train-juniper 0.7.3 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c7074cafad165e2055edc5be8495a250025f4fc06ad658e740b77248e3d2273c
-  data.tar.gz: febffacb8ad71ffc912a76b3be460f598e48e20b0c500de48f10c3cefe11c549
+  metadata.gz: b7571220250289d5866fa3074789e166f5000cde3b93a0174889e24d1a8ac335
+  data.tar.gz: 276162fb0254fc498b4ad562ba3377a1d0d2ba84faccd630eb67f084185798b8
 SHA512:
-  metadata.gz: 4c47e243ab6d5922904bd7898b4c1da8dff8ac4986f3b60629e4662c566e79ace9bbec8a0dfda2ee400e51ec7f060f2c871b11be07d84130ce1f1ac1d23b4d76
-  data.tar.gz: af8b001261139a75f38da8be9711c3c9f14c8a618bd8195234c750262ef40e4a772cd9a081a59deb2880e1c78ac5ad44846ba7c902cc360420a4d4a4b5092be6
+  metadata.gz: 3007c4a588b1024c1553cfa22f9d606628d335578438c4d78c927fb3fa4fe99fad50dcac50da6a184998934a913c218d40a51d6b54fcaaf575dc6b3df7e8ffa8
+  data.tar.gz: 8c52911377b95ef3e51a2e36c4e7b0cc9eaaf3ee9d3877af16f3fdb869e5929904d65bda70344ba049037f6a1cbc138bfd119b18e0d2785a864fd0819a177e7d

data/.env.example

@@ -1,29 +1,20 @@
-# Train-Juniper Environment Variables Example
-# Copy this file to .env and fill in your actual values
-# The plugin automatically detects these environment variables
+# Example environment configuration for train-juniper
+# Copy this file to .env and update with your values
 
-# Juniper Device Connection
-JUNIPER_HOST=your.device.hostname.com
-JUNIPER_USER=your_username
-JUNIPER_PASSWORD=your_password
+# Direct connection to Juniper device
+JUNIPER_HOST=192.168.1.1
 JUNIPER_PORT=22
-JUNIPER_TIMEOUT=60
+JUNIPER_USER=admin
+JUNIPER_PASSWORD=your-password-here
 
-# Bastion/Jump Host (optional - only if device is behind jump host)
-JUNIPER_BASTION_HOST=your.jumphost.com
-JUNIPER_BASTION_USER=your_jump_username
-JUNIPER_BASTION_PORT=22
-JUNIPER_BASTION_PASSWORD=your_jump_password
+# Optional: Connection timeout in seconds
+CONNECTION_TIMEOUT=60
 
-# Custom Proxy Command (alternative to bastion host)
-# JUNIPER_PROXY_COMMAND=ssh your.jumphost.com -W %h:%p
+# Optional: Bastion/jump host configuration
+# Uncomment and configure if you need to connect through a bastion host
+# JUNIPER_BASTION_HOST=jump.example.com
+# JUNIPER_BASTION_USER=admin
+# JUNIPER_BASTION_PORT=22
+# JUNIPER_BASTION_PASSWORD=bastion-password-here
 
-# Usage Examples:
-# 1. Basic connection (auto-detects above variables):
-#    inspec detect -t juniper://
-#
-# 2. Override specific values:
-#    inspec detect -t juniper://different_user@different_host --password override_pass
-#
-# 3. Test connection:
-#    source .env && inspec detect -t juniper:// -l debug
+# Note: If JUNIPER_BASTION_PASSWORD is not set, it will use JUNIPER_PASSWORD

