emissary 1.3.20 → 1.3.21

data/lib/emissary/agent/ping.rb

@@ -0,0 +1,37 @@
+#   Copyright 2010 The New York Times
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+#
+module Emissary
+  class Agent::Ping < Agent
+    def valid_methods
+      [:ping, :pong]
+    end
+    
+    def ping
+      reply = message.response
+      reply.method = :pong
+
+      ::Emissary.logger.debug "Received PING: originator: #{message.originator}"
+      ::Emissary.logger.debug "Sending PONG : originator: #{reply.originator}"
+
+      reply
+    end
+    
+    def pong
+      ::Emissary.logger.debug "Received PONG"
+      throw :skip_implicit_response
+    end
+  end
+end

data/lib/emissary/agent/proxy.rb

@@ -0,0 +1,26 @@
+#   Copyright 2010 The New York Times
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+#
+module Emissary
+  class Agent::Proxy < Agent
+    def valid_methods
+      [ :any ]
+    end
+		
+    def activate
+      throw :skip_implicit_response 
+    end
+  end
+end

data/lib/emissary/agent/rabbitmq.rb

@@ -0,0 +1,233 @@
+#   Copyright 2010 The New York Times
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+#
+require 'escape'
+
+module Emissary
+  class Agent::Rabbitmq < Agent
+    NIMBUL_VHOST    = '/nimbul'
+
+    NODE_CONFIG_ACL = '^i-[a-f0-9.]+$'
+    NODE_READ_ACL   = '^(amq.*|i-[a-f0-9.]+|request.%%ID%%.*)$'
+    NODE_WRITE_ACL  = '^(amq.*|i-[a-f0-9.]+|(startup|info|shutdown).%%ID%%.*|nimbul)$'
+    
+    QUEUE_INFO_ITEMS = %w[
+        name durable auto_delete arguments pid owner_pid
+        exclusive_consumer_pid exclusive_consumer_tag
+        messages_ready messages_unacknowledged messages_uncommitted
+        messages acks_uncommitted consumers transactions memory      
+    ]
+    
+    EXCHANGE_INFO_ITEMS = %w[
+      name type durable auto_delete arguments
+    ]
+    
+    CONNECTION_INFO_ITEMS = %w[
+        pid address port peer_address peer_port state channels user
+        vhost timeout frame_max client_properties recv_oct recv_cnt
+        send_oct send_cnt send_pend
+    ]
+    
+    CHANNEL_INFO_ITEMS = %w[
+      pid connection number user vhost transactional consumer_count
+      messages_unacknowledged acks_uncommitted prefetch_count
+    ]
+    
+    BINDINGS_INFO_COLUMNS = %w[ exchange_name queue_name routing_key arguments ]
+    CONSUMER_INFO_COLUMNS = %w[ queue_name channel_process_id consumer_tag must_acknowledge ]
+    
+    class CommandExecutionError < StandardError; end
+
+    def valid_methods
+      [
+        :add_user,
+        :delete_user,
+        :change_password,
+        :list_users,
+        
+        :add_vhost,
+        :delete_vhost,
+        :list_vhosts,
+        
+        :add_node_account,
+        :del_node_account,
+        
+        :list_user_vhosts,
+        :list_vhost_users,
+        
+        :list_queues,
+        :list_bindings,
+        :list_exchanges,
+        :list_connections,
+        :list_channels,
+        :list_consumers
+      ]
+    end
+  
+    def list_queues(vhost)
+      vhost = vhost.empty? ? '/' : vhost
+      rabbitmqctl(:list_queues, '-p', vhost, QUEUE_INFO_ITEMS.join(" ")).collect do |line|
+        Hash[*QUEUE_INFO_ITEMS.zip(line.split(/\s+/)).flatten]
+      end
+    end
+    
+    def list_bindings(vhost)
+      vhost = vhost.empty? ? '/' : vhost
+      rabbitmqctl(:list_bindings, '-p', vhost).collect do |line|
+        Hash[*BINDINGS_INFO_COLUMNS.zip(line.split(/\s+/)).flatten]
+      end
+    end
+
+    def list_exchanges(vhost)
+      vhost = vhost.empty? ? '/' : vhost
+      rabbitmqctl(:list_exchanges, '-p', vhost, EXCHANGE_INFO_ITEMS.join(" ")).collect do |line|
+        Hash[*EXCHANGE_INFO_ITEMS.zip(line.split(/\s+/)).flatten]
+      end
+    end
+      
+    def list_connections
+      rabbitmqctl(:list_connections, CONNECTION_INFO_ITEMS.join(" ")).collect do |line|
+        Hash[*CONNECTION_INFO_ITEMS.zip(line.split(/\s+/)).flatten]
