// +build !race package ssh import ( "bufio" "bytes" "encoding/base64" "fmt" "io" "io/ioutil" "math/rand" "net" "os" "path/filepath" "regexp" "strconv" "strings" "testing" "github.com/hashicorp/terraform/communicator/remote" "github.com/hashicorp/terraform/terraform" "golang.org/x/crypto/ssh" ) // private key for mock server const testServerPrivateKey = `-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA19lGVsTqIT5iiNYRgnoY1CwkbETW5cq+Rzk5v/kTlf31XpSU 70HVWkbTERECjaYdXM2gGcbb+sxpq6GtXf1M3kVomycqhxwhPv4Cr6Xp4WT/jkFx 9z+FFzpeodGJWjOH6L2H5uX1Cvr9EDdQp9t9/J32/qBFntY8GwoUI/y/1MSTmMiF tupdMODN064vd3gyMKTwrlQ8tZM6aYuyOPsutLlUY7M5x5FwMDYvnPDSeyT/Iw0z s3B+NCyqeeMd2T7YzQFnRATj0M7rM5LoSs7DVqVriOEABssFyLj31PboaoLhOKgc qoM9khkNzr7FHVvi+DhYM2jD0DwvqZLN6NmnLwIDAQABAoIBAQCGVj+kuSFOV1lT +IclQYA6bM6uY5mroqcSBNegVxCNhWU03BxlW//BE9tA/+kq53vWylMeN9mpGZea riEMIh25KFGWXqXlOOioH8bkMsqA8S7sBmc7jljyv+0toQ9vCCtJ+sueNPhxQQxH D2YvUjfzBQ04I9+wn30BByDJ1QA/FoPsunxIOUCcRBE/7jxuLYcpR+JvEF68yYIh atXRld4W4in7T65YDR8jK1Uj9XAcNeDYNpT/M6oFLx1aPIlkG86aCWRO19S1jLPT b1ZAKHHxPMCVkSYW0RqvIgLXQOR62D0Zne6/2wtzJkk5UCjkSQ2z7ZzJpMkWgDgN ifCULFPBAoGBAPoMZ5q1w+zB+knXUD33n1J+niN6TZHJulpf2w5zsW+m2K6Zn62M MXndXlVAHtk6p02q9kxHdgov34Uo8VpuNjbS1+abGFTI8NZgFo+bsDxJdItemwC4 KJ7L1iz39hRN/ZylMRLz5uTYRGddCkeIHhiG2h7zohH/MaYzUacXEEy3AoGBANz8 e/msleB+iXC0cXKwds26N4hyMdAFE5qAqJXvV3S2W8JZnmU+sS7vPAWMYPlERPk1 D8Q2eXqdPIkAWBhrx4RxD7rNc5qFNcQWEhCIxC9fccluH1y5g2M+4jpMX2CT8Uv+ 3z+NoJ5uDTXZTnLCfoZzgZ4nCZVZ+6iU5U1+YXFJAoGBANLPpIV920n/nJmmquMj orI1R/QXR9Cy56cMC65agezlGOfTYxk5Cfl5Ve+/2IJCfgzwJyjWUsFx7RviEeGw 64o7JoUom1HX+5xxdHPsyZ96OoTJ5RqtKKoApnhRMamau0fWydH1yeOEJd+TRHhc XStGfhz8QNa1dVFvENczja1vAoGABGWhsd4VPVpHMc7lUvrf4kgKQtTC2PjA4xoc QJ96hf/642sVE76jl+N6tkGMzGjnVm4P2j+bOy1VvwQavKGoXqJBRd5Apppv727g /SM7hBXKFc/zH80xKBBgP/i1DR7kdjakCoeu4ngeGywvu2jTS6mQsqzkK+yWbUxJ I7mYBsECgYB/KNXlTEpXtz/kwWCHFSYA8U74l7zZbVD8ul0e56JDK+lLcJ0tJffk gqnBycHj6AhEycjda75cs+0zybZvN4x65KZHOGW/O/7OAWEcZP5TPb3zf9ned3Hl NsZoFj52ponUM6+99A2CmezFCN16c4mbA//luWF+k3VVqR6BpkrhKw== -----END RSA PRIVATE KEY-----` // this cert was signed by the key from testCAPublicKey const testServerHostCert = `ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgvQ3Bs1ex7277b9q6I0fNaWsVEC16f+LcT8RLPSVMEVMAAAADAQABAAABAQDX2UZWxOohPmKI1hGCehjULCRsRNblyr5HOTm/+ROV/fVelJTvQdVaRtMREQKNph1czaAZxtv6zGmroa1d/UzeRWibJyqHHCE+/gKvpenhZP+OQXH3P4UXOl6h0YlaM4fovYfm5fUK+v0QN1Cn2338nfb+oEWe1jwbChQj/L/UxJOYyIW26l0w4M3Tri93eDIwpPCuVDy1kzppi7I4+y60uVRjsznHkXAwNi+c8NJ7JP8jDTOzcH40LKp54x3ZPtjNAWdEBOPQzuszkuhKzsNWpWuI4QAGywXIuPfU9uhqguE4qByqgz2SGQ3OvsUdW+L4OFgzaMPQPC+pks3o2acvAAAAAAAAAAAAAAACAAAAB2NhLXRlc3QAAAANAAAACTEyNy4wLjAuMQAAAABag0jkAAAAAHDcHtAAAAAAAAAAAAAAAAAAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQCrozyZIhdEvalCn+eSzHH94cO9ykiywA13ntWI7mJcHBwYTeCYWG8E9zGXyp2iDOjCGudM0Tdt8o0OofKChk9Z/qiUN0G8y1kmaXBlBM3qA5R9NPpvMYMNkYLfX6ivtZCnqrsbzaoqN2Oc/7H2StHzJWh/XCGu9otQZA6vdv1oSmAsZOjw/xIGaGQqDUaLq21J280PP1qSbdJHf76iSHE+TWe3YpqV946JWM5tCh0DykZ10VznvxYpUjzhr07IN3tVKxOXbPnnU7lX6IaLIWgfzLqwSyheeux05c3JLF9iF4sFu8ou4hwQz1iuUTU1jxgwZP0w/bkXgFFs0949lW81AAABDwAAAAdzc2gtcnNhAAABAEyoiVkZ5z79nh3WSU5mU2U7e2BItnnEqsJIm9EN+35uG0yORSXmQoaa9mtli7G3r79tyqEJd/C95EdNvU/9TjaoDcbH8OHP+Ue9XSfUzBuQ6bGSXe6mlZlO7QJ1cIyWphFP3MkrweDSiJ+SpeXzLzZkiJ7zKv5czhBEyG/MujFgvikotL+eUNG42y2cgsesXSjENSBS3l11q55a+RM2QKt3W32im8CsSxrH6Mz6p4JXQNgsVvZRknLxNlWXULFB2HLTunPKzJNMTf6xZf66oivSBAXVIdNKhlVpAQ3dT/dW5K6J4aQF/hjWByyLprFwZ16cPDqvtalnTCpbRYelNbw=` const testCAPublicKey = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrozyZIhdEvalCn+eSzHH94cO9ykiywA13ntWI7mJcHBwYTeCYWG8E9zGXyp2iDOjCGudM0Tdt8o0OofKChk9Z/qiUN0G8y1kmaXBlBM3qA5R9NPpvMYMNkYLfX6ivtZCnqrsbzaoqN2Oc/7H2StHzJWh/XCGu9otQZA6vdv1oSmAsZOjw/xIGaGQqDUaLq21J280PP1qSbdJHf76iSHE+TWe3YpqV946JWM5tCh0DykZ10VznvxYpUjzhr07IN3tVKxOXbPnnU7lX6IaLIWgfzLqwSyheeux05c3JLF9iF4sFu8ou4hwQz1iuUTU1jxgwZP0w/bkXgFFs0949lW81` func newMockLineServer(t *testing.T, signer ssh.Signer) string { serverConfig := &ssh.ServerConfig{ PasswordCallback: acceptUserPass("user", "pass"), PublicKeyCallback: acceptPublicKey(testClientPublicKey), } var err error if signer == nil { signer, err = ssh.ParsePrivateKey([]byte(testServerPrivateKey)) if err != nil { t.Fatalf("unable to parse private key: %s", err) } } serverConfig.AddHostKey(signer) l, err := net.Listen("tcp", "127.0.0.1:0") if err != nil { t.Fatalf("Unable to listen for connection: %s", err) } go func() { defer l.Close() c, err := l.Accept() if err != nil { t.Errorf("Unable to accept incoming connection: %s", err) } defer c.Close() conn, chans, _, err := ssh.NewServerConn(c, serverConfig) if err != nil { t.Logf("Handshaking error: %v", err) } t.Log("Accepted SSH connection") for newChannel := range chans { channel, requests, err := newChannel.Accept() if err != nil { t.Errorf("Unable to accept channel.") } t.Log("Accepted channel") go func(in <-chan *ssh.Request) { for req := range in { if req.WantReply { req.Reply(true, nil) } } }(requests) go func(newChannel ssh.NewChannel) { conn.OpenChannel(newChannel.ChannelType(), nil) }(newChannel) defer