aws-codedeploy-agent 0.0.1

data/lib/instance_agent/codedeploy_plugin/request_helper.rb

@@ -0,0 +1,28 @@
+require 'instance_metadata'
+
+module InstanceAgent
+  module CodeDeployPlugin
+    class RequestHelper
+
+      def initialize(options = {})
+        @deploy_control_client = options[:deploy_control_client]
+      end
+
+      def verify_clients_configuration
+        errors = []
+        errors << "Invalid aws sdk security configuration" unless valid_aws_sdk_security_config?
+        errors << "Invalid server certificate" unless valid_server_certificate?
+        errors
+      end
+ 
+      def valid_aws_sdk_security_config?
+        @deploy_control_client.ssl_verify_peer
+      end
+
+      def valid_server_certificate?
+        @deploy_control_client.verify_cert_fields
+      end
+
+    end
+  end
+end

data/lib/instance_agent/config.rb

@@ -0,0 +1,43 @@
+# encoding: UTF-8
+require 'process_manager/config'
+
+module InstanceAgent
+  class Config < ProcessManager::Config
+    def self.init
+      @config = Config.new
+      ProcessManager::Config.instance_variable_set("@config", @config)
+    end
+
+    def validate
+      errors = super
+      validate_children(errors)
+      errors
+    end
+
+    def initialize
+      super
+      @config.update({
+        :program_name => 'codedeploy-agent',
+        :wait_between_spawning_children => 1,
+        :log_dir => nil,
+        :pid_dir => nil,
+        :shared_dir => nil,
+        :user => nil,
+        :children => 1,
+        :http_read_timeout => 80,
+        :instance_service_region => nil,
+        :instance_service_endpoint => nil,
+        :instance_service_port => nil,
+        :wait_between_runs => 30,
+        :wait_after_error => 30,
+        :codedeploy_test_profile => 'prod'
+      })
+    end
+
+    def validate_children(errors = [])
+      errors << 'children can only be set to 1' unless config[:children] == 1
+      errors
+    end
+
+  end
+end

data/lib/instance_agent/log.rb

@@ -0,0 +1,3 @@
+require 'process_manager/log'
+
+InstanceAgent::Log = ProcessManager::Log

data/lib/instance_agent/platform.rb

@@ -0,0 +1,17 @@
+module InstanceAgent
+
+  class Platform
+
+    attr_accessor :util
+
+    def self.util
+      @util
+    end
+
+    def self.util=(klass)
+      @util = klass
+    end
+  
+  end
+
+end

data/lib/instance_agent/platform/linux_util.rb

@@ -0,0 +1,57 @@
+module InstanceAgent
+  class LinuxUtil
+    def self.supported_versions()
+      [0.0]
+    end
+
+    def self.supported_oses()
+      ['linux']
+    end
+
+    def self.prepare_script_command(script, absolute_path)
+      script_command = absolute_path
+      if(!script.runas.nil?)
+        script_command = 'su ' + script.runas + ' -c ' + absolute_path
+      end
+      script_command
+    end
+
+    def self.script_executable?(path)
+      File.executable?(path)
+    end
+
+    def self.extract_tar(bundle_file, dst)
+      FileUtils.mkdir_p(dst)
+      execute_tar_command("/bin/tar -xpsf #{bundle_file} -C #{dst}")
+    end
+
+    def self.extract_tgz(bundle_file, dst)
+      FileUtils.mkdir_p(dst)
+      execute_tar_command("/bin/tar -zxpsf #{bundle_file} -C #{dst}")
+    end
+
+    private
+    def self.execute_tar_command(cmd)
+      log(:debug, "Executing #{cmd}")
+
+      output = `#{cmd} 2>&1`
+      exit_status = $?.exitstatus
+
+      log(:debug, "Command status: #{$?}")
+      log(:debug, "Command output: #{output}")
+
+      if exit_status != 0
+        msg = "Error extracting tar archive: #{exit_status}"
+        log(:error, msg)
+        raise msg
+      end
+    end
+
+    private
+    def self.log(severity, message)
+      raise ArgumentError, "Unknown severity #{severity.inspect}" unless InstanceAgent::Log::SEVERITIES.include?(severity.to_s)
+      InstanceAgent::Log.send(severity.to_sym, "#{self.to_s}: #{message}")
+    end
+
+  end
+end

