mcollective-client 1.3.3

data/lib/mcollective/security.rb

@@ -0,0 +1,26 @@
+module MCollective
+  # Security is implimented using a module structure and installations
+  # can configure which module they want to use.
+  #
+  # Security modules deal with various aspects of authentication and authorization:
+  #
+  # - Determines if a filter excludes this host from dealing with a request
+  # - Serialization and Deserialization of messages
+  # - Validation of messages against keys, certificates or whatever the class choose to impliment
+  # - Encoding and Decoding of messages
+  #
+  # To impliment a new security class using SSL for example you would inherit from the base
+  # class and only impliment:
+  #
+  # - decodemsg
+  # - encodereply
+  # - encoderequest
+  # - validrequest?
+  #
+  # Each of these methods should increment various stats counters, see the default MCollective::Security::Psk module for examples of this
+  #
+  # Filtering can be extended by providing a new validate_filter? method.
+  module Security
+    autoload :Base, "mcollective/security/base"
+  end
+end

data/lib/mcollective/security/base.rb

@@ -0,0 +1,237 @@
+module MCollective
+  module Security
+    # This is a base class the other security modules should inherit from
+    # it handles statistics and validation of messages that should in most
+    # cases apply to all security models.
+    #
+    # To create your own security plugin you should provide a plugin that inherits
+    # from this and provides the following methods:
+    #
+    # decodemsg      - Decodes a message that was received from the middleware
+    # encodereply    - Encodes a reply message to a previous request message
+    # encoderequest  - Encodes a new request message
+    # validrequest?  - Validates a request received from the middleware
+    #
+    # Optionally if you are identifying users by some other means like certificate name
+    # you can provide your own callerid method that can provide the rest of the system
+    # with an id, and you would see this id being usable in SimpleRPC authorization methods
+    #
+    # The @initiated_by variable will be set to either :client or :node depending on
+    # who is using this plugin.  This is to help security providers that operate in an
+    # asymetric mode like public/private key based systems.
+    #
+    # Specifics of each of these are a bit fluid and the interfaces for this is not
+    # set in stone yet, specifically the encode methods will be provided with a helper
+    # that takes care of encoding the core requirements.  The best place to see how security
+    # works is by looking at the provided MCollective::Security::PSK plugin.
+    class Base
+      attr_reader :stats
+      attr_accessor :initiated_by
+
+      # Register plugins that inherits base
+      def self.inherited(klass)
+        PluginManager << {:type => "security_plugin", :class => klass.to_s}
+      end
+
+      # Initializes configuration and logging as well as prepare a zero'd hash of stats
+      # various security methods and filter validators should increment stats, see MCollective::Security::Psk for a sample
+      def initialize
+        @config = Config.instance
+        @log = Log
+        @stats = PluginManager["global_stats"]
+      end
+
+      # Takes a Hash with a filter in it and validates it against host information.
+      #
+      # At present this supports filter matches against the following criteria:
+      #
+      # - puppet_class|cf_class - Presence of a configuration management class in
+      #                           the file configured with classesfile
+      # - agent - Presence of a MCollective agent with a supplied name
+      # - fact - The value of a fact avout this system
+      # - identity - the configured identity of the system
+      #
+      # TODO: Support REGEX and/or multiple filter keys to be AND'd
+      def validate_filter?(filter)
+        failed = 0
+        passed = 0
+
+        passed = 1 if Util.empty_filter?(filter)
+
+        filter.keys.each do |key|
+          case key
+          when /puppet_class|cf_class/
+            filter[key].each do |f|
+              Log.debug("Checking for class #{f}")
+              if Util.has_cf_class?(f) then
+                Log.debug("Passing based on configuration management class #{f}")
+                passed += 1
+              else
+                Log.debug("Failing based on configuration management class #{f}")
+                failed += 1
+              end
+            end
+
+          when "compound"
+            filter[key].each do |compound|
+              result = []
+
+              compound.each do |expression|
+                case expression.keys.first
+                when "statement"
+                  result << Util.eval_compound_statement(expression).to_s
+                when "and"
+                  result << "&&"
+                when "or"
+                  result << "||"
+                when "("
+                  result << "("
+                when ")"
+                  result << ")"
+                when "not"
+                  result << "!"
+                end
+              end
+
+              result = eval(result.join(" "))
+
+              if result
+                Log.debug("Passing based on class and fact composition")
+                passed +=1
+              else
+                Log.debug("Failing based on class and fact composition")
+                failed +=1
+              end
+            end
+
+          when "agent"
+            filter[key].each do |f|
+              if Util.has_agent?(f) || f == "mcollective"
+                Log.debug("Passing based on agent #{f}")
+                passed += 1
+              else
+                Log.debug("Failing based on agent #{f}")
+                failed += 1
+              end
+            end
+
+          when "fact"
+            filter[key].each do |f|
+              if Util.has_fact?(f[:fact], f[:value], f[:operator])
+                Log.debug("Passing based on fact #{f[:fact]} #{f[:operator]} #{f[:value]}")
+                passed += 1
+              else
+                Log.debug("Failing based on fact #{f[:fact]} #{f[:operator]} #{f[:value]}")
+                failed += 1
+              end
+            end
+
+          when "identity"
+            unless filter[key].empty?
+              # Identity filters should not be 'and' but 'or' as each node can only have one identity
+              matched = filter[key].select{|f| Util.has_identity?(f)}.size
+
+              if matched == 1
+                Log.debug("Passing based on identity")
+                passed += 1
+              else
+                Log.debug("Failed based on identity")
+                failed += 1
+              end
+            end
+          end
+        end
+
+        if failed == 0 && passed > 0
+          Log.debug("Message passed the filter checks")
+
+          @stats.passed
+
+          return true
+        else
+          Log.debug("Message failed the filter checks")
+
+          @stats.filtered
+
+          return false
+        end
+      end
+
+      def create_reply(reqid, agent, body)
+        Log.debug("Encoded a message for request #{reqid}")
+
+        {:senderid => @config.identity,
+          :requestid => reqid,
+          :senderagent => agent,
+          :msgtime => Time.now.utc.to_i,
+          :body => body}
+      end
+
+      def create_request(reqid, filter, msg, initiated_by, target_agent, target_collective, ttl=60)
+        Log.debug("Encoding a request for agent '#{target_agent}' in collective #{target_collective} with request id #{reqid}")
+
+        {:body => msg,
+          :senderid => @config.identity,
+          :requestid => reqid,
+          :filter => filter,
+          :collective => target_collective,
+          :agent => target_agent,
+          :callerid => callerid,
+          :ttl => ttl,
+          :msgtime => Time.now.utc.to_i}
+      end
+
+      # Give a MC::Message instance and a message id this will figure out if you the incoming
+      # message id matches the one the Message object is expecting and