asbestos 0.0.1

data/lib/asbestos/address.rb

@@ -0,0 +1,8 @@
+
+module Asbestos
+  class Address
+    include Asbestos::ClassCollection
+
+    class_collection :all
+  end
+end

data/lib/asbestos/dsl.rb

@@ -0,0 +1,40 @@
+
+def host_template(name, &block)
+  name = name.to_sym
+  Asbestos::HostTemplate.new(name, block).tap do |host_template|
+
+    #
+    # Calling define_method wont let you define block parameters,
+    # but doing it this way will
+    #
+    Object.send(:define_method, name) do |host_name, &block|
+      host(host_name, &host_template.template).tap do |h|
+        h.instance_eval &block if block
+        h.template = name
+      end
+    end
+
+  end
+end
+
+def host(name, &block)
+  Asbestos::Host.new(name.to_sym).tap do |h|
+    h.instance_eval &block if block_given?
+  end
+end
+
+def rule_set(name, &template)
+  Asbestos::RuleSet[name.to_sym] = template
+end
+
+def service(name, &template)
+  Asbestos::Service[name.to_sym] = template
+end
+
+def address(name, address)
+  Asbestos::Address[name] = [*address]
+end
+
+
+# For referencing lazy hosts in the dsl without prepending "Asbestos::"
+Host = Asbestos::Host

data/lib/asbestos/firewalls/iptables.rb

@@ -0,0 +1,127 @@
+module Asbestos::Firewall
+  module IPTables
+
+    def self.preamble(host)
+      [ "# Generated by Asbestos at #{Time.now.utc} for #{host.name}",
+        "# #{Asbestos::HOMEPAGE}",
+        "*filter"
+      ] +
+      host.chains.collect do |name, default_action|
+        chain name, default_action
+      end
+    end
+
+
+    def self.chain(name, default_action)
+      default_action = '-' if default_action == :none
+
+      ":#{name.upcase} #{default_action.upcase} [0:0]"
+    end
+
+
+    def self.open_port(interfaces, port, protocol, comment, remote_address = nil)
+      if interfaces
+        interfaces.collect do |interface|
+          accept :state     => :new,
+                 :protocol  => protocol,
+                 :port      => port,
+                 :comment   => comment,
+                 :interface => interface,
+                 :remote_address => remote_address
+        end
+      else
+        accept :state     => :new,
+               :protocol  => protocol,
+               :port      => port,
+               :comment   => comment,
+               :remote_address => remote_address
+      end
+    end
+
+    #
+    # TODO: Use iptables' long options here for clarity?
+    #
+    def self.rule(args)
+      Array.new.tap do |r|
+        chain = \
+          if args[:chain]
+            args[:chain].to_s.upcase
+          else
+            'INPUT'
+          end
+        r << "-A #{chain}"
+
+        r << "-j #{args[:action].upcase}" if args[:action]
+
+        if args[:interface]
+          direction = \
+            if args[:direction]
+              case args[:direction]
+                when :incoming
+                  'i'
+                when :outgoing
+                  'o'
+                else
+                  raise "you must provide a :direction flag of either :incoming or :outgoing"
+              end
+            elsif %w{INPUT PREROUTING}.include? chain
+              'i'
+            elsif %w{OUTPUT POSTROUTING}.include? chain
+              'o'
+            else
+              raise "you must provide a :direction flag of either :incoming or :outgoing to use :interface with chain #{chain}"
+            end
+          r << "-#{direction} #{args[:interface]}"
+        end
+
+        r << "-p #{args[:protocol]}" if args[:protocol]
+        r << "-d #{args[:local_address]}" if args[:local_address]
+        r << "-s #{args[:remote_address]}" if args[:remote_address]
+
+        r << "-m state --state #{args[:state].upcase}" if args[:state]
+        #r << "-m #{args[:protocol]} --dport #{args[:port]}" if args[:protocol] && args[:port]
+        r << "--dport #{args[:port]}" if args[:port]
+        r << "-m limit --limit #{args[:limit]}" if args[:limit]
+
+        r << %{--log-prefix "#{args[:log_prefix]}"} if args[:log_prefix]
+        r << "--log-level #{args[:log_level]}" if args[:log_level]
+
+        r << "--icmp-type #{args[:icmp_type]}" if args[:icmp_type]
+
+        if args[:comment]
+          if args[:interface]
+            r << %{-m comment --comment "#{args[:comment]} on #{args[:interface]}"}
+          else
+            r << %{-m comment --comment "#{args[:comment]}"}
+          end
+        end
+      end.join(' ')
+    end
+
+    class << self
+      [:accept, :reject, :drop, :log].each do |action|
+        define_method(action) do |args|
+          self.rule(args.merge(:action => action))
+        end
+      end
+    end
+
+
+
+    def self.postamble(host)
+      Array.new.tap do |rules|
+       rules << log(:limit => '5/min',
+                    :log_level => 7,
+                    :log_prefix => "iptables dropped: ",
+                    :comment => "log dropped packets") if host.log_denials?
+
+       rules << drop(:chain => :input,
+                     :comment => "drop packets that haven't been explicitly accepted") if host.chains[:input].upcase == :ACCEPT
+
+       rules << 'COMMIT'
+       rules << "# Asbestos completed at #{Time.now.utc}"
+      end
+    end
+
+  end
+end