data/lib/instance_agent/runner/child.rb

@@ -0,0 +1,57 @@
+# encoding: UTF-8
+require 'process_manager/child'
+
+module InstanceAgent
+  module Runner
+    class Child < ProcessManager::Daemon::Child
+      AGENTS = {
+        0 => InstanceAgent::CodeDeployPlugin::CommandPoller
+      }
+
+      attr_accessor :runner
+
+      def prepare_run
+        validate_index
+        with_error_handling do
+          @runner = AGENTS[index].runner
+          ProcessManager.set_program_name(description)
+        end
+      end
+
+      def run
+        with_error_handling do
+          runner.run
+        end
+      end
+
+      def description
+        if runner
+          "#{runner.description} of master #{master_pid.inspect}"
+        else
+          'booting child'
+        end
+      end
+
+      def validate_index
+        raise ArgumentError, "Invalid index #{index.inspect}: only 0-2 possible" unless AGENTS.keys.include?(index)
+      end
+
+      def with_error_handling
+        yield
+      rescue SocketError => e
+        ProcessManager::Log.info "#{description}: failed to run as the connection failed! #{e.class} - #{e.message} - #{e.backtrace.join("\n")}"
+        sleep ProcessManager::Config.config[:wait_after_connection_problem]
+        exit 1
+      rescue Exception => e
+        if (e.message.to_s.match(/throttle/i) || e.message.to_s.match(/rateexceeded/i) rescue false)
+          ProcessManager::Log.error "#{description}: ran into throttling - waiting for #{ProcessManager::Config.config[:wait_after_throttle_error]}s until retrying"
+          sleep ProcessManager::Config.config[:wait_after_throttle_error]
+        else
+          ProcessManager::Log.error "#{description}: error during start or run: #{e.class} - #{e.message} - #{e.backtrace.join("\n")}"
+        end
+        exit 1
+      end
+
+    end
+  end
+end

data/lib/instance_agent/runner/master.rb

@@ -0,0 +1,103 @@
+# encoding: UTF-8
+require 'process_manager/master'
+require 'instance_agent/codedeploy_plugin/request_helper'
+require 'instance_agent/codedeploy_plugin/codedeploy_control'
+require 'instance_metadata'
+
+module InstanceAgent
+  module Runner
+    class Master < ProcessManager::Daemon::Master
+    
+      ChildTerminationMaxWaitTime = 80
+      
+      def self.description(pid = $$)
+        "master #{pid}"
+      end
+
+      def self.child_class
+        ::InstanceAgent::Runner::Child
+      end
+
+      def self.pid_description
+        ProcessManager::Config.config[:program_name]
+      end
+
+      def validate_ssl_config
+        if !InstanceMetadata.instance_id.blank?
+          region = InstanceMetadata.region
+          request_helper = InstanceAgent::CodeDeployPlugin::RequestHelper.new(:deploy_control_client => InstanceAgent::CodeDeployPlugin::CodeDeployControl.new(:region => region))
+
+          if (errors = request_helper.verify_clients_configuration)
+            errors.each{|error| ProcessManager::Log.error("Stopping CodeDeploy agent. " + error)}
+          end
+          self.class.abort unless errors.empty?
+        end
+      end
+
+      def self.log_file
+        File.join(ProcessManager::Config.config[:log_dir], "#{ProcessManager::Config.config[:program_name]}.log")
+      end
+
+      def self.pid_file
+        File.join(ProcessManager::Config.config[:pid_dir], "#{ProcessManager::Config.config[:program_name]}.pid")
+      end
+
+      def stop
+        if (pid = self.class.find_pid)
+          puts "Stopping #{description(pid)}"
+          ProcessManager::Log.info("Stopping #{description(pid)}")
+          begin
+            Process.kill('TERM', pid)
+          rescue Errno::ESRCH
+          end
+          
+          begin
+            Timeout.timeout(ChildTerminationMaxWaitTime) do  
+              loop do
+                begin
+                  Process.kill(0, pid)
+                  sleep(1)
+                rescue Errno::ESRCH
+                  break
+                end
+              end
+            end
+          rescue Timeout::Error
+            puts "Child processes still running. Master going down."
+            ProcessManager::Log.warn("Master process (#{pid}) going down before terminating child")
+          end
+        else
+          puts "Nothing running that could be stopped"
+        end
+      end
+
+      def kill_children(sig)
+        children.each do |index, child_pid|
+          begin
+            Process.kill(sig, child_pid)
+          rescue Errno::ESRCH
+          end
+        end
+    
+        begin
+          Timeout.timeout(ChildTerminationMaxWaitTime) do
+            children.each do |index, child_pid|
+              begin
+                Process.wait(child_pid)
+              rescue Errno::ESRCH
+              end
+            end
+          end
+        rescue Timeout::Error
+          children.each do |index, child_pid|
+            if ProcessManager.process_running?(child_pid)
+              puts "Stopping #{ProcessManager::Config.config[:program_name]} agent(#{pid}) but child(#{child_pid}) still processing."
+              ProcessManager::Log.warn("Stopping #{ProcessManager::Config.config[:program_name]} agent(#{pid}) but child(#{child_pid}) is still processing.")
+            end
+          end
+        end
+      end
+      
+    end
+  end
+end

