add blocking_command option to config (#29)

cyrilst · web-flow · commit dfd354179b43 · 2025-03-11T14:47:42.000+01:00
diff --git a/cmd/sshproxy/sshproxy.go b/cmd/sshproxy/sshproxy.go
@@ -374,6 +374,21 @@ func mainExitCode() int {
 		}()
 	}
 
+	// launch blocking command
+	if config.BlockingCommand != "" {
+		args := strings.Fields(config.BlockingCommand)
+		cmd := exec.Command(args[0], args[1:]...)
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		rc, err := runCommand(cmd, false)
+		if err != nil {
+			log.Errorf("error running blocking command: %s", err)
+		}
+		if rc != 0 {
+			return rc
+		}
+	}
+
 	// launch background command
 	if config.BgCommand != "" {
 		wg.Add(1)
diff --git a/config/sshproxy.yaml b/config/sshproxy.yaml
@@ -79,6 +79,12 @@
 #    command: "sftp"
 #    disable_dump: true
 
+# A command can be launched before the bg_command and before connecting to the
+# destination. The standard and error outputs are displayed to the user. If the
+# return code of the blocking command is not 0, sshproxy will abort the
+# session.
+#blocking_command: ""
+
 # A command can be launched in the background for the session duration.
 # The standard and error outputs are only logged in debug mode.
 #bg_command: ""
diff --git a/doc/sshproxy.yaml.txt b/doc/sshproxy.yaml.txt
@@ -47,6 +47,13 @@ The following keys can be defined:
 	precisely, when all backends are either down or disabled in etcd).
 	This message can be multiline. It is empty by default.
 
+*blocking_command*::
+	A string specifying a command which will be launched before the
+	bg_command and before connecting to the destination. The standard and
+	error outputs are displayed to the user. If the return code of the
+	blocking command is not 0, sshproxy will abort the session. It is
+	empty by default.
+
 *bg_command*::
 	a string specifying a command which will be launched in the background
 	for the session duration. Its standard and error outputs are only
diff --git a/pkg/utils/config.go b/pkg/utils/config.go
@@ -53,6 +53,7 @@ type Config struct {
 	Etcd                  etcdConfig
 	EtcdStatsInterval     Duration `yaml:"etcd_stats_interval"`
 	LogStatsInterval      Duration `yaml:"log_stats_interval"`
+	BlockingCommand       string   `yaml:"blocking_command"`
 	BgCommand             string   `yaml:"bg_command"`
 	SSH                   sshConfig
 	TranslateCommands     map[string]*TranslateCommandConfig `yaml:"translate_commands"`
@@ -110,6 +111,7 @@ type subConfig struct {
 	Etcd                  interface{}
 	EtcdStatsInterval     interface{} `yaml:"etcd_stats_interval"`
 	LogStatsInterval      interface{} `yaml:"log_stats_interval"`
+	BlockingCommand       interface{} `yaml:"blocking_command"`
 	BgCommand             interface{} `yaml:"bg_command"`
 	SSH                   interface{}
 	TranslateCommands     map[string]*TranslateCommandConfig `yaml:"translate_commands"`
@@ -138,6 +140,7 @@ func PrintConfig(config *Config, groups map[string]bool) []string {
 	output = append(output, fmt.Sprintf("config.etcd = %+v", config.Etcd))
 	output = append(output, fmt.Sprintf("config.etcd_stats_interval = %s", config.EtcdStatsInterval.Duration()))
 	output = append(output, fmt.Sprintf("config.log_stats_interval = %s", config.LogStatsInterval.Duration()))
+	output = append(output, fmt.Sprintf("config.blocking_command = %s", config.BlockingCommand))
 	output = append(output, fmt.Sprintf("config.bg_command = %s", config.BgCommand))
 	output = append(output, fmt.Sprintf("config.ssh = %+v", config.SSH))
 	for k, v := range config.TranslateCommands {
@@ -212,6 +215,10 @@ func parseSubConfig(config *Config, subconfig *subConfig) error {
 		}
 	}
 
