aws-codedeploy-agent 0.0.1

data/lib/instance_agent/codedeploy_plugin/command_poller.rb

@@ -0,0 +1,146 @@
+require 'instance_agent/codedeploy_plugin/command_executor'
+require 'instance_metadata'
+require 'socket'
+require 'instance_agent/codedeploy_plugin/codedeploy_control'
+
+module InstanceAgent
+  module CodeDeployPlugin
+    class CommandPoller < InstanceAgent::Agent::Base
+
+      VERSION = "2013-04-23"
+
+      def initialize
+        region = ENV['AWS_REGION'] || InstanceMetadata.region
+        @host_identifier = ENV['AWS_HOST_IDENTIFIER'] || InstanceMetadata.host_identifier
+
+        log(:debug, "Configuring deploy control client: Region = #{region.inspect}")
+        log(:debug, "Deploy control endpoint override = " + ENV['AWS_DEPLOY_CONTROL_ENDPOINT'].inspect)
+
+        @deploy_control_client = InstanceAgent::CodeDeployPlugin::CodeDeployControl.new(:region => region, :logger => InstanceAgent::Log, :ssl_ca_directory => ENV['AWS_SSL_CA_DIRECTORY']).get_client
+
+        @plugin = InstanceAgent::CodeDeployPlugin::CommandExecutor.new(
+          :deploy_control_client => @deploy_control_client,
+          :hook_mapping => create_hook_mapping)
+
+        log(:debug, "Initializing Host Agent: " +
+                    "Host Identifier = #{@host_identifier}")
+      end
+
+      def create_hook_mapping
+        #Map commands to lifecycle hooks
+        { "BeforeELBRemove"=>["BeforeELBRemove"],
+          "AfterELBRemove"=>["AfterELBRemove"],
+          "ApplicationStop"=>["ApplicationStop"],
+          "BeforeInstall"=>["BeforeInstall"],
+          "AfterInstall"=>["AfterInstall"],
+          "ApplicationStart"=>["ApplicationStart"],
+          "BeforeELBAdd"=>["BeforeELBAdd"],
+          "AfterELBAdd"=>["AfterELBAdd"],
+          "ValidateService"=>["ValidateService"]}
+      end
+
+      def perform
+        return unless command = next_command
+        return unless acknowledge_command(command)
+
+        begin
+          spec = get_deployment_specification(command)
+          #Successful commands will complete without raising an exception
+          script_output = process_command(command, spec)
+          log(:debug, 'Calling PutHostCommandComplete: "Succeeded"')
+          @deploy_control_client.put_host_command_complete(
+            :command_status => 'Succeeded',
+            :diagnostics => {:format => "JSON", :payload => gather_diagnostics()},
+            :host_command_identifier => command.host_command_identifier)
+
+          #Commands that throw an exception will be considered to have failed
+        rescue ScriptError => e
+          log(:debug, 'Calling PutHostCommandComplete: "Code Error" ')
+          @deploy_control_client.put_host_command_complete(
+            :command_status => "Failed",
+            :diagnostics => {:format => "JSON", :payload => gather_diagnostics_from_script_error(e)},
+            :host_command_identifier => command.host_command_identifier)
+          raise e
+        rescue Exception => e
+          log(:debug, 'Calling PutHostCommandComplete: "Code Error" ')
+          @deploy_control_client.put_host_command_complete(
+            :command_status => "Failed",
+            :diagnostics => {:format => "JSON", :payload => gather_diagnostics_from_error(e)},
+            :host_command_identifier => command.host_command_identifier)
+          raise e
+        end
+      end
+
+      def next_command
+        log(:debug, "Calling PollHostCommand:")
+        output = @deploy_control_client.poll_host_command(:host_identifier => @host_identifier)
+        command = output.host_command
+        if command.nil?
+          log(:debug, "PollHostCommand: Host Command =  nil")
+        else
+          log(:debug, "PollHostCommand: "  +
+                      "Host Identifier = #{command.host_identifier}; "  +
+                      "Host Command Identifier = #{command.host_command_identifier}; "  +
+                      "Deployment Execution ID = #{command.deployment_execution_id}; "  +
+                      "Command Name = #{command.command_name}")
+          raise "Host Identifier mismatch: #{@host_identifier} != #{command.host_identifier}" unless @host_identifier.include? command.host_identifier
+          raise "Command Name missing" if command.command_name.nil? || command.command_name.empty?