data/lib/instance_metadata.rb

@@ -0,0 +1,47 @@
+require 'net/http'
+require 'json'
+require 'instance_agent'
+
+class InstanceMetadata
+
+  IP_ADDRESS = '169.254.169.254'
+  PORT = 80
+
+  def self.host_identifier
+    doc = JSON.parse(http_get('/latest/dynamic/instance-identity/document').strip)
+    "arn:aws:ec2:#{doc['region']}:#{doc['accountId']}:instance/#{doc['instanceId']}"
+  end
+
+  def self.region
+    az = http_get('/latest/meta-data/placement/availability-zone').strip
+    raise "Invalid availability zone name: #{az}" unless
+      az =~ /[a-z]{2}-[a-z]+-\d+[a-z]/
+    az.chop
+  end
+
+  def self.instance_id
+    begin
+      Net::HTTP.start(IP_ADDRESS, PORT) do |http|
+        response = http.get('/latest/meta-data/instance-id')
+        if response.code.to_i != 200
+          return nil
+        end
+        return response.body
+      end
+    rescue
+      return nil
+    end
+  end
+
+  private
+  def self.http_get(path)
+    Net::HTTP.start(IP_ADDRESS, PORT) do |http|
+      response = http.get(path)
+      if response.code.to_i != 200
+        InstanceAgent::Log.send(:debug, "HTTP error from metadata service, code #{reponse.code}")
+        raise "HTTP error from metadata service, code #{reponse.code}"
+      end
+      return response.body
+    end
+  end
+end

