aws-codedeploy-agent 0.0.2 → 0.0.3

data/lib/instance_agent/plugins/codedeploy/command_poller.rb

@@ -0,0 +1,178 @@
+require 'instance_metadata'
+require 'socket'
+
+module InstanceAgent
+  module Plugins
+    module CodeDeployPlugin
+      class CommandPoller < InstanceAgent::Agent::Base
+
+        VERSION = "2013-04-23"
+        def initialize
+          CodeDeployPlugin::OnPremisesConfig.configure
+          region = ENV['AWS_REGION'] || InstanceMetadata.region
+          @host_identifier = ENV['AWS_HOST_IDENTIFIER'] || InstanceMetadata.host_identifier
+
+          log(:debug, "Configuring deploy control client: Region = #{region.inspect}")
+          log(:debug, "Deploy control endpoint override = " + ENV['AWS_DEPLOY_CONTROL_ENDPOINT'].inspect)
+
+          @deploy_control = InstanceAgent::Plugins::CodeDeployPlugin::CodeDeployControl.new(:region => region, :logger => InstanceAgent::Log, :ssl_ca_directory => ENV['AWS_SSL_CA_DIRECTORY'])
+          @deploy_control_client = @deploy_control.get_client
+
+          @plugin = InstanceAgent::Plugins::CodeDeployPlugin::CommandExecutor.new(:hook_mapping => create_hook_mapping)
+
+          log(:debug, "Initializing Host Agent: " +
+          "Host Identifier = #{@host_identifier}")
+        end
+
+        def create_hook_mapping
+          #Map commands to lifecycle hooks
+          { "BeforeELBRemove"=>["BeforeELBRemove"],
+            "AfterELBRemove"=>["AfterELBRemove"],
+            "ApplicationStop"=>["ApplicationStop"],
+            "BeforeInstall"=>["BeforeInstall"],
+            "AfterInstall"=>["AfterInstall"],
+            "ApplicationStart"=>["ApplicationStart"],
+            "BeforeELBAdd"=>["BeforeELBAdd"],
+            "AfterELBAdd"=>["AfterELBAdd"],
+            "ValidateService"=>["ValidateService"]}
+        end
+
+        def validate
+          test_profile = InstanceAgent::Config.config[:codedeploy_test_profile]
+          unless ["beta", "gamma"].include?(test_profile.downcase)
+            log(:debug, "Validating CodeDeploy Plugin Configuration")
+            Kernel.abort "Stopping CodeDeploy agent due to SSL validation error." unless @deploy_control.validate_ssl_config
+            log(:debug, "CodeDeploy Plugin Configuration is valid")
+          end
+        end
+
+        def perform
+          return unless command = next_command
+          return unless acknowledge_command(command)
+
+          begin
+            spec = get_deployment_specification(command)
+            #Successful commands will complete without raising an exception
+            script_output = process_command(command, spec)
+            log(:debug, 'Calling PutHostCommandComplete: "Succeeded"')
+            @deploy_control_client.put_host_command_complete(
+            :command_status => 'Succeeded',
+            :diagnostics => {:format => "JSON", :payload => gather_diagnostics()},
+            :host_command_identifier => command.host_command_identifier)
+
+            #Commands that throw an exception will be considered to have failed
+          rescue ScriptError => e
+            log(:debug, 'Calling PutHostCommandComplete: "Code Error" ')
+            @deploy_control_client.put_host_command_complete(
+            :command_status => "Failed",
+            :diagnostics => {:format => "JSON", :payload => gather_diagnostics_from_script_error(e)},
+            :host_command_identifier => command.host_command_identifier)
+            raise e
+          rescue Exception => e
+            log(:debug, 'Calling PutHostCommandComplete: "Code Error" ')
+            @deploy_control_client.put_host_command_complete(
+            :command_status => "Failed",
+            :diagnostics => {:format => "JSON", :payload => gather_diagnostics_from_error(e)},
+            :host_command_identifier => command.host_command_identifier)
+            raise e
+          end
+        end
+
+        def next_command
+          log(:debug, "Calling PollHostCommand:")
+          output = @deploy_control_client.poll_host_command(:host_identifier => @host_identifier)
+          command = output.host_command
+          if command.nil?
