Slight fixes for password handling.

[deployable.git] / deploy

#!/usr/bin/env perl
use strict;
use warnings;
my $VERSION = '0.6.0';
use Carp;
use Pod::Usage qw( pod2usage );
use Getopt::Long qw( :config gnu_getopt );
use English qw( -no_match_vars );
use Net::SSH::Perl;
use Net::SSH::Perl::Auth;
use Net::SFTP;
use Net::SFTP::Attributes;
use IO::Prompt;
use Data::Dumper;
use File::Spec::Functions qw( catfile );

my %config = (
   username => 'root',
   debug    => 0,
   dir      => '/tmp/our-deploy',
   prompt   => 1,
);
GetOptions(
   \%config,
   qw(
     usage! help! man! version!

     compress|c!
     debug|D!
     dir|directory|d=s
     password|pass|p:s
     prompt|P!
     script|s=s
     stderr|E!
     stdout|O!
     username|user|u=s
     )
);
pod2usage(message => "$0 $VERSION", -verbose => 99, -sections => ' ')
  if $config{version};
pod2usage(-verbose => 99, -sections => 'USAGE') if $config{usage};
pod2usage(-verbose => 99, -sections => 'USAGE|EXAMPLES|OPTIONS')
  if $config{help};
pod2usage(-verbose => 2) if $config{man};

pod2usage(-verbose => 99, -sections => 'USAGE',
   message => 'Only one allowed between --stdout and --stderr')
   if $config{stdout} && $config{stderr};

# Script implementation here
my @hostnames = @ARGV;
@ARGV = ();

if (exists $config{password}) {
   $config{interactive} = 1;
   $config{identity_files} = [];
   $config{password} = prompt 'password: ', -e => '*'
      unless $config{password};
}

($config{remote} = $config{script}) =~ s{[^\w.-]}{}mxsg;
$config{remote} = catfile($config{dir}, $config{remote});

for my $hostname (@hostnames) {
   eval { operate_on_host($hostname) };
   carp $EVAL_ERROR if $EVAL_ERROR;
}

sub operate_on_host {
   my ($hostname) = @_;
   my $remote = $config{remote};

   print {*STDOUT} "*** OPERATING ON $hostname ***\n";
   if ($config{prompt}) {
      my $choice = lc(prompt "$hostname - continue? (Yes | Skip | No) ",
         -while => qr/\A[nsy]\z/mxs);
      return if $choice eq 's';
      exit 0 if $choice eq 'n';
   } ## end if ($config{prompt})

   # Transfer file into $remote
   my $sftp = get_sftp($hostname);
   make_path($sftp, $config{dir});
   $sftp->put($config{script}, $remote);
   croak "no $remote, sorry. Stopped" unless $sftp->do_stat($remote);

   # Execute file
   my $ssh = get_ssh($hostname);
   $|++;
   print {*STDOUT} "$remote ";
   my ($out, $err, $exit) = $ssh->cmd($remote);
   print {*STDOUT} "exit = $exit\n";

   if ($config{stdout} && defined $out) {
      print {*STDOUT} $out;
   }
   elsif ($config{stderr} && defined $err) {
      print {*STDOUT} $err;
   }
   else {
      for ([STDOUT => $out], [STDERR => $err]) {
         my ($type, $val) = @$_;
         next unless defined $val;
         $val =~ s{\s+\z}{}mxs;
         $val =~ s{^}{$type }gmxs;
         print {*STDOUT} $val, "\n\n";
      } ## end for ([STDOUT => $out], ...
   }

   return;
} ## end sub operate_on_host

sub make_path {
   my ($sftp, $fullpath) = @_;

   my $path = '';
   for my $chunk (split m{/}mxs, $fullpath) {
      $path .= $chunk . '/';    # works fine with the root
      next if $sftp->do_stat($path);
      $sftp->do_mkdir($path, Net::SFTP::Attributes->new());
   }
   croak "no $path, sorry. Stopped" unless $sftp->do_stat($path);

   return;
} ## end sub make_path

sub _get_optionals {
   map { $_ => $config{$_} } grep { exists $config{$_} } qw( interactive identity_files password );
}

sub get_ssh {
   my ($hostname) = @_;
   my %optional;

   my $ssh = Net::SSH::Perl->new(
      $hostname,
      protocol => 2,
      debug    => $config{debug},
      _get_optionals(),
   );
   $ssh->login($config{username}, $config{password}, 'suppress_shell');

   return $ssh;
} ## end sub get_ssh

sub get_sftp {
   my ($hostname) = @_;
   return Net::SFTP->new(
      $hostname,
      warn     => sub { },
      user     => $config{username},
      password => $config{password},
      ssh_args => {
         protocol    => 2,
         debug       => $config{debug},
         compression => $config{compress},
         user        => $config{username},
         _get_optionals(),
      }
   );
} ## end sub get_sftp

