dtk-node-agent 0.5.10

data/mcollective_additions/plugins/v2.2/connector/stomp_em.rb

@@ -0,0 +1,191 @@
+require 'eventmachine'
+module MCollective
+  module Connector
+        # Handles sending and receiving messages over the Stomp protocol
+        #
+        # This plugin supports version 1.1 or 1.1.6 and newer of the Stomp rubygem
+        # the versions between those had multi threading issues.
+        #
+        # For all versions you can configure it as follows:
+        #
+        #    connector = stomp
+        #    plugin.stomp.host = stomp.your.net
+        #    plugin.stomp.port = 6163
+        #    plugin.stomp.user = you
+        #    plugin.stomp.password = secret
+        #
+        # For versions of ActiveMQ that supports message priorities
+        # you can set a priority, this will cause a "priority" header
+        # to be emitted if present:
+        #
+        #     plugin.stomp.priority = 4
+        #
+    class Stomp_em<Base
+      #this is effectively a singleton, but not mixin in Singleton beacuse mcollective isstantiates with new
+      #TODO: may look at making singleton and patching with making :new public, recognizing that will only be called once
+
+      module StompClient
+        include EM::Protocols::Stomp
+        def initialize(*args)
+          super(*args)
+          #TODO: if cannot fidn user and log this shoudl be error
+          conn_opts = (args.last.kind_of?(Hash))? args.last : {}
+          @login = conn_opts[:login]
+          @passcode = conn_opts[:passcode]
+          @connected = false
+        end
+
+        def connection_completed
+          connect :login => @login, :passcode => @passcode
+        end
+
+        def receive_msg msg
+          if msg.command == "CONNECTED"
+pp [:is_connected]
+            @connected = true
+          else
+            Stomp_em.process(msg) 
+          end
+        end
+
+        def is_connected?()
+          @connected
+        end
+      end
+
+      def initialize
+        @config = Config.instance
+        @subscriptions = []
+        @connected = nil
+        @connection = nil
+      end
+
+      def set_context(context)
+        @@decode_context = context[:decode_context]
+        @@multiplexer = context[:multiplexer]
+      end
+
+      def disconnect
+        #TODO: need to write
+      end
+
+      # Connects to the Stomp middleware
+      def connect
+        if @connection
+          Log.debug("Already connection, not re-initializing connection")
+          return
+        end
+        begin
+          host = nil
+          port = nil
+          user = nil
+          password = nil
+          @@base64 = false
+
+          @@base64 = get_bool_option("stomp.base64", false)
+          @@msgpriority = get_option("stomp.priority", 0).to_i
+
+          # Maintain backward compat for older stomps
+          host = get_env_or_option("STOMP_SERVER", "stomp.host")
+          port = get_env_or_option("STOMP_PORT", "stomp.port", 6163).to_i
+          user = get_env_or_option("STOMP_USER", "stomp.user")
+          password = get_env_or_option("STOMP_PASSWORD", "stomp.password")
+
+          #TODO: assume reactor is running already
+          @connection = EM.connect host, port, StompClient, :login => user, :passcode => password
+          Log.debug("Connecting to #{host}:#{port}")
+         rescue Exception => e
+          pp e.backtrace[0..5]
+          raise("Could not connect to Stomp Server: #{e}")
+        end
+      end
+
+      def wait_until_connected?
+        return if @connected
+        loop do 
+          return if @connected = @connection.is_connected?
+          sleep 1
+        end
+      end
+    
+    
+      def self.process(msg)
+        # STOMP puts the payload in the body variable, pass that
+        # into the payload of MCollective::Request and discard all the
+        # other headers etc that stomp provides
+        raw_msg = 
+          if @@base64
+            Request.new(SSL.base64_decode(msg.body))
+          else
+            Request.new(msg.body)
+          end     
+        msg = @@decode_context.r8_decode_receive(raw_msg)
+        @@multiplexer.process_response(msg,msg[:requestid])
+      end
+
+      #TODO: make automic subscribe_and_send because need subscribe to happen before send does
+      # Subscribe to a topic or queue
+      def subscribe(source)
+        unless @subscriptions.include?(source)
+          EM::defer do 
+            Log.debug("Subscribing to #{source}")
+            wait_until_connected?
