hiera_server 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 5ed7a076f781fbc8934000975e64a1da503978fe
+  data.tar.gz: d24759ab5a84cd572020ed9ac57c72571c825937
+SHA512:
+  metadata.gz: 215f91afe5a764aa620d3cf3c8acb22b4a95b60d982fc30b5a1ec696273f1efb7771b380641222b372c63841348cb01224cf7fe49ee2e14eabbee40305218a70
+  data.tar.gz: 98ee06d660aa47cb037ddef2492bac751c57fcf41508a5989e79a5291b2d6b50a915a06ef1da6c1373abb058add6ac092fda7fbbbb83b677aa33ae035b2cd439

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright (C) 2015 Ben Ford <binford2k@gmail.com>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,118 @@
+# Hiera Server
+
+Hiera Server separates the query and the data retrieval into separate processes.
+The *server* portion runs on a remote machine and uses any configured Hiera
+backend to retrieve data. The *client* portion simply runs as a backend on the
+local machine and forwards requests to the server. Facilities are provided to
+configure the data lookup on the server from either end, allowing the server to
+provide data to more than one client using different configurations.
+
+Rather than making multiple HTTP requests, the client will send the full scope
+and any relevant configuration to the server as part of a single request. The
+server will perform the data lookup and return a single response.
+
+## Installation
+
+Install the gem in the proper GEMPATHs on both the local and remote systems.
+
+### Local system (the Puppet master or machine running `puppet apply`)
+
+For the Puppet master to be able to use this gem, you'll need to install it into
+the Puppet master's GEMPATH. If you're using Puppetserver or PE, you'll want to
+install it like such:
+
+    $ /opt/puppetlabs/bin/puppetserver gem install hiera_server
+
+To be able to access it from the command line, as in CLI `hiera` or `puppet apply`,
+you'll need to also install it into the Puppet GEMPATH, such as:
+
+    $ /opt/puppetlabs/puppet/bin/gem install hiera_server
+
+If you're using Passenger or Webrick, you'll only need to install it once, as the
+GEMPATH are typically shared by the master and agent.
+
+### Remote system (the machine running the Hiera server)
+
+This machine doesn't necessarily need to be a Puppet master, but it will need Hiera
+properly installed and configured. Simply install the gem into the Puppet GEMPATH.
+
+    $ /opt/puppetlabs/puppet/bin/gem install hiera_server
+
+## Configuration
+
+Configure the server using the `:server` configuration key in your `hiera.yaml`
+on both the server and the client. The only key **required** is the `[:server][:server]`
+key on the **client** side. This is the address of the machine to forward requests
+to.
+
+### Options
+
+* Options used by the server
+    * `[:server][:port]`
+        * The port to run on. Defaults to 8141
+    * `[:server][:ssl]`
+        * Boolean. Whether to use ssl. Defaults to false simply because I'm lazy for the MVP.
+    * `[:server][:logfile]`
+        * Where to log. Defaults to '/var/log/hiera_server'
+    * `[:server][:pidfile]`
+        * Where to save the pidfile. Defaults to '/var/run/hiera_server.pid'
+    * The toplevel `:backends` and `:hierarchy` will be used by default, but
+      can be overridden by the client.
+* Options used by the client
+    * `[:server][:server]`
+        * The server to forward lookups too. **Required**.
+    * `[:server][:port]`
+        * The port the server is running on. Defaults to 8141
+    * `[:server][:backends]`
+        * If set, this will override the `:backends` setting on the server
+    * `[:server][:hierarchy]`
+        * If set, this will override or add to the `:hierarchy` on the server
+    * `[:server][:hierarchy_override]`
+        * Describes how to merge the ':hierarchy' on the server
+        * Accepted values are: 'prepend`, 'append', 'replace'
+
+### Example `hiera.yaml` file on the client
+
+This will force the server to use the `yaml` backend when servicing requests,
+and will put the `%{clientcert}` at the top of the hierarchy used by the server.
+The server contacted will be `master.puppetlabs.vm` on port `8141`.
+
+    ---
+    :backends:
+      - server
+    
+    :yaml:
+      :datadir: /etc/puppetlabs/code/hieradata
+    
+    :server:
+      :server: master.puppetlabs.vm
+      :port: 8141
+      :backends:
+        - yaml
+      :hierarchy:
+        - "%{clientcert}"
+      :hierarchy_override: prepend
+    
+    :hierarchy:
+      - "environments/%{environment}/hieradata/%{osfamily}"
+      - "environments/%{environment}/hieradata/%{clientcert}"
+      - "environments/%{environment}/hieradata/defaults"
+      - defaults
+
+## Running the server
+
+The server executable is installed into the standard PATH. For example, if you
+installed it on Puppet Enterprise, the server will be located at
+
+    $ /opt/puppetlabs/puppet/bin/hiera_server
+
+A sample init script is located in the `docs` directory of the gem.
+
+## Disclaimer
+
+This is currently a proof of concept and was written in just a few hours. You get what you pay for.
+
+Contact
+-------
+
+binford2k@gmail.com