data/CHANGELOG.md

@@ -5,6 +5,51 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.8.0] - 2025-07-04
+
+### Documentation
+
+- Update roadmap with v0.7.4 accomplishments and clear prioritization
+
+### Fixed
+
+- Resolve UUID warning and migrate to XML parsing ([#4](https://github.com/mitre/train-juniper/issues/4))
+
+### Refactor
+
+- Improve code quality based on deep review
+
+### Testing
+
+- Achieve 100% line coverage with cross-platform Windows plink test
+
+## [0.7.4] - 2025-06-24
+
+### Added
+
+- Add Windows plink.exe support for bastion authentication
+
+### Documentation
+
+- Add Windows bastion setup guide and improve navigation
+- Fix MkDocs link warnings
+- Add host key acceptance instructions and InSpec testing examples
+- Improve Windows documentation and standardize on inspec shell
+
+### Fixed
+
+- Clean up ENV in Windows plink test to prevent CI failures
+- Remove trailing whitespace to pass linting
+
+### Miscellaneous Tasks
+
+- Fix linting issues in Windows test script
+
+### Testing
+
+- Add Windows testing scripts and guide
+- Add .env file support to Windows test scripts
+
 ## [0.7.3] - 2025-06-23
 
 ### Documentation

data/CONTRIBUTING.md

@@ -146,7 +146,7 @@ Releases are managed by project maintainers:
 
 ## Community
 
-- Follow our [Code of Conduct](CODE_OF_CONDUCT)
+- Follow our [Code of Conduct](CODE_OF_CONDUCT.md)
 - Be respectful and collaborative
 - Help others learn and contribute
 

data/README.md

@@ -409,7 +409,7 @@ This gem supports a wide range of platforms to ensure maximum compatibility:
 | `x86_64-linux-musl` | Alpine Linux | Docker containers |
 | `x86_64-darwin` | Intel macOS | Older Mac workstations |
 | `arm64-darwin-*` | Apple Silicon macOS | Modern Mac workstations |
-| `x64-mingw-ucrt` | Windows (UCRT) | Windows 10/11 with modern Ruby |
+| `x64-mingw-ucrt` | Windows (UCRT) | Windows 10/11 with modern Ruby ([bastion setup](windows-bastion-setup.md)) |
 | `x86_64-freebsd` | FreeBSD | Network appliances (JunOS heritage) |
 | `x86_64-solaris` | Solaris/illumos | Enterprise environments |
 
@@ -418,10 +418,11 @@ This gem supports a wide range of platforms to ensure maximum compatibility:
 
 ### Documentation
 
-- **[Installation Guide](installation)** - Complete installation instructions
-- **[Basic Usage](basic-usage)** - Getting started with the plugin
-- **[Release Process](RELEASE_PROCESS)** - How to cut releases and publish gems
-- **[Project Roadmap](ROADMAP)** - Future development plans and contribution opportunities
+- **[Installation Guide](installation.md)** - Complete installation instructions
+- **[Basic Usage](basic-usage.md)** - Getting started with the plugin
+- **[Windows Bastion Setup](windows-bastion-setup.md)** - Windows bastion/jump host authentication guide
+- **[Release Process](RELEASE_PROCESS.md)** - How to cut releases and publish gems
+- **[Project Roadmap](ROADMAP.md)** - Future development plans and contribution opportunities
 
 ### Plugin Development Resources
 
@@ -438,7 +439,7 @@ We welcome contributions! Here's how to get started:
 4. Run `bundle exec rake test` to ensure tests pass
 5. Submit a pull request
 
-Please see our [Contributing Guide](CONTRIBUTING) for more details.
+Please see our [Contributing Guide](CONTRIBUTING.md) for more details.
 
 ## Support and Contact
 
@@ -472,12 +473,12 @@ Special thanks to the Train and InSpec communities for their excellent documenta
 
 Licensed under the Apache-2.0 license, except as noted below.
 
-See [LICENSE](LICENSE) for full details.
+See [LICENSE](LICENSE.md) for full details.
 
 ### Notice
 
 This software was produced for the U.S. Government under contract and is subject to Federal Acquisition Regulation Clause 52.227-14.
 
-See [NOTICE](NOTICE) for full details.
+See [NOTICE](NOTICE.md) for full details.
 
