Class: Bolt::Transport::SSH::Connection

Inherits:
Bolt::Transport::Sudoable::Connection show all
Defined in:
lib/bolt/transport/ssh/connection.rb

Constant Summary collapse

PAGEANT_NAME =
"Pageant\0".encode(Encoding::UTF_16LE)

Instance Attribute Summary collapse

Instance Method Summary collapse

Methods inherited from Bolt::Transport::Sudoable::Connection

#build_sudoable_command_str, #inject_interpreter, #make_executable, #make_tempdir, #prepend_sudo_success, #run_as, #running_as, #with_tempdir, #write_executable

Constructor Details

#initialize(target, transport_logger) ⇒ Connection

Returns a new instance of Connection.



17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# File 'lib/bolt/transport/ssh/connection.rb', line 17

def initialize(target, transport_logger)
  # lazy-load expensive gem code
  require 'net/ssh'
  require 'net/ssh/proxy/jump'

  raise Bolt::ValidationError, "Target #{target.safe_name} does not have a host" unless target.host
  @sudo_id = SecureRandom.uuid

  @target = target
  @load_config = target.options['load-config']

  ssh_config = @load_config ? Net::SSH::Config.for(target.host) : {}
  @user = @target.user || ssh_config[:user] || Etc.getlogin
  @run_as = nil
  @strict_host_key_checking = ssh_config[:strict_host_key_checking]

  @logger = Logging.logger[@target.safe_name]
  @transport_logger = transport_logger
  @logger.debug("Initializing ssh connection to #{@target.safe_name}")

  @sudo_password = @target.options['sudo-password']
  # rubocop:disable Style/GlobalVars
  @sudo_password ||= @target.options['password'] if $future
  # rubocop:enable Style/GlobalVars

  if target.options['private-key']&.instance_of?(String)
    begin
      Bolt::Util.validate_file('ssh key', target.options['private-key'])
    rescue Bolt::FileError => e
      @logger.warn(e.msg)
    end
  end
end

Instance Attribute Details

#loggerObject (readonly)

Returns the value of attribute logger.



14
15
16
# File 'lib/bolt/transport/ssh/connection.rb', line 14

def logger
  @logger
end

#run_as=(value) ⇒ Object (writeonly)

Sets the attribute run_as

Parameters:

  • value

    the value to set the attribute run_as to.



15
16
17
# File 'lib/bolt/transport/ssh/connection.rb', line 15

def run_as=(value)
  @run_as = value
end

#targetObject (readonly)

Returns the value of attribute target.



14
15
16
# File 'lib/bolt/transport/ssh/connection.rb', line 14

def target
  @target
end

#userObject (readonly)

Returns the value of attribute user.



14
15
16
# File 'lib/bolt/transport/ssh/connection.rb', line 14

def user
  @user
end

Instance Method Details

#connectObject



53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
# File 'lib/bolt/transport/ssh/connection.rb', line 53

def connect
  options = {
    logger: @transport_logger,
    non_interactive: true
  }

  if (key = target.options['private-key'])
    if key.instance_of?(String)
      options[:keys] = key
    else
      options[:key_data] = [key['key-data']]
    end
  end

  options[:port] = target.port if target.port
  options[:password] = target.password if target.password
  # Support both net-ssh 4 and 5. We use 5 in packaging, but Beaker pins to 4 so we
  # want the gem to be compatible with version 4.
  options[:verify_host_key] = if target.options['host-key-check'].nil?
                                # Fall back to SSH behavior. This variable will only be set in net-ssh 5.3+.
                                if @strict_host_key_checking.nil? || @strict_host_key_checking
                                  net_ssh_verifier(:always)
                                else
                                  # SSH's behavior with StrictHostKeyChecking=no: adds new keys to known_hosts.
                                  # If known_hosts points to /dev/null, then equivalent to :never where it
                                  # accepts any key beacuse they're all new.
                                  net_ssh_verifier(:accept_new_or_tunnel_local)
                                end
                              elsif target.options['host-key-check']
                                net_ssh_verifier(:always)
                              else
                                net_ssh_verifier(:never)
                              end
  options[:timeout] = target.options['connect-timeout'] if target.options['connect-timeout']

  options[:proxy] = Net::SSH::Proxy::Jump.new(target.options['proxyjump']) if target.options['proxyjump']

