bosh-core 1.5.0.pre.1113

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/bosh-core.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+version = File.read(File.expand_path('../../BOSH_VERSION', __FILE__)).strip
+
+Gem::Specification.new do |spec|
+  spec.name          = 'bosh-core'
+  spec.version       = version
+  spec.authors       = 'Pivotal'
+  spec.email         = 'support@cloudfoundry.com'
+  spec.description   = 'Bosh::Core provides things BOSH needs to exist'
+  spec.summary       = 'Bosh::Core provides things BOSH needs to exist'
+  spec.homepage      = 'https://github.com/cloudfoundry/bosh'
+  spec.license       = 'Apache 2.0'
+
+  spec.required_ruby_version = Gem::Requirement.new('>= 1.9.3')
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = %w[lib]
+
+  spec.add_dependency 'gibberish', '~>1.2.0'
+  spec.add_dependency 'yajl-ruby', '~>1.1.0'
+
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rspec-fire'
+end

data/lib/bosh/core/encryption_handler.rb

@@ -0,0 +1,149 @@
+# Copyright (c) 2009-2012 VMware, Inc.
+
+require 'securerandom'
+require 'gibberish'
+require 'securerandom'
+require 'yajl'
+
+module Bosh::Core
+  # Utility class for decrypting/encrypting Director/Agent message exchanges
+  class EncryptionHandler
+    class CryptError < StandardError
+    end
+
+    class SessionError < CryptError
+    end
+
+    class SequenceNumberError < CryptError
+    end
+
+    class SignatureError < CryptError
+    end
+
+    class DecryptionError < CryptError
+    end
+
+    attr_reader :session_id
+
+    def initialize(id, credentials)
+      @id = id
+      crypt_key = credentials['crypt_key']
+      @cipher = Gibberish::AES.new(crypt_key)
+      @sign_key = credentials['sign_key']
+      @session_id = nil
+      @session_sequence_number = 0
+
+      initiate_sequence_number
+    end
+
+    def initiate_sequence_number
+      @sequence_number = Time.now.to_i + SecureRandom.random_number(1 << 32)
+    end
+
+    def encrypt(data)
+      raise ArgumentError unless data.is_a?(Hash)
+
+      start_session unless @session_id
+
+      encapsulated_data = data.dup
+      # Add encrytpion related metadata before signing and encrypting
+      @sequence_number += 1
+      encapsulated_data['sequence_number'] = @sequence_number
+      encapsulated_data['client_id'] = @id
+      encapsulated_data['session_id'] = @session_id
+
+      signed_data = sign(encapsulated_data)
+      encrypted_data = @cipher.encrypt(encode(signed_data))
+      encrypted_data
+    end
+
+    def sign(encapsulated_data)
+      data_json = encode(encapsulated_data)
+      hmac = signature(data_json)
+      signed_data = { 'hmac' => hmac, 'json_data' => data_json }
+      signed_data
+    end
+
+    def decrypt(encrypted_data)
+      begin
+        decrypted_data = @cipher.decrypt(encrypted_data)
+      # rubocop:disable RescueException
+      rescue Exception => e
+      # rubocop:enable RescueException
+
+        raise DecryptionError, e.inspect
+      end
+
+      data = Yajl::Parser.new.parse(decrypted_data)
+
+      verify_signature(data)
+      decoded_data = decode(data['json_data'])
+      verify_session(decoded_data)
+      decoded_data
+    end
+
+    def start_session
+      @session_id = SecureRandom.uuid
+    end
+
+    def verify_signature(data)
+      hmac = data['hmac']
+      json_data = data['json_data']
+
+      json_hmac = signature(json_data)
+      unless constant_time_comparison(hmac, json_hmac)
+        raise SignatureError, "Expected hmac (#{hmac}), got (#{json_hmac})"
+      end
+    end
+
+    # constant time comparison snagged from activesupport
+    def constant_time_comparison(a, b)
+      return false unless a.bytesize == b.bytesize
+      l = a.unpack "C#{a.bytesize}"
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+
+    def verify_session(decrypted_data)
+      # If you are the receiver of a session - use session_id from payload
+      if @session_id.nil?
+        if !decrypted_data['session_id'].nil?
+          @session_id = decrypted_data['session_id']
+        else
+          raise SessionError, 'no session_id'
+        end
+      end
+
+      unless decrypted_data['session_id'] == @session_id
+        raise SessionError, 'session_id mismatch'
+      end
+
+      sender_sequence_number = decrypted_data['sequence_number'].to_i
+      if sender_sequence_number > @session_sequence_number
+        @session_sequence_number = sender_sequence_number
+      else
+        raise SequenceNumberError, 'invalid sequence number'
+      end
+    end
+
+    def signature(sign_data)
+      Gibberish.HMAC(@sign_key, sign_data, { digest: :sha256 })
+    end
+
+    def encode(data)
+      Yajl::Encoder.encode(data)
+    end
+
+    def decode(json)
+      Yajl::Parser.new.parse(json)
+    end
+
+    def self.generate_credentials
+      %w(crypt_key sign_key).inject({}) do |credentials, key|
+        credentials[key] = SecureRandom.base64(48)
+        credentials
+      end
+    end
+  end
+end