+      end
+    end
+      
+    def list_channels
+      rabbitmqctl(:list_channels, CHANNEL_INFO_ITEMS.join(" ")).collect do |line|
+        Hash[*CHANNEL_INFO_ITEMS.zip(line.split(/\s+/)).flatten]
+      end
+    end
+    
+    def list_consumers(vhost)
+      vhost = vhost.empty? ? '/' : vhost
+      rabbitmqctl(:list_consumers, '-p', vhost).collect do |line|
+        Hash[*CONSUMER_INFO_COLUMNS.zip(line.split(/\s+/)).flatten]
+      end
+    end
+
+    def list_users
+      rabbitmqctl(:list_users)
+    end
+    
+    def list_vhosts
+      rabbitmqctl(:list_vhosts)
+    end
+    
+    def list_vhost_users(vhost)
+      vhost = vhost.empty? ? '/' : vhost
+      rabbitmqctl(:list_permissions, '-p', vhost).flatten.select { |l|
+        !l.nil?
+      }.collect {
+        |l| l.split(/\s+/)[0]
+      }
+    end
+    
+    def list_user_vhosts(user)
+      list_vhosts.select { |vhost| list_vhost_users(vhost).include? user }
+    end
+
+    def set_vhost_permissions(user, vhost, config, write, read)
+      vhost = vhost.empty? ? '/' : vhost
+      rabbitmqctl(:set_permissions, '-p', vhost, user, config, write, read)
+    end
+    
+    def del_vhost_permissions(user, vhost)
+      vhost = vhost.empty? ? '/' : vhost
+      rabbitmqctl(:clear_permissions, '-p', vhost, user)
+    end
+
+    def add_node_account_acl(user, namespace_id)
+      config_acl = NODE_CONFIG_ACL.gsub('%%ID%%', namespace_id.to_s)
+      write_acl  = NODE_WRITE_ACL.gsub('%%ID%%', namespace_id.to_s)
+      read_acl   = NODE_READ_ACL.gsub('%%ID%%', namespace_id.to_s)
+      
+      begin      
+        set_vhost_permissions(user, NIMBUL_VHOST, config_acl, write_acl, read_acl)
+      rescue CommandExecutionError => e
+        "problem adding account acls for user: #{user}: #{e.message}"
+      else
+        "successfully added account acls for user: #{user}"
+      end
+    end
+
+    def add_node_account(user, password, namespace_id)
+      begin
+        add_user(user, password)
+        add_node_account_acl(user, namespace_id.to_s)
+      rescue CommandExecutionError => e
+        "failed to add new node account: #{user}:#{namespace_id.to_s}"
+      end
+    end
+    
+    def del_node_account_acl(user, vhost)
+      begin
+        del_vhost_permissions(user, vhost)
+      rescue CommandExecutionError => e
+        "problem unmapping user from vhost: #{user}:#{vhost} #{e.message}"
+      else
+        "successfully unmapped user from vhost: #{user}:#{vhost}"
+      end
+    end
+  
+    def add_vhost(path)
+      begin
+        !!rabbitmqctl(:add_vhost, path)
+      rescue CommandExecutionError => e
+        raise e unless e.message.include? 'vhost_already_exists'
+      end
+    end
+    
+    def add_user(user, pass)
+      begin
+        !!rabbitmqctl(:add_user, user, pass)
+      rescue CommandExecutionError => e
+        raise e unless e.message.include? 'user_already_exists'
+      end
+    end
+    
+    def change_password(user, pass)
+      begin
+        !!rabbitmqctl(:change_password, user, pass)
+      rescue CommandExecutionError => e
+        return false if e.message.include? 'no_such_user'
+        raise e 
+      end
+    end
+    
+    def delete_user(user)
+      begin
+        !!rabbitmqctl(:delete_user, user)
+      rescue CommandExecutionError => e
+        raise e unless e.message.include? 'no_such_user'
+      end
+    end
+    
+    def delete_vhost(path)
+      begin
+        !!rabbitmqctl(:delete_vhost, path)
+      rescue CommandExecutionError => e
+        raise e unless e.message.include? 'no_such_vhost'
+      end
+    end
+
+    def rabbitmqctl(*args)
+      result = []
+      `rabbitmqctl #{Escape.shell_command([*args.collect{|a| a.to_s}])} 2>&1`.each do |line|
+        raise CommandExecutionError, $1 if line =~ /Error: (.*)/
+        result << line.chomp unless line =~ /\.\.\./
+      end
+      result
+    end
+  end
+end