  # This option was to address discrepency betwen net-ssh host-key-check and ssh(1)
  # For the net-ssh 5.x series it defaults to true, in 6.x it will default to false, and will be removed in 7.x
  # https://github.com/net-ssh/net-ssh/pull/663#issuecomment-469979931
  options[:check_host_ip] = false if Net::SSH::VALID_OPTIONS.include?(:check_host_ip)

  if @load_config
    # Mirroring:
    # https://github.com/net-ssh/net-ssh/blob/master/lib/net/ssh/authentication/agent.rb#L80
    # https://github.com/net-ssh/net-ssh/blob/master/lib/net/ssh/authentication/pageant.rb#L403
    if defined?(UNIXSocket) && UNIXSocket
      if ENV['SSH_AUTH_SOCK'].to_s.empty?
        @logger.debug { "Disabling use_agent in net-ssh: ssh-agent is not available" }
        options[:use_agent] = false
      end
    elsif Bolt::Util.windows?
      require 'Win32API' # case matters in this require!
      # https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-findwindoww
      @find_window ||= Win32API.new('user32', 'FindWindowW', %w[P P], 'L')
      if @find_window.call(nil, PAGEANT_NAME).to_i == 0
        @logger.debug { "Disabling use_agent in net-ssh: pageant process not running" }
        options[:use_agent] = false
      end
    end
  else
    # Disable ssh config and ssh-agent if requested via load_config
    options[:config] = false
    options[:use_agent] = false
  end

  @session = Net::SSH.start(target.host, @user, options)
  @logger.debug { "Opened session" }
rescue Net::SSH::AuthenticationFailed => e
  raise Bolt::Node::ConnectError.new(
    e.message,
    'AUTH_ERROR'
  )
rescue Net::SSH::HostKeyError => e
  raise Bolt::Node::ConnectError.new(
    "Host key verification failed for #{target.safe_name}: #{e.message}",
    'HOST_KEY_ERROR'
  )
rescue Net::SSH::ConnectionTimeout
  raise Bolt::Node::ConnectError.new(
    "Timeout after #{target.options['connect-timeout']} seconds connecting to #{target.safe_name}",
    'CONNECT_ERROR'
  )
rescue StandardError => e
  raise Bolt::Node::ConnectError.new(
    "Failed to connect to #{target.safe_name}: #{e.message}",
    'CONNECT_ERROR'
  )
end

#copy_file(source, destination) ⇒ Object



269
270
271
272
273
274
275
# File 'lib/bolt/transport/ssh/connection.rb', line 269

def copy_file(source, destination)
  # Do not log wrapper script content
  @logger.debug { "Uploading #{source}, to #{destination}" } unless source.is_a?(StringIO)
  @session.scp.upload!(source, destination, recursive: true)
rescue StandardError => e
  raise Bolt::Node::FileError.new(e.message, 'WRITE_ERROR')
end

#disconnectObject



143
144
145
146
147
148
149
150
151
152
# File 'lib/bolt/transport/ssh/connection.rb', line 143

def disconnect
  if @session && !@session.closed?
    begin
      Timeout.timeout(@target.options['disconnect-timeout']) { @session.close }
    rescue Timeout::Error
      @session.shutdown!
    end
    @logger.debug { "Closed session" }
  end
end

#execute(command, sudoable: false, **options) ⇒ Object



190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
# File 'lib/bolt/transport/ssh/connection.rb', line 190

def execute(command, sudoable: false, **options)
  result_output = Bolt::Node::Output.new
  run_as = options[:run_as] || self.run_as
  escalate = sudoable && run_as && @user != run_as
  use_sudo = escalate && @target.options['run-as-command'].nil?

  command_str = inject_interpreter(options[:interpreter], command)
  if escalate
    if use_sudo
      sudo_exec = target.options['sudo-executable'] || "sudo"
      sudo_flags = [sudo_exec, "-S", "-u", run_as, "-p", Sudoable.sudo_prompt]
      sudo_flags += ["-E"] if options[:environment]
      sudo_str = Shellwords.shelljoin(sudo_flags)
    else
      sudo_str = Shellwords.shelljoin(@target.options['run-as-command'] + [run_as])
    end
    command_str = build_sudoable_command_str(command_str, sudo_str, @sudo_id, options)
  end