data/lib/bosh/core/shell.rb

@@ -0,0 +1,54 @@
+module Bosh::Core
+  class Shell
+    def initialize(stdout = $stdout)
+      @stdout = stdout
+    end
+
+    def run(command, options = {})
+      output_lines = run_command(command, options)
+      output_lines = tail(output_lines, options)
+
+      command_output = output_lines.join("\n")
+      report(command, command_output, options)
+      command_output
+    end
+
+    private
+
+    attr_reader :stdout
+
+    def run_command(command, options)
+      stdout.puts command if options[:output_command]
+      lines = []
+
+      IO.popen(command).each do |line|
+        stdout.puts line.chomp
+        lines << line.chomp
+      end.close
+
+      lines
+    end
+
+    def tail(lines, options)
+      line_number = options[:last_number]
+      line_number ? lines.last(line_number) : lines
+    end
+
+    def report(cmd, command_output, options)
+      return if command_exited_successfully?
+
+      err_msg = "Failed: '#{cmd}' from #{pwd}, with exit status #{$?.to_i}\n\n #{command_output}"
+      options[:ignore_failures] ? stdout.puts("#{err_msg}, continuing anyway") : raise(err_msg)
+    end
+
+    def command_exited_successfully?
+      $?.success?
+    end
+
+    def pwd
+      Dir.pwd
+    rescue Errno::ENOENT
+      'a deleted directory'
+    end
+  end
+end

data/lib/bosh/core/version.rb

@@ -0,0 +1,5 @@
+module Bosh
+  module Core
+    VERSION = '1.5.0.pre.1113'
+  end
+end

data/lib/bosh/core.rb

@@ -0,0 +1,4 @@
+module Bosh
+  module Core
+  end
+end

data/spec/bosh/core/shell_spec.rb

@@ -0,0 +1,66 @@
+require 'spec_helper'
+require 'bosh/core/shell'
+
+module Bosh::Core
+  describe Shell do
+    let(:stdout) { StringIO.new }
+
+    subject do
+      Shell.new(stdout)
+    end
+
+    describe '#run' do
+      it 'shells out, prints and returns the output of the command' do
+        expect(subject.run('echo hello; echo world')).to eq("hello\nworld")
+        expect(stdout.string).to eq("hello\nworld\n")
+      end
+
+      context 'when "output_command" is specified' do
+        it 'outputs the command' do
+          cmd = 'echo 1;echo 2;echo 3;echo 4;echo 5'
+          subject.run(cmd, output_command: true)
+
+          expect(stdout.string).to include('echo 1;echo 2;echo 3;echo 4;echo 5')
+        end
+      end
+
+      context 'when "last_number" is specified' do
+        it 'tails "last_number" lines of output' do
+          cmd = 'echo 1;echo 2;echo 3;echo 4;echo 5'
+          expect(subject.run(cmd, last_number: 3)).to eq("3\n4\n5")
+          expect(stdout.string).to eq("1\n2\n3\n4\n5\n")
+        end
+
+        it 'outputs the entire output if more lines are requested than generated' do
+          cmd = 'echo 1;echo 2;echo 3;echo 4;echo 5'
+          expect(subject.run(cmd, last_number: 6)).to eq("1\n2\n3\n4\n5")
+          expect(stdout.string).to eq("1\n2\n3\n4\n5\n")
+        end
+      end
+
+      context 'when the command fails' do
+        it 'raises an error' do
+          expect {
+            subject.run('false')
+          }.to raise_error /Failed: 'false' from /
+        end
+
+        context 'because the working directory has gone missing' do
+          it 'fails gracefully with a slightly helpful error message' do
+            Dir.stub(:pwd).and_raise(Errno::ENOENT, 'No such file or directory - getcwd')
+            expect {
+              subject.run('false')
+            }.to raise_error /from a deleted directory/
+          end
+        end
+
+        context 'and ignoring failures' do
+          it 'raises an error' do
+            subject.run('false', ignore_failures: true)
+            expect(stdout.string).to match(/continuing anyway/)
+          end
+        end
+      end
+    end
+  end
+end

