front_end_builds 0.0.26 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 454309571c8187f9172c22223e66b72ba3f4a1dd
-  data.tar.gz: 0b379fc6a91e2ea5df974b19497880005621109a
+  metadata.gz: b76de17ea5a85d7b6e1c9ca8d26e7a0b55d16399
+  data.tar.gz: 1e0730650a1db2545efd83710b9d6471dfab7786
 SHA512:
-  metadata.gz: b689b859ed5d190458ffd33bd46de053187288404c510297479e7cc06d5a7d4922f321b9b76e4c7022a9cbb3e3e73eb6b4930c1c7f6c18a506c3cd40918abe13
-  data.tar.gz: 8374c3856062d4eac9f6452e361aa13dd549e93b9d72e1e937da9414c0de82704feb0e02308b93733e2a0f8969ba9478ccc9757b777526ce844d88ea0dd5959c
+  metadata.gz: 9068e3c19df8ade4559bec36fd41bdc0d0543c567773142ed9ead4561dfab6c08bd6379110294c84e6294cace0f45921a0b7176ba2779253cd6388966691576f
+  data.tar.gz: e51b645290dd483bd68c2d65291056fa093c7e9188e451b96aa868773d8493330327f31e9a643e28d32679c0868c32a4cc5f1a76067e84f12af7ca69ad702700

data/app/controllers/front_end_builds/application_controller.rb

@@ -17,5 +17,9 @@ module FrontEndBuilds
       end
     end
 
+    def error!(errors, status = :unprocessable_entity)
+      respond_with_json({ errors: errors }, status: status)
+    end
+
   end
 end

data/app/controllers/front_end_builds/apps_controller.rb

@@ -25,7 +25,7 @@ module FrontEndBuilds
     def create
       @app = FrontEndBuilds::App.new( use_params(:app_create_params) )
 
-      if @app.save!
+      if @app.save
         respond_with_json(
           { app: @app.serialize },
           location: nil

data/app/controllers/front_end_builds/builds_controller.rb

@@ -2,7 +2,7 @@ require_dependency "front_end_builds/application_controller"
 
 module FrontEndBuilds
   class BuildsController < ApplicationController
-    before_filter :set_app!, only: :create
+    before_filter :set_app!, only: [:create]
 
     def index
       builds = FrontEndBuilds::Build.where(app_id: params[:app_id])
@@ -14,12 +14,13 @@ module FrontEndBuilds
     def create
       build = @app.builds.new(use_params(:build_create_params))
 
-      if build.save
-        build.fetch!
-        build.activate! if build.automatic_activation? and build.master?
+      if build.verify && build.save
+        build.setup!
         head :ok
 
       else
+        build.errors[:base] << 'No access - invalid SSH key' if !build.verify
+
         render(
           text: 'Could not create the build: ' + build.errors.full_messages.to_s,
           status: :unprocessable_entity
@@ -37,38 +38,37 @@ module FrontEndBuilds
     private
 
     def set_app!
-      @app = find_app
+      @app = FrontEndBuilds::App
+        .where(name: params[:app_name])
+        .limit(1)
+        .first
+
       if @app.nil?
         render(
-          text: 'That app name/API combination was not found.',
+          text: "No app named #{params[:app_name]}.",
           status: :unprocessable_entity
         )
+
+        return false
       end
     end
 
-    def build_create_params_rails_3
-      params.slice(
+    def _create_params
+      [
         :branch,
         :sha,
         :job,
-        :endpoint
-      )
+        :endpoint,
+        :signature
+      ]
     end
 
-    def build_create_params_rails_4
-      params.permit(
-        :branch,
-        :sha,
-        :job,
-        :endpoint
-      )
+    def build_create_params_rails_3
+      params.slice(*_create_params)
     end
 
-    def find_app
-      FrontEndBuilds::App.where(
-        name: params[:app_name],
-        api_key: params[:api_key]
-      ).limit(1).first
+    def build_create_params_rails_4
+      params.permit(*_create_params)
     end
   end
 end

data/app/controllers/front_end_builds/pubkeys_controller.rb

@@ -0,0 +1,50 @@
+require_dependency "front_end_builds/application_controller"
+
+module FrontEndBuilds
+  class PubkeysController < ApplicationController
+    def index
+      keys = FrontEndBuilds::Pubkey.order(:name)
+      respond_with_json(pubkeys: keys.map(&:serialize))
+    end
+
+    def create
+      pubkey = FrontEndBuilds::Pubkey
+        .new( use_params(:pubkey_create_params) )
+
+      if pubkey.save
+        respond_with_json(
+          { pubkey: pubkey.serialize },
+          location: nil
+        )
+      else
+        error!(pubkey.errors)
+      end
+    end
+
+    def destroy
+      pubkey = FrontEndBuilds::Pubkey.find(params[:id])
+
+      if pubkey.destroy
+        respond_with_json(
+          { pubkey: { id: pubkey.id } },
+          location: nil
+        )
+      else
+        error!(pubkey.errors)
+      end
+    end
+
+    private
+
+    def pubkey_create_params_rails_3
+      params[:pubkey].slice(:name, :pubkey)
+    end
+
+    def pubkey_create_params_rails_4
+      params.require(:pubkey).permit(
+        :name,
+        :pubkey
+      )
+    end
+  end
+end

