terraform/helper/ssh/provisioner.go

package ssh

import (
	"encoding/pem"
	"fmt"
	"io/ioutil"
	"log"
	"os/user"
	"strings"
	"time"

	"code.google.com/p/go.crypto/ssh"
	"github.com/hashicorp/terraform/terraform"
	"github.com/mitchellh/mapstructure"
)

const (
	// DefaultUser is used if there is no default user given
	DefaultUser = "root"

	// DefaultPort is used if there is no port given
	DefaultPort = 22

	// DefaultScriptPath is used as the path to copy the file to
	// for remote execution if not provided otherwise.
	DefaultScriptPath = "/tmp/script.sh"

	// DefaultTimeout is used if there is no timeout given
	DefaultTimeout = 5 * time.Minute
)

// SSHConfig is decoded from the ConnInfo of the resource. These
// are the only keys we look at. If a KeyFile is given, that is used
// instead of a password.
type SSHConfig struct {
	User       string
	Password   string
	KeyFile    string `mapstructure:"key_file"`
	Host       string
	Port       int
	Timeout    string
	ScriptPath string        `mapstructure:"script_path"`
	TimeoutVal time.Duration `mapstructure:"-"`
}

// VerifySSH is used to verify the ConnInfo is usable by remote-exec
func VerifySSH(s *terraform.ResourceState) error {
	connType := s.ConnInfo["type"]
	switch connType {
	case "":
	case "ssh":
	default:
		return fmt.Errorf("Connection type '%s' not supported", connType)
	}
	return nil
}

// ParseSSHConfig is used to convert the ConnInfo of the ResourceState into
// a SSHConfig struct
func ParseSSHConfig(s *terraform.ResourceState) (*SSHConfig, error) {
	sshConf := &SSHConfig{}
	decConf := &mapstructure.DecoderConfig{
		WeaklyTypedInput: true,
		Result:           sshConf,
	}
	dec, err := mapstructure.NewDecoder(decConf)
	if err != nil {
		return nil, err
	}
	if err := dec.Decode(s.ConnInfo); err != nil {
		return nil, err
	}
	if sshConf.User == "" {
		sshConf.User = DefaultUser
	}
	if sshConf.Port == 0 {
		sshConf.Port = DefaultPort
	}
	if sshConf.ScriptPath == "" {
		sshConf.ScriptPath = DefaultScriptPath
	}
	if sshConf.Timeout != "" {
		sshConf.TimeoutVal = safeDuration(sshConf.Timeout, DefaultTimeout)
	} else {
		sshConf.TimeoutVal = DefaultTimeout
	}
	return sshConf, nil
}

// safeDuration returns either the parsed duration or a default value
func safeDuration(dur string, defaultDur time.Duration) time.Duration {
	d, err := time.ParseDuration(dur)
	if err != nil {
		log.Printf("Invalid duration '%s', using default of %s", dur, defaultDur)
		return defaultDur
	}
	return d
}

// expandUserPath replaces a leading ~ in a filepath with the path to a HOME
// directory.
// TODO: Does this work on Windows?
func expandUserPath(path string) (string, error) {
	if !strings.HasPrefix(path, "~") {
		return path, nil
	}
	i := strings.IndexByte(path, '/')
	if i < 0 {
		i = len(path)
	}
	userhome := ""
	if i == 1 {
		u, err := user.Current()
		if err != nil {
			return "", err
		}

		userhome = u.HomeDir
	} else {
		u, err := user.Lookup(path[1:i])
		if err != nil {
			return path, nil
		}
		userhome = u.HomeDir
	}
	userhome = strings.TrimSuffix(userhome, "/")
	return userhome + path[i:], nil
}

// PrepareConfig is used to turn the *SSHConfig provided into a
// usable *Config for client initialization.
func PrepareConfig(conf *SSHConfig) (*Config, error) {
	sshConf := &ssh.ClientConfig{
		User: conf.User,
	}
	if conf.KeyFile != "" {
		fullPath, err := expandUserPath(conf.KeyFile)
		if err != nil {
			return nil, fmt.Errorf("Failed to expand home directory: %v", err)
		}
		key, err := ioutil.ReadFile(fullPath)
		if err != nil {
			return nil, fmt.Errorf("Failed to read key file '%s': %v", conf.KeyFile, err)
		}