+        end
+        command
+      end
+
+      def acknowledge_command(command)
+        log(:debug, "Calling PutHostCommandAcknowledgement:")
+        output =  @deploy_control_client.put_host_command_acknowledgement(
+          :diagnostics => nil,
+          :host_command_identifier => command.host_command_identifier)
+        status = output.command_status
+        log(:debug, "Command Status = #{status}")
+        true unless status == "Succeeded" || status == "Failed"
+      end
+
+      def get_deployment_specification(command)
+        log(:debug, "Calling GetDeploymentSpecification:")
+        output =  @deploy_control_client.get_deployment_specification(
+          :deployment_execution_id => command.deployment_execution_id,
+          :host_identifier => @host_identifier)
+        log(:debug, "GetDeploymentSpecification: " +
+                    "Deployment System = #{output.deployment_system}")
+        raise "Deployment System mismatch: #{@plugin.deployment_system} != #{output.deployment_system}" unless @plugin.deployment_system == output.deployment_system
+        raise "Deployment Specification missing" if output.deployment_specification.nil?
+        output.deployment_specification.generic_envelope
+      end
+
+      def process_command(command, spec)
+        log(:debug, "Calling #{@plugin.to_s}.execute_command")
+        @plugin.execute_command(command, spec)
+      end
+
+      private
+      def gather_diagnostics_from_script_error(script_error)
+        script_error.to_json
+      end
+
+      private
+      def gather_diagnostics_from_error(error)
+        begin
+          message = error.message || ""
+          raise ScriptError.new(ScriptError::UNKNOWN_ERROR_CODE, "", ScriptLog.new), message
+        rescue ScriptError => e
+          script_error = e
+        end
+        gather_diagnostics_from_script_error(script_error)
+      end
+
+      private
+      def gather_diagnostics()
+        begin
+          raise ScriptError.new(ScriptError::SUCCEEDED_CODE, "", ScriptLog.new), 'Succeeded'
+        rescue ScriptError => e
+          script_error = e
+        end
+        gather_diagnostics_from_script_error(script_error)
+      end
+    end
+  end
+end

data/lib/instance_agent/codedeploy_plugin/deployment_specification.rb

@@ -0,0 +1,150 @@
+require 'openssl'
+require 'instance_metadata'
+
+module InstanceAgent
+  module CodeDeployPlugin
+    class DeploymentSpecification
+      attr_accessor :deployment_id, :deployment_group_id, :revision, :revision_source
+      attr_accessor :bucket, :key, :bundle_type, :version, :etag
+      attr_accessor :external_account, :repository, :commit_id, :anonymous, :external_auth_token
+      class << self
+        attr_accessor :cert_store
+      end
+
+      def self.init_cert_store(ca_chain_path)
+        @cert_store = OpenSSL::X509::Store.new
+        begin
+          @cert_store.add_file ca_chain_path
+        rescue OpenSSL::X509::StoreError => e
+          raise "Could not load certificate store '#{ca_chain_path}'.\nCaused by: #{e.inspect}"
+        end
+        return @cert_store
+      end
+
+      @cert_store = init_cert_store(File.expand_path('../../../certs/host-agent-deployment-signer-ca-chain.pem', File.dirname(__FILE__)))
+
+      def initialize(data)
+        raise 'Deployment Spec has no DeploymentId' unless property_set?(data, "DeploymentId")
+        raise 'Deployment Spec has no DeploymentGroupId' unless property_set?(data, "DeploymentGroupId")
+
+        if data["DeploymentId"].start_with?("arn:")
+          @deployment_id = getDeploymentIdFromArn(data["DeploymentId"])
+        else
+          @deployment_id = data["DeploymentId"]
+        end
+        @deployment_group_id = data["DeploymentGroupId"]
+
+        raise 'Must specify a revison' unless data["Revision"]
+        @revision_source = data["Revision"]["RevisionType"]
+        raise 'Must specify a revision source' unless @revision_source
+
+        case @revision_source
+        when 'S3'
+          @revision = data["Revision"]["S3Revision"]
+          raise 'S3Revision in Deployment Spec must specify Bucket, Key and BundleType' unless valid_s3_revision?(@revision)
+          raise 'BundleType in S3Revision must be tar, tgz or zip' unless valid_bundle_type?(@revision)
+
+          @bucket = @revision["Bucket"]
+          @key = @revision["Key"]
+          @bundle_type = @revision["BundleType"]
+          @version = @revision["Version"]
+          @etag = @revision["ETag"]
+        when 'GitHub'
+          @revision = data["Revision"]["GitHubRevision"]
+          raise 'GitHubRevision in Deployment Spec must specify Account, Repository and CommitId' unless valid_github_revision?(revision)
+          @external_account = revision["Account"]
+          @repository = revision["Repository"]
+          @commit_id = revision["CommitId"]
+          @external_auth_token = data["GitHubAccessToken"]
+          @anonymous = @external_auth_token.nil?
