capistrano_recia 0.0.2

data/README.rdoc

@@ -0,0 +1,64 @@
+= RECIA Capistrano
+
+This gem is used by the recia to implements specific behavior in capistrano. It furnish the following services :
+
+ - parents : call of hosts' parents to execute action on them
+ - filters : filter hosts to execute by its roles
+ - password manager : help to generate password and secure them.
+
+== Parents
+
+The function is to execute command on the parent host of current hosts. To do this, we need the gem "nagios_mklivestatus".
+
+To call the function from a task, we need to call a specific method :
+
+ run_parent(cmd)
+ 
+This will select only the servers' parents containing the guest (select parents which are servers).
+There are some notable informations.
+
+The method works as the standard run, except that the ENV['HOSTS'] are remplaced by their parents.
+The command is replaced by its Capistrano::Command::Script version and the original hosts are ordered by their parents and given to the script.
+If some variables are encountered, a loop is created to go through all guest of each host (parents). 
+
+Those are for functionality purpose if you need to execute command with guest as variables you should use this :
+
+ $PARENT:GUEST$ : variable that will be replaced by the name of the guest (we'll create a loop in script)
+ $PARENT:LOOP:START$ : variable that will be replaced by the start of the loop (if not defined and $PARENT:GUEST$ exists, its automatically placed at the start of the command)
+ $PARENT:LOOP:END$ : variable that will be replaced by the end of the loop (if not defined and $PARENT:GUEST$ exists, its automatically placed at the end of the command)
+
+== Filters
+
+This module is made to filter hosts with the roles in task options. It furnish 2 methods for task to run :
+
+ run_filter_roles(cmd) # the host must match one of the roles (connection SSH)
+ run_telnet_filter_roles(cmd) # the host must match one of the roles (connection Telnet)
+ 
+If hosts does not correspond to the filter, they are removed from the list (with informations display) and the command is executed on the remaining hosts.
+
+== Password manager
+
+This is a class which help to manage password security inside capistrano. It's help to generate password (with save in a crypted file), and check the corruption of this password, plus it can securize all the password through a security automaton
+
+To use the manager:
+
+ require 'capistrano_recia'
+ manager = Capistrano::Password::Manager.new(<file_path>)
+ # generate pass
+ new_pass = manager.generate
+ # generate and save
+ new_pass = manager.generate("key")
+ 
+ # test corruption
+ is_corrupt = manager.is_corrupted? "key"
+ 
+ # corrupt password (giving it to a non authorized person
+ pass = manager.corrupt "key"
+ 
+ # live the password uncorrupted when asking for it
+ pass = manager.live_uncorrupt "key"
+ 
+ # securize all corrupted password
+ # securized_pass is a hash of key => password
+ securized_pass = manager.securize
+ 

data/RELEASE.rdoc

@@ -0,0 +1,9 @@
+= capistrano_recia version 0.0.1
+
+== 0.0.1
+
+* Creation of the initial release of the gem
+
+== 0.0.2
+
+* adding password security manager

data/lib/capistrano_recia.rb

@@ -0,0 +1,9 @@
+require 'capistrano'
+require 'capistrano_telnet'
+require 'capistrano_supports'
+require 'nagios_mklivestatus'
+
+load File.join(File.dirname(__FILE__), File.basename(__FILE__, ".rb"), "parents.rb")
+load File.join(File.dirname(__FILE__), File.basename(__FILE__, ".rb"), "filter.rb")
+load File.join(File.dirname(__FILE__), File.basename(__FILE__, ".rb"), "password.rb")
+

