #{safe_options.inspect}")
         @logger.debug("Environment: JUNIPER_BASTION_USER=#{env_value('JUNIPER_BASTION_USER')} -> bastion_user=#{@options[:bastion_user]}")
       end
-
-      # Sanitize command to prevent injection attacks
-      def sanitize_command(cmd)
-        cmd_str = cmd.to_s.strip
-
-        if DANGEROUS_COMMAND_PATTERNS.any? { |pattern| cmd_str.match?(pattern) }
-          raise Train::ClientError, "Invalid characters in command: #{cmd_str.inspect}"
-        end
-
-        cmd_str
-      end
-
-      # Establish SSH connection to Juniper device
-      def connect
-        return if connected?
-
-        begin
-          # Use direct SSH connection (network device pattern)
-          # Defensive loading - only require if not fully loaded
-          require 'net/ssh' unless defined?(Net::SSH) && Net::SSH.respond_to?(:start)
-
-          @logger.debug('Establishing SSH connection to Juniper device')
-
-          ssh_options = build_ssh_options
-
-          # Add bastion host support if configured
-          if @options[:bastion_host]
-            require 'net/ssh/proxy/jump' unless defined?(Net::SSH::Proxy::Jump)
-
-            # Build proxy jump string from bastion options
-            bastion_user = @options[:bastion_user] || @options[:user] # Use explicit bastion user or fallback to main user
-            bastion_port = @options[:bastion_port]
-
-            proxy_jump = if bastion_port == 22
-                           "#{bastion_user}@#{@options[:bastion_host]}"
-                         else
-                           "#{bastion_user}@#{@options[:bastion_host]}:#{bastion_port}"
-                         end
-
-            @logger.debug("Using bastion host: #{proxy_jump}")
-
-            # Set up automated password authentication via SSH_ASKPASS
-            bastion_password = @options[:bastion_password] || @options[:password] # Use explicit bastion password or fallback
-            if bastion_password
-              @ssh_askpass_script = create_ssh_askpass_script(bastion_password)
-              ENV['SSH_ASKPASS'] = @ssh_askpass_script
-              ENV['SSH_ASKPASS_REQUIRE'] = 'force' # Force use of SSH_ASKPASS even with terminal
-              @logger.debug('Configured SSH_ASKPASS for automated bastion authentication')
-            end
-
-            ssh_options[:proxy] = Net::SSH::Proxy::Jump.new(proxy_jump)
-          end
-
-          @logger.debug("Connecting to #{@options[:host]}:#{@options[:port]} as #{@options[:user]}")
-
-          # Direct SSH connection
-          @ssh_session = Net::SSH.start(@options[:host], @options[:user], ssh_options)
-          @logger.debug('SSH connection established successfully')
-
-          # Configure JunOS session for automation
-          test_and_configure_session
-        rescue StandardError => e
-          @logger.error("SSH connection failed: #{e.message}")
-
-          # Provide helpful error messages for common authentication issues
-          if (e.message.include?('Permission denied') || e.message.include?('command failed')) && @options[:bastion_host]
-            raise Train::TransportError, <<~ERROR
-              Failed to connect to Juniper device #{@options[:host]} via bastion #{@options[:bastion_host]}: #{e.message}
-
-              SSH bastion authentication with passwords is not supported due to ProxyCommand limitations.
-              Please use one of these alternatives:
-
-              1. SSH Key Authentication (Recommended):
-                 Use --key-files option to specify SSH private key files
-              #{'   '}
-              2. SSH Agent:
-                 Ensure your SSH agent has the required keys loaded
-              #{'   '}
-              3. Direct Connection:
-                 Connect directly to the device if network allows (remove bastion options)
-
-              For more details, see: https://mitre.github.io/train-juniper/troubleshooting/#bastion-authentication
-            ERROR
-          else
-            raise Train::TransportError, "Failed to connect to Juniper device #{@options[:host]}: #{e.message}"
-          end
-        end
-      end
-
-      # Check if SSH connection is active
-      def connected?
-        return true if @options[:mock]
-
-        !@ssh_session.nil?
-      rescue StandardError
-        false
-      end
-
-      # Check if running in mock mode
-      def mock?