data/lib/asbestos/host.rb

@@ -0,0 +1,244 @@
+
+class Asbestos::Host
+  include Asbestos::ClassCollection
+
+  class_collection :all
+  class_collection :groups
+
+  class << self
+    # returns a lazily evaluated block, to allow hosts to be 
+    # defined in the DSL without a lot of hoopla
+    def [](name)
+      lambda { @all[name] }
+    end
+  end
+
+
+  attr_reader :name
+  attr_reader :groups
+  attr_reader :interfaces
+  attr_reader :addresses
+  attr_reader :rulesets
+  attr_reader :chains
+
+  # the HostTemplate that built this host
+  attr_accessor :template
+
+
+  def initialize(name)
+    @name = name
+    @groups = []
+    @rulesets = []
+
+    @chains = {}
+
+    @interfaces = {} # maps interface's tag to /dev name
+    @addresses = {} # maps interface's /dev name to an ip address
+
+
+    Asbestos.with_indifferent_access! @chains
+    Asbestos.with_indifferent_access! @interfaces
+    Asbestos.with_indifferent_access! @addresses
+
+    if Asbestos.hostname.to_sym == @name
+      Asbestos.interfaces.each do |if_name, info|
+        @addresses[if_name] = info[:inet_addr]
+      end
+    end
+
+    #
+    # Define the necessary chains
+    # # FIXME do we need :forward too?
+    #
+    [:input, :output].each do |name|
+      chain(name, :accept)
+    end
+
+    self.class.all[name] = self
+  end
+
+
+  def debug
+    [
+      "Hostname: #{@name}",
+      (@template ? "  Template: #{@template}" : nil),
+      "  Interfaces: #{@interfaces}",
+      "  Addresses: #{@addresses}",
+    ].tap do |a|
+      a << "  Groups: #{@groups.sort.join(', ')}" unless @groups.empty?
+      unless @rulesets.empty?
+        a << "  RuleSets/Services:"
+        @rulesets.each { |s| a << "    #{s.inspect}" }
+      end
+    end.join("\n")
+  end
+
+  def inspect
+    "#<Host name:#{name}>"
+  end
+
+  alias_method :to_s, :inspect
+
+
+  #
+  # DSL ------------------------------------------------------------------------------
+  #
+
+  #
+  # Places this host in a named group
+  #
+  # host 'dax' do
+  #   group :developers
+  # end
+  #
+  def group(name = nil)
+    if name
+      @groups << name
+      self.class.groups[name] ||= []
+      self.class.groups[name] << self
+    else
+      @groups
+    end
+  end
+
+  #
+  # Defines an interface on this host with a given "tag". The interface's address can
+  # be defined explicitly, or at runtime via a block.
+  #
+  # host 'dax' do
+  #   group :developers
+  #
+  #   interface :external, :eth0  #=> address is "dax_external"
+  #   interface :dmz, [:eth1, :eth2]  #=> addresses are "dax_dmz_eth1" and "dax_dmz_eth2"
+  #
+  #   interface :internal, :eth3 do |host|
+  #     [host.group, host.name, 'foo'].join('_')
+  #   end  #=> address is "developers_dax_foo"
+  #
+  #   interface :internal, :eth4, 'bar' #=> address is "bar"
+  # end
+  #
+  def interface(tag, if_names, address = nil, &block)
+    if_names = [*if_names]
+    raise "single address, #{address}, given for multiple interfaces, #{if_names}, on host #{name}" if if_names.length > 1 && address
+
+    @interfaces[tag] = if_names
+
