choria-mcorpc-support 2.22.1 → 2.23.3

data/lib/mcollective/shell.rb

@@ -38,18 +38,22 @@ module MCollective
         case opt.to_s
         when "stdout"
           raise "stdout should support <<" unless val.respond_to?("<<")
+
           @stdout = val
 
         when "stderr"
           raise "stderr should support <<" unless val.respond_to?("<<")
+
           @stderr = val
 
         when "stdin"
           raise "stdin should be a String" unless val.is_a?(String)
+
           @stdin = val
 
         when "cwd"
           raise "Directory #{val} does not exist" unless File.directory?(val)
+
           @cwd = val
 
         when "environment"
@@ -62,6 +66,7 @@ module MCollective
 
         when "timeout"
           raise "timeout should be a positive integer or the symbol :on_thread_exit symbol" unless val.eql?(:on_thread_exit) || (val.is_a?(Integer) && val > 0)
+
           @timeout = val
         end
       end
@@ -69,10 +74,10 @@ module MCollective
 
     # Actually does the systemu call passing in the correct environment, stdout and stderr
     def runcommand
-      opts = {"env"    => @environment,
+      opts = {"env" => @environment,
               "stdout" => @stdout,
               "stderr" => @stderr,
-              "cwd"    => @cwd}
+              "cwd" => @cwd}
 
       opts["stdin"] = @stdin if @stdin
 
@@ -108,8 +113,8 @@ module MCollective
             # only wait if the parent thread is dead
             Process.waitpid(cid) unless thread.alive?
           end
-        rescue SystemExit # rubocop:disable Lint/HandleExceptions
-        rescue Errno::ESRCH # rubocop:disable Lint/HandleExceptions
+        rescue SystemExit # rubocop:disable Lint/SuppressedException
+        rescue Errno::ESRCH # rubocop:disable Lint/SuppressedException
         rescue Errno::ECHILD
           Log.warn("Could not reap process '#{cid}'.")
         rescue Exception => e # rubocop:disable Lint/RescueException

data/lib/mcollective/signer/base.rb

@@ -0,0 +1,28 @@
+module MCollective
+  module Signer
+    class Base
+      # Register plugins that inherits base
+      def self.inherited(klass)
+        PluginManager << {:type => "choria_signer_plugin", :class => klass.to_s}
+        super
+      end
+
+      def initialize
+        @config = Config.instance
+        @log = Log
+      end
+
+      # Signs a secure request
+      #
+      # Generally for local mode this would just use the users own certificate but if you have a
+      # remote signer this might use a token to speak to a remote API, by default Choria supports
+      # a standard web service for remote signatures
+      #
+      # @param secure_request [Hash] a choria:secure:request:1 hash
+      # @raise [StandardError] when signing fails
+      def sign_secure_request!(secure_request)
+        raise(NoMethodError, "undefined method `sign_secure_request!' for %s" % inspect)
+      end
+    end
+  end
+end

