terraform/communicator/ssh/provisioner.go

package ssh

import (
	"encoding/pem"
	"fmt"
	"io/ioutil"
	"log"
	"net"
	"os"
	"time"

	"github.com/hashicorp/terraform/terraform"
	"github.com/mitchellh/go-homedir"
	"github.com/mitchellh/mapstructure"
	"golang.org/x/crypto/ssh"
	"golang.org/x/crypto/ssh/agent"
)

const (
	// DefaultUser is used if there is no user given
	DefaultUser = "root"

	// DefaultPort is used if there is no port given
	DefaultPort = 22

	// DefaultScriptPath is used as the path to copy the file to
	// for remote execution if not provided otherwise.
	DefaultScriptPath = "/tmp/terraform_%RAND%.sh"

	// DefaultTimeout is used if there is no timeout given
	DefaultTimeout = 5 * time.Minute
)

// connectionInfo is decoded from the ConnInfo of the resource. These are the
// only keys we look at. If a KeyFile is given, that is used instead
// of a password.
type connectionInfo struct {
	User       string
	Password   string
	KeyFile    string `mapstructure:"key_file"`
	Host       string
	Port       int
	Agent      bool
	Timeout    string
	ScriptPath string        `mapstructure:"script_path"`
	TimeoutVal time.Duration `mapstructure:"-"`
}

// parseConnectionInfo is used to convert the ConnInfo of the InstanceState into
// a ConnectionInfo struct
func parseConnectionInfo(s *terraform.InstanceState) (*connectionInfo, error) {
	connInfo := &connectionInfo{}
	decConf := &mapstructure.DecoderConfig{
		WeaklyTypedInput: true,
		Result:           connInfo,
	}
	dec, err := mapstructure.NewDecoder(decConf)
	if err != nil {
		return nil, err
	}
	if err := dec.Decode(s.Ephemeral.ConnInfo); err != nil {
		return nil, err
	}

	if connInfo.User == "" {
		connInfo.User = DefaultUser
	}
	if connInfo.Port == 0 {
		connInfo.Port = DefaultPort
	}
	if connInfo.ScriptPath == "" {
		connInfo.ScriptPath = DefaultScriptPath
	}
	if connInfo.Timeout != "" {
		connInfo.TimeoutVal = safeDuration(connInfo.Timeout, DefaultTimeout)
	} else {
		connInfo.TimeoutVal = DefaultTimeout
	}

	return connInfo, nil
}

// safeDuration returns either the parsed duration or a default value
func safeDuration(dur string, defaultDur time.Duration) time.Duration {
	d, err := time.ParseDuration(dur)
	if err != nil {
		log.Printf("Invalid duration '%s', using default of %s", dur, defaultDur)
		return defaultDur
	}
	return d
}

// prepareSSHConfig is used to turn the *ConnectionInfo provided into a
// usable *SSHConfig for client initialization.
func prepareSSHConfig(connInfo *connectionInfo) (*sshConfig, error) {
	var conn net.Conn
	var err error

	sshConf := &ssh.ClientConfig{
		User: connInfo.User,
	}
	if connInfo.Agent {
		sshAuthSock := os.Getenv("SSH_AUTH_SOCK")

		if sshAuthSock == "" {
			return nil, fmt.Errorf("SSH Requested but SSH_AUTH_SOCK not-specified")
		}

		conn, err = net.Dial("unix", sshAuthSock)
		if err != nil {
			return nil, fmt.Errorf("Error connecting to SSH_AUTH_SOCK: %v", err)
		}
		// I need to close this but, later after all connections have been made
		// defer conn.Close()
		signers, err := agent.NewClient(conn).Signers()
		if err != nil {
			return nil, fmt.Errorf("Error getting keys from ssh agent: %v", err)
		}

		sshConf.Auth = append(sshConf.Auth, ssh.PublicKeys(signers...))
	}
	if connInfo.KeyFile != "" {
		fullPath, err := homedir.Expand(connInfo.KeyFile)
		if err != nil {
			return nil, fmt.Errorf("Failed to expand home directory: %v", err)
		}
		key, err := ioutil.ReadFile(fullPath)
		if err != nil {
			return nil, fmt.Errorf("Failed to read key file '%s': %v", connInfo.KeyFile, err)
		}

