573 lines
15 KiB
Go
573 lines
15 KiB
Go
//go:generate mapstructure-to-hcl2 -type Config
|
|
|
|
package inspec
|
|
|
|
import (
|
|
"bufio"
|
|
"bytes"
|
|
"context"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"io/ioutil"
|
|
"log"
|
|
"net"
|
|
"os"
|
|
"os/exec"
|
|
"os/user"
|
|
"regexp"
|
|
"strconv"
|
|
"strings"
|
|
"sync"
|
|
"syscall"
|
|
"unicode"
|
|
|
|
"golang.org/x/crypto/ssh"
|
|
|
|
"github.com/hashicorp/hcl/v2/hcldec"
|
|
"github.com/hashicorp/packer-plugin-sdk/adapter"
|
|
"github.com/hashicorp/packer-plugin-sdk/common"
|
|
packersdk "github.com/hashicorp/packer-plugin-sdk/packer"
|
|
"github.com/hashicorp/packer-plugin-sdk/template/config"
|
|
"github.com/hashicorp/packer-plugin-sdk/template/interpolate"
|
|
)
|
|
|
|
var SupportedBackends = map[string]bool{"docker": true, "local": true, "ssh": true, "winrm": true}
|
|
|
|
type Config struct {
|
|
common.PackerConfig `mapstructure:",squash"`
|
|
ctx interpolate.Context
|
|
|
|
// The command to invoke InSpec. Defaults to `inspec`.
|
|
Command string `mapstructure-to-hcl2:"command"`
|
|
SubCommand string `mapstructure-to-hcl2:",skip"`
|
|
|
|
// Extra options to pass to the inspec command
|
|
ExtraArguments []string `mapstructure:"extra_arguments"`
|
|
InspecEnvVars []string `mapstructure:"inspec_env_vars"`
|
|
|
|
// The profile to execute.
|
|
Profile string `mapstructure:"profile"`
|
|
AttributesDirectory string `mapstructure:"attributes_directory"`
|
|
AttributesFiles []string `mapstructure:"attributes"`
|
|
Backend string `mapstructure:"backend"`
|
|
User string `mapstructure:"user"`
|
|
Host string `mapstructure:"host"`
|
|
LocalPort int `mapstructure:"local_port"`
|
|
SSHHostKeyFile string `mapstructure:"ssh_host_key_file"`
|
|
SSHAuthorizedKeyFile string `mapstructure:"ssh_authorized_key_file"`
|
|
ValidExitCodes []int `mapstructure:"valid_exit_codes"`
|
|
}
|
|
|
|
type Provisioner struct {
|
|
config Config
|
|
adapter *adapter.Adapter
|
|
done chan struct{}
|
|
inspecVersion string
|
|
inspecMajVersion uint
|
|
}
|
|
|
|
func (p *Provisioner) ConfigSpec() hcldec.ObjectSpec { return p.config.FlatMapstructure().HCL2Spec() }
|
|
|
|
func (p *Provisioner) Prepare(raws ...interface{}) error {
|
|
p.done = make(chan struct{})
|
|
|
|
err := config.Decode(&p.config, &config.DecodeOpts{
|
|
PluginType: "inspec",
|
|
Interpolate: true,
|
|
InterpolateContext: &p.config.ctx,
|
|
InterpolateFilter: &interpolate.RenderFilter{
|
|
Exclude: []string{},
|
|
},
|
|
}, raws...)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Defaults
|
|
if p.config.Command == "" {
|
|
p.config.Command = "inspec"
|
|
}
|
|
|
|
if p.config.SubCommand == "" {
|
|
p.config.SubCommand = "exec"
|
|
}
|
|
|
|
var errs *packersdk.MultiError
|
|
err = validateProfileConfig(p.config.Profile)
|
|
if err != nil {
|
|
errs = packersdk.MultiErrorAppend(errs, err)
|
|
}
|
|
|
|
// Check that the authorized key file exists
|
|
if len(p.config.SSHAuthorizedKeyFile) > 0 {
|
|
