Add support for hashed host lists

byroot · byroot · commit 8e907372178d · 2016-02-18T13:07:25.000-05:00
diff --git a/lib/sshkit/backends/netssh.rb b/lib/sshkit/backends/netssh.rb
@@ -30,19 +30,32 @@ def initialize(path)
         end
 
         def keys_for(hostlist)
-          keys = hosts_keys || parse_file
+          keys, hashes = hosts_keys, hosts_hashes
+          parse_file unless keys && hashes
+          keys, hashes = hosts_keys, hosts_hashes
+
           hostlist.split(',').each do |host|
-            if key_list = keys[host]
-              return key_list
+            key_list = keys[host]
+            return key_list if key_list
+
+            hashes.each do |(hmac, salt), key|
+              if OpenSSL::HMAC.digest(sha1, salt, host) == hmac
+                return key
+              end
             end
           end
+
           []
         end
 
         private
 
         attr_reader :path
-        attr_accessor :hosts_keys
+        attr_accessor :hosts_keys, :hosts_hashes
+
+        def sha1
+          @sha1 ||= OpenSSL::Digest.new('sha1')
+        end
 
         def parse_file
           synchronize do
@@ -51,35 +64,58 @@ def parse_file
             return self.hosts_keys = {} unless File.readable?(path)
 
             new_keys = {}
+            new_hashes = []
             File.open(path) do |file|
               scanner = StringScanner.new("")
               file.each_line do |line|
                 scanner.string = line
-                hostlist, key = parse_line(scanner)
-                next unless key
-
-                hostlist.each do |host|
-                  (new_keys[host] ||= []) << key
-                end
+                parse_line(scanner, new_keys, new_hashes)
               end
             end
-            return self.hosts_keys = new_keys
+            self.hosts_keys = new_keys
+            self.hosts_hashes = new_hashes
+          end
+        end
+
+        def parse_line(scanner, hosts_keys, hosts_hashes)
+          return if empty_line?(scanner)
+
+          hostlist = parse_hostlist(scanner)
+          return unless supported_type?(scanner)
+          key = parse_key(scanner)
+
+          if hostlist.size == 1 && hostlist.first =~ /\A\|1(\|.+){2}\z/
+            hosts_hashes << [parse_host_hash(hostlist.first), key]
+          else
+            hostlist.each do |host|
+              (hosts_keys[host] ||= []) << key
+            end
           end
         end
 
-        def parse_line(scanner)
+        def parse_host_hash(line)
+          _, _, salt, hmac = line.split('|')
+          [Base64.decode64(hmac), Base64.decode64(salt)]
+        end
+
+        def empty_line?(scanner)
           scanner.skip(/\s*/)
-          return if scanner.match?(/$|#/)
+          scanner.match?(/$|#/)
+        end
 
-          hostlist = scanner.scan(/\S+/).split(',')
+        def parse_hostlist(scanner)
           scanner.skip(/\s*/)
-          type = scanner.scan(/\S+/)
+          scanner.scan(/\S+/).split(',')
+        end
 
-          return unless Net::SSH::KnownHosts::SUPPORTED_TYPE.include?(type)
+        def supported_type?(scanner)
+          scanner.skip(/\s*/)
+          Net::SSH::KnownHosts::SUPPORTED_TYPE.include?(scanner.scan(/\S+/))
+        end
 
+        def parse_key(scanner)
           scanner.skip(/\s*/)
-          blob = scanner.rest.unpack("m*").first
-          return hostlist, Net::SSH::Buffer.new(blob).read_key
+          Net::SSH::Buffer.new(scanner.rest.unpack("m*").first).read_key
         end
       end
 