+            @connection.subscribe(source)
+            @subscriptions << source
+          end
+        end
+      end
+      def subscribe_and_send(source,destination,body,params={})
+        EM::defer do 
+          wait_until_connected?
+          unless @subscriptions.include?(source)
+            Log.debug("Subscribing to #{source}")
+            @connection.subscribe(source)
+            @subscriptions << source
+          end
+          @connection.send(destination,body,params)
+        end
+      end
+
+      # Subscribe to a topic or queue
+      def unsubscribe(source)
+        #TODO
+      end
+     private
+      def get_env_or_option(env, opt, default=nil)
+        return ENV[env] if ENV.include?(env)
+        return @config.pluginconf[opt] if @config.pluginconf.include?(opt)
+        return default if default
+
+        raise("No #{env} environment or plugin.#{opt} configuration option given")
+      end
+
+      # looks for a config option, accepts an optional default
+      #
+      # raises an exception when it cant find a value anywhere
+      def get_option(opt, default=nil)
+        return @config.pluginconf[opt] if @config.pluginconf.include?(opt)
+        return default if default
+
+        raise("No plugin.#{opt} configuration option given")
+      end
+
+      # gets a boolean option from the config, supports y/n/true/false/1/0
+      def get_bool_option(opt, default)
+        return default unless @config.pluginconf.include?(opt)
+
+        val = @config.pluginconf[opt]
+
+        if val =~ /^1|yes|true/
+          return true
+        elsif val =~ /^0|no|false/
+          return false
+        else
+          return default
+        end
+      end
+    end
+  end
+end
+
+# vi:tabstop=4:expandtab:ai

data/mcollective_additions/plugins/v2.2/facts/pbuilder_facts.rb

@@ -0,0 +1,35 @@
+require 'open-uri'
+require 'timeout'
+require 'yaml'
+
+module MCollective
+  module Facts
+    # A factsource for pbuilder
+    class Pbuilder_facts < Base
+
+      def load_facts_from_source
+        ret = {"pbuilderid" => get_pbuilderid()}
+        yaml_file = '/etc/mcollective/facts.yaml'
+        if File.exists?(yaml_file)
+          yaml_facts = YAML.load_file(yaml_file)
+          ret.merge!(yaml_facts)
+        end
+        ret
+      end
+
+      def get_pbuilderid()
+        ret = nil
+        begin
+          addr = "169.254.169.254"
+          wait_sec = 2
+          Timeout::timeout(wait_sec) {open("http://#{addr}:80/")}
+          ret = OpenURI.open_uri("http://#{addr}/2008-02-01/meta-data/instance-id").read
+        rescue Timeout::Error
+        rescue
+          #TODO: unexpected; write to log what error is
+        end
+        ret
+      end
+    end
+  end
+end

data/mcollective_additions/plugins/v2.2/security/sshkey.ddl

@@ -0,0 +1,9 @@
+metadata  :name        => 'sshkey',
+          :description => 'Security Plugin that uses ssh keys for signing',
+          :author      => 'Pieter Loubser <pieter.loubser@puppetlabs.com>',
+          :license     => 'ASL 2.0',
+          :version     => '0.4',
+          :url         => 'http://projects.puppetlabs.com/projects/mcollective-plugins/wiki',
+          :timeout     => 10
+
+requires :mcollective => '2.2.1'

data/mcollective_additions/plugins/v2.2/security/sshkey.rb

@@ -0,0 +1,362 @@
+module MCollective
+  module Security
+    # Configuration
+    #
+    # Client:
+    #   client.private_key                      : A private key used to sign requests with - defaults to ssh-agent
+    #   client.known_hosts                      : The known_hosts file to use - defaults to /home/callerid/.ssh/known_hosts
+    #   client.send_key                         : Send the client's public key with the request - doesn not send the key by default.
+    #                                             To send a key specify the key file to send.
+    #
+    # Server:
+    #   server.private_key                      : The private key used to sign replies with - Defaults to /etc/ssh/ssh_host_rsa_key * required
+    #   server.authorized_keys                  : The authorized_keys file to use - defaults to the caller's authorized_keys file in his home directory
+    #   server.send_key                         : Send the server's public key with the request - does not send the key by default.
+    #                                             To send a key specify the key file to send.
+    #
+    # Shared:
+    #   (client|server).publickey_dir          : Directory to store received keys - defaults to none
+    #   (client|server).learn_public_keys      : Allow writing public keys to publickey_dir - defaults to not sending.
