fix(ns-ha): remove paramiko library

gsanchietti · gsanchietti · commit eb5d0585bc3a · 2025-08-19T10:52:10.000+02:00
Paramiko requies rust. But the rust build is broken on upstream: openwrt/packages#26644
diff --git a/packages/ns-api/Makefile b/packages/ns-api/Makefile
@@ -21,7 +21,7 @@ define Package/ns-api
 	CATEGORY:=NethSecurity
 	TITLE:=NethSecurity REST API
 	URL:=https://github.com/NethServer/nethsecurity-controller/
-	DEPENDS:=+python3-nethsec +python3-openssl +python3-urllib +python3-idna +python3-requests +python3-paramiko
+	DEPENDS:=+python3-nethsec +python3-openssl +python3-urllib +python3-idna +python3-requests +sshpass
 	PKGARCH:=all
 endef
 
diff --git a/packages/ns-api/files/ns.ha b/packages/ns-api/files/ns.ha
@@ -17,8 +17,7 @@ import hashlib
 import time
 from nethsec import utils
 from jinja2 import Template
-import paramiko
-import io
+import tempfile
 import shutil
 
 ### Utilities functions
@@ -83,6 +82,103 @@ def get_device_from_ip(uci, ipaddr):
             return (n, uci.get('network', n, 'device', default=None))
     return (None, None)
 
+def ssh_execute(command, host, port=22, username='root', password=None, private_key_path=None):
+    """
+    Execute SSH command using subprocess
+    """
+    ssh_cmd = ['ssh', '-o', 'StrictHostKeyChecking=no', '-o', 'UserKnownHostsFile=/dev/null']
+    # Add port if not default
+    if port != 22:
+        ssh_cmd.extend(['-p', str(port)])
+    # Handle authentication
+    temp_key_file = None
+    if private_key_path:
+        # Convert dropbear key to OpenSSH format
+        try:
+            proc = subprocess.run(['dropbearconvert', 'dropbear', 'openssh', private_key_path, '-'],
+                                check=True, capture_output=True, text=True)
+            # Create temporary file for the converted key
+            temp_key_file = tempfile.NamedTemporaryFile(mode='w', delete=False, suffix='.pem')
+            temp_key_file.write(proc.stdout)
+            temp_key_file.close()
+            os.chmod(temp_key_file.name, 0o600)
+            ssh_cmd.extend(['-i', temp_key_file.name])
+        except subprocess.CalledProcessError as e:
+            raise utils.ValidationError('ssh_key', f'Failed to convert dropbear key: {e}')
+
+    # Add user@host
+    ssh_cmd.append(f'{username}@{host}')
+
+    # Add command
+    ssh_cmd.append(command)
+
+    try:
+        if password:
+            # Use sshpass for password authentication
+            sshpass_cmd = ['sshpass', '-p', password] + ssh_cmd
+            proc = subprocess.run(sshpass_cmd, capture_output=True, text=True, timeout=30)
+        else:
+            proc = subprocess.run(ssh_cmd, capture_output=True, text=True, timeout=30)
+        return proc.stdout, proc.stderr, proc.returncode
+    except subprocess.TimeoutExpired:
+        raise utils.ValidationError('ssh_timeout', 'SSH command timed out')
+    except FileNotFoundError:
+        if password:
+            raise utils.ValidationError('sshpass_missing', 'sshpass command not found, cannot use password authentication')
+        else:
+            raise utils.ValidationError('ssh_missing', 'ssh command not found')
+    finally:
+        # Clean up temporary key file
+        if temp_key_file and os.path.exists(temp_key_file.name):
+            os.unlink(temp_key_file.name)
+
+def ssh_upload_file(local_file_path, remote_file_path, host, port=22, username='root', password=None, private_key_path=None):
+    """
+    Upload file via SCP using subprocess
+    """
+    # First create the destination directory
+    destination_dir = os.path.dirname(remote_file_path)
+    if destination_dir:
+        _, _, returncode = ssh_execute(f"mkdir -p {destination_dir}", host, port, username, password, private_key_path)
+        if returncode != 0:
+            return False
+    scp_cmd = ['scp', '-o', 'StrictHostKeyChecking=no', '-o', 'UserKnownHostsFile=/dev/null']
+    # Add port if not default
+    if port != 22:
+        scp_cmd.extend(['-P', str(port)])
+    # Handle authentication
+    temp_key_file = None
+    if private_key_path:
+        # Convert dropbear key to OpenSSH format
+        try:
+            proc = subprocess.run(['dropbearconvert', 'dropbear', 'openssh', private_key_path, '-'],
+                                check=True, capture_output=True, text=True)
+            # Create temporary file for the converted key
+            temp_key_file = tempfile.NamedTemporaryFile(mode='w', delete=False, suffix='.pem')
+            temp_key_file.write(proc.stdout)
+            temp_key_file.close()
+            os.chmod(temp_key_file.name, 0o600)
+            scp_cmd.extend(['-i', temp_key_file.name])
+        except subprocess.CalledProcessError as e:
+            return False
+    # Add source and destination
+    scp_cmd.append(local_file_path)
+    scp_cmd.append(f'{username}@{host}:{remote_file_path}')
+    try:
+        if password:
+            # Use sshpass for password authentication
+            sshpass_cmd = ['sshpass', '-p', password] + scp_cmd
+            proc = subprocess.run(sshpass_cmd, capture_output=True, text=True, timeout=60)
+        else:
+            proc = subprocess.run(scp_cmd, capture_output=True, text=True, timeout=60)
+        return proc.returncode == 0
+    except (subprocess.TimeoutExpired, FileNotFoundError):
+        return False
+    finally:
+        # Clean up temporary key file
+        if temp_key_file and os.path.exists(temp_key_file.name):
+            os.unlink(temp_key_file.name)
+
 def allocate_fake_ips(uci):
     wan_counter = 0
     for n in utils.get_all_by_type(uci, 'network', 'interface'):
@@ -159,59 +255,41 @@ def validate_dhcp(lan_interface):
     return errors
 
