Class: Bolt::Transport::SSH::Connection

Inherits:

Object

• Object
• Bolt::Transport::SSH::Connection

Defined in:

lib/bolt/transport/ssh/connection.rb

Instance Attribute Summary

• #logger ⇒ Object readonly

  Returns the value of attribute logger.

• #target ⇒ Object readonly

  Returns the value of attribute target.

• #user ⇒ Object readonly

  Returns the value of attribute user.

Instance Method Summary

• #connect ⇒ Object
• #disconnect ⇒ Object
• #download_file(source, destination, _download) ⇒ Object
• #execute(command_str) ⇒ Object
• #initialize(target, transport_logger) ⇒ Connection constructor

  A new instance of Connection.

• #max_command_length ⇒ Object
• #net_ssh_algorithms(type, algorithms) ⇒ Object

  Add all default algorithms if the ‘defaults’ key is present and filter out any unsupported algorithms.

• #net_ssh_verifier(verifier) ⇒ Object

  This handles renaming Net::SSH verifiers between version 4.x and 5.x of the gem.

• #reset_cwd? ⇒ Boolean

  This is used by the Bash shell to decide whether to ‘cd` before executing commands as a run-as user.

• #shell ⇒ Object
• #upload_file(source, destination) ⇒ Object
• #validate_ssh_version ⇒ Object

Constructor Details

#initialize(target, transport_logger) ⇒ Connection

Returns a new instance of Connection.

Raises:

• (Bolt::ValidationError)

# File 'lib/bolt/transport/ssh/connection.rb', line 15

def initialize(target, transport_logger)
  # lazy-load expensive gem code
  require 'net/ssh'
  require 'net/ssh/proxy/jump'

  raise Bolt::ValidationError, "Target #{target.safe_name} does not have a host" unless target.host

  @target = target
  @load_config = target.options['load-config']

  ssh_config = @load_config ? Net::SSH::Config.for(target.host) : {}
  @user = @target.user || ssh_config[:user] || Etc.getlogin
  @strict_host_key_checking = ssh_config[:strict_host_key_checking]

  @logger = Bolt::Logger.logger(@target.safe_name)
  @transport_logger = transport_logger
  @logger.trace("Initializing ssh connection to #{@target.safe_name}")

  if target.options['private-key'].instance_of?(String)
    begin
      Bolt::Util.validate_file('ssh key', target.options['private-key'])
    rescue Bolt::FileError => e
      Bolt::Logger.warn("invalid_ssh_key", e.msg)
    end
  end
end

Instance Attribute Details

#logger ⇒ Object (readonly)

Returns the value of attribute logger.

# File 'lib/bolt/transport/ssh/connection.rb', line 13

def logger
  @logger
end

#target ⇒ Object (readonly)

Returns the value of attribute target.

# File 'lib/bolt/transport/ssh/connection.rb', line 13

def target
  @target
end

#user ⇒ Object (readonly)

Returns the value of attribute user.

# File 'lib/bolt/transport/ssh/connection.rb', line 13

def user
  @user
end

Instance Method Details

#connect ⇒ Object

# File 'lib/bolt/transport/ssh/connection.rb', line 42

def connect
  options = {
    logger: @transport_logger,
    non_interactive: true
  }

  if (key = target.options['private-key'])
    if key.instance_of?(String)
      options[:keys] = key
    else
      options[:key_data] = [key['key-data']]
    end
  end

  options[:port] = target.port if target.port
  options[:password] = target.password if target.password
  # Support both net-ssh 4 and 5. We use 5 in packaging, but Beaker pins to 4 so we
  # want the gem to be compatible with version 4.
  options[:verify_host_key] = if target.options['host-key-check'].nil?
                                # Fall back to SSH behavior. This variable will only be set in net-ssh 5.3+.
                                if @strict_host_key_checking.nil? || @strict_host_key_checking
                                  net_ssh_verifier(:always)
                                else
                                  # SSH's behavior with StrictHostKeyChecking=no: adds new keys to known_hosts.
                                  # If known_hosts points to /dev/null, then equivalent to :never where it
                                  # accepts any key beacuse they're all new.
                                  net_ssh_verifier(:accept_new_or_tunnel_local)
                                end
                              elsif target.options['host-key-check']
                                net_ssh_verifier(:always)
                              else
                                net_ssh_verifier(:never)
                              end
  options[:timeout] = target.options['connect-timeout'] if target.options['connect-timeout']

  options[:proxy] = Net::SSH::Proxy::Jump.new(target.options['proxyjump']) if target.options['proxyjump']