+    #   (client|server).overwrite_stored_keys  : Overwrite received keys - defaults to false
+    class Sshkey < Base
+      gem 'sshkeyauth', '>= 0.0.4'
+
+      require 'ssh/key/signer'
+      require 'ssh/key/verifier'
+      require 'etc'
+
+      def decodemsg(msg)
+        body = Marshal.load(msg.payload)
+
+        if validrequest?(body)
+          body[:body] = Marshal.load(body[:body])
+          return body
+        else
+          nil
+        end
+      end
+
+      def encodereply(sender, msg, requestid, requestcallerid=nil)
+        serialized_msg = Marshal.dump(msg)
+        reply = create_reply(requestid, sender, serialized_msg)
+        reply[:serialized_data] = Marshal.dump(create_hash_fields(serialized_msg, reply[:msgtime], requestid))
+        reply[:hash] = makehash(reply[:serialized_data])
+
+        if server_key = lookup_config_option('send_key')
+          if File.exists?(server_key)
+            reply[:public_key] = load_key(server_key)
+          else
+            raise("Cannot create reply. sshkey.server.send_key set but key '%s' does not exist." % server_key)
+          end
+        end
+
+        Marshal.dump(reply)
+      end
+
+      def encoderequest(sender, msg, requestid, filter, target_agent, target_collective, ttl=60)
+        serialized_msg = Marshal.dump(msg)
+        req = create_request(requestid, filter, serialized_msg, @initiated_by, target_agent, target_collective, ttl)
+
+
+        if client_key = lookup_config_option('send_key')
+          if File.exists?(client_key)
+            req[:public_key] = load_key(client_key)
+          else
+            raise("Cannot create request. sshkey.client.send_key set but key '%s' does not exist." % client_key)
+          end
+        end
+
+        req[:serialized_data] = Marshal.dump(create_hash_fields(serialized_msg, req[:msgtime], requestid, ttl, callerid))
+        req[:hash] = makehash(req[:serialized_data])
+
+        Marshal.dump(req)
+      end
+
+      def validrequest?(req)
+        # Check if verification keys are correctly configured
+        valid_configuration?
+        # Check if key should be written to disk and write it
+        write_key_to_disk(req[:public_key], (req[:callerid] || req[:senderid]).split('=')[-1] ) if req[:public_key]
+
+        if @initiated_by == :client
+          Log.debug('Validating reply from node %s' % req[:senderid])
+          verifier = client_verifier(req[:senderid])
+        else
+          Log.debug('Validating request from client %s' % req[:callerid])
+          verifier = node_verifier(req[:callerid], (req[:agent] == 'registration'), req[:public_key])
+        end
+
+        signatures = Marshal.load(req[:hash])
+
+        if verifier.verify?(signatures, req[:serialized_data])
+          @stats.validated
+          return true
+        else
+          @stats.unvalidated
+          Log.debug('Received an invalid signature in message.')
+          raise SecurityValidationFailed
+        end
+      end
+
+      def callerid
+        'sshkey=%s' % Etc.getlogin
+      end
+
+      private
+
+      # Checks that publickey_dir and known_hosts|authorized_keys are not set at the same time.
+      def valid_configuration?
+        if @initiated_by == :client
+          if lookup_config_option('publickey_dir') && lookup_config_option('known_hosts')
+            raise('Both publickey_dir and known_hosts are defined in client config. Cannot lookup public key')
+          end
+        elsif @initiated_by == :node
+          if lookup_config_option('publickey_dir') && lookup_config_option('authorized_keys')
+            raise('Both publickey_dir and authorized_keys are defiend in server config. Cannot lookup public key')
+          end
+        end
+      end
+
+      # Checks if the attached public key needs to be stored locally
+      # Overwriting is disabled by default
+      # - The publickey_directory config option needs to be set before
+      #   the file will be written.
+      # - The directory must exist before writing.
+      # - The learn_public_keys configuration option must be enabled.
+      def write_key_to_disk(key, identity)
+
+        # Writing is disabled. Don't bother checking any other states.
+        return unless lookup_config_option('learn_public_keys') =~ /^1|y/
+
+        publickey_dir = lookup_config_option('publickey_dir')
+
+        unless publickey_dir
+          Log.info("Public key sent with request but no publickey_dir defined in configuration. Not writing key to disk.")