+            log(:debug, "PollHostCommand: Host Command =  nil")
+          else
+            log(:debug, "PollHostCommand: "  +
+            "Host Identifier = #{command.host_identifier}; "  +
+            "Host Command Identifier = #{command.host_command_identifier}; "  +
+            "Deployment Execution ID = #{command.deployment_execution_id}; "  +
+            "Command Name = #{command.command_name}")
+            raise "Host Identifier mismatch: #{@host_identifier} != #{command.host_identifier}" unless @host_identifier.include? command.host_identifier
+            raise "Command Name missing" if command.command_name.nil? || command.command_name.empty?
+          end
+          command
+        end
+
+        def acknowledge_command(command)
+          log(:debug, "Calling PutHostCommandAcknowledgement:")
+          output =  @deploy_control_client.put_host_command_acknowledgement(
+          :diagnostics => nil,
+          :host_command_identifier => command.host_command_identifier)
+          status = output.command_status
+          log(:debug, "Command Status = #{status}")
+
+          if status == 'Succeeded' || status == 'Failed'
+            log(:debug, "Calling PutHostCommandComplete: \"#{status}\" ")
+            @deploy_control_client.put_host_command_complete(
+              :command_status => status,
+              :diagnostics => {:format => "JSON", :payload => gather_diagnostics_from_acknowledge(status)},
+              :host_command_identifier => command.host_command_identifier)
+            return false
+          end
+
+          return true
+        end
+
+        def get_deployment_specification(command)
+          log(:debug, "Calling GetDeploymentSpecification:")
+          output =  @deploy_control_client.get_deployment_specification(
+          :deployment_execution_id => command.deployment_execution_id,
+          :host_identifier => @host_identifier)
+          log(:debug, "GetDeploymentSpecification: " +
+          "Deployment System = #{output.deployment_system}")
+          raise "Deployment System mismatch: #{@plugin.deployment_system} != #{output.deployment_system}" unless @plugin.deployment_system == output.deployment_system
+          raise "Deployment Specification missing" if output.deployment_specification.nil?
+          output.deployment_specification.generic_envelope
+        end
+
+        def process_command(command, spec)
+          log(:debug, "Calling #{@plugin.to_s}.execute_command")
+          @plugin.execute_command(command, spec)
+        end
+
+        private
+        def gather_diagnostics_from_script_error(script_error)
+          script_error.to_json
+        end
+
+        private
+        def gather_diagnostics_from_error(error)
+          begin
+            message = error.message || ""
+            raise ScriptError.new(ScriptError::UNKNOWN_ERROR_CODE, "", ScriptLog.new), message
+          rescue ScriptError => e
+            script_error = e
+          end
+          gather_diagnostics_from_script_error(script_error)
+        end
+
+        private
+        def gather_diagnostics()
+          begin
+            raise ScriptError.new(ScriptError::SUCCEEDED_CODE, "", ScriptLog.new), 'Succeeded'
+          rescue ScriptError => e
+            script_error = e
+          end
+          gather_diagnostics_from_script_error(script_error)
+        end
+
+        private
+        def gather_diagnostics_from_acknowledge(status)
+          begin
+            if status == 'Succeeded'
+              raise ScriptError.new(ScriptError::SUCCEEDED_CODE, "", ScriptLog.new), 'Succeeded'
+            else
+              raise ScriptError.new(ScriptError::UNKNOWN_ERROR_CODE, "", ScriptLog.new), 'Failed'
+            end
+          rescue ScriptError => e
+            script_error = e
+          end
+          gather_diagnostics_from_script_error(script_error)
+        end
+      end
+    end
+  end
+end

