chook 1.0.1.b2 → 1.1.5

data/lib/chook/event_handling.rb

@@ -37,4 +37,5 @@ Chook::HandledSubject.generate_classes
 # events
 require 'chook/event'
 require 'chook/event/handled_event'
+require 'chook/event/handled_event_logger'
 Chook::HandledEvent.generate_classes

data/lib/chook/foundation.rb

@@ -27,6 +27,9 @@
 require 'json'
 require 'open-uri'
 require 'pathname'
+require 'logger'
+require 'English'
+require 'securerandom'
 
 require 'chook/version'
 require 'chook/procs' # must load before configuration

data/lib/chook/procs.rb

@@ -30,12 +30,28 @@ module Chook
   module Procs
 
     TRUE_RE = /^\s*(true|yes)\s*$/i
+
     JSS_EPOCH_TO_TIME = proc { |val| Time.strptime val.to_s[0..-4], '%s' }
+
     STRING_TO_BOOLEAN = proc { |val| val =~ TRUE_RE ? true : false }
+
     STRING_TO_PATHNAME = proc { |val| Pathname.new val }
+
+    STRING_TO_LOG_LEVEL = proc do |level|
+      if (0..5).cover? level
+        level
+      else
+        lvl = Chook::Server::Log::LOG_LEVELS[level.to_sym]
+        lvl ? lvl : Logger::UNKNOWN
+      end # if..else
+    end
+
     MOBILE_USERID = proc { |_device| '-1' }
+
     PRODUCT = proc { |_device| nil }
-    ALWAYS_TRUE = proc { |_boolean| True }
+
+    ALWAYS_TRUE = proc { |_boolean| true }
+
     COMPUTER_USERID = proc do |comp|
       id = '-1' unless comp.groups_accounts[:local_accounts].find { |acct| acct[:name] == comp.username }
       id.is_a?(Hash) ? id[:uid] : '-1'

data/lib/chook/server.rb

@@ -22,9 +22,15 @@
 ###    language governing permissions and limitations under the Apache License.
 ###
 ###
-require 'chook/event_handling'
+
 require 'sinatra/base'
+require 'sinatra/custom_logger'
+require 'haml'
 require 'openssl'
+require 'chook/event_handling'
+require 'chook/server/log'
+require 'chook/server/auth'
+require 'chook/server/routes'
 
 module Chook
 
@@ -32,90 +38,85 @@ module Chook
   # the engine of your choice.
   class Server < Sinatra::Base
 
-    DEFAULT_SERVER_ENGINE = :webrick
-    DEFAULT_PORT = 8000
+    DEFAULT_PORT = 80
+    DEFAULT_SSL_PORT = 443
+    DEFAULT_CONCURRENCY = true
+    DEFAULT_SESSION_EXPIRE = 24 * 60 * 60 # one day
 
-    @server_engine = Chook::CONFIG.server_engine || DEFAULT_SERVER_ENGINE
-    require @server_engine.to_s
-    @server_port = Chook::CONFIG.server_port || DEFAULT_PORT
+    # set defaults in config
+    Chook.config.port ||= Chook.config.use_ssl ? DEFAULT_SSL_PORT : DEFAULT_PORT
+    Chook.config.admin_session_expires ||= DEFAULT_SESSION_EXPIRE
 
-    def self.run!
-      # trap HUPs to reload handlers
-      Signal.trap('HUP') do
-        Chook::HandledEvent::Handlers.load_handlers reload: true
-      end
-      Chook::HandledEvent::Handlers.load_handlers
-      chook_configure
-      case @server_engine.to_sym
-      when :webrick
+    # can't use ||= here cuz nil and false have different meanings
+    Chook.config.concurrency = DEFAULT_CONCURRENCY if Chook.config.concurrency.nil?
+
+    # Run the server
+    ###################################
+    def self.run!(log_level: nil)
+      prep_to_run
+
+      if Chook.config.use_ssl
+        super do |server|
+          server.ssl = true
+          server.ssl_options = {
+            cert_chain_file: Chook.config.ssl_cert_path.to_s,
+            private_key_file: Chook.config.ssl_private_key_path.to_s,
+            verify_peer: false
+          }
+        end # super do
+
+      else # no ssl
         super
-      when :thin
-        if Chook::CONFIG.use_ssl
-          super do |server|
-            server.ssl = true
-            server.ssl_options = {
-              cert_chain_file: Chook::CONFIG.ssl_cert_path.to_s,
-              private_key_file: Chook::CONFIG.ssl_private_key_path.to_s,
-              verify_peer: false
-            }
-          end # super do
-        else
-          super
-        end # if use ssl
-      end # case
+      end # if use ssl
     end # self.run
 