  # Override the default supported algorithms for net-ssh. By default, a subset of supported algorithms
  # are enabled in 6.x, while several are deprecated and not enabled by default. The *-algorithms
  # options can be used to specify a list of algorithms to enable in net-ssh. Any algorithms not in the
  # list are disabled, including ones that are normally enabled by default. Support for deprecated
  # algorithms will be removed in 7.x.
  # https://github.com/net-ssh/net-ssh#supported-algorithms
  if target.options['encryption-algorithms']
    options[:encryption] = net_ssh_algorithms(:encryption, target.options['encryption-algorithms'])
  end

  if target.options['host-key-algorithms']
    options[:host_key] = net_ssh_algorithms(:host_key, target.options['host-key-algorithms'])
  end

  if target.options['kex-algorithms']
    options[:kex] = net_ssh_algorithms(:kex, target.options['kex-algorithms'])
  end

  if target.options['mac-algorithms']
    options[:hmac] = net_ssh_algorithms(:hmac, target.options['mac-algorithms'])
  end

  # This option was to address discrepency betwen net-ssh host-key-check and ssh(1)
  # For the net-ssh 5.x series it defaults to true, in 6.x it will default to false, and will be removed in 7.x
  # https://github.com/net-ssh/net-ssh/pull/663#issuecomment-469979931
  options[:check_host_ip] = false if Net::SSH::VALID_OPTIONS.include?(:check_host_ip)

  if @load_config
    # Mirroring:
    # https://github.com/net-ssh/net-ssh/blob/master/lib/net/ssh/authentication/agent.rb#L80
    # https://github.com/net-ssh/net-ssh/blob/master/lib/net/ssh/authentication/pageant.rb#L403
    if defined?(UNIXSocket) && UNIXSocket
      if ENV['SSH_AUTH_SOCK'].to_s.empty?
        @logger.debug { "Disabling use_agent in net-ssh: ssh-agent is not available" }
        options[:use_agent] = false
      end
    elsif Bolt::Util.windows?
      pageant = Net::SSH::Authentication::Pageant::Win.FindWindow("Pageant", "Pageant")
      # If pageant is not running
      if pageant.to_i == 0
        @logger.debug { "Disabling use_agent in net-ssh: pageant process not running" }
        options[:use_agent] = false
      end
    end
  else
    # Disable ssh config and ssh-agent if requested via load_config
    options[:config] = false
    options[:use_agent] = false
  end

  @session = Net::SSH.start(target.host, @user, options)
  validate_ssh_version
  @logger.trace { "Opened session" }
rescue Net::SSH::AuthenticationFailed => e
  raise Bolt::Node::ConnectError.new(
    e.message,
    'AUTH_ERROR'
  )
rescue Net::SSH::HostKeyError => e
  raise Bolt::Node::ConnectError.new(
    "Host key verification failed for #{target.safe_name}: #{e.message}",
    'HOST_KEY_ERROR'
  )
rescue Net::SSH::ConnectionTimeout
  raise Bolt::Node::ConnectError.new(
    "Timeout after #{target.options['connect-timeout']} seconds connecting to #{target.safe_name}",
    'CONNECT_ERROR'
  )
rescue StandardError => e
  raise Bolt::Node::ConnectError.new(
    "Failed to connect to #{target.safe_name}: #{e.message}",
    'CONNECT_ERROR'
  )
end

#disconnect ⇒ Object

# File 'lib/bolt/transport/ssh/connection.rb', line 154

def disconnect
  if @session && !@session.closed?
    begin
      Timeout.timeout(@target.options['disconnect-timeout']) { @session.close }
    rescue Timeout::Error
      @session.shutdown!
    end
    @logger.trace { "Closed session" }
  end
end

#download_file(source, destination, _download) ⇒ Object

# File 'lib/bolt/transport/ssh/connection.rb', line 243

def download_file(source, destination, _download)
  # Do not log wrapper script content
  @logger.trace { "Downloading #{source} to #{destination}" }
  @session.scp.download!(source, destination, recursive: true)
rescue StandardError => e
  raise Bolt::Node::FileError.new(e.message, 'WRITE_ERROR')
end