data/lib/instance_agent/plugins/codedeploy/deployment_specification.rb

@@ -0,0 +1,161 @@
+require 'openssl'
+require 'instance_metadata'
+
+module InstanceAgent
+  module Plugins
+    module CodeDeployPlugin
+      class DeploymentSpecification
+        attr_accessor :deployment_id, :deployment_group_id, :deployment_group_name, :revision, :revision_source, :application_name
+        attr_accessor :bucket, :key, :bundle_type, :version, :etag
+        attr_accessor :external_account, :repository, :commit_id, :anonymous, :external_auth_token
+        class << self
+          attr_accessor :cert_store
+        end
+
+        def self.init_cert_store(ca_chain_path)
+          @cert_store = OpenSSL::X509::Store.new
+          begin
+            @cert_store.add_file ca_chain_path
+          rescue OpenSSL::X509::StoreError => e
+            raise "Could not load certificate store '#{ca_chain_path}'.\nCaused by: #{e.inspect}"
+          end
+          return @cert_store
+        end
+
+        @cert_store = init_cert_store(File.expand_path('../../../../certs/host-agent-deployment-signer-ca-chain.pem', File.dirname(__FILE__)))
+
+        def initialize(data)
+          raise 'Deployment Spec has no DeploymentId' unless property_set?(data, "DeploymentId")
+          raise 'Deployment Spec has no DeploymentGroupId' unless property_set?(data, "DeploymentGroupId")
+          raise 'Deployment Spec has no DeploymentGroupName' unless property_set?(data, "DeploymentGroupName")
+          raise 'Deployment Spec has no ApplicationName' unless property_set?(data, "ApplicationName")
+
+          @application_name = data["ApplicationName"]
+          @deployment_group_name = data["DeploymentGroupName"]
+
+          if data["DeploymentId"].start_with?("arn:")
+            @deployment_id = getDeploymentIdFromArn(data["DeploymentId"])
+          else
+            @deployment_id = data["DeploymentId"]
+          end
+          @deployment_group_id = data["DeploymentGroupId"]
+
+          raise 'Must specify a revison' unless data["Revision"]
+          @revision_source = data["Revision"]["RevisionType"]
+          raise 'Must specify a revision source' unless @revision_source
+
+          case @revision_source
+          when 'S3'
+            @revision = data["Revision"]["S3Revision"]
+            raise 'S3Revision in Deployment Spec must specify Bucket, Key and BundleType' unless valid_s3_revision?(@revision)
+            raise 'BundleType in S3Revision must be tar, tgz or zip' unless valid_bundle_type?(@revision)
+
+            @bucket = @revision["Bucket"]
+            @key = @revision["Key"]
+            @bundle_type = @revision["BundleType"]
+            @version = @revision["Version"]
+            @etag = @revision["ETag"]
+          when 'GitHub'
+            @revision = data["Revision"]["GitHubRevision"]
+            raise 'GitHubRevision in Deployment Spec must specify Account, Repository and CommitId' unless valid_github_revision?(revision)
+            @external_account = revision["Account"]
+            @repository = revision["Repository"]
+            @commit_id = revision["CommitId"]
+            @external_auth_token = data["GitHubAccessToken"]
+            @anonymous = @external_auth_token.nil?
+          else
+            raise 'Exactly one of S3Revision or GitHubRevision must be specified'
+          end
+        end
+
+        def self.parse(envelope)
+          raise 'Provided deployment spec was nil' if envelope.nil?
+
+          case envelope.format
+          when "PKCS7/JSON"
+            pkcs7 = OpenSSL::PKCS7.new(envelope.payload)
+
+            # The PKCS7_NOCHAIN flag tells OpenSSL to ignore any PKCS7 CA chain that might be attached
+            # to the message directly and use the certificates from provided one only for validating the.
+            # signer's certificate.
+            #
+            # However, it will allow use the PKCS7 signer certificate provided to validate the signature.
