train 3.2.14 → 3.2.20

data/lib/train/transports/ssh.rb

@@ -1,271 +0,0 @@
-# encoding: utf-8
-#
-# Author:: Fletcher Nichol (<fnichol@nichol.ca>)
-# Author:: Dominik Richter (<dominik.richter@gmail.com>)
-# Author:: Christoph Hartmann (<chris@lollyrock.com>)
-#
-# Copyright (C) 2014, Fletcher Nichol
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require "net/ssh"
-require "net/scp"
-require_relative "../errors"
-
-module Train::Transports
-  # Wrapped exception for any internally raised SSH-related errors.
-  #
-  # @author Fletcher Nichol <fnichol@nichol.ca>
-  class SSHFailed < Train::TransportError; end
-  class SSHPTYFailed < Train::TransportError; end
-
-  # A Transport which uses the SSH protocol to execute commands and transfer
-  # files.
-  #
-  # @author Fletcher Nichol <fnichol@nichol.ca>
-  class SSH < Train.plugin(1) # rubocop:disable Metrics/ClassLength
-    name "ssh"
-
-    require_relative "ssh_connection"
-    require_relative "cisco_ios_connection"
-
-    # add options for submodules
-    include_options Train::Extras::CommandWrapper
-
-    # common target configuration
-    option :host,      required: true
-    option :port,      default: 22, required: true
-    option :user,      default: "root", required: true
-    option :key_files, default: nil
-    option :password,  default: nil
-
-    # additional ssh options
-    option :keepalive, default: true
-    option :keepalive_interval, default: 60
-    option :connection_timeout, default: 15
-    option :connection_retries, default: 5
-    option :connection_retry_sleep, default: 1
-    option :max_wait_until_ready, default: 600
-    option :compression, default: false
-    option :pty, default: false
-    option :proxy_command, default: nil
-    option :bastion_host, default: nil
-    option :bastion_user, default: "root"
-    option :bastion_port, default: 22
-    option :non_interactive, default: false
-    option :verify_host_key, default: false
-
-    option :compression_level do |opts|
-      # on nil or false: set compression level to 0
-      opts[:compression] ? 6 : 0
-    end
-
-    # (see Base#connection)
-    def connection(state = {}, &block)
-      opts = merge_options(options, state || {})
-      validate_options(opts)
-      conn_opts = connection_options(opts)
-
-      if defined?(@connection) && @connection_options == conn_opts
-        reuse_connection(&block)
-      else
-        create_new_connection(conn_opts, &block)
-      end
-    end
-
-    private
-
-    def validate_options(options)
-      super(options)
-
-      key_files = Array(options[:key_files])
-      options[:auth_methods] ||= ["none"]
-
-      unless key_files.empty?
-        options[:auth_methods].push("publickey")
-        options[:keys_only] = true if options[:password].nil?
-        options[:key_files] = key_files
-      end
-
-      unless options[:password].nil?
-        options[:auth_methods].push("password", "keyboard-interactive")
-      end
-
-      if options[:auth_methods] == ["none"]
-        if ssh_known_identities.empty?
-          raise Train::ClientError.new(
-            "Your SSH Agent has no keys added, and you have not specified a password or a key file",
-            :no_ssh_password_or_key_available
-          )
-        else
-          logger.debug("[SSH] Using Agent keys as no password or key file have been specified")
-          options[:auth_methods].push("publickey")
-        end
-      end
-
-      if options[:pty]
-        logger.warn("[SSH] PTY requested: stderr will be merged into stdout")
-      end
-
-      if [options[:proxy_command], options[:bastion_host]].all? { |type| !type.nil? }
-        raise Train::ClientError, "Only one of proxy_command or bastion_host needs to be specified"
-      end
-
-      super
-      self
-    end
-
-    # Creates an SSH Authentication KeyManager instance and saves it for
-    # potential future reuse.
-    #
-    # @return [Hash] hash of SSH Known Identities
-    # @api private
-    def ssh_known_identities
-      # Force KeyManager to load the key(s)
-      @manager ||= Net::SSH::Authentication::KeyManager.new(nil).each_identity {}
-      @manager.known_identities
-    end
-
-    # Builds the hash of options needed by the Connection object on
-    # construction.
