train-juniper 0.7.4 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6da9bb07db2daaa3ca21d2fef18b0a200ff15597495dece758e0e509d10c13ad
-  data.tar.gz: 86e802113118c172748e2187e09db4c95c080f393dc083932a65386d19c82f3c
+  metadata.gz: b7571220250289d5866fa3074789e166f5000cde3b93a0174889e24d1a8ac335
+  data.tar.gz: 276162fb0254fc498b4ad562ba3377a1d0d2ba84faccd630eb67f084185798b8
 SHA512:
-  metadata.gz: 0137dee8f2547f0973d2e513491574e624f55a605993ca8e6211e1c84c77341fe840d45704903e25eaeacb6e043b1846556f2f124ee08863c591357e34c37ecb
-  data.tar.gz: ddd016a7cf4cc47d68e9e0f89283d874ea563abab20cc6f2e822d67658694bac3782d3cef0ef4f2a1976bfbf4b2a8652050ff87c9b9d13c18864a5c26a169482
+  metadata.gz: 3007c4a588b1024c1553cfa22f9d606628d335578438c4d78c927fb3fa4fe99fad50dcac50da6a184998934a913c218d40a51d6b54fcaaf575dc6b3df7e8ffa8
+  data.tar.gz: 8c52911377b95ef3e51a2e36c4e7b0cc9eaaf3ee9d3877af16f3fdb869e5929904d65bda70344ba049037f6a1cbc138bfd119b18e0d2785a864fd0819a177e7d

data/.env.example

@@ -1,16 +1,20 @@
-# Example .env file for Windows testing
-# Copy this to .env and fill in your actual values
+# Example environment configuration for train-juniper
+# Copy this file to .env and update with your values
 
-# Target Juniper device (behind bastion)
-JUNIPER_HOST=192.168.1.100
+# Direct connection to Juniper device
+JUNIPER_HOST=192.168.1.1
+JUNIPER_PORT=22
 JUNIPER_USER=admin
-JUNIPER_PASSWORD=device_password
+JUNIPER_PASSWORD=your-password-here
 
-# Bastion/Jump host
-BASTION_HOST=bastion.example.com
-BASTION_USER=jumpuser
-BASTION_PASSWORD=bastion_password
+# Optional: Connection timeout in seconds
+CONNECTION_TIMEOUT=60
 
-# Optional: Custom ports
-# JUNIPER_PORT=22
-# BASTION_PORT=22
+# Optional: Bastion/jump host configuration
+# Uncomment and configure if you need to connect through a bastion host
+# JUNIPER_BASTION_HOST=jump.example.com
+# JUNIPER_BASTION_USER=admin
+# JUNIPER_BASTION_PORT=22
+# JUNIPER_BASTION_PASSWORD=bastion-password-here
+
+# Note: If JUNIPER_BASTION_PASSWORD is not set, it will use JUNIPER_PASSWORD

data/CHANGELOG.md

@@ -5,6 +5,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.8.0] - 2025-07-04
+
+### Documentation
+
+- Update roadmap with v0.7.4 accomplishments and clear prioritization
+
+### Fixed
+
+- Resolve UUID warning and migrate to XML parsing ([#4](https://github.com/mitre/train-juniper/issues/4))
+
+### Refactor
+
+- Improve code quality based on deep review
+
+### Testing
+
+- Achieve 100% line coverage with cross-platform Windows plink test
+
 ## [0.7.4] - 2025-06-24
 
 ### Added
@@ -18,6 +36,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Add host key acceptance instructions and InSpec testing examples
 - Improve Windows documentation and standardize on inspec shell
 
+### Fixed
+
+- Clean up ENV in Windows plink test to prevent CI failures
+- Remove trailing whitespace to pass linting
+
 ### Miscellaneous Tasks
 
 - Fix linting issues in Windows test script

data/lib/train-juniper/connection/command_executor.rb

@@ -40,9 +40,9 @@ module TrainPlugins
           # Format JunOS result
           format_junos_result(output, safe_cmd)
         rescue StandardError => e
-          log_error(e, 'Command execution failed')
+          log_error(e, "Command execution failed for: #{safe_cmd}")
           # Handle connection errors gracefully
-          error_result(e.message)
+          error_result("#{e.message} (command: #{safe_cmd})")
           # :nocov:
         end
       end

data/lib/train-juniper/connection/ssh_session.rb

@@ -17,6 +17,9 @@ module TrainPlugins
 
       # Default SSH options for Juniper connections
       # @note verify_host_key is set to :never for network device compatibility
+      # Rationale: Network devices often regenerate SSH keys after firmware updates
+      # and operate in controlled environments where MITM attacks are mitigated by
+      # network segmentation. This matches standard network automation practices.
       SSH_DEFAULTS = {
         verify_host_key: :never
       }.freeze

