SSH: fix Include directive escaping and refactor backup logic (#4861)

## Summary

The backup refactoring is actually secondary, the main fix is quoting
paths inside "Include" statement that we add to ssh config.

Noticed that we also didn't do backups for ssh configs, so here are
backup related changes:
- Extracts `BackupFile` from `vscode/settings.go` into a shared
`fileutil` package with exported suffix constants (`SuffixOriginalBak`,
`SuffixLatestBak`), eliminating hardcoded magic strings across callers
and tests
- Replaces `strings.Contains` with a line-aware `containsLine` helper in
`sshconfig` to avoid false positives when the Include path appears in a
comment or as a substring of another line
- Adds migration from unquoted `Include` directives (written by older
CLI versions) to the quoted form, which handles paths with spaces
- A user visible change is that we consider backup errors as hard errors
and don't proceed with the flow

## Tests
Existing, new, and manually

This pull request was AI-assisted by Isaac.

Author: ilia-db

experimental/ssh/internal/fileutil/backup.go

@@ -0,0 +1,39 @@
+package fileutil
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+
+	"github.com/databricks/cli/libs/log"
+)
+
+const (
+	SuffixOriginalBak = ".original.bak"
+	SuffixLatestBak   = ".latest.bak"
+)
+
+// BackupFile saves data to path+".original.bak" on the first call, and
+// path+".latest.bak" on subsequent calls. Skips if data is empty.
+func BackupFile(ctx context.Context, path string, data []byte) error {
+	if len(data) == 0 {
+		return nil
+	}
+	originalBak := path + SuffixOriginalBak
+	latestBak := path + SuffixLatestBak
+	var bakPath string
+	_, statErr := os.Stat(originalBak)
+	if statErr != nil && !os.IsNotExist(statErr) {
+		return statErr
+	}
+	if os.IsNotExist(statErr) {
+		bakPath = originalBak
+	} else {
+		bakPath = latestBak
+	}
+	if err := os.WriteFile(bakPath, data, 0o600); err != nil {
+		return err
+	}
+	log.Infof(ctx, "Backed up %s to %s", filepath.ToSlash(path), filepath.ToSlash(bakPath))
+	return nil
+}

experimental/ssh/internal/fileutil/backup_test.go

@@ -0,0 +1,85 @@
+package fileutil_test
+
+import (
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/databricks/cli/experimental/ssh/internal/fileutil"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBackupFile_EmptyData(t *testing.T) {
+	tmpDir := t.TempDir()
+	path := filepath.Join(tmpDir, "file.json")
+
+	err := fileutil.BackupFile(t.Context(), path, []byte{})
+	require.NoError(t, err)
+
+	_, err = os.Stat(path + fileutil.SuffixOriginalBak)
+	assert.True(t, os.IsNotExist(err))
+}
+
+func TestBackupFile_FirstBackup(t *testing.T) {
+	tmpDir := t.TempDir()
+	path := filepath.Join(tmpDir, "file.json")
+	data := []byte(`{"key": "value"}`)
+
+	err := fileutil.BackupFile(t.Context(), path, data)
+	require.NoError(t, err)
+
+	content, err := os.ReadFile(path + fileutil.SuffixOriginalBak)
+	require.NoError(t, err)
+	assert.Equal(t, data, content)
+
+	_, err = os.Stat(path + fileutil.SuffixLatestBak)
+	assert.True(t, os.IsNotExist(err))
+}
+
+func TestBackupFile_SubsequentBackup(t *testing.T) {
+	tmpDir := t.TempDir()
+	path := filepath.Join(tmpDir, "file.json")
+	original := []byte(`{"key": "value"}`)
+	updated := []byte(`{"key": "updated"}`)
+
+	err := fileutil.BackupFile(t.Context(), path, original)
+	require.NoError(t, err)
+
+	err = fileutil.BackupFile(t.Context(), path, updated)
+	require.NoError(t, err)
+
+	// .original.bak must remain unchanged
+	content, err := os.ReadFile(path + fileutil.SuffixOriginalBak)
+	require.NoError(t, err)
+	assert.Equal(t, original, content)
+
+	// .latest.bak should have the updated content
+	content, err = os.ReadFile(path + fileutil.SuffixLatestBak)
+	require.NoError(t, err)
+	assert.Equal(t, updated, content)
+}
+
+func TestBackupFile_WriteError(t *testing.T) {
+	err := fileutil.BackupFile(t.Context(), "/nonexistent/dir/file.json", []byte("data"))
+	assert.Error(t, err)
+}
+
+func TestBackupFile_StatError(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("chmod is not supported on windows")
+	}
+
+	tmpDir := t.TempDir()
+	path := filepath.Join(tmpDir, "file.json")
+
+	// Create the .original.bak file so os.Stat would find it — but make the
+	// parent directory unreadable so Stat returns a permission error instead.
+	require.NoError(t, os.WriteFile(path+fileutil.SuffixOriginalBak, []byte("existing"), 0o600))
+	require.NoError(t, os.Chmod(tmpDir, 0o000))
+	t.Cleanup(func() { _ = os.Chmod(tmpDir, 0o700) })
+
+	err := fileutil.BackupFile(t.Context(), path, []byte("data"))
+	assert.Error(t, err)
+}