err = validateFileConfig(p.config.SSHAuthorizedKeyFile, "ssh_authorized_key_file", true)
|
|
if err != nil {
|
|
log.Println(p.config.SSHAuthorizedKeyFile, "does not exist")
|
|
errs = packersdk.MultiErrorAppend(errs, err)
|
|
}
|
|
}
|
|
if len(p.config.SSHHostKeyFile) > 0 {
|
|
err = validateFileConfig(p.config.SSHHostKeyFile, "ssh_host_key_file", true)
|
|
if err != nil {
|
|
log.Println(p.config.SSHHostKeyFile, "does not exist")
|
|
errs = packersdk.MultiErrorAppend(errs, err)
|
|
}
|
|
}
|
|
|
|
if p.config.Backend == "" {
|
|
p.config.Backend = "ssh"
|
|
}
|
|
|
|
if _, ok := SupportedBackends[p.config.Backend]; !ok {
|
|
errs = packersdk.MultiErrorAppend(errs, fmt.Errorf("backend: %s must be a valid backend", p.config.Backend))
|
|
}
|
|
|
|
if p.config.Backend == "docker" && p.config.Host == "" {
|
|
errs = packersdk.MultiErrorAppend(errs, fmt.Errorf("backend: host must be specified for docker backend"))
|
|
}
|
|
|
|
if p.config.Host == "" {
|
|
p.config.Host = "127.0.0.1"
|
|
}
|
|
|
|
if p.config.LocalPort > 65535 {
|
|
errs = packersdk.MultiErrorAppend(errs, fmt.Errorf("local_port: %d must be a valid port", p.config.LocalPort))
|
|
}
|
|
|
|
if len(p.config.AttributesDirectory) > 0 {
|
|
err = validateDirectoryConfig(p.config.AttributesDirectory, "attrs")
|
|
if err != nil {
|
|
log.Println(p.config.AttributesDirectory, "does not exist")
|
|
errs = packersdk.MultiErrorAppend(errs, err)
|
|
}
|
|
}
|
|
|
|
if p.config.User == "" {
|
|
usr, err := user.Current()
|
|
if err != nil {
|
|
errs = packersdk.MultiErrorAppend(errs, err)
|
|
} else {
|
|
p.config.User = usr.Username
|
|
}
|
|
}
|
|
if p.config.User == "" {
|
|
errs = packersdk.MultiErrorAppend(errs, fmt.Errorf("user: could not determine current user from environment."))
|
|
}
|
|
|
|
if p.config.ValidExitCodes == nil {
|
|
p.config.ValidExitCodes = []int{0, 101}
|
|
}
|
|
|
|
if errs != nil && len(errs.Errors) > 0 {
|
|
return errs
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (p *Provisioner) getVersion() error {
|
|
out, err := exec.Command(p.config.Command, "version").Output()
|
|
if err != nil {
|
|
return fmt.Errorf(
|
|
"Error running \"%s version\": %s", p.config.Command, err.Error())
|
|
}
|
|
|
|
versionRe := regexp.MustCompile(`(\d+\.\d+[.\d+]*)`)
|
|
matches := versionRe.FindStringSubmatch(string(out))
|
|
if matches == nil {
|
|
return fmt.Errorf(
|
|
"Could not find %s version in output:\n%s", p.config.Command, string(out))
|
|
}
|
|
|
|
version := matches[1]
|
|
log.Printf("%s version: %s", p.config.Command, version)
|
|
p.inspecVersion = version
|
|
|
|
majVer, err := strconv.ParseUint(strings.Split(version, ".")[0], 10, 0)
|
|
if err != nil {
|
|
return fmt.Errorf("Could not parse major version from \"%s\".", version)
|
|
}
|
|
p.inspecMajVersion = uint(majVer)
|
|
|
|
return nil
|
|
}
|
|
|
|
func (p *Provisioner) Provision(ctx context.Context, ui packersdk.Ui, comm packersdk.Communicator, generatedData map[string]interface{}) error {
|
|
ui.Say("Provisioning with Inspec...")