data/app/models/front_end_builds/app.rb

@@ -22,9 +22,6 @@ module FrontEndBuilds
     end
 
     validates :name, presence: true
-    validates :api_key, presence: true
-
-    before_validation :ensure_api_key!
 
     def self.register_url(name, url)
       @_url ||= {}
@@ -40,15 +37,10 @@ module FrontEndBuilds
       self.class.get_url(name)
     end
 
-    def ensure_api_key!
-      self.api_key = SecureRandom.uuid if api_key.blank?
-    end
-
     def serialize
       {
         id: id,
         name: name,
-        api_key: api_key,
         build_ids: recent_builds.map(&:id),
         live_build_id: (live_build ? live_build.id : nil),
         location: get_url,

data/app/models/front_end_builds/build.rb

@@ -5,15 +5,18 @@ module FrontEndBuilds
     if defined?(ProtectedAttributes) || ::ActiveRecord::VERSION::MAJOR < 4
       attr_accessible :branch,
                       :sha,
-                      :endpoint
+                      :endpoint,
+                      :signature
     end
 
     belongs_to :app, class_name: "FrontEndBuilds::App"
+    belongs_to :pubkey, class_name: "FrontEndBuilds::Pubkey"
 
     validates :app, presence: true
     validates :sha, presence: true
     validates :branch, presence: true
     validates :endpoint, presence: true
+    validates :signature, presence: true
 
     scope :recent, -> { limit(10).order('created_at desc') }
 
@@ -62,6 +65,29 @@ module FrontEndBuilds
         .first
     end
 
+    # Public: Is the signature is valid for the build.
+    #
+    # Returns boolean.
+    def verify
+      !!matching_pubkey
+    end
+
+    # Public: Find the pubkey that can verify the builds
+    # signature.
+    def matching_pubkey
+      Pubkey.all
+        .detect { |key| key.verify(self) }
+        .tap { |key| self.pubkey = key }
+    end
+
+    def setup!
+      fetch!
+
+      if automatic_activation? && master?
+        activate!
+      end
+    end
+
     def live?
       self == app.live_build
     end

data/app/models/front_end_builds/pubkey.rb

@@ -0,0 +1,74 @@
+require 'front_end_builds/utils/ssh_pubkey_convert'
+require 'base64'
+require 'openssl'
+
+module FrontEndBuilds
+  class Pubkey < ActiveRecord::Base
+    if defined?(ProtectedAttributes) || ::ActiveRecord::VERSION::MAJOR < 4
+      attr_accessible :name,
+                      :pubkey
+    end
+
+    validates :name, presence: true
+    validates :pubkey, presence: true
+
+    has_many :builds, class_name: "FrontEndBuilds::Build"
+
+    def fingerprint
+      content = pubkey.split(/\s/)[1]
+
+      if content
+        Digest::MD5.hexdigest(Base64.decode64(content))
+          .scan(/.{1,2}/)
+          .join(":")
+      else
+        'Unknown'
+      end
+    end
+
+    def ssh_pubkey?
+      (type, b64, _) = pubkey.split(/\s/)
+      %w{ssh-rsa ssh-dss}.include?(type) && b64.present?
+    end
+
+    # Public: In order to verify a signature we need the key to be an OpenSSL
+    # RSA PKey and not a string that you would find in an ssh pubkey key. Most
+    # people are going to be adding ssh public keys to their build system, this
+    # method will covert them to OpenSSL RSA if needed.
+    def to_rsa_pkey
+      FrontEndBuilds::Utils::SSHPubKeyConvert
+        .convert(pubkey)
+    end
+
+    # Public: Will verify that the sigurate has access to deploy the build
+    # object. The signature includes the endpoint and app name.
+    #
+    # Returns boolean
+    def verify(build)
+      # TODO might as well cache this and store in the db so we dont have to
+      # convert every time
+      pkey = to_rsa_pkey
+      signature = Base64.decode64(build.signature)
+      digest = OpenSSL::Digest::SHA256.new
+      expected = "#{build.app.name}-#{build.endpoint}"
+
+      pkey.verify(digest, signature, expected)
+    end
+
+    def last_build
+      builds
+        .order('created_at desc')
+        .limit(1)
+        .first
+    end
+
+    def serialize
+      {
+        id: id,
+        name: name,
+        fingerprint: fingerprint,
+        lastUsedAt: last_build.try(:created_at)
+      }
+    end
+  end
+end

data/app/views/front_end_builds/admin/index.html.erb

@@ -8,7 +8,7 @@
     <meta name="viewport" content="width=device-width, initial-scale=1">
 