data/test/certificate_helper.rb

@@ -0,0 +1,120 @@
+require 'openssl'
+require 'tempfile'
+
+class CertificateHelper
+  def initialize()
+    generate_root()
+    generate_intermediate()
+    generate_signer()
+
+    ca_chain_file = generate_ca_chain()
+
+    ENV['AWS_REGION'] = 'us-east-1'
+    InstanceAgent::CodeDeployPlugin::DeploymentSpecification.init_cert_store(ca_chain_file)
+  end
+
+  def generate_root()
+    @root_key = OpenSSL::PKey::RSA.new(1024)
+    @root_cert = OpenSSL::X509::Certificate.new
+    @root_cert.version = 2
+    @root_cert.serial = 1
+    @root_cert.subject = OpenSSL::X509::Name.new [
+        ['C', 'US'], ['ST', 'Washington'], ['L', 'Seattle'],
+        ['O', 'Amazon.com, Inc.'], ['CN', 'Host Agent TEST CA Root G1']
+    ]
+    @root_cert.issuer = @root_cert.subject
+    @root_cert.public_key = @root_key.public_key
+    @root_cert.not_before = Time.now
+    @root_cert.not_after = Time.now + 60
+    ef = OpenSSL::X509::ExtensionFactory.new
+
+    ef.subject_certificate = @root_cert
+    ef.issuer_certificate = @root_cert
+    @root_cert.extensions = [
+      ef.create_extension("basicConstraints","CA:TRUE",true),
+      ef.create_extension("keyUsage","keyCertSign, cRLSign", true),
+      ef.create_extension("subjectKeyIdentifier","hash",false),
+    ]
+
+    @root_cert.sign(@root_key, OpenSSL::Digest::SHA1.new)
+
+    return @root_cert
+  end
+
+  def generate_intermediate()
+    @intermediate_key = OpenSSL::PKey::RSA.new(1024)
+    @intermediate_cert = OpenSSL::X509::Certificate.new
+    @intermediate_cert.version = 2
+    @intermediate_cert.serial = 1
+    @intermediate_cert.subject = OpenSSL::X509::Name.new [
+        ['C', 'US'], ['ST', 'Washington'], ['L', 'Seattle'],
+        ['O', 'Amazon.com, Inc.'], ['CN', 'Host Agent TEST CA Intermediate G1']
+    ]
+    @intermediate_cert.issuer = @root_cert.subject
+    @intermediate_cert.public_key = @intermediate_key.public_key
+    @intermediate_cert.not_before = Time.now
+    @intermediate_cert.not_after = Time.now + 60
+
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ef.subject_certificate = @intermediate_cert
+    ef.issuer_certificate = @root_cert
+    @intermediate_cert.extensions = [
+      ef.create_extension("basicConstraints","CA:TRUE",true),
+      ef.create_extension("keyUsage","keyCertSign, cRLSign", true),
+      ef.create_extension("subjectKeyIdentifier","hash",false)
+    ]
+
+    @intermediate_cert.sign(@root_key, OpenSSL::Digest::SHA1.new)
+
+    return @intermediate_cert
+  end
+
+  def generate_signer()
+    @signer_key = OpenSSL::PKey::RSA.new(1024)
+    @signer_cert = OpenSSL::X509::Certificate.new
+    @signer_cert.version = 2
+    @signer_cert.serial = 1
+    @signer_cert.subject = OpenSSL::X509::Name.new [
+        ['C', 'US'], ['ST', 'Washington'], ['L', 'Seattle'],
+        ['O', 'Amazon.com, Inc.'], ['CN', 'codedeploy-signer-us-east-1.amazonaws.com']
+    ]
+    @signer_cert.issuer = @intermediate_cert.subject
+    @signer_cert.public_key = @signer_key.public_key
+    @signer_cert.not_before = Time.now
+    @signer_cert.not_after = Time.now + 60
+
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ef.subject_certificate = @signer_cert
+    ef.issuer_certificate = @intermediate_cert
+    @signer_cert.extensions = [
+      ef.create_extension('basicConstraints', 'CA:FALSE', true),
+      ef.create_extension('keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature', true),
+      ef.create_extension('subjectKeyIdentifier', 'hash')
+    ]
+
+    @signer_cert.sign(@intermediate_key, OpenSSL::Digest::SHA1.new)
+
+    return @signer_cert
+  end
+
+  def generate_ca_chain()
+    ca_chain_file = Tempfile.new('host-agent-deployment-signer-ca-chain')
+
+    File.open(ca_chain_file.path, "wb") do |ca_chain|
+      ca_chain.print @root_cert.to_pem
+      ca_chain.print @intermediate_cert.to_pem
+    end
+
+    return ca_chain_file.path
+  end
+
+  def sign_message(message)
+    if @signer_key.nil?
+      raise "Signer key not initialized"
+    end
+
+    pkcs7 = OpenSSL::PKCS7::sign(@signer_cert, @signer_key, message, [], OpenSSL::PKCS7::BINARY)
+
+    return pkcs7.to_pem
+  end
+end