Connection improvements

wttech · Nov 13, 2023 · f927ed2 · f927ed2
1 parent 0d429cd
commit f927ed2
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 18 deletions.
diff --git a/examples/ssh/aem.tf b/examples/ssh/aem.tf
@@ -4,11 +4,13 @@ resource "aem_instance" "single" {
   client {
     type     = "ssh"
     settings = {
-      host             = aws_instance.aem_single.public_ip
-      port             = 22
-      user             = local.ssh_user
-      private_key_file = local.ssh_private_key # cannot be put into state as this is OS-dependent
+      host        = aws_instance.aem_single.public_ip
+      port        = 22
+      user        = local.ssh_user
+      private_key = file(local.ssh_private_key)
+      secure      = false
     }
+    // extract 'credentials' to 'sensitive' map
   }
 
   system {
@@ -34,7 +36,7 @@ resource "aem_instance" "single" {
     SHELL
   }
 
-  compose {} // TODO must be at least empty; TF plugin framework bug?
+  compose {} // must be at least empty
 }
 
 locals {

diff --git a/internal/client/client_manager.go b/internal/client/client_manager.go
@@ -31,10 +31,11 @@ func (c ClientManager) connection(typeName string, settings map[string]string) (
 	switch typeName {
 	case "ssh":
 		return &SSHConnection{
-			host:           settings["host"],
-			user:           settings["user"],
-			privateKeyFile: settings["private_key_file"],
-			port:           cast.ToInt(settings["port"]),
+			host:       settings["host"],
+			user:       settings["user"],
+			privateKey: settings["private_key"],
+			port:       cast.ToInt(settings["port"]),
+			secure:     cast.ToBool(settings["secure"]),
 		}, nil
 	case "aws-ssm":
 		return &AWSSSMConnection{

diff --git a/internal/client/connection_ssh.go b/internal/client/connection_ssh.go
@@ -11,25 +11,44 @@ import (
 type SSHConnection struct {
 	client *goph.Client
 
-	host           string
-	user           string
-	passphrase     string
-	privateKeyFile string
-	port           int
+	host       string
+	user       string
+	passphrase string
+	privateKey string
+	port       int
+	secure     bool
 }
 
 func (s *SSHConnection) Connect() error {
-	auth, err := goph.Key(s.privateKeyFile, s.passphrase)
+	if s.host == "" {
+		return fmt.Errorf("ssh: host is required")
+	}
+	if s.user == "" {
+		return fmt.Errorf("ssh: user is required")
+	}
+	if s.privateKey == "" {
+		return fmt.Errorf("ssh: private key is required")
+	}
+	if s.port == 0 {
+		s.port = 22
+	}
+	signer, err := ssh.ParsePrivateKey([]byte(s.privateKey))
 	if err != nil {
-		return fmt.Errorf("ssh: cannot get auth using private key '%s': %w", s.privateKeyFile, err)
+		return fmt.Errorf("ssh: cannot parse private key: %w", err)
+	}
+	var callback ssh.HostKeyCallback
+	if s.secure {
+		callback = ssh.FixedHostKey(signer.PublicKey())
+	} else {
+		callback = ssh.InsecureIgnoreHostKey()
 	}
 	client, err := goph.NewConn(&goph.Config{
 		User:     s.user,
 		Addr:     s.host,
 		Port:     cast.ToUint(s.port),
-		Auth:     auth,
+		Auth:     goph.Auth{ssh.PublicKeys(signer)},
 		Timeout:  goph.DefaultTimeout,
-		Callback: ssh.InsecureIgnoreHostKey(), // TODO make it secure by default
+		Callback: callback,
 	})
 	if err != nil {
 		return fmt.Errorf("ssh: cannot connect to host '%s': %w", s.host, err)