procurve: add model spec, fix secret redaction, simplify the model, rstrip comments #3840
thanegill wants to merge 9 commits into
You don't define rstrip_cfg method? You probably intended something like:

```ruby
comment cfg.each_line.map(&:rstrip).join("\n") + "\n"
```

But then we might ask, why not add this to :all. block?
0413710 to 0d6db29
Oops, I thought that was defined in refinements. Added, copied from
We could. But I'm not certain there is any trailing whitespace that is needed to restore the config accurately.
Maybe rather something like

```ruby
def comment_clean str
  comment str.each_line.map(&:rstrip).join("\n") + "\n"
end
```

So that you're not repeating yourself that much. Also, if you can, please provide spec/model/data files for testing purposes. I'm uncomfortable as this was submitted with non-working code, so I don't know if it works at all, or if it breaks for everyone.
MockSsh delivered the init prompt synchronously inside open_channel, before its return value was assigned to SSH's @SES. A model that sends data in response to the init prompt - e.g., Procurve answering "Press any key to continue" - would hit a nil @SES. Queue the init prompt instead so it is delivered on the first ssh.loop (in #login), by which time @SES is set.
Add a device-simulation unit test for the Procurve model (2930M-48G-PoE+, WC.16.11.0028) plus a prompt test, captured with extra/device2yaml.rb. To make the captured session replayable, Procurve sends Enter (not Space) for the "Press any key" prompt, and its pre_logout is split into separate logout/y/n sends, matching what device2yaml records line-by-line.
…ssword hashes

ProCurve emits `snmp-server host <ip> community "<name>" ...`, but the secret rule matched `snmp-server host <ip> <community>` and so redacted the literal word "community", leaving the community name exposed. Match the optional `community` keyword and hide the name. Also redact `password ... sha1 "<hash>"` local user password hashes (which may wrap onto the next line in captured output), which were previously stored when remove_secret was set. Both covered by a new secret test.
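The SNMP host redaction miss described in the commit message above, shown as an added example that is not part of the pull request or of Oxidized's own code. Both patterns are reconstructed from the message's wording, and the sample config, helper names and placeholder string are constructed assumptions.

```ruby
# Added example, not Oxidized's code: both regexes are reconstructions
# of the rule shapes the commit message describes.

# Constructed sample config (TEST-NET-1 addresses, made-up community names).
SAMPLE = <<~CFG
  hostname "sw1"
  snmp-server host 192.0.2.10 community "s3cr3t-ro" trap-level critical
  snmp-server host 192.0.2.11 "legacy-name"
  vlan 1
CFG

HIDDEN = '<secret hidden>' # assumed placeholder text

# Broken shape: hides whatever single token follows the IP address.
# With the `community` keyword present, that token is the keyword itself.
def redact_old(cfg)
  cfg.gsub(/^(snmp-server host \S+) \S+(.*)$/) { "#{$1} #{HIDDEN}#{$2}" }
end

# Corrected shape: keep an optional `community` keyword, then hide the
# name that follows it, whether quoted (may contain spaces) or bare.
def redact_new(cfg)
  pattern = /^(snmp-server host \S+(?: community)?) (?:"[^"]*"|\S+)(.*)$/
  cfg.gsub(pattern) { "#{$1} #{HIDDEN}#{$2}" }
end

# Regression check for a redaction rule: which known secrets survive?
def leaked(cfg, secrets)
  secrets.select { |s| cfg.include?(s) }
end

if __FILE__ == $PROGRAM_NAME
  secrets = %w[s3cr3t-ro legacy-name]
  puts "old rule leaks: #{leaked(redact_old(SAMPLE), secrets).inspect}"
  puts "new rule leaks: #{leaked(redact_new(SAMPLE), secrets).inspect}"
  puts redact_new(SAMPLE)
end
```

Feeding a fixture with known secret values through the rule and asserting none survive catches this class of miss, where the rule appears to work because a placeholder shows up in the output.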
Strip trailing whitespace from the commented `show` command sections by routing them through a new `clean_comment` helper (comment + rstrip_lines), adding a `String#rstrip_lines` refinement. The regenerated test output shows the trailing-whitespace removal.
0d6db29 to 6c1f2b3
Added the spec model data for tests. Found a few other bugs along the way. Let me know if this would be better suited as multiple PRs.
…dditional HPE Aruba switches use the procurve model
- Replace the vt100 escape code stripping with :escape_codes
- Since escape codes are now stripped before prompt detection, the prompt and expects no longer need to account for them.
- Use the cut_tail and reject_lines refinements.
d8aa439 to 16dc56a
…ecrets

The :secret rule only covered SNMP communities, sha1 password hashes, and RADIUS/TACACS+ keys. With include-credentials (and encrypt-credentials) the running-config can also carry SNMPv3 auth/priv passwords, plaintext/sha256 and encrypted-password local passwords, RADIUS/TACACS+ encrypted-key (resolves ytti#3774), key-chain key material, 802.1X supplicant secrets, SNTP authentication keys, the MACsec pre-shared CAK, and the encrypt-credentials master pre-shared-key. Redact all of them (drawn from the ArubaOS-Switch Access Security Guide). Add two synthetic fixtures, one per mutually-exclusive mode, covering the cleartext/hashed and encrypted- forms respectively.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
16dc56a to 2919901
Pre-Request Checklist
rubocop --auto-correct)
rake test)
Description
MockSsh cut_* and rstrip_lines refinement :escape_codes and simplify the model