 © 2025 The MITRE Corporation.

data/lib/train-juniper/connection/bastion_proxy.rb

@@ -1,26 +1,41 @@
 # frozen_string_literal: true
 
 require 'train-juniper/constants'
+require 'train-juniper/connection/windows_proxy'
+require 'train-juniper/connection/ssh_askpass'
 
 module TrainPlugins
   module Juniper
     # Handles bastion host proxy configuration and authentication
     module BastionProxy
+      include WindowsProxy
+      include SshAskpass
+
       # Configure bastion proxy for SSH connection
       # @param ssh_options [Hash] SSH options to modify
       def configure_bastion_proxy(ssh_options)
-        require 'net/ssh/proxy/jump' unless defined?(Net::SSH::Proxy::Jump)
-
-        # Build proxy jump string from bastion options
         bastion_user = @options[:bastion_user] || @options[:user]
         bastion_port = @options[:bastion_port]
+        bastion_password = @options[:bastion_password] || @options[:password]
+
+        # On Windows with password auth, use plink.exe if available
+        if Gem.win_platform? && bastion_password && plink_available?
+          configure_plink_proxy(ssh_options, bastion_user, bastion_port, bastion_password)
+        else
+          configure_standard_proxy(ssh_options, bastion_user, bastion_port)
+        end
+      end
 
-        proxy_jump = if bastion_port == Constants::DEFAULT_SSH_PORT
-                       "#{bastion_user}@#{@options[:bastion_host]}"
-                     else
-                       "#{bastion_user}@#{@options[:bastion_host]}:#{bastion_port}"
-                     end
+      private
+
+      # Configure standard SSH proxy using Net::SSH::Proxy::Jump
+      # @param ssh_options [Hash] SSH options to modify
+      # @param bastion_user [String] Username for bastion
+      # @param bastion_port [Integer] Port for bastion
+      def configure_standard_proxy(ssh_options, bastion_user, bastion_port)
+        require 'net/ssh/proxy/jump' unless defined?(Net::SSH::Proxy::Jump)
 
+        proxy_jump = build_proxy_jump_string(bastion_user, bastion_port)
         @logger.debug("Using bastion host: #{proxy_jump}")
 
         # Set up automated password authentication via SSH_ASKPASS
@@ -29,49 +44,34 @@ module TrainPlugins
         ssh_options[:proxy] = Net::SSH::Proxy::Jump.new(proxy_jump)
       end
 
-      # Set up SSH_ASKPASS for bastion password authentication
-      def setup_bastion_password_auth
-        bastion_password = @options[:bastion_password] || @options[:password]
-        return unless bastion_password
-
-        @ssh_askpass_script = create_ssh_askpass_script(bastion_password)
-        ENV['SSH_ASKPASS'] = @ssh_askpass_script
-        ENV['SSH_ASKPASS_REQUIRE'] = 'force'
-        @logger.debug('Configured SSH_ASKPASS for automated bastion authentication')
+      # Configure plink.exe proxy for Windows password authentication
+      # @param ssh_options [Hash] SSH options to modify
+      # @param bastion_user [String] Username for bastion
+      # @param bastion_port [Integer] Port for bastion
+      # @param bastion_password [String] Password for bastion
+      def configure_plink_proxy(ssh_options, bastion_user, bastion_port, bastion_password)
+        require 'net/ssh/proxy/command' unless defined?(Net::SSH::Proxy::Command)
+
+        proxy_cmd = build_plink_proxy_command(
+          @options[:bastion_host],
+          bastion_user,
+          bastion_port,
+          bastion_password
+        )
+
+        @logger.debug('Using plink.exe for bastion proxy')
+        ssh_options[:proxy] = Net::SSH::Proxy::Command.new(proxy_cmd)
       end
 