+            #
+            # http://www.openssl.org/docs/crypto/PKCS7_verify.html#VERIFY_PROCESS
+            #
+            # The ruby wrapper returns true if OpenSSL returns 1
+            raise "Validation of PKCS7 signed message failed" unless pkcs7.verify([], @cert_store, nil, OpenSSL::PKCS7::NOCHAIN)
+
+            signer_certs = pkcs7.certificates
+            raise "Validation of PKCS7 signed message failed" unless signer_certs.size == 1
+            raise "Validation of PKCS7 signed message failed" unless verify_pkcs7_signer_cert(signer_certs[0])
+
+            deployment_spec = JSON.parse(pkcs7.data)
+
+            sanitized_spec = deployment_spec.clone
+            sanitized_spec["GitHubAccessToken"] &&= "REDACTED"
+            InstanceAgent::Log.debug("#{self.to_s}: Parse: #{sanitized_spec}")
+
+            return new(deployment_spec)
+          else
+            raise "Unsupported DeploymentSpecification format: #{envelope.format}"
+          end
+        end
+
+        private
+        def property_set?(propertyHash, property)
+          propertyHash.has_key?(property) && !propertyHash[property].nil? && !propertyHash[property].empty?
+        end
+
+        def valid_s3_revision?(revision)
+          revision.nil? || %w(Bucket Key BundleType).all? { |k| revision.has_key?(k) }
+        end
+
+        def valid_github_revision?(revision)
+          required_fields = %w(Account Repository CommitId)
+          if !(revision.nil? || revision['Anonymous'].nil? || revision['Anonymous'])
+            required_fields << 'OAuthToken'
+          end
+          revision.nil? || required_fields.all? { |k| revision.has_key?(k) }
+        end
+
+        private
+        def valid_bundle_type?(revision)
+          revision.nil? || %w(tar zip tgz).any? { |k| revision["BundleType"] == k }
+        end
+
+        def self.verify_pkcs7_signer_cert(cert)
+          @@region ||= ENV['AWS_REGION'] || InstanceMetadata.region
+          
+          # Do some minimal cert pinning
+          case InstanceAgent::Config.config()[:codedeploy_test_profile]
+          when 'beta', 'gamma'
+            cert.subject.to_s == "/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=codedeploy-signer-integ.amazonaws.com"
+          when 'prod'
+            case @@region
+            when 'us-east-1'
+              cert.subject.to_s == "/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=codedeploy-signer-us-east-1.amazonaws.com"
+            when 'us-west-2'
+              cert.subject.to_s == "/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=codedeploy-signer-us-west-2.amazonaws.com"
+            when 'eu-west-1'
+              cert.subject.to_s == "/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=codedeploy-signer-eu-west-1.amazonaws.com"
+            when 'ap-southeast-2'
+              cert.subject.to_s == "/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=codedeploy-signer-ap-southeast-2.amazonaws.com"
+            else
+              raise "Unknown region '#{@region}'"
+            end
+          else
+            raise "Unknown profile '#{Config.config()[:codedeploy_test_profile]}'"
+          end
+        end
+
+        private
+        def getDeploymentIdFromArn(arn)
+          # example arn format: "arn:aws:codedeploy:us-east-1:123412341234:deployment/12341234-1234-1234-1234-123412341234"
+          arn.split(":", 6)[5].split("/",2)[1]
+        end
+
+      end
+    end
+  end
+end

data/lib/instance_agent/plugins/codedeploy/hook_executor.rb

@@ -0,0 +1,226 @@
+require 'timeout'
+require 'open3'
+require 'json'
+require 'fileutils'
+
+module InstanceAgent
+  module Plugins
+    module CodeDeployPlugin
+      class ScriptLog
+        attr_reader :log
+        def append_to_log(log_entry)
+          log_entry ||= ""
+          @log ||= []
+          @log.push(log_entry)
+
+          index = @log.size
+          remaining_buffer = 2048
+
+          while (index > 0 && (remaining_buffer - @log[index-1].length) > 0)
+            index = index - 1
+            remaining_buffer = remaining_buffer - @log[index-1].length
+          end
+
+          if index > 0
+            @log = @log.drop(index)
+          end
+        end
+
+        def concat_log(log_entries)
+          log_entries ||= []
+          log_entries.each do |log_entry|
+            append_to_log(log_entry)
+          end
+        end
+      end
+
+      class ScriptError < StandardError
+        attr_reader :error_code, :script_name, :log
+
+        SUCCEEDED_CODE = 0
+        SCRIPT_MISSING_CODE = 1
+        SCRIPT_EXECUTABILITY_CODE = 2
+        SCRIPT_TIMED_OUT_CODE = 3
+        SCRIPT_FAILED_CODE = 4
+        UNKNOWN_ERROR_CODE = 5
+        def initialize(error_code, script_name, log)
+          @error_code = error_code
+          @script_name = script_name
+          @log = log
+        end
+
+        def to_json
+          log = @log.log || []
+          log = log.join("")
+          {'error_code' => @error_code, 'script_name' => @script_name, 'message' => message, 'log' => log}.to_json
+        end
+      end
+
+      class HookExecutor
+
+        LAST_SUCCESSFUL_DEPLOYMENT = "OldOrIgnore"
+        CURRENT = "New"
+        def initialize(arguments = {})
+          #check arguments
+          raise "Lifecycle Event Required " if arguments[:lifecycle_event].nil?