data/bin/hiera_server

@@ -0,0 +1,73 @@
+#! /usr/bin/env ruby
+
+require 'rubygems'
+require 'fileutils'
+require 'sinatra/base'
+require 'webrick'
+require 'webrick/https'
+require 'openssl'
+require 'resolv'
+require 'json'
+
+require 'hiera'
+require 'hiera/util'
+require 'optparse'
+
+require 'hiera_server'
+
+$config = YAML.load_file(File.join(Hiera::Util.config_dir, 'hiera.yaml'))
+$config[:server]           ||= {}
+$config[:server][:bind]    ||= '0.0.0.0'
+$config[:server][:port]    ||= '8141'
+$config[:server][:ssl]     ||= false
+$config[:server][:logfile] ||= '/var/log/hiera_server'
+$config[:server][:pidfile] ||= '/var/run/hiera_server.pid'
+
+optparse = OptionParser.new { |opts|
+  opts.banner = "Usage : #{File.basename($PROGRAM_NAME)}"
+
+  opts.on("-d", "--debug", "Display extra debugging information.") do
+    require 'pry'
+    $config[:server][:debug] = true
+  end
+
+  opts.separator('')
+
+  opts.on("-h", "--help", "Displays this help") do
+    puts opts
+    exit
+  end
+}
+optparse.parse!
+
+if $config[:server][:debug]
+  servertype = WEBrick::SimpleServer
+  loglevel   = WEBrick::Log::DEBUG
+else
+  servertype = WEBrick::Daemon
+  loglevel   = WEBrick::Log::INFO
+end
+
+options = {
+  :Host          => $config[:server][:bind],
+  :Port          => $config[:server][:port],
+  :Logger        => WEBrick::Log::new($config[:server][:logfile], loglevel),
+  :ServerType    => servertype,
+  :SSLEnable     => $config[:server][:ssl],
+  :StartCallback => Proc.new { File.open($config[:server][:pidfile], 'w') {|f| f.write Process.pid } },
+}
+if $config[:server][:ssl] then
+  options[:SSLVerifyClient] = OpenSSL::SSL::VERIFY_PEER
+  options[:SSLCertificate]  = OpenSSL::X509::Certificate.new(File.open("#{$config[:server][:public_key]}").read)
+  options[:SSLPrivateKey]   = OpenSSL::PKey::RSA.new(File.open("#{$config[:server][:private_key]}").read)
+  options[:SSLCertName]     = [ [ "CN",WEBrick::Utils::getservername ] ]
+end
+
+Rack::Handler::WEBrick.run(HieraServer, options) do |server|
+  [:INT, :TERM].each do |sig|
+    trap(sig) do
+      server.stop
+      FileUtils.rm $config[:server][:pidfile]
+    end
+  end
+end

data/doc/hiera_server.init.example

@@ -0,0 +1,86 @@
+#!/bin/bash
+# webhook       Init script for running the hiera server daemon
+#
+# Author:       Ben Ford <binford2k@gmail.com
+#
+# chkconfig: 2345 98 02
+#
+# description: Init script for running the hiera server daemon
+# processname: hiera_server
+
+# This is a pretty cruddy init script.
+
+# source function library
+#. /etc/rc.d/init.d/functions
+
+PATH=/opt/puppetlabs/puppet/bin/:/usr/local/bin:$PATH
+PID=$([ -f /var/run/hiera_server.pid ] && cat /var/run/hiera_server.pid)
+
+printstat()
+{
+  if [ "$1" != "" ]
+  then
+    echo $1
+  else
+    if [ $RETVAL -eq 0 ]; then echo "OK"; else echo "FAIL"; fi
+  fi
+}
+
+start()
+{
+	echo -n $"Starting Hiera Server: "
+	hiera_server
+	RETVAL=$?
+	printstat
+}
+
+stop()
+{
+  echo -n $"Stopping Hiera Server: "
+	if [ "${PID}" == "" ]
+	then
+  	printstat 'not running'
+  	RETVAL=2
+  else
+    kill ${PID}
+    RETVAL=$?
+    sleep 3 # it would be nice if webrick didn't take so long to shut down
+    printstat
+  fi
+}
+
+status()
+{
+  if [ "${PID}" != "" ]
+  then
+    echo $"Hiera Server is running."
+    RETVAL=0
+  else
+    echo $"Hiera Server is stopped."
+    RETVAL=1
+  fi
+}
+
+restart() {
+	stop
+	start
+}
+
+case "$1" in
+	start)
+		start
+		;;
+	stop)
+		stop
+		;;
+	restart)
+		restart
+		;;
+	status)
+		status
+		;;
+	*)
+		echo $"Usage: $0 {start|stop|restart|status}"
+		RETVAL=10
+esac
+exit $RETVAL