-    # Sinatra Settings
-    def self.chook_configure
+    def self.prep_to_run
+      @start_time = Time.now
+      log_level ||= Chook.config.log_level
+      @log_level = Chook::Procs::STRING_TO_LOG_LEVEL.call log_level
+
       configure do
-        set :environment, :production
-        enable :logging, :lock
+        set :logger, Log.startup(@log_level)
+        set :server, :thin
         set :bind, '0.0.0.0'
-        set :server, @server_engine
-        set :port, @server_port
-
-        if Chook::CONFIG.use_ssl
-          case @server_engine.to_sym
-          when :webrick
-            require 'webrick/https'
-            key = Chook::CONFIG.ssl_private_key_path.read
-            cert = Chook::CONFIG.ssl_cert_path.read
-            cert_name = Chook::CONFIG.ssl_cert_name
-            set :SSLEnable, true
-            set :SSLVerifyClient, OpenSSL::SSL::VERIFY_NONE
-            set :SSLPrivateKey, OpenSSL::PKey::RSA.new(key, ssl_key_password)
-            set :SSLCertificate, OpenSSL::X509::Certificate.new(cert)
-            set :SSLCertName, [['CN', cert_name]]
-          when :thin
-            true
-          end # case
-        end # if ssl
+        set :port, Chook.config.port
+        set :show_exceptions, :after_handler if development?
+        set :root, "#{File.dirname __FILE__}/server"
+        enable :static
+        enable :sessions
+        set :sessions, expire_after: Chook.config.admin_session_expires if Chook.config.admin_user
+        if Chook.config.concurrency
+          set :threaded, true
+        else
+          enable :lock
+        end
       end # configure
-    end # chook_configure
 
-    def self.ssl_key_password
-      path = Chook::CONFIG.ssl_private_key_pw_path
-      raise 'No config setting for "ssl_private_key_pw_path"' unless path
-      file = Pathname.new path
+      Chook::HandledEvent::Handlers.load_handlers
+    end # prep to run
 
-      # if the path ends with a pipe, its a command that will
-      # return the desired password, so remove the pipe,
-      # execute it, and return stdout from it.
-      if path.end_with? '|'
-        raise 'ssl_private_key_pw_path: #{path} is not an executable file.' unless file.executable?
-        return `#{path.chomp '|'}`.chomp
-      end
+    def self.starttime
+      @start_time
+    end
 
-      raise 'ssl_private_key_pw_path: #{path} is not a readable file.' unless file.readable?
-      stat = file.stat
-      raise "Password file for '#{pw}' has insecure permissions, must be 0600." unless ('%o' % stat.mode).end_with? '0600'
+    def self.uptime
+      @start_time ? "#{humanize_secs(Time.now - @start_time)} ago" : 'Not Running'
+    end
 
-      # chomping an empty string removes all trailing \n's and \r\n's
-      file.read.chomp('')
-    end # ssl_key_password
+    # Very handy!
+    # lifted from
+    # http://stackoverflow.com/questions/4136248/how-to-generate-a-human-readable-time-range-using-ruby-on-rails
+    #
+    def self.humanize_secs(secs)
+      [[60, :second], [60, :minute], [24, :hour], [7, :day], [52.179, :week], [1_000_000, :year]].map do |count, name|
+        next unless secs.positive?
+
+        secs, n = secs.divmod(count)
+        n = n.to_i
+        "#{n} #{n == 1 ? name : (name.to_s + 's')}"
+      end.compact.reverse.join(' ')
+    end
 
   end # class server
 
 end # module
-
-require 'chook/server/routes'