+          return
+        end
+
+        if File.directory?(publickey_dir)
+          if File.exists?(old_keyfile = File.join(publickey_dir, "#{identity}_pub.pem"))
+            old_key = File.read(old_keyfile).chomp
+
+            unless old_key == key
+              unless lookup_config_option('overwrite_stored_keys', 'n') =~ /^1|y/
+                Log.warn("Public key sent from '%s' does not match the stored key. Not overwriting." % identity)
+              else
+                Log.warn("Public key sent from '%s' does not match the stored key. Overwriting." % identity)
+                File.open(File.join(publickey_dir, "#{identity}_pub.pem"), 'w') { |f| f.puts key }
+              end
+            end
+          else
+            Log.debug("Discovered a new public key for '%s'. Writing to '%s'" % [identity, publickey_dir])
+            File.open(File.join(publickey_dir, "#{identity}_pub.pem"), 'w') { |f| f.puts key }
+          end
+        else
+          raise("Cannot write public key to '%s'. Directory does not exist." % publickey_dir)
+        end
+      end
+
+      # Fetches the correct configuration option for a client or a server
+      def lookup_config_option(opt, default = nil)
+        if @initiated_by == :client
+          result = @config.pluginconf.fetch("sshkey.client.#{opt}", default)
+
+          if result && ["authorized_keys", "private_key", "send_key", "publickey_dir", "known_hosts"].include?(opt)
+            return File.expand_path(result)
+          else
+            return result
+          end
+        elsif @initiated_by == :node
+          return @config.pluginconf.fetch("sshkey.server.#{opt}", default)
+        end
+      end
+
+      # Creates a hash of the fields used to sign a message
+      # Response messages use the msg, msgtime and requestid fields.
+      # Request messages use the same fields as response, but include
+      # ttl and callerid.
+      def create_hash_fields(msg, msgtime, requestid, ttl = nil, callerid = nil)
+        map = {:msg       => msg,
+               :msgtime   => msgtime,
+               :requestid => requestid}
+
+        # Check if this is a server hash
+        return map if (ttl == nil && callerid == nil)
+
+        map[:ttl] = ttl
+        map[:callerid] = callerid
+
+        map
+      end
+
+      # Adds a key to a signer object and disables ssh-agent
+      def add_key_to_signer(signer, key)
+        signer.add_key_file(key)
+        signer.use_agent = false
+      end
+
+      # Creates a signed hash of fields using the node's private key
+      def makehash(data)
+        signer = SSH::Key::Signer.new
+
+        # Check if the client is signing its request with a predefined
+        # private key. If this is the case, disable ssh-agent.
+        if @initiated_by == :client && (private_key = lookup_config_option('private_key'))
+          unless File.exists?(private_key)
+            raise("Cannot sign request - private key not found: '%s'" % private_key)
+          else
+            add_key_to_signer(signer, private_key)
+          end
+        elsif @initiated_by == :node
+          if private_key = lookup_config_option('private_key')
+            add_key_to_signer(signer, private_key)
+          else
+            # First try and default to ssh_host_dsa_key
+            if File.exists?(private_key = '/etc/ssh/ssh_host_dsa_key')
+              add_key_to_signer(signer, private_key)
+            # If that fails, try ssh_host_rsa_key
+            elsif File.exists?(private_key = '/etc/ssh/ssh_host_rsa_key')
+              add_key_to_signer(signer, private_key)
+            else
+              raise("Cannot sign reply - private key not found: 's'" % private_key)
+            end
+          end
+        end
+
+        # Default to using ssh-agent for key signing
+        signatures = signer.sign(data).collect { |s| s.signature }
+        Marshal.dump(signatures)
+      end
+
+      #Returns the contents of a key file on disk
+      def load_key(key)
+        if File.exists?(key)
+          return File.read(key).strip
+        else
+          nil
+        end
+      end
+
+      # Looks for a specific key in a known hosts file
+      def find_key_in_known_hosts(hostname, known_hosts)
+        key = nil
+        search_for = /^#{hostname}/
+
+        if File.exists?(known_hosts)
+          File.read(known_hosts).each_line do |line|
+            fields = line.split
+            fields[0].split(',').each do |maybehost|
+              if maybehost =~ search_for
+                fields = line.split
+                key = fields[-2] << ' ' << fields[-1]
+                break
+              end
+            end
+            break unless key.nil?