data/lib/train-juniper/connection/windows_proxy.rb

@@ -30,7 +30,7 @@ module TrainPlugins
         parts << '-batch' # Non-interactive mode
         parts << '-ssh'   # Force SSH protocol (not telnet)
         parts << '-pw'
-        parts << (password.include?(' ') ? "\"#{password}\"" : password)
+        parts << Shellwords.escape(password)
 
         if port && port != 22
           parts << '-P'

data/lib/train-juniper/connection.rb

@@ -102,10 +102,10 @@ module TrainPlugins
         end
 
         @options[:keepalive] = true
-        @options[:keepalive_interval] = 60
+        @options[:keepalive_interval] = Constants::SSH_KEEPALIVE_INTERVAL
 
         # Setup logger
-        @logger = @options[:logger] || Logger.new(STDOUT, level: Logger::WARN)
+        @logger = @options[:logger] || Logger.new(STDOUT, level: Constants::DEFAULT_LOG_LEVEL)
 
         # JunOS CLI prompt patterns
         @cli_prompt = /[%>$#]\s*$/
@@ -187,6 +187,38 @@ module TrainPlugins
         false
       end
 
+      # Required by Train framework for node identification
+      # @return [String] URI that uniquely identifies this connection
+      # @example Direct connection
+      #   "juniper://admin@device.example.com:22"
+      # @example Bastion connection
+      #   "juniper://admin@device.example.com:22?via=jumpuser@bastion.example.com:2222"
+      def uri
+        base_uri = "juniper://#{@options[:user]}@#{@options[:host]}:#{@options[:port]}"
+
+        # Include bastion information if connecting through a jump host
+        if @options[:bastion_host]
+          bastion_user = @options[:bastion_user] || @options[:user]
+          bastion_port = @options[:bastion_port] || 22
+          bastion_info = "via=#{bastion_user}@#{@options[:bastion_host]}:#{bastion_port}"
+          "#{base_uri}?#{bastion_info}"
+        else
+          base_uri
+        end
+      end
+
+      # Optional method for better UUID generation using device-specific identifiers
+      # @return [String] Unique identifier for this device/connection
+      # @note Tries to get Juniper device serial number, falls back to hostname
+      def unique_identifier
+        # Don't attempt device detection in mock mode
+        return @options[:host] if @options[:mock]
+
+        # Use the platform module's serial detection which follows DRY principle
+        serial = detect_junos_serial
+        serial || @options[:host]
+      end
+
       # List of sensitive option keys to redact in logs
       SENSITIVE_OPTIONS = %i[password bastion_password key_files proxy_command].freeze
       private_constant :SENSITIVE_OPTIONS

data/lib/train-juniper/constants.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'logger'
+
 module TrainPlugins
   module Juniper
     # Common constants used across the plugin
@@ -9,6 +11,14 @@ module TrainPlugins
       DEFAULT_SSH_PORT = 22
       # @return [Range] Valid port range for SSH connections
       PORT_RANGE = (1..65_535)
+      # @return [Integer] SSH keepalive interval in seconds
+      SSH_KEEPALIVE_INTERVAL = 60
+      # @return [Integer] Maximum keepalive count before disconnect
+      SSH_KEEPALIVE_MAX_COUNT = 3
+
+      # Logging Configuration
+      # @return [Integer] Default log level
+      DEFAULT_LOG_LEVEL = Logger::WARN
 
