github.com/gavinw2006/hashicorp-terraform@v0.11.12-beta1/communicator/ssh/provisioner.go (about)

     1  package ssh
     2  
     3  import (
     4  	"bytes"
     5  	"encoding/pem"
     6  	"fmt"
     7  	"io/ioutil"
     8  	"log"
     9  	"net"
    10  	"os"
    11  	"path/filepath"
    12  	"strings"
    13  	"time"
    14  
    15  	"github.com/hashicorp/terraform/communicator/shared"
    16  	"github.com/hashicorp/terraform/terraform"
    17  	"github.com/mitchellh/mapstructure"
    18  	"github.com/xanzy/ssh-agent"
    19  	"golang.org/x/crypto/ssh"
    20  	"golang.org/x/crypto/ssh/agent"
    21  	"golang.org/x/crypto/ssh/knownhosts"
    22  )
    23  
    24  const (
    25  	// DefaultUser is used if there is no user given
    26  	DefaultUser = "root"
    27  
    28  	// DefaultPort is used if there is no port given
    29  	DefaultPort = 22
    30  
    31  	// DefaultScriptPath is used as the path to copy the file to
    32  	// for remote execution if not provided otherwise.
    33  	DefaultScriptPath = "/tmp/terraform_%RAND%.sh"
    34  
    35  	// DefaultTimeout is used if there is no timeout given
    36  	DefaultTimeout = 5 * time.Minute
    37  )
    38  
    39  // connectionInfo is decoded from the ConnInfo of the resource. These are the
    40  // only keys we look at. If a PrivateKey is given, that is used instead
    41  // of a password.
    42  type connectionInfo struct {
    43  	User       string
    44  	Password   string
    45  	PrivateKey string `mapstructure:"private_key"`
    46  	Host       string
    47  	HostKey    string `mapstructure:"host_key"`
    48  	Port       int
    49  	Agent      bool
    50  	Timeout    string
    51  	ScriptPath string        `mapstructure:"script_path"`
    52  	TimeoutVal time.Duration `mapstructure:"-"`
    53  
    54  	BastionUser       string `mapstructure:"bastion_user"`
    55  	BastionPassword   string `mapstructure:"bastion_password"`
    56  	BastionPrivateKey string `mapstructure:"bastion_private_key"`
    57  	BastionHost       string `mapstructure:"bastion_host"`
    58  	BastionHostKey    string `mapstructure:"bastion_host_key"`
    59  	BastionPort       int    `mapstructure:"bastion_port"`
    60  
    61  	AgentIdentity string `mapstructure:"agent_identity"`
    62  }
    63  
    64  // parseConnectionInfo is used to convert the ConnInfo of the InstanceState into
    65  // a ConnectionInfo struct
    66  func parseConnectionInfo(s *terraform.InstanceState) (*connectionInfo, error) {
    67  	connInfo := &connectionInfo{}
    68  	decConf := &mapstructure.DecoderConfig{
    69  		WeaklyTypedInput: true,
    70  		Result:           connInfo,
    71  	}
    72  	dec, err := mapstructure.NewDecoder(decConf)
    73  	if err != nil {
    74  		return nil, err
    75  	}
    76  	if err := dec.Decode(s.Ephemeral.ConnInfo); err != nil {
    77  		return nil, err
    78  	}
    79  
    80  	// To default Agent to true, we need to check the raw string, since the
    81  	// decoded boolean can't represent "absence of config".
    82  	//
    83  	// And if SSH_AUTH_SOCK is not set, there's no agent to connect to, so we
    84  	// shouldn't try.
    85  	if s.Ephemeral.ConnInfo["agent"] == "" && os.Getenv("SSH_AUTH_SOCK") != "" {
    86  		connInfo.Agent = true
    87  	}
    88  
    89  	if connInfo.User == "" {
    90  		connInfo.User = DefaultUser
    91  	}
    92  
    93  	// Format the host if needed.
    94  	// Needed for IPv6 support.