data/lib/capistrano_recia/filter.rb

@@ -0,0 +1,91 @@
+##
+# override the actions invocation class of capistrano
+# to add the run_parent method and give access to it inside task definition
+##
+Capistrano::Configuration::Actions::Invocation.class_eval do
+  
+  ##
+  # Check if host contains task
+  ##
+  def host_as_task_role(current_host)
+    # Active From debug Only !
+    # puts "DEBUG :: #{current_host}"
+
+    roles_ok_from_host = nil
+
+    current_task.options[:roles].each do |task_role|
+      
+        # Active From debug Only !
+        # puts "DEBUG :: #{task_role.to_s} ::"
+        roles[:"#{task_role.to_s}"].servers.each do |server|
+            # Active From debug Only !
+            # puts "#{server}"
+            if server.host.to_s == current_host.to_s
+              roles_ok_from_host = 1
+            end
+        end
+    end
+    if roles_ok_from_host != nil && roles_ok_from_host != 0
+        return 1
+    else
+        return 0
+    end
+  end
+  
+  ##
+  # Use the role task option to filter the server with this role
+  ##
+  def run_filter_roles(cmd, options={}, &block)
+    
+    block ||= self.class.default_io_proc
+    
+    hosts_server = find_servers_for_task(current_task)
+    hosts = Array.new
+    
+    ## calcul des rôles de la tâche
+    if current_task.options[:roles].kind_of? Array
+      current_task.options[:roles].each do |task_role|
+        task_roles = "#{task_roles} #{task_role}"
+      end
+    else
+      task_roles = "#{current_task.options[:roles]}"
+      current_task.options[:roles] = [current_task.options[:roles]]
+    end
+    
+    # redistribution des machines par hôte
+    hosts_server.each do |server|
+      if host_as_task_role(server).to_i == 0
+        logger.info "Ce Serveur (#{server}) n'a pas un des role de la tache :#{task_roles}"
+      else
+        hosts.push(server.to_s)
+      end
+    end
+    
+    if hosts != nil and not hosts.empty?
+
+      # save remaining hosts as the callee
+      ENV['HOSTS'] = hosts.join(',')
+    
+      # execute action.
+      tree = Capistrano::Command::Tree.new(self) { |t| t.else(cmd, &block) }
+      run_tree(tree, options)
+    else
+      logger.important "Aucun serveurs ne possede un role : #{task_roles}"
+    end
+  end
+  
+  ##
+  # Use the role task option to filter the server with this role and run a telnet method
+  ##
+  def run_telnet_filter_roles(cmd, options={}, &block)
+    
+    set(:telnet, "true")
+    options[:shell] = false
+    
+    run_filter_roles(cmd, options, &block)
+    
+    unset(:telnet)
+    
+  end
+  
+end