-        @options[:mock] == true
-      end
-
-      # Test connection and configure JunOS session
-      def test_and_configure_session
-        @logger.debug('Testing SSH connection and configuring JunOS session')
-
-        # Test connection first
-        @ssh_session.exec!('echo "connection test"')
-        @logger.debug('SSH connection test successful')
-
-        # Optimize CLI for automation
-        @ssh_session.exec!('set cli screen-length 0')
-        @ssh_session.exec!('set cli screen-width 0')
-        @ssh_session.exec!('set cli complete-on-space off') if @options[:disable_complete_on_space]
-
-        @logger.debug('JunOS session configured successfully')
-      rescue StandardError => e
-        @logger.warn("Failed to configure JunOS session: #{e.message}")
-      end
-
-      # Format JunOS command results (from implementation plan)
-      def format_junos_result(output, cmd)
-        # Parse JunOS-specific error patterns
-        if junos_error?(output)
-          CommandResult.new('', output, 1)
-        else
-          CommandResult.new(clean_output(output, cmd), '', 0)
-        end
-      end
-
-      # Check for JunOS error patterns (from implementation plan)
-      def junos_error?(output)
-        JUNOS_ERROR_PATTERNS.any? { |pattern| output.match?(pattern) }
-      end
-
-      # Clean command output
-      def clean_output(output, cmd)
-        # Handle nil output gracefully
-        return '' if output.nil?
-
-        # Remove command echo and prompts
-        lines = output.to_s.split("\n")
-        lines.reject! { |line| line.strip == cmd.strip }
-
-        # Remove JunOS prompt patterns from the end
-        lines.pop while lines.last && lines.last.strip.match?(/^[%>$#]+\s*$/)
-
-        lines.join("\n")
-      end
-
-      # Helper method to safely get environment variable value
-      # Returns nil if env var is not set or is empty string
-      def env_value(key)
-        value = ENV.fetch(key, nil)
-        return nil if value.nil? || value.empty?
-
-        value
-      end
-
-      # Helper method to get environment variable as integer
-      # Returns nil if env var is not set, empty, or not a valid integer
-      def env_int(key)
-        value = env_value(key)
-        return nil unless value
-
-        value.to_i
-      rescue ArgumentError
-        nil
-      end
-
-      # Build SSH connection options from @options
-      def build_ssh_options
-        SSH_DEFAULTS.merge(
-          SSH_OPTION_MAPPING.each_with_object({}) do |(ssh_key, option_key), opts|
-            value = option_key.is_a?(Proc) ? option_key.call(@options) : @options[option_key]
-            opts[ssh_key] = value unless value.nil?
-          end
-        )
-      end
-
-      # Validate all connection options
-      def validate_connection_options!
-        validate_required_options!
-        validate_option_types!
-        validate_proxy_options!
-      end
-
-      # Validate required options are present
-      def validate_required_options!
-        raise Train::ClientError, 'Host is required' unless @options[:host]
-        raise Train::ClientError, 'User is required' unless @options[:user]
-      end
-
-      # Validate option types and ranges
-      def validate_option_types!
-        validate_port! if @options[:port]
-        validate_timeout! if @options[:timeout]
-        validate_bastion_port! if @options[:bastion_port]
-      end
-
-      # Validate port is in valid range
-      def validate_port!
-        port = @options[:port].to_i
-        raise Train::ClientError, "Invalid port: #{@options[:port]} (must be 1-65535)" unless port.between?(1, 65_535)
-      end
-
-      # Validate timeout is positive number
-      def validate_timeout!
-        timeout = @options[:timeout]
-        raise Train::ClientError, "Invalid timeout: #{timeout} (must be positive number)" unless timeout.is_a?(Numeric) && timeout.positive?
-      end
-
-      # Validate bastion port is in valid range
-      def validate_bastion_port!
-        port = @options[:bastion_port].to_i
-        raise Train::ClientError, "Invalid bastion_port: #{@options[:bastion_port]} (must be 1-65535)" unless port.between?(1, 65_535)
-      end
-
-      # Validate proxy configuration options (Train standard)
-      def validate_proxy_options!