experimental/ssh/internal/sshconfig/sshconfig.go

@@ -7,6 +7,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/databricks/cli/experimental/ssh/internal/fileutil"
 	"github.com/databricks/cli/libs/cmdio"
 	"github.com/databricks/cli/libs/env"
 )
@@ -80,11 +81,24 @@ func EnsureIncludeDirective(ctx context.Context, configPath string) error {
 	// Convert path to forward slashes for SSH config compatibility across platforms
 	configDirUnix := filepath.ToSlash(configDir)
 
-	includeLine := fmt.Sprintf("Include %s/*", configDirUnix)
-	if strings.Contains(string(content), includeLine) {
+	// Quoted to handle paths with spaces; OpenSSH still expands globs inside quotes.
+	includeLine := fmt.Sprintf(`Include "%s/*"`, configDirUnix)
+	if containsLine(content, includeLine) {
 		return nil
 	}
 
+	// Migrate unquoted Include written by older versions of the CLI.
+	oldIncludeLine := fmt.Sprintf("Include %s/*", configDirUnix)
+	if containsLine(content, oldIncludeLine) {
+		if err := fileutil.BackupFile(ctx, configPath, content); err != nil {
+			return fmt.Errorf("failed to backup SSH config before migration: %w", err)
+		}
+		return os.WriteFile(configPath, replaceLine(content, oldIncludeLine, includeLine), 0o600)
+	}
+
+	if err := fileutil.BackupFile(ctx, configPath, content); err != nil {
+		return fmt.Errorf("failed to backup SSH config: %w", err)
+	}
 	newContent := includeLine + "\n"
 	if len(content) > 0 && !strings.HasPrefix(string(content), "\n") {
 		newContent += "\n"
@@ -99,6 +113,31 @@ func EnsureIncludeDirective(ctx context.Context, configPath string) error {
 	return nil
 }
 
+// containsLine reports whether data contains line as a line match,
+// trimming leading whitespace and \r (Windows line endings) before comparing.
+func containsLine(data []byte, line string) bool {
+	for l := range strings.SplitSeq(string(data), "\n") {
+		if strings.TrimLeft(strings.TrimRight(l, "\r"), " \t") == line {
+			return true
+		}
+	}
+	return false
+}
+
+// replaceLine replaces the first line in data whose trimmed content matches old
+// with new. Uses the same trim logic as containsLine. Returns data unchanged if
+// no match.
+func replaceLine(data []byte, old, new string) []byte {
+	lines := strings.Split(string(data), "\n")
+	for i, l := range lines {
+		if strings.TrimLeft(strings.TrimRight(l, "\r"), " \t") == old {
+			lines[i] = new
+			break
+		}
+	}
+	return []byte(strings.Join(lines, "\n"))
+}
+
 func GetHostConfigPath(ctx context.Context, hostName string) (string, error) {
 	configDir, err := GetConfigDir(ctx)
 	if err != nil {

experimental/ssh/internal/sshconfig/sshconfig_test.go

@@ -80,9 +80,9 @@ func TestEnsureIncludeDirective_AlreadyExists(t *testing.T) {
 	configDir, err := GetConfigDir(t.Context())
 	require.NoError(t, err)
 
