2.0.0

DKroot · DKroot · commit c5552db2ccde · 2023-05-19T09:47:45.000-04:00
diff --git a/ssh-oci-bastion.sh b/ssh-oci-bastion.sh
@@ -13,8 +13,8 @@ NAME
 
 SYNOPSIS
 
-    $SCRIPT_NAME_WITH_EXT [-n] host_user
-    $SCRIPT_NAME_WITH_EXT -p forwarded_host_port
+    $SCRIPT_NAME_WITH_EXT [-o OCI_profile] [-n] host_user
+    $SCRIPT_NAME_WITH_EXT [-o OCI_profile] -p forwarded_host_port
     $SCRIPT_NAME_WITH_EXT -h: display this help
 
 DESCRIPTION
@@ -23,7 +23,7 @@ DESCRIPTION
     host_user
       * Create a session on the bastion for the OCI host with the maximum possible duration (3 h.)
 
-      * Configure (add or update) host-specific \`ProxyJump\` directive parameter in the SSH config, which enables
+      * Configure (append or update) host-specific \`ProxyJump\` directive parameter in the SSH config, which enables
       SSH/SFTP in all clients for the session duration.
 
       * ssh as the specified user (unless -n is specified).
@@ -34,11 +34,15 @@ DESCRIPTION
                             then the OCI host. The tunnel process would run until the session expires or the process is
                             terminated by the user.
 
-ENVIRONMENT
+    -o OCI_profile          use a specified profile section from the \`~/.oci/config\` file [default: \`DEFAULT\`]
 
-    * OCI CLI is required to be installed.
+ENVIRONMENT
 
-    * \`jq\` is required to be installed.
+    * Required commands:
+      * OCI CLI
+      * \`jq\`
+      * \`pcregrep\`
+      * \`perl\`
 
     * Required environment variables:
       * \`OCI_INSTANCE\`, Internal FQDN or Private IP e.g., \`kharkiv.subxxx.main.oraclevcn.com\`
@@ -48,106 +52,41 @@ ENVIRONMENT
     * One of the following SSH public keys in \`~/.ssh/\`: \`id_rsa.pub\`, \`id_dsa.pub\`, \`id_ecdsa.pub\`,
       \`id_ed25519.pub\`, or \`id_xmss.pub\`. If there are multiple keys the first one found in this order will be used.
 
-    Limitations for the \`host_user\` mode:
-      1. There is only one OCI bastion session proxy jump host that is being configured in the SSH config.
-      2. The OCI host is not yet configured in the SSH config before the first run of this script.
+    * If the SSH config has global (\`Host *\`) \`ProxyJump\` parameter it would take precedence.
+    Since the first obtained value for each parameter is used, more host-specific declarations should be given near the
+    beginning of the file, and general defaults at the end. Prepend the following configuration manually in this case
+    before using this script:
+    \`\`\`
+    Host {target}
+      ProxyJump
+    \`\`\`
 
-v1.2.0                                        April 2023                                       Created by Dima Korobskiy
+v2.0.0                                         May 2023                                        Created by Dima Korobskiy
 Credits: George Chacko, Oracle
 HEREDOC
   exit 1
 }
 