		// We parse the private key on our own first so that we can
		// show a nicer error if the private key has a password.
		block, _ := pem.Decode(key)
		if block == nil {
			return nil, fmt.Errorf(
				"Failed to read key '%s': no key found", connInfo.KeyFile)
		}
		if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
			return nil, fmt.Errorf(
				"Failed to read key '%s': password protected keys are\n"+
					"not supported. Please decrypt the key prior to use.", connInfo.KeyFile)
		}

		signer, err := ssh.ParsePrivateKey(key)
		if err != nil {
			return nil, fmt.Errorf("Failed to parse key file '%s': %v", connInfo.KeyFile, err)
		}

		sshConf.Auth = append(sshConf.Auth, ssh.PublicKeys(signer))
	}
	if connInfo.Password != "" {
		sshConf.Auth = append(sshConf.Auth,
			ssh.Password(connInfo.Password))
		sshConf.Auth = append(sshConf.Auth,
			ssh.KeyboardInteractive(PasswordKeyboardInteractive(connInfo.Password)))
	}
	host := fmt.Sprintf("%s:%d", connInfo.Host, connInfo.Port)
	config := &sshConfig{
		config:       sshConf,
		connection:   ConnectFunc("tcp", host),
		sshAgentConn: conn,
	}
	return config, nil
}
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`package ssh`

			`import (`
helper/ssh: error if private key on SSH [GH-73] 2014-08-05 18:53:02 +02:00			`"encoding/pem"`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`"fmt"`
Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`"io/ioutil"`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`"log"`
Add SSH Agent support 2015-03-16 00:12:25 +01:00			`"net"`
			`"os"`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`"time"`

			`"github.com/hashicorp/terraform/terraform"`
Remove extraneous trailing bit in the import URL 2014-08-19 21:27:01 +02:00			`"github.com/mitchellh/go-homedir"`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`"github.com/mitchellh/mapstructure"`
Add SSH Agent support 2015-03-16 00:12:25 +01:00			`"golang.org/x/crypto/ssh"`
			`"golang.org/x/crypto/ssh/agent"`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`)`

			`const (`
Adding support for WinRM 2015-04-10 20:34:46 +02:00			`// DefaultUser is used if there is no user given`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`DefaultUser = "root"`

			`// DefaultPort is used if there is no port given`
			`DefaultPort = 22`

			`// DefaultScriptPath is used as the path to copy the file to`
			`// for remote execution if not provided otherwise.`
Updated the PR according to the review comments * We now return an error when you set the script_path to C:\Windows\Temp explaining this is currently not supported * The fix in PR #1588 is converted to the updated setup in this PR including the unit tests Last thing to do is add a few tests for the WinRM communicator… 2015-04-30 18:02:33 +02:00			`DefaultScriptPath = "/tmp/terraform_%RAND%.sh"`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00
			`// DefaultTimeout is used if there is no timeout given`
			`DefaultTimeout = 5 * time.Minute`
			`)`

Adding support for WinRM 2015-04-10 20:34:46 +02:00			`// connectionInfo is decoded from the ConnInfo of the resource. These are the`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`// only keys we look at. If a KeyFile is given, that is used instead`
			`// of a password.`
Adding support for WinRM 2015-04-10 20:34:46 +02:00			`type connectionInfo struct {`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`User string`
			`Password string`
			KeyFile string `mapstructure:"key_file"`
			`Host string`
			`Port int`
Add SSH Agent support 2015-03-16 00:12:25 +01:00			`Agent bool`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`Timeout string`
			ScriptPath string `mapstructure:"script_path"`
			TimeoutVal time.Duration `mapstructure:"-"`
			`}`

Adding support for WinRM 2015-04-10 20:34:46 +02:00			`// parseConnectionInfo is used to convert the ConnInfo of the InstanceState into`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`// a ConnectionInfo struct`
Adding support for WinRM 2015-04-10 20:34:46 +02:00			`func parseConnectionInfo(s terraform.InstanceState) (connectionInfo, error) {`
			`connInfo := &connectionInfo{}`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`decConf := &mapstructure.DecoderConfig{`
			`WeaklyTypedInput: true,`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`Result: connInfo,`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`}`
			`dec, err := mapstructure.NewDecoder(decConf)`
			`if err != nil {`
			`return nil, err`
			`}`
helper/ssh: convert to InstanceState 2014-09-17 01:55:02 +02:00			`if err := dec.Decode(s.Ephemeral.ConnInfo); err != nil {`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`return nil, err`
			`}`
Updated the PR according to the review comments * We now return an error when you set the script_path to C:\Windows\Temp explaining this is currently not supported * The fix in PR #1588 is converted to the updated setup in this PR including the unit tests Last thing to do is add a few tests for the WinRM communicator… 2015-04-30 18:02:33 +02:00
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`if connInfo.User == "" {`
			`connInfo.User = DefaultUser`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`}`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`if connInfo.Port == 0 {`
			`connInfo.Port = DefaultPort`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`}`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`if connInfo.ScriptPath == "" {`
			`connInfo.ScriptPath = DefaultScriptPath`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`}`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`if connInfo.Timeout != "" {`
			`connInfo.TimeoutVal = safeDuration(connInfo.Timeout, DefaultTimeout)`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`} else {`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`connInfo.TimeoutVal = DefaultTimeout`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`}`
Updated the PR according to the review comments * We now return an error when you set the script_path to C:\Windows\Temp explaining this is currently not supported * The fix in PR #1588 is converted to the updated setup in this PR including the unit tests Last thing to do is add a few tests for the WinRM communicator… 2015-04-30 18:02:33 +02:00
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`return connInfo, nil`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`}`