    95  	connInfo.Host = shared.IpFormat(connInfo.Host)
    96  
    97  	if connInfo.Port == 0 {
    98  		connInfo.Port = DefaultPort
    99  	}
   100  	if connInfo.ScriptPath == "" {
   101  		connInfo.ScriptPath = DefaultScriptPath
   102  	}
   103  	if connInfo.Timeout != "" {
   104  		connInfo.TimeoutVal = safeDuration(connInfo.Timeout, DefaultTimeout)
   105  	} else {
   106  		connInfo.TimeoutVal = DefaultTimeout
   107  	}
   108  
   109  	// Default all bastion config attrs to their non-bastion counterparts
   110  	if connInfo.BastionHost != "" {
   111  		// Format the bastion host if needed.
   112  		// Needed for IPv6 support.
   113  		connInfo.BastionHost = shared.IpFormat(connInfo.BastionHost)
   114  
   115  		if connInfo.BastionUser == "" {
   116  			connInfo.BastionUser = connInfo.User
   117  		}
   118  		if connInfo.BastionPassword == "" {
   119  			connInfo.BastionPassword = connInfo.Password
   120  		}
   121  		if connInfo.BastionPrivateKey == "" {
   122  			connInfo.BastionPrivateKey = connInfo.PrivateKey
   123  		}
   124  		if connInfo.BastionPort == 0 {
   125  			connInfo.BastionPort = connInfo.Port
   126  		}
   127  	}
   128  
   129  	return connInfo, nil
   130  }
   131  
   132  // safeDuration returns either the parsed duration or a default value
   133  func safeDuration(dur string, defaultDur time.Duration) time.Duration {
   134  	d, err := time.ParseDuration(dur)
   135  	if err != nil {
   136  		log.Printf("Invalid duration '%s', using default of %s", dur, defaultDur)
   137  		return defaultDur
   138  	}
   139  	return d
   140  }
   141  
   142  // prepareSSHConfig is used to turn the *ConnectionInfo provided into a
   143  // usable *SSHConfig for client initialization.
   144  func prepareSSHConfig(connInfo *connectionInfo) (*sshConfig, error) {
   145  	sshAgent, err := connectToAgent(connInfo)
   146  	if err != nil {
   147  		return nil, err
   148  	}
   149  
   150  	host := fmt.Sprintf("%s:%d", connInfo.Host, connInfo.Port)
   151  
   152  	sshConf, err := buildSSHClientConfig(sshClientConfigOpts{
   153  		user:       connInfo.User,
   154  		host:       host,
   155  		privateKey: connInfo.PrivateKey,
   156  		password:   connInfo.Password,
   157  		hostKey:    connInfo.HostKey,
   158  		sshAgent:   sshAgent,
   159  	})
   160  	if err != nil {
   161  		return nil, err
   162  	}
   163  
   164  	connectFunc := ConnectFunc("tcp", host)
   165  
   166  	var bastionConf *ssh.ClientConfig
   167  	if connInfo.BastionHost != "" {
   168  		bastionHost := fmt.Sprintf("%s:%d", connInfo.BastionHost, connInfo.BastionPort)
   169  
   170  		bastionConf, err = buildSSHClientConfig(sshClientConfigOpts{
   171  			user:       connInfo.BastionUser,
   172  			host:       bastionHost,
   173  			privateKey: connInfo.BastionPrivateKey,
   174  			password:   connInfo.BastionPassword,
   175  			hostKey:    connInfo.HostKey,
   176  			sshAgent:   sshAgent,
   177  		})
   178  		if err != nil {
   179  			return nil, err
   180  		}
   181  
   182  		connectFunc = BastionConnectFunc("tcp", bastionHost, bastionConf, "tcp", host)
   183  	}
   184  
   185  	config := &sshConfig{
   186  		config:     sshConf,
   187  		connection: connectFunc,
   188  		sshAgent:   sshAgent,
   189  	}
   190  	return config, nil
   191  }
   192  
   193  type sshClientConfigOpts struct {
   194  	privateKey string
   195  	password   string
   196  	sshAgent   *sshAgent
   197  	user       string
   198  	host       string
   199  	hostKey    string
   200  }
   201  
   202  func buildSSHClientConfig(opts sshClientConfigOpts) (*ssh.ClientConfig, error) {
   203  	hkCallback := ssh.InsecureIgnoreHostKey()
   204  
   205  	if opts.hostKey != "" {
   206  		// The knownhosts package only takes paths to files, but terraform
   207  		// generally wants to handle config data in-memory. Rather than making
   208  		// the known_hosts file an exception, write out the data to a temporary
   209  		// file to create the HostKeyCallback.