-########################################################################################################################
-# Update or insert a property value in a file. The inserted line could be appended or prepended.
-#
-# Arguments:
-#   $1     file
-#   $2     key: an ERE expression. It is matched as a line substring.
-#          When key = `^` no matching is done, and the replacement line is *prepended*.
-#   $3     (optional) property value line. All matching lines get replaced with this. Defaults to key.
-#
-# Returns:
-#   None
-#
-# Examples:
-#   upsert /etc/ssh/sshd_config 'IgnoreRhosts ' 'IgnoreRhosts yes'
-#   upsert /etc/ssh/sshd_config '#*Banner ' 'Banner /etc/issue.net'
-#   upsert /etc/logrotate.d/syslog ^ /var/log/cron
-#   upsert ~/.ssh/config "Host ${OCI_INSTANCE}"
-#
-# Author: Dima Korobskiy
-# Credits: https://superuser.com/questions/590630/sed-how-to-replace-line-if-found-or-append-to-end-of-file-if-not-found
-########################################################################################################################
-upsert() {
-  local file="$1"
-  # Escape all `/` as `\/`
-  local -r key="${2//\//\/}"
-  local value="${3:-$2}"
-  if [[ $3 ]]; then
-    echo "\`${file}\` / \`${key}\` := \`${value}\`"
-  else
-    echo "\`${file}\` << \`${key}\`"
-  fi
-
-  if [[ -s "$file" ]]; then
-    # Escape all `/` as `\/`
-    value="${value//\//\/}"
-
-    case $OSTYPE in
-      darwin*) local sed_options=(-I '' -E) ;;
-      linux*) local sed_options=(--in-place --regexp-extended) ;;
-    esac
-
-    if [[ "$key" == "^" ]]; then
-      # no matching is done and the replacement line is *prepended*
-
-      sed "${sed_options[@]}" "1i${value}" "$file"
-    else
-      # For each matching line (`/.../`), copy it to the hold space (`h`) then substitute the whole line with the
-      # `value` (`s`). If the `key` is anchored (`^prefix`), the key line is still matched via `^.*${key}.*`: the second
-      # anchor gets ignored.
-      #
-      # On the last line (`$`): exchange (`x`) hold space and pattern space then check if the latter is empty. If it's
-      # empty, that means no match was found so replace the pattern space with the desired value (`s`) then append
-      # (`H`) to the current line in the hold buffer. If it's not empty, it means the substitution was already made.
-      #
-      # Finally, exchange again (`x`).
-      sed "${sed_options[@]}" "/${key}/{
-          h
-          s/^.*${key}.*/${value}/
-        }
-        \${
-          x
-          /^\$/{
-            s//${value}/
-            H
-          }
-          x
-        }" "$file"
-    fi
-  else
-    # No file or empty file
-    echo -e "$value" >"$file"
-  fi
-}
-
 #declare -a ports
 # If a character is followed by a colon, the option is expected to have an argument
-while getopts p:nh OPT; do
+while getopts np:o:h OPT; do
   case "$OPT" in
+    n)
+      readonly SKIP_SSH=true
+      ;;
     p)
       port="$OPTARG"
       #ports+=("$OPTARG")
       ;;
-    n)
-      readonly SKIP_SSH=true
+    o)
+      readonly PROFILE_OPT="--profile $OPTARG"
       ;;
     *) # -h or `?`: an unknown option
       usage
       ;;
   esac
 done
+echo -e "\n# \`$0 $*\`: run by \`${USER:-${USERNAME:-${LOGNAME:-UID #$UID}}}@${HOSTNAME}\`, in \`${PWD}\` #\n"
 shift $((OPTIND - 1))
 
 # Process positional parameters
@@ -165,16 +104,24 @@ if ! command -v jq >/dev/null; then
   exit 1
 fi
 
+if ! command -v pcregrep >/dev/null; then
+  # shellcheck disable=SC2016
+  echo >&2 'Please install PCRE'
+  exit 1
+fi
+
+if ! command -v perl > /dev/null; then
+  echo "Please install Perl"
+  exit 1
+fi
+
 for required_env_var in 'OCI_INSTANCE' 'OCI_INSTANCE_OCID' 'OCI_BASTION_OCID'; do
   if [[ ! ${!required_env_var} ]]; then
     echo >&2 "Please define $required_env_var"
     exit 1
   fi
 done
 