			`// safeDuration returns either the parsed duration or a default value`
			`func safeDuration(dur string, defaultDur time.Duration) time.Duration {`
			`d, err := time.ParseDuration(dur)`
			`if err != nil {`
			`log.Printf("Invalid duration '%s', using default of %s", dur, defaultDur)`
			`return defaultDur`
			`}`
			`return d`
			`}`
Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00
Adding support for WinRM 2015-04-10 20:34:46 +02:00			`// prepareSSHConfig is used to turn the *ConnectionInfo provided into a`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`// usable *SSHConfig for client initialization.`
Adding support for WinRM 2015-04-10 20:34:46 +02:00			`func prepareSSHConfig(connInfo connectionInfo) (sshConfig, error) {`
Add cleanup function to close SSHAgent 2015-03-21 02:18:35 +01:00			`var conn net.Conn`
			`var err error`

Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`sshConf := &ssh.ClientConfig{`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`User: connInfo.User,`
Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`}`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`if connInfo.Agent {`
Add SSH Agent support 2015-03-16 00:12:25 +01:00			`sshAuthSock := os.Getenv("SSH_AUTH_SOCK")`

			`if sshAuthSock == "" {`
			`return nil, fmt.Errorf("SSH Requested but SSH_AUTH_SOCK not-specified")`
			`}`

Add cleanup function to close SSHAgent 2015-03-21 02:18:35 +01:00			`conn, err = net.Dial("unix", sshAuthSock)`
Add SSH Agent support 2015-03-16 00:12:25 +01:00			`if err != nil {`
			`return nil, fmt.Errorf("Error connecting to SSH_AUTH_SOCK: %v", err)`
			`}`
			`// I need to close this but, later after all connections have been made`
			`// defer conn.Close()`
			`signers, err := agent.NewClient(conn).Signers()`
			`if err != nil {`
			`return nil, fmt.Errorf("Error getting keys from ssh agent: %v", err)`
			`}`

			`sshConf.Auth = append(sshConf.Auth, ssh.PublicKeys(signers...))`
			`}`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`if connInfo.KeyFile != "" {`
			`fullPath, err := homedir.Expand(connInfo.KeyFile)`
Fixes #179 -- expand ~'s in the path to a key file 2014-08-11 20:39:29 +02:00			`if err != nil {`
			`return nil, fmt.Errorf("Failed to expand home directory: %v", err)`
			`}`
			`key, err := ioutil.ReadFile(fullPath)`
Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`if err != nil {`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`return nil, fmt.Errorf("Failed to read key file '%s': %v", connInfo.KeyFile, err)`
Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`}`
helper/ssh: error if private key on SSH [GH-73] 2014-08-05 18:53:02 +02:00
			`// We parse the private key on our own first so that we can`
			`// show a nicer error if the private key has a password.`
			`block, _ := pem.Decode(key)`
			`if block == nil {`
			`return nil, fmt.Errorf(`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`"Failed to read key '%s': no key found", connInfo.KeyFile)`
helper/ssh: error if private key on SSH [GH-73] 2014-08-05 18:53:02 +02:00			`}`
			`if block.Headers["Proc-Type"] == "4,ENCRYPTED" {`
			`return nil, fmt.Errorf(`
			`"Failed to read key '%s': password protected keys are\n"+`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`"not supported. Please decrypt the key prior to use.", connInfo.KeyFile)`
helper/ssh: error if private key on SSH [GH-73] 2014-08-05 18:53:02 +02:00			`}`

Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`signer, err := ssh.ParsePrivateKey(key)`
			`if err != nil {`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`return nil, fmt.Errorf("Failed to parse key file '%s': %v", connInfo.KeyFile, err)`
Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`}`
helper/ssh: error if private key on SSH [GH-73] 2014-08-05 18:53:02 +02:00
Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`sshConf.Auth = append(sshConf.Auth, ssh.PublicKeys(signer))`
			`}`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`if connInfo.Password != "" {`
Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`sshConf.Auth = append(sshConf.Auth,`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`ssh.Password(connInfo.Password))`
Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`sshConf.Auth = append(sshConf.Auth,`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`ssh.KeyboardInteractive(PasswordKeyboardInteractive(connInfo.Password)))`
Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`}`
Adding some abstractions for the communicators This is needed as preperation for adding WinRM support. There is still one error in the tests which needs another look, but other than that it seems like were now ready to start working on the WinRM part… 2015-04-09 21:58:00 +02:00			`host := fmt.Sprintf("%s:%d", connInfo.Host, connInfo.Port)`
Adding support for WinRM 2015-04-10 20:34:46 +02:00			`config := &sshConfig{`
			`config: sshConf,`
			`connection: ConnectFunc("tcp", host),`
			`sshAgentConn: conn,`
Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`}`
			`return config, nil`
			`}`