authorThom May <thom@may.lt>2017-03-06 19:35:44 +0000
committerGitHub <noreply@github.com>2017-03-06 19:35:44 +0000
commit8f146dce498b380bb8e70a22688055adf5f6daae (patch)
tree3ac26c492cc998e8be3f6f57881d2bab4a69b7b8
parentb4632f4263ee4ddec7f92cdb9e1ee6dee68fc758 (diff)
parent8d8d533642def762cf5fe57ade8460a880e50c40 (diff)
Merge pull request #5830 from shortdudey123/CHEF-4538_ssh-gateway-identity-auth
CHEF-4538 - add an option for gateway_identity_file that will allow key-based authentication on the gateway.
-rw-r--r--chef-config/lib/chef-config/config.rb1
-rw-r--r--lib/chef/knife/bootstrap.rb6
-rw-r--r--lib/chef/knife/ssh.rb14
-rw-r--r--spec/functional/knife/ssh_spec.rb28
-rw-r--r--spec/unit/knife/bootstrap_spec.rb5
5 files changed, 53 insertions, 1 deletions
diff --git a/chef-config/lib/chef-config/config.rb b/chef-config/lib/chef-config/config.rb
index fb41cfae99..3a55c8233d 100644
--- a/chef-config/lib/chef-config/config.rb
+++ b/chef-config/lib/chef-config/config.rb
@@ -714,6 +714,7 @@ module ChefConfig
default :ssh_user, nil
default :ssh_attribute, nil
default :ssh_gateway, nil
+ default :ssh_gateway_identity, nil
default :bootstrap_version, nil
default :bootstrap_proxy, nil
default :bootstrap_template, nil
diff --git a/lib/chef/knife/bootstrap.rb b/lib/chef/knife/bootstrap.rb
index ee4d9ce7af..f9dca7896a 100644
--- a/lib/chef/knife/bootstrap.rb
+++ b/lib/chef/knife/bootstrap.rb
@@ -67,6 +67,11 @@ class Chef
:description => "The ssh gateway",
:proc => Proc.new { |key| Chef::Config[:knife][:ssh_gateway] = key }
+ option :ssh_gateway_identity,
+ :long => "--ssh-gateway-identity SSH_GATEWAY_IDENTITY",
+ :description => "The SSH identity file used for gateway authentication",
+ :proc => Proc.new { |key| Chef::Config[:knife][:ssh_gateway_identity] = key }
+
option :forward_agent,
:short => "-A",
:long => "--forward-agent",
@@ -438,6 +443,7 @@ class Chef
ssh.config[:ssh_password] = config[:ssh_password]
ssh.config[:ssh_port] = config[:ssh_port]
ssh.config[:ssh_gateway] = config[:ssh_gateway]
+ ssh.config[:ssh_gateway_identity] = config[:ssh_gateway_identity]
ssh.config[:forward_agent] = config[:forward_agent]
ssh.config[:ssh_identity_file] = config[:ssh_identity_file] || config[:identity_file]
ssh.config[:manual] = true
diff --git a/lib/chef/knife/ssh.rb b/lib/chef/knife/ssh.rb
index e206f72630..d79565991f 100644
--- a/lib/chef/knife/ssh.rb
+++ b/lib/chef/knife/ssh.rb
@@ -92,6 +92,10 @@ class Chef
:description => "The ssh gateway",
:proc => Proc.new { |key| Chef::Config[:knife][:ssh_gateway] = key.strip }
+ option :ssh_gateway_identity,
+ :long => "--ssh-gateway-identity SSH_GATEWAY_IDENTITY",
+ :description => "The SSH identity file used for gateway authentication"
+
option :forward_agent,
:short => "-A",
:long => "--forward-agent",
@@ -250,7 +254,10 @@ class Chef
{}.tap do |opts|
# Chef::Config[:knife][:ssh_user] is parsed in #configure_user and written to config[:ssh_user]
opts[:user] = user || config[:ssh_user] || ssh_config[:user]
- if config[:ssh_identity_file]
+ if config[:ssh_gateway_identity]
+ opts[:keys] = File.expand_path(config[:ssh_gateway_identity])
+ opts[:keys_only] = true
+ elsif config[:ssh_identity_file]
opts[:keys] = File.expand_path(config[:ssh_identity_file])
opts[:keys_only] = true
elsif config[:ssh_password]
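Review bot: The new `ssh_gateway_identity` branch expands the path but never checks that the file exists or is readable, so a typo in `--ssh-gateway-identity` surfaces only later as an authentication failure against the gateway rather than as a clear error naming the file. A cheap early check directly after the expansion, `raise ArgumentError, "ssh gateway identity file not readable: #{opts[:keys]}" unless File.readable?(opts[:keys])`, would make the failure mode obvious (the Knife `ui.fatal` path may be preferable if the surrounding class already uses it — not visible here). Note also that, as in the existing `ssh_identity_file` branch it mirrors, `:keys_only => true` means the gateway session consults only this file and not any agent keys, which is worth a one-line comment since it differs from the non-identity path. The enclosing method and the `{}.tap` block both start and end outside this hunk.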
@@ -546,6 +553,10 @@ class Chef
config[:ssh_identity_file] = get_stripped_unfrozen_value(config[:ssh_identity_file] || config[:identity_file] || Chef::Config[:knife][:ssh_identity_file])
end
+ def configure_ssh_gateway_identity
+ config[:ssh_gateway_identity] = get_stripped_unfrozen_value(config[:ssh_gateway_identity] || Chef::Config[:knife][:ssh_gateway_identity])
+ end
+
def run
@longest = 0
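Review bot: `configure_ssh_gateway_identity` carries no comment stating the precedence it implements, unlike `configure_ssh_identity_file` just above it whose fallback chain is at least readable from the longer expression. A short header such as `# The --ssh-gateway-identity option takes precedence over knife[:ssh_gateway_identity]; either may be nil, in which case the gateway falls back to the regular identity-file/password handling in the gateway options.` would tell a reader why this is a separate setting from `ssh_identity_file` and that it intentionally has no `identity_file` fallback. Whether `get_stripped_unfrozen_value` tolerates `nil` is not visible in this hunk; the comment should only assert that once confirmed.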
@@ -553,6 +564,7 @@ class Chef
configure_password
@password = config[:ssh_password] if config[:ssh_password]
configure_ssh_identity_file
+ configure_ssh_gateway_identity
configure_gateway
configure_session
diff --git a/spec/functional/knife/ssh_spec.rb b/spec/functional/knife/ssh_spec.rb
index aea7585bb2..cfe28b862f 100644
--- a/spec/functional/knife/ssh_spec.rb
+++ b/spec/functional/knife/ssh_spec.rb
@@ -246,6 +246,34 @@ describe Chef::Knife::Ssh do
end
end
+ context "when knife[:ssh_gateway_identity] is set" do
+ before do
+ setup_knife(["*:*", "uptime"])
+ Chef::Config[:knife][:ssh_gateway] = "user@ec2.public_hostname"
+ Chef::Config[:knife][:ssh_gateway_identity] = "~/.ssh/aws-gateway.rsa"
+ end
+
+ it "uses the ssh_gateway_identity file" do
+ expect(@knife.session).to receive(:via).with("ec2.public_hostname", "user", { :keys => "#{ENV['HOME']}/.ssh/aws-gateway.rsa", :keys_only => true })
+ @knife.run
+ expect(@knife.config[:ssh_gateway_identity]).to eq("~/.ssh/aws-gateway.rsa")
+ end
+ end
+
+ context "when -ssh-gateway-identity is provided and knife[:ssh_gateway] is set" do
+ before do
+ setup_knife(["--ssh-gateway-identity", "~/.ssh/aws-gateway.rsa", "*:*", "uptime"])
+ Chef::Config[:knife][:ssh_gateway] = "user@ec2.public_hostname"
+ Chef::Config[:knife][:ssh_gateway_identity] = nil
+ end
+
+ it "uses the ssh_gateway_identity file" do
+ expect(@knife.session).to receive(:via).with("ec2.public_hostname", "user", { :keys => "#{ENV['HOME']}/.ssh/aws-gateway.rsa", :keys_only => true })
+ @knife.run
+ expect(@knife.config[:ssh_gateway_identity]).to eq("~/.ssh/aws-gateway.rsa")
+ end
+ end
+
context "when the gateway requires a password" do
before do
setup_knife(["-G user@ec2.public_hostname", "*:*", "uptime"])
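Review bot: The second new context's description, `"when -ssh-gateway-identity is provided and knife[:ssh_gateway] is set"`, uses a single dash while the flag actually passed on the line below is `--ssh-gateway-identity`; the description should read `"when --ssh-gateway-identity is provided and knife[:ssh_gateway] is set"` so the spec output matches the option name. The first context sets `Chef::Config[:knife][:ssh_gateway_identity]` but only the second resets it to `nil`; if the surrounding suite does not reset `Chef::Config` between examples (not visible here), the first context's value could leak into neighbouring examples, so a matching reset or an `after` block would make the two contexts symmetrical.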
diff --git a/spec/unit/knife/bootstrap_spec.rb b/spec/unit/knife/bootstrap_spec.rb
index 9f944b82d9..c2f68277c5 100644
--- a/spec/unit/knife/bootstrap_spec.rb
+++ b/spec/unit/knife/bootstrap_spec.rb
@@ -649,6 +649,7 @@ describe Chef::Knife::Bootstrap do
Chef::Config[:knife][:forward_agent] = true
Chef::Config[:knife][:ssh_identity_file] = "~/.ssh/you.rsa"
Chef::Config[:knife][:ssh_gateway] = "towel.blinkenlights.nl"
+ Chef::Config[:knife][:ssh_gateway_identity] = "~/.ssh/gateway.rsa"
Chef::Config[:knife][:host_key_verify] = true
allow(knife).to receive(:render_template).and_return("")
knife.config = {}
@@ -676,6 +677,10 @@ describe Chef::Knife::Bootstrap do
expect(knife_ssh.config[:ssh_gateway]).to eq("towel.blinkenlights.nl")
end
+ it "configures the ssh gateway identity" do
+ expect(knife_ssh.config[:ssh_gateway_identity]).to eq("~/.ssh/gateway.rsa")
+ end
+
it "configures the host key verify mode" do
expect(knife_ssh.config[:host_key_verify]).to eq(true)
end