|
|
p.config.ctx.Data = generatedData
|
|
|
|
userp, err := interpolate.Render(p.config.User, &p.config.ctx)
|
|
if err != nil {
|
|
return fmt.Errorf("Could not interpolate inspec user: %s", err)
|
|
}
|
|
p.config.User = userp
|
|
|
|
host, err := interpolate.Render(p.config.Host, &p.config.ctx)
|
|
if err != nil {
|
|
return fmt.Errorf("Could not interpolate inspec user: %s", err)
|
|
}
|
|
p.config.Host = host
|
|
|
|
for i, envVar := range p.config.InspecEnvVars {
|
|
envVar, err := interpolate.Render(envVar, &p.config.ctx)
|
|
if err != nil {
|
|
return fmt.Errorf("Could not interpolate inspec env vars: %s", err)
|
|
}
|
|
p.config.InspecEnvVars[i] = envVar
|
|
}
|
|
|
|
for i, arg := range p.config.ExtraArguments {
|
|
arg, err := interpolate.Render(arg, &p.config.ctx)
|
|
if err != nil {
|
|
return fmt.Errorf("Could not interpolate inspec extra arguments: %s", err)
|
|
}
|
|
p.config.ExtraArguments[i] = arg
|
|
}
|
|
|
|
for i, arg := range p.config.AttributesFiles {
|
|
arg, err := interpolate.Render(arg, &p.config.ctx)
|
|
if err != nil {
|
|
return fmt.Errorf("Could not interpolate inspec attributes: %s", err)
|
|
}
|
|
p.config.AttributesFiles[i] = arg
|
|
}
|
|
|
|
k, err := newUserKey(p.config.SSHAuthorizedKeyFile)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
hostSigner, err := newSigner(p.config.SSHHostKeyFile)
|
|
if err != nil {
|
|
return fmt.Errorf("error creating host signer: %s", err)
|
|
}
|
|
|
|
// Remove the private key file
|
|
if len(k.privKeyFile) > 0 {
|
|
defer os.Remove(k.privKeyFile)
|
|
}
|
|
|
|
keyChecker := ssh.CertChecker{
|
|
UserKeyFallback: func(conn ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {
|
|
if user := conn.User(); user != p.config.User {
|
|
return nil, errors.New(fmt.Sprintf("authentication failed: %s is not a valid user", user))
|
|
}
|
|
|
|
if !bytes.Equal(k.Marshal(), pubKey.Marshal()) {
|
|
return nil, errors.New("authentication failed: unauthorized key")
|
|
}
|
|
|
|
return nil, nil
|
|
},
|
|
IsUserAuthority: func(k ssh.PublicKey) bool { return true },
|
|
}
|
|
|
|
config := &ssh.ServerConfig{
|
|
AuthLogCallback: func(conn ssh.ConnMetadata, method string, err error) {
|
|
log.Printf("authentication attempt from %s to %s as %s using %s", conn.RemoteAddr(), conn.LocalAddr(), conn.User(), method)
|
|
},
|
|
PublicKeyCallback: keyChecker.Authenticate,
|
|
//NoClientAuth: true,
|
|
}
|
|
|
|
config.AddHostKey(hostSigner)
|
|
|
|
localListener, err := func() (net.Listener, error) {
|
|
|
|
port := p.config.LocalPort
|
|
tries := 1
|
|
if port != 0 {
|
|
tries = 10
|
|
}
|
|
for i := 0; i < tries; i++ {
|
|
l, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
|
|
port++
|
|
if err != nil {
|
|
ui.Say(err.Error())
|
|
continue
|
|
}
|
|
_, portStr, err := net.SplitHostPort(l.Addr().String())
|
|
if err != nil {
|
|
ui.Say(err.Error())
|
|
continue
|
|
}
|
|
p.config.LocalPort, err = strconv.Atoi(portStr)
|
|
if err != nil {
|
|
ui.Say(err.Error())
|
|
continue
|
|
}
|
|
return l, nil
|
|
}
|
|
return nil, errors.New("Error setting up SSH proxy connection")
|
|
}()
|
|
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
ui = &packersdk.SafeUi{
|
|
Sem: make(chan int, 1),
|
|
Ui: ui,
|
|
}
|
|