       # Standard SSH Options for network devices
       STANDARD_SSH_OPTIONS = {

data/lib/train-juniper/helpers/mock_responses.rb

@@ -39,10 +39,56 @@ module TrainPlugins
         OUTPUT
       end
 
+      # Mock chassis hardware XML output
+      # @return [String] mock XML output for 'show chassis hardware | display xml' command
+      def self.mock_chassis_xml_output
+        <<~OUTPUT
+          <rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.1X47/junos">
+            <chassis-inventory xmlns="http://xml.juniper.net/junos/12.1X47/junos-chassis">
+              <chassis junos:style="inventory">
+                <name>Chassis</name>
+                <serial-number>JN123456</serial-number>
+                <description>SRX240H2</description>
+              </chassis>
+            </chassis-inventory>
+          </rpc-reply>
+        OUTPUT
+      end
+
+      # Mock version XML output
+      # @return [String] mock XML output for 'show version | display xml' command
+      def self.mock_version_xml_output
+        <<~OUTPUT
+          <rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.1X47/junos">
+            <software-information>
+              <host-name>lab-srx</host-name>
+              <product-model>SRX240H2</product-model>
+              <product-name>srx240h2</product-name>
+              <junos-version>12.1X47-D15.4</junos-version>
+            </software-information>
+          </rpc-reply>
+        OUTPUT
+      end
+
       # Get mock response for a command
       # @param cmd [String] the command to get response for
       # @return [Array<String, Integer>] tuple of [output, exit_status]
       def self.response_for(cmd)
+        # Check if command includes display modifiers
+        if cmd.include?('| display xml')
+          # Handle XML output requests
+          # Use simple string split to avoid ReDoS vulnerability
+          base_cmd = cmd.split('|').first.strip
+
+          case base_cmd
+          when 'show chassis hardware'
+            return [mock_chassis_xml_output, 0]
+          when 'show version'
+            return [mock_version_xml_output, 0]
+          end
+        end
+
+        # Standard text response handling
         response = RESPONSES.find { |pattern, _| cmd.match?(/#{pattern}/) }
 
         if response

data/lib/train-juniper/platform.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'rexml/document'
+
 # Platform definition file for Juniper network devices.
 # This defines the "juniper" platform within Train's platform detection system.
 
@@ -51,6 +53,33 @@ module TrainPlugins::Juniper
 
     private
 
+    # Generic XML extraction helper
+    # @param output [String] XML output from command
+    # @param xpath_patterns [Array<String>] XPath patterns to try in order
+    # @param command_desc [String] Description of command for error messages
+    # @yield [REXML::Element] Optional block to process the found element
+    # @return [String, nil] Extracted text or result of block processing
+    def extract_from_xml(output, xpath_patterns, command_desc)
+      return nil if output.nil? || output.empty?
+
+      doc = REXML::Document.new(output)
+
+      # Try each XPath pattern until we find an element
+      element = nil
+      xpath_patterns.each do |xpath|
+        element = doc.elements[xpath]
+        break if element
+      end
+
+      return nil unless element
+
+      # If block given, let it process the element, otherwise return text
+      block_given? ? yield(element) : element.text&.strip
+    rescue StandardError => e
+      logger&.warn("Failed to parse XML output from '#{command_desc}': #{e.message}")
+      nil
+    end
+
     # Generic detection helper for version and architecture
     # @param attribute_name [String] Name of the attribute to detect
     # @param command [String] Command to run (default: 'show version')
@@ -95,79 +124,77 @@ module TrainPlugins::Juniper
     # @return [String, nil] JunOS version string or nil if not detected
     # @note This runs safely after the connection is established
     def detect_junos_version
-      detect_attribute('junos_version') { |output| extract_version_from_output(output) }
+      detect_attribute('junos_version', 'show version | display xml') { |output| extract_version_from_xml(output) }
     end
 
-    # Extract version string from JunOS show version output
-    # @param output [String] Raw output from 'show version' command
+    # Extract version string from JunOS show version XML output
+    # @param output [String] XML output from 'show version | display xml' command
     # @return [String, nil] Extracted version string or nil
-    def extract_version_from_output(output)
-      return nil if output.nil? || output.empty?
-
-      # Try multiple JunOS version patterns
-      patterns = [
-        /Junos:\s+([\w\d.-]+)/,                           # "Junos: 12.1X47-D15.4"
-        /JUNOS Software Release \[([\w\d.-]+)\]/,         # "JUNOS Software Release [12.1X47-D15.4]"
-        /junos version ([\w\d.-]+)/i,                     # "junos version 21.4R3"
-        /Model: \S+, JUNOS Base OS boot \[([\w\d.-]+)\]/, # Some hardware variants
-        /([\d]+\.[\d]+[\w.-]*)/                           # Generic version pattern
+    def extract_version_from_xml(output)
+      xpath_patterns = [
+        '//junos-version',
+        '//package-information/name[text()="junos"]/following-sibling::comment',
+        '//software-information/version'
       ]
 
-      patterns.each do |pattern|
-        match = output.match(pattern)
-        return match[1] if match
-      end
-
-      nil
+      extract_from_xml(output, xpath_patterns, 'show version | display xml')
     end
 
     # Detect JunOS architecture from device output
     # @return [String, nil] Architecture string or nil if not detected
     # @note This runs safely after the connection is established
     def detect_junos_architecture
-      detect_attribute('junos_architecture') { |output| extract_architecture_from_output(output) }
+      detect_attribute('junos_architecture', 'show version | display xml') { |output| extract_architecture_from_xml(output) }
     end
 
