chook 1.1.0 → 1.1.1

data/data/chook.conf.example

@@ -80,9 +80,12 @@ logs_to_keep: 10
 log_max_megs: 10
 
 #################
-# Any value here will turn on 'HTTP Basic Authentication' and this will be the username
-# required to make any connection to the Chook server.
-# Leaving this empty will allow any connection without authentication
+# Any value here will turn on 'HTTP Basic Authentication' for webhooks,
+# and this will be the username required for a Jamf Pro server to send
+# webhooks to the Chook server.
+#
+# Leaving this empty will allow receiving of webooks with no authentication
+#
 # Default: none
 #
 webhooks_user:
@@ -102,3 +105,79 @@ webhooks_user:
 # Default: none
 #
 webhooks_user_pw:
+
+#################
+# Any value here will require authentication to view the admin web page.
+#
+# Leaving this empty will allow anyone to see the admin web page.
+#
+# If the value here is 'use_jamf' then anyone can log in with their
+# Jamf Pro credentials, and the admin_pw setting is ignored
+# (see the jamf_* settings below)
+#
+# If the value is anything else, it is the username required to
+# log in to the admin web page.
+#
+# Default: none
+#
+admin_user:
+
+#################
+# When admin page authentication is enabled by setting admin_user, this
+# tells chook how to learn the password for that user:
+#
+# - if the admin_user is 'use_jamf' then this is ignored, see the jamf_* settings below
+#
+# - If its a path to a file, the file contains the password and nothing else.
+#   The file must be owned by the user running the chook server, and must have
+#   mode 0600.
+#
+# - If it ends with a pipe character (|), everything execpt the pipe is considered
+#   to be a shell command, executable by the user running the chook server.
+#   The standard-output of the command will be the password.
+#
+# Default: none
+#
+admin_pw:
+
+#################
+# When admin page authentication is enabled by setting admin_user,
+# this is how many seconds before the browser session expires and the
+# admin must log in again.
+#
+# Default: 86400 (24 hours)
+#
+admin_session_expires: 86400
+
+#################
+# When the admin_user is 'use_jamf', this is the hostname of the
+# Jamf Pro server to use for authentication
+#
+# Default: none, but /etc/ruby-jss.conf will be honored
+#
+jamf_server:
+
+#################
+# When the admin_user is 'use_jamf', this is the port of the
+# Jamf Pro server to use for Authentication
+#
+# Default: none, but /etc/ruby-jss.conf will be honored
+#
+jamf_port:
+
+#################
+# When the admin_user is 'use_jamf', should SSL be used when
+# connection to the jamf_server? true or false
+#
+# Default: none, but /etc/ruby-jss.conf will be honored
+#
+jamf_use_ssl:
+
+#################
+# When the admin_user is 'use_jamf', and jamf_use_ssl is true,
+# should SSL certificates from the jamf server be
+# validated?
+#
+# Default: none, but /etc/ruby-jss.conf will be honored
+#
+jamf_verify_cert:

data/lib/chook/configuration.rb

@@ -54,7 +54,14 @@ module Chook
       log_max_megs:  :to_i,
       logs_to_keep: :to_i,
       webhooks_user: nil,
-      webhooks_user_pw: nil
+      webhooks_user_pw: nil,
+      admin_user: nil,
+      admin_pw: nil,
+      admin_session_expires: :to_i,
+      jamf_server: nil,
+      jamf_port: :to_i,
+      jamf_use_ssl: Chook::Procs::STRING_TO_BOOLEAN,
+      jamf_verify_cert: Chook::Procs::STRING_TO_BOOLEAN
     }.freeze
 
     # Class Variables

data/lib/chook/event/handled_event.rb

@@ -139,12 +139,12 @@ module Chook
     end # def handle
 
     def pipe_to_executable(handler)
-      logger.debug "Sending JSON to stdin of '#{handler}'"
+      logger.debug "EXTERNAL: Sending JSON to stdin of '#{handler.basename}'"
       IO.popen([handler.to_s], 'w') { |h| h.puts @raw_json }
     end
 
     def handle_with_proc(handler)
-      logger.debug "Running Handler defined in #{handler.handler_file}"
+      logger.debug "INTERNAL: Running Handler defined in #{handler.handler_file}"
       handler.handle self
     end
 

data/lib/chook/server.rb

@@ -25,10 +25,11 @@
 
 require 'sinatra/base'
 require 'sinatra/custom_logger'
-# require 'haml'
+require 'haml'
 require 'openssl'
 require 'chook/event_handling'
 require 'chook/server/log'
+require 'chook/server/auth'
 require 'chook/server/routes'
 
 module Chook
@@ -40,9 +41,11 @@ module Chook
     DEFAULT_PORT = 80
     DEFAULT_SSL_PORT = 443
     DEFAULT_CONCURRENCY = true
+    DEFAULT_SESSION_EXPIRE = 24 * 60 * 60 # one day
 