-      # Create temporary SSH_ASKPASS script for automated password authentication
-      # @param password [String] The password to use
-      # @return [String] Path to the created script
-      def create_ssh_askpass_script(password)
-        require 'tempfile'
-
-        if Gem.win_platform?
-          # :nocov:
-          # Create Windows PowerShell script
-          script = Tempfile.new(['ssh_askpass', '.ps1'])
-          # PowerShell handles escaping better, just escape quotes
-          escaped_password = password.gsub("'", "''")
-          script.write("Write-Output '#{escaped_password}'\r\n")
-          script.close
-
-          # Create a wrapper batch file to execute PowerShell with bypass policy
-          wrapper = Tempfile.new(['ssh_askpass_wrapper', '.bat'])
-          wrapper.write("@echo off\r\npowershell.exe -ExecutionPolicy Bypass -File \"#{script.path}\"\r\n")
-          wrapper.close
-
-          @logger.debug("Created SSH_ASKPASS PowerShell script at #{script.path} with wrapper at #{wrapper.path}")
-          wrapper.path
-          # :nocov:
+      # Build proxy jump string from bastion options
+      # @param bastion_user [String] Username for bastion
+      # @param bastion_port [Integer] Port for bastion
+      # @return [String] Proxy jump string
+      def build_proxy_jump_string(bastion_user, bastion_port)
+        if bastion_port == Constants::DEFAULT_SSH_PORT
+          "#{bastion_user}@#{@options[:bastion_host]}"
         else
-          # Create Unix shell script
-          script = Tempfile.new(['ssh_askpass', '.sh'])
-          script.write("#!/bin/bash\necho '#{password}'\n")
-          script.close
-          File.chmod(0o755, script.path)
-
-          @logger.debug("Created SSH_ASKPASS script at #{script.path}")
-          script.path
+          "#{bastion_user}@#{@options[:bastion_host]}:#{bastion_port}"
         end
       end
 
@@ -88,11 +88,7 @@ module TrainPlugins
         end
 
         # Use ProxyJump (-J) which handles password authentication properly
-        jump_host = if bastion_port == Constants::DEFAULT_SSH_PORT
-                      "#{bastion_user}@#{@options[:bastion_host]}"
-                    else
-                      "#{bastion_user}@#{@options[:bastion_host]}:#{bastion_port}"
-                    end
+        jump_host = build_proxy_jump_string(bastion_user, bastion_port)
         args += ['-J', jump_host]
 
         # Add SSH keys if specified

data/lib/train-juniper/connection/command_executor.rb

@@ -40,9 +40,9 @@ module TrainPlugins
           # Format JunOS result
           format_junos_result(output, safe_cmd)
         rescue StandardError => e
-          log_error(e, 'Command execution failed')
+          log_error(e, "Command execution failed for: #{safe_cmd}")
           # Handle connection errors gracefully
-          error_result(e.message)
+          error_result("#{e.message} (command: #{safe_cmd})")
           # :nocov:
         end
       end

data/lib/train-juniper/connection/ssh_askpass.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require 'tempfile'
+
+module TrainPlugins
+  module Juniper
+    # SSH_ASKPASS script management for automated password authentication
+    module SshAskpass
+      # Set up SSH_ASKPASS for bastion password authentication
+      def setup_bastion_password_auth
+        bastion_password = @options[:bastion_password] || @options[:password]
+        return unless bastion_password
+
+        @ssh_askpass_script = create_ssh_askpass_script(bastion_password)
+        ENV['SSH_ASKPASS'] = @ssh_askpass_script
+        ENV['SSH_ASKPASS_REQUIRE'] = 'force'
+        @logger.debug('Configured SSH_ASKPASS for automated bastion authentication')
+      end
+
+      # Create temporary SSH_ASKPASS script for automated password authentication
+      # @param password [String] The password to use
+      # @return [String] Path to the created script
+      def create_ssh_askpass_script(password)
+        if Gem.win_platform?
+          create_windows_askpass_script(password)
+        else
+          create_unix_askpass_script(password)
+        end
+      end
+
+      private
+
+      # Create Windows PowerShell script for SSH_ASKPASS
+      # @param password [String] The password to use
+      # @return [String] Path to the wrapper batch file
+      def create_windows_askpass_script(password)
+        # :nocov:
+        # Create Windows PowerShell script
+        script = Tempfile.new(['ssh_askpass', '.ps1'])
+        # PowerShell handles escaping better, just escape quotes
+        escaped_password = password.gsub("'", "''")
+        script.write("Write-Output '#{escaped_password}'\r\n")
+        script.close
+
+        # Create a wrapper batch file to execute PowerShell with bypass policy
+        wrapper = Tempfile.new(['ssh_askpass_wrapper', '.bat'])
+        wrapper.write("@echo off\r\npowershell.exe -ExecutionPolicy Bypass -File \"#{script.path}\"\r\n")
+        wrapper.close
+
+        @logger.debug("Created SSH_ASKPASS PowerShell script at #{script.path} with wrapper at #{wrapper.path}")
+        wrapper.path
+        # :nocov:
+      end
+
+      # Create Unix shell script for SSH_ASKPASS
+      # @param password [String] The password to use
+      # @return [String] Path to the created script
+      def create_unix_askpass_script(password)
+        script = Tempfile.new(['ssh_askpass', '.sh'])
+        script.write("#!/bin/bash\necho '#{password}'\n")
+        script.close
+        File.chmod(0o755, script.path)
+
+        @logger.debug("Created SSH_ASKPASS script at #{script.path}")
+        script.path
+      end
+    end
+  end
+end