-        # Cannot use both bastion_host and proxy_command simultaneously
-        if @options[:bastion_host] && @options[:proxy_command]
-          raise Train::ClientError, 'Cannot specify both bastion_host and proxy_command'
-        end
-      end
-
-      # Create temporary SSH_ASKPASS script for automated password authentication
-      def create_ssh_askpass_script(password)
-        require 'tempfile'
-
-        script = Tempfile.new(['ssh_askpass', '.sh'])
-        script.write("#!/bin/bash\necho '#{password}'\n")
-        script.close
-        File.chmod(0o755, script.path)
-
-        @logger.debug("Created SSH_ASKPASS script at #{script.path}")
-        script.path
-      end
-
-      # Generate SSH proxy command for bastion host using ProxyJump (-J)
-      def generate_bastion_proxy_command(bastion_user, bastion_port)
-        args = ['ssh']
-
-        # SSH options for connection
-        args += ['-o', 'UserKnownHostsFile=/dev/null']
-        args += ['-o', 'StrictHostKeyChecking=no']
-        args += ['-o', 'LogLevel=ERROR']
-        args += ['-o', 'ForwardAgent=no']
-
-        # Use ProxyJump (-J) which handles password authentication properly
-        jump_host = if bastion_port == 22
-                      "#{bastion_user}@#{@options[:bastion_host]}"
-                    else
-                      "#{bastion_user}@#{@options[:bastion_host]}:#{bastion_port}"
-                    end
-        args += ['-J', jump_host]
-
-        # Add SSH keys if specified
-        if @options[:key_files]
-          Array(@options[:key_files]).each do |key_file|
-            args += ['-i', key_file]
-          end
-        end
-
-        # Target connection - %h and %p will be replaced by Net::SSH
-        args += ['%h', '-p', '%p']
-
-        args.join(' ')
-      end
-
-      # Mock command execution for testing
-      def mock_command_result(cmd)
-        response = MOCK_RESPONSES.find { |pattern, _| cmd.match?(/#{pattern}/) }
-
-        if response
-          output = response[1].is_a?(Symbol) ? send(response[1]) : response[1]
-          CommandResult.new(output, '', 0)
-        else
-          CommandResult.new("% Unknown command: #{cmd}", '', 1)
-        end
-      end
-
-      # Mock JunOS version output for testing
-      def mock_show_version_output
-        <<~OUTPUT
-          Hostname: lab-srx
-          Model: SRX240H2
-          Junos: 12.1X47-D15.4
-          JUNOS Software Release [12.1X47-D15.4]
-        OUTPUT
-      end
-
-      # Mock chassis output for testing
-      def mock_chassis_output
-        <<~OUTPUT
-          Hardware inventory:
-          Item             Version  Part number  Serial number     Description
-          Chassis                                JN123456          SRX240H2
-        OUTPUT
-      end
-    end
-
-    # File abstraction for Juniper configuration and operational data
-    class JuniperFile
-      # Initialize a new JuniperFile
-      # @param connection [Connection] The Juniper connection instance
-      # @param path [String] The virtual file path
-      def initialize(connection, path)
-        @connection = connection
-        @path = path
-      end
-
-      # Get the content of the virtual file
-      # @return [String] The command output based on the path
-      # @example
-      #   file = connection.file('/config/interfaces')
-      #   file.content  # Returns output of 'show configuration interfaces'
-      def content
-        # For Juniper devices, translate file paths to appropriate commands
-        case @path
-        when %r{/config/(.*)}
-          # Configuration sections: /config/interfaces -> show configuration interfaces
-          section = ::Regexp.last_match(1)
-          result = @connection.run_command("show configuration #{section}")
-          result.stdout
-        when %r{/operational/(.*)}
-          # Operational data: /operational/interfaces -> show interfaces
-          section = ::Regexp.last_match(1)
-          result = @connection.run_command("show #{section}")
-          result.stdout
-        else
-          # Default to treating path as a show command
-          result = @connection.run_command("show #{@path}")
-          result.stdout
-        end
-      end
-
-      def exist?
-        !content.empty?
