Unity-Technologies
diff --git a/‎basic_cmds_test.go
Lines changed: 26 additions & 2 deletions b/‎basic_cmds_test.go
Lines changed: 26 additions & 2 deletions
diff --git a/‎client.go
Lines changed: 34 additions & 11 deletions b/‎client.go
Lines changed: 34 additions & 11 deletions
diff --git a/‎client_test.go
Lines changed: 129 additions & 1 deletion b/‎client_test.go
Lines changed: 129 additions & 1 deletion
@@ -20,18 +20,42 @@ func TestCmdsBasic(t *testing.T) {
 	if !assert.NoError(t, err) {
 		return
 	}
+	defer func() {
+		assert.NoError(t, c.Close())
+	}()
+
+	testCmdsBasic(t, c)
+}
+
+func TestCmdsBasicSSH(t *testing.T) {
+	s := newServer(t)
+	if s == nil {
+		return
+	}
+	s.useSSH = true
+	defer func() {
+		assert.NoError(t, s.Close())
+	}()
 
+	c, err := NewClient(s.Addr, Timeout(time.Second*2), SSH(sshClientTestConfig))
+	if !assert.NoError(t, err) {
+		return
+	}
 	defer func() {
 		assert.NoError(t, c.Close())
 	}()
 
+	testCmdsBasic(t, c)
+}
+
+func testCmdsBasic(t *testing.T, c *Client) { //nolint: thelper
 	auth := func(t *testing.T) {
 		t.Helper()
-		if err = c.Login("user", "pass"); !assert.NoError(t, err) {
+		if err := c.Login("user", "pass"); !assert.NoError(t, err) {
 			return
 		}
 
-		if err = c.Logout(); !assert.NoError(t, err) {
+		if err := c.Logout(); !assert.NoError(t, err) {
 			return
 		}
 	}
 
@@ -9,12 +9,11 @@ import (
 	"regexp"
 	"strings"
 	"time"
+
+	"golang.org/x/crypto/ssh"
 )
 
 const (
-	// DefaultPort is the default TeamSpeak 3 ServerQuery port.
-	DefaultPort = 10011
-
 	// MaxParseTokenSize is the maximum buffer size used to parse the
 	// server responses.
 	// It's relatively large to enable us to deal with the typical responses
@@ -44,9 +43,18 @@ var (
 	DefaultNotifyBufSize = 5
 )
 
+// Connection is a connection to a TeamSpeak 3 server.
+// It's a wrapper around net.Conn with a Connect method.
+type Connection interface {
+	net.Conn
+
+	// Connect connects to the server on addr with a timeout.
+	Connect(addr string, timeout time.Duration) error
+}
+
 // Client is a TeamSpeak 3 ServerQuery client.
 type Client struct {
-	conn          net.Conn
+	conn          Connection
 	timeout       time.Duration
 	keepAlive     time.Duration
 	scanner       *bufio.Scanner
@@ -114,13 +122,29 @@ func ConnectHeader(connectHeader string) func(*Client) error {
 	}
 }
 
-// NewClient returns a new TeamSpeak 3 client connected to addr.
-func NewClient(addr string, options ...func(c *Client) error) (*Client, error) {
-	if !strings.Contains(addr, ":") {
-		addr = fmt.Sprintf("%v:%v", addr, DefaultPort)
+// SSH tells the client to use SSH instead of insecure legacy TCP.
+// A valid login has to be provided with ssh.ClientConfig.
+//
+// Example config (missing host-key validation):
+//
+//	&ssh.ClientConfig{
+//		User: "serveradmin",
+//		Auth: []ssh.AuthMethod{
+//			ssh.Password("password"),
+//		},
+//	}
+func SSH(config *ssh.ClientConfig) func(*Client) error {
+	return func(c *Client) error {
+		c.conn = &sshConnection{config: config}
+		return nil
 	}
+}
 
+// NewClient returns a new TeamSpeak 3 client connected to addr.
+// Use with SSH where possible for improved security.
+func NewClient(addr string, options ...func(c *Client) error) (*Client, error) {
 	c := &Client{
+		conn:          new(legacyConnection),
 		timeout:       DefaultTimeout,
 		keepAlive:     DefaultKeepAlive,
 		buf:           make([]byte, startBufSize),
@@ -145,9 +169,8 @@ func NewClient(addr string, options ...func(c *Client) error) (*Client, error) {
 	// Wire up command groups
 	c.Server = &ServerMethods{Client: c}
 
-	var err error
-	if c.conn, err = net.DialTimeout("tcp", addr, c.timeout); err != nil {
-		return nil, fmt.Errorf("client: dial timeout: %w", err)
+	if err := c.conn.Connect(addr, c.timeout); err != nil {
+		return nil, fmt.Errorf("client: connect: %w", err)
 	}
 
 	c.scanner = bufio.NewScanner(bufio.NewReader(c.conn))
 
