From f97d1cdc1b83459dd06ff62fa6114ef0b7fb44e8 Mon Sep 17 00:00:00 2001
From: Clinton Wolfe
Date: Wed, 20 Mar 2019 11:42:49 -0400
Subject: [PATCH 1/3] Choose value for verify-host-key dynamically
Signed-off-by: Clinton Wolfe
---
 lib/train/transports/ssh.rb | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/lib/train/transports/ssh.rb b/lib/train/transports/ssh.rb
index fc4202c1..e866f792 100644
--- a/lib/train/transports/ssh.rb
+++ b/lib/train/transports/ssh.rb
@@ -167,9 +167,9 @@ def connection_options(opts)
 non_interactive: opts[:non_interactive],
 transport_options: opts,
 }
- # disable host key verification. The hash key to use
+ # disable host key verification. The hash key and value to use
 # depends on the version of net-ssh in use.
- connection_options[verify_host_key_option] = opts[:verify_host_key] || false
+ connection_options[verify_host_key_option] = verify_host_key_value(opts[:verify_host_key])
 connection_options
 end
@@ -193,6 +193,34 @@ def verify_host_key_option
 current_net_ssh >= new_option_version ? :verify_host_key : :paranoid
 end
+ # Likewise, version <5 accepted false; 5+ requires :never or will
+ # issue a deprecation warning. This method allows a lot of common
+ # things through.
+ def verify_host_key_value(given)
+ current_net_ssh = Net::SSH::Version::CURRENT
+ new_value_version = Net::SSH::Version[5, 0, 0]
+
+ if current_net_ssh >= new_value_version
+ # 5.0+ style
+ {
+ # It's not a boolean anymore.
+ 'true' => :always,
+ 'false' => :never,
+ true => :always,
+ false => :never,
+ # May be correct value, but strings from JSON config
+ 'always' => :always,
+ 'never' => :never,
+ }.fetch(given, given)
+ else
+ # up to 4.2 style
+ {
+ 'true' => true,
+ 'false' => false,
+ }.fetch(given, given)
+ end
+ end
+
 # Creates a new SSH Connection instance and save it for potential future
 # reuse.
 #
From 6049ef4cd8f0311edb13304637682c92d8109f50 Mon Sep 17 00:00:00 2001
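Review bot: The retained comment `# disable host key verification` above the rewritten assignment in connection_options no longer describes the line, which now passes the caller's choice through verify_host_key_value and so can also turn verification on. Reword it to something like `# Set host key verification from opts[:verify_host_key]; the hash key and value to use depend on the net-ssh version.` An accurate comment matters here because this line decides whether a changed host key is noticed at connect time. connection_options starts above the hunk.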
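Review bot: Both lookup tables in verify_host_key_value end in `.fetch(given, given)`, so any value that is not a key, such as a differently cased or misspelled string, is handed to net-ssh unchanged and the outcome depends on how the installed net-ssh treats it. The 5.0+ table also has no string form for the intermediate modes, so a JSON config cannot select them; adding `'accept_new' => :accept_new,` and `'accept_new_or_local_tunnel' => :accept_new_or_local_tunnel,` would cover that. The method comment says it "allows a lot of common things through"; it should list the accepted inputs and state that everything else is passed on unvalidated.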
From: Clinton Wolfe
Date: Tue, 26 Mar 2019 15:13:28 -0400
Subject: [PATCH 2/3] Include nil in possible map for verify host key options to satisfy test
Signed-off-by: Clinton Wolfe
---
 lib/train/transports/ssh.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/train/transports/ssh.rb b/lib/train/transports/ssh.rb
index e866f792..cb425a12 100644
--- a/lib/train/transports/ssh.rb
+++ b/lib/train/transports/ssh.rb
@@ -199,7 +199,6 @@ def verify_host_key_option
 def verify_host_key_value(given)
 current_net_ssh = Net::SSH::Version::CURRENT
 new_value_version = Net::SSH::Version[5, 0, 0]
-
 if current_net_ssh >= new_value_version
 # 5.0+ style
 {
@@ -217,6 +216,7 @@ def verify_host_key_value(given)
 {
 'true' => true,
 'false' => false,
+ nil => false,
 }.fetch(given, given)
 end
 end
From fb5d895b1db1e86fd176f6ae73cb8d1d8d4b0362 Mon Sep 17 00:00:00 2001
From: Clinton Wolfe
Date: Wed, 10 Apr 2019 11:03:31 -0400
Subject: [PATCH 3/3] Add testing for verify_host_key setting
Signed-off-by: Clinton Wolfe
---
 lib/train/transports/ssh.rb | 1 +
 test/unit/helper.rb | 1 +
 test/unit/transports/ssh_test.rb | 38 +++++++++++++++++++++++++++++++-
 3 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/lib/train/transports/ssh.rb b/lib/train/transports/ssh.rb
index cb425a12..4d18af9a 100644
--- a/lib/train/transports/ssh.rb
+++ b/lib/train/transports/ssh.rb
@@ -210,6 +210,7 @@ def verify_host_key_value(given)
 # May be correct value, but strings from JSON config
 'always' => :always,
 'never' => :never,
+ nil => :never,
 }.fetch(given, given)
 else
 # up to 4.2 style
diff --git a/test/unit/helper.rb b/test/unit/helper.rb
index b643eaa5..65f4448f 100644
--- a/test/unit/helper.rb
+++ b/test/unit/helper.rb
@@ -2,6 +2,7 @@
 require 'minitest/autorun'
 require 'minitest/spec'
+require 'mocha/minitest'
 require 'mocha/setup'
 require 'byebug'
diff --git a/test/unit/transports/ssh_test.rb b/test/unit/transports/ssh_test.rb
index f8cf4649..ee1c5141 100644
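Review bot: `nil => false` in the pre-5.0 table makes an unset verify_host_key mean "do not verify", and nothing at this line says so; the same applies to `nil => :never`, which patch 3 adds to the 5.0+ table. With verification off, a connection to a host whose key has changed proceeds without any signal, so the default deserves an explicit comment such as `# unset means host key verification is off; callers must opt in explicitly`. Both additions sit inside verify_host_key_value, whose body starts above the hunks.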
--- a/test/unit/transports/ssh_test.rb
+++ b/test/unit/transports/ssh_test.rb
@@ -1,6 +1,6 @@
 # encoding: utf-8
-require 'helper'
+require_relative '../helper'
 require 'train/transports/ssh'
 describe 'ssh transport' do
@@ -62,6 +62,42 @@
 connection_options[:verify_host_key].must_equal true
 end
 end
+
+ describe "various values are mapped appropriately for verify_host_key" do
+ # This would be better:
+ # Net::SSH::Version.stub_const(:CURRENT, Net::SSH::Version[5,0,1])
+ current_version = Net::SSH::Version::CURRENT
+ threshold_version = Net::SSH::Version[5, 0, 0]
+ if current_version < threshold_version
+ it "maps correctly when net-ssh < 5.0" do
+ {
+ 'true' => true,
+ 'false' => false,
+ nil => false,
+ }.each do |given, expected|
+ opts = { :verify_host_key => given }
+ seen_opts = ssh.send(:connection_options, opts)
+ seen_opts[:verify_host_key].must_equal expected
+ end
+ end
+ else
+ it "maps correctly when net-ssh > 5.0" do
+ {
+ 'true' => :always,
+ 'false' => :never,
+ true => :always,
+ false => :never,
+ 'always' => :always,
+ 'never' => :never,
+ nil => :never,
+ }.each do |given, expected|
+ opts = { :verify_host_key => given }
+ seen_opts = ssh.send(:connection_options, opts)
+ seen_opts[:verify_host_key].must_equal expected
+ end
+ end
+ end
+ end
 end
 describe 'ssh options' do
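Review bot: The table in the net-ssh 5.0+ case lists only inputs that the mapping rewrites, so the pass-through arm of `.fetch(given, given)` is never exercised; neither a symbol such as `:always` nor an unrecognised string is covered. Adding `:always => :always,` and `:never => :never,` to that table would pin the behaviour for callers that already pass the net-ssh 5 symbols. The pre-5.0 case likewise omits the boolean inputs `true` and `false`. The description "maps correctly when net-ssh > 5.0" should read `>= 5.0`, because that arm is the `else` of `current_version < threshold_version` and therefore runs for 5.0.0 itself.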