+        else
+          raise 'Exactly one of S3Revision or GitHubRevision must be specified'
+        end
+      end
+
+      def self.parse(envelope)
+        raise 'Provided deployment spec was nil' if envelope.nil?
+
+        case envelope.format
+        when "PKCS7/JSON"
+          pkcs7 = OpenSSL::PKCS7.new(envelope.payload)
+
+          # The PKCS7_NOCHAIN flag tells OpenSSL to ignore any PKCS7 CA chain that might be attached
+          # to the message directly and use the certificates from provided one only for validating the.
+          # signer's certificate.
+          #
+          # However, it will allow use the PKCS7 signer certificate provided to validate the signature.
+          #
+          # http://www.openssl.org/docs/crypto/PKCS7_verify.html#VERIFY_PROCESS
+          #
+          # The ruby wrapper returns true if OpenSSL returns 1
+          raise "Validation of PKCS7 signed message failed" unless pkcs7.verify([], @cert_store, nil, OpenSSL::PKCS7::NOCHAIN)
+
+          signer_certs = pkcs7.certificates
+          raise "Validation of PKCS7 signed message failed" unless signer_certs.size == 1
+          raise "Validation of PKCS7 signed message failed" unless verify_pkcs7_signer_cert(signer_certs[0])
+
+          deployment_spec = JSON.parse(pkcs7.data)
+
+          sanitized_spec = deployment_spec.clone
+          sanitized_spec["GitHubAccessToken"] &&= "REDACTED"
+          InstanceAgent::Log.debug("#{self.to_s}: Parse: #{sanitized_spec}")
+
+          return new(deployment_spec)
+        else
+          raise "Unsupported DeploymentSpecification format: #{envelope.format}"
+        end
+      end
+
+      private
+
+      def property_set?(propertyHash, property)
+        propertyHash.has_key?(property) && !propertyHash[property].nil? && !propertyHash[property].empty?
+      end
+
+      def valid_s3_revision?(revision)
+        revision.nil? || %w(Bucket Key BundleType).all? { |k| revision.has_key?(k) }
+      end
+
+      def valid_github_revision?(revision)
+        required_fields = %w(Account Repository CommitId)
+        if !(revision.nil? || revision['Anonymous'].nil? || revision['Anonymous'])
+          required_fields << 'OAuthToken'
+        end
+        revision.nil? || required_fields.all? { |k| revision.has_key?(k) }
+      end
+
+      private
+
+      def valid_bundle_type?(revision)
+        revision.nil? || %w(tar zip tgz).any? { |k| revision["BundleType"] == k }
+      end
+
+      def self.verify_pkcs7_signer_cert(cert)
+        @@region ||= ENV['AWS_REGION'] || InstanceMetadata.region
+
+        case InstanceAgent::Config.config()[:codedeploy_test_profile]
+        when 'prod'
+          case @@region
+          when 'us-east-1'
+            cert.subject.to_s == "/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=codedeploy-signer-us-east-1.amazonaws.com"
+          when 'us-west-2'
+            cert.subject.to_s == "/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=codedeploy-signer-us-west-2.amazonaws.com"
+          else
+            raise "Unknown region '#{@region}'"
+          end
+        else
+          raise "Unknown profile '#{Config.config()[:codedeploy_test_profile]}'"
+        end
+      end
+
+      private
+
+      def getDeploymentIdFromArn(arn)
+        # example arn format: "arn:aws:codedeploy:us-east-1:123412341234:deployment/12341234-1234-1234-1234-123412341234"