__END__

=head1 NAME

deploy - deploy a script on one or more remote hosts, via ssh

=head1 VERSION

See version at beginning of script, variable $VERSION, or call

   shell$ deploy --version

=head1 USAGE

   deploy [--usage] [--help] [--man] [--version]

   deploy [--debug|-D] [--dir|--directory|-d <dirname>]
          [--password|--pass|-p] [--prompt|-P]
          [--script|-s <scriptname>] [--stderr|-E] [--stdout|-O]
          [--username|--user|-u]

=head1 EXAMPLES

   shell$ deploy

   # Upload deploy-script.pl and execute it on each server listed
   # in file "targets"
   shell$ deploy -s deploy-script.pl `cat targets`

   # ... without bugging me prompting confirmations...
   shell$ deploy -s deploy-script.pl --no-prompt `cat targets`

=head1 DESCRIPTION

This utility allows you to I<deploy> a script to one or more remote 
hosts. Thus, you can provide a script that will be uploaded (via 
B<sftp>) to the remote host and executed (via B<ssh>).

Before operations start for each host you will be prompted for
continuation: you can choose to go, skip or quit. You can disable
this by specifying C<--no-prompt>.

By default, directory C</tmp/our-deploy> on the target system will be
used. You can provide your own working directory path on the target system
via the C<--dir|--directory|-d> option. The directory will be created
if it does not exist.

For logging in, you can provide your own username/password pair directly
on the command line. Note that this utility explicitly avoids public
key authentication in favour of username/password authentication. Don't
ask me why, this may change in the future. Anyway, you're not obliged
to provide either on the command line: the username defaults to C<root>,
and you'll be prompted to provide a password if you don't put any
on the command line but specify the C<--password|-p> option without a value.
The prompt does not show the password on the terminal.

By default, L<Net::SSH::Perl> will try to use public/private key
authentication. If you're confident that this method will work, you can
just hit enter when requested for a password, or you can pass
C<-p> without a password on the command line (you can actually pass
every password you can think of, it will be ignored).

=head2 Output Format

The normal output format is geared at easing parsing by other programs. It
is compound of the following parts:

=over

=item *

a single line specifing the hostname/ip, with the following format:

   *** OPERATING ON <hostname> ***

=item *

a single line reporting the exit code from the remote process, with the
following format:

   </path/to/deployed/program> exit = <exit-code>

=item *

0 or more lines starting with C<STDOUT > (note the space);

=item *

0 or more lines starting with C<STDERR > (note the space).

=back

If any of L</--stderr> or L</--stdout> are present, then the relevant
channel is printed on STDOUT immediately after the first two lines of the
format above, unchanged.

=head2 Example Runs

Suppose to have the following script F<bar.sh> to deploy:

   #!/bin/bash

   echo 'Hi there!'
   ls baz
   echo 'How are you all?!?'

If you don't provide any of L</--stderr> or L</--stdout>, you will have
something like this:

   *** OPERATING ON foo.example.com ***
   /tmp/our-deploy/bar.sh exit = 0
   STDOUT Hi there!
   STDOUT How are you all?!?
   STDERR ls: baz: No such file or directory

If you pass L<--stderr> you will get:

   *** OPERATING ON foo.example.com ***
   /tmp/our-deploy/bar.sh exit = 0
   ls: baz: No such file or directory

If you pass L<--stdout> you will get:

   *** OPERATING ON foo.example.com ***
   /tmp/our-deploy/bar.sh exit = 0
   Hi there!
   How are you all?!?

=head1 OPTIONS

=over

=item --debug | -D

turns on debug mode, which should print out more stuff during operations.
You should not need it as a user.

=item --dir | --directory | -d <dirname>

specify the working directory on the target system. This is the
directory into which the deploy script will be uploaded. It will
be created if it does not exist.

Defaults to C</tmp/our-deploy>.

=item --help

print a somewhat more verbose help, showing usage, this description of
the options and some examples from the synopsis.

=item --man

print out the full documentation for the script.

=item --password | --pass | -p <password>

you can specify the password on the command line, even if it's probably
best B<NOT> to do so and wait for the program to prompt you one.

By default, you'll be prompted a password and this will not be written
on the terminal.

=item --prompt | -P

this option enables prompting before operations are started on each
host. When the prompt is enabled, you're presented with three choices:

=over

=item -

B<Yes> continue deployment on the given host;

=item -

B<Skip> skip this host;

=item -

B<No> stop deployment and exit.

=back

One letter suffices. By default, C<Yes> is assumed.