 def execute_remote_command(command, backup_node_ip=None, port=None):
-    # Connect to the remote server using SSH
+    """Execute a command on the remote backup node using SSH."""
     uci = EUci()
-    ssh = paramiko.SSHClient()
-    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
     if port is None:
         port = uci.get('dropbear', 'ha_link', 'Port', default=None)
     if backup_node_ip is None:
         backup_node_ip = uci.get('keepalived', 'ha_peer', 'address', default=None)
     if not port or not backup_node_ip:
         raise utils.ValidationError('backup_node_ip', 'missing_backup_node_ip')
-    # Convert the private key from Dropbear to OpenSSH format
-    private_key_path = '/etc/keepalived/keys/id_rsa'
-    proc = subprocess.run(['dropbearconvert', 'dropbear', 'openssh', private_key_path, "-"], check=True, capture_output=True, text=True)
-    private_key = paramiko.RSAKey.from_private_key(io.StringIO(proc.stdout))
-    ssh.connect(backup_node_ip, port=port, username='root', pkey=private_key)
-    # Execute the command
-    _, stdout, stderr = ssh.exec_command(command)
-    # Read the output
-    output = stdout.read().decode()
-    error = stderr.read().decode()
-    return output, error
+    stdout, stderr, returncode = ssh_execute(
+        command,
+        backup_node_ip,
+        port=int(port),
+        private_key_path='/etc/keepalived/keys/id_rsa'
+    )
+    if returncode != 0:
+        raise utils.ValidationError('ssh_command', f'Command failed with return code {returncode}: {stderr}')
 
-def upload_remote_file(local_file_path, remote_file_path, backup_node_ip=None, port=None):
-    # Prepare the destination directory
-    destination_dir = os.path.dirname(remote_file_path)
-    execute_remote_command(f"mkdir -p {destination_dir}")
+    return stdout, stderr
 