+          end
+        end
+
+        unless key
+          Log.warn("Could not find a key for host '%s' in file '%s'" % [hostname, known_hosts])
+          raise SecurityValidationFailed
+        end
+
+        key
+      end
+
+      # Create a client verifier object which uses the correct public key
+      def client_verifier(senderid)
+        verifier = SSH::Key::Verifier.new(senderid)
+        verifier.use_authorized_keys = false
+
+        if publickey_dir = lookup_config_option('publickey_dir')
+          Log.debug("Using public key directory: '%s'" % publickey_dir)
+          verifier.add_public_key_data(find_shared_public_key(publickey_dir, senderid))
+
+        elsif (known_hosts = lookup_config_option('known_hosts'))
+          Log.debug("Using custom known_hosts file: '%s'" % known_hosts)
+          verifier.add_public_key_data(find_key_in_known_hosts(senderid, known_hosts))
+
+        elsif (authorized_keys = lookup_config_option('authorized_keys'))
+          Log.debug("Found custom authorized_keys file: '%s'" % authorized_keys)
+          verifier.authorized_keys_file = authorized_keys
+          verifier.use_authorized_keys = true
+
+        else
+          begin
+            user = Etc.getlogin
+            known_hosts = File.join(Etc.getpwnam(user).dir, '.ssh', 'known_hosts')
+            Log.debug("Using default known_hosts file for user '%s': ''" % [user, known_hosts])
+            verifier.add_public_key_data(find_key_in_known_hosts(senderid, "%s" % known_hosts))
+          rescue => e
+            raise("Cannot find known_hosts file for user '%s': '%s'" % [user, known_hosts])
+          end
+        end
+
+        verifier.use_agent = false
+
+        verifier
+      end
+
+      # Looks for a public key in a shared directory
+      def find_shared_public_key(dir, id)
+        unless File.directory?(dir)
+          raise("Cannot read shared public key directory: '%s'" % dir)
+        end
+
+        if File.exists?(key_file = File.join(dir, "#{id}_pub.pem"))
+          return File.read(key_file)
+        else
+          Log.warn("Cannot find public key for id '%s': '%s'" % [id, File.join(dir, "#{id}_pub.pem")])
+          raise SecurityValidationFailed
+        end
+      end
+
+      # Create a node verifier object which uses the correct public key
+      def node_verifier(callerid, registration = false, pubkey = nil)
+        user = callerid.split('=')[-1]
+        verifier = SSH::Key::Verifier.new(user)
+        verifier.use_agent = false
+
+        # Here we deal with the special case where a registration message
+        # is being validated. send_key has to be defined in the configuration.
+        # TODO : This is a stop gap measure we should remove when we fix
+        #        registration
+        if registration && pubkey
+          Log.debug("Found registration message. Using sender's public key")
+          verifier.add_public_key_data(pubkey)
+          verifier.use_authorized_keys = false
+
+        elsif registration && !pubkey
+          Log.warn("Cannot verify registration request. Server did not send its public key")
+          raise SecurityValidationFailed
+
+        elsif publickey_dir = lookup_config_option('publickey_dir')
+          if File.directory?(publickey_dir)
+            Log.debug("Found shared public key directory: '%s'" % publickey_dir)
+            verifier.add_public_key_data(find_shared_public_key(publickey_dir, user))
+            verifier.use_authorized_keys = false
+          else
+            raise("Public key directory '%s' does not exist" % publickey_dir)
+          end
+
+        elsif (authorized_keys = lookup_config_option('authorized_keys'))
+          authorized_keys = authorized_keys.sub('%u') { |c| user }
+          Log.debug("Found custom authorized_keys file: '%s'" % authorized_keys)
+          verifier.authorized_keys_file = authorized_keys
+
+        else
+          begin
+            authorized_keys = File.join(Etc.getpwnam(user).dir, '.ssh', 'authorized_keys')
+            Log.debug("No authorized_keys file or publickey_dir specified. Using '%s'" % authorized_keys)
+            verifier.authorized_keys_file = authorized_keys
+          rescue => e
+            raise("Cannot find authorized_keys file for user '%s': '%s'" % [user, authorized_keys])
+          end
+        end
+
+        verifier
+      end
+    end
+  end
+end