     <base href="/BASEURL/" />
-<meta name="admin/config/environment" content="%7B%22modulePrefix%22%3A%22admin%22%2C%22environment%22%3A%22production%22%2C%22baseURL%22%3A%22BASEURL%22%2C%22locationType%22%3A%22auto%22%2C%22usePodsByDefault%22%3Atrue%2C%22podModulePrefix%22%3A%22admin/pods%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%7D%2C%22APP%22%3A%7B%7D%2C%22usePretender%22%3Afalse%2C%22contentSecurityPolicyHeader%22%3A%22Content-Security-Policy-Report-Only%22%2C%22contentSecurityPolicy%22%3A%7B%22default-src%22%3A%22%27none%27%22%2C%22script-src%22%3A%22%27self%27%22%2C%22font-src%22%3A%22%27self%27%22%2C%22connect-src%22%3A%22%27self%27%22%2C%22img-src%22%3A%22%27self%27%22%2C%22style-src%22%3A%22%27self%27%22%2C%22media-src%22%3A%22%27self%27%22%7D%2C%22exportApplicationGlobal%22%3Afalse%7D" />
+<meta name="admin/config/environment" content="%7B%22modulePrefix%22%3A%22admin%22%2C%22environment%22%3A%22production%22%2C%22baseURL%22%3A%22BASEURL%22%2C%22locationType%22%3A%22auto%22%2C%22usePodsByDefault%22%3Atrue%2C%22podModulePrefix%22%3A%22admin/pods%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%7D%2C%22APP%22%3A%7B%7D%2C%22contentSecurityPolicyHeader%22%3A%22Content-Security-Policy-Report-Only%22%2C%22contentSecurityPolicy%22%3A%7B%22default-src%22%3A%22%27none%27%22%2C%22script-src%22%3A%22%27self%27%22%2C%22font-src%22%3A%22%27self%27%22%2C%22connect-src%22%3A%22%27self%27%22%2C%22img-src%22%3A%22%27self%27%22%2C%22style-src%22%3A%22%27self%27%22%2C%22media-src%22%3A%22%27self%27%22%7D%2C%22ember-pretenderify%22%3A%7B%22usingProxy%22%3Afalse%7D%2C%22exportApplicationGlobal%22%3Afalse%7D" />
 
     <script>
       window.RAILS_ENV = {
@@ -16,15 +16,15 @@
       }
     </script>
     <link rel="stylesheet" href="/front_end_builds/assets/vendor-a8105f0efcfa2b3ff559e3a06333c43e.css">
-    <link rel="stylesheet" href="/front_end_builds/assets/admin-bd8ae9b4c42b63d1827d52d21829066d.css">
+    <link rel="stylesheet" href="/front_end_builds/assets/admin-e75b37fa41fedcd7e63427d0d395331a.css">
 
     
   </head>
   <body>
     
 
-    <script src="/front_end_builds/assets/vendor-7a09b85604a427672dac82dc0bcac289.js"></script>
-    <script src="/front_end_builds/assets/admin-c8d319818b689f7119754abfe0c8742d.js"></script>
+    <script src="/front_end_builds/assets/vendor-04e7c54f17406375028018e3cb9433af.js"></script>
+    <script src="/front_end_builds/assets/admin-8ff31b44f8d2b836f2f6a419fb1d4766.js"></script>
 
     
   </body>

data/config/routes.rb

@@ -3,6 +3,7 @@ FrontEndBuilds::Engine.routes.draw do
   scope :api, path: '/api' do
     resources :apps, only: [:index, :show, :create, :update, :destroy]
     resources :builds, only: [:index, :show]
+    resources :pubkeys, only: [:index, :create, :destroy]
     resources :host_apps, only: [:show]
   end
 

data/db/migrate/20150124215337_create_front_end_builds_pubkeys.rb

@@ -0,0 +1,10 @@
+class CreateFrontEndBuildsPubkeys < ActiveRecord::Migration
+  def change
+    create_table :front_end_builds_pubkeys do |t|
+      t.string :name, null: false
+      t.text :pubkey, null: false
+
+      t.timestamps null: false
+    end
+  end
+end

data/db/migrate/20150124221024_add_pubkey_to_build.rb

@@ -0,0 +1,7 @@
+class AddPubkeyToBuild < ActiveRecord::Migration
+  def change
+    # Track what public deployed each build
+    add_column :front_end_builds_builds, :pubkey_id, :integer
+    add_column :front_end_builds_builds, :signature, :text
+  end
+end