   210  		tf, err := ioutil.TempFile("", "tf-known_hosts")
   211  		if err != nil {
   212  			return nil, fmt.Errorf("failed to create temp known_hosts file: %s", err)
   213  		}
   214  		defer tf.Close()
   215  		defer os.RemoveAll(tf.Name())
   216  
   217  		// we mark this as a CA as well, but the host key fallback will still
   218  		// use it as a direct match if the remote host doesn't return a
   219  		// certificate.
   220  		if _, err := tf.WriteString(fmt.Sprintf("@cert-authority %s %s\n", opts.host, opts.hostKey)); err != nil {
   221  			return nil, fmt.Errorf("failed to write temp known_hosts file: %s", err)
   222  		}
   223  		tf.Sync()
   224  
   225  		hkCallback, err = knownhosts.New(tf.Name())
   226  		if err != nil {
   227  			return nil, err
   228  		}
   229  	}
   230  
   231  	conf := &ssh.ClientConfig{
   232  		HostKeyCallback: hkCallback,
   233  		User:            opts.user,
   234  	}
   235  
   236  	if opts.privateKey != "" {
   237  		pubKeyAuth, err := readPrivateKey(opts.privateKey)
   238  		if err != nil {
   239  			return nil, err
   240  		}
   241  		conf.Auth = append(conf.Auth, pubKeyAuth)
   242  	}
   243  
   244  	if opts.password != "" {
   245  		conf.Auth = append(conf.Auth, ssh.Password(opts.password))
   246  		conf.Auth = append(conf.Auth, ssh.KeyboardInteractive(
   247  			PasswordKeyboardInteractive(opts.password)))
   248  	}
   249  
   250  	if opts.sshAgent != nil {
   251  		conf.Auth = append(conf.Auth, opts.sshAgent.Auth())
   252  	}
   253  
   254  	return conf, nil
   255  }
   256  
   257  func readPrivateKey(pk string) (ssh.AuthMethod, error) {
   258  	// We parse the private key on our own first so that we can
   259  	// show a nicer error if the private key has a password.
   260  	block, _ := pem.Decode([]byte(pk))
   261  	if block == nil {
   262  		return nil, fmt.Errorf("Failed to read key %q: no key found", pk)
   263  	}
   264  	if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
   265  		return nil, fmt.Errorf(
   266  			"Failed to read key %q: password protected keys are\n"+
   267  				"not supported. Please decrypt the key prior to use.", pk)
   268  	}
   269  
   270  	signer, err := ssh.ParsePrivateKey([]byte(pk))
   271  	if err != nil {
   272  		return nil, fmt.Errorf("Failed to parse key file %q: %s", pk, err)
   273  	}
   274  
   275  	return ssh.PublicKeys(signer), nil
   276  }
   277  
   278  func connectToAgent(connInfo *connectionInfo) (*sshAgent, error) {
   279  	if connInfo.Agent != true {
   280  		// No agent configured
   281  		return nil, nil
   282  	}
   283  
   284  	agent, conn, err := sshagent.New()
   285  	if err != nil {
   286  		return nil, err
   287  	}
   288  
   289  	// connection close is handled over in Communicator
   290  	return &sshAgent{
   291  		agent: agent,
   292  		conn:  conn,
   293  		id:    connInfo.AgentIdentity,
   294  	}, nil
   295  
   296  }
   297  
   298  // A tiny wrapper around an agent.Agent to expose the ability to close its
   299  // associated connection on request.
   300  type sshAgent struct {
   301  	agent agent.Agent
   302  	conn  net.Conn
   303  	id    string
   304  }
   305  
   306  func (a *sshAgent) Close() error {
   307  	if a.conn == nil {
   308  		return nil
   309  	}
   310  
   311  	return a.conn.Close()
   312  }
   313  
   314  // make an attempt to either read the identity file or find a corresponding
   315  // public key file using the typical openssh naming convention.
   316  // This returns the public key in wire format, or nil when a key is not found.
