loom-core 0.0.1

data/lib/loomext/coremods/package/package.rb

@@ -0,0 +1,62 @@
+require "forwardable"
+require_relative "adapter"
+
+module LoomExt::CoreMods
+  class Package < Loom::Mods::Module
+
+    UnsupportedPackageManager = Class.new Loom::Mods::ModActionError
+
+    attr_reader :pkg_adapter
+
+    register_mod :pkg
+
+    def init_action
+      @pkg_adapter = default_adapter
+    end
+
+    def get(adapter)
+      case adapter.to_sym
+      when :dnf
+        DnfAdapter.new loom
+      when :rpm
+        RpmAdapter.new loom
+      when :apt
+        AptAdapter.new loom
+      when :dpkg
+        DpkgAdapter.new loom
+      when :gem
+        GemAdapter.new loom
+      else
+        raise UnsupportedPackageManager, adapter
+      end
+    end
+    alias_method :[], :get
+
+    def default_adapter
+      if loom.test :which, "dnf"
+        DnfAdapter.new loom
+      elsif loom.test :which, "rpm"
+        RpmAdapter.new loom
+      elsif loom.test :which, "apt"
+        AptAdapter.new loom
+      elsif loom.test :which, "dpkg"
+        DpkgAdapter.new loom
+      else
+        raise UnsupportedPackageManager
+      end
+    end
+
+    module Actions
+      extend Forwardable
+      def_delegators :@pkg_adapter, :installed?, :install, :uninstall,
+      :update_cache, :upgrade, :ensure_installed
+
+      def [](*args)
+        get(*args)
+      end
+    end
+
+    import_actions Package::Actions
+
+  end
+end

data/lib/loomext/coremods/user.rb

@@ -0,0 +1,82 @@
+module LoomExt::CoreMods
+  class User < Loom::Mods::Module
+
+    SudoersDNoExistError = Class.new Loom::Mods::ModActionError
+    SudoersDNotIncluded = Class.new Loom::Mods::ModActionError
+
+    register_mod :user
+    required_commands :useradd, :userdel, :getent
+
+    SUDOERS_FILE = "/etc/sudoers"
+    SUDOERS_DIR = "/etc/sudoers.d"
+    LOOM_SUDOERS_FILE = SUDOERS_DIR + "/90-loom-sudoers"
+
+    def user_exists?(user)
+      shell.test :getent, :passwd, user
+    end
+
+    def includes_sudoers?
+      shell.test :grep, :"-e", :"'^#includedir #{SUDOERS_DIR}$'", SUDOERS_FILE
+    end
+
+    def sudoersd_exists?
+      shell.test :test, %Q[-d #{SUDOERS_DIR}]
+    end
+
+    module Actions
+      def add(user,
+              home_dir: nil,
+              login_shell: "/bin/bash",
+              uid: nil,
+              gid: nil,
+              groups: [],
+              is_system_user: nil)
+        if user_exists? user
+          Loom.log.warn "add_user skipping existing user => #{user}"
+          return
+        end
+
+        flags = []
+        flags << ["--home-dir", home_dir] if home_dir
+        flags << ["--create-home"] if home_dir
+        flags << ["--shell", login_shell] if login_shell
+        flags << ["--uid", uid] if uid
+        flags << ["--gid", gid] if gid
+        flags << ["--groups", groups] unless groups.empty?
+        flags << "--system" if is_system_user
+
+        loom.exec :useradd, flags, user
+      end
+
+      def add_system_user(user, **user_fields)
+        if user_exists? user
+          Loom.log.warn "add_system_user skipping existing user => #{user}"
+          return
+        end
+
+        add user, is_system_user: true, login_shell: "/bin/false", **user_fields
+      end
+
+      def remove(user)
+        unless user_exists? user
+          Loom.log.warn "remove_user skipping non-existant user => #{user}"
+          return
+        end
+
+        loom.exec :userdel, "-r", user
+      end
+
+      def make_sudoer(user)
+        raise SudoersDNotIncluded unless includes_sudoers?
+        raise SudoersDNoExistError unless sudoersd_exists?
+
+        sudoer_conf = :"#{user} ALL=(ALL) NOPASSWD:ALL"
+
+        loom.files(LOOM_SUDOERS_FILE).append sudoer_conf
+        loom.exec :chmod, "0440", LOOM_SUDOERS_FILE
+      end
+    end
+  end
+
+  User.import_actions User::Actions
+end