-# `${USER:-${USERNAME:-${LOGNAME}}}` might not be available inside Docker containers
-echo -e "\n# oci-bastion.sh: running under $(whoami)@${HOSTNAME} in ${PWD} #"
-
 readonly MAX_TTL=$((3 * 60 * 60))
 readonly CHECK_INTERVAL_SEC=5
 # Intermittent `Permission denied (publickey)` errors might occur when trying to ssh immediately after session creation
@@ -201,12 +148,16 @@ if [[ $port ]]; then
   # `--session-ttl`: session duration in seconds (defaults to 30 minutes, maximum is 3 hours).
   # `--wait-interval-seconds`: state check interval (defaults to 30 seconds).
   # `--ssh-public-key-file` is required
-  session_ocid=$(time oci bastion session create-port-forwarding --bastion-id "$OCI_BASTION_OCID" \
+  # shellcheck disable=SC2086 # $PROFILE_OPT is a two-word CLI option
+  session_ocid=$(time oci bastion session create-port-forwarding $PROFILE_OPT --bastion-id "$OCI_BASTION_OCID" \
     --target-resource-id "$OCI_INSTANCE_OCID" --target-private-ip "${OCI_INSTANCE}" --target-port "$port" \
     --session-ttl $MAX_TTL --ssh-public-key-file $SSH_PUB_KEY --wait-for-state SUCCEEDED --wait-for-state FAILED \
     --wait-interval-seconds $CHECK_INTERVAL_SEC | jq --raw-output '.data.resources[0].identifier')
   echo "Bastion Port Forwarding Session OCID=$session_ocid"
-  ssh_command=$(oci bastion session get --session-id "$session_ocid" | jq --raw-output '.data["ssh-metadata"].command')
+
+  # shellcheck disable=SC2086 # $PROFILE_OPT is a two-word CLI option
+  ssh_command=$(oci bastion session get $PROFILE_OPT --session-id "$session_ocid" \
+    | jq --raw-output '.data["ssh-metadata"].command')
   # Result: `ssh -i <privateKey> -N -L <localPort>:{HOST_IP}:5432 -p 22 ocid1.bastionsession.xx@yy.oraclecloud.com`
   # Remove the placeholder
   ssh_command="${ssh_command/-i <privateKey>/}"
@@ -227,12 +178,16 @@ if [[ $HOST_USER ]]; then
   # `--session-ttl`: session duration in seconds (defaults to 30 minutes, maximum is 3 hours).
   # `--wait-interval-seconds`: state check interval (defaults to 30 seconds).
   # `--ssh-public-key-file` is required
-  session_ocid=$(time oci bastion session create-managed-ssh --bastion-id "$OCI_BASTION_OCID" \
+  # shellcheck disable=SC2086 # $PROFILE_OPT is a two-word CLI option
+  session_ocid=$(time oci bastion session create-managed-ssh $PROFILE_OPT --bastion-id "$OCI_BASTION_OCID" \
     --target-resource-id "$OCI_INSTANCE_OCID" --target-os-username "$HOST_USER" --session-ttl $MAX_TTL \
     --ssh-public-key-file $SSH_PUB_KEY --wait-for-state SUCCEEDED --wait-for-state FAILED \
     --wait-interval-seconds $CHECK_INTERVAL_SEC | jq --raw-output '.data.resources[0].identifier')
   echo "Bastion Session OCID=$session_ocid"
-  ssh_command=$(oci bastion session get --session-id "$session_ocid" | jq --raw-output '.data["ssh-metadata"].command')
+
+  # shellcheck disable=SC2086 # $PROFILE_OPT is a two-word CLI option
+  ssh_command=$(oci bastion session get $PROFILE_OPT --session-id "$session_ocid" \
+    | jq --raw-output '.data["ssh-metadata"].command')
   # Result: `ssh -i <privateKey> -o ProxyCommand=\"ssh -i <privateKey> -W %h:%p -p 22
   #   ocid1.bastionsession.xx@yy.oraclecloud.com\" -p 22 {HOST_USER}@{HOST_IP}`
   # Extract the bastion session SSH destination: the `ocid1.bastionsession.xx@yy.oraclecloud.com` part
@@ -241,8 +196,23 @@ if [[ $HOST_USER ]]; then
   # Remove the string tail and reconstruct `ocid1.bastionsession.xx@yy.oraclecloud.com`
   bastion_session_dest="ocid1.bastionsession.${bastion_session_dest%%oraclecloud.com*}oraclecloud.com"
 
-  upsert ~/.ssh/config "Host ${OCI_INSTANCE}"
-  upsert ~/.ssh/config '  ProxyJump ocid1.bastionsession.' "  ProxyJump ${bastion_session_dest}"
+  # Multi-line upsert
+  if pcregrep -M -q "(?s)Host ${OCI_INSTANCE}.*?ProxyJump" ~/.ssh/config; then
+    # Update
+
+    # -i input edited in-place
+    # -p iterate over filename arguments
+    # -0 use null as record separator
+    # `@host` in the bastion session has to be escaped
+    perl -i -p -0 -e "s/(Host ${OCI_INSTANCE}.*?)ProxyJump.*/\1ProxyJump ${bastion_session_dest//@/\\@}/s" ~/.ssh/config
+  else
+    # Append
+    cat >>~/.ssh/config <<HEREDOC
+
+Host ${OCI_INSTANCE}
+  ProxyJump ${bastion_session_dest}
+HEREDOC
+  fi
 
   if [[ $SKIP_SSH ]]; then
     exit 0