   317  func findIDPublicKey(id string) []byte {
   318  	for _, d := range idKeyData(id) {
   319  		signer, err := ssh.ParsePrivateKey(d)
   320  		if err == nil {
   321  			log.Println("[DEBUG] parsed id private key")
   322  			pk := signer.PublicKey()
   323  			return pk.Marshal()
   324  		}
   325  
   326  		// try it as a publicKey
   327  		pk, err := ssh.ParsePublicKey(d)
   328  		if err == nil {
   329  			log.Println("[DEBUG] parsed id public key")
   330  			return pk.Marshal()
   331  		}
   332  
   333  		// finally try it as an authorized key
   334  		pk, _, _, _, err = ssh.ParseAuthorizedKey(d)
   335  		if err == nil {
   336  			log.Println("[DEBUG] parsed id authorized key")
   337  			return pk.Marshal()
   338  		}
   339  	}
   340  
   341  	return nil
   342  }
   343  
   344  // Try to read an id file using the id as the file path. Also read the .pub
   345  // file if it exists, as the id file may be encrypted. Return only the file
   346  // data read. We don't need to know what data came from which path, as we will
   347  // try parsing each as a private key, a public key and an authorized key
   348  // regardless.
   349  func idKeyData(id string) [][]byte {
   350  	idPath, err := filepath.Abs(id)
   351  	if err != nil {
   352  		return nil
   353  	}
   354  
   355  	var fileData [][]byte
   356  
   357  	paths := []string{idPath}
   358  
   359  	if !strings.HasSuffix(idPath, ".pub") {
   360  		paths = append(paths, idPath+".pub")
   361  	}
   362  
   363  	for _, p := range paths {
   364  		d, err := ioutil.ReadFile(p)
   365  		if err != nil {
   366  			log.Printf("[DEBUG] error reading %q: %s", p, err)
   367  			continue
   368  		}
   369  		log.Printf("[DEBUG] found identity data at %q", p)
   370  		fileData = append(fileData, d)
   371  	}
   372  
   373  	return fileData
   374  }
   375  
   376  // sortSigners moves a signer with an agent comment field matching the
   377  // agent_identity to the head of the list when attempting authentication. This
   378  // helps when there are more keys loaded in an agent than the host will allow
   379  // attempts.
   380  func (s *sshAgent) sortSigners(signers []ssh.Signer) {
   381  	if s.id == "" || len(signers) < 2 {
   382  		return
   383  	}
   384  
   385  	// if we can locate the public key, either by extracting it from the id or
   386  	// locating the .pub file, then we can more easily determine an exact match
   387  	idPk := findIDPublicKey(s.id)
   388  
   389  	// if we have a signer with a connect field that matches the id, send that
   390  	// first, otherwise put close matches at the front of the list.
   391  	head := 0
   392  	for i := range signers {
   393  		pk := signers[i].PublicKey()
   394  		k, ok := pk.(*agent.Key)
   395  		if !ok {
   396  			continue
   397  		}
   398  
   399  		// check for an exact match first
   400  		if bytes.Equal(pk.Marshal(), idPk) || s.id == k.Comment {
   401  			signers[0], signers[i] = signers[i], signers[0]
   402  			break
   403  		}
   404  
   405  		// no exact match yet, move it to the front if it's close. The agent
   406  		// may have loaded as a full filepath, while the config refers to it by
   407  		// filename only.
   408  		if strings.HasSuffix(k.Comment, s.id) {
   409  			signers[head], signers[i] = signers[i], signers[head]
   410  			head++
   411  			continue
   412  		}
   413  	}
   414  
   415  	ss := []string{}
   416  	for _, signer := range signers {
   417  		pk := signer.PublicKey()
   418  		k := pk.(*agent.Key)
   419  		ss = append(ss, k.Comment)
   420  	}
   421  }
   422  
   423  func (s *sshAgent) Signers() ([]ssh.Signer, error) {
   424  	signers, err := s.agent.Signers()
   425  	if err != nil {
   426  		return nil, err
   427  	}
   428  
   429  	s.sortSigners(signers)
   430  	return signers, nil
   431  }
   432  
   433  func (a *sshAgent) Auth() ssh.AuthMethod {
   434  	return ssh.PublicKeysCallback(a.Signers)
   435  }
   436  
   437  func (a *sshAgent) ForwardToAgent(client *ssh.Client) error {
   438  	return agent.ForwardToAgent(client, a.agent)
   439  }