data/lib/loomext/coremods/vm/all.rb

@@ -0,0 +1,6 @@
+module LoomExt::CoreMods
+  module VM
+  end
+end
+
+require_relative "vbox"

data/lib/loomext/coremods/vm/vbox.rb

@@ -0,0 +1,84 @@
+module LoomExt::CoreMods::VM
+  class Virtualbox < Loom::Mods::Module
+
+    DuplicateVMImport = Class.new Loom::ExecutionError
+    UnknownVM = Class.new Loom::ExecutionError
+
+    register_mod :vbox
+    required_commands :vboxmanage
+
+    module Actions
+      def check_exists(vm)
+        loom.test "vboxmanage showvminfo #{vm}".split
+      end
+
+      def check_running(vm)
+        loom.test "vboxmanage list runningvms".split, :piped_cmds => [
+          "grep \"#{vm}\"".split
+        ]
+      end
+
+      def list
+        loom << "vboxmanage list vms".split
+      end
+
+      def snapshot(vm, action: :take, snapshot_name: nil)
+        raise UnknownVM, vm unless check_exists(vm)
+
+        cmd = ["vboxmanage snapshot #{vm} #{action}"]
+        cmd <<  snapshot_name if snapshot_name
+        cmd = cmd.join " "
+
+        loom << cmd.split
+      end
+
+      def import(ova_file, vm, disk, take_snapshot: true)
+        raise DuplicateVMImport, vm if check_exists(vm)
+
+        loom << "vboxmanage import #{ova_file} \
+            --vsys 0 --vmname #{vm} \
+            --vsys 0 --unit 12 --disk '#{disk}'".split
+
+        if take_snapshot
+          snapshot vm, action: :take, snapshot_name: "#{vm}:import"
+        end
+      end
+
+      def clone(src_vm, dst_vm, options: :link, snapshot: nil, take_snapshot: true)
+        raise DuplicateVMImport, "VM already exists => #{dst_vm}" if check_exists(dst_vm)
+        raise UnknownVM, src_vm unless check_exists(src_vm)
+
+        cmd = ["vboxmanage clonevm #{src_vm}"]
+        cmd << "--snapshot #{snapshot}" if snapshot
+        cmd << "--options #{options}" if options
+        cmd << "--name #{dst_vm}"
+        cmd << "--register"
+        cmd = cmd.join " "
+
+        loom << cmd.split
+
+        if take_snapshot
+          snapshot dst_vm, action: :take, snapshot_name: "#{dst_vm}:clone"
+        end
+      end
+
+      def up(vm)
+        unless check_running(vm)
+          loom << "vboxmanage startvm #{vm} --type headless".split
+        else
+          Loom.log.warn "VM #{vm} already running, nothing to do"
+        end
+      end
+
+      def down(vm)
+        if check_running(vm)
+          loom << "vboxmanage controlvm #{vm} acpipowerbutton".split
+        else
+          Loom.log.warn "VM #{vm} not running, nothing to do"
+        end
+      end
+    end
+
+    import_actions Actions
+  end
+end

data/loom.gemspec

@@ -0,0 +1,39 @@
+$LOAD_PATH.push File.expand_path '../lib/', __FILE__
+require 'loom/version'
+
+Gem::Specification.new do |s|
+  s.name = 'loom-core'
+  s.description = 'Repeatable management of remote hosts over SSH'
+  s.summary = s.description
+  s.version = Loom::VERSION
+  s.license = 'MIT'
+  s.authors = ['Erick Johnson']
+  s.email = 'ejohnson82@gmail.com'
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- spec/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
+  s.require_paths = %w[lib]
+
+  s.add_dependency 'sshkit', '~> 1.11'
+  s.add_dependency 'commander', '~> 4.4'
+
+  # Need net-ssh beta and its explicit requirements until for ed25519
+  # elliptic curve key support
+  # https://github.com/net-ssh/net-ssh/issues/214
+
+  # grrr.. 4.x.beta won't work in `gem install` until the official
+  # release due to net-scp gem dependencies.
+  # I can manually `gem install net-ssh --version 4.0.0.beta3` for now.
+  # s.add_dependency 'net-ssh', '>= 4.0.0.beta3'
+  s.add_dependency 'net-ssh', '>= 3'
+  s.add_dependency 'rbnacl-libsodium', '1.0.10'
+  s.add_dependency 'bcrypt_pbkdf', '1.0.0.alpha1'
+
+  s.add_development_dependency 'bundler', '~> 1.13'
+  s.add_development_dependency 'rake', '~> 11.3'
+  s.add_development_dependency 'rspec', '~> 3.5'
+  s.add_development_dependency 'guard-rspec', '~> 4.7'
+  s.add_development_dependency 'pry', '~> 0.10'
+  s.add_development_dependency 'pry-byebug'
+end