channel.Close() } conn.Close() }() return l.Addr().String() } func TestNew_Invalid(t *testing.T) { address := newMockLineServer(t, nil) parts := strings.Split(address, ":") r := &terraform.InstanceState{ Ephemeral: terraform.EphemeralState{ ConnInfo: map[string]string{ "type": "ssh", "user": "user", "password": "i-am-invalid", "host": parts[0], "port": parts[1], "timeout": "30s", }, }, } c, err := New(r) if err != nil { t.Fatalf("error creating communicator: %s", err) } err = c.Connect(nil) if err == nil { t.Fatal("should have had an error connecting") } } func TestStart(t *testing.T) { address := newMockLineServer(t, nil) parts := strings.Split(address, ":") r := &terraform.InstanceState{ Ephemeral: terraform.EphemeralState{ ConnInfo: map[string]string{ "type": "ssh", "user": "user", "password": "pass", "host": parts[0], "port": parts[1], "timeout": "30s", }, }, } c, err := New(r) if err != nil { t.Fatalf("error creating communicator: %s", err) } var cmd remote.Cmd stdout := new(bytes.Buffer) cmd.Command = "echo foo" cmd.Stdout = stdout err = c.Start(&cmd) if err != nil { t.Fatalf("error executing remote command: %s", err) } } func TestHostKey(t *testing.T) { // get the server's public key signer, err := ssh.ParsePrivateKey([]byte(testServerPrivateKey)) if err != nil { panic("unable to parse private key: " + err.Error()) } pubKey := fmt.Sprintf("ssh-rsa %s", base64.StdEncoding.EncodeToString(signer.PublicKey().Marshal())) address := newMockLineServer(t, nil) host, p, _ := net.SplitHostPort(address) port, _ := strconv.Atoi(p) connInfo := &connectionInfo{ User: "user", Password: "pass", Host: host, HostKey: pubKey, Port: port, Timeout: "30s", } cfg, err := prepareSSHConfig(connInfo) if err != nil { t.Fatal(err) } c := &Communicator{ connInfo: connInfo, config: cfg, } var cmd remote.Cmd stdout := new(bytes.Buffer) cmd.Command = "echo foo" cmd.Stdout = stdout if err := c.Start(&cmd); err != nil { t.Fatal(err) } if err := c.Disconnect(); err != nil { t.Fatal(err) } // now check with the wrong HostKey address = newMockLineServer(t, nil) _, p, _ = net.SplitHostPort(address) port, _ = strconv.Atoi(p) connInfo.HostKey = testClientPublicKey connInfo.Port = port cfg, err = prepareSSHConfig(connInfo) if err != nil { t.Fatal(err) } c = &Communicator{ connInfo: connInfo, config: cfg, } err = c.Start(&cmd) if err == nil || !strings.Contains(err.Error(), "mismatch") { t.Fatalf("expected host key mismatch, got error:%v", err) } } func TestHostCert(t *testing.T) { pk, _, _, _, err := ssh.ParseAuthorizedKey([]byte(testServerHostCert)) if err != nil { t.Fatal(err) } signer, err := ssh.ParsePrivateKey([]byte(testServerPrivateKey)) if err != nil { t.Fatal(err) } signer, err = ssh.NewCertSigner(pk.