data/lib/capistrano_recia/parents.rb

@@ -0,0 +1,77 @@
+##
+# Include Nagios Query Helper to Capistrano::Configuration
+# in order to access helper from methods.
+##
+Capistrano::Configuration.class_eval do
+  include Nagios::MkLiveStatus::QueryHelper
+end
+
+##
+# override the actions invocation class of capistrano
+# to add the run_parent method and give access to it inside task definition
+##
+Capistrano::Configuration::Actions::Invocation.class_eval do
+  
+  ##
+  # Calculate the parent server of those in parameters and execute the command on them.
+  # We can loop through the child by using:
+  #  - $PARENT:GUEST$ : required if we loop through guests, its replaced by the child name of the host.
+  #  - $PARENT:LOOP:START$ : (opt.) start of the loop if not defined its automatically positionned at the beginning of the command
+  #  - $PARENT:LOOP:END$ : (opt.) end of the loop if not defined its automatically positionned at the end of the command
+  def run_parent(cmd, options={}, &block)
+    
+    block ||= self.class.default_io_proc
+    
+    guest_servers = find_servers_for_task(current_task)
+    hosts = Hash.new
+    
+    # redistribution des machines par hôte
+    guest_servers.each do |server|
+      guest = server.to_s
+      mklive = Nagios::MkLiveStatus::Request.new(fetch(:nagios_path, nil))
+      query = Nagios::MkLiveStatus::Query.new()
+      query.get "hosts"
+      query.addColumn "parents"
+      query.addFilter nagmk_filter("host_name", "=", guest)
+
+      result = mklive.query(query)
+      
+      parent = result.split("\n")[0] if result != nil
+
+      if parent == nil or parent.empty? or parent.match(/^rca/)
+        logger.important "Ce serveur (#{guest}) n'est pas une machine virtuelle : Aucun serveur hote trouve pour la machine"
+      else
+        if not hosts.key?(parent)
+          hosts[parent] = Array.new
+        end
+        hosts[parent].push(guest)
+      end
+
+    end
+
+    # save parent hosts as the callee
+    ENV['HOSTS'] = hosts.keys.join(',')
+    
+    # create a command script.
+    cmd = Capistrano::Command::Script.new("#{cmd.gsub(/\\/, '\\').gsub(/\"/,'\"')}") if cmd.kind_of? String
+    cmd['host'] = hosts
+    
+    ## replace vars if they are encountered
+    loop_start = "<% prop('host', Hash.new)['$CAPISTRANO:HOST$'].each do |guest| %>"
+    loop_end = "<% end %>"
+    loop_guest = "<%= guest %>"
+    
+    if cmd.include? "$PARENT:GUEST$"
+      cmd.contents.insert(0, "$PARENT:LOOP:START$\n") if not cmd.include? "$PARENT:LOOP:START"
+      cmd.contents.insert(-1, "\n$PARENT:LOOP:END$") if not cmd.include? "$PARENT:LOOP:END"
+    end
+      
+    cmd.gsub(/\$PARENT:LOOP:START\$/, loop_start)
+    cmd.gsub(/\$PARENT:LOOP:END\$/, loop_end)
+    cmd.gsub(/\$PARENT:GUEST\$/, loop_guest)
+    
+    # execute action.
+    tree = Capistrano::Command::Tree.new(self) { |t| t.else(cmd, &block) }
+    run_tree(tree, options)
+  end
+end

data/lib/capistrano_recia/password.rb

@@ -0,0 +1,7 @@
+require 'keepass-password-generator'
+
+module Capistrano::Password
+  
+end
+
+load File.join(File.dirname(__FILE__), File.basename(__FILE__, ".rb"), "manager.rb")

data/lib/capistrano_recia/password/manager.rb

@@ -0,0 +1,143 @@
+# encoding: utf-8
+class Capistrano::Password::Manager
+  
+  require 'yaml'
+  require 'encrypted_strings'
+  require 'keepass/password'
+  
+  
+  # constructor must determine the path to the save file.
+  # if we need to change the keepass regexp, the second parameter is used for it (default [S]20)
+  def initialize(file_path, keepass = "[S]{20}")
+    @file_path = file_path
+    @salt = "recia_password"
+    @keepass_regex = keepass
+  end
+  
+  # to use only in a secure context (batch, admins who should know the pass)
+  def live_uncorrupt(save_key)
+    pass = nil
+    # load yaml file
+    yaml = load_file
+    # if yaml file contains informations
+    if yaml and yaml.has_key? save_key
+      # get the password
+      pass = yaml[save_key]["password"]
+    end
+
+    # decrypt the password
+    if pass
+      pass = pass.decrypt(:symmetric, :password => @salt)
+    end
+    
+    # return password
+    return pass
+  end
+  
+  # permet de savoir si le mot de passe est corrompu
+  def is_corrupted?(save_key)
+    # load yaml file
+    yaml = load_file
+    if yaml and yaml.has_key? save_key
+      # check if password is corrupted
+      corrupt = yaml[save_key]["corrupt"]
+      if corrupt.to_s == "true"
+        return true
+      end
+    end
+    
+    return false
+  end
+  
+  # permet de récupérer les mots de passe corrompus
+  def corrupted()
+    list = Array.new
+    
+    yaml = load_file
+    
+    yaml.keys.each do |key|
+      if is_corrupted? key
+        list.push key
+      end
+    end
+    
+    list
+  end
+  
+  # permet de récupérer un mot de passe si sa clé de sauvegarde est enregistré, sinon retourne nil
+  def corrupt(save_key)
+    # get passwd
+    pass = live_uncorrupt save_key
+    
+    # load yaml file
+    yaml = load_file
+    
+    # if yaml file contains informations
+    if yaml and pass
+      # set password to corrupted
+      yaml[save_key]["corrupt"] = true
+
+      # save the information of corruption to the file
+      File.open(@file_path, "w") do |io|
+        io.write(yaml.to_yaml)
+        io.close
+      end
+    end
+
+    # return password
+    return pass
+  end
+  
+  # permet de générer un mot de passe.
+  # le premier paramètre indique si nous devons sauvegarder ou non le mot de passe (nil ou "" aucune sauvegarde)
+  # le deuxième paramètre est celui des options de keepass.
+  def generate(save_key="")
+    
+    # generate a password without lookalikes (l, I, !, ...)
+    pass = KeePass::Password.generate(@keepass_regex, :remove_lookalikes => true)
+    
+    # crypt the password
+    enc_pass = pass.encrypt(:symmetric, :password => @salt)
+    enc_pass.send :remove_instance_variable, :@cipher
+    
+    # if a save key is passed
+    if save_key and not save_key.empty?
+      # load yaml file
+      yaml = load_file
+      yaml[save_key] = Hash.new if not yaml.has_key? save_key
+      # add password to file
+      yaml[save_key]["password"] = enc_pass
+      yaml[save_key]["corrupt"] = false
+      # save file
+      File.open(@file_path, "w") do |io|
+        io.write(yaml.to_yaml)
+        io.close
+      end
+    end
+    
+    return pass, enc_pass
+    
+  end
+  
+  # regenerate all corrupted password. and return all the password which are regenerated by keys
+  def securize()
+    
+    securized = Hash.new
+    
+    # for each corrupted passwd
+    corrupted.each do |key|
+      securized[key] = Hash.new
+      securized[key]['old'] = corrupt(key)
+      securized[key]['new'], crypted = generate(key)
+    end
+    
+    securized
+  end
+  
+  private
+  def load_file()
+    yaml = Hash.new
+    yaml = YAML::load_file(@file_path) if File.exists? @file_path
+    yaml
+  end
+end