-	// Use forward slashes as that's what SSH config uses
+	// Use forward slashes and quotes as that's what SSH config uses
 	configDirUnix := filepath.ToSlash(configDir)
-	existingContent := "Include " + configDirUnix + "/*\n\nHost example\n    User test\n"
+	existingContent := `Include "` + configDirUnix + `/*"` + "\n\nHost example\n    User test\n"
 	err = os.MkdirAll(filepath.Dir(configPath), 0o700)
 	require.NoError(t, err)
 	err = os.WriteFile(configPath, []byte(existingContent), 0o600)
@@ -96,6 +96,59 @@ func TestEnsureIncludeDirective_AlreadyExists(t *testing.T) {
 	assert.Equal(t, existingContent, string(content))
 }
 
+func TestEnsureIncludeDirective_MigratesOldUnquotedFormat(t *testing.T) {
+	tmpDir := t.TempDir()
+	t.Setenv("HOME", tmpDir)
+	t.Setenv("USERPROFILE", tmpDir)
+
+	configPath := filepath.Join(tmpDir, ".ssh", "config")
+
+	configDir, err := GetConfigDir(t.Context())
+	require.NoError(t, err)
+
+	configDirUnix := filepath.ToSlash(configDir)
+	oldContent := "Include " + configDirUnix + "/*\n\nHost example\n    User test\n"
+	err = os.MkdirAll(filepath.Dir(configPath), 0o700)
+	require.NoError(t, err)
+	err = os.WriteFile(configPath, []byte(oldContent), 0o600)
+	require.NoError(t, err)
+
+	err = EnsureIncludeDirective(t.Context(), configPath)
+	assert.NoError(t, err)
+
+	content, err := os.ReadFile(configPath)
+	assert.NoError(t, err)
+	configStr := string(content)
+
+	assert.Contains(t, configStr, `Include "`+configDirUnix+`/*"`)
+	assert.NotContains(t, configStr, "Include "+configDirUnix+"/*\n")
+	assert.Contains(t, configStr, "Host example")
+}
+
+func TestEnsureIncludeDirective_NotFooledBySubstring(t *testing.T) {
+	tmpDir := t.TempDir()
+	t.Setenv("HOME", tmpDir)
+	t.Setenv("USERPROFILE", tmpDir)
+
+	configPath := filepath.Join(tmpDir, ".ssh", "config")
+
+	configDir, err := GetConfigDir(t.Context())
+	require.NoError(t, err)
+
+	configDirUnix := filepath.ToSlash(configDir)
+	// The include path appears only inside a comment, not as a standalone directive.
+	existingContent := `# Include "` + configDirUnix + `/*"` + "\nHost example\n    User test\n"
+	require.NoError(t, os.MkdirAll(filepath.Dir(configPath), 0o700))
+	require.NoError(t, os.WriteFile(configPath, []byte(existingContent), 0o600))
+
+	err = EnsureIncludeDirective(t.Context(), configPath)
+	require.NoError(t, err)
+
+	content, err := os.ReadFile(configPath)
+	require.NoError(t, err)
+	assert.Contains(t, string(content), `Include "`+configDirUnix+`/*"`)
+}
+
 func TestEnsureIncludeDirective_PrependsToExisting(t *testing.T) {
 	tmpDir := t.TempDir()
 	configPath := filepath.Join(tmpDir, ".ssh", "config")
@@ -127,6 +180,127 @@ func TestEnsureIncludeDirective_PrependsToExisting(t *testing.T) {
 	assert.Less(t, includeIndex, hostIndex, "Include directive should come before existing content")
 }
 