  # Including the environment declarations in the shelljoin will escape
  # the = sign, so we have to handle them separately.
  if options[:environment]
    env_decls = options[:environment].map do |env, val|
      "#{env}=#{Shellwords.shellescape(val)}"
    end
    command_str = "#{env_decls.join(' ')} #{command_str}"
  end

  @logger.debug { "Executing: #{command_str}" }

  session_channel = @session.open_channel do |channel|
    # Request a pseudo tty
    channel.request_pty if target.options['tty']

    channel.exec(command_str) do |_, success|
      unless success
        raise Bolt::Node::ConnectError.new(
          "Could not execute command: #{command_str.inspect}",
          'EXEC_ERROR'
        )
      end

      channel.on_data do |_, data|
        unless use_sudo && handled_sudo(channel, data, options[:stdin])
          result_output.stdout << data
        end
        @logger.debug { "stdout: #{data.strip}" }
      end

      channel.on_extended_data do |_, _, data|
        unless use_sudo && handled_sudo(channel, data, options[:stdin])
          result_output.stderr << data
        end
        @logger.debug { "stderr: #{data.strip}" }
      end

      channel.on_request("exit-status") do |_, data|
        result_output.exit_code = data.read_long
      end
      # A wrapper is used to direct stdin when elevating privilage or using tty
      if options[:stdin] && !use_sudo && !options[:wrapper]
        channel.send_data(options[:stdin])
        channel.eof!
      end
    end
  end
  session_channel.wait

  if result_output.exit_code == 0
    @logger.debug { "Command returned successfully" }
  else
    @logger.info { "Command failed with exit code #{result_output.exit_code}" }
  end
  result_output
rescue StandardError
  @logger.debug { "Command aborted" }
  raise
end

#handled_sudo(channel, data, stdin) ⇒ Object



154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
# File 'lib/bolt/transport/ssh/connection.rb', line 154

def handled_sudo(channel, data, stdin)
  if data.lines.include?(Sudoable.sudo_prompt)
    if @sudo_password
      channel.send_data("#{@sudo_password}\n")
      channel.wait
      return true
    else
      # Cancel the sudo prompt to prevent later commands getting stuck
      channel.close
      raise Bolt::Node::EscalateError.new(
        "Sudo password for user #{@user} was not provided for #{target.safe_name}",
        'NO_PASSWORD'
      )
    end
  elsif data =~ /^#{@sudo_id}/
    if stdin
      channel.send_data(stdin)
      channel.eof!
    end
    return true
  elsif data =~ /^#{@user} is not in the sudoers file\./
    @logger.debug { data }
    raise Bolt::Node::EscalateError.new(
      "User #{@user} does not have sudo permission on #{target.safe_name}",
      'SUDO_DENIED'
    )
  elsif data =~ /^Sorry, try again\./
    @logger.debug { data }
    raise Bolt::Node::EscalateError.new(
      "Sudo password for user #{@user} not recognized on #{target.safe_name}",
      'BAD_PASSWORD'
    )
  end
  false
end

#net_ssh_verifier(verifier) ⇒ Object

This handles renaming Net::SSH verifiers between version 4.x and 5.x of the gem



279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
# File 'lib/bolt/transport/ssh/connection.rb', line 279

def net_ssh_verifier(verifier)
  case verifier
  when :always
    if defined?(Net::SSH::Verifiers::Always)
      Net::SSH::Verifiers::Always.new
    else
      Net::SSH::Verifiers::Secure.new
    end
  when :never
    if defined?(Net::SSH::Verifiers::Never)
      Net::SSH::Verifiers::Never.new
    else
      Net::SSH::Verifiers::Null.new
    end
  when :accept_new_or_tunnel_local
    if defined?(Net::SSH::Verifiers::AcceptNewOrLocalTunnel)
      Net::SSH::Verifiers::AcceptNewOrLocalTunnel.new
    else
      Net::SSH::Verifiers::Lenient.new
    end
  end
end