+          raise "Deployment ID required " if arguments[:deployment_id].nil?
+          raise "Deployment Root Directory Required " if arguments[:deployment_root_dir].nil?
+          raise "App Spec Path Required " if arguments[:app_spec_path].nil?
+          raise "Application name required" if arguments[:application_name].nil?
+          raise "Deployment Group name required" if arguments[:deployment_group_name].nil?
+          @lifecycle_event = arguments[:lifecycle_event]
+          @deployment_id = arguments[:deployment_id]
+          @application_name = arguments[:application_name]
+          @deployment_group_name = arguments[:deployment_group_name]
+          select_correct_deployment_root_dir(arguments[:deployment_root_dir], arguments[:last_successful_deployment_dir])
+          return if @deployment_root_dir.nil?
+          @deployment_archive_dir = File.join(@deployment_root_dir, 'deployment-archive')
+          @app_spec_path = arguments[:app_spec_path]
+          parse_app_spec
+          @hook_logging_mutex = Mutex.new
+          @script_log = ScriptLog.new
+          @child_envs={'LIFECYCLE_EVENT' => @lifecycle_event.to_s,
+                      'DEPLOYMENT_ID'   => @deployment_id.to_s,
+                      'APPLICATION_NAME' => @application_name,
+                      'DEPLOYMENT_GROUP_NAME' => @deployment_group_name}
+
+        end
+
+        def execute
+          return if @app_spec.nil?
+          if (hooks = @app_spec.hooks[@lifecycle_event]) &&
+          !hooks.empty?
+            create_script_log_file_if_needed do |script_log_file|
+              log_script("LifecycleEvent - " + @lifecycle_event + "\n", script_log_file)
+              hooks.each do |script|
+                if(!File.exist?(script_absolute_path(script)))
+                  raise ScriptError.new(ScriptError::SCRIPT_MISSING_CODE, script.location, @script_log), 'Script does not exist at specified location: ' + script.location
+                elsif(!InstanceAgent::Platform.util.script_executable?(script_absolute_path(script)))
+                  log :warn, 'Script at specified location: ' + script.location + ' is not executable.  Trying to make it executable.'
+                  begin
+                    FileUtils.chmod("+x", script_absolute_path(script))
+                  rescue
+                    raise ScriptError.new(ScriptError::SCRIPT_EXECUTABILITY_CODE, script.location, @script_log), 'Unable to set script at specified location: ' + script.location + ' as executable'
+                  end
+                end
+                begin
+                  execute_script(script, script_log_file)
+                rescue Timeout::Error
+                  raise ScriptError.new(ScriptError::SCRIPT_TIMED_OUT_CODE, script.location, @script_log), 'Script at specified location: ' +script.location + ' failed to complete in '+script.timeout.to_s+' seconds'
+                end
+              end
+            end
+          end
+          @script_log.log
+        end
+
+        private
+        def execute_script(script, script_log_file)
+          script_command = InstanceAgent::Platform.util.prepare_script_command(script, script_absolute_path(script))
+          log_script("Script - " + script.location + "\n", script_log_file)
+          exit_status = 1
+          signal = nil
+
+          if !InstanceAgent::Platform.util.supports_process_groups?
+            # The Windows port doesn't emulate process groups so don't try to use them here
+            open3_options = {}
+            signal = 'KILL' #It is up to the script to handle killing child processes it spawns.
