Please review pull request #162: (#11660) Adds feature SSHFP opened by (grooverdan)
Description:
RFC4255 SSH fingerprints are now facts in the form SSHFP_RSA, SSHFP_DSA,
SSHFP_ECDSA.
This also performs SHA2 and ECDSA that are part of the draft:
http://tools.ietf.org/id/draft-os-ietf-sshfp-ecdsa-sha2
(www.iana.org/assignments/dns-sshfp-rr-parameters).
(#11659) Adds ssh spec
Adds test cases for the ssh fact module. Reworks a bit of the ssh fact
implementation so that the rspec mochs can work.
- Opened: Wed Feb 01 07:44:09 UTC 2012
- Based on: puppetlabs:master (d9128eb4830fd6911dd690c0c4a0f5a46a81446a)
- Requested merge: grooverdan:ticket/11660-sshfp_and_ssh_rspec (2a862191137370cf16c2d284fe60cc9bed0e9cd8)
Diff follows:
diff --git a/lib/facter/ssh.rb b/lib/facter/ssh.rb index 6aa7e08..23c6578 100644 --- a/lib/facter/ssh.rb +++ b/lib/facter/ssh.rb @@ -12,14 +12,14 @@ ## ["/etc/ssh","/usr/local/etc/ssh","/etc","/usr/local/etc"].each do |dir| - {"SSHDSAKey" => "ssh_host_dsa_key.pub", "SSHRSAKey" => "ssh_host_rsa_key.pub", "SSHECDSAKey" => "ssh_host_ecdsa_key.pub"}.each do |name,file| + {"SSHDSAKey" => { :file => "ssh_host_dsa_key.pub", :sshfprrtype => 2 } , "SSHRSAKey" => { :file => "ssh_host_rsa_key.pub", :sshfprrtype => 1 }, "SSHECDSAKey" => { :file => "ssh_host_ecdsa_key.pub", :sshfprrtype => 3 } }.each do |name,key| Facter.add(name) do setcode do value = nil - filepath = File.join(dir,file) + filepath = File.join(dir,key[:file]) if FileTest.file?(filepath) begin - File.open(filepath) { |f| value = f.read.chomp.split(/\s+/)[1] } + value = File.read(filepath).chomp.split(/\s+/)[1] rescue value = nil end @@ -27,5 +27,27 @@ value end # end of proc end # end of add + Facter.add('SSHFP_' + name[3..-4]) do + setcode do + ssh = Facter.fact(name).value + value = nil + if ssh && key[:sshfprrtype] + begin + require 'digest/sha1' + require 'base64' + digest = Base64.decode64(ssh) + value = 'SSHFP ' + key[:sshfprrtype].to_s + ' 1 ' + Digest::SHA1.hexdigest(digest) + begin + require 'digest/sha2' + value += "\nSSHFP " + key[:sshfprrtype].to_s + ' 2 ' + Digest::SHA256.hexdigest(digest) + rescue + end + rescue + value = nil + end + end # end of sshfp if + value + end # end of sshfp proc + end # end of sshfp add end # end of hash each end # end of dir each diff --git a/spec/unit/ssh_spec.rb b/spec/unit/ssh_spec.rb new file mode 100755 index 0000000..79dc025 --- /dev/null +++ b/spec/unit/ssh_spec.rb @@ -0,0 +1,51 @@ +#!/usr/bin/env rspec + +require 'spec_helper' +require 'facter/ssh' +require 'pathname' + +describe "SSH fact" do + + before do + # We need these facts loaded, but they belong to a file with a + # different name, so load the file explicitly. + Facter.collection.loader.load(:ssh) + end + + # fingerprints extracted from ssh-keygen -r '' -f /etc/ssh/ssh_host_dsa_key.pub + { 'SSHRSAKey' => [ '/usr/local/etc/ssh_host_rsa_key.pub' , "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDrs+KtR8hjasELsyCiiBplUeIi77hEHzTSQt1ALG7N4IgtMg27ZAcq0tl2/O9ZarQuClc903pgionbM9Q98CtAIoqgJwdtsor7ETRmzwrcY/mvI7ne51UzQy4Eh9WrplfpNyg+EVO0FUC7mBcay6JY30QKasePp+g4MkwK5cuTzOCzd9up9KELonlH7tTm2L0YI4HhZugwVoTFulCAZvPICxSk1B/fEKyGSZVfY/UxZNqg9g2Wyvq5u40xQ5eO882UwhB3w4IbmRnPKcyotAcqOJxA7hToMKtEmFct+vjHE8T37w8axE/1X9mdvy8IZbkEBL1cupqqb8a8vU1QTg1z", "SSHFP 1 1 1e4f163a1747d0d1a08a29972c9b5d94ee5705d0\nSSHFP 1 2 4e834c91e423d6085ed6dfb880a59e2f1b04f17c1dc17da07708af67c5ab6045" ], + 'SSHDSAKey' => [ '/etc/ssh/ssh_host_dsa_key.pub' , "ssh-dss AAAAB3NzaC1kc3MAAACBAKjmRez14aZT6OKhHrsw19s7u30AdghwHFQbtC+L781YjJ3UV0/WQoZ8NaDL4ovuvW23RuO49tsqSNcVHg+PtRiN2iTVAS2h55TFhaPKhTs+i0NH3p3Ze8LNSYuz8uK7a+nTxysz47GYTHiE1ke8KXe5wGKDO1TO/MUgpDbwx72LAAAAFQD9yMJCnZMiKzA7J1RNkwvgCyBKSQAAAIAtWBAsuRM0F2fdCe+F/JmgyryQmRIT5vP8E1ww3t3ywdLHklN7UMkaEKBW/TN/jj1JOGXtZ2v5XI+0VNoNKD/7dnCGzNViRT/jjfyVi6l5UMg4Q52Gv0RXJoBJpxNqFOU2niSsy8hioyE39W6LJYWJtQozGpH/KKgkCSvxBn5hlAAAAIB1yo/YD0kQICOO0KE+UMMaKtV7FwyedFJsxsWYwZfHXGwWskf0d2+lPhd9qwdbmSvySE8Qrlvu+W+X8AipwGkItSnj16ORF8kO3lfABa+7L4BLDtumt7ybjBPcHOy3n28dd07TmMtyWvLjOb0mcxPo+TwDLtHd3L/3C1Dh41jRPg==\n", "SSHFP 2 1 f63dfe8da99f50ffbcfa40a61161cee29d109f70\nSSHFP 2 2 5f57aa6be9baddd71b6049ed5d8639664a7ddf92ce293e3887f16ad0f2d459d9" ], + 'SSHECDSAKey' => [ '/etc/ssh_host_ecdsa_key.pub' , 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIuKHtgXQUIrXSVNKC7uY+ZOF7jjfqYNU7Cb/IncDOZ7jW44dxsfBzRJwS5sTHERjBinJskY87mmwY07NFF5GoE=', "SSHFP 3 1 091a088fd3500ad9e35ce201c5101646cbf6ff98\nSSHFP 3 2 1dd2aa8f29b539337316e2862b28c196c68ffe0af78fccf9e50625635677e50f"] + }.each_pair do |fact, data| + filename, contents, fingerprint = data + pk = /AAAA\S+/.match(contents).to_s + it "'#{fact}' should be '#{pk}' based on '#{filename}' contents '#{contents}'" do + File.expects(:read).with(filename).at_least_once.returns contents + path, file = Pathname.new(filename).split + ["/etc/ssh","/usr/local/etc/ssh","/etc","/usr/local/etc"].each do |dir| + if dir != path.to_s + blockfile = (Pathname.new(dir) + file).to_s + FileTest.expects(:file?).with( blockfile ).at_least(0).returns false + end + end + FileTest.expects(:file?).with( filename ).at_least_once.returns true + + Facter.fact(fact).value.should == pk + end + fp_fact = 'SSHFP_' + fact[3..-4] + it "'#{fp_fact}' should have fingerprint '#{fingerprint}' based on '#{filename}' contents '#{contents}'" do + File.expects(:read).with(filename).at_least_once.returns contents + path, file = Pathname.new(filename).split + ["/etc/ssh","/usr/local/etc/ssh","/etc","/usr/local/etc"].each do |dir| + if dir != path.to_s + blockfile = (Pathname.new(dir) + file).to_s + FileTest.expects(:file?).with( blockfile ).at_least(0).returns false + end + end + FileTest.expects(:file?).with( filename ).at_least_once.returns true + + Facter.fact(fp_fact).value.should == fingerprint + end + end + +end
--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To post to this group, send email to puppet-dev@googlegroups.com.
To unsubscribe from this group, send email to puppet-dev+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.