jerakia 1.2.1 → 2.0.0

data/lib/jerakia/datasource/file/json.rb

@@ -1,17 +1,15 @@
 class Jerakia::Datasource
-  module File
-    class Json
+  class File
+    module Json
       EXTENSION = 'json'.freeze
 
-      class << self
-        require 'json'
-        def convert(data)
-          return {} if data.empty?
-          begin
-            JSON.load(data)
-          rescue JSON::ParserError => e
-            raise Jerakia::FileParseError, "Could not parse JSON content, #{e.message}"
-          end
+      require 'json'
+      def convert(data)
+        return {} if data.empty?
+        begin
+          JSON.load(data)
+        rescue JSON::ParserError => e
+          raise Jerakia::FileParseError, "Could not parse JSON content, #{e.message}"
         end
       end
     end

data/lib/jerakia/datasource/file/yaml.rb

@@ -1,18 +1,16 @@
 class Jerakia::Datasource
-  module File
-    class Yaml
-      EXTENSION = 'yaml'.freeze
-
-      class << self
-        require 'yaml'
-        def convert(data)
-          return {} if data.empty?
-          begin
-            YAML.load(data)
-          rescue Psych::SyntaxError => e
-            raise Jerakia::FileParseError, "Error parsing YAML document: #{e.message}"
-          end
-        end
+  class File
+     module Yaml
+       EXTENSION = 'yaml'.freeze
+       require 'yaml'
+       def convert(data)
+         return {} if data.empty?
+         begin
+           YAML.load(data)
+         rescue Psych::SyntaxError => e
+           raise Jerakia::FileParseError, "Error parsing YAML document: #{e.message}"
+         end
+      
       end
     end
   end

data/lib/jerakia/dsl/lookup.rb

@@ -1,34 +1,28 @@
 class Jerakia
   module Dsl
     class Lookup
-      attr_reader :policy
       attr_reader :request
+      attr_reader :scope_object
       attr_accessor :lookup
 
-      def initialize(name, policy, opts = {})
-        @policy = policy
-        @request = policy.clone_request
-        scope   = policy.scope
-        @lookup = Jerakia::Lookup.new(name, opts, @request, scope)
+      def initialize(name, request, scope, opts = {})
+        @request = request
+        @scope_object = scope
+        @lookup = Jerakia::Lookup.new(name, opts, request, scope)
       end
 
-      def self.evaluate(name, policy, opts, &block)
-        lookup_block = new(name, policy, opts)
+      def self.evaluate(name, request, scope, opts, &block)
+        lookup_block = new(name, request, scope, opts)
         lookup_block.instance_eval &block
-        policy.submit_lookup(lookup_block.lookup)
+        return lookup_block.lookup
       end
 
       # define the data source for the lookup
       # @api: public
       def datasource(name, opts = {})
-        datasource = Jerakia::Datasource.new(name, lookup, opts)
-        lookup.datasource = datasource
-      end
-
-      # give access to the lookup scope object
-      # @api: public
-      def scope
-        lookup.scope
+        lookup.datasource = { :name => name, :opts => opts }
+        #datasource = Jerakia::Datasource.new(name, lookup, opts)
+        #lookup.datasource = datasource
       end
 
       # pass through exposed functions from the main lookup object
@@ -37,6 +31,10 @@ class Jerakia
         lookup.confine(*args)
       end
 
+      def scope
+        @scope_object.value
+      end
+
       def exclude(*args)
         lookup.exclude(*args)
       end

data/lib/jerakia/dsl/policy.rb

@@ -3,14 +3,14 @@ require 'jerakia/cache/file'
 class Jerakia
   module Dsl
     class Policy
-      def self.evaluate_file(filename, request)
-        policy = new(request)
+      def self.evaluate_file(filename)
+        policy = new
         policy.evaluate_file(filename)
         policy.instance
       end
 
-      def self.evaluate(request, &block)
-        policy = new(request)
+      def self.evaluate(&block)
+        policy = new
         policy.instance_eval &block
         policy.instance
       end
@@ -18,8 +18,7 @@ class Jerakia
       attr_accessor :request
       attr_reader   :instance
 