data/lib/mcollective/signer/choria.rb

@@ -0,0 +1,185 @@
+require_relative "base"
+
+module MCollective
+  module Signer
+    # This is a Secure Request Signer that allows either local signing of requests using the users
+    # own certificate or delegation based signing via a webservice
+    #
+    # This allows one to integrate the Choria CLI into a centralised authentication, authorization and
+    # auditing system
+    #
+    # Available settings:
+    #
+    #   choria.security.request_signer.plugin - the plugin to use, `choria` for this one - the default.
+    #   choria.security.request_signer.token_file - a file holding a token like a JWT or similar
+    #   choria.security.request_signer.token_environment - a ENV key holding a token like a JWT or similar
+    #   choria.security.request_signer.url - a endpoint that implements the v1 signer protocol
+    #
+    # The webservice has to support the specification found at https://choria.io/schemas/choria/signer/v1/service.json
+    class Choria < Base
+      # Retrieves the token from either a local file or the users environment
+      #
+      # @return [String, nil]
+      def token
+        file = @config.pluginconf["choria.security.request_signer.token_file"]
+        env = @config.pluginconf["choria.security.request_signer.token_environment"]
+
+        if file
+          file = File.expand_path(file)
+
+          raise("No token found in %s, please authenticate using your configured authentication service" % file) unless File.exist?(file)
+
+          return File.read(file).chomp
+        end
+
+        raise("could not find token in environment variable %s" % env) unless ENV[env]
+
+        ENV[env].chomp
+      end
+
+      # Signs the secure request
+      #
+      # Signing supports either local mode using local certificates or delegating to a remote
+      # signer that is written in conformance with the signer specification version 1
+      #
+      # @param secure_request [Hash] a v1 secure request
+      def sign_secure_request!(secure_request)
+        return if $choria_unsafe_disable_protocol_security # rubocop:disable Style/GlobalVars
+
+        if remote_signer?
+          remote_sign!(secure_request)
+        else
+          local_sign!(secure_request)
+        end
+      end
+
+      # Determines the callerid for this client
+      #
+      # When a remote signer is enabled the caller is extracted from the JWT
+      # otherwise a choria=user style ID is generated
+      #
+      # @return [String]
+      # @raise [Exception] when the JWT is invalid
+      def callerid
+        if remote_signer?
+          parts = token.split(".")
+
+          raise("Invalid JWT token") unless parts.length == 3
+
+          claims = JSON.parse(Base64.decode64(parts[1]))
+
+          raise("Invalid JWT token") unless claims.include?("callerid")
+          raise("Invalid JWT token") unless claims["callerid"].is_a?(String)
+          raise("Invalid JWT token") if claims["callerid"].empty?
+
+          claims["callerid"]
+        else
+          "choria=%s" % choria.certname
+        end
+      end
+
+      # The body that would be submitted to the remote service
+      #
+      # @param secure_request [Hash] a v1 secure request
+      # @return [Hash]
+      def sign_request_body(secure_request)
+        {
+          "token" => token,
+          "request" => Base64.encode64(secure_request["message"])
+        }
+      end
+
+      # Performs a remote sign operation against a configured web service
+      #
+      # @param secure_request [Hash] a v1 secure request
+      # @raise [StandardError] on signing error
+      def remote_sign!(secure_request)
+        Log.info("Signing secure request using remote signer %s" % remote_signer_url)
+
+        uri = remote_signer_url
+        post = choria.http_post(uri.request_uri)
+        post.body = sign_request_body(secure_request).to_json
+        post["Content-type"] = "application/json"
+
+        http = choria.https(:target => uri.host, :port => uri.port)
+        http.use_ssl = false if uri.scheme == "http"
+
+        # While this might appear alarming it's expected that the clients
+        # in this situation will not have any Choria CA issued certificates
+        # and so wish to use a remote signer - the certificate management woes
+        # being one of the main reasons for centralised AAA.
+        #
+        # So there is no realistic way to verify these requests especially in the
+        # event that these signers run on private IPs and such as would be typical
+        # so while we do this big No No of disabling verify here it really is the
+        # only thing that make sense.
+        http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl?
+
+        resp = http.request(post)
+
+        signature = {}
+
+        if resp.code == "200"
+          signature = JSON.parse(resp.body)
+        else
+          raise("Could not get remote signature: %s: %s" % [resp.code, resp.body])
+        end
+
+        raise("Could not get remote signature: %s" % signature["error"]) if signature["error"]
+
+        signed_request = JSON.parse(Base64.decode64(signature["secure_request"]))
+        signed_request.each do |k, v|
+          secure_request[k] = v
+        end
+      end
+
+      # Signs using local certificates
+      #
+      # @param secure_request [Hash] a v1 secure request
+      # @raise [StandardError] on signing error
+      def local_sign!(secure_request)
+        Log.info("Signing secure request using local credentials")
+
+        secure_request["signature"] = sign(secure_request["message"])
+        secure_request["pubcert"] = File.read(client_public_cert).chomp
+
+        nil
+      end
+
+      # (see Security::Choria#sign)
+      def sign(string, id=nil)
+        security.sign(string, id)
+      end
+
+      # (see Security::Choria#client_public_cert)
+      def client_public_cert
+        security.client_public_cert
+      end
+
+      # Determines if a remote signer is configured
+      #
+      # @return [Boolean]
+      def remote_signer?
+        !!(remote_signer_url == "" || remote_signer_url)
+      end
+
+      # Determines the remote url to submit standard signing requests to
+      #
+      # @return [URI, Nil]
+      def remote_signer_url
+        return nil unless @config.pluginconf["choria.security.request_signer.url"]
+        return nil if @config.pluginconf["choria.security.request_signer.url"] == ""
+
+        URI.parse(@config.pluginconf["choria.security.request_signer.url"])
+      end
+
+      def security
+        @security ||= PluginManager["security_plugin"]
+      end
+
+      def choria
+        @choria ||= security.choria
+      end
+    end
+  end
+end

data/lib/mcollective/ssl.rb

@@ -166,7 +166,7 @@ module MCollective
 
     # Signs a string using the private key
     def sign(string, base64=false)
-      sig = @private_key.sign(OpenSSL::Digest::SHA1.new, string)
+      sig = @private_key.sign(OpenSSL::Digest.new("SHA1"), string)
 
       base64 ? base64_encode(sig) : sig
     end
@@ -175,7 +175,7 @@ module MCollective
     def verify_signature(signature, string, base64=false)
       signature = base64_decode(signature) if base64
 
