epas 0.2.0

data/.document

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/Gemfile

@@ -0,0 +1,23 @@
+source "http://rubygems.org"
+# Add dependencies required to use your gem here.
+# Example:
+#   gem "activesupport", ">= 2.3.5"
+
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+
+gem "aws"
+gem "i18n"
+gem "activesupport"
+
+group :development do
+  gem "bundler", "~> 1.0.0"
+  gem "jeweler", "~> 1.6.0"
+  gem "rcov", ">= 0"
+  gem "reek", "~> 1.2.8"
+  gem "roodi", "~> 2.1.0"
+end
+
+group :test do
+  gem "mocha"
+end

data/Gemfile.lock

@@ -0,0 +1,46 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    activesupport (3.0.7)
+    aws (2.5.3)
+      http_connection
+      uuidtools
+      xml-simple
+    git (1.2.5)
+    http_connection (1.4.1)
+    i18n (0.6.0)
+    jeweler (1.6.2)
+      bundler (~> 1.0)
+      git (>= 1.2.5)
+      rake
+    mocha (0.9.12)
+    rake (0.9.2)
+    rcov (0.9.9)
+    reek (1.2.8)
+      ruby2ruby (~> 1.2)
+      ruby_parser (~> 2.0)
+      sexp_processor (~> 3.0)
+    roodi (2.1.0)
+      ruby_parser
+    ruby2ruby (1.2.5)
+      ruby_parser (~> 2.0)
+      sexp_processor (~> 3.0)
+    ruby_parser (2.0.6)
+      sexp_processor (~> 3.0)
+    sexp_processor (3.0.5)
+    uuidtools (2.1.2)
+    xml-simple (1.0.16)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activesupport
+  aws
+  bundler (~> 1.0.0)
+  i18n
+  jeweler (~> 1.6.0)
+  mocha
+  rcov
+  reek (~> 1.2.8)
+  roodi (~> 2.1.0)

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2011 Ramon Salvadó
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,55 @@
+= epas
+
+The <b>epas<b> acronym stands for EC2 Puppet Auto Signer.
+
+This gem provides a simple script to autosign ec2 instances into puppet. This way you can launch new instances in ec2 and avoid having to sign them manually.
+
+First it checks to see if there is any pending sign request, if there is it makes a query to AWS to obtain the instance_id of all machines. If any of this ids matches with the hostname of the request it signs it.
+
+For example if we launch a new ec2 server whose instance id is i-12345 and we insert this id into the hostname (using user-data for example), and this server makes a request to our puppet master, this script will autosign the request.
+
+    # user-data script example
+    # Helper functions
+    die() { status=$1; shift; echo "FATAL: $*"; exit $status; }
+    instance_id="`wget -q -O - http://169.254.169.254/latest/meta-data/instance-id || die \"wget instance-id has failed: $?\"`"
+    # 1) Proper hostname setup (to be used by puppet)
+    hostname="${instance_id}"
+    echo $hostname > /proc/sys/kernel/hostname
+    sed -i "s|localhost.localdomain|$hostname|g" /etc/sysconfig/network
+    sed -i "s|localhost.localdomain|localhost.localdomain $hostname|g" /etc/hosts
+    service puppet start
+
+It expects to be run in a puppet-master server in a cron job or similar.
+
+By default it reads aws credentials from "~/.awssecret" which should be a file with the aws id and the aws secret in separate lines.
+
+Example contents of "~/.awssecret":
+
+    1D43DD69O8EJGS3X2WR2
+    zDWZH14jYZU0KBn09dCTHRQUJFAvpPz155o23Qu7
+
+You can also pass another file as an argument:
+
+    # Example cron job 1.
+    * * * * * ec2-puppet-autosigner /path/to/aws_credentials
+
+By defaults it checks all avaliable regions, but you can also pass the regions you want to check as parameters:
+
+   # Example cron job 2.
+   * * * * * ec2-puppet-autosigner /path/to/aws_credentials eu-west-1 us-east-1
+
+== Contributing to epas
+
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
+* Fork the project
+* Start a feature/bugfix branch
+* Commit and push until you are happy with your contribution
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+== Copyright
+
+Copyright (c) 2011 Ramon Salvadó. See LICENSE.txt for
+further details.
+

