diff options
author | Thom May <thom@may.lt> | 2017-03-06 19:35:44 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-03-06 19:35:44 +0000 |
commit | 8f146dce498b380bb8e70a22688055adf5f6daae (patch) | |
tree | 3ac26c492cc998e8be3f6f57881d2bab4a69b7b8 | |
parent | b4632f4263ee4ddec7f92cdb9e1ee6dee68fc758 (diff) | |
parent | 8d8d533642def762cf5fe57ade8460a880e50c40 (diff) | |
download | chef-8f146dce498b380bb8e70a22688055adf5f6daae.tar.gz |
Merge pull request #5830 from shortdudey123/CHEF-4538_ssh-gateway-identity-auth
CHEF-4538 - add an option for gateway_identity_file that will allow key-based authentication on the gateway.
-rw-r--r-- | chef-config/lib/chef-config/config.rb | 1 | ||||
-rw-r--r-- | lib/chef/knife/bootstrap.rb | 6 | ||||
-rw-r--r-- | lib/chef/knife/ssh.rb | 14 | ||||
-rw-r--r-- | spec/functional/knife/ssh_spec.rb | 28 | ||||
-rw-r--r-- | spec/unit/knife/bootstrap_spec.rb | 5 |
5 files changed, 53 insertions, 1 deletions
diff --git a/chef-config/lib/chef-config/config.rb b/chef-config/lib/chef-config/config.rb index fb41cfae99..3a55c8233d 100644 --- a/chef-config/lib/chef-config/config.rb +++ b/chef-config/lib/chef-config/config.rb @@ -714,6 +714,7 @@ module ChefConfig default :ssh_user, nil default :ssh_attribute, nil default :ssh_gateway, nil + default :ssh_gateway_identity, nil default :bootstrap_version, nil default :bootstrap_proxy, nil default :bootstrap_template, nil diff --git a/lib/chef/knife/bootstrap.rb b/lib/chef/knife/bootstrap.rb index ee4d9ce7af..f9dca7896a 100644 --- a/lib/chef/knife/bootstrap.rb +++ b/lib/chef/knife/bootstrap.rb @@ -67,6 +67,11 @@ class Chef :description => "The ssh gateway", :proc => Proc.new { |key| Chef::Config[:knife][:ssh_gateway] = key } + option :ssh_gateway_identity, + :long => "--ssh-gateway-identity SSH_GATEWAY_IDENTITY", + :description => "The SSH identity file used for gateway authentication", + :proc => Proc.new { |key| Chef::Config[:knife][:ssh_gateway_identity] = key } + option :forward_agent, :short => "-A", :long => "--forward-agent", @@ -438,6 +443,7 @@ class Chef ssh.config[:ssh_password] = config[:ssh_password] ssh.config[:ssh_port] = config[:ssh_port] ssh.config[:ssh_gateway] = config[:ssh_gateway] + ssh.config[:ssh_gateway_identity] = config[:ssh_gateway_identity] ssh.config[:forward_agent] = config[:forward_agent] ssh.config[:ssh_identity_file] = config[:ssh_identity_file] || config[:identity_file] ssh.config[:manual] = true diff --git a/lib/chef/knife/ssh.rb b/lib/chef/knife/ssh.rb index e206f72630..d79565991f 100644 --- a/lib/chef/knife/ssh.rb +++ b/lib/chef/knife/ssh.rb @@ -92,6 +92,10 @@ class Chef :description => "The ssh gateway", :proc => Proc.new { |key| Chef::Config[:knife][:ssh_gateway] = key.strip } + option :ssh_gateway_identity, + :long => "--ssh-gateway-identity SSH_GATEWAY_IDENTITY", + :description => "The SSH identity file used for gateway authentication" + option :forward_agent, :short => "-A", :long => "--forward-agent", @@ -250,7 +254,10 @@ class Chef {}.tap do |opts| # Chef::Config[:knife][:ssh_user] is parsed in #configure_user and written to config[:ssh_user] opts[:user] = user || config[:ssh_user] || ssh_config[:user] - if config[:ssh_identity_file] + if config[:ssh_gateway_identity] + opts[:keys] = File.expand_path(config[:ssh_gateway_identity]) + opts[:keys_only] = true + elsif config[:ssh_identity_file] opts[:keys] = File.expand_path(config[:ssh_identity_file]) opts[:keys_only] = true elsif config[:ssh_password] @@ -546,6 +553,10 @@ class Chef config[:ssh_identity_file] = get_stripped_unfrozen_value(config[:ssh_identity_file] || config[:identity_file] || Chef::Config[:knife][:ssh_identity_file]) end + def configure_ssh_gateway_identity + config[:ssh_gateway_identity] = get_stripped_unfrozen_value(config[:ssh_gateway_identity] || Chef::Config[:knife][:ssh_gateway_identity]) + end + def run @longest = 0 @@ -553,6 +564,7 @@ class Chef configure_password @password = config[:ssh_password] if config[:ssh_password] configure_ssh_identity_file + configure_ssh_gateway_identity configure_gateway configure_session diff --git a/spec/functional/knife/ssh_spec.rb b/spec/functional/knife/ssh_spec.rb index aea7585bb2..cfe28b862f 100644 --- a/spec/functional/knife/ssh_spec.rb +++ b/spec/functional/knife/ssh_spec.rb @@ -246,6 +246,34 @@ describe Chef::Knife::Ssh do end end + context "when knife[:ssh_gateway_identity] is set" do + before do + setup_knife(["*:*", "uptime"]) + Chef::Config[:knife][:ssh_gateway] = "user@ec2.public_hostname" + Chef::Config[:knife][:ssh_gateway_identity] = "~/.ssh/aws-gateway.rsa" + end + + it "uses the ssh_gateway_identity file" do + expect(@knife.session).to receive(:via).with("ec2.public_hostname", "user", { :keys => "#{ENV['HOME']}/.ssh/aws-gateway.rsa", :keys_only => true }) + @knife.run + expect(@knife.config[:ssh_gateway_identity]).to eq("~/.ssh/aws-gateway.rsa") + end + end + + context "when -ssh-gateway-identity is provided and knife[:ssh_gateway] is set" do + before do + setup_knife(["--ssh-gateway-identity", "~/.ssh/aws-gateway.rsa", "*:*", "uptime"]) + Chef::Config[:knife][:ssh_gateway] = "user@ec2.public_hostname" + Chef::Config[:knife][:ssh_gateway_identity] = nil + end + + it "uses the ssh_gateway_identity file" do + expect(@knife.session).to receive(:via).with("ec2.public_hostname", "user", { :keys => "#{ENV['HOME']}/.ssh/aws-gateway.rsa", :keys_only => true }) + @knife.run + expect(@knife.config[:ssh_gateway_identity]).to eq("~/.ssh/aws-gateway.rsa") + end + end + context "when the gateway requires a password" do before do setup_knife(["-G user@ec2.public_hostname", "*:*", "uptime"]) diff --git a/spec/unit/knife/bootstrap_spec.rb b/spec/unit/knife/bootstrap_spec.rb index 9f944b82d9..c2f68277c5 100644 --- a/spec/unit/knife/bootstrap_spec.rb +++ b/spec/unit/knife/bootstrap_spec.rb @@ -649,6 +649,7 @@ describe Chef::Knife::Bootstrap do Chef::Config[:knife][:forward_agent] = true Chef::Config[:knife][:ssh_identity_file] = "~/.ssh/you.rsa" Chef::Config[:knife][:ssh_gateway] = "towel.blinkenlights.nl" + Chef::Config[:knife][:ssh_gateway_identity] = "~/.ssh/gateway.rsa" Chef::Config[:knife][:host_key_verify] = true allow(knife).to receive(:render_template).and_return("") knife.config = {} @@ -676,6 +677,10 @@ describe Chef::Knife::Bootstrap do expect(knife_ssh.config[:ssh_gateway]).to eq("towel.blinkenlights.nl") end + it "configures the ssh gateway identity" do + expect(knife_ssh.config[:ssh_gateway_identity]).to eq("~/.ssh/gateway.rsa") + end + it "configures the host key verify mode" do expect(knife_ssh.config[:host_key_verify]).to eq(true) end |