data/lib/train-juniper/connection/ssh_session.rb

@@ -17,6 +17,9 @@ module TrainPlugins
 
       # Default SSH options for Juniper connections
       # @note verify_host_key is set to :never for network device compatibility
+      # Rationale: Network devices often regenerate SSH keys after firmware updates
+      # and operate in controlled environments where MITM attacks are mitigated by
+      # network segmentation. This matches standard network automation practices.
       SSH_DEFAULTS = {
         verify_host_key: :never
       }.freeze

data/lib/train-juniper/connection/windows_proxy.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'shellwords'
+
+module TrainPlugins
+  module Juniper
+    # Windows-specific proxy handling using plink.exe
+    # This pattern is used by various Ruby projects for Windows SSH support,
+    # including hglib.rb (Mercurial) and follows Net::SSH::Proxy::Command patterns
+    module WindowsProxy
+      # Check if plink.exe is available on Windows
+      # @return [Boolean] true if plink.exe is found in PATH
+      def plink_available?
+        return false unless Gem.win_platform?
+
+        ENV['PATH'].split(File::PATH_SEPARATOR).any? do |path|
+          File.exist?(File.join(path, 'plink.exe'))
+        end
+      end
+
+      # Build plink.exe proxy command for Windows bastion authentication
+      # @param bastion_host [String] Bastion hostname
+      # @param user [String] Username for bastion
+      # @param port [Integer] Port for bastion
+      # @param password [String] Password for bastion
+      # @return [String] Complete plink command string
+      def build_plink_proxy_command(bastion_host, user, port, password)
+        parts = []
+        parts << 'plink.exe'
+        parts << '-batch' # Non-interactive mode
+        parts << '-ssh'   # Force SSH protocol (not telnet)
+        parts << '-pw'
+        parts << Shellwords.escape(password)
+
+        if port && port != 22
+          parts << '-P'
+          parts << port.to_s
+        end
+
+        parts << "#{user}@#{bastion_host}"
+        parts << '-nc'
+        parts << '%h:%p' # Netcat mode for proxying
+
+        parts.join(' ')
+      end
+    end
+  end
+end

data/lib/train-juniper/connection.rb

@@ -102,10 +102,10 @@ module TrainPlugins
         end
 
         @options[:keepalive] = true
-        @options[:keepalive_interval] = 60
+        @options[:keepalive_interval] = Constants::SSH_KEEPALIVE_INTERVAL
 
         # Setup logger
-        @logger = @options[:logger] || Logger.new(STDOUT, level: Logger::WARN)
+        @logger = @options[:logger] || Logger.new(STDOUT, level: Constants::DEFAULT_LOG_LEVEL)
 
         # JunOS CLI prompt patterns
         @cli_prompt = /[%>$#]\s*$/
@@ -187,6 +187,38 @@ module TrainPlugins
         false
       end
 