data/Rakefile

@@ -0,0 +1,67 @@
+# encoding: utf-8
+
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+  gem.name = "epas"
+  gem.homepage = "http://github.com/rsalvado/epas"
+  gem.license = "MIT"
+  gem.summary = %Q{Script to autosign ec2 instances into puppet.}
+  gem.description = %Q{To be run in a cron script or a daemon. Autosigns ec2 instances based on hostname and instance_id, it expects instance_id as part of the ec2 instance hostname.}
+  gem.email = "rsalvado@gnuine.com"
+  gem.authors = ["Ramon Salvadó"]
+  gem.executables = ["ec2-puppet-autosigner"]
+  # dependencies defined in Gemfile
+end
+Jeweler::RubygemsDotOrgTasks.new
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+require 'rcov/rcovtask'
+Rcov::RcovTask.new do |test|
+  test.libs << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+  test.rcov_opts << '--exclude "gems/*"'
+end
+
+require 'reek/rake/task'
+Reek::Rake::Task.new do |t|
+  t.fail_on_error = true
+  t.verbose = false
+  t.source_files = 'lib/**/*.rb'
+end
+
+require 'roodi'
+require 'roodi_task'
+RoodiTask.new do |t|
+  t.verbose = false
+end
+
+task :default => :test
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "epas #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.2.0

data/bin/ec2-puppet-autosigner

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+begin
+  require 'epas'
+rescue LoadError
+  require 'rubygems'
+  require 'epas'
+end
+
+credentials_file = ARGV[0] || "~/.awssecret"
+ec2_regions = ARGV.drop(1)
+
+# TODO: Add proper command line arguments handling
+Epas::AutoSigner.new(credentials_file, ec2_regions)

data/epas.gemspec

@@ -0,0 +1,74 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{epas}
+  s.version = "0.2.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Ramon Salvad\303\263"]
+  s.date = %q{2011-06-07}
+  s.default_executable = %q{ec2-puppet-autosigner}
+  s.description = %q{To be run in a cron script or a daemon. Autosigns ec2 instances based on hostname and instance_id, it expects instance_id as part of the ec2 instance hostname.}
+  s.email = %q{rsalvado@gnuine.com}
+  s.executables = ["ec2-puppet-autosigner"]
+  s.extra_rdoc_files = [
+    "LICENSE.txt",
+    "README.rdoc"
+  ]
+  s.files = [
+    ".document",
+    "Gemfile",
+    "Gemfile.lock",
+    "LICENSE.txt",
+    "README.rdoc",
+    "Rakefile",
+    "VERSION",
+    "bin/ec2-puppet-autosigner",
+    "epas.gemspec",
+    "lib/epas.rb",
+    "test/epas/test_auto_signer.rb",
+    "test/helper.rb"
+  ]
+  s.homepage = %q{http://github.com/rsalvado/epas}
+  s.licenses = ["MIT"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.6.2}
+  s.summary = %q{Script to autosign ec2 instances into puppet.}
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<aws>, [">= 0"])
+      s.add_runtime_dependency(%q<i18n>, [">= 0"])
+      s.add_runtime_dependency(%q<activesupport>, [">= 0"])
+      s.add_development_dependency(%q<bundler>, ["~> 1.0.0"])
+      s.add_development_dependency(%q<jeweler>, ["~> 1.6.0"])
+      s.add_development_dependency(%q<rcov>, [">= 0"])
+      s.add_development_dependency(%q<reek>, ["~> 1.2.8"])
+      s.add_development_dependency(%q<roodi>, ["~> 2.1.0"])
+    else
+      s.add_dependency(%q<aws>, [">= 0"])
+      s.add_dependency(%q<i18n>, [">= 0"])
+      s.add_dependency(%q<activesupport>, [">= 0"])
+      s.add_dependency(%q<bundler>, ["~> 1.0.0"])
+      s.add_dependency(%q<jeweler>, ["~> 1.6.0"])
+      s.add_dependency(%q<rcov>, [">= 0"])
+      s.add_dependency(%q<reek>, ["~> 1.2.8"])
+      s.add_dependency(%q<roodi>, ["~> 2.1.0"])
+    end
+  else
+    s.add_dependency(%q<aws>, [">= 0"])
+    s.add_dependency(%q<i18n>, [">= 0"])
+    s.add_dependency(%q<activesupport>, [">= 0"])
+    s.add_dependency(%q<bundler>, ["~> 1.0.0"])
+    s.add_dependency(%q<jeweler>, ["~> 1.6.0"])
+    s.add_dependency(%q<rcov>, [">= 0"])
+    s.add_dependency(%q<reek>, ["~> 1.2.8"])
+    s.add_dependency(%q<roodi>, ["~> 2.1.0"])
+  end
+end
+