-    #
-    # @param opts [Hash] merged configuration and mutable state data
-    # @return [Hash] hash of connection options
-    # @api private
-    def connection_options(opts)
-      connection_options = {
-        logger: logger,
-        user_known_hosts_file: "/dev/null",
-        hostname: opts[:host],
-        port: opts[:port],
-        username: opts[:user],
-        compression: opts[:compression],
-        compression_level: opts[:compression_level],
-        keepalive: opts[:keepalive],
-        keepalive_interval: opts[:keepalive_interval],
-        timeout: opts[:connection_timeout],
-        connection_retries: opts[:connection_retries],
-        connection_retry_sleep: opts[:connection_retry_sleep],
-        max_wait_until_ready: opts[:max_wait_until_ready],
-        auth_methods: opts[:auth_methods],
-        keys_only: opts[:keys_only],
-        keys: opts[:key_files],
-        password: opts[:password],
-        forward_agent: opts[:forward_agent],
-        proxy_command: opts[:proxy_command],
-        bastion_host: opts[:bastion_host],
-        bastion_user: opts[:bastion_user],
-        bastion_port: opts[:bastion_port],
-        non_interactive: opts[:non_interactive],
-        transport_options: opts,
-      }
-      # disable host key verification. The hash key and value to use
-      # depends on the version of net-ssh in use.
-      connection_options[verify_host_key_option] = verify_host_key_value(opts[:verify_host_key])
-
-      connection_options
-    end
-
-    #
-    # Returns the correct host-key-verification option key to use depending
-    # on what version of net-ssh is in use. In net-ssh <= 4.1, the supported
-    # parameter is `paranoid` but in 4.2, it became `verify_host_key`
-    #
-    # `verify_host_key` does not work in <= 4.1, and `paranoid` throws
-    # deprecation warnings in >= 4.2.
-    #
-    # While the "right thing" to do would be to pin train's dependency on
-    # net-ssh to ~> 4.2, this will prevent InSpec from being used in
-    # Chef v12 because of it pinning to a v3 of net-ssh.
-    #
-    def verify_host_key_option
-      current_net_ssh = Net::SSH::Version::CURRENT
-      new_option_version = Net::SSH::Version[4, 2, 0]
-
-      current_net_ssh >= new_option_version ? :verify_host_key : :paranoid
-    end
-
-    # Likewise, version <5 accepted false; 5+ requires :never or will
-    # issue a deprecation warning. This method allows a lot of common
-    # things through.
-    def verify_host_key_value(given)
-      current_net_ssh = Net::SSH::Version::CURRENT
-      new_value_version = Net::SSH::Version[5, 0, 0]
-      if current_net_ssh >= new_value_version
-        # 5.0+ style
-        {
-          # It's not a boolean anymore.
-          "true" => :always,
-          "false" => :never,
-          true => :always,
-          false => :never,
-          # May be correct value, but strings from JSON config
-          "always" => :always,
-          "never" => :never,
-          nil => :never,
-        }.fetch(given, given)
-      else
-        # up to 4.2 style
-        {
-          "true" => true,
-          "false" => false,
-          nil => false,
-        }.fetch(given, given)
-      end
-    end
-
-    # Creates a new SSH Connection instance and save it for potential future
-    # reuse.
-    #
-    # @param options [Hash] conneciton options
-    # @return [Ssh::Connection] an SSH Connection instance
-    # @api private
-    def create_new_connection(options, &block)
-      if defined?(@connection)
-        logger.debug("[SSH] shutting previous connection #{@connection}")
-        @connection.close
-      end
-
-      @connection_options = options
-      conn = Connection.new(options, &block)
-
-      # Cisco IOS requires a special implementation of `Net:SSH`. This uses the
-      # SSH transport to identify the platform, but then replaces SSHConnection
-      # with a CiscoIOSConnection in order to behave as expected for the user.
-      if defined?(conn.platform.cisco_ios?) && conn.platform.cisco_ios?
-        ios_options = {}
-        ios_options[:host] = @options[:host]
-        ios_options[:user] = @options[:user]
-        # The enable password is used to elevate privileges on Cisco devices
-        # We will also support the sudo password field for the same purpose
-        # for the interim. # TODO
-        ios_options[:enable_password] = @options[:enable_password] || @options[:sudo_password]
-        ios_options[:logger] = @options[:logger]
-        ios_options.merge!(@connection_options)
-        conn = CiscoIOSConnection.new(ios_options)
-      end
-
-      @connection = conn unless conn.nil?