-    # Extract architecture string from JunOS show version output
-    # @param output [String] Raw output from 'show version' command
+    # Extract architecture string from JunOS show version XML output
+    # @param output [String] XML output from 'show version | display xml' command
     # @return [String, nil] Architecture string (x86_64, arm64, etc.) or nil
-    def extract_architecture_from_output(output)
-      return nil if output.nil? || output.empty?
-
-      # Try multiple JunOS architecture patterns
-      patterns = [
-        /Model:\s+(\S+)/, # "Model: SRX240H2" -> extract model as arch indicator
-        /Junos:\s+[\w\d.-]+\s+built\s+[\d-]+\s+[\d:]+\s+by\s+builder\s+on\s+(\S+)/, # Build architecture
-        /JUNOS.*\[([\w-]+)\]/,                                 # JUNOS package architecture
-        /Architecture:\s+(\S+)/i,                              # Direct architecture line
-        /Platform:\s+(\S+)/i,                                  # Platform designation
-        /Processor.*:\s*(\S+)/i # Processor type
+    def extract_architecture_from_xml(output)
+      xpath_patterns = [
+        '//product-model',
+        '//software-information/product-model',
+        '//chassis-inventory/chassis/description'
       ]
 
-      patterns.each do |pattern|
-        match = output.match(pattern)
-        next unless match
+      extract_from_xml(output, xpath_patterns, 'show version | display xml') do |element|
+        model = element.text.strip
 
-        arch_value = match[1]
-        # Convert model names to architecture indicators
-        case arch_value
+        # Map model names to architecture
+        case model
         when /SRX\d+/i
-          return 'x86_64'  # Most SRX models are x86_64
+          'x86_64'  # Most SRX models are x86_64
         when /MX\d+/i
-          return 'x86_64'  # MX routers are typically x86_64
+          'x86_64'  # MX routers are typically x86_64
         when /EX\d+/i
-          return 'arm64'   # Many EX switches use ARM
+          'arm64'   # Many EX switches use ARM
         when /QFX\d+/i
-          return 'x86_64'  # QFX switches typically x86_64
-        when /^(x86_64|amd64|i386|arm64|aarch64|sparc|mips)$/i
-          return arch_value.downcase
+          'x86_64'  # QFX switches typically x86_64
         else
-          # Return the model as-is if we can't map it
-          return arch_value
+          # Default to x86_64 for unknown models
+          'x86_64'
         end
       end
+    end
 
-      nil
+    # Detect JunOS serial number from device output
+    # @return [String, nil] Serial number string or nil if not detected
+    # @note This runs safely after the connection is established
+    def detect_junos_serial
+      detect_attribute('junos_serial', 'show chassis hardware | display xml') { |output| extract_serial_from_xml(output) }
+    end
+
+    # Extract serial number from JunOS chassis hardware XML output
+    # @param output [String] XML output from 'show chassis hardware | display xml' command
+    # @return [String, nil] Serial number string or nil
+    def extract_serial_from_xml(output)
+      xpath_patterns = [
+        '//chassis/serial-number',
+        '//chassis-sub-module/serial-number',
+        '//module/serial-number[1]'
+      ]
+
+      extract_from_xml(output, xpath_patterns, 'show chassis hardware | display xml')
     end
   end
 end

data/lib/train-juniper/version.rb

@@ -8,6 +8,6 @@
 module TrainPlugins
   module Juniper
     # Version number of the train-juniper plugin
-    VERSION = '0.7.4'
+    VERSION = '0.8.0'
   end
 end

data/train-juniper.gemspec

@@ -62,7 +62,7 @@ Gem::Specification.new do |spec|
 
   # Community plugins typically use train-core for smaller footprint
   # train-core provides core functionality without cloud dependencies
-  spec.add_dependency 'train-core', '~> 3.12.13'
+  spec.add_dependency 'train-core', '~> 3.12', '>= 3.12.13'
 
   # SSH connectivity dependencies - match train-core's exact version range
   spec.add_dependency 'net-ssh', '>= 2.9', '< 8.0'

metadata

@@ -1,20 +1,23 @@
 --- !ruby/object:Gem::Specification
 name: train-juniper
 version: !ruby/object:Gem::Version
-  version: 0.7.4
+  version: 0.8.0
 platform: ruby
 authors:
 - MITRE Corporation
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-06-24 00:00:00.000000000 Z
+date: 2025-07-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train-core
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+    - - ">="
       - !ruby/object:Gem::Version
         version: 3.12.13
   type: :runtime
@@ -22,6 +25,9 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+    - - ">="
       - !ruby/object:Gem::Version
         version: 3.12.13
 - !ruby/object:Gem::Dependency