data/lib/epas.rb

@@ -0,0 +1,78 @@
+require 'active_support/core_ext/object/blank'
+require 'active_support/core_ext/kernel/reporting'
+
+module Epas
+
+  class UnavailableEC2Credentials < StandardError; end
+  class UnavailablePuppet < StandardError; end
+
+  class AutoSigner
+
+    # Creates a new auto_signer object tied to the specific ec2 account and regions provided.
+    #
+    # ==== Attributes
+    #
+    # * +file+ - Path to a file containing only the EC2 id and secret access_keys in the two first lines and in this order. Defaults to "~/.awssecret".
+    # * +regions+ - Array containing all EC2 regions to check, defaults to all available.
+    #
+    # ==== Examples
+    #
+    #    Epas::Autosigner.new
+    #    Epas::AutoSigner.new myfile, [ 'eu-west-1', 'eu-east-1']
+    def initialize(file = "~/.awssecret", regions = nil)
+      raise UnavailablePuppet unless command?('puppet') && command?('puppetca')
+      @aws_id, @aws_key        = read_aws_credentials(file)
+      @regions                 = regions || get_all_ec2_regions
+      @awaiting_sign_instances = get_awaiting_sign_instances
+    end
+
+    # Signs all pending requests in puppet initiated by ec2 machines.
+    def sign_ec2_instance_requests!
+      # TODO: Add logging to syslog
+      unless @awaiting_sign_instances.blank?
+        get_all_ec2_instances_ids.each do |instance_id|
+          @awaiting_sign_instances.each do |hostname|
+            sign_instance(hostname) if hostname.match /#{instance_id}/
+          end
+        end
+      end
+    end
+
+    private
+
+    def read_aws_credentials(file)
+      file = File.expand_path(file)
+      raise UnavailableEC2Credentials unless File.exists?(file)
+      id, key = File.read(file).split("\n")
+      raise UnavailableEC2Credentials if id.blank? || key.blank?
+      [id, key]
+    end
+
+    def sign_instance(hostname)
+      `puppet cert --sign #{hostname}`
+    end
+
+    def get_awaiting_sign_instances
+      `puppetca --list`.split("\n")
+    end
+
+    def get_all_ec2_regions
+      %w(eu-west-1 us-east-1 ap-northeast-1 us-west-1 ap-southeast-1)
+    end
+
+    def get_all_ec2_instances_ids
+      instances = @regions.map do |region|
+       silence_stream STDOUT do
+          Aws::Ec2.new(@aws_id, @aws_key, :region => region).describe_instances
+        end
+      end.flatten
+      ids = instances.map { |i| i[:aws_instance_id] }
+    end
+
+    def command?(command)
+      system("which #{command} > /dev/null 2>&1")
+    end
+
+  end
+
+end

