deploy-agent 1.0.1 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0fabf21134da24a6c3a0e705f251796822e0ac92
-  data.tar.gz: b604919b01e5af9f279ab6b5b5a9ba2bcc38d957
+  metadata.gz: a41327831b4a0f98c160aede42a5c71b694e012e
+  data.tar.gz: 7bf66283175fb01c1b0dff0daf87328e0d1f7fd3
 SHA512:
-  metadata.gz: e7f145767229dad5eaebd8a7bbb4f80dae6e3f79a18573a10fe21dd31c4526918fc62461cfb63f2eb60ed900d406bceca20aaee13cb3573364640d559eaf9672
-  data.tar.gz: 8d4246315146209663771135504bd8508ed6030cd17f6e5f3858405842c13b59e439b5eaa188c1bedbfb69b4b965538a7db3bb685c78b4869d800bd8d07fe30a
+  metadata.gz: f9f3f9099ab483e3ab9f20f52e095b8821a0146f2bbfad70cc7084a5356d43a0859d1263c692424148a8e2d3edd84f57df36d9d2420c4ba49974e2d01b638e7f
+  data.tar.gz: 7f9f3fc08beb0ced4b97f6f4e601e75ebb53fdbcdfc6d341ebfabb2d729aea14129bd9acf24191ad3e81ce7decb021c09c813482fe4b6102207afcf9cb4ed3b3

data/lib/deploy_agent.rb

@@ -8,7 +8,16 @@ module DeployAgent
   CONFIG_PATH      = File.expand_path('~/.deploy')
   CERTIFICATE_PATH = File.expand_path('~/.deploy/agent.crt')
   KEY_PATH         = File.expand_path('~/.deploy/agent.key')
-  CA_PATH          = File.expand_path('~/.deploy/ca.crt')
   PID_PATH         = File.expand_path('~/.deploy/agent.pid')
   LOG_PATH         = File.expand_path('~/.deploy/agent.log')
+  ACCESS_PATH      = File.expand_path('~/.deploy/agent.access')
+  CA_PATH          = File.expand_path('../../ca.crt', __FILE__)
+
+  def self.allowed_destinations
+      destinations = File.read(ACCESS_PATH)
+      destinations = destinations.split(/\n/).map(&:strip)
+      destinations = destinations.reject { |n| n == '' || n[0] == '#' }
+      destinations = destinations.map { |l| l.split(' ', 2)[0] }
+      return destinations
+  end
 end

data/lib/deploy_agent/certificate_manager.rb

@@ -12,6 +12,11 @@ module DeployAgent
     end
 
     def generate_certificate
+      FileUtils.mkdir_p(CONFIG_PATH)
+      unless File.file?(ACCESS_PATH)
+        File.write(ACCESS_PATH, "# This file contains a list of host and network addresses the Deploy agent\n # will allow connections to. Add IPs or networks (CIDR format) as needed.\n\n# Allow deployments to localhost\n127.0.0.1\n::1\n")
+      end
+
       puts 'This tool will assist you in generating a certificate for your Deploy agent.'
       puts
       if File.file?(CERTIFICATE_PATH)
@@ -51,8 +56,6 @@ module DeployAgent
           response = http.request request
           response_hash = JSON.parse(response.body)
           if response_hash['status'] == 'success'
-            FileUtils.mkdir_p(CONFIG_PATH)
-            File.write(CA_PATH,          response_hash['data']['ca'])
             File.write(CERTIFICATE_PATH, response_hash['data']['certificate'])
             File.write(KEY_PATH,         response_hash['data']['private_key'])
             puts

data/lib/deploy_agent/cli.rb

@@ -1,3 +1,5 @@
+require 'ipaddr'
+
 module DeployAgent
   class CLI
 
@@ -14,13 +16,6 @@ module DeployAgent
       CertificateManager.new.generate_certificate
     end
 
-    def ensure_configured
-      unless File.file?(CERTIFICATE_PATH)
-        puts 'Deploy agent is not configured. Please run "deploy-agent setup" first.'
-        Process.exit(1)
-      end
-    end
-
     def restart
       stop
       while(is_running?)
@@ -70,8 +65,29 @@ module DeployAgent
       Agent.new.run
     end
 
+    def accesslist
+      puts "Access list:"
+      DeployAgent.allowed_destinations.each do |destination|
+        begin
+          IPAddr.new(destination)
+          puts " - " + destination
+        rescue IPAddr::InvalidAddressError
+          puts " - " + destination + " (INVALID)"
+        end
+      end
+      puts
+      puts "To edit the list of allowed servers, please modify " + ACCESS_PATH
+    end
+
     private
 
+    def ensure_configured
+      unless File.file?(CERTIFICATE_PATH) && File.file?(ACCESS_PATH)
+        puts 'Deploy agent is not configured. Please run "deploy-agent setup" first.'
+        Process.exit(1)
+      end
+    end
+
     def is_running?
       if pid = pid_from_file
         Process.kill(0, pid)

data/lib/deploy_agent/server_connection.rb

@@ -21,7 +21,7 @@ module DeployAgent
 
       # Configure an OpenSSL context with server vertification
       ctx = OpenSSL::SSL::SSLContext.new
-      ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      ctx.verify_mode = check_certificate ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
       # Load the agent certificate and key used to authenticate this agent
       ctx.cert = OpenSSL::X509::Certificate.new(File.read(CERTIFICATE_PATH))
       ctx.key = OpenSSL::PKey::RSA.new(File.read(KEY_PATH))
@@ -70,6 +70,8 @@ module DeployAgent
           id = packet[1,2].unpack('n')[0]
           host, port = packet[3..-1].split('/', 2)
           @agent.logger.info "[#{id}] Connection request from server: #{host}:#{port}"
+          return send_connection_error(id, "Destination address not allowed") unless destination_allowed?(host)
+
           begin
             # Create conenction to the final destination and save info by id
             @destination_connections[id] = DestinationConnection.new(host, port, id, @nio_selector, self)
@@ -108,6 +110,18 @@ module DeployAgent
       close
     end
 
+    def destination_allowed?(destination)
+      return false unless File.file?(ACCESS_PATH)
+      DeployAgent.allowed_destinations.each do |network|
+        begin
+          return true if IPAddr.new(network).include?(destination)
+        rescue IPAddr::InvalidAddressError
+          # Not a valid IP or netmask, deny and continue
+        end
+      end
+      false
+    end
+
     # Notify server of successful connection
     def send_connection_success(id)
       send_packet([2, id, 0].pack('CnC'))

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: deploy-agent
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
 platform: ruby
 authors:
 - aTech Media
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-09 00:00:00.000000000 Z
+date: 2017-03-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nio4r