bssh 2.1.2

Parallel SSH command execution tool for cluster management
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303

// Copyright 2025 Lablup Inc. and Jeongkyu Shin
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//! Core SSH configuration parsing functionality
//!
//! This module contains the main parsing logic for SSH configurations,
//! including the 2-pass parsing strategy for Include and Match directives.

use crate::ssh::ssh_config::include::{combine_included_files, resolve_includes};
use crate::ssh::ssh_config::match_directive::{MatchBlock, MatchCondition};
use crate::ssh::ssh_config::types::{ConfigBlock, SshHostConfig};
use anyhow::{Context, Result};
use std::path::Path;

use super::options;

/// Parse SSH configuration content with Include and Match support
pub fn parse(content: &str) -> Result<Vec<SshHostConfig>> {
    // For synchronous parsing without file path, we can't resolve includes
    // This maintains backward compatibility for tests and simple usage
    parse_without_includes(content)
}

/// Parse SSH configuration from a file with full Include support
pub async fn parse_from_file(path: &Path, content: &str) -> Result<Vec<SshHostConfig>> {
    // Pass 1: Resolve all Include directives
    let included_files = resolve_includes(path, content)
        .await
        .with_context(|| format!("Failed to resolve includes for {}", path.display()))?;

    // Combine all included files into a single configuration
    let combined_content = combine_included_files(&included_files);

    // Pass 2: Parse the combined configuration
    parse_without_includes(&combined_content)
}

/// Parse SSH configuration content without Include resolution
pub(super) fn parse_without_includes(content: &str) -> Result<Vec<SshHostConfig>> {
    // Security: Set reasonable limits to prevent DoS attacks
    const MAX_LINE_LENGTH: usize = 8192; // 8KB per line should be more than enough
    const MAX_VALUE_LENGTH: usize = 4096; // 4KB for individual values

    let mut configs = Vec::new();
    let mut current_config: Option<SshHostConfig> = None;
    let mut current_match: Option<MatchBlock> = None;
    let mut line_number = 0;
    let mut in_match_block = false;

    for line in content.lines() {
        line_number += 1;

        // Skip source file comments added by include resolution
        if line.starts_with("# Source:") {
            continue;
        }

        // Security: Check line length to prevent DoS
        if line.len() > MAX_LINE_LENGTH {
            anyhow::bail!("Line {line_number} exceeds maximum length of {MAX_LINE_LENGTH} bytes");
        }

        let line = line.trim();

        // Skip empty lines and comments
        if line.is_empty() || line.starts_with('#') {
            continue;
        }

        // Get lowercase version of line for keyword detection
        let lower_line = line.to_lowercase();

        // Check for Include directive (should have been resolved in pass 1)
        if lower_line.starts_with("include") {
            // In direct parsing mode, we skip Include directives
            tracing::debug!(
                "Skipping Include directive at line {} (not in file mode)",
                line_number
            );
            continue;
        }

        // Check for Match directive
        if lower_line.starts_with("match ")
            || lower_line.starts_with("match\t")
            || lower_line == "match"
            || lower_line.starts_with("match=")
        {
            // Save previous config if any
            if let Some(config) = current_config.take() {
                configs.push(config);
            }
            if let Some(match_block) = current_match.take() {
                configs.push(match_block.config);
            }

            // Parse Match conditions
            let conditions = MatchCondition::parse_match_line(line, line_number)?;

            // Create new Match block
            let mut match_block = MatchBlock::new(line_number);
            match_block.conditions = conditions.clone();

            // Create config for this Match block
            let config = SshHostConfig {
                block_type: Some(ConfigBlock::Match(conditions)),
                ..Default::default()
            };
            match_block.config = config;

            current_match = Some(match_block);
            current_config = None;
            in_match_block = true;
            continue;
        }

        // Check for Host directive (must be "host" not "hostname" etc.)
        if lower_line.starts_with("host ")
            || lower_line.starts_with("host\t")
            || lower_line == "host"
            || (lower_line.starts_with("host=") && !lower_line.starts_with("hostname="))
        {
            // Save previous config if any
            if let Some(config) = current_config.take() {
                configs.push(config);
            }
            if let Some(match_block) = current_match.take() {
                configs.push(match_block.config);
            }

            // Parse Host patterns
            let patterns = parse_host_line(line, line_number)?;

            // Create new Host config
            let config = SshHostConfig {
                host_patterns: patterns.clone(),
                block_type: Some(ConfigBlock::Host(patterns)),
                ..Default::default()
            };

            current_config = Some(config);
            current_match = None;
            in_match_block = false;
            continue;
        }