-      def initialize(req)
-        @request = req
+      def initialize()
       end
 
       def evaluate_file(filename)
@@ -33,7 +32,7 @@ class Jerakia
       end
 
       def policy(name, opts = {}, &block)
-        @instance = Jerakia::Policy.new(name, opts, request)
+        @instance = Jerakia::Policy.new(name, opts)
         Jerakia::Dsl::Policyblock.evaluate(instance, &block)
       end
     end
@@ -51,7 +50,11 @@ class Jerakia
       end
 
       def lookup(name, opts = {}, &block)
-        Jerakia::Dsl::Lookup.evaluate(name, policy, opts, &block)
+        Jerakia.log.debug("Adding lookup #{name} for policy #{policy}")
+        policy.lookups << Proc.new do |request, scope| 
+          Jerakia.log.debug("Invoking lookup #{name}")
+          Jerakia::Dsl::Lookup.evaluate(name, request, scope, opts, &block)
+        end
       end
     end
   end

data/lib/jerakia/encryption.rb

@@ -0,0 +1,60 @@
+class Jerakia
+  class Encryption
+
+    @handler = nil
+
+    class << self
+      def handler
+        @handler || @handler = self.new
+      end
+    end
+
+    attr_reader :loaded
+
+    def initialize(provider=nil)
+      if provider.nil?
+        provider = config["provider"]
+      end
+
+      return nil if provider.nil?
+
+      begin
+        require "jerakia/encryption/#{provider}"
+      rescue LoadError => e
+        raise Jerakia::Error, "Failed to load encryption provider #{provider}"
+      end
+
+      begin
+        eval "extend Jerakia::Encryption::#{provider.capitalize}"
+      rescue NameError => e
+        raise Jerakia::Error, "Encryption provider #{provider} did not provide class"
+      end
+      @loaded = true
+    end
+
+    def loaded?
+      loaded
+    end
+
+    def features?(feature)
+      case feature
+      when :encrypt
+        respond_to?('encrypt')
+      when :decrypt
+        respond_to?('decrypt')
+      else
+        false
+      end
+    end
+
+    def self.config
+      Jerakia.config[:encryption] || {}
+    end
+
+    def config
+      self.class.config
+    end
+
+  end
+end
+