+          else
+            open3_options = {:pgroup => true}
+            signal = '-TERM' #kill the process group instead of pid
+          end
+
+          Open3.popen3(@child_envs, script_command, open3_options) do |stdin, stdout, stderr, wait_thr|
+            stdin.close
+            stdout_thread = Thread.new{stdout.each_line { |line| log_script("[stdout]" + line.to_s, script_log_file)}}
+            stderr_thread = Thread.new{stderr.each_line { |line| log_script("[stderr]" + line.to_s, script_log_file)}}
+            if !wait_thr.join(script.timeout)
+              Process.kill(signal, wait_thr.pid)
+              raise Timeout::Error
+            end
+            stdout_thread.join
+            stderr_thread.join
+            exit_status = wait_thr.value.exitstatus
+          end
+          if(exit_status != 0)
+            script_error = 'Script at specified location: ' + script.location + ' failed with exit code ' + exit_status.to_s
+            if(!script.runas.nil?)
+              script_error = 'Script at specified location: ' + script.location + ' run as user ' + script.runas + ' failed with exit code ' + exit_status.to_s
+            end
+            raise ScriptError.new(ScriptError::SCRIPT_FAILED_CODE, script.location, @script_log), script_error
+          end
+        end
+
+        private
+        def create_script_log_file_if_needed
+          script_log_file_location = File.join(@deployment_root_dir, 'logs/scripts.log')
+          if(!File.exists?(script_log_file_location))
+            unless File.directory?(File.dirname(script_log_file_location))
+              FileUtils.mkdir_p(File.dirname(script_log_file_location))
+            end
+            script_log_file = File.open(script_log_file_location, 'w')
+          else
+            script_log_file = File.open(script_log_file_location, 'a')
+          end
+          yield(script_log_file)
+        ensure
+          script_log_file.close unless script_log_file.nil?
+        end
+
+        private
+        def script_absolute_path(script)
+          File.join(@deployment_archive_dir, script.location)
+        end
+
+        private
+        def parse_app_spec
+          app_spec_location = File.join(@deployment_archive_dir, @app_spec_path)
+          log(:debug, "Checking for app spec in #{app_spec_location}")
+          @app_spec =  ApplicationSpecification::ApplicationSpecification.parse(File.read(app_spec_location))
+        end
+
+        private
+        def select_correct_deployment_root_dir(current_deployment_root_dir, last_successful_deployment_root_dir)
+          @deployment_root_dir = current_deployment_root_dir
+          hook_deployment_mapping = mapping_between_hooks_and_deployments
+          if(hook_deployment_mapping[@lifecycle_event] == LAST_SUCCESSFUL_DEPLOYMENT && !File.exist?(File.join(@deployment_root_dir, 'deployment-archive')))
+            @deployment_root_dir = last_successful_deployment_root_dir
+          end
+        end
+
+        private
+        def mapping_between_hooks_and_deployments
+          {"BeforeELBRemove"=>LAST_SUCCESSFUL_DEPLOYMENT,
+            "AfterELBRemove"=>LAST_SUCCESSFUL_DEPLOYMENT,
+            "ApplicationStop"=>LAST_SUCCESSFUL_DEPLOYMENT,
+            "BeforeInstall"=>CURRENT,
+            "AfterInstall"=>CURRENT,
+            "ApplicationStart"=>CURRENT,
+            "BeforeELBAdd"=>CURRENT,
+            "AfterELBAdd"=>CURRENT,
+            "ValidateService"=>CURRENT}
+        end
+
+        private
+        def description
+          self.class.to_s
+        end
+
+        private
+        def log(severity, message)
+          raise ArgumentError, "Unknown severity #{severity.inspect}" unless InstanceAgent::Log::SEVERITIES.include?(severity.to_s)
+          InstanceAgent::Log.send(severity.to_sym, "#{description}: #{message}")
+        end
+
+        private
+        def log_script(message, script_log_file)
+          @hook_logging_mutex.synchronize do
+            @script_log.append_to_log(message)
+            script_log_file.write(Time.now.to_s[0..-7] + ' ' + message)
+            script_log_file.flush
+          end
+        end
+      end
+    end
+  end
+end