-      rescue StandardError
-        false
-      end
     end
   end
 end

data/lib/train-juniper/constants.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module TrainPlugins
+  module Juniper
+    # Common constants used across the plugin
+    module Constants
+      # SSH Configuration
+      # @return [Integer] Default SSH port
+      DEFAULT_SSH_PORT = 22
+      # @return [Range] Valid port range for SSH connections
+      PORT_RANGE = (1..65_535)
+
+      # Standard SSH Options for network devices
+      STANDARD_SSH_OPTIONS = {
+        'UserKnownHostsFile' => '/dev/null',
+        'StrictHostKeyChecking' => 'no',
+        'LogLevel' => 'ERROR',
+        'ForwardAgent' => 'no'
+      }.freeze
+
+      # JunOS CLI Prompt Patterns
+      # @return [Regexp] Pattern matching JunOS CLI prompts
+      CLI_PROMPT = /[%>$#]\s*$/
+      # @return [Regexp] Pattern matching JunOS configuration mode prompts
+      CONFIG_PROMPT = /[%#]\s*$/
+
+      # File Path Patterns
+      # @return [Regexp] Pattern for configuration file paths
+      CONFIG_PATH_PATTERN = %r{/config/(.*)}
+      # @return [Regexp] Pattern for operational data paths
+      OPERATIONAL_PATH_PATTERN = %r{/operational/(.*)}
+
+      # Error Messages
+      # @return [String] Error message for unsupported upload operations
+      UPLOAD_NOT_SUPPORTED = 'File operations not supported for Juniper devices - use command-based configuration'
+      # @return [String] Error message for unsupported download operations
+      DOWNLOAD_NOT_SUPPORTED = 'File operations not supported for Juniper devices - use run_command() to retrieve data'
+    end
+  end
+end

data/lib/train-juniper/file_abstraction/juniper_file.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require 'train-juniper/constants'
+
+module TrainPlugins
+  module Juniper
+    # File abstraction for Juniper configuration and operational data
+    class JuniperFile
+      # Initialize a new JuniperFile
+      # @param connection [Connection] The Juniper connection instance
+      # @param path [String] The virtual file path
+      def initialize(connection, path)
+        @connection = connection
+        @path = path
+      end
+
+      # Get the content of the virtual file
+      # @return [String] The command output based on the path
+      # @example
+      #   file = connection.file('/config/interfaces')
+      #   file.content  # Returns output of 'show configuration interfaces'
+      def content
+        # For Juniper devices, translate file paths to appropriate commands
+        case @path
+        when Constants::CONFIG_PATH_PATTERN
+          # Configuration sections: /config/interfaces -> show configuration interfaces
+          section = ::Regexp.last_match(1)
+          result = @connection.run_command("show configuration #{section}")
+          result.stdout
+        when Constants::OPERATIONAL_PATH_PATTERN
+          # Operational data: /operational/interfaces -> show interfaces
+          section = ::Regexp.last_match(1)
+          result = @connection.run_command("show #{section}")
+          result.stdout
+        else
+          # Default to treating path as a show command
+          result = @connection.run_command("show #{@path}")
+          result.stdout
+        end
+      end
+
+      # Check if the file exists (has content)
+      # @return [Boolean] true if the file has content, false otherwise
+      def exist?
+        !content.empty?
+      rescue StandardError
+        false
+      end
+
+      # Return string representation of file path
+      # @return [String] the file path
+      def to_s
+        @path
+      end
+
+      # File upload not supported for network devices
+      # @raise [NotImplementedError] always raises as upload is not supported
+      def upload(_content)
+        raise NotImplementedError, Constants::UPLOAD_NOT_SUPPORTED
+      end
+
+      # File download not supported for network devices
+      # @raise [NotImplementedError] always raises as download is not supported
+      def download(_local_path)
+        raise NotImplementedError, Constants::DOWNLOAD_NOT_SUPPORTED
+      end
+    end
+  end
+end

data/lib/train-juniper/helpers/environment.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module TrainPlugins
+  module Juniper
+    # Helper methods for safely handling environment variables
+    module Environment
+      # Helper method to safely get environment variable value
+      # Returns nil if env var is not set or is empty string
+      # @param key [String] The environment variable name
+      # @return [String, nil] The value or nil if not set/empty
+      def env_value(key)
+        value = ENV.fetch(key, nil)
+        return nil if value.nil? || value.empty?
+
+        value
+      end
+
+      # Helper method to get environment variable as integer
+      # Returns nil if env var is not set, empty, or not a valid integer
+      # @param key [String] The environment variable name
+      # @return [Integer, nil] The integer value or nil if not valid
+      def env_int(key)
+        value = env_value(key)
+        return nil unless value
+
+        value.to_i
+      end
+    end
+  end
+end