+    # determine the address for each interface
+    if_names.each do |if_name|
+      new_address = \
+        if !address
+          if block_given? 
+            yield(self, if_name)
+          else
+            if if_names.length > 1
+              "#{name}_#{tag}_#{if_name}"
+            else
+              "#{name}_#{tag}"
+            end
+          end
+        else
+          address
+        end
+      @addresses[if_name] ||= new_address
+    end
+
+  end
+
+  #
+  # Indicates that this host should log denied firewall packets.
+  #
+  # host 'dax' do
+  #   log_denials
+  # end
+  def log_denials
+    @log_denials = true
+  end
+
+  def log_denials?
+    !!@log_denials
+  end
+
+
+  #
+  # Defines a firewall chain on this host, this may be an IPTables-only concept.
+  #
+  # The default_action here is also called the chain's "policy" in IPTables parlance
+  #
+  def chain(name, default_action = :none)
+    @chains[name.downcase.to_sym] = default_action
+  end
+
+  #
+  # Indicates that this host should have rules to allow the corresponding
+  # service to run on it. The arguments provided after the service name
+  # should be valid DSL calls supported by the service. Certain DSL calls
+  # come standard with all services, see the Service class for more info.
+  #
+  # host 'dax' do
+  #   runs :nginx, :on => :external
+  #   runs :ssh,   :on => :internal, :port => 22022
+  #   runs :riak,  :on => :internal, :from => {:riak_cluster => :internal}
+  # end
+  #
+  def runs(service_name, args = {})
+    template = Asbestos::Service[service_name]
+    raise "Service not defined: #{service_name}" unless template
+
+    @rulesets <<
+      Asbestos::Service.new(service_name, self).tap do |s|
+        s.instance_eval &template
+        # override template defaults with provided options
+        args.each do |k, v|
+          s.send k, v
+        end
+      end
+  end
+
+
+  #
+  # Determine this host's firewall rules, according to the firewall type.
+  #
+  def rules
+    #
+    # This is called first in case any preable needs to be declared (chains, specifically)
+    #
+    _ruleset_rules = ruleset_rules
+
+    [
+      Asbestos.firewall.preamble(self),
+      _ruleset_rules,
+      Asbestos.firewall.postamble(self)
+    ].flatten
+  end
+
+  #
+  # Ask each ruleset/service to generate its rules.
+  #
+  def ruleset_rules
+    @rulesets.collect do |r|
+      ["# Begin [#{r.name}]",
+       r.firewall_rules,
+       "# End [#{r.name}]",
+       ""]
+    end
+  end
+
+  #
+  # Missing methods should be the name of RuleSets, if not, raise an error
+  #
+  # This is similar to the "runs" method above, but for RuleSets, rather than services.
+  #
+  def method_missing(rule_set_name, args = {})
+    template = Asbestos::RuleSet[rule_set_name]
+    raise %{Unknown host DSL call : "#{rule_set_name}" for host "#{name}"} unless template
+
+    @rulesets << \
+      Asbestos::RuleSet.new(rule_set_name, self, template).tap do |rs|
+        # override template defaults with provided options
+        args.each do |k, v|
+          rs.send k, v
+        end
+      end
+  end
+end