-      @public_key.verify(OpenSSL::Digest::SHA1.new, signature, string)
+      @public_key.verify(OpenSSL::Digest.new("SHA1"), signature, string)
     end
 
     # base 64 encode a string
@@ -196,6 +196,7 @@ module MCollective
       # The Base 64 character set is A-Z a-z 0-9 + / =
       # Also allow for whitespace, but raise if we get anything else
       raise(ArgumentError, "invalid base64") if string !~ /^[A-Za-z0-9+\/=\s]+$/
+
       Base64.decode64(string)
     end
 
@@ -248,7 +249,8 @@ module MCollective
       raise "Could not find key #{key}" unless File.exist?(key)
       raise "#{type} key file '#{key}' is empty" if File.zero?(key)
 
-      if type == :public
+      case type
+      when :public
         begin
           key = OpenSSL::PKey::RSA.new(File.read(key))
         rescue OpenSSL::PKey::RSAError
@@ -271,9 +273,9 @@ module MCollective
         # See  http://bugs.ruby-lang.org/issues/4550
         OpenSSL.errors if Util.ruby_version =~ /^1.8/
 
-        return key
-      elsif type == :private
-        return OpenSSL::PKey::RSA.new(File.read(key), passphrase)
+        key
+      when :private
+        OpenSSL::PKey::RSA.new(File.read(key), passphrase)
       else
         raise "Can only load :public or :private keys"
       end

data/lib/mcollective/util.rb

@@ -10,12 +10,12 @@ module MCollective
 
       if agent.is_a?(Regexp)
         if !Agents.agentlist.grep(agent).empty?
-          return true
+          true
         else
-          return false
+          false
         end
       else
-        return Agents.agentlist.include?(agent)
+        Agents.agentlist.include?(agent)
       end
     end
 
@@ -41,9 +41,10 @@ module MCollective
 
       begin
         File.readlines(cfile).each do |k|
-          if klass.is_a?(Regexp)
+          case klass
+          when Regexp
             return true if k.chomp.match(klass)
-          elsif k.chomp == klass
+          when k.chomp
             return true
           end
         end
@@ -74,11 +75,11 @@ module MCollective
       fact = fact.clone
       case fact
       when Array
-        return fact.any? { |element| test_fact_value(element, value, operator)}
+        fact.any? { |element| test_fact_value(element, value, operator)}
       when Hash
-        return fact.keys.any? { |element| test_fact_value(element, value, operator)}
+        fact.keys.any? { |element| test_fact_value(element, value, operator)}
       else
-        return test_fact_value(fact, value, operator)
+        test_fact_value(fact, value, operator)
       end
     end
 
@@ -104,7 +105,7 @@ module MCollective
           value = Float(value) # rubocop:disable Lint/UselessAssignment
         end
 
-        return true if eval("fact #{operator} value") # rubocop:disable Security/Eval
+        return true if eval("fact #{operator} value") # rubocop:disable Security/Eval, Style/EvalWithLocation
       end
 
       false
@@ -118,9 +119,10 @@ module MCollective
     def self.has_identity?(identity)
       identity = Regexp.new(identity.gsub("\/", "")) if identity.start_with?("/")
 
-      if identity.is_a?(Regexp)
+      case identity
+      when Regexp
         return Config.instance.identity.match(identity)
-      elsif Config.instance.identity == identity
+      when Config.instance.identity
         return true
       end
 
@@ -135,9 +137,9 @@ module MCollective
     # Creates an empty filter
     def self.empty_filter
       {
-        "fact"     => [],
+        "fact" => [],
         "cf_class" => [],
-        "agent"    => [],
+        "agent" => [],
         "identity" => [],
         "compound" => []
       }
@@ -146,7 +148,7 @@ module MCollective
     # Returns the PuppetLabs mcollective path for windows
     def self.windows_prefix
       require "win32/dir"
-      File.join(Dir::COMMON_APPDATA, "PuppetLabs", "mcollective")
+      File.join(Dir::COMMON_APPDATA, "PuppetLabs", "choria")
     end
 
     def self.choria_windows_prefix
@@ -154,19 +156,23 @@ module MCollective
       File.join(Dir::COMMON_APPDATA, "ChoriaIO", "choria")
     end
 
-    def self.mcollective_config_paths_for_user
+    def self.config_paths_for_user
       config_paths = []
 