+	if subconfig.BlockingCommand != nil {
+		config.BlockingCommand = subconfig.BlockingCommand.(string)
+	}
+
 	if subconfig.BgCommand != nil {
 		config.BgCommand = subconfig.BgCommand.(string)
 	}
diff --git a/test/fedora-image/sshproxy_test.go b/test/fedora-image/sshproxy_test.go
@@ -53,6 +53,7 @@ func addLineSSHProxyConf(line string) {
 
 func removeLineSSHProxyConf(line string) {
 	ctx := context.Background()
+	line = strings.ReplaceAll(line, "/", "\\/")
 	for _, gateway := range gateways {
 		_, _, _, err := runCommand(ctx, "ssh", []string{fmt.Sprintf("root@%s", gateway), "--", fmt.Sprintf("sed -i 's/^%s$//' %s", line, SSHPROXYCONFIG)}, nil, nil)
 		if err != nil {
@@ -63,6 +64,7 @@ func removeLineSSHProxyConf(line string) {
 
 func updateLineSSHProxyConf(key string, value string) {
 	ctx := context.Background()
+	value = strings.ReplaceAll(value, "/", "\\/")
 	for _, gateway := range gateways {
 		_, _, _, err := runCommand(ctx, "ssh", []string{fmt.Sprintf("root@%s", gateway), "--", fmt.Sprintf("sed -i '/%s:/s/: .*$/: %s/' %s", key, value, SSHPROXYCONFIG)}, nil, nil)
 		if err != nil {
@@ -243,6 +245,29 @@ func TestSimpleConnect(t *testing.T) {
 	}
 }
 
+func TestBlockingCommand(t *testing.T) {
+	addLineSSHProxyConf("blocking_command: /bin/true")
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	args, cmd := prepareCommand("gateway1", 2023, "hostname")
+	_, stdout, stderr, err := runCommand(ctx, "ssh", args, nil, nil)
+	stdoutStr := strings.TrimSpace(string(stdout))
+	if err != nil {
+		t.Errorf("%s unexpected error: %v | stderr = %s", cmd, err, string(stderr))
+	} else if stdoutStr != "server1" {
+		t.Errorf("%s hostname = %s, want server1", cmd, stdoutStr)
+	}
+	updateLineSSHProxyConf("blocking_command", "/bin/false")
+	defer removeLineSSHProxyConf("blocking_command: /bin/false")
+	args, _ = prepareCommand("gateway1", 2023, "hostname")
+	rc, _, _, err := runCommand(ctx, "ssh", args, nil, nil)
+	if err == nil {
+		t.Errorf("got no error, expected error due to blocking_command")
+	} else if rc != 1 {
+		t.Errorf("blocking_command rc = %d, want 1", rc)
+	}
+}
+
 func TestNodesets(t *testing.T) {
 	disableHost("server[1000-1002]")
 	checkHostState(t, "server1000:22", "disabled", true)
@@ -382,12 +407,12 @@ func TestEtcdConnections(t *testing.T) {
 }
 
 func TestWithoutEtcd(t *testing.T) {
-	updateLineSSHProxyConf("endpoints", "[\"https:\\/\\/void:2379\"]")
+	updateLineSSHProxyConf("endpoints", "[\"https://void:2379\"]")
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
 	args, cmdStr := prepareCommand("gateway1", 2023, "hostname")
 	_, stdout, _, err := runCommand(ctx, "ssh", args, nil, nil)
-	updateLineSSHProxyConf("endpoints", "[\"https:\\/\\/etcd:2379\"]")
+	updateLineSSHProxyConf("endpoints", "[\"https://etcd:2379\"]")
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -396,10 +421,10 @@ func TestWithoutEtcd(t *testing.T) {
 		t.Errorf("%s got %s, expected server1", cmdStr, dest)
 	}
 
-	updateLineSSHProxyConf("endpoints", "[\"https:\\/\\/void:2379\"]")
+	updateLineSSHProxyConf("endpoints", "[\"https://void:2379\"]")
 	updateLineSSHProxyConf("mandatory", "true")
 	_, _, _, err = runCommand(ctx, "ssh", args, nil, nil)
-	updateLineSSHProxyConf("endpoints", "[\"https:\\/\\/etcd:2379\"]")
+	updateLineSSHProxyConf("endpoints", "[\"https://etcd:2379\"]")
 	updateLineSSHProxyConf("mandatory", "false")
 	if err == nil {
 		t.Error("the connection should have been rejected")