metadata

@@ -0,0 +1,120 @@
+--- !ruby/object:Gem::Specification
+name: capistrano_recia
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+  prerelease: 
+platform: ruby
+authors:
+- Esco-lan Team
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-08-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: capistrano
+  requirement: &10927620 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 2.11.2
+  type: :runtime
+  prerelease: false
+  version_requirements: *10927620
+- !ruby/object:Gem::Dependency
+  name: capistrano_telnet
+  requirement: &10927080 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.0.1
+  type: :runtime
+  prerelease: false
+  version_requirements: *10927080
+- !ruby/object:Gem::Dependency
+  name: capistrano_supports
+  requirement: &10926320 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.0.1
+  type: :runtime
+  prerelease: false
+  version_requirements: *10926320
+- !ruby/object:Gem::Dependency
+  name: nagios_mklivestatus
+  requirement: &10925540 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.0.11
+  type: :runtime
+  prerelease: false
+  version_requirements: *10925540
+- !ruby/object:Gem::Dependency
+  name: keepass-password-generator
+  requirement: &10924860 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: *10924860
+- !ruby/object:Gem::Dependency
+  name: encrypted_strings
+  requirement: &10923940 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.3.3
+  type: :runtime
+  prerelease: false
+  version_requirements: *10923940
+description: RECIA Capistrano Support
+email: team@esco-lan.org
+executables: []
+extensions: []
+extra_rdoc_files:
+- README.rdoc
+- RELEASE.rdoc
+files:
+- lib/capistrano_recia/filter.rb
+- lib/capistrano_recia/password.rb
+- lib/capistrano_recia/password/manager.rb
+- lib/capistrano_recia/parents.rb
+- lib/capistrano_recia.rb
+- README.rdoc
+- RELEASE.rdoc
+homepage: https://github.com/RECIA/capistrano_recia
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.8
+signing_key: 
+specification_version: 3
+summary: Provides additionnal methods to capistrano like run_parent, run_filter_role_contained
+  and run_filter_role_uncontained
+test_files: []