-    end
-
-    # Return the last saved SSH connection instance.
-    #
-    # @return [Ssh::Connection] an SSH Connection instance
-    # @api private
-    def reuse_connection
-      logger.debug("[SSH] reusing existing connection #{@connection}")
-      yield @connection if block_given?
-      @connection
-    end
-  end
-end

data/lib/train/transports/ssh_connection.rb

@@ -1,342 +0,0 @@
-# encoding: utf-8
-#
-# Author:: Fletcher Nichol (<fnichol@nichol.ca>)
-# Author:: Dominik Richter (<dominik.richter@gmail.com>)
-# Author:: Christoph Hartmann (<chris@lollyrock.com>)
-#
-# Copyright (C) 2014, Fletcher Nichol
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require "net/ssh"
-require "net/scp"
-require "timeout"
-
-class Train::Transports::SSH
-  # A Connection instance can be generated and re-generated, given new
-  # connection details such as connection port, hostname, credentials, etc.
-  # This object is responsible for carrying out the actions on the remote
-  # host such as executing commands, transferring files, etc.
-  #
-  # @author Fletcher Nichol <fnichol@nichol.ca>
-  class Connection < BaseConnection # rubocop:disable Metrics/ClassLength
-    attr_reader :hostname
-    attr_reader :transport_options
-
-    def initialize(options)
-      # Track IOS command retries to prevent infinite loop on IOError. This must
-      # be done before `super()` because the parent runs detection commands.
-      @ios_cmd_retries = 0
-
-      super(options)
-
-      @session                = nil
-      @username               = @options.delete(:username)
-      @hostname               = @options.delete(:hostname)
-      @port                   = @options[:port] # don't delete from options
-      @connection_retries     = @options.delete(:connection_retries)
-      @connection_retry_sleep = @options.delete(:connection_retry_sleep)
-      @max_wait_until_ready   = @options.delete(:max_wait_until_ready)
-      @max_ssh_sessions       = @options.delete(:max_ssh_connections) { 9 }
-      @transport_options      = @options.delete(:transport_options)
-      @proxy_command          = @options.delete(:proxy_command)
-      @bastion_host           = @options.delete(:bastion_host)
-      @bastion_user           = @options.delete(:bastion_user)
-      @bastion_port           = @options.delete(:bastion_port)
-
-      @cmd_wrapper            = CommandWrapper.load(self, @transport_options)
-    end
-
-    # (see Base::Connection#close)
-    def close
-      return if @session.nil?
-
-      logger.debug("[SSH] closing connection to #{self}")
-      session.close
-    ensure
-      @session = nil
-    end
-
-    def ssh_opts
-      level = logger.debug? ? "VERBOSE" : "ERROR"
-      fwd_agent = options[:forward_agent] ? "yes" : "no"
-
-      args  = %w{ -o UserKnownHostsFile=/dev/null }
-      args += %w{ -o StrictHostKeyChecking=no }
-      args += %w{ -o IdentitiesOnly=yes }        if options[:keys]
-      args += %w{ -o BatchMode=yes }             if options[:non_interactive]
-      args += %W{ -o LogLevel=#{level} }
-      args += %W{ -o ForwardAgent=#{fwd_agent} } if options.key?(:forward_agent)
-      Array(options[:keys]).each do |ssh_key|
-        args += %W{ -i #{ssh_key} }
-      end
-      args
-    end
-
-    def check_proxy
-      [@proxy_command, @bastion_host].any? { |type| !type.nil? }
-    end
-
-    def generate_proxy_command
-      return @proxy_command unless @proxy_command.nil?