		// We parse the private key on our own first so that we can
		// show a nicer error if the private key has a password.
		block, _ := pem.Decode(key)
		if block == nil {
			return nil, fmt.Errorf(
				"Failed to read key '%s': no key found", conf.KeyFile)
		}
		if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
			return nil, fmt.Errorf(
				"Failed to read key '%s': password protected keys are\n"+
					"not supported. Please decrypt the key prior to use.", conf.KeyFile)
		}

		signer, err := ssh.ParsePrivateKey(key)
		if err != nil {
			return nil, fmt.Errorf("Failed to parse key file '%s': %v", conf.KeyFile, err)
		}

		sshConf.Auth = append(sshConf.Auth, ssh.PublicKeys(signer))
	}
	if conf.Password != "" {
		sshConf.Auth = append(sshConf.Auth,
			ssh.Password(conf.Password))
		sshConf.Auth = append(sshConf.Auth,
			ssh.KeyboardInteractive(PasswordKeyboardInteractive(conf.Password)))
	}
	host := fmt.Sprintf("%s:%d", conf.Host, conf.Port)
	config := &Config{
		SSHConfig:  sshConf,
		Connection: ConnectFunc("tcp", host),
	}
	return config, nil
}
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`package ssh`

			`import (`
helper/ssh: error if private key on SSH [GH-73] 2014-08-05 18:53:02 +02:00			`"encoding/pem"`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`"fmt"`
Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`"io/ioutil"`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`"log"`
Fixes #179 -- expand ~'s in the path to a key file 2014-08-11 20:39:29 +02:00			`"os/user"`
			`"strings"`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`"time"`

Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`"code.google.com/p/go.crypto/ssh"`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`"github.com/hashicorp/terraform/terraform"`
			`"github.com/mitchellh/mapstructure"`
			`)`

			`const (`
			`// DefaultUser is used if there is no default user given`
			`DefaultUser = "root"`

			`// DefaultPort is used if there is no port given`
			`DefaultPort = 22`

			`// DefaultScriptPath is used as the path to copy the file to`
			`// for remote execution if not provided otherwise.`
			`DefaultScriptPath = "/tmp/script.sh"`

			`// DefaultTimeout is used if there is no timeout given`
			`DefaultTimeout = 5 * time.Minute`
			`)`

			`// SSHConfig is decoded from the ConnInfo of the resource. These`
			`// are the only keys we look at. If a KeyFile is given, that is used`
			`// instead of a password.`
			`type SSHConfig struct {`
			`User string`
			`Password string`
			KeyFile string `mapstructure:"key_file"`
			`Host string`
			`Port int`
			`Timeout string`
			ScriptPath string `mapstructure:"script_path"`
			TimeoutVal time.Duration `mapstructure:"-"`
			`}`

Update provisioner.go Comment should be capitalized to match exported function "VerifySSH" 2014-08-07 19:19:03 +02:00			`// VerifySSH is used to verify the ConnInfo is usable by remote-exec`
Refactor helper methods out of provisioner 2014-07-15 23:50:53 +02:00			`func VerifySSH(s *terraform.ResourceState) error {`
			`connType := s.ConnInfo["type"]`
			`switch connType {`
			`case "":`
			`case "ssh":`
			`default:`
			`return fmt.Errorf("Connection type '%s' not supported", connType)`
			`}`
			`return nil`
			`}`

			`// ParseSSHConfig is used to convert the ConnInfo of the ResourceState into`
			`// a SSHConfig struct`
			`func ParseSSHConfig(s terraform.ResourceState) (SSHConfig, error) {`
			`sshConf := &SSHConfig{}`
			`decConf := &mapstructure.DecoderConfig{`
			`WeaklyTypedInput: true,`
			`Result: sshConf,`
			`}`
			`dec, err := mapstructure.NewDecoder(decConf)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if err := dec.Decode(s.ConnInfo); err != nil {`
			`return nil, err`
			`}`
			`if sshConf.User == "" {`
			`sshConf.User = DefaultUser`
			`}`
			`if sshConf.Port == 0 {`
			`sshConf.Port = DefaultPort`
			`}`
			`if sshConf.ScriptPath == "" {`
			`sshConf.ScriptPath = DefaultScriptPath`
			`}`
			`if sshConf.Timeout != "" {`
			`sshConf.TimeoutVal = safeDuration(sshConf.Timeout, DefaultTimeout)`
			`} else {`
			`sshConf.TimeoutVal = DefaultTimeout`
			`}`
			`return sshConf, nil`
			`}`