     # set defaults in config
     Chook.config.port ||= Chook.config.use_ssl ? DEFAULT_SSL_PORT : DEFAULT_PORT
+    Chook.config.admin_session_expires ||= DEFAULT_SESSION_EXPIRE
 
     # can't use ||= here cuz nil and false have different meanings
     Chook.config.concurrency = DEFAULT_CONCURRENCY if Chook.config.concurrency.nil?
@@ -50,21 +53,7 @@ module Chook
     # Run the server
     ###################################
     def self.run!(log_level: nil)
-      log_level ||= Chook.config.log_level
-      @log_level = Chook::Procs::STRING_TO_LOG_LEVEL.call log_level
-
-      configure do
-        set :logger, Log.startup(@log_level)
-        set :server, :thin
-        set :bind, '0.0.0.0'
-        set :port, Chook.config.port
-        set :show_exceptions, :after_handler if development?
-        set :root, "#{File.dirname __FILE__}/server"
-        enable :static
-        enable :lock unless Chook.config.concurrency
-      end # configure
-
-      Chook::HandledEvent::Handlers.load_handlers
+      prep_to_run
 
       if Chook.config.use_ssl
         super do |server|
@@ -75,43 +64,31 @@ module Chook
             verify_peer: false
           }
         end # super do
-      else
+
+      else # no ssl
         super
       end # if use ssl
     end # self.run
 
-    # Learn the client password, if we're using basic auth
-    ###################################
-    def self.webhooks_user_pw
-      return @webhooks_user_pw if @webhooks_user_pw
-      return nil unless Chook.config.webhooks_user_pw
-
-      setting = Chook.config.webhooks_user_pw
-
-      @webhooks_user_pw =
-        if setting.end_with? '|'
-          # if the path ends with a pipe, its a command that will
-          # return the desired password, so remove the pipe,
-          # execute it, and return stdout from it.
-          cmd = setting.chomp '|'
-          output = `#{cmd} 2>&1`.chomp
-          raise "Can't get webhooks user password: #{output}" unless $CHILD_STATUS.exitstatus.zero?
-          output
-
-        else
-          # otherwise its a file path, and read the pw from the contents
-          file = Pathname.new setting
-          return nil unless file.file?
-          stat = file.stat
-          mode = format('%o', stat.mode)
-          raise 'Password file for webhooks user has insecure mode, must be 0600.' unless mode.end_with?('0600')
-          raise "Password file for webhooks user has insecure owner, must be owned by UID #{Process.euid}." unless stat.owned?
+    def self.prep_to_run
+      log_level ||= Chook.config.log_level
+      @log_level = Chook::Procs::STRING_TO_LOG_LEVEL.call log_level
 
-          # chomping an empty string removes all trailing \n's and \r\n's
-          file.read.chomp('')
+      configure do
+        set :logger, Log.startup(@log_level)
+        set :server, :thin
+        set :bind, '0.0.0.0'
+        set :port, Chook.config.port
+        set :show_exceptions, :after_handler if development?
+        set :root, "#{File.dirname __FILE__}/server"
+        enable :static
+        enable :sessions
+        set :sessions, expire_after: Chook.config.admin_session_expires if Chook.config.admin_user
+        enable :lock unless Chook.config.concurrency
+      end # configure
 