+        arn.split(":", 6)[5].split("/",2)[1]
+      end
+
+    end
+  end
+end

data/lib/instance_agent/codedeploy_plugin/hook_executor.rb

@@ -0,0 +1,206 @@
+require 'timeout'
+require 'open3'
+require 'json'
+require 'fileutils'
+
+module InstanceAgent
+  module CodeDeployPlugin
+    class ScriptLog
+      attr_reader :log
+
+      def append_to_log(log_entry)
+        log_entry ||= ""
+        @log ||= []
+        @log.push(log_entry)
+
+        index = @log.size
+        remaining_buffer = 2048
+
+        while (index > 0 && (remaining_buffer - @log[index-1].length) > 0)
+          index = index - 1
+          remaining_buffer = remaining_buffer - @log[index-1].length
+        end
+
+        if index > 0
+          @log = @log.drop(index)
+        end
+      end
+
+      def concat_log(log_entries)
+        log_entries ||= []
+        log_entries.each do |log_entry|
+           append_to_log(log_entry)
+        end
+      end
+    end
+
+    class ScriptError < StandardError
+      attr_reader :error_code, :script_name, :log
+
+      SUCCEEDED_CODE = 0
+      SCRIPT_MISSING_CODE = 1
+      SCRIPT_EXECUTABILITY_CODE = 2
+      SCRIPT_TIMED_OUT_CODE = 3
+      SCRIPT_FAILED_CODE = 4
+      UNKNOWN_ERROR_CODE = 5
+
+      def initialize(error_code, script_name, log)
+        @error_code = error_code
+        @script_name = script_name
+        @log = log
+      end
+
+      def to_json
+        log = @log.log || []
+        log = log.join("")
+        {'error_code' => @error_code, 'script_name' => @script_name, 'message' => message, 'log' => log}.to_json
+      end
+    end
+
+    class HookExecutor
+
+      LAST_SUCCESSFUL_DEPLOYMENT = "OldOrIgnore"
+      CURRENT = "New"
+
+      def initialize(arguments = {})
+        #check arguments
+        raise "Lifecycle Event Required " if arguments[:lifecycle_event].nil?
+        raise "Deployment Root Directory Required " if arguments[:deployment_root_dir].nil?
+        raise "App Spec Path Required " if arguments[:app_spec_path].nil?
+        @lifecycle_event = arguments[:lifecycle_event]
+        select_correct_deployment_root_dir(arguments[:deployment_root_dir], arguments[:last_successful_deployment_dir])
+        return if @deployment_root_dir.nil?
+        @deployment_archive_dir = File.join(@deployment_root_dir, 'deployment-archive')
+        @app_spec_path = arguments[:app_spec_path]
+        parse_app_spec
+        @hook_logging_mutex = Mutex.new
+        @script_log = ScriptLog.new
+      end
+
+      def execute
+        return if @app_spec.nil?
+        if (hooks = @app_spec.hooks[@lifecycle_event]) &&
+            !hooks.empty?
+          create_script_log_file_if_needed do |script_log_file|
+            log_script("LifecycleEvent - " + @lifecycle_event + "\n", script_log_file)
+            hooks.each do |script|
+              if(!File.exist?(script_absolute_path(script)))
+                raise ScriptError.new(ScriptError::SCRIPT_MISSING_CODE, script.location, @script_log), 'Script does not exist at specified location: ' + script.location
+              elsif(!InstanceAgent::Platform.util.script_executable?(script_absolute_path(script)))
+                log :warn, 'Script at specified location: ' + script.location + ' is not executable.  Trying to make it executable.'