p.adapter = adapter.NewAdapter(p.done, localListener, config, "", ui, comm)
|
|
|
|
defer func() {
|
|
log.Print("shutting down the SSH proxy")
|
|
close(p.done)
|
|
p.adapter.Shutdown()
|
|
}()
|
|
|
|
go p.adapter.Serve()
|
|
|
|
tf, err := ioutil.TempFile(p.config.AttributesDirectory, "packer-provisioner-inspec.*.yml")
|
|
if err != nil {
|
|
return fmt.Errorf("Error preparing packer attributes file: %s", err)
|
|
}
|
|
defer os.Remove(tf.Name())
|
|
|
|
w := bufio.NewWriter(tf)
|
|
w.WriteString(fmt.Sprintf("packer_build_name: %s\n", p.config.PackerBuildName))
|
|
w.WriteString(fmt.Sprintf("packer_builder_type: %s\n", p.config.PackerBuilderType))
|
|
|
|
if err := w.Flush(); err != nil {
|
|
tf.Close()
|
|
return fmt.Errorf("Error preparing packer attributes file: %s", err)
|
|
}
|
|
tf.Close()
|
|
p.config.AttributesFiles = append(p.config.AttributesFiles, tf.Name())
|
|
|
|
if err := p.executeInspec(ui, comm, k.privKeyFile); err != nil {
|
|
return fmt.Errorf("Error executing Inspec: %s", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (p *Provisioner) executeInspec(ui packersdk.Ui, comm packersdk.Communicator, privKeyFile string) error {
|
|
var envvars []string
|
|
|
|
args := []string{p.config.SubCommand, p.config.Profile}
|
|
args = append(args, "--backend", p.config.Backend)
|
|
args = append(args, "--host", p.config.Host)
|
|
|
|
if p.config.User != "" {
|
|
args = append(args, "--user", p.config.User)
|
|
}
|
|
|
|
if p.config.Backend == "ssh" {
|
|
if len(privKeyFile) > 0 {
|
|
args = append(args, "--key-files", privKeyFile)
|
|
}
|
|
args = append(args, "--port", strconv.Itoa(p.config.LocalPort))
|
|
}
|
|
|
|
args = append(args, "--input-file")
|
|
args = append(args, p.config.AttributesFiles...)
|
|
args = append(args, p.config.ExtraArguments...)
|
|
|
|
if len(p.config.InspecEnvVars) > 0 {
|
|
envvars = append(envvars, p.config.InspecEnvVars...)
|
|
}
|
|
|
|
cmd := exec.Command(p.config.Command, args...)
|
|
|
|
cmd.Env = os.Environ()
|
|
if len(envvars) > 0 {
|
|
cmd.Env = append(cmd.Env, envvars...)
|
|
}
|
|
|
|
stdout, err := cmd.StdoutPipe()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
stderr, err := cmd.StderrPipe()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
wg := sync.WaitGroup{}
|
|
repeat := func(r io.ReadCloser) {
|
|
reader := bufio.NewReader(r)
|
|
for {
|
|
line, err := reader.ReadString('\n')
|
|
if line != "" {
|
|
line = strings.TrimRightFunc(line, unicode.IsSpace)
|
|
ui.Message(line)
|
|
}
|
|
if err != nil {
|
|
if err == io.EOF {
|
|
break
|
|
} else {
|
|
ui.Error(err.Error())
|
|
break
|
|
}
|
|
}
|
|
}
|
|
wg.Done()
|
|
}
|
|
wg.Add(2)
|
|
go repeat(stdout)
|
|
go repeat(stderr)
|
|
|
|
ui.Say(fmt.Sprintf("Executing Inspec: %s", strings.Join(cmd.Args, " ")))
|
|
if err := cmd.Start(); err != nil {
|
|
return err
|
|
}
|
|
wg.Wait()
|
|
|
|
if err := cmd.Wait(); err != nil {
|
|
if exiterr, ok := err.(*exec.ExitError); ok {
|
|
// The program has exited with an exit code != 0
|
|
|
|
// This works on both Unix and Windows. Although package
|
|
// syscall is generally platform dependent, WaitStatus is
|
|
// defined for both Unix and Windows and in both cases has
|
|
// an ExitStatus() method with the same signature.