data/lib/asbestos/host_template.rb

@@ -0,0 +1,15 @@
+class Asbestos::HostTemplate
+  include Asbestos::ClassCollection
+
+  class_collection :all
+
+  attr_reader :template
+
+  def initialize(name, template)
+    @name = name
+    @template = template
+
+    self.class[name] = self
+  end
+
+end

data/lib/asbestos/metadata.rb

@@ -0,0 +1,4 @@
+module Asbestos
+  VERSION = "0.0.1"
+  HOMEPAGE = "http://www.github.com/koudelka/asbestos"
+end

data/lib/asbestos/rule_set.rb

@@ -0,0 +1,131 @@
+require 'forwardable'
+
+class Asbestos::RuleSet
+  extend ::Forwardable
+  include Asbestos::ClassCollection
+
+  class_collection :all
+
+  attr_reader :name
+  attr_reader :host
+  attr_reader :attributes
+  attr_reader :commands
+
+  def initialize(name, host, template)
+    @name = name
+    @host = host
+    @attributes = {}
+    @commands = []
+    @template = template
+  end
+
+  def inspect
+    "#{name}:#{@attributes.inspect}"
+  end
+
+
+  #
+  # Asks this RuleSet to generate its firewall rules
+  #
+  def firewall_rules
+    instance_eval &@template
+    @commands
+  end
+
+  #
+  # DSL ------------------------------------------------------------------------------
+  #
+
+  #
+  # These host functions are useful when building rules.
+  #
+  def_delegators :@host, :chain, :interfaces, :command, :addresses
+
+  #
+  # Records a literal firewall command for this host, ignoring firewall type (iptables, ipfw, etc)
+  #
+  def command(str)
+    @commands << str
+  end
+
+  #
+  # Requests a rule from this platform's firewall, with the given args.
+  #
+  [:rule, :accept, :reject, :drop, :log].each do |action|
+    define_method(action) do |args|
+      @commands << Asbestos.firewall.send(action, args)
+    end
+  end
+
+  #
+  # Given a list of "from" objects, resolve a list of hosts or addresses
+  #
+  def from_each(froms = @attributes[:from], &block)
+    case froms
+      when Array # a list of any of the other types
+        froms.each do |from|
+          from_each from, &block
+        end
+      when Hash # either a group or a specific host paired with an interface
+        froms.each do |host_or_group, their_interface_tag|
+          if [Symbol, String].include? host_or_group.class # it's a group name
+            Host.groups[host_or_group].uniq.each do |group_host|
+              next if group_host == @host
+              yield group_host, their_interface_tag
+            end
+          else # it's a Host or a lazly defined Host in a proc
+            host = host_or_group.is_a?(Proc) ?  host_or_group.call : host_or_group
+            yield host, their_interface_tag
+          end
+        end
+      when String, Symbol # some kind of address(es)
+        if Asbestos::Address[froms]
+          Asbestos::Address[froms].each do |address|
+            yield address
+          end
+        else
+          yield froms
+        end
+      when nil # from everyone
+        yield nil
+      when Host, Proc
+        raise "#{@host.name}/#{name}: you specified a 'from' Host but no remote interface"
+      else
+        raise "#{@host.name}/#{name}: invalid 'from' object"
+    end
+  end
+
+  #
+  # Resolves a set of "from" objects into addresses
+  #
+  def from_each_address(froms = @attributes[:from])
+    from_each(froms) do |host_or_address, remote_interface_tag|
+      case host_or_address
+        when Host # specific host, specific remote interface
+          host_or_address.interfaces[remote_interface_tag].each do |remote_interface|
+              yield host_or_address.addresses[remote_interface]
+          end
+        else
+          yield host_or_address
+      end
+    end
+  end
+
+  #
+  # Responsible for storing and retrieving unspecified DSL calls as service attributes.
+  #
+  def method_missing(attribute, *args)
+    if args.empty?
+      @attributes[attribute]
+    else
+      #
+      # Certain DSL properties should be stored as arrays
+      #
+      if [:ports, :protocols, :groups].include? attribute
+        @attributes[attribute] = [*args]
+      else
+        @attributes[attribute] = args.first
+      end
+    end
+  end
+end