data/spec/bosh/core/version_spec.rb

@@ -0,0 +1,12 @@
+require 'spec_helper'
+require 'bosh/core/version'
+
+module Bosh::Core
+  describe VERSION do
+    let(:bosh_version_file) do
+      File.expand_path('../../../../BOSH_VERSION', File.dirname(__FILE__))
+    end
+
+    it { should eq(File.read(bosh_version_file).strip) }
+  end
+end

data/spec/bosh/core_spec.rb

@@ -0,0 +1,6 @@
+require 'spec_helper'
+require 'bosh/core'
+
+describe Bosh::Core do
+  it { should be_a(Module) }
+end

data/spec/bosh/encryption_handler_spec.rb

@@ -0,0 +1,135 @@
+require 'spec_helper'
+require 'bosh/core/encryption_handler'
+
+module Bosh::Core
+  describe EncryptionHandler do
+    before(:each) do
+      @credentials = EncryptionHandler.generate_credentials
+      @cipher = Gibberish::AES.new(@credentials['crypt_key'])
+      @sign_key = @credentials['sign_key']
+    end
+
+    it 'should encrypt data' do
+      handler = EncryptionHandler.new('client_id', @credentials)
+      encrypted_data = handler.encrypt('hubba' => 'bubba')
+
+      # double decode is not an error - data need to be serialized before it is
+      # signed and then serialized again to be encrypted
+      decrypted_data = handler.decode(handler.decode(@cipher.decrypt(encrypted_data))['json_data'])
+      decrypted_data['hubba'].should eq 'bubba'
+    end
+
+    it 'should be signed' do
+      handler = EncryptionHandler.new('client_id', @credentials)
+      encrypted_data = handler.encrypt('hubba' => 'bubba')
+
+      decrypted_data = handler.decode(@cipher.decrypt(encrypted_data))
+      signature = decrypted_data['hmac']
+      json_data = decrypted_data['json_data']
+
+      signature.should eq Gibberish.HMAC(@sign_key, json_data, { digest: :sha256 })
+    end
+
+    it 'should decrypt' do
+      handler = EncryptionHandler.new('client_id', @credentials)
+
+      encrypted_data = handler.encrypt('hubba' => 'bubba')
+      handler.decrypt(encrypted_data)['hubba'].should eq 'bubba'
+    end
+
+    it 'should verify signature' do
+      handler = EncryptionHandler.new('client_id', @credentials)
+
+      encrypted_data = handler.encrypt('hubba' => 'bubba')
+
+      # build bad data
+      manipulated_data = handler.decode(@cipher.decrypt(encrypted_data))
+      manipulated_data['hmac'] = 'foo'
+      encrypted_manipulated_data = @cipher.encrypt(handler.encode(manipulated_data))
+
+      lambda {
+        handler.decrypt(encrypted_manipulated_data)
+      }.should raise_error(EncryptionHandler::SignatureError,
+                           /Expected hmac \(foo\)/)
+    end
+
+    it 'should verify session' do
+      handler = EncryptionHandler.new('client_id', @credentials)
+
+      encrypted_data = handler.encrypt('knife' => 'fork')
+
+      # build bad data
+      decrypted_data = handler.decode(@cipher.decrypt(encrypted_data))
+
+      bad_data = handler.decode(decrypted_data['json_data'])
+      bad_data['session_id'] = 'bad_session_data'
+
+      bad_json_data = handler.encode(bad_data)
+
+      manipulated_data = {
+        'hmac' => handler.signature(bad_json_data),
+        'json_data' => bad_json_data
+      }
+
+      encrypted_manipulated_data = @cipher.encrypt(handler.encode(manipulated_data))
+
+      lambda {
+        handler.decrypt(encrypted_manipulated_data)
+      }.should raise_error(EncryptionHandler::SessionError)
+    end
+
+    it 'should decrypt for multiple messages' do
+      h1 = EncryptionHandler.new('client_id', @credentials)