        // Parse configuration option
        let (keyword, args) = parse_config_line(line, line_number, MAX_VALUE_LENGTH)?;

        if keyword.is_empty() {
            continue;
        }

        // Apply option to current config block
        if in_match_block {
            if let Some(ref mut match_block) = current_match {
                options::parse_option(&mut match_block.config, &keyword, &args, line_number)
                    .with_context(|| format!("Error at line {line_number}: {line}"))?;
            }
        } else if let Some(ref mut config) = current_config {
            options::parse_option(config, &keyword, &args, line_number)
                .with_context(|| format!("Error at line {line_number}: {line}"))?;
        } else {
            // Global option outside any block
            // In OpenSSH, these set defaults but we're ignoring them for now
            tracing::debug!(
                "Ignoring global option '{}' at line {}",
                keyword,
                line_number
            );
        }
    }

    // Don't forget the last config
    if let Some(config) = current_config {
        configs.push(config);
    }
    if let Some(match_block) = current_match {
        configs.push(match_block.config);
    }

    Ok(configs)
}

/// Parse a Host directive line
pub(super) fn parse_host_line(line: &str, line_number: usize) -> Result<Vec<String>> {
    let line = line.trim();

    // Support both "Host pattern" and "Host=pattern" syntax
    let patterns_str = if let Some(pos) = line.find('=') {
        // Host=pattern syntax
        if line[..pos].trim().to_lowercase() != "host" {
            anyhow::bail!("Invalid Host directive at line {line_number}");
        }
        line[pos + 1..].trim()
    } else {
        // Host pattern syntax
        let parts: Vec<&str> = line.split_whitespace().collect();
        if parts.is_empty() || parts[0].to_lowercase() != "host" {
            anyhow::bail!("Invalid Host directive at line {line_number}");
        }
        if parts.len() < 2 {
            anyhow::bail!("Host directive requires at least one pattern at line {line_number}");
        }
        // Join all parts after "Host"
        line[parts[0].len()..].trim()
    };

    if patterns_str.is_empty() {
        anyhow::bail!("Host directive requires at least one pattern at line {line_number}");
    }

    // Split into individual patterns
    let patterns: Vec<String> = patterns_str
        .split_whitespace()
        .map(|s| s.to_string())
        .collect();

    Ok(patterns)
}

/// Parse a configuration line into keyword and arguments
pub(super) fn parse_config_line(
    line: &str,
    line_number: usize,
    max_value_length: usize,
) -> Result<(String, Vec<String>)> {
    let line = line.trim();

    // Determine if using equals syntax
    let eq_pos = line.find('=');
    let uses_equals_syntax = if let Some(pos) = eq_pos {
        // Has equals sign - extract first word to check
        let prefix = &line[..pos];
        let first_word = prefix
            .split_whitespace()
            .next()
            .unwrap_or("")
            .to_lowercase();
        // Host and Match never use equals syntax
        !matches!(first_word.as_str(), "host" | "match")
    } else {
        false
    };

    let (keyword, args) = if let Some(pos) = eq_pos.filter(|_| uses_equals_syntax) {
        // Option=Value syntax
        let key_part = line[..pos].trim();
        let value_part = &line[pos + 1..];

        if key_part.is_empty() {
            return Ok((String::new(), vec![]));
        }

        let trimmed_value = value_part.trim();

        // Security: Check value length
        if trimmed_value.len() > max_value_length {
            anyhow::bail!(
                "Value at line {line_number} exceeds maximum length of {max_value_length} bytes"
            );
        }

        let args = if trimmed_value.is_empty() {
            vec![]
        } else {
            // Special handling for comma-separated options
            match key_part.to_lowercase().as_str() {
                "ciphers"
                | "macs"
                | "hostkeyalgorithms"
                | "kexalgorithms"
                | "preferredauthentications"
                | "protocol" => trimmed_value
                    .split(',')
                    .map(|s| s.trim().to_string())
                    .collect(),
                _ => vec![trimmed_value.to_string()],
            }
        };

        (key_part.to_lowercase(), args)
    } else {
        // Option Value syntax (space-separated)
        let mut parts = line.split_whitespace();
        let keyword = parts.next().unwrap_or("").to_lowercase();
        let args: Vec<String> = parts.map(|s| s.to_string()).collect();
        (keyword, args)
    };

    Ok((keyword, args))
}