			`// safeDuration returns either the parsed duration or a default value`
			`func safeDuration(dur string, defaultDur time.Duration) time.Duration {`
			`d, err := time.ParseDuration(dur)`
			`if err != nil {`
			`log.Printf("Invalid duration '%s', using default of %s", dur, defaultDur)`
			`return defaultDur`
			`}`
			`return d`
			`}`
Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00
Fixes #179 -- expand ~'s in the path to a key file 2014-08-11 20:39:29 +02:00			`// expandUserPath replaces a leading ~ in a filepath with the path to a HOME`
			`// directory.`
			`// TODO: Does this work on Windows?`
			`func expandUserPath(path string) (string, error) {`
			`if !strings.HasPrefix(path, "~") {`
			`return path, nil`
			`}`
			`i := strings.IndexByte(path, '/')`
			`if i < 0 {`
			`i = len(path)`
			`}`
			`userhome := ""`
			`if i == 1 {`
			`u, err := user.Current()`
			`if err != nil {`
			`return "", err`
			`}`

			`userhome = u.HomeDir`
			`} else {`
			`u, err := user.Lookup(path[1:i])`
			`if err != nil {`
			`return path, nil`
			`}`
			`userhome = u.HomeDir`
			`}`
Added a test and fixed a typo 2014-08-11 20:47:56 +02:00			`userhome = strings.TrimSuffix(userhome, "/")`
Fixes #179 -- expand ~'s in the path to a key file 2014-08-11 20:39:29 +02:00			`return userhome + path[i:], nil`
			`}`

Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`// PrepareConfig is used to turn the *SSHConfig provided into a`
			`// usable *Config for client initialization.`
			`func PrepareConfig(conf SSHConfig) (Config, error) {`
			`sshConf := &ssh.ClientConfig{`
			`User: conf.User,`
			`}`
			`if conf.KeyFile != "" {`
Fixes #179 -- expand ~'s in the path to a key file 2014-08-11 20:39:29 +02:00			`fullPath, err := expandUserPath(conf.KeyFile)`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed to expand home directory: %v", err)`
			`}`
			`key, err := ioutil.ReadFile(fullPath)`
Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`if err != nil {`
			`return nil, fmt.Errorf("Failed to read key file '%s': %v", conf.KeyFile, err)`
			`}`
helper/ssh: error if private key on SSH [GH-73] 2014-08-05 18:53:02 +02:00
			`// We parse the private key on our own first so that we can`
			`// show a nicer error if the private key has a password.`
			`block, _ := pem.Decode(key)`
			`if block == nil {`
			`return nil, fmt.Errorf(`
			`"Failed to read key '%s': no key found", conf.KeyFile)`
			`}`
			`if block.Headers["Proc-Type"] == "4,ENCRYPTED" {`
			`return nil, fmt.Errorf(`
			`"Failed to read key '%s': password protected keys are\n"+`
			`"not supported. Please decrypt the key prior to use.", conf.KeyFile)`
			`}`

Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`signer, err := ssh.ParsePrivateKey(key)`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed to parse key file '%s': %v", conf.KeyFile, err)`
			`}`
helper/ssh: error if private key on SSH [GH-73] 2014-08-05 18:53:02 +02:00
Refactor shared SSH setup code 2014-07-16 01:51:20 +02:00			`sshConf.Auth = append(sshConf.Auth, ssh.PublicKeys(signer))`
			`}`
			`if conf.Password != "" {`
			`sshConf.Auth = append(sshConf.Auth,`
			`ssh.Password(conf.Password))`
			`sshConf.Auth = append(sshConf.Auth,`
			`ssh.KeyboardInteractive(PasswordKeyboardInteractive(conf.Password)))`
			`}`
			`host := fmt.Sprintf("%s:%d", conf.Host, conf.Port)`
			`config := &Config{`
			`SSHConfig: sshConf,`
			`Connection: ConnectFunc("tcp", host),`
			`}`
			`return config, nil`
			`}`