(*ssh.Certificate), signer) if err != nil { t.Fatal(err) } address := newMockLineServer(t, signer) host, p, _ := net.SplitHostPort(address) port, _ := strconv.Atoi(p) connInfo := &connectionInfo{ User: "user", Password: "pass", Host: host, HostKey: testCAPublicKey, Port: port, Timeout: "30s", } cfg, err := prepareSSHConfig(connInfo) if err != nil { t.Fatal(err) } c := &Communicator{ connInfo: connInfo, config: cfg, } var cmd remote.Cmd stdout := new(bytes.Buffer) cmd.Command = "echo foo" cmd.Stdout = stdout if err := c.Start(&cmd); err != nil { t.Fatal(err) } if err := c.Disconnect(); err != nil { t.Fatal(err) } // now check with the wrong HostKey address = newMockLineServer(t, signer) _, p, _ = net.SplitHostPort(address) port, _ = strconv.Atoi(p) connInfo.HostKey = testClientPublicKey connInfo.Port = port cfg, err = prepareSSHConfig(connInfo) if err != nil { t.Fatal(err) } c = &Communicator{ connInfo: connInfo, config: cfg, } err = c.Start(&cmd) if err == nil || !strings.Contains(err.Error(), "authorities") { t.Fatalf("expected host key mismatch, got error:%v", err) } } func TestAccUploadFile(t *testing.T) { // use the local ssh server and scp binary to check uploads if ok := os.Getenv("SSH_UPLOAD_TEST"); ok == "" { t.Log("Skipping Upload Acceptance without SSH_UPLOAD_TEST set") t.Skip() } r := &terraform.InstanceState{ Ephemeral: terraform.EphemeralState{ ConnInfo: map[string]string{ "type": "ssh", "user": os.Getenv("USER"), "host": "127.0.0.1", "port": "22", "timeout": "30s", }, }, } c, err := New(r) if err != nil { t.Fatalf("error creating communicator: %s", err) } tmpDir, err := ioutil.TempDir("", "communicator") if err != nil { t.Fatal(err) } defer os.RemoveAll(tmpDir) content := []byte("this is the file content") source := bytes.NewReader(content) tmpFile := filepath.Join(tmpDir, "tempFile.out") err = c.Upload(tmpFile, source) if err != nil { t.Fatalf("error uploading file: %s", err) } data, err := ioutil.ReadFile(tmpFile) if err != nil { t.Fatal(err) } if !bytes.Equal(data, content) { t.Fatalf("bad: %s", data) } } func TestAccHugeUploadFile(t *testing.T) { // use the local ssh server and scp binary to check uploads if ok := os.Getenv("SSH_UPLOAD_TEST"); ok == "" { t.Log("Skipping Upload Acceptance without SSH_UPLOAD_TEST set") t.Skip() } r := &terraform.InstanceState{ Ephemeral: terraform.EphemeralState{ ConnInfo: map[string]string{ "type": "ssh", "user": os.Getenv("USER"), "host": "127.0.0.1", "port": "22", "timeout": "30s", }, }, } c, err := New(r) if err != nil { t.Fatalf("error creating communicator: %s", err) } // copy 4GB of data, random to prevent compression. size := int64(1 << 32) source := io.LimitReader(rand.New(rand.NewSource(0)), size) dest, err := ioutil.TempFile("", "communicator") if err != nil { t.Fatal(err) } destName := dest.Name() dest.Close() defer os.Remove(destName) t.Log("Uploading to", destName) // bypass the Upload method so we can directly supply the file size // preventing the extra copy of the huge file. targetDir := filepath.Dir(destName) targetFile := filepath.Base(destName) scpFunc := func(w io.Writer, stdoutR *bufio.Reader) error { return scpUploadFile(targetFile, source, w, stdoutR, size) } err = c.scpSession("scp -vt "+targetDir, scpFunc) if err != nil { t.Fatal(err) } // check the final file size fs, err := os.Stat(destName) if err != nil { t.Fatal(err) } if fs.Size() != size { t.Fatalf("expected file size of %d, got %d", size, fs.Size()) } } func TestScriptPath(t *testing.T) { cases := []struct { Input string Pattern string }{ { "/tmp/script.sh", `^/tmp/script\.sh$`, }, { "/tmp/script_%RAND%.sh", `^/tmp/script_(\d+)\.sh$`, }, } for _, tc := range cases { r := &terraform.InstanceState{ Ephemeral: terraform.EphemeralState{ ConnInfo: map[string]string{ "type": "ssh", "script_path": tc.Input, }, }, } comm, err := New(r) if err != nil { t.Fatalf("err: %s", err) } output := comm.ScriptPath() match, err := regexp.Match(tc.Pattern, []byte(output)) if err != nil { t.Fatalf("bad: %s\n\nerr: %s", tc.Input, err) } if !match { t.Fatalf("bad: %s\n\n%s", tc.Input, output) } } } func TestScriptPath_randSeed(t *testing.T) { // Pre GH-4186 fix, this value was the deterministic start the pseudorandom // chain of unseeded math/rand values for Int31(). staticSeedPath := "/tmp/terraform_1298498081.sh" c, err := New(&terraform.InstanceState{}) if err != nil { t.Fatalf("err: %s", err) } path := c.ScriptPath() if path == staticSeedPath { t.Fatalf("rand not seeded! got: %s", path) } } const testClientPrivateKey = `-----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEAxOgNXOJ/jrRDxBZTSk2X9otNy9zcpUmJr5ifDi5sy7j2ZiQS beBt1Wf+tLNWis8Cyq06ttEvjjRuM75yucyD6GrqDTXVCSm4PeOIQeDhPhw26wYZ O0h/mFgrAiCwaEl8AFXVBInOhVn/0nqgUpkwckh76bjTsNeifkiugK3cfJOuBdrU ZGbgugJjmYo4Cmv7ECo1gCFT5N+BAjOji3z3N5ClBH5HaWC77jH7kTH0k5cZ+ZRQ tG9EqLyvWlnzTAR/Yly0JInkOa16Ms1Au5sIJwEoJfHKsNVK06IlLob53nblwYW0 