-        end # if else
-    end # self.webhooks_user_pw
+      Chook::HandledEvent::Handlers.load_handlers
+    end # prep to run
 
   end # class server
 

data/lib/chook/server/auth.rb

@@ -0,0 +1,164 @@
+### Copyright 2017 Pixar
+
+###
+###    Licensed under the Apache License, Version 2.0 (the "Apache License")
+###    with the following modification; you may not use this file except in
+###    compliance with the Apache License and the following modification to it:
+###    Section 6. Trademarks. is deleted and replaced with:
+###
+###    6. Trademarks. This License does not grant permission to use the trade
+###       names, trademarks, service marks, or product names of the Licensor
+###       and its affiliates, except as required to comply with Section 4(c) of
+###       the License and to reproduce the content of the NOTICE file.
+###
+###    You may obtain a copy of the Apache License at
+###
+###        http://www.apache.org/licenses/LICENSE-2.0
+###
+###    Unless required by applicable law or agreed to in writing, software
+###    distributed under the Apache License with the above modification is
+###    distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+###    KIND, either express or implied. See the Apache License for the specific
+###    language governing permissions and limitations under the Apache License.
+###
+###
+
+module Chook
+
+  # the server
+  class Server < Sinatra::Base
+
+    # helper module for authentication
+    module Auth
+
+      USE_JAMF_ADMIN_USER = 'use_jamf'.freeze
+
+      def protect_via_basic_auth!
+        # don't protect if user isn't defined
+        return unless Chook.config.webhooks_user
+        return if webhook_user_authorized?
+        headers['WWW-Authenticate'] = 'Basic realm="Restricted Area"'
+        halt 401, "Not authorized\n"
+      end
+
+      def webhook_user_authorized?
+        @auth ||= Rack::Auth::Basic::Request.new(request.env)
+
+        # gotta have basic auth presented to us
+        unless @auth.provided? && @auth.basic? && @auth.credentials
+          Chook.logger.debug "No basic auth provided on protected route: #{request.path_info} from: #{request.ip}"
+          return false
+        end
+
+        authenticate_webhooks_user @auth.credentials
+      end # authorized?
+
+      # webhook user auth always comes from config
+      def authenticate_webhooks_user(creds)
+        if creds.first == Chook.config.webhooks_user && creds.last == Chook::Server.webhooks_user_pw
+          Chook.logger.debug "Got HTTP Basic auth for webhooks user: #{Chook.config.webhooks_user}@#{request.ip}"
+          true
+        else
+          Chook.logger.error "FAILED auth for webhooks user: #{Chook.config.webhooks_user}@#{request.ip}"
+          false
+        end
+      end # authenticate_webhooks_user
+
+      # admin user auth might come from config, might come from Jamf Pro
+      def authenticate_admin(user, pw)
+        return authenticate_jamf_admin(user, pw) if Chook.config.admin_user == USE_JAMF_ADMIN_USER
+        authenticate_admin_user(user, pw)
+      end
+
+      # admin auth from config
+      def authenticate_admin_user(user, pw)
+        if user == Chook.config.admin_user && pw == Chook::Server.admin_user_pw
+          Chook.logger.debug "Got auth for admin user: #{user}@#{request.ip}"
+          session[:authed_admin] = user
+          true
+        else
+          Chook.logger.warn "FAILED auth for admin user: #{user}@#{request.ip}"
+          session[:authed_admin] = nil
+          false
+        end
+      end
+
+      # admin auth from jamf pro
+      def authenticate_jamf_admin(user, pw)
+        require 'ruby-jss'
+        JSS::APIConnection.new(
+          user: user,
+          pw: pw,
+          server: Chook.config.jamf_server,
+          port: Chook.config.jamf_port,
+          use_ssl: Chook.config.jamf_use_ssl,
+          verify_cert: Chook.config.jamf_verify_cert
+        )
+        Chook.logger.debug "Jamf Admin login for: #{user}@#{request.ip}"
+
+        session[:authed_admin] = user
+        true
+      rescue JSS::AuthenticationError
+        Chook.logger.warn "Jamf Admin login FAILED for: #{user}@#{request.ip}"
+        session[:authed_admin] = nil
+        false
+      end # authenticate_jamf_admin
+
+    end # module auth
+
+    helpers Chook::Server::Auth
+
+    # Learn the webhook or admin passwords from config.
+    # so we can authenticate them from the browser and the JSS
+    #
+    # This is at the Server level, since we only need read it
+    # once per server startup, so we store it in a server
+    # instance var.
+    ###################################
+    def self.webhooks_user_pw
+      @webhooks_user_pw ||= pw_from_conf Chook.config.webhooks_user_pw
+    end # self.webhooks_user_pw
+
+    def self.admin_user_pw
+      @admin_user_pw ||= pw_from_conf Chook.config.admin_pw
+    end
+
+    def self.pw_from_conf(setting)
+      return '' unless setting
+
+      # if the path ends with a pipe, its a command that will
+      # return the desired password, so remove the pipe,
+      # execute it, and return stdout from it.
+      return pw_from_command(setting) if setting.end_with? '|'
+
+      # otherwise its a file path, and read the pw from the contents
+      pw_from_file(setting)
+    end # def pw_from_conf(setting)
+
+    def self.pw_from_command(cmd)
+      cmd = cmd.chomp '|'
+      output = `#{cmd} 2>&1`.chomp
+      raise "Can't get password from #{setting}: #{output}" unless $CHILD_STATUS.exitstatus.zero?
+      output
+    end
+
+    def self.pw_from_file(file)
+      file = Pathname.new file
+      return nil unless file.file?
+      stat = file.stat
+      mode = format('%o', stat.mode)
+      raise "Password file #{setting} has insecure mode, must be 0600." unless mode.end_with?('0600')
+      raise "Password file #{setting} has insecure owner, must be owned by UID #{Process.euid}." unless stat.owned?
+      # chomping an empty string removes all trailing \n's and \r\n's
+      file.read.chomp('')
+    end
+
+
+  end # server
+
+end # Chook
+
+require 'chook/server/routes/home'
+require 'chook/server/routes/handle_webhook_event'
+require 'chook/server/routes/handlers'
+require 'chook/server/routes/log'