+func TestContainsLine(t *testing.T) {
+	tests := []struct {
+		name  string
+		data  string
+		line  string
+		found bool
+	}{
+		{"exact match", `Include "/path/*"` + "\nHost example\n", `Include "/path/*"`, true},
+		{"not present", "Host example\n", `Include "/path/*"`, false},
+		{"substring only", `# Include "/path/*"`, `Include "/path/*"`, false},
+		{"commented line", `# Include "/path/*"` + "\n" + `Include "/path/*"` + "\n", `Include "/path/*"`, true},
+		{"windows line ending", `Include "/path/*"` + "\r\nHost example\r\n", `Include "/path/*"`, true},
+		{"empty data", "", `Include "/path/*"`, false},
+		{"indented with spaces", "  " + `Include "/path/*"` + "\nHost example\n", `Include "/path/*"`, true},
+		{"indented with tab", "\t" + `Include "/path/*"` + "\nHost example\n", `Include "/path/*"`, true},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			assert.Equal(t, tc.found, containsLine([]byte(tc.data), tc.line))
+		})
+	}
+}
+
+func TestReplaceLine(t *testing.T) {
+	tests := []struct {
+		name     string
+		data     string
+		old      string
+		new      string
+		expected string
+	}{
+		{
+			"exact match",
+			`Include "/p/*"` + "\nHost x\n",
+			`Include "/p/*"`, `Include "/p/*" NEW`,
+			`Include "/p/*" NEW` + "\nHost x\n",
+		},
+		{
+			"indented match",
+			"  " + `Include "/p/*"` + "\nHost x\n",
+			`Include "/p/*"`, `Include "/p/*" NEW`,
+			`Include "/p/*" NEW` + "\nHost x\n",
+		},
+		{
+			"no match",
+			"Host x\n",
+			`Include "/p/*"`, `Include "/p/*" NEW`,
+			"Host x\n",
+		},
+		{
+			"substring in comment — must not be replaced",
+			`# Include "/p/*"` + "\nHost x\n",
+			`Include "/p/*"`, `Include "/p/*" NEW`,
+			`# Include "/p/*"` + "\nHost x\n",
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := replaceLine([]byte(tc.data), tc.old, tc.new)
+			assert.Equal(t, tc.expected, string(got))
+		})
+	}
+}
+
+func TestEnsureIncludeDirective_MigratesIndentedOldFormat(t *testing.T) {
+	tmpDir := t.TempDir()
+	t.Setenv("HOME", tmpDir)
+	t.Setenv("USERPROFILE", tmpDir)
+
+	configPath := filepath.Join(tmpDir, ".ssh", "config")
+
+	configDir, err := GetConfigDir(t.Context())
+	require.NoError(t, err)
+
+	configDirUnix := filepath.ToSlash(configDir)
+	// Old format with leading whitespace — should still be detected and migrated.
+	oldContent := "  Include " + configDirUnix + "/*\n\nHost example\n    User test\n"
+	require.NoError(t, os.MkdirAll(filepath.Dir(configPath), 0o700))
+	require.NoError(t, os.WriteFile(configPath, []byte(oldContent), 0o600))
+
+	err = EnsureIncludeDirective(t.Context(), configPath)
+	require.NoError(t, err)
+
+	content, err := os.ReadFile(configPath)
+	require.NoError(t, err)
+	configStr := string(content)
+
+	assert.Contains(t, configStr, `Include "`+configDirUnix+`/*"`)
+	assert.NotContains(t, configStr, "  Include "+configDirUnix+"/*")
+	assert.Contains(t, configStr, "Host example")
+}
+
+func TestEnsureIncludeDirective_NotFooledByOldFormatSubstring(t *testing.T) {
+	tmpDir := t.TempDir()
+	t.Setenv("HOME", tmpDir)
+	t.Setenv("USERPROFILE", tmpDir)
+
+	configPath := filepath.Join(tmpDir, ".ssh", "config")
+
+	configDir, err := GetConfigDir(t.Context())
+	require.NoError(t, err)
+
+	configDirUnix := filepath.ToSlash(configDir)
+	// Old unquoted form appears only inside a comment — must not be migrated.
+	existingContent := "# Include " + configDirUnix + "/*\nHost example\n    User test\n"
+	require.NoError(t, os.MkdirAll(filepath.Dir(configPath), 0o700))
+	require.NoError(t, os.WriteFile(configPath, []byte(existingContent), 0o600))
+
+	err = EnsureIncludeDirective(t.Context(), configPath)
+	require.NoError(t, err)
+
+	content, err := os.ReadFile(configPath)
+	require.NoError(t, err)
+	configStr := string(content)
+
+	// New quoted directive should have been prepended (not a migration).
+	assert.Contains(t, configStr, `Include "`+configDirUnix+`/*"`)
+	// Comment line must be preserved unchanged.
+	assert.Contains(t, configStr, "# Include "+configDirUnix+"/*")
+}
+
 func TestGetHostConfigPath(t *testing.T) {
 	path, err := GetHostConfigPath(t.Context(), "test-host")
 	assert.NoError(t, err)