data/test/epas/test_auto_signer.rb

@@ -0,0 +1,63 @@
+require 'helper'
+require 'tempfile'
+require 'aws'
+
+class TestAutoSigner < Test::Unit::TestCase
+
+  def setup
+    @awaiting_sign_instances = %w( appserver.i-qwerty.example.com dbserver.i-uiop.com ).join("\n")
+    @eu_instances = [ { :aws_instance_id => 'i-qwerty' } ]
+    @us_instances = [ { :aws_instance_id => 'i-uiop' } ]
+    @regions = %w(eu-west-1 us-east-1)
+    @instances_by_region = {
+      @regions[0] => @eu_instances,
+      @regions[1] => @us_instances
+    }
+    @aws_id = 'myid'
+    @aws_key = 'mykey'
+    @credentials_file = Tempfile.new('credentials')
+    @credentials_file.write "#{@aws_id}\n#{@aws_key}"
+    @credentials_file.close
+    Epas::AutoSigner.any_instance.expects(:system).with("which puppet > /dev/null 2>&1").returns(true)
+    Epas::AutoSigner.any_instance.expects(:system).with("which puppetca > /dev/null 2>&1").returns(true)
+  end
+
+  def test_should_raise_exception_when_ec2_credentials_unavailable
+    assert_raise Epas::UnavailableEC2Credentials do
+      unexistant_file = '1232wqewqdscdslkdsakdowqowqoewqoewqieoiwqoewq'
+      Epas::AutoSigner.new(unexistant_file)
+    end
+  end
+
+  def test_should_raise_exception_when_null_credentials
+    file = Tempfile.open('credentials')
+    assert_raise Epas::UnavailableEC2Credentials do
+      Epas::AutoSigner.new(file.path)
+    end
+  end
+
+  def test_should_raise_exception_when_invalid_credentials
+    Epas::AutoSigner.any_instance.expects(:`).with('puppetca --list').returns(@awaiting_sign_instances)
+    assert_raise Aws::AwsError do
+      as = Epas::AutoSigner.new(@credentials_file.path)
+      as.sign_ec2_instance_requests!
+    end
+  end
+
+  def test_should_sign_our_ec2_instances_certificate_requests
+
+    @instances_by_region.each do |region, instances|
+      ::Aws::Ec2.expects(:new).with(@aws_id, @aws_key, :region => region).returns(stub(:describe_instances => instances))
+    end
+
+    Epas::AutoSigner.any_instance.expects(:`).with('puppetca --list').returns(@awaiting_sign_instances)
+
+    Epas::AutoSigner.any_instance.expects(:`).with("puppet cert --sign appserver.i-qwerty.example.com").once
+    Epas::AutoSigner.any_instance.expects(:`).with("puppet cert --sign dbserver.i-uiop.com").once
+
+    autosigner = Epas::AutoSigner.new(@credentials_file.path, @regions)
+    autosigner.sign_ec2_instance_requests!
+
+  end
+
+end

data/test/helper.rb

@@ -0,0 +1,18 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+require 'mocha'
+
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+require 'epas'
+
+class Test::Unit::TestCase
+end

metadata

@@ -0,0 +1,198 @@
+--- !ruby/object:Gem::Specification 
+name: epas
+version: !ruby/object:Gem::Version 
+  hash: 23
+  prerelease: 
+  segments: 
+  - 0
+  - 2
+  - 0
+  version: 0.2.0
+platform: ruby
+authors: 
+- "Ramon Salvad\xC3\xB3"
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-06-07 00:00:00 +02:00
+default_executable: ec2-puppet-autosigner
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  type: :runtime
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  name: aws
+  version_requirements: *id001
+  prerelease: false
+- !ruby/object:Gem::Dependency 
+  type: :runtime
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  name: i18n
+  version_requirements: *id002
+  prerelease: false
+- !ruby/object:Gem::Dependency 
+  type: :runtime
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  name: activesupport
+  version_requirements: *id003
+  prerelease: false
+- !ruby/object:Gem::Dependency 
+  type: :development
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 23
+        segments: 
+        - 1
+        - 0
+        - 0
+        version: 1.0.0
+  name: bundler
+  version_requirements: *id004
+  prerelease: false
+- !ruby/object:Gem::Dependency 
+  type: :development
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 15
+        segments: 
+        - 1
+        - 6
+        - 0
+        version: 1.6.0
+  name: jeweler
+  version_requirements: *id005
+  prerelease: false
+- !ruby/object:Gem::Dependency 
+  type: :development
+  requirement: &id006 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  name: rcov
+  version_requirements: *id006
+  prerelease: false
+- !ruby/object:Gem::Dependency 
+  type: :development
+  requirement: &id007 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 15
+        segments: 
+        - 1
+        - 2
+        - 8
+        version: 1.2.8
+  name: reek
+  version_requirements: *id007
+  prerelease: false
+- !ruby/object:Gem::Dependency 
+  type: :development
+  requirement: &id008 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 11
+        segments: 
+        - 2
+        - 1
+        - 0
+        version: 2.1.0
+  name: roodi
+  version_requirements: *id008
+  prerelease: false
+description: To be run in a cron script or a daemon. Autosigns ec2 instances based on hostname and instance_id, it expects instance_id as part of the ec2 instance hostname.
+email: rsalvado@gnuine.com
+executables: 
+- ec2-puppet-autosigner
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE.txt
+- README.rdoc
+files: 
+- .document
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.rdoc
+- Rakefile
+- VERSION
+- bin/ec2-puppet-autosigner
+- epas.gemspec
+- lib/epas.rb
+- test/epas/test_auto_signer.rb
+- test/helper.rb
+has_rdoc: true
+homepage: http://github.com/rsalvado/epas
+licenses: 
+- MIT
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.6.2
+signing_key: 
+specification_version: 3
+summary: Script to autosign ec2 instances into puppet.
+test_files: []
+