-      begin
-        # File.expand_path will raise if HOME isn't set, catch it
-        user_path = File.expand_path("~/.mcollective")
-        config_paths << user_path
-      rescue Exception # rubocop:disable Lint/RescueException, Lint/HandleExceptions
+      ["~/.choriarc", "~/.mcollective"].each do |f|
+        begin
+          # File.expand_path will raise if HOME isn't set, catch it
+          config_paths << File.expand_path(f)
+        rescue ArgumentError # rubocop:disable Lint/SuppressedException
+        end
       end
 
       if windows?
+        config_paths << File.join(choria_windows_prefix, "etc", "client.conf")
         config_paths << File.join(windows_prefix, "etc", "client.cfg")
       else
+        config_paths << "/etc/choria/client.conf"
+        config_paths << "/usr/local/etc/choria/client.conf"
         config_paths << "/etc/puppetlabs/mcollective/client.cfg"
         config_paths << "/etc/mcollective/client.cfg"
         config_paths << "/usr/local/etc/mcollective/client.cfg"
@@ -175,56 +181,44 @@ module MCollective
       config_paths
     end
 
-    def self.choria_config_paths_for_user
-      config_paths = []
-
-      begin
-        # File.expand_path will raise if HOME isn't set, catch it
-        user_path = File.expand_path("~/.choriarc")
-        config_paths << user_path
-      rescue Exception # rubocop:disable Lint/RescueException, Lint/HandleExceptions
-      end
-
-      if windows?
-        config_paths << File.join(choria_windows_prefix, "etc", "client.conf")
-      else
-        config_paths << "/etc/choria/client.conf"
-        config_paths << "/usr/local/etc/choria/client.conf"
-      end
-
-      config_paths
-    end
-
     # Picks the default user config file, priorities are first Choria ones then old MCollective ones
     #
     # In roughly this order, first to exist is used:
     #
     # - ~/.choriarc
-    # - APPData/ChoriaIO/choria/etc/client.conf on windows
-    # - /etc/choria/client.conf then
-    # - /usr/local/etc/choria/client.conf on unix
     # - ~/.mcollective
-    # - APPData/PuppetLabs/mcollective/etc/client.cfg on windows
+    #
+    # On Unix:
+    #
+    # - /etc/choria/client.conf
+    # - /usr/local/etc/choria/client.conf
     # - /etc/puppetlabs/mcollective/client.cfg
     # - /etc/mcollective/client.cfg
     # - /usr/local/etc/mcollective/client.cfg
+    #
+    # On Windows:
+    #
+    # - APPData/ChoriaIO/choria/etc/client.conf on windows
+    # - APPData/PuppetLabs/mcollective/etc/client.cfg on windows
     def self.config_file_for_user
-      config_paths = choria_config_paths_for_user + mcollective_config_paths_for_user
+      config_paths = config_paths_for_user
+
       found = config_paths.find_index { |file| File.readable?(file) } || 0
+
       config_paths[found]
     end
 
     # Creates a standard options hash
     def self.default_options
       {
-        :verbose           => false,
-        :disctimeout       => nil,
-        :timeout           => 5,
-        :config            => config_file_for_user,
-        :collective        => nil,
-        :discovery_method  => nil,
+        :verbose => false,
+        :disctimeout => nil,
+        :timeout => 5,
+        :config => config_file_for_user,
+        :collective => nil,
+        :discovery_method => nil,
         :discovery_options => Config.instance.default_discovery_options,
-        :filter            => empty_filter
+        :filter => empty_filter
       }
     end
 
@@ -273,15 +267,16 @@ module MCollective
 
     # Parse a fact filter string like foo=bar into the tuple hash thats needed
     def self.parse_fact_string(fact)
-      if fact =~ /^([^ ]+?)[ ]*=>[ ]*(.+)/
+      case fact
+      when /^([^ ]+?) *=> *(.+)/
         {:fact => $1, :value => $2, :operator => ">="}
-      elsif fact =~ /^([^ ]+?)[ ]*=<[ ]*(.+)/
+      when /^([^ ]+?) *=< *(.+)/
         {:fact => $1, :value => $2, :operator => "<="}
-      elsif fact =~ /^([^ ]+?)[ ]*(<=|>=|<|>|!=|==|=~)[ ]*(.+)/
+      when /^([^ ]+?) *(<=|>=|<|>|!=|==|=~) *(.+)/
         {:fact => $1, :value => $3, :operator => $2}
-      elsif fact =~ /^(.+?)[ ]*=[ ]*\/(.+)\/$/
+      when /^(.+?) *= *\/(.+)\/$/
         {:fact => $1, :value => "/#{$2}/", :operator => "=~"}
-      elsif fact =~ /^([^= ]+?)[ ]*=[ ]*(.+)/
+      when /^([^= ]+?) *= *(.+)/
         {:fact => $1, :value => $2, :operator => "=="}
       else
         raise "Could not parse fact #{fact} it does not appear to be in a valid format"
@@ -326,9 +321,9 @@ module MCollective
       }
 
       if colorize
-        return colors[code] || ""
+        colors[code] || ""
       else
-        return ""
+        ""
       end
     end
 