data/loom/inventory.yml

@@ -0,0 +1,13 @@
+---
+- ejjohnson.org
+
+- :local-vms:
+    - vm-ubuntu-db
+    - vm-ubuntu-base
+- :digitalocean:
+    - ejjohnson.net
+#    - vos.io
+    - quotes.vos.io
+- :vos.io:
+    - quotes.vos.io
+#    - vos.io

data/scripts/harness.sh

@@ -0,0 +1,242 @@
+# The Harness script for encoding, checksum'ing and running loom
+# patterns.
+#
+# The point of the harness is to safely encode arbitrary commands as
+# base64 strings and execute them in another shell, usually on a
+# remote machine over SSH. The flow for running the harness is:
+#
+# 1. base64 encode an arbitrary shell script, this is the encoded
+#    script
+# 2. get a checksum for the encoded script
+# 3. send the encoded script and checksum to a shell in another
+#    process (local or remote) to invoke the encoded script via this
+#    harness script
+#
+# Given 2 hosts, [local] and [remote] the process looks like this:
+#
+#  [local]$ encoded=$(./scripts/harness.sh --print_base64 - <<'EOS'
+#  echo my sweet script
+#  EOS
+#  )
+#  [local]$ checksum=$(./scripts/harness --print_checksum $encoded)
+#
+#  ... SCP harness.sh to some/path on remote ...
+#
+#  [local]$ ssh user@remote \
+#      some/path/harness.sh --run - $checksum <<EOS
+#  $encoded
+#  EOS
+#
+# There are 2 different shells that the harness deals with. The
+# harness shell, and the command shell.
+#
+# The harness shell is the shell used to run the harness script (this
+# file). Only POSIX features are supported in the harness
+# script. Officially, `bash`, `bash --posix`, and `dash` are suported
+# via the specs, (see spec/scripts/harness_spec.rb). Unofficially, any
+# POSIX compliant shell should work.
+#
+# The command shell is the shell used by the harness to execute the
+# encoded script. By default the command shell is `/bin/sh`. The
+# command shell can be whatever you choose by passing an additonal
+# parameter to `harness.sh --run`. For example, to run the encoded
+# script in dash:
+#
+#  [local]$ harness.sh --run - $checksum --cmd_shell /bin/dash <<EOS
+#  $encoded
+#  EOS
+#
+# To run the harness script in bash POSIX mode and the command script
+# in plain old bash, the following will work:
+#
+#  [local]$ (bash --posix -) <<HARNESS_EOS
+#  harness.sh --run - $checksum --cmd_shell /bin/bash <<COMMAND_EOS
+#  $encoded
+#  COMMAND_EOS
+#  HARNESS_EOS
+#
+# Commands will be recored as they are executed in the record file. By
+# default the record file is /dev/null. To use a record file pass the
+# record_file argument to --run, e.g.:
+#
+#  harness.sh --run - $checksum --record_file /opt/loom/cmds <<CMDS...
+#
+
+declare -r DEFAULT_COMMAND_SHELL="/bin/sh"
+declare -r DEFAULT_RECORD_FILE="/dev/null"
+
+declare -r TRUE=0
+declare -r FALSE=1
+
+declare -r SUCCESS=0
+
+declare -r EXIT_INVALID_BASE64=9
+declare -r EXIT_BAD_CHECKSUM=8
+declare -r EXIT_MISSING_ARG=2
+declare -r EXIT_GENERIC=1
+
+exit_with_usage() {
+    script=$(basename "$0")
+    echo "Usages:"
+    echo "   ${script} --check <base64_blob|-> <golden_checksum>"
+    echo "   ${script} --run <base64_blob|-> <golden_checksum> \\"
+    echo "                   [--cmd_shell shell] \\"
+    echo "                   [--record_file record_file]"
+    echo "   ${script} --print_checksum <base64_blob|->"
+    echo "   ${script} --print_base64 <raw_cmds|->"
+    exit $EXIT_GENERIC
+}
+
+##
+# If $0 equals "-", then consume and return STDIN, otherwise return
+# the value.
+value_or_stdin() {
+    local value="${1}"
+
+    if [ "${value}" = "-" ]; then