data/lib/chook/server/auth.rb

@@ -0,0 +1,164 @@
+### Copyright 2017 Pixar
+
+###
+###    Licensed under the Apache License, Version 2.0 (the "Apache License")
+###    with the following modification; you may not use this file except in
+###    compliance with the Apache License and the following modification to it:
+###    Section 6. Trademarks. is deleted and replaced with:
+###
+###    6. Trademarks. This License does not grant permission to use the trade
+###       names, trademarks, service marks, or product names of the Licensor
+###       and its affiliates, except as required to comply with Section 4(c) of
+###       the License and to reproduce the content of the NOTICE file.
+###
+###    You may obtain a copy of the Apache License at
+###
+###        http://www.apache.org/licenses/LICENSE-2.0
+###
+###    Unless required by applicable law or agreed to in writing, software
+###    distributed under the Apache License with the above modification is
+###    distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+###    KIND, either express or implied. See the Apache License for the specific
+###    language governing permissions and limitations under the Apache License.
+###
+###
+
+module Chook
+
+  # the server
+  class Server < Sinatra::Base
+
+    # helper module for authentication
+    module Auth
+
+      USE_JAMF_ADMIN_USER = 'use_jamf'.freeze
+
+      def protect_via_basic_auth!
+        # don't protect if user isn't defined
+        return unless Chook.config.webhooks_user
+        return if webhook_user_authorized?
+        headers['WWW-Authenticate'] = 'Basic realm="Restricted Area"'
+        halt 401, "Not authorized\n"
+      end
+
+      def webhook_user_authorized?
+        @auth ||= Rack::Auth::Basic::Request.new(request.env)
+
+        # gotta have basic auth presented to us
+        unless @auth.provided? && @auth.basic? && @auth.credentials
+          Chook.logger.debug "No basic auth provided on protected route: #{request.path_info} from: #{request.ip}"
+          return false
+        end
+
+        authenticate_webhooks_user @auth.credentials
+      end # authorized?
+
+      # webhook user auth always comes from config
+      def authenticate_webhooks_user(creds)
+        if creds.first == Chook.config.webhooks_user && creds.last == Chook::Server.webhooks_user_pw
+          Chook.logger.debug "Got HTTP Basic auth for webhooks user: #{Chook.config.webhooks_user}@#{request.ip}"
+          true
+        else
+          Chook.logger.error "FAILED auth for webhooks user: #{Chook.config.webhooks_user}@#{request.ip}"
+          false
+        end
+      end # authenticate_webhooks_user
+
+      # admin user auth might come from config, might come from Jamf Pro
+      def authenticate_admin(user, pw)
+        return authenticate_jamf_admin(user, pw) if Chook.config.admin_user == USE_JAMF_ADMIN_USER
+        authenticate_admin_user(user, pw)
+      end
+
+      # admin auth from config
+      def authenticate_admin_user(user, pw)
+        if user == Chook.config.admin_user && pw == Chook::Server.admin_user_pw
+          Chook.logger.debug "Got auth for admin user: #{user}@#{request.ip}"
+          session[:authed_admin] = user
+          true
+        else
+          Chook.logger.warn "FAILED auth for admin user: #{user}@#{request.ip}"
+          session[:authed_admin] = nil
+          false
+        end
+      end
+
+      # admin auth from jamf pro
+      def authenticate_jamf_admin(user, pw)
+        require 'ruby-jss'
+        JSS::APIConnection.new(
+          user: user,
+          pw: pw,
+          server: Chook.config.jamf_server,
+          port: Chook.config.jamf_port,
+          use_ssl: Chook.config.jamf_use_ssl,
+          verify_cert: Chook.config.jamf_verify_cert
+        )
+        Chook.logger.debug "Jamf Admin login for: #{user}@#{request.ip}"
+
+        session[:authed_admin] = user
+        true
+      rescue JSS::AuthenticationError
+        Chook.logger.warn "Jamf Admin login FAILED for: #{user}@#{request.ip}"
+        session[:authed_admin] = nil
+        false
+      end # authenticate_jamf_admin
+
+    end # module auth
+
+    helpers Chook::Server::Auth
+
+    # Learn the webhook or admin passwords from config.
+    # so we can authenticate them from the browser and the JSS
+    #
+    # This is at the Server level, since we only need read it
+    # once per server startup, so we store it in a server
+    # instance var.
+    ###################################
+    def self.webhooks_user_pw
+      @webhooks_user_pw ||= pw_from_conf Chook.config.webhooks_user_pw
+    end # self.webhooks_user_pw
+
+    def self.admin_user_pw
+      @admin_user_pw ||= pw_from_conf Chook.config.admin_pw
+    end
+
+    def self.pw_from_conf(setting)
+      return '' unless setting
+
+      # if the path ends with a pipe, its a command that will
+      # return the desired password, so remove the pipe,
+      # execute it, and return stdout from it.
+      return pw_from_command(setting) if setting.end_with? '|'
+
+      # otherwise its a file path, and read the pw from the contents
+      pw_from_file(setting)
+    end # def pw_from_conf(setting)
+
+    def self.pw_from_command(cmd)
+      cmd = cmd.chomp '|'
+      output = `#{cmd} 2>&1`.chomp
+      raise "Can't get password from #{setting}: #{output}" unless $CHILD_STATUS.exitstatus.zero?
+      output
+    end
+
+    def self.pw_from_file(file)
+      file = Pathname.new file
+      return nil unless file.file?
+      stat = file.stat
+      mode = format('%o', stat.mode)
+      raise "Password file #{setting} has insecure mode, must be 0600." unless mode.end_with?('0600')
+      raise "Password file #{setting} has insecure owner, must be owned by UID #{Process.euid}." unless stat.owned?
+      # chomping an empty string removes all trailing \n's and \r\n's
+      file.read.chomp('')
+    end
+
+
+  end # server
+
+end # Chook
+
+require 'chook/server/routes/home'
+require 'chook/server/routes/handle_webhook_event'
+require 'chook/server/routes/handlers'
+require 'chook/server/routes/log'