@@ -379,9 +374,7 @@ module MCollective
       text.each_with_index do |line, i|
         whitespace = 0
 
-        while whitespace < line.length && line[whitespace].chr == " "
-          whitespace += 1
-        end
+        whitespace += 1 while whitespace < line.length && line[whitespace].chr == " "
 
         # If the current line is empty, indent it so that a snippet
         # from the previous line is aligned correctly.
@@ -435,21 +428,21 @@ module MCollective
     #
     # Returns [0, 0] if it can't figure it out or if you're
     # not running on a tty
-    def self.terminal_dimensions(stdout=STDOUT, environment=ENV)
+    def self.terminal_dimensions(stdout=$stdout, environment=ENV)
       return [0, 0] unless stdout.tty?
 
       return [80, 40] if Util.windows?
 
       if environment["COLUMNS"] && environment["LINES"]
-        return [environment["COLUMNS"].to_i, environment["LINES"].to_i]
+        [environment["COLUMNS"].to_i, environment["LINES"].to_i]
 
       elsif environment["TERM"] && command_in_path?("tput")
-        return [`tput cols`.to_i, `tput lines`.to_i]
+        [`tput cols`.to_i, `tput lines`.to_i]
 
       elsif command_in_path?("stty")
-        return `stty size`.scan(/\d+/).map(&:to_i)
+        `stty size`.scan(/\d+/).map(&:to_i)
       else
-        return [0, 0]
+        [0, 0]
       end
     rescue
       [0, 0]
@@ -490,6 +483,7 @@ module MCollective
         elsif b == "."            then return 1
         elsif a =~ /^\d+$/ && b =~ /^\d+$/
           return a.to_s.upcase <=> b.to_s.upcase if a =~ /^0/ || b =~ /^0/
+
           return a.to_i <=> b.to_i
         else
           return a.upcase <=> b.upcase
@@ -516,10 +510,11 @@ module MCollective
     # Any other value will return FalseClass
     def self.str_to_bool(val)
       clean_val = val.to_s.strip
-      if clean_val =~ /^(1|yes|true|y|t)$/i
-        return true
-      elsif clean_val =~ /^(0|no|false|n|f)$/i
-        return false
+      case clean_val
+      when /^(1|yes|true|y|t)$/i
+        true
+      when /^(0|no|false|n|f)$/i
+        false
       else
         raise("Cannot convert string value '#{clean_val}' into a boolean.")
       end
@@ -531,8 +526,7 @@ module MCollective
       template_path = File.join(config_dir, template_file)
       return template_path if File.exist?(template_path)
 
-      template_path = File.join("/etc/mcollective", template_file)
-      template_path
+      File.join("/etc/mcollective", template_file)
     end
 
     # subscribe to the direct addressing queue
@@ -563,6 +557,7 @@ module MCollective
 
       while char = Win32API.new("crtdll", "_getch", [], "I").Call
         break if [10, 13].include?(char) # return or newline
+
         if [127, 8].include?(char) # backspace and delete
           input.slice!(-1, 1) unless input.empty?
         else
@@ -574,17 +569,13 @@ module MCollective
     end
 
     def self.get_hidden_input_on_unix # rubocop:disable Naming/AccessorMethodName
-      unless $stdin.tty?
-        raise "Could not hook to stdin to hide input. If using SSH, try using -t flag while connecting to server."
-      end
-      unless system "stty -echo -icanon"
-        raise "Could not hide input using stty command."
-      end
+      raise "Could not hook to stdin to hide input. If using SSH, try using -t flag while connecting to server." unless $stdin.tty?
+      raise "Could not hide input using stty command." unless system "stty -echo -icanon"
+
       input = $stdin.gets
     ensure
-      unless system "stty echo icanon"
-        raise "Could not enable echoing of input. Try executing `stty echo icanon` to debug."
-      end
+      raise "Could not enable echoing of input. Try executing `stty echo icanon` to debug." unless system "stty echo icanon"
+
       input
     end