data/lib/jerakia/encryption/vault.rb

@@ -0,0 +1,168 @@
+require 'jerakia/util/http'
+require 'json'
+require 'base64'
+
+class Jerakia
+  class Encryption
+    module Vault
+      class AuthenticationError < Jerakia::Error
+      end
+
+      attr_reader :approle_token
+      attr_reader :vault_ssl_key
+      attr_reader :vault_ssl_cert
+
+      def signiture
+        /^vault:v[0-9]:[^ ]+$/
+      end
+
+      def config
+        {
+          "vault_keyname" => "jerakia",
+          "vault_addr" => "https://127.0.0.1:8200",
+          "vault_use_ssl" => true,
+          "vault_ssl_verify" => true,
+          "vault_token" => ENV['VAULT_TOKEN'] || nil,
+          "vault_api_version" => 1
+       }.merge(self.class.config)
+      end
+  
+
+
+      def vault_url(endpoint)
+        uri = []
+        uri << config['vault_addr']
+        uri << "v#{config['vault_api_version']}"
+        uri << endpoint
+        uri.flatten.join("/")
+      end
+
+      def login
+        Jerakia.log.debug('Requesting new token from Vault server')
+        role_id = config['vault_role_id']
+        secret_id = config['vault_secret_id']
+
+        login_data = { "role_id" => role_id }
+        login_data['secret_id'] = secret_id unless secret_id.nil?
+
+        response = vault_post(login_data, :login, false)
+        @approle_token = response['auth']['client_token']
+        Jerakia.log.debug("Recieved authentication token from vault server, ttl: #{response['auth']['lease_duration']}")
+      end
+
+      def ssl?
+        config['vault_use_ssl']
+      end
+
+      def read_file(file)
+        raise Jerakia::EncryptionError, "Cannot read #{file}" unless File.exists?(file)
+        File.read(file)
+      end
+
+      def ssl_key
+        return nil if config['vault_ssl_key'].nil?
+        @vault_ssl_key ||= read_file(config['vault_ssl_key'])
+        vault_ssl_key
+      end
+
+      def ssl_cert
+        return nil if config['vault_ssl_cert'].nil?
+        @vault_ssl_cert ||= read_file(config['vault_ssl_cert'])
+        vault_ssl_cert
+      end
+
+
+      def token_configured?
+        not config['vault_token'].nil?
+      end
+
+      def token
+        authenticate
+        config['vault_token'] || approle_token
+      end
+
+      def authenticate
+        unless token_configured?
+          login if approle_token.nil?
+        end
+      end
+
+      def endpoint(action)
+        {
+          :decrypt => "transit/decrypt/#{config['vault_keyname']}",
+          :encrypt => "transit/encrypt/#{config['vault_keyname']}",
+          :login   => "auth/approle/login"
+        }[action]
+      end 
+
+      def url_path(action)
+        vault_url(endpoint(action))
+      end
+
+          
+
+      def parse_response(response)
+        body = JSON.load(response.body)
+        if response.code_type == Net::HTTPOK
+          return body
+        else
+          if response.code == "403"
+            raise Jerakia::Encryption::Vault::AuthenticationError, body
+          end
+          if body['errors'].is_a?(Array)
+            message = body['errors'].join("\n")
+          else
+            message = "Failed to decrypt entry #{body}"
+          end
+          raise Jerakia::EncryptionError, "Error decrypting data from Vault: #{message}"
+        end
+      end
+          
+      def vault_post(data, action, use_token=true, headers={})
+        url = url_path(action)
+        http_options = {}
+
+        if ssl?
+          http_options = {
+            :ssl        => true,
+            :ssl_verify => config['vault_ssl_verify'],
+            :ssl_cert   => ssl_cert,
+            :ssl_key    => ssl_key,
+          }
+        end
+
+        Jerakia.log.debug("Connecting to vault at #{url}")
+        tries = 0
+        begin
+          headers['X-Vault-Token'] = token if use_token
+          tries += 1
+          parse_response Jerakia::Util::Http.post(url, data, headers, http_options)
+        rescue Jerakia::Encryption::Vault::AuthenticationError => e
+          Jerakia.log.debug("Encountered Jerakia::Encryption::Vault::AuthenticationError, retrying with new token (#{tries})")
+
+          login
+          retry if tries < 2
+          raise
+        rescue Jerakia::HTTPError => e
+          raise Jerakia::EncryptionError, "Error connecting to Vault service: #{e.message}"
+        end
+      end
+
+      def decrypt(string)
+        response = vault_post({ 'ciphertext' => string}, :decrypt)
+        response_data=response['data']
+        Base64.decode64(response_data['plaintext'])
+      end
+
+      def encrypt(plain)
+        encoded = Base64.encode64(plain)
+        response = vault_post({ 'plaintext' => encoded}, :encrypt)
+        response_data=response['data']
+        response_data['ciphertext']
+      end
+
+
+    end
+  end
+end
+

data/lib/jerakia/error.rb

@@ -13,4 +13,14 @@ class Jerakia
 
   class FileParseError < Jerakia::Error
   end
+
+  class DatasourceArgumentError < Jerakia::Error
+  end
+
+  class HTTPError < Jerakia::Error
+  end
+
+  class EncryptionError < Jerakia::Error
+  end
+
 end

data/lib/jerakia/launcher.rb

@@ -8,15 +8,27 @@ class Jerakia
   class Launcher
     attr_reader :request
     attr_reader :answer
+    attr_reader :policies
 
-    def initialize(req)
-      @request = req
+    def initialize
+      @policies = {}
+      policy_files.each do |policy_file|
+        policy = Jerakia::Dsl::Policy.evaluate_file(policy_file)
+        raise Jerakia::PolicyError, "Policy #{policy.name} declared twice" if @policies[policy.name]
+        @policies[policy.name] = policy
+      end
     end
 
-    def evaluate(&block)
-      policy = Jerakia::Dsl::Policy.evaluate(request, &block)
-      policy.execute
-      @answer = policy.answer
+    def policy_dir
+      Jerakia.config.policydir
+    end
+
+    def policy_files
+      Dir[File.join(policy_dir, '*.rb')]
+    end
+
+    def self.evaluate(&block)
+      Jerakia::Dsl::Policy.evaluate(&block)
     end
 
     def invoke_from_file