@@ -40,6 +40,38 @@ func TestClient(t *testing.T) {
 	assert.Error(t, err)
 }
 
+func TestClientSSH(t *testing.T) {
+	s := newServer(t)
+	if s == nil {
+		return
+	}
+	s.useSSH = true
+	defer func() {
+		assert.NoError(t, s.Close())
+	}()
+
+	c, err := NewClient(s.Addr, Timeout(time.Second), SSH(sshClientTestConfig))
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	defer func() {
+		assert.Error(t, c.Close())
+	}()
+
+	_, err = c.Exec("version")
+	assert.NoError(t, err)
+
+	_, err = c.ExecCmd(NewCmd("version"))
+	assert.NoError(t, err)
+
+	_, err = c.ExecCmd(NewCmd("invalid"))
+	assert.Error(t, err)
+
+	_, err = c.ExecCmd(NewCmd("disconnect"))
+	assert.Error(t, err)
+}
+
 func TestClientNilOption(t *testing.T) {
 	_, err := NewClient("", nil)
 	if !assert.Error(t, err) {
@@ -79,6 +111,27 @@ func TestClientDisconnect(t *testing.T) {
 	assert.Error(t, err)
 }
 
+func TestClientDisconnectSSH(t *testing.T) {
+	s := newServer(t)
+	if s == nil {
+		return
+	}
+	s.useSSH = true
+	defer func() {
+		assert.NoError(t, s.Close())
+	}()
+
+	c, err := NewClient(s.Addr, Timeout(time.Second), SSH(sshClientTestConfig))
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	assert.NoError(t, c.Close())
+
+	_, err = c.Exec("version")
+	assert.Error(t, err)
+}
+
 func TestClientWriteFail(t *testing.T) {
 	s := newServer(t)
 	if s == nil {
@@ -92,7 +145,7 @@ func TestClientWriteFail(t *testing.T) {
 	if !assert.NoError(t, err) {
 		return
 	}
-	assert.NoError(t, c.conn.(*net.TCPConn).CloseWrite())
+	assert.NoError(t, c.conn.(*legacyConnection).Conn.(*net.TCPConn).CloseWrite())
 
 	_, err = c.Exec("version")
 	assert.Error(t, err)
@@ -108,6 +161,16 @@ func TestClientDialFail(t *testing.T) {
 	assert.NoError(t, c.Close())
 }
 
+func TestClientDialFailSSH(t *testing.T) {
+	c, err := NewClient("127.0.0.1", Timeout(time.Nanosecond), SSH(sshClientTestConfig))
+	if assert.Error(t, err) {
+		return
+	}
+
+	// Should never get here
+	assert.NoError(t, c.Close())
+}
+
 func TestClientTimeout(t *testing.T) {
 	s := newServer(t)
 	if s == nil {
@@ -127,6 +190,26 @@ func TestClientTimeout(t *testing.T) {
 	assert.Error(t, err)
 }
 
+func TestClientTimeoutSSH(t *testing.T) {
+	s := newServer(t)
+	if s == nil {
+		return
+	}
+	s.useSSH = true
+	defer func() {
+		assert.NoError(t, s.Close())
+	}()
+
+	c, err := NewClient(s.Addr, Timeout(time.Millisecond*100), SSH(sshClientTestConfig))
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	// Not receiving a response must cause a timeout
+	_, err = c.Exec(" ")
+	assert.Error(t, err)
+}
+
 func TestClientDeadline(t *testing.T) {
 	s := newServer(t)
 	if s == nil {
@@ -151,6 +234,31 @@ func TestClientDeadline(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func TestClientDeadlineSSH(t *testing.T) {
+	s := newServer(t)
+	if s == nil {
+		return
+	}
+	s.useSSH = true
+	defer func() {
+		assert.NoError(t, s.Close())
+	}()
+
+	c, err := NewClient(s.Addr, Timeout(time.Millisecond*100), SSH(sshClientTestConfig))
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	_, err = c.Exec("version")
+	assert.NoError(t, err)
+
+	// Inactivity must not cause a timeout
+	time.Sleep(c.timeout * 2)
+
+	_, err = c.Exec("version")
+	assert.NoError(t, err)
+}
+
 func TestClientNoHeader(t *testing.T) {
 	s := newServerStopped(t)
 	if s == nil {
@@ -211,6 +319,26 @@ func TestClientFailConn(t *testing.T) {
 	assert.NoError(t, c.Close())
 }
 
+func TestClientFailConnSSH(t *testing.T) {
+	s := newServerStopped(t)
+	if s == nil {
+		return
+	}
+	s.failConn = true
+	s.Start()
+	defer func() {
+		assert.NoError(t, s.Close())
+	}()
+
+	c, err := NewClient(s.Addr, Timeout(time.Second), SSH(sshClientTestConfig))
+	if assert.Error(t, err) {
+		return
+	}
+
+	// Should never get here
+	assert.NoError(t, c.Close())
+}
+
 func TestClientBadHeader(t *testing.T) {
 	s := newServerStopped(t)
 	if s == nil {