+                begin
+                  FileUtils.chmod("+x", script_absolute_path(script))
+                rescue
+                  raise ScriptError.new(ScriptError::SCRIPT_EXECUTABILITY_CODE, script.location, @script_log), 'Unable to set script at specified location: ' + script.location + ' as executable'
+                end
+              end
+              begin
+                execute_script(script, script_log_file)
+              rescue Timeout::Error
+                raise ScriptError.new(ScriptError::SCRIPT_TIMED_OUT_CODE, script.location, @script_log), 'Script at specified location: ' +script.location + ' failed to complete in '+script.timeout.to_s+' seconds'
+              end
+            end
+          end
+        end
+        @script_log.log
+      end
+
+      private
+      def execute_script(script, script_log_file)
+        script_command = InstanceAgent::Platform.util.prepare_script_command(script, script_absolute_path(script))
+        log_script("Script - " + script.location + "\n", script_log_file)
+        exit_status = 1
+        Open3.popen3(script_command, :pgroup => true) do |stdin, stdout, stderr, wait_thr|
+          stdin.close
+          stdout_thread = Thread.new{stdout.each_line { |line| log_script("[stdout]" + line.to_s, script_log_file)}}
+          stderr_thread = Thread.new{stderr.each_line { |line| log_script("[stderr]" + line.to_s, script_log_file)}}
+          if !wait_thr.join(script.timeout)
+            Process.kill('-TERM', wait_thr.pid) #kill the process group instead of pid
+            raise Timeout::Error
+          end
+          stdout_thread.join
+          stderr_thread.join
+          exit_status = wait_thr.value.exitstatus
+        end
+        if(exit_status != 0)
+          script_error = 'Script at specified location: ' + script.location + ' failed with exit code ' + exit_status.to_s
+          if(!script.runas.nil?)
+            script_error = 'Script at specified location: ' + script.location + ' run as user ' + script.runas + ' failed with exit code ' + exit_status.to_s
+          end
+          raise ScriptError.new(ScriptError::SCRIPT_FAILED_CODE, script.location, @script_log), script_error
+        end
+      end
+
+
+      private
+      def create_script_log_file_if_needed
+        script_log_file_location = File.join(@deployment_root_dir, 'logs/scripts.log')
+        if(!File.exists?(script_log_file_location))
+          unless File.directory?(File.dirname(script_log_file_location))
+            FileUtils.mkdir_p(File.dirname(script_log_file_location))
+          end
+          script_log_file = File.open(script_log_file_location, 'w')
+        else
+          script_log_file = File.open(script_log_file_location, 'a')
+        end
+        yield(script_log_file)
+      ensure
+        script_log_file.close unless script_log_file.nil?
+      end
+
+      private
+      def script_absolute_path(script)
+        File.join(@deployment_archive_dir, script.location)
+      end
+
+      private
+      def parse_app_spec
+        app_spec_location = File.join(@deployment_archive_dir, @app_spec_path)
+        log(:debug, "Checking for app spec in #{app_spec_location}")
+        @app_spec =  ApplicationSpecification::ApplicationSpecification.parse(File.read(app_spec_location))
+      end
+
+      private
+      def select_correct_deployment_root_dir(current_deployment_root_dir, last_successful_deployment_root_dir)
+        @deployment_root_dir = current_deployment_root_dir
+        hook_deployment_mapping = mapping_between_hooks_and_deployments
+        if(hook_deployment_mapping[@lifecycle_event] == LAST_SUCCESSFUL_DEPLOYMENT && !File.exist?(File.join(@deployment_root_dir, 'deployment-archive')))
+          @deployment_root_dir = last_successful_deployment_root_dir
+        end
+      end
+
+      private
+      def mapping_between_hooks_and_deployments
+        {"BeforeELBRemove"=>LAST_SUCCESSFUL_DEPLOYMENT,
+         "AfterELBRemove"=>LAST_SUCCESSFUL_DEPLOYMENT,
+         "ApplicationStop"=>LAST_SUCCESSFUL_DEPLOYMENT,
+         "BeforeInstall"=>CURRENT,
+         "AfterInstall"=>CURRENT,
+         "ApplicationStart"=>CURRENT,
+         "BeforeELBAdd"=>CURRENT,
+         "AfterELBAdd"=>CURRENT,
+         "ValidateService"=>CURRENT}
+      end
+
+      private
+      def description
+        self.class.to_s
+      end
+
+      private
+      def log(severity, message)
+        raise ArgumentError, "Unknown severity #{severity.inspect}" unless InstanceAgent::Log::SEVERITIES.include?(severity.to_s)
+        InstanceAgent::Log.send(severity.to_sym, "#{description}: #{message}")
+      end
+
+      private
+      def log_script(message, script_log_file)
+        @hook_logging_mutex.synchronize do
+          @script_log.append_to_log(message)
+          script_log_file.write(Time.now.to_s[0..-7] + ' ' + message)
+          script_log_file.flush
+        end
+      end
+    end
+  end
+end