-
-      args = %w{ ssh }
-      args += ssh_opts
-      args += %W{ #{@bastion_user}@#{@bastion_host} }
-      args += %W{ -p #{@bastion_port} }
-      args += %w{ -W %h:%p }
-      args.join(" ")
-    end
-
-    # (see Base::Connection#login_command)
-    def login_command
-      args = ssh_opts
-      args += %W{ -o ProxyCommand='#{generate_proxy_command}' } if check_proxy
-      args += %W{ -p #{@port} }
-      args += %W{ #{@username}@#{@hostname} }
-      LoginCommand.new("ssh", args)
-    end
-
-    # (see Base::Connection#upload)
-    def upload(locals, remote)
-      waits = []
-      Array(locals).each do |local|
-        opts = File.directory?(local) ? { recursive: true } : {}
-
-        waits.push session.scp.upload(local, remote, opts) do |_ch, name, sent, total|
-          logger.debug("Uploaded #{name} (#{total} bytes)") if sent == total
-        end
-        waits.shift.wait while waits.length >= @max_ssh_sessions
-      end
-      waits.each(&:wait)
-    rescue Net::SSH::Exception => ex
-      raise Train::Transports::SSHFailed, "SCP upload failed (#{ex.message})"
-    end
-
-    def download(remotes, local)
-      waits = []
-      Array(remotes).map do |remote|
-        opts = file(remote).directory? ? { recursive: true } : {}
-        waits.push session.scp.download(remote, local, opts) do |_ch, name, recv, total|
-          logger.debug("Downloaded #{name} (#{total} bytes)") if recv == total
-        end
-        waits.shift.wait while waits.length >= @max_ssh_sessions
-      end
-      waits.each(&:wait)
-    rescue Net::SSH::Exception => ex
-      raise Train::Transports::SSHFailed, "SCP download failed (#{ex.message})"
-    end
-
-    # (see Base::Connection#wait_until_ready)
-    def wait_until_ready
-      delay = 3
-      session(
-        retries: @max_wait_until_ready / delay,
-        delay:   delay,
-        message: "Waiting for SSH service on #{@hostname}:#{@port}, " \
-                 "retrying in #{delay} seconds"
-      )
-      run_command(PING_COMMAND.dup)
-    end
-
-    def uri
-      "ssh://#{@username}@#{@hostname}:#{@port}"
-    end
-
-    # remote_port_forwarding
-    def forward_remote(port, host, remote_port, remote_host = "127.0.0.1")
-      @session.forward.remote(port, host, remote_port, remote_host)
-    end
-
-    def obscured_options
-      options_to_print = @options.clone
-      options_to_print[:password] = "<hidden>" if options_to_print.key?(:password)
-      options_to_print
-    end
-
-    def with_sudo_pty
-      old_pty = transport_options[:pty]
-      transport_options[:pty] = true if @sudo
-
-      yield
-    ensure
-      transport_options[:pty] = old_pty
-    end
-
-    private
-
-    PING_COMMAND = "echo '[SSH] Established'".freeze
-
-    RESCUE_EXCEPTIONS_ON_ESTABLISH = [
-      Errno::EACCES, Errno::EADDRINUSE, Errno::ECONNREFUSED, Errno::ETIMEDOUT,
-      Errno::ECONNRESET, Errno::ENETUNREACH, Errno::EHOSTUNREACH, Errno::EPIPE,
-      Net::SSH::Disconnect, Net::SSH::AuthenticationFailed, Net::SSH::ConnectionTimeout,
-      Timeout::Error
-    ].freeze
-
-    # Establish an SSH session on the remote host.
-    #
-    # @param opts [Hash] retry options
-    # @option opts [Integer] :retries the number of times to retry before
-    #   failing
-    # @option opts [Float] :delay the number of seconds to wait until
-    #   attempting a retry
-    # @option opts [String] :message an optional message to be logged on
-    #   debug (overriding the default) when a rescuable exception is raised
-    # @return [Net::SSH::Connection::Session] the SSH connection session
-    # @api private
-    def establish_connection(opts)
-      logger.debug("[SSH] opening connection to #{self}")
-      logger.debug("[SSH] using options %p" % [obscured_options])
-      if check_proxy
-        require "net/ssh/proxy/command"
-        @options[:proxy] = Net::SSH::Proxy::Command.new(generate_proxy_command)
-      end
-      Net::SSH.start(@hostname, @username, @options.clone.delete_if { |_key, value| value.nil? })
-    rescue *RESCUE_EXCEPTIONS_ON_ESTABLISH => e
-      if (opts[:retries] -= 1) <= 0
-        logger.warn("[SSH] connection failed, terminating (#{e.inspect})")
-        raise Train::Transports::SSHFailed, "SSH session could not be established"
-      end
-
-      if opts[:message]
-        logger.debug("[SSH] connection failed (#{e.inspect})")
-        message = opts[:message]
-      else
-        message = "[SSH] connection failed, retrying in #{opts[:delay]}"\
-                  " seconds (#{e.inspect})"
-      end
-      logger.info(message)
-
-      sleep(opts[:delay])
-      retry
-    end
-
-    def file_via_connection(path, *args)
-      if os.aix?