+      # Required by Train framework for node identification
+      # @return [String] URI that uniquely identifies this connection
+      # @example Direct connection
+      #   "juniper://admin@device.example.com:22"
+      # @example Bastion connection
+      #   "juniper://admin@device.example.com:22?via=jumpuser@bastion.example.com:2222"
+      def uri
+        base_uri = "juniper://#{@options[:user]}@#{@options[:host]}:#{@options[:port]}"
+
+        # Include bastion information if connecting through a jump host
+        if @options[:bastion_host]
+          bastion_user = @options[:bastion_user] || @options[:user]
+          bastion_port = @options[:bastion_port] || 22
+          bastion_info = "via=#{bastion_user}@#{@options[:bastion_host]}:#{bastion_port}"
+          "#{base_uri}?#{bastion_info}"
+        else
+          base_uri
+        end
+      end
+
+      # Optional method for better UUID generation using device-specific identifiers
+      # @return [String] Unique identifier for this device/connection
+      # @note Tries to get Juniper device serial number, falls back to hostname
+      def unique_identifier
+        # Don't attempt device detection in mock mode
+        return @options[:host] if @options[:mock]
+
+        # Use the platform module's serial detection which follows DRY principle
+        serial = detect_junos_serial
+        serial || @options[:host]
+      end
+
       # List of sensitive option keys to redact in logs
       SENSITIVE_OPTIONS = %i[password bastion_password key_files proxy_command].freeze
       private_constant :SENSITIVE_OPTIONS

data/lib/train-juniper/constants.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'logger'
+
 module TrainPlugins
   module Juniper
     # Common constants used across the plugin
@@ -9,6 +11,14 @@ module TrainPlugins
       DEFAULT_SSH_PORT = 22
       # @return [Range] Valid port range for SSH connections
       PORT_RANGE = (1..65_535)
+      # @return [Integer] SSH keepalive interval in seconds
+      SSH_KEEPALIVE_INTERVAL = 60
+      # @return [Integer] Maximum keepalive count before disconnect
+      SSH_KEEPALIVE_MAX_COUNT = 3
+
+      # Logging Configuration
+      # @return [Integer] Default log level
+      DEFAULT_LOG_LEVEL = Logger::WARN
 
       # Standard SSH Options for network devices
       STANDARD_SSH_OPTIONS = {

data/lib/train-juniper/helpers/mock_responses.rb

@@ -39,10 +39,56 @@ module TrainPlugins
         OUTPUT
       end
 
+      # Mock chassis hardware XML output
+      # @return [String] mock XML output for 'show chassis hardware | display xml' command
+      def self.mock_chassis_xml_output
+        <<~OUTPUT
+          <rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.1X47/junos">
+            <chassis-inventory xmlns="http://xml.juniper.net/junos/12.1X47/junos-chassis">
+              <chassis junos:style="inventory">
+                <name>Chassis</name>
+                <serial-number>JN123456</serial-number>
+                <description>SRX240H2</description>
+              </chassis>
+            </chassis-inventory>
+          </rpc-reply>
+        OUTPUT
+      end
+
+      # Mock version XML output
+      # @return [String] mock XML output for 'show version | display xml' command
+      def self.mock_version_xml_output
+        <<~OUTPUT
+          <rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.1X47/junos">
+            <software-information>
+              <host-name>lab-srx</host-name>
+              <product-model>SRX240H2</product-model>
+              <product-name>srx240h2</product-name>
+              <junos-version>12.1X47-D15.4</junos-version>
+            </software-information>
+          </rpc-reply>
+        OUTPUT
+      end
+
       # Get mock response for a command
       # @param cmd [String] the command to get response for
       # @return [Array<String, Integer>] tuple of [output, exit_status]
       def self.response_for(cmd)
+        # Check if command includes display modifiers
+        if cmd.include?('| display xml')
+          # Handle XML output requests
+          # Use simple string split to avoid ReDoS vulnerability
+          base_cmd = cmd.split('|').first.strip
+
+          case base_cmd
+          when 'show chassis hardware'
+            return [mock_chassis_xml_output, 0]
+          when 'show version'
+            return [mock_version_xml_output, 0]
+          end
+        end
+
+        # Standard text response handling
         response = RESPONSES.find { |pattern, _| cmd.match?(/#{pattern}/) }
 
         if response

data/lib/train-juniper/platform.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'rexml/document'
+
 # Platform definition file for Juniper network devices.
 # This defines the "juniper" platform within Train's platform detection system.
 