|
|
if status, ok := exiterr.Sys().(syscall.WaitStatus); ok {
|
|
exitStatus := status.ExitStatus()
|
|
// Check exit code against allowed codes (likely just 0)
|
|
validExitCode := false
|
|
for _, v := range p.config.ValidExitCodes {
|
|
if exitStatus == v {
|
|
validExitCode = true
|
|
}
|
|
}
|
|
if !validExitCode {
|
|
return fmt.Errorf(
|
|
"Inspec exited with unexpected exit status: %d. Expected exit codes are: %v",
|
|
exitStatus, p.config.ValidExitCodes)
|
|
}
|
|
}
|
|
} else {
|
|
return fmt.Errorf("Unable to get exit status: %s", err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func validateFileConfig(name string, config string, req bool) error {
|
|
if req {
|
|
if name == "" {
|
|
return fmt.Errorf("%s must be specified.", config)
|
|
}
|
|
}
|
|
info, err := os.Stat(name)
|
|
if err != nil {
|
|
return fmt.Errorf("%s: %s is invalid: %s", config, name, err)
|
|
} else if info.IsDir() {
|
|
return fmt.Errorf("%s: %s must point to a file", config, name)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func validateProfileConfig(name string) error {
|
|
if name == "" {
|
|
return fmt.Errorf("profile must be specified.")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func validateDirectoryConfig(name string, config string) error {
|
|
info, err := os.Stat(name)
|
|
if err != nil {
|
|
return fmt.Errorf("%s: %s is invalid: %s", config, name, err)
|
|
} else if !info.IsDir() {
|
|
return fmt.Errorf("%s: %s must point to a directory", config, name)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
type userKey struct {
|
|
ssh.PublicKey
|
|
privKeyFile string
|
|
}
|
|
|
|
func newUserKey(pubKeyFile string) (*userKey, error) {
|
|
userKey := new(userKey)
|
|
if len(pubKeyFile) > 0 {
|
|
pubKeyBytes, err := ioutil.ReadFile(pubKeyFile)
|
|
if err != nil {
|
|
return nil, errors.New("Failed to read public key")
|
|
}
|
|
userKey.PublicKey, _, _, _, err = ssh.ParseAuthorizedKey(pubKeyBytes)
|
|
if err != nil {
|
|
return nil, errors.New("Failed to parse authorized key")
|
|
}
|
|
|
|
return userKey, nil
|
|
}
|
|
|
|
key, err := rsa.GenerateKey(rand.Reader, 2048)
|
|
if err != nil {
|
|
return nil, errors.New("Failed to generate key pair")
|
|
}
|
|
userKey.PublicKey, err = ssh.NewPublicKey(key.Public())
|
|
if err != nil {
|
|
return nil, errors.New("Failed to extract public key from generated key pair")
|
|
}
|
|
|
|
// To support Inspec calling back to us we need to write
|
|
// this file down
|
|
privateKeyDer := x509.MarshalPKCS1PrivateKey(key)
|
|
privateKeyBlock := pem.Block{
|
|
Type: "RSA PRIVATE KEY",
|
|
Headers: nil,
|
|
Bytes: privateKeyDer,
|
|
}
|
|
tf, err := ioutil.TempFile("", "packer-provisioner-inspec.*.key")
|
|
if err != nil {
|
|
return nil, errors.New("failed to create temp file for generated key")
|
|
}
|
|
_, err = tf.Write(pem.EncodeToMemory(&privateKeyBlock))
|
|
if err != nil {
|
|
return nil, errors.New("failed to write private key to temp file")
|
|
}
|
|
|
|
err = tf.Close()
|
|
if err != nil {
|
|
return nil, errors.New("failed to close private key temp file")
|
|
}
|
|
userKey.privKeyFile = tf.Name()
|
|
|
|
return userKey, nil
|
|
}
|
|
|
|
type signer struct {
|
|
ssh.Signer
|
|
}
|
|
|
|
func newSigner(privKeyFile string) (*signer, error) {
|
|
signer := new(signer)
|
|
|
|
if len(privKeyFile) > 0 {
|
|
privateBytes, err := ioutil.ReadFile(privKeyFile)
|
|
if err != nil {
|
|
return nil, errors.New("Failed to load private host key")
|
|
}
|
|
|
|
signer.Signer, err = ssh.ParsePrivateKey(privateBytes)
|
|
if err != nil {
|
|
return nil, errors.New("Failed to parse private host key")
|
|
}
|
|
|
|
return signer, nil
|
|
}
|
|
|
|
key, err := rsa.GenerateKey(rand.Reader, 2048)
|
|
if err != nil {
|
|
return nil, errors.New("Failed to generate server key pair")
|
|
}
|
|
|
|
signer.Signer, err = ssh.NewSignerFromKey(key)
|
|
if err != nil {
|
|
return nil, errors.New("Failed to extract private key from generated key pair")
|
|
}
|
|
|
|
return signer, nil
|
|
}
|