data/lib/chook/server/public/css/chook.css

@@ -39,6 +39,10 @@
   font-size: 1.2em;
 }
 
+#login_incorrect {
+  color: red;
+}
+
 /* ******* Section Label Areas ******* */
 
 .section_label {

data/lib/chook/server/public/js/chook.js

@@ -1,3 +1,23 @@
+// log out of basic auth by sending an incorrect name /pw
+// may not work on all browsers
+// see second comment at
+// https://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication#492926
+
+function logout() {
+  //var logged_out_page = window.location.protocol + '//xxxx:xxxx@' + window.location.host + '/login';
+
+  var xhttp = new XMLHttpRequest();
+
+  xhttp.onreadystatechange = function() {
+    if (this.readyState == 4) {
+      window.location = "/login";
+    }
+  };
+
+  xhttp.open("GET", "/LOG_OUT:no_such_pw@logout", true);
+  xhttp.setRequestHeader("Authorization", "Basic " + btoa("LOG_OUT:no_such_pw"));
+  xhttp.send();
+}
 
 // show the logbox
 function view_log() {

data/lib/chook/server/routes.rb

@@ -28,32 +28,13 @@ module Chook
   # the server
   class Server < Sinatra::Base
 
-    # These two helpers let us decude which routes need
-    # http basic auth and which don't
-    #
-    # To protect a route, put `protected!` as the
-    # first line of code in the route.
-    #
-    # See http://sinatrarb.com/faq.html#auth
-    #
-    helpers do
-      def protected!
-        # don't protect if user isn't defined
-        return unless Chook.config.webhooks_user
+    HANDLE_EVENT_ROUTE = '/handle_webhook_event'.freeze
 
-        return if authorized?
-        headers['WWW-Authenticate'] = 'Basic realm="Restricted Area"'
-        halt 401, "Not authorized\n"
-      end
-
-      def authorized?
-        @auth ||= Rack::Auth::Basic::Request.new(request.env)
-        @auth.provided? && \
-          @auth.basic? && \
-          @auth.credentials && \
-          @auth.credentials == [Chook.config.webhooks_user, Chook::Server.webhooks_user_pw]
-      end
-    end
+  #   before do
+  #     break if request.path_info == Chook::Server::HANDLE_EVENT_ROUTE
+  # #    break if request.path_info == '/' && session[:authed_admin]
+  # #    redirect '/' unless session[:authed_admin]
+  #   end
 
     # log errors in production (in dev, they go to stdout and the browser)
     error do
@@ -69,4 +50,5 @@ end # Chook
 require 'chook/server/routes/home'
 require 'chook/server/routes/handle_webhook_event'
 require 'chook/server/routes/handlers'
+require 'chook/server/routes/login_logout'
 require 'chook/server/routes/log'