data/db/migrate/20150224040537_remove_api_key_from_apps.rb

@@ -0,0 +1,5 @@
+class RemoveApiKeyFromApps < ActiveRecord::Migration
+  def change
+    remove_column :front_end_builds_apps, :api_key
+  end
+end

data/lib/front_end_builds/utils/ssh_pubkey_convert.rb

@@ -0,0 +1,92 @@
+# This is needed to convert an SSH pubkey into a RSA OpenSSL pubkey that we can
+# use to verify the signature. I got this from:
+#
+# https://github.com/mytestbed/omf/blob/master/omf_common/lib/omf_common/auth/ssh_pub_key_convert.rb
+#
+
+module FrontEndBuilds::Utils
+  # Copyright (c) 2012 National ICT Australia Limited (NICTA).
+  # This software may be used and distributed solely under the terms of the MIT license (License).
+  # You should find a copy of the License in LICENSE.TXT or at http://opensource.org/licenses/MIT.
+  # By downloading or using this software you accept the terms and the liability disclaimer in the License.
+
+  require 'base64'
+  require 'openssl'
+
+  # This file provides a converter that accepts an SSH public key string
+  # and converts it to an OpenSSL::PKey::RSA object for use in verifying
+  # received messages.  (DSA support pending).
+  #
+  class SSHPubKeyConvert
+    # Unpack a 4-byte unsigned integer from the +bytes+ array.
+    #
+    # Returns a pair (+u32+, +bytes+), where +u32+ is the extracted
+    # unsigned integer, and +bytes+ is the remainder of the original
+    # +bytes+ array that follows +u32+.
+    #
+    def self.unpack_u32(bytes)
+      return bytes.unpack("N")[0], bytes[4..-1]
+    end
+
+    # Unpack a string from the +bytes+ array.  Exactly +len+ bytes will
+    # be extracted.
+    #
+    # Returns a pair (+string+, +bytes+), where +string+ is the
+    # extracted string (of length +len+), and +bytes+ is the remainder
+    # of the original +bytes+ array that follows +string+.
+    #
+    def self.unpack_string(bytes, len)
+      return bytes.unpack("A#{len}")[0], bytes[len..-1]
+    end
+
+    # Convert a string in SSH public key format to a key object
+    # suitable for use with OpenSSL.  If the key is an RSA key then an
+    # OpenSSL::PKey::RSA object is returned.  If the key is a DSA key
+    # then an OpenSSL::PKey::DSA object is returned.  In either case,
+    # the object returned is suitable for encrypting data or verifying
+    # signatures, but cannot be used for decrypting or signing.
+    #
+    # The +keystring+ should be a single line, as per an SSH public key
+    # file as generated by +ssh-keygen+, or a line from an SSH
+    # +authorized_keys+ file.
+    #
+    def self.convert(keystring)
+      (_, b64, _) = keystring.split(' ')
+      raise ArgumentError, "Invalid SSH public key '#{keystring}'" if b64.nil?
+
+      decoded_key = Base64.decode64(b64)
+      (n, bytes) = unpack_u32(decoded_key)
+      (keytype, bytes) = unpack_string(bytes, n)
+
+      if keytype == "ssh-rsa"
+        (n, bytes) = unpack_u32(bytes)
+        (estr, bytes) = unpack_string(bytes, n)
+        (n, bytes) = unpack_u32(bytes)
+        (nstr, bytes) = unpack_string(bytes, n)
+
+        key = OpenSSL::PKey::RSA.new
+        key.n = OpenSSL::BN.new(nstr, 2)
+        key.e = OpenSSL::BN.new(estr, 2)
+        key
+      elsif keytype == 'ssh-dss'
+        (n, bytes) = unpack_u32(bytes)
+        (pstr, bytes) = unpack_string(bytes, n)
+        (n, bytes) = unpack_u32(bytes)
+        (qstr, bytes) = unpack_string(bytes, n)
+        (n, bytes) = unpack_u32(bytes)
+        (gstr, bytes) = unpack_string(bytes, n)
+        (n, bytes) = unpack_u32(bytes)
+        (pkstr, bytes) = unpack_string(bytes, n)
+
+        key = OpenSSL::PKey::DSA.new
+        key.p = OpenSSL::BN.new(pstr, 2)
+        key.q = OpenSSL::BN.new(qstr, 2)
+        key.g = OpenSSL::BN.new(gstr, 2)
+        key.pub_key = OpenSSL::BN.new(pkstr, 2)
+        key
+      else
+        nil
+      end
+    end
+  end
+end

data/lib/front_end_builds/version.rb

@@ -1,3 +1,3 @@
 module FrontEndBuilds
-  VERSION = "0.0.26"
+  VERSION = "0.1.0"
 end