H5gv1Kb/rS+nUkpPtA5YFShB7iZnPLPPv6qXSwIDAQABAoIBAC0UY1rMkB9/rbQK 2G6+bPgI1HrDydAdkeQdsOxyPH43jlG8GGwHYZ3l/S4pkLqewijcmACay6Rm5IP8 Kg/XfquLLqJvnKJIZuHkYaGTdn3dv8T21Hf6FRwvs0j9auW1TSpWfDpZwmpNPIBX irTeVXUUmynbIrvt4km/IhRbuYrbbb964CLYD1DCl3XssXxoRNvPpc5EtOuyDorA 5g1hvZR1FqbOAmOuNQMYJociMuWB8mCaHb+o1Sg4A65OLXxoKs0cuwInJ/n/R4Z3 +GrV+x5ypBMxXgjjQtKMLEOujkvxs1cp34hkbhKMHHXxbMu5jl74YtGGsLLk90rq ieZGIgECgYEA49OM9mMCrDoFUTZdJaSARA/MOXkdQgrqVTv9kUHee7oeMZZ6lS0i bPU7g+Bq+UAN0qcw9x992eAElKjBA71Q5UbZYWh29BDMZd8bRJmwz4P6aSMoYLWI Sr31caJU9LdmPFatarNeehjSJtlTuoZD9+NElnnUwNaTeOOo5UdhTQsCgYEA3UGm QWoDUttFwK9oL2KL8M54Bx6EzNhnyk03WrqBbR7PJcPKnsF0R/0soQ+y0FW0r8RJ TqG6ze5fUJII72B4GlMTQdP+BIvaKQttwWQTNIjbbv4NksF445gdVOO1xi9SvQ7k uvMVxOb+1jL3HAFa3furWu2tJRDs6dhuaILLxsECgYEAhnhlKUBDYZhVbxvhWsh/ lKymY/3ikQqUSX7BKa1xPiIalDY3YDllql4MpMgfG8L85asdMZ96ztB0o7H/Ss/B IbLxt5bLLz+DBVXsaE82lyVU9h10RbCgI01/w3SHJHHjfBXFAcehKfvgfmGkE+IP 2A5ie1aphrCgFqh5FetNuQUCgYEAibL42I804FUtFR1VduAa/dRRqQSaW6528dWa lLGsKRBalUNEEAeP6dmr89UEUVp1qEo94V0QGGe5FDi+rNPaC3AWdQqNdaDgNlkx hoFU3oYqIuqj4ejc5rBd2N4a2+vJz3W8bokozDGC+iYf2mMRfUPKwj1XW9Er0OFs 3UhBsEECgYEAto/iJB7ZlCM7EyV9JW0tsEt83rbKMQ/Ex0ShbBIejej0Xx7bwx60 tVgay+bzJnNkXu6J4XVI98A/WsdI2kW4hL0STYdHV5HVA1l87V4ZbvTF2Bx8a8RJ OF3UjpMTWKqOprw9nAu5VuwNRVzORF8ER8rgGeaR2/gsSvIYFy9VXq8= -----END RSA PRIVATE KEY-----` var testClientPublicKey = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDE6A1c4n+OtEPEFlNKTZf2i03L3NylSYmvmJ8OLmzLuPZmJBJt4G3VZ/60s1aKzwLKrTq20S+ONG4zvnK5zIPoauoNNdUJKbg944hB4OE+HDbrBhk7SH+YWCsCILBoSXwAVdUEic6FWf/SeqBSmTBySHvpuNOw16J+SK6Ardx8k64F2tRkZuC6AmOZijgKa/sQKjWAIVPk34ECM6OLfPc3kKUEfkdpYLvuMfuRMfSTlxn5lFC0b0SovK9aWfNMBH9iXLQkieQ5rXoyzUC7mwgnASgl8cqw1UrToiUuhvneduXBhbQfmC/Upv+tL6dSSk+0DlgVKEHuJmc8s8+/qpdL` func acceptUserPass(goodUser, goodPass string) func(ssh.ConnMetadata, []byte) (*ssh.Permissions, error) { return func(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) { if c.User() == goodUser && string(pass) == goodPass { return nil, nil } return nil, fmt.Errorf("password rejected for %q", c.User()) } } func acceptPublicKey(keystr string) func(ssh.ConnMetadata, ssh.PublicKey) (*ssh.Permissions, error) { goodkey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(keystr)) if err != nil { panic(fmt.Errorf("error parsing key: %s", err)) } return func(_ ssh.ConnMetadata, inkey ssh.PublicKey) (*ssh.Permissions, error) { if bytes.Equal(inkey.Marshal(), goodkey.Marshal()) { return nil, nil } return nil, fmt.Errorf("public key rejected") } }