-        Train::File::Remote::Aix.new(self, path, *args)
-      elsif os.solaris?
-        Train::File::Remote::Unix.new(self, path, *args)
-      elsif os[:name] == "qnx"
-        Train::File::Remote::Qnx.new(self, path, *args)
-      elsif os.windows?
-        Train::File::Remote::Windows.new(self, path, *args)
-      else
-        Train::File::Remote::Linux.new(self, path, *args)
-      end
-    end
-
-    def run_command_via_connection(cmd, &data_handler)
-      cmd.dup.force_encoding("binary") if cmd.respond_to?(:force_encoding)
-
-      reset_session if session.closed?
-
-      exit_status, stdout, stderr = execute_on_channel(cmd, &data_handler)
-
-      # Since `@session.loop` succeeded, reset the IOS command retry counter
-      @ios_cmd_retries = 0
-
-      CommandResult.new(stdout, stderr, exit_status)
-    rescue Net::SSH::Exception => ex
-      raise Train::Transports::SSHFailed, "SSH command failed (#{ex.message})"
-    rescue IOError
-      # Cisco IOS occasionally closes the stream prematurely while we are
-      # running commands to detect if we need to switch to the Cisco IOS
-      # transport. This retries the command if this is the case.
-      # See:
-      #  https://github.com/inspec/train/pull/271
-      logger.debug("[SSH] Possible Cisco IOS race condition, retrying command")
-
-      # Only attempt retry up to 5 times to avoid infinite loop
-      @ios_cmd_retries += 1
-      raise if @ios_cmd_retries >= 5
-
-      retry
-    end
-
-    # Returns a connection session, or establishes one when invoked the
-    # first time.
-    #
-    # @param retry_options [Hash] retry options for the initial connection
-    # @return [Net::SSH::Connection::Session] the SSH connection session
-    # @api private
-    def session(retry_options = {})
-      @session ||= establish_connection({
-        retries: @connection_retries.to_i,
-        delay: @connection_retry_sleep.to_i,
-      }.merge(retry_options))
-    end
-
-    def reset_session
-      @session = nil
-    end
-
-    # String representation of object, reporting its connection details and
-    # configuration.
-    #
-    # @api private
-    def to_s
-      "#{@username}@#{@hostname}"
-    end
-
-    # Given a channel and a command string, it will execute the command on the channel
-    # and accumulate results in  @stdout/@stderr.
-    #
-    # @param channel [Net::SSH::Connection::Channel] an open ssh channel
-    # @param cmd [String] the command to execute
-    # @return [Integer] exit status or nil if exit-status/exit-signal requests
-    #         not received.
-    #
-    # @api private
-    def execute_on_channel(cmd)
-      stdout = ""
-      stderr = ""
-      exit_status = nil
-      session.open_channel do |channel|
-        # wrap commands if that is configured
-        cmd = @cmd_wrapper.run(cmd) if @cmd_wrapper
-
-        logger.debug("[SSH] #{self} cmd = #{cmd}")
-
-        if @transport_options[:pty]
-          channel.request_pty do |_ch, success|
-            raise Train::Transports::SSHPTYFailed, "Requesting PTY failed" unless success
-          end
-        end
-
-        channel.exec(cmd) do |_, success|
-          abort "Couldn't execute command on SSH." unless success
-          channel.on_data do |_, data|
-            yield(data) if block_given?
-            stdout += data
-          end
-
-          channel.on_extended_data do |_, _type, data|
-            yield(data) if block_given?
-            stderr += data
-          end
-
-          channel.on_request("exit-status") do |_, data|
-            exit_status = data.read_long
-          end
-
-          channel.on_request("exit-signal") do |_, data|
-            exit_status = data.read_long
-          end
-        end
-      end
-      session.loop
-      [exit_status, stdout, stderr]
-    end
-  end
-end