#execute(command_str) ⇒ Object

# File 'lib/bolt/transport/ssh/connection.rb', line 165

def execute(command_str)
  in_rd, in_wr = IO.pipe
  out_rd, out_wr = IO.pipe
  err_rd, err_wr = IO.pipe
  th = Thread.new do
    exit_code = nil
    session_channel = @session.open_channel do |channel|
      # Request a pseudo tty
      channel.request_pty if target.options['tty']

      channel.exec(command_str) do |_, success|
        unless success
          raise Bolt::Node::ConnectError.new(
            "Could not execute command: #{command_str.inspect}",
            'EXEC_ERROR'
          )
        end

        channel.on_data do |_, data|
          out_wr << data
        end

        channel.on_extended_data do |_, _, data|
          err_wr << data
        end

        channel.on_request("exit-status") do |_, data|
          exit_code = data.read_long
        end
      end
    end
    write_th = Thread.new do
      chunk_size = 4096
      eof = false
      active = true
      readable = false
      while active && !eof
        @session.loop(0.1) do
          active = session_channel.active?
          readable = select([in_rd], [], [], 0)
          # Loop as long as the channel is still live and there's nothing to be written
          active && !readable
        end
        if readable
          if in_rd.eof?
            session_channel.eof!
            eof = true
          else
            to_write = in_rd.readpartial(chunk_size)
            session_channel.send_data(to_write)
          end
        end
      end
      session_channel.wait
    end
    write_th.join
    exit_code
  ensure
    write_th.terminate
    in_rd.close
    out_wr.close
    err_wr.close
  end
  [in_wr, out_rd, err_rd, th]
rescue Errno::EMFILE => e
  msg = "#{e.message}. This might be resolved by increasing your user limit "\
    "with 'ulimit -n 1024'. See https://puppet.com/docs/bolt/latest/bolt_known_issues.html for details."
  raise Bolt::Error.new(msg, 'bolt/too-many-files')
end

#max_command_length ⇒ Object

# File 'lib/bolt/transport/ssh/connection.rb', line 303

def max_command_length
  if target.options['login-shell'] == 'powershell'
    32000
  end
end

#net_ssh_algorithms(type, algorithms) ⇒ Object

Add all default algorithms if the ‘defaults’ key is present and filter out any unsupported algorithms.

# File 'lib/bolt/transport/ssh/connection.rb', line 278

def net_ssh_algorithms(type, algorithms)
  if algorithms.include?('defaults')
    defaults = Net::SSH::Transport::Algorithms::DEFAULT_ALGORITHMS[type]
    algorithms += defaults
  end

  known = Net::SSH::Transport::Algorithms::ALGORITHMS[type]

  algorithms & known
end

#net_ssh_verifier(verifier) ⇒ Object

This handles renaming Net::SSH verifiers between version 4.x and 5.x of the gem

# File 'lib/bolt/transport/ssh/connection.rb', line 253

def net_ssh_verifier(verifier)
  case verifier
  when :always
    if defined?(Net::SSH::Verifiers::Always)
      Net::SSH::Verifiers::Always.new
    else
      Net::SSH::Verifiers::Secure.new
    end
  when :never
    if defined?(Net::SSH::Verifiers::Never)
      Net::SSH::Verifiers::Never.new
    else
      Net::SSH::Verifiers::Null.new
    end
  when :accept_new_or_tunnel_local
    if defined?(Net::SSH::Verifiers::AcceptNewOrLocalTunnel)
      Net::SSH::Verifiers::AcceptNewOrLocalTunnel.new
    else
      Net::SSH::Verifiers::Lenient.new
    end
  end
end

#reset_cwd? ⇒ Boolean

This is used by the Bash shell to decide whether to ‘cd` before executing commands as a run-as user

Returns:

• (Boolean)

# File 'lib/bolt/transport/ssh/connection.rb', line 299

def reset_cwd?
  true
end

#shell ⇒ Object

# File 'lib/bolt/transport/ssh/connection.rb', line 289

def shell
  @shell ||= if target.options['login-shell'] == 'powershell'
               Bolt::Shell::Powershell.new(target, self)
             else
               Bolt::Shell::Bash.new(target, self)
             end
end

#upload_file(source, destination) ⇒ Object

# File 'lib/bolt/transport/ssh/connection.rb', line 235

def upload_file(source, destination)
  # Do not log wrapper script content
  @logger.trace { "Uploading #{source} to #{destination}" } unless source.is_a?(StringIO)
  @session.scp.upload!(source, destination, recursive: true)
rescue StandardError => e
  raise Bolt::Node::FileError.new(e.message, 'WRITE_ERROR')
end

#validate_ssh_version ⇒ Object

# File 'lib/bolt/transport/ssh/connection.rb', line 309

def validate_ssh_version
  remote_version = @session.transport.server_version.version
  return unless target.options['login-shell'] && remote_version

  match = remote_version.match(/OpenSSH_for_Windows_(\d+\.\d+)/)
  if match && match[1].to_f < 7.9
    raise "Powershell over SSH requires OpenSSH server >= 7.9, target is running #{match[1]}"
  end
end