+        echo "read stdin" 1>&2
+        (cat)<&0
+    else
+        echo "read value arg" 1>&2
+        echo -n $value
+    fi
+}
+
+base64_encode_cmds() {
+    local raw_cmds="$1"
+    echo $(base64 -w0 <<BASE64_EOF
+${raw_cmds}
+BASE64_EOF
+)
+}
+
+validate_base64_blob() {
+    local unknown_blob="$1"
+    (base64 -d <<BASE64_EOF
+${unknown_blob}
+BASE64_EOF
+) > /dev/null
+    if [ ! "$?" -eq 0 ]; then
+        exit $EXIT_INVALID_BASE64
+    fi
+}
+
+validate_arg_is_present() {
+    arg="$1"
+    msg="$2"
+    if [ -z "${arg}" ]; then
+        echo "${msg}" 1>&2
+        exit $EXIT_MISSING_ARG
+    fi
+}
+
+print_checksum() {
+    local chksum_blob="$1"
+
+    echo "checksum'ing base64 blob: +${chksum_blob}+" 1>&2
+    echo $(sha1sum - <<CHECKSUM_EOF | cut -d' ' -f1
+${chksum_blob}
+CHECKSUM_EOF
+)
+}
+
+check_cmds() {
+    local base64_blob="$1"
+    local golden_sha1="$2"
+    local actual_sha1=$(print_checksum "${base64_blob}")
+
+    test "${golden_sha1}" = "${actual_sha1}"
+}
+
+run_cmds() {
+    local base64_blob="$1"
+    local cmd_shell="${2:-$DEFAULT_COMMAND_SHELL}"
+    local record_file="${3:-$DEFAULT_RECORD_FILE}"
+    (
+        base64 -d | tee -a ${record_file} | ${cmd_shell} -
+    ) <<RUN_EOS
+${base64_blob}
+RUN_EOS
+}
+
+main() {
+    set -xv
+    local flag="$1"
+    local should_run=$FALSE
+    shift
+
+    if [ -z "${flag}" ]; then
+        exit_with_usage
+    fi
+
+    case $flag in
+        --print_base64)
+            declare -r raw_cmds=$(value_or_stdin "$1")
+            declare -r base64_blob=$(base64_encode_cmds "${raw_cmds}")
+            validate_base64_blob "${base64_blob}"
+
+            printf $base64_blob
+            exit $SUCCESS
+            ;;
+        --print_checksum)
+            declare -r base64_blob=$(value_or_stdin "$1")
+            validate_base64_blob "${base64_blob}"
+
+            printf $(print_checksum "${base64_blob}")
+            exit $SUCCESS
+            ;;
+	--check)
+            declare -r base64_blob=$(value_or_stdin "$1")
+            declare -r golden_sha1="$2"
+            shift
+            shift
+            ;;
+	--run)
+            should_run=$TRUE
+            declare -r base64_blob=$(value_or_stdin "$1")
+            declare -r golden_sha1="$2"
+            shift
+            shift
+
+            while (( "$#" >= 2 )); do
+                case "$1" in
+                    --cmd_shell)
+                        declare -r cmd_shell="$2"
+                        shift
+                        shift
+                        ;;
+                    --record_file)
+                        declare -r record_file="$2"
+                        shift
+                        shift
+                        ;;
+                    *)
+                        echo "unknown arg for --run: ${1}" 1>&2
+                        exit_with_usage
+                        shift
+                        ;;
+                esac
+                shift
+            done
+            ;;
+	*)
+            exit_with_usage
+	    ;;
+    esac
+
+    validate_arg_is_present "${base64_blob}" "missing base64_blob"
+    validate_arg_is_present "${golden_sha1}" "missing golden_sha1"
+    validate_base64_blob "${base64_blob}"
+
+    if ! (check_cmds "${base64_blob}" "${golden_sha1}"); then
+        echo "checksum failed, expected ${golden_sha1}" 1>&2
+        exit $EXIT_BAD_CHECKSUM
+    fi
+
+    if [ "${should_run}" -eq $TRUE ]; then
+        echo "running commands" 1>&2
+        run_cmds "${base64_blob}" "${cmd_shell}" "${record_file}"
+    fi
+}
+
+main "$@"