@@ -51,6 +53,33 @@ module TrainPlugins::Juniper
 
     private
 
+    # Generic XML extraction helper
+    # @param output [String] XML output from command
+    # @param xpath_patterns [Array<String>] XPath patterns to try in order
+    # @param command_desc [String] Description of command for error messages
+    # @yield [REXML::Element] Optional block to process the found element
+    # @return [String, nil] Extracted text or result of block processing
+    def extract_from_xml(output, xpath_patterns, command_desc)
+      return nil if output.nil? || output.empty?
+
+      doc = REXML::Document.new(output)
+
+      # Try each XPath pattern until we find an element
+      element = nil
+      xpath_patterns.each do |xpath|
+        element = doc.elements[xpath]
+        break if element
+      end
+
+      return nil unless element
+
+      # If block given, let it process the element, otherwise return text
+      block_given? ? yield(element) : element.text&.strip
+    rescue StandardError => e
+      logger&.warn("Failed to parse XML output from '#{command_desc}': #{e.message}")
+      nil
+    end
+
     # Generic detection helper for version and architecture
     # @param attribute_name [String] Name of the attribute to detect
     # @param command [String] Command to run (default: 'show version')
@@ -95,79 +124,77 @@ module TrainPlugins::Juniper
     # @return [String, nil] JunOS version string or nil if not detected
     # @note This runs safely after the connection is established
     def detect_junos_version
-      detect_attribute('junos_version') { |output| extract_version_from_output(output) }
+      detect_attribute('junos_version', 'show version | display xml') { |output| extract_version_from_xml(output) }
     end
 
-    # Extract version string from JunOS show version output
-    # @param output [String] Raw output from 'show version' command
+    # Extract version string from JunOS show version XML output
+    # @param output [String] XML output from 'show version | display xml' command
     # @return [String, nil] Extracted version string or nil
-    def extract_version_from_output(output)
-      return nil if output.nil? || output.empty?
-
-      # Try multiple JunOS version patterns
-      patterns = [
-        /Junos:\s+([\w\d.-]+)/,                           # "Junos: 12.1X47-D15.4"
-        /JUNOS Software Release \[([\w\d.-]+)\]/,         # "JUNOS Software Release [12.1X47-D15.4]"
-        /junos version ([\w\d.-]+)/i,                     # "junos version 21.4R3"
-        /Model: \S+, JUNOS Base OS boot \[([\w\d.-]+)\]/, # Some hardware variants
-        /([\d]+\.[\d]+[\w.-]*)/                           # Generic version pattern
+    def extract_version_from_xml(output)
+      xpath_patterns = [
+        '//junos-version',
+        '//package-information/name[text()="junos"]/following-sibling::comment',
+        '//software-information/version'
       ]
 
-      patterns.each do |pattern|
-        match = output.match(pattern)
-        return match[1] if match
-      end
-
-      nil
+      extract_from_xml(output, xpath_patterns, 'show version | display xml')
     end
 
     # Detect JunOS architecture from device output
     # @return [String, nil] Architecture string or nil if not detected
     # @note This runs safely after the connection is established
     def detect_junos_architecture
-      detect_attribute('junos_architecture') { |output| extract_architecture_from_output(output) }
+      detect_attribute('junos_architecture', 'show version | display xml') { |output| extract_architecture_from_xml(output) }
     end
 
-    # Extract architecture string from JunOS show version output
-    # @param output [String] Raw output from 'show version' command
+    # Extract architecture string from JunOS show version XML output
+    # @param output [String] XML output from 'show version | display xml' command
     # @return [String, nil] Architecture string (x86_64, arm64, etc.) or nil
-    def extract_architecture_from_output(output)
-      return nil if output.nil? || output.empty?
-
-      # Try multiple JunOS architecture patterns
-      patterns = [
-        /Model:\s+(\S+)/, # "Model: SRX240H2" -> extract model as arch indicator
-        /Junos:\s+[\w\d.-]+\s+built\s+[\d-]+\s+[\d:]+\s+by\s+builder\s+on\s+(\S+)/, # Build architecture
-        /JUNOS.*\[([\w-]+)\]/,                                 # JUNOS package architecture
-        /Architecture:\s+(\S+)/i,                              # Direct architecture line
-        /Platform:\s+(\S+)/i,                                  # Platform designation
-        /Processor.*:\s*(\S+)/i # Processor type
+    def extract_architecture_from_xml(output)
+      xpath_patterns = [
+        '//product-model',
+        '//software-information/product-model',
+        '//chassis-inventory/chassis/description'
       ]
 