+      h2 = EncryptionHandler.new('client_id', @credentials)
+      encrypted_data1 = h1.encrypt('hubba' => 'bubba')
+      encrypted_data2 = h1.encrypt('bubba' => 'hubba')
+
+      h2.decrypt(encrypted_data1)['hubba'].should eq 'bubba'
+      h2.decrypt(encrypted_data2)['bubba'].should eq 'hubba'
+    end
+
+    it 'should exchange messages' do
+      h1 = EncryptionHandler.new('client_id', @credentials)
+      h2 = EncryptionHandler.new('client_id', @credentials)
+
+      encrypted_data1 = h1.encrypt('hubba' => 'bubba')
+      h2.decrypt(encrypted_data1)['hubba'].should eq 'bubba'
+
+      encrypted_data2 = h2.encrypt('kermit' => 'frog')
+      h1.decrypt(encrypted_data2)['kermit'].should eq 'frog'
+
+      encrypted_data3 = h1.encrypt('frank' => 'zappa')
+      h2.decrypt(encrypted_data3)['frank'].should eq 'zappa'
+    end
+
+    it 'should fail when sequence number is out of order' do
+      handler = EncryptionHandler.new('client_id', @credentials)
+      encrypted_data1 = handler.encrypt('foo' => 'bar')
+      encrypted_data2 = handler.encrypt('baz' => 'bus')
+
+      handler.decrypt(encrypted_data2)
+
+      lambda {
+        handler.decrypt(encrypted_data1)
+      }.should raise_error(EncryptionHandler::SequenceNumberError)
+    end
+
+    it 'should handle garbage encrypt args' do
+      handler = EncryptionHandler.new('client_id', @credentials)
+      lambda {
+        handler.encrypt('bleh')
+      }.should raise_error(ArgumentError)
+    end
+
+    it 'should handle garbage decrypt args' do
+      handler = EncryptionHandler.new('client_id', @credentials)
+      lambda {
+        handler.decrypt('f')
+      }.should raise_error(EncryptionHandler::DecryptionError, /TypeError/)
+
+      lambda {
+        handler.decrypt('fddddddddddddddddddddddddddddddddddddddddddddddddd')
+      }.should raise_error(EncryptionHandler::DecryptionError, /CipherError/)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,5 @@
+require 'rspec'
+
+Dir.glob(File.expand_path('support/**/*.rb', File.dirname(__FILE__))).each do |support|
+  require support
+end

metadata

@@ -0,0 +1,142 @@
+--- !ruby/object:Gem::Specification
+name: bosh-core
+version: !ruby/object:Gem::Version
+  version: 1.5.0.pre.1113
+  prerelease: 6
+platform: ruby
+authors:
+- Pivotal
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-10-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: gibberish
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+- !ruby/object:Gem::Dependency
+  name: yajl-ruby
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-fire
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Bosh::Core provides things BOSH needs to exist
+email: support@cloudfoundry.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- bosh-core.gemspec
+- lib/bosh/core.rb
+- lib/bosh/core/encryption_handler.rb
+- lib/bosh/core/shell.rb
+- lib/bosh/core/version.rb
+- spec/bosh/core/shell_spec.rb
+- spec/bosh/core/version_spec.rb
+- spec/bosh/core_spec.rb
+- spec/bosh/encryption_handler_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/cloudfoundry/bosh
+licenses:
+- Apache 2.0
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: 1.9.3
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>'
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: Bosh::Core provides things BOSH needs to exist
+test_files:
+- spec/bosh/core/shell_spec.rb
+- spec/bosh/core/version_spec.rb
+- spec/bosh/core_spec.rb
+- spec/bosh/encryption_handler_spec.rb
+- spec/spec_helper.rb