data/lib/emissary/agent/sshkeys.rb

@@ -0,0 +1,152 @@
+#   Copyright 2010 The New York Times
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+#
+require 'digest/md5'
+require 'base64'
+require 'etc'
+
+module Emissary
+  class Agent::Sshkeys < Agent
+    AUTH_KEY_FILE = '.ssh/authorized_keys'
+
+    attr_reader :user
+    
+    def valid_methods
+      [ :add, :delete, :update ]
+    end
+    
+    def post_init
+      begin
+        @user = Etc.getpwnam(args.shift)
+      rescue ArgumentError => e
+        if e.message =~ /can't find user/
+          raise "User '#{args.first}' does not exist on this system"
+        else
+          raise "Unhandled error attempting to retrieve data on user [#{args.first}]: #{e.message}"
+        end
+      end
+    end
+    
+    def add pubkey
+      raise "Missing 'key_uri' argument - can't download key!" if pubkey.nil?
+
+      pubkey_name = Digest::MD5.hexdigest(pubkey.split(/\s+/).join(' ').chomp)
+
+      begin
+        keys = get_keys(user)
+        if not keys.has_key?(pubkey_name)
+          keys[pubkey_name] = pubkey
+          write_keys(user, keys)
+          result = "Successfully added key [#{pubkey_name}] to user [#{user.name}]"
+        else
+          result = "Could not add key [#{pubkey_name}] to user [#{user.name}] - key already exists!"
+        end
+      rescue Exception => e
+        raise Exception, 'Possibly unable to add user key - error was: ' + e.message, caller
+      end
+
+      return result
+    end
+    
+    def delete pubkey
+      return 'No authorized_keys file - nothing changed' if not File.exists?(File.join(user.dir, AUTH_KEY_FILE))
+  
+      keyname = Digest::MD5.hexdigest(pubkey)
+      begin
+        keys = get_keys(user)
+        if keys.has_key?(keyname)
+          keys.delete(keyname)
+          write_keys(user, keys)
+          result = "Successfully removed key [#{keyname}] from user [#{user.name}]"
+        else
+          result = "Could not remove key [#{keyname}] from user [#{user.name}] - key not there!"
+        end
+      rescue Exception => e
+        raise "Possibly unable to remove key #{keyname} for user #{user.name} - error was: #{e.message}"
+      end
+  
+      return result
+    end
+
+    def update oldkey, newkey
+      return 'Not implemented'
+    end
+    
+    private
+    
+    def write_keys(user, keys)
+      auth_file_do(user, 'w') do |fp|
+        fp << keys.values.join("\n")
+      end
+    end
+  
+    def get_keys(user)
+      ::Emissary.logger.debug "retreiving ssh keys from file #{File.join(user.dir, AUTH_KEY_FILE)}"
+  
+      keys = {}
+      auth_file_do(user, 'r') do |fp|
+        fp.readlines.each do |line|
+          keys[Digest::MD5.hexdigest(line.chomp)] = line.chomp
+        end
+      end
+  
+      return keys
+    end
+  
+    def auth_file_setup(user)
+      user_auth_file = File.join(user.dir, AUTH_KEY_FILE)
+      user_ssh_dir   = File.dirname(user_auth_file)
+  
+      begin
+        if not File.directory?(user_ssh_dir)
+          Dir.mkdir(user_ssh_dir)
+          File.open(user_ssh_dir) do |f|
+            f.chown(user.uid, user.gid)
+            f.chmod(0700)
+          end
+        end
+        if not File.exists?(user_auth_file)
+          File.open(user_auth_file, 'a') do |f|
+            f.chown(user.uid, user.gid)
+            f.chmod(0600)
+          end
+        end
+      rescue Exception => e
+        raise "Error creating #{user_auth_file} -- #{e.message}"
+      end
+  
+      return user_auth_file
+    end
+  
+    def auth_file_do(user, mode = 'r', &block)
+      begin
+        auth_file = auth_file_setup(user)
+        File.open(auth_file, mode) do |f|
+          f.flock File::LOCK_EX
+          yield(f)
+          f.flock File::LOCK_UN
+        end
+      rescue Exception => e
+        case mode
+          when 'r': mode = 'reading from'
+          when 'a': mode = 'appending to'
+          when 'w': mode = 'writing to'
+          else mode = "unknown operation #{mode} for File.open() on "
+        end
+        raise "Error #{mode} file '#{auth_file}' --  #{e.message}"
+      end
+    end
+  end
+end