data/lib/chook/server/log.rb

@@ -0,0 +1,215 @@
+### Copyright 2017 Pixar
+
+###
+###    Licensed under the Apache License, Version 2.0 (the "Apache License")
+###    with the following modification; you may not use this file except in
+###    compliance with the Apache License and the following modification to it:
+###    Section 6. Trademarks. is deleted and replaced with:
+###
+###    6. Trademarks. This License does not grant permission to use the trade
+###       names, trademarks, service marks, or product names of the Licensor
+###       and its affiliates, except as required to comply with Section 4(c) of
+###       the License and to reproduce the content of the NOTICE file.
+###
+###    You may obtain a copy of the Apache License at
+###
+###        http://www.apache.org/licenses/LICENSE-2.0
+###
+###    Unless required by applicable law or agreed to in writing, software
+###    distributed under the Apache License with the above modification is
+###    distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+###    KIND, either express or implied. See the Apache License for the specific
+###    language governing permissions and limitations under the Apache License.
+###
+###
+
+# the main module
+module Chook
+
+  # the server app
+  class Server < Sinatra::Base
+
+    # the CustomLogger helper allows us to
+    # use our own Logger instance as the
+    # Sinatra `logger` available in routes vis `set :logger...`
+    helpers Sinatra::CustomLogger
+
+    # This module defines our custom Logger instance from the config settings
+    # and makes it available in the .logger module method,
+    # which is used anywhere outside of a route
+    # (inside of a route, the #logger method is locally available)
+    #
+    # General access to the logger:
+    #   from anywhere in Chook, as long as a server is running, the Logger
+    #   instance is available at Chook.logger or Chook::Server::Log.logger
+    #
+    #
+    # Logging from inside a route:
+    #   inside a Sinatra route, the local `logger` method returnes the
+    #   Logger instance.
+    #
+    # Logging from an internal handler:
+    #  In an internal WebHook handler, starting with `Chook.event_handler do |event|`
+    #  the logger should be accesses via the event's own wrapper: event.logger
+    #  Each message will be prepended with the event'd ID
+    #
+    # Logging from an external handler:
+    #  from an external handler you can POST a JSON formatted log entry to
+    #  http(s)://chookserver/log. The body must be a JSON object with 2 keys:
+    #  'level' and 'message', with non-empty strings.
+    #  The level must be one of: fatal, error, warn, info, or debug. Any other
+    #  value as the level will always be logged regardless of current logging
+    #  level. NOTE: if your server requires authentication, you must provide it
+    #  when using this route.
+    #
+    # Here's an example with curl, split to multi-line for clarity:
+    #
+    # curl -H "Content-Type: application/json" \
+    #   -X POST \
+    #   --data '{"level":"debug", "message":"It Worked"}' \
+    #   https://user:passwd@chookserver.myorg.org:443/log
+    #
+    module Log
+
+      # Using an instance of this as the Logger target sends logfile writes
+      # to all registered streams as well as the file
+      class LogFileWithStream < File
+
+        # ServerSent Events data lines always start with this
+        LOGSTREAM_DATA_PFX = 'data:'.freeze
+
+        def write(str)
+          super # writes out to the file
+          flush
+          # send to any active streams
+          Chook::Server::Log.log_streams.keys.each do |active_stream|
+            # ignore streams closed at the client end,
+            # they get removed when a new stream starts
+            # see the route: get '/subscribe_to_log_stream'
+            next if active_stream.closed?
+
+            # send new data to the stream
+            active_stream << "#{LOGSTREAM_DATA_PFX}#{str}\n\n"