-      patterns.each do |pattern|
-        match = output.match(pattern)
-        next unless match
+      extract_from_xml(output, xpath_patterns, 'show version | display xml') do |element|
+        model = element.text.strip
 
-        arch_value = match[1]
-        # Convert model names to architecture indicators
-        case arch_value
+        # Map model names to architecture
+        case model
         when /SRX\d+/i
-          return 'x86_64'  # Most SRX models are x86_64
+          'x86_64'  # Most SRX models are x86_64
         when /MX\d+/i
-          return 'x86_64'  # MX routers are typically x86_64
+          'x86_64'  # MX routers are typically x86_64
         when /EX\d+/i
-          return 'arm64'   # Many EX switches use ARM
+          'arm64'   # Many EX switches use ARM
         when /QFX\d+/i
-          return 'x86_64'  # QFX switches typically x86_64
-        when /^(x86_64|amd64|i386|arm64|aarch64|sparc|mips)$/i
-          return arch_value.downcase
+          'x86_64'  # QFX switches typically x86_64
         else
-          # Return the model as-is if we can't map it
-          return arch_value
+          # Default to x86_64 for unknown models
+          'x86_64'
         end
       end
+    end
 
-      nil
+    # Detect JunOS serial number from device output
+    # @return [String, nil] Serial number string or nil if not detected
+    # @note This runs safely after the connection is established
+    def detect_junos_serial
+      detect_attribute('junos_serial', 'show chassis hardware | display xml') { |output| extract_serial_from_xml(output) }
+    end
+
+    # Extract serial number from JunOS chassis hardware XML output
+    # @param output [String] XML output from 'show chassis hardware | display xml' command
+    # @return [String, nil] Serial number string or nil
+    def extract_serial_from_xml(output)
+      xpath_patterns = [
+        '//chassis/serial-number',
+        '//chassis-sub-module/serial-number',
+        '//module/serial-number[1]'
+      ]
+
+      extract_from_xml(output, xpath_patterns, 'show chassis hardware | display xml')
     end
   end
 end

data/lib/train-juniper/version.rb

@@ -8,6 +8,6 @@
 module TrainPlugins
   module Juniper
     # Version number of the train-juniper plugin
-    VERSION = '0.7.3'
+    VERSION = '0.8.0'
   end
 end

data/train-juniper.gemspec

@@ -62,7 +62,7 @@ Gem::Specification.new do |spec|
 
   # Community plugins typically use train-core for smaller footprint
   # train-core provides core functionality without cloud dependencies
-  spec.add_dependency 'train-core', '~> 3.12.13'
+  spec.add_dependency 'train-core', '~> 3.12', '>= 3.12.13'
 
   # SSH connectivity dependencies - match train-core's exact version range
   spec.add_dependency 'net-ssh', '>= 2.9', '< 8.0'

metadata

@@ -1,20 +1,23 @@
 --- !ruby/object:Gem::Specification
 name: train-juniper
 version: !ruby/object:Gem::Version
-  version: 0.7.3
+  version: 0.8.0
 platform: ruby
 authors:
 - MITRE Corporation
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-06-23 00:00:00.000000000 Z
+date: 2025-07-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train-core
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+    - - ">="
       - !ruby/object:Gem::Version
         version: 3.12.13
   type: :runtime
@@ -22,6 +25,9 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+    - - ">="
       - !ruby/object:Gem::Version
         version: 3.12.13
 - !ruby/object:Gem::Dependency
@@ -227,8 +233,10 @@ files:
 - lib/train-juniper/connection/bastion_proxy.rb
 - lib/train-juniper/connection/command_executor.rb
 - lib/train-juniper/connection/error_handling.rb
+- lib/train-juniper/connection/ssh_askpass.rb
 - lib/train-juniper/connection/ssh_session.rb
 - lib/train-juniper/connection/validation.rb
+- lib/train-juniper/connection/windows_proxy.rb
 - lib/train-juniper/constants.rb
 - lib/train-juniper/file_abstraction/juniper_file.rb
 - lib/train-juniper/helpers/environment.rb