data/lib/hiera/backend/server_backend.rb

@@ -0,0 +1,67 @@
+require 'json'
+require 'openssl'
+require "net/https"   # use instead of rest-client so we can set SSL options
+
+class Hiera
+  module Backend
+    class Server_backend
+      def initialize
+        Config[:server][:backends]  ||= Config[:backends]
+        Config[:server][:hierarchy] ||= Config[:hierarchy]
+        Config[:server][:port]      ||= '8141'
+
+        # I think this connection can be reused like this. If not, move it to the query and make it local
+        @http = Net::HTTP.new(Config[:server][:server], Config[:server][:port])
+
+        if Config[:server][:ssl]
+          @http.use_ssl = true
+          @http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+          store = OpenSSL::X509::Store.new
+          store.add_cert(OpenSSL::X509::Certificate.new(File.read(Config[:server][:ca_cert])))
+          @http.cert_store = store
+
+          @http.key = OpenSSL::PKey::RSA.new(File.read(Config[:server][:public_key]))
+          @http.cert = OpenSSL::X509::Certificate.new(File.read(Config[:server][:private_key]))
+        else
+          @http.use_ssl = false
+        end
+
+        debug ("Loaded HieraServer Backend")
+      end
+
+      def debug(msg)
+        Hiera.debug("[HieraServer]: #{msg}")
+      end
+
+      def warn(msg)
+        Hiera.warn("[HieraServer]:  #{msg}")
+      end
+
+      def lookup(key, scope, order_override, resolution_type, context)
+        debug("Looking up '#{key}', resolution type is #{resolution_type}")
+
+        path    = "/#{resolution_type.to_s}/#{key}"
+        request = Net::HTTP::Post.new(path, initheader = {'Content-Type' =>'application/json'})
+
+        request.body = {
+          "scope"              => scope,
+          "backends"           => Config[:server][:backends],
+          "hierarchy"          => Config[:server][:hierarchy],
+          "hierarchy_override" => Config[:server][:hierarchy_override],
+        }.to_json
+
+        # make the request
+        response = JSON.parse(@http.request(request).body)
+
+        if response.keys.include? 'value'
+          response['value']
+        else
+          warn response['error']
+          debug response['trace']
+        end
+      end
+
+    end
+  end
+end

data/lib/hiera_server.rb

@@ -0,0 +1,78 @@
+require 'rubygems'
+require 'sinatra/base'
+require 'json'
+
+require 'hiera'
+
+class HieraServer < Sinatra::Base
+
+  get '/' do
+    raise Sinatra::NotFound
+  end
+
+  post '/:type/:key' do |type, key|
+    begin
+      request.body.rewind
+      body  = JSON.parse(request.body.read)
+      hiera = Hiera.new(:config => munged_config(body))
+
+      if type == 'merge'
+        value = hiera.lookup(key, nil, body['scope'], nil, body['merge'])
+      else
+        value = hiera.lookup(key, nil, body['scope'], nil, type.to_sym)
+      end
+    # Must rescue Exception because that's what Hiera raises.
+    rescue Exception => e
+      binding.pry if $config[:server][:debug]
+      raise e if [Interrupt, SignalException].include? e.class
+      {
+        'error' => e.message,
+        'trace' => e.backtrace,
+      }.to_json
+    end
+
+    {'value' => value}.to_json
+  end
+
+  not_found do
+    halt 404, "You shall not pass! (page not found)\n"
+  end
+
+  helpers do
+    def protected!
+      unless authorized?
+        response['WWW-Authenticate'] = %(Basic realm="Restricted Area")
+        throw(:halt, [401, "Not authorized\n"])
+      end
+    end  #end protected!
+
+    def authorized?
+      @auth ||=  Rack::Auth::Basic::Request.new(request.env)
+      @auth.provided? && @auth.basic? && @auth.credentials &&
+      @auth.credentials == [$config['user'],$config['pass']]
+    end  #end authorized?
+
+    def munged_config(data)
+      config = $config.dup
+
+      # let the client configure the backend to use
+      config[:backends] = data['backends'] if data.include? 'backends'
+
+      # munge the hierarchy as needed
+      case data['hierarchy_override']
+      when 'prepend'
+        config[:hierarchy].unshift data['hierarchy']
+      when 'append'
+        config[:hierarchy] << data['hierarchy']
+      when 'replace'
+        config[:hierarchy] = data['hierarchy']
+      end
+
+      # now copy in arbitrary config settings that we're not already handling
+      config[:server] = data.reject {|item| ['backend', 'hierarchy', 'scope', 'merge'].include? item }
+
+      config
+    end
+
+  end
+end

metadata

@@ -0,0 +1,84 @@
+--- !ruby/object:Gem::Specification
+name: hiera_server
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Ben Ford
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-11-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: sinatra
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: json_pure
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: |2
+    Hiera Server separates the query and the data retrieval into separate processes.
+    The *server* portion runs on a remote machine and uses any configured Hiera backend
+    to retrieve data. The *client* portion simply runs as a backend on the local machine.
+
+    Facilities are provided to configure the data lookup on the server from either end.
+    See README.md for more information.
+email: binford2k@gmail.com
+executables:
+- hiera_server
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- LICENSE
+- bin/hiera_server
+- lib/hiera/backend/server_backend.rb
+- lib/hiera_server.rb
+- doc/hiera_server.init.example
+homepage: https://github.com/binford2k/hiera_server
+licenses:
+- Apache 2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.14
+signing_key: 
+specification_version: 4
+summary: Provides a remote server for Hiera lookups and a backend client.
+test_files: []