From 7344ac6529e663fe6555fb760cc766e0a81b9a2f Mon Sep 17 00:00:00 2001
From: Bo-Yi Wu
Date: Sun, 24 May 2020 10:43:11 +0800
Subject: [PATCH] chore: support UseInsecureCipher (#158)
---
 go.mod | 2 +-
 go.sum | 2 ++
 main.go | 67 ++++++++++++++++++++++++-------------------
 plugin.go | 77 ++++++++++++++++++++++++++------------------------
 plugin_test.go | 35 +++++++++++++++++++++++
 5 files changed, 116 insertions(+), 67 deletions(-)
diff --git a/go.mod b/go.mod
index d244c55..f7fd172 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/appleboy/drone-ssh
 go 1.14

 require (
- github.com/appleboy/easyssh-proxy v1.3.5
+ github.com/appleboy/easyssh-proxy v1.3.6
 github.com/joho/godotenv v1.3.0
 github.com/stretchr/testify v1.3.0
 github.com/urfave/cli v1.22.4
diff --git a/go.sum b/go.sum
index 6257be6..7a147f2 100644
--- a/go.sum
+++ b/go.sum
@@ -5,6 +5,8 @@ github.com/appleboy/easyssh-proxy v1.3.4 h1:yNgzsJ9qaDNGzQILDXEK4boioJMmUUaTUsxY
 github.com/appleboy/easyssh-proxy v1.3.4/go.mod h1:Kk57I3w7OCafOjp5kgZFvxk2fO8Tca5CriBTOsbSbjY=
 github.com/appleboy/easyssh-proxy v1.3.5 h1:EGTCbqAVRcGKHQMFSxz30lQmb+0nXL+jUiCrg/FjHQM=
 github.com/appleboy/easyssh-proxy v1.3.5/go.mod h1:Kk57I3w7OCafOjp5kgZFvxk2fO8Tca5CriBTOsbSbjY=
+github.com/appleboy/easyssh-proxy v1.3.6 h1:YELdI5z/NK/hSspkkcohSa9uJQxA4/e2H+f5jDD6pGA=
+github.com/appleboy/easyssh-proxy v1.3.6/go.mod h1:Kk57I3w7OCafOjp5kgZFvxk2fO8Tca5CriBTOsbSbjY=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
diff --git a/main.go b/main.go
index e6addc2..6b122b6 100644
--- a/main.go
+++ b/main.go
@@ -19,7 +19,6 @@ func main() {
 if filename, found := os.LookupEnv("PLUGIN_ENV_FILE"); found {
 _ = godotenv.Load(filename)
 }
- defaultCiphers := cli.StringSlice{"aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc"}
 app := cli.NewApp()
 app.Name = "Drone SSH"
 app.Usage = "Executing remote ssh commands"
@@ -63,7 +62,11 @@ func main() {
 Name: "ciphers",
 Usage: "The allowed cipher algorithms. If unspecified then a sensible",
 EnvVar: "PLUGIN_CIPHERS,SSH_CIPHERS,CIPHERS,INPUT_CIPHERS",
- Value: &defaultCiphers,
+ },
+ cli.BoolFlag{
+ Name: "useInsecureCipher",
+ Usage: "include more ciphers with use_insecure_cipher",
+ EnvVar: "PLUGIN_USE_INSECURE_CIPHER,SSH_USE_INSECURE_CIPHER,USE_INSECURE_CIPHER,INPUT_USE_INSECURE_CIPHER",
 },
 cli.StringFlag{
 Name: "fingerprint",
@@ -160,7 +163,11 @@ func main() {
 Name: "proxy.ciphers",
 Usage: "The allowed cipher algorithms. If unspecified then a sensible",
 EnvVar: "PLUGIN_PROXY_CIPHERS,SSH_PROXY_CIPHERS,PROXY_CIPHERS,INPUT_PROXY_CIPHERS",
- Value: &defaultCiphers,
+ },
+ cli.BoolFlag{
+ Name: "proxy.useInsecureCipher",
+ Usage: "include more ciphers with use_insecure_cipher",
+ EnvVar: "PLUGIN_PROXY_USE_INSECURE_CIPHER,SSH_PROXY_USE_INSECURE_CIPHER,PROXY_USE_INSECURE_CIPHER,INPUT_PROXY_USE_INSECURE_CIPHER",
 },
 cli.StringFlag{
 Name: "proxy.fingerprint",
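Review bot: The `Usage` text on the new `useInsecureCipher` flag, "include more ciphers with use_insecure_cipher", does not say which ciphers are added or that they are weaker, so an operator cannot judge the risk from the help output; the same wording is repeated on `proxy.useInsecureCipher` in the @@ -160 hunk. Wording along the lines of `Usage: "also offer legacy SSH ciphers considered weak; off by default, enable only for servers that cannot negotiate a modern cipher",` would make the trade-off explicit, once the behaviour is confirmed against easyssh-proxy. Because `Value: &defaultCiphers` is dropped from `ciphers` and `proxy.ciphers`, the effective default now comes from easyssh-proxy v1.3.6, which is not visible in this patch; the removed list offered `arcfour256`, `arcfour128`, `aes128-cbc` and `3des-cbc`, so users whose servers depended on those presumably need the new flag, and that deserves a line in the README or changelog. The truncated context text "If unspecified then a sensible" on both `ciphers` flags could be completed in the same pass.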
@@ -224,33 +231,35 @@ func run(c *cli.Context) error {
 }
 plugin := Plugin{
 Config: Config{
- Key: c.String("ssh-key"),
- KeyPath: c.String("key-path"),
- Username: c.String("user"),
- Password: c.String("password"),
- Passphrase: c.String("ssh-passphrase"),
- Fingerprint: c.String("fingerprint"),
- Host: c.StringSlice("host"),
- Port: c.Int("port"),
- Timeout: c.Duration("timeout"),
- CommandTimeout: c.Duration("command.timeout"),
- Script: scripts,
- ScriptStop: c.Bool("script.stop"),
- Envs: c.StringSlice("envs"),
- Debug: c.Bool("debug"),
- Sync: c.Bool("sync"),
- Ciphers: c.StringSlice("ciphers"),
+ Key: c.String("ssh-key"),
+ KeyPath: c.String("key-path"),
+ Username: c.String("user"),
+ Password: c.String("password"),
+ Passphrase: c.String("ssh-passphrase"),
+ Fingerprint: c.String("fingerprint"),
+ Host: c.StringSlice("host"),
+ Port: c.Int("port"),
+ Timeout: c.Duration("timeout"),
+ CommandTimeout: c.Duration("command.timeout"),
+ Script: scripts,
+ ScriptStop: c.Bool("script.stop"),
+ Envs: c.StringSlice("envs"),
+ Debug: c.Bool("debug"),
+ Sync: c.Bool("sync"),
+ Ciphers: c.StringSlice("ciphers"),
+ UseInsecureCipher: c.Bool("useInsecureCipher"),
 Proxy: easyssh.DefaultConfig{
- Key: c.String("proxy.ssh-key"),
- KeyPath: c.String("proxy.key-path"),
- User: c.String("proxy.username"),
- Password: c.String("proxy.password"),
- Passphrase: c.String("proxy.ssh-passphrase"),
- Fingerprint: c.String("proxy.fingerprint"),
- Server: c.String("proxy.host"),
- Port: c.String("proxy.port"),
- Timeout: c.Duration("proxy.timeout"),
- Ciphers: c.StringSlice("proxy.ciphers"),
+ Key: c.String("proxy.ssh-key"),
+ KeyPath: c.String("proxy.key-path"),
+ User: c.String("proxy.username"),
+ Password: c.String("proxy.password"),
+ Passphrase: c.String("proxy.ssh-passphrase"),
+ Fingerprint: c.String("proxy.fingerprint"),
+ Server: c.String("proxy.host"),
+ Port: c.String("proxy.port"),
+ Timeout: c.Duration("proxy.timeout"),
+ Ciphers: c.StringSlice("proxy.ciphers"),
+ UseInsecureCipher: c.Bool("proxy.useInsecureCipher"),
 },
 },
 Writer: os.Stdout,
diff --git a/plugin.go b/plugin.go
index 6bfc4bf..2a79cd1 100644
--- a/plugin.go
+++ b/plugin.go
@@ -23,23 +23,24 @@ var (
 type (
 // Config for the plugin.
 Config struct {
- Key string
- Passphrase string
- KeyPath string
- Username string
- Password string
- Host []string
- Port int
- Fingerprint string
- Timeout time.Duration
- CommandTimeout time.Duration
- Script []string
- ScriptStop bool
- Envs []string
- Proxy easyssh.DefaultConfig
- Debug bool
- Sync bool
- Ciphers []string
+ Key string
+ Passphrase string
+ KeyPath string
+ Username string
+ Password string
+ Host []string
+ Port int
+ Fingerprint string
+ Timeout time.Duration
+ CommandTimeout time.Duration
+ Script []string
+ ScriptStop bool
+ Envs []string
+ Proxy easyssh.DefaultConfig
+ Debug bool
+ Sync bool
+ Ciphers []string
+ UseInsecureCipher bool
 }

 // Plugin structure
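Review bot: The lookups `c.Bool("useInsecureCipher")` and `c.Bool("proxy.useInsecureCipher")` in the `Config` literal of run() in main.go are the only camelCase flag names here; every other flag read in this literal is lower-case with hyphens or dots (`ssh-key`, `key-path`, `script.stop`, `command.timeout`). Naming them `use-insecure-cipher` and `proxy.use-insecure-cipher` would match, with the same rename in the two `cli.BoolFlag` definitions in the earlier main.go hunks. The environment variable names would stay as they are, so pipeline configuration should be unaffected. run() starts and ends outside this hunk.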
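Review bot: The new `UseInsecureCipher` field in `Config` (plugin.go) has no comment, and from its name it is the one field in the struct that deliberately weakens the transport settings when set. A field comment such as `// UseInsecureCipher asks easyssh-proxy to also offer its insecure cipher list; leave false unless the target only supports legacy ciphers.` would tell the next maintainer why it exists. How it combines with a non-empty `Ciphers` is decided inside easyssh-proxy and cannot be seen in this patch, so that part of the comment should be written after checking the library.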
@@ -56,27 +57,29 @@ func escapeArg(arg string) string {
 func (p Plugin) exec(host string, wg *sync.WaitGroup, errChannel chan error) {
 // Create MakeConfig instance with remote username, server address and path to private key.
 ssh := &easyssh.MakeConfig{
- Server: host,
- User: p.Config.Username,
- Password: p.Config.Password,
- Port: strconv.Itoa(p.Config.Port),
- Key: p.Config.Key,
- KeyPath: p.Config.KeyPath,
- Passphrase: p.Config.Passphrase,
- Timeout: p.Config.Timeout,
- Ciphers: p.Config.Ciphers,
- Fingerprint: p.Config.Fingerprint,
+ Server: host,
+ User: p.Config.Username,
+ Password: p.Config.Password,
+ Port: strconv.Itoa(p.Config.Port),
+ Key: p.Config.Key,
+ KeyPath: p.Config.KeyPath,
+ Passphrase: p.Config.Passphrase,
+ Timeout: p.Config.Timeout,
+ Ciphers: p.Config.Ciphers,
+ Fingerprint: p.Config.Fingerprint,
+ UseInsecureCipher: p.Config.UseInsecureCipher,
 Proxy: easyssh.DefaultConfig{
- Server: p.Config.Proxy.Server,
- User: p.Config.Proxy.User,
- Password: p.Config.Proxy.Password,
- Port: p.Config.Proxy.Port,
- Key: p.Config.Proxy.Key,
- KeyPath: p.Config.Proxy.KeyPath,
- Passphrase: p.Config.Proxy.Passphrase,
- Timeout: p.Config.Proxy.Timeout,
- Ciphers: p.Config.Proxy.Ciphers,
- Fingerprint: p.Config.Proxy.Fingerprint,
+ Server: p.Config.Proxy.Server,
+ User: p.Config.Proxy.User,
+ Password: p.Config.Proxy.Password,
+ Port: p.Config.Proxy.Port,
+ Key: p.Config.Proxy.Key,
+ KeyPath: p.Config.Proxy.KeyPath,
+ Passphrase: p.Config.Proxy.Passphrase,
+ Timeout: p.Config.Proxy.Timeout,
+ Ciphers: p.Config.Proxy.Ciphers,
+ Fingerprint: p.Config.Proxy.Fingerprint,
+ UseInsecureCipher: p.Config.Proxy.UseInsecureCipher,
 },
 }

diff --git a/plugin_test.go b/plugin_test.go
index 5cf5e84..663f587 100644
--- a/plugin_test.go
+++ b/plugin_test.go
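Review bot: Nothing in the `easyssh.MakeConfig` literal of exec() in plugin.go, or elsewhere in the visible hunk, reports that `UseInsecureCipher` is set, so a job running with the weaker cipher set looks identical in the build log to one that is not. A one-line warning before the connection is made would make the downgrade auditable, for example `if p.Config.UseInsecureCipher || p.Config.Proxy.UseInsecureCipher { fmt.Fprintln(os.Stderr, "warning: insecure SSH ciphers enabled for "+host) }`. Writing it to stderr rather than `p.Writer` keeps the output compared in the new test unchanged; whether `fmt` and `os` are already imported in plugin.go is not visible here. The body of exec() continues past the end of this hunk.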
@@ -669,3 +669,38 @@ func TestPlugin_scriptCommands(t *testing.T) {
 })
 }
 }
+
+func TestUseInsecureCipher(t *testing.T) {
+ var (
+ buffer bytes.Buffer
+ expected = `
+ ======CMD======
+ mkdir a/b/c
+ mkdir d/e/f
+ ======END======
+ err: mkdir: can't create directory 'a/b/c': No such file or directory
+ err: mkdir: can't create directory 'd/e/f': No such file or directory
+ `
+ )
+
+ plugin := Plugin{
+ Config: Config{
+ Host: []string{"localhost"},
+ Username: "drone-scp",
+ Port: 22,
+ KeyPath: "./tests/.ssh/id_rsa",
+ Script: []string{
+ "mkdir a/b/c",
+ "mkdir d/e/f",
+ },
+ CommandTimeout: 10 * time.Second,
+ UseInsecureCipher: true,
+ },
+ Writer: &buffer,
+ }
+
+ err := plugin.Exec()
+ assert.NotNil(t, err)
+
+ assert.Equal(t, unindent(expected), unindent(buffer.String()))
+}
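Review bot: `TestUseInsecureCipher` asserts only the mkdir error output, so it passes whether or not `UseInsecureCipher: true` ever reaches the SSH client; it shows that the flag does not break a session, not that the offered cipher list changes. It also depends on an sshd at localhost:22 with the `drone-scp` user and `./tests/.ssh/id_rsa`, which is worth stating above the function, e.g. `// Requires the local test sshd; checks only that a session still works with UseInsecureCipher set.` A case that fails without the flag and succeeds with it, plus one that sets `Proxy.UseInsecureCipher`, would cover the behaviour the patch adds. The cipher names needed for such a case live in easyssh-proxy and are not visible in this patch.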