By default this option is I<always> active, so you're probably
interested in C<--no-prompt> to disable it.

=item --script | -s <scriptname>

set the script/program to upload and execute. This script will be uploaded
to the target system (see C<--directory|-d> above), but the name of the
script will be sanitised (only alphanumeric, C<_>, C<.> and C<-> will
be retained), so be careful if you have to look for the uploaded
script later.

=item --stderr | -E

select only the STDERR channel from the responses got via SSH. This
option cannot be used with L</--stdout>.

=item --stdout | -O

select only the STDOUT channel from the responses got via SSH. This
option cannot be used with L</--stderr>.

=item --usage

print a concise usage line and exit.

=item --username | --user | -u <username>

specify the user name to use for logging into the remote host(s).

Defaults to C<root>.

=item --version

print the version of the script.

=back

=head1 DIAGNOSTICS

=over

=item C<< no %s, sorry. Stopped at... >>

The given element is not available on the target system.

In case of the directory, this means that the automatic creation
process did not work for any reason. In case of the script, this
means that the file upload did not work.

=back


=head1 CONFIGURATION AND ENVIRONMENT

deploy requires no configuration files or environment variables.


=head1 DEPENDENCIES

=over

=item -

L<IO::Prompt>

=item -

L<Net::SFTP>

=item -

L<Net::SSH::Perl>

=back


=head1 BUGS AND LIMITATIONS

No bugs have been reported.

Please report any bugs or feature requests through http://rt.cpan.org/


=head1 AUTHOR

Flavio Poletti C<flavio@polettix.it>


=head1 LICENCE AND COPYRIGHT

Copyright (c) 2007-2008, Flavio Poletti C<flavio@polettix.it>.
All rights reserved.

This script is free software; you can redistribute it and/or
modify it under the same terms as Perl itself. See L<perlartistic>
and L<perlgpl>.

Questo script è software libero: potete ridistribuirlo e/o
modificarlo negli stessi termini di Perl stesso. Vedete anche
L<perlartistic> e L<perlgpl>.


=head1 DISCLAIMER OF WARRANTY

BECAUSE THIS SOFTWARE IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE SOFTWARE, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE SOFTWARE "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE SOFTWARE IS WITH
YOU. SHOULD THE SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL
NECESSARY SERVICING, REPAIR, OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE SOFTWARE AS PERMITTED BY THE ABOVE LICENCE, BE
LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL,
OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE
THE SOFTWARE (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE SOFTWARE TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.

=head1 NEGAZIONE DELLA GARANZIA

Poiché questo software viene dato con una licenza gratuita, non
c'è alcuna garanzia associata ad esso, ai fini e per quanto permesso
dalle leggi applicabili. A meno di quanto possa essere specificato
altrove, il proprietario e detentore del copyright fornisce questo
software "così com'è" senza garanzia di alcun tipo, sia essa espressa
o implicita, includendo fra l'altro (senza però limitarsi a questo)
eventuali garanzie implicite di commerciabilità e adeguatezza per
uno scopo particolare. L'intero rischio riguardo alla qualità ed
alle prestazioni di questo software rimane a voi. Se il software
dovesse dimostrarsi difettoso, vi assumete tutte le responsabilità
ed i costi per tutti i necessari servizi, riparazioni o correzioni.

In nessun caso, a meno che ciò non sia richiesto dalle leggi vigenti
o sia regolato da un accordo scritto, alcuno dei detentori del diritto
di copyright, o qualunque altra parte che possa modificare, o redistribuire
questo software così come consentito dalla licenza di cui sopra, potrà
essere considerato responsabile nei vostri confronti per danni, ivi
inclusi danni generali, speciali, incidentali o conseguenziali, derivanti
dall'utilizzo o dall'incapacità di utilizzo di questo software. Ciò
include, a puro titolo di esempio e senza limitarsi ad essi, la perdita
di dati, l'alterazione involontaria o indesiderata di dati, le perdite
sostenute da voi o da terze parti o un fallimento del software ad
operare con un qualsivoglia altro software. Tale negazione di garanzia
rimane in essere anche se i dententori del copyright, o qualsiasi altra
parte, è stata avvisata della possibilità di tali danneggiamenti.

Se decidete di utilizzare questo software, lo fate a vostro rischio
e pericolo. Se pensate che i termini di questa negazione di garanzia
non si confacciano alle vostre esigenze, o al vostro modo di
considerare un software, o ancora al modo in cui avete sempre trattato
software di terze parti, non usatelo. Se lo usate, accettate espressamente
questa negazione di garanzia e la piena responsabilità per qualsiasi
tipo di danno, di qualsiasi natura, possa derivarne.

=cut