+          end
+        end
+      end # class
+
+      # mapping of integer levels to symbols
+      LOG_LEVELS = {
+        fatal: Logger::FATAL,
+        error: Logger::ERROR,
+        warn: Logger::WARN,
+        info: Logger::INFO,
+        debug: Logger::DEBUG
+      }.freeze
+
+      # log Streaming
+      # ServerSent Events data lines always start with this
+      LOGSTREAM_DATA_PFX = 'data:'.freeze
+
+      # Send this to the clients at least every LOGSTREAM_KEEPALIVE_MAX secs
+      # even if there's no data for the stream
+      LOGSTREAM_KEEPALIVE_MSG = "#{LOGSTREAM_DATA_PFX} I'm Here!\n\n".freeze
+      LOGSTREAM_KEEPALIVE_MAX = 10
+
+      # the clients will recognize M3_LOG_STREAM_CLOSED and stop trying
+      # to connect via ssh.
+      LOGSTREAM_CLOSED_PFX = "#{LOGSTREAM_DATA_PFX} M3_LOG_STREAM_CLOSED:".freeze
+
+      DEFAULT_FILE = Pathname.new '/var/log/chook-server.log'
+      DEFAULT_MAX_MEGS = 10
+      DEFAULT_TO_KEEP = 10
+      DEFAULT_LEVEL = Logger::INFO
+
+      # set defaults in config
+      Chook.config.log_file ||= DEFAULT_FILE
+      Chook.config.logs_to_keep ||= DEFAULT_TO_KEEP
+      Chook.config.log_max_megs ||= DEFAULT_MAX_MEGS
+      Chook.config.log_level ||= DEFAULT_LEVEL
+
+      # Create the logger,
+      # make the first log entry for this run,
+      # and return it so it can be used by the server
+      # when it does `set :logger, Log.startup(@log_level)`
+      def self.startup(level = Chook.config.log_level)
+        # create the logger using a LogFileWithStream instance
+        @logger =
+          if Chook.config.logs_to_keep && Chook.config.logs_to_keep > 0
+            Logger.new(
+              LogFileWithStream.new(Chook.config.log_file, 'a'),
+              Chook.config.logs_to_keep,
+              (Chook.config.log_max_megs * 1024 * 1024)
+            )
+          else
+            Logger.new(LogFileWithStream.new(Chook.config.log_file, 'a'))
+          end
+
+        # date and line format
+        @logger.datetime_format = '%Y-%m-%d %H:%M:%S'
+
+        @logger.formatter = proc do |severity, datetime, _progname, msg|
+          "#{datetime}: [#{severity}] #{msg}\n"
+        end
+
+        # level
+        level &&= Chook::Procs::STRING_TO_LOG_LEVEL.call level
+        level ||= Chook.config.log_level
+        level ||= DEFAULT_LEVEL
+        @logger.level = level
+
+        # first startup entry
+        @logger.unknown "Chook Server v#{Chook::VERSION} starting up. PID: #{$PROCESS_ID}, Port: #{Chook.config.port}, SSL: #{Chook.config.use_ssl}"
+
+        # if debug, log our config
+        if level == Logger::DEBUG
+          @logger.debug 'Config: '
+          Chook::Configuration::CONF_KEYS.keys.each do |key|
+            @logger.debug "  Chook.config.#{key} = #{Chook.config.send key}"
+          end
+        end
+
+        # return the logger, the server uses it as a helper
+        @logger
+      end # log
+
+      # general access to the logger as Chook::Server::Log.logger
+      def self.logger
+        @logger ||= startup
+      end
+
+      # a Hash  of registered log streams
+      # streams are keys, valus are their IP addrs
+      # see the `get '/subscribe_to_log_stream'` route
+      #
+      def self.log_streams
+        @log_streams ||= {}
+      end
+
+      def self.clean_log_streams
+        log_streams.delete_if do |stream, ip|
+          if stream.closed?
+            logger.debug "Removing closed log stream for #{ip}"
+            true
+          else
+            false
+          end # if
+        end # delete if
+      end # clean_log_streams
+
+    end # module
+
+  end # server
+
+  # access from everywhere as Chook.logger
+  def self.logger
+    Server::Log.logger
+  end
+
+  # log an exception - multiple log lines
+  # the first being the error message the rest being indented backtrace
+  def self.log_exception(exception)
+    logger.error exception.to_s
+    exception.backtrace.each { |l| logger.error "..#{l}" }
+  end
+
+end # Chook