-    # Connect to the remote server using SSH
+def upload_remote_file(local_file_path, remote_file_path, backup_node_ip=None, port=None):
+    """Upload a file to the remote backup node using SCP."""
     uci = EUci()
-    ssh = paramiko.SSHClient()
-    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
     if port is None:
         port = uci.get('dropbear', 'ha_link', 'Port', default=None)
     if backup_node_ip is None:
         backup_node_ip = uci.get('keepalived', 'ha_peer', 'address', default=None)
     if not port or not backup_node_ip:
         raise utils.ValidationError('backup_node_ip', 'missing_backup_node_ip')
-
-    # Convert the private key from Dropbear to OpenSSH format
-    private_key_path = '/etc/keepalived/keys/id_rsa'
-    proc = subprocess.run(['dropbearconvert', 'dropbear', 'openssh', private_key_path, "-"], check=True, capture_output=True, text=True)
-    private_key = paramiko.RSAKey.from_private_key(io.StringIO(proc.stdout))
-
-    try:
-        # Upload the file using SFTP
-        ssh.connect(backup_node_ip, port=port, username='root', pkey=private_key)
-        sftp = ssh.open_sftp()
-        sftp.put(local_file_path, remote_file_path)
-        sftp.close()
-        ssh.close()
-        return True
-    except Exception as e:
-        return False
+    return ssh_upload_file(
+        local_file_path,
+        remote_file_path,
+        backup_node_ip,
+        port=int(port),
+        private_key_path='/etc/keepalived/keys/id_rsa'
+    )
 
 def find_device_config(uci, device, config=None):
     if config is None:
@@ -677,15 +755,6 @@ def init_remote(ssh_password):
     if not all([primary_node_ip, backup_node_ip, password, pubkey]):
         raise utils.ValidationError('paramters', 'missing_required_configuration_values')
 
-    # Connect to the backup node using paramiko
-    ssh = paramiko.SSHClient()
-    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
-
-    try:
-        ssh.connect(backup_node_ip, port=22, username='root', password=ssh_password)
-    except paramiko.SSHException as e:
-        raise utils.ValidationError('ssh', "ssh_connection_failed")
-
     # Prepare the init-local command
     virtual_ip_sections = utils.get_all_by_type(u, 'keepalived', 'ipaddress')
     virtual_ip = None
@@ -704,15 +773,18 @@ def init_remote(ssh_password):
         "password": password
     })
 
-    # Execute the init-local command on the backup node
-    _, stdout, stderr = ssh.exec_command(f"echo '{init_local_command}' | /usr/libexec/rpcd/ns.ha call init-local")
-    output = stdout.read().decode()
-    error = stderr.read().decode()
-    ssh.close()
-    if error:
-        raise RuntimeError(f"Error executing init-local on backup node: {error}")
-
-    return json.loads(output)
+    # Execute the init-local command on the backup
+    stdout, stderr, returncode = ssh_execute(
+        f"echo '{init_local_command}' | /usr/libexec/rpcd/ns.ha call init-local",
+        backup_node_ip,
+        port=22,
+        password=ssh_password
+    )
+    if returncode != 0:
+        return utils.generic_error(f"ssh_connection_failed: {stderr}")
+    if stderr:
+        return utils.generic_error(f"Error executing init-local on backup node: {stderr}")
+    return json.loads(stdout)
 
 
 def status():
@@ -762,16 +834,6 @@ def validate_requirements(role, lan_interface, wan_interface):
 def check_remote(backup_node_ip, ssh_password, lan_interface, wan_interface):
     errors = []
 
-    # Accessible via SSH on port 22
-    ssh = paramiko.SSHClient()
-    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
-
-    try:
-        ssh.connect(backup_node_ip, port=22, username='root', password=ssh_password)
-    except Exception as e:
-        errors.append('ssh_connection_failed: ' + str(e))
-        return {"success": False, "errors": errors}
-
     # Call validate-configuration on the remote node
     validate_command = json.dumps({
         "role": "backup",
@@ -780,13 +842,22 @@ def check_remote(backup_node_ip, ssh_password, lan_interface, wan_interface):
     })
 
     try:
-        _, stdout, _ = ssh.exec_command(f"echo '{validate_command}' | /usr/libexec/rpcd/ns.ha call validate-requirements")
+        stdout, stderr, returncode = ssh_execute(
+            f"echo '{validate_command}' | /usr/libexec/rpcd/ns.ha call validate-requirements",
+            backup_node_ip,
+            port=22,
+            password=ssh_password
+        )
+        if returncode != 0:
+            errors.append('ssh_connection_failed: ' + stderr)
+            return {"success": False, "errors": errors}
     except Exception as e:
-        errors.append(str(e))
+        errors.append('ssh_connection_failed: ' + str(e))
+        return {"success": False, "errors": errors}
 
     try:
         if stdout:
-            result = json.loads(stdout.read().decode())
+            result = json.loads(stdout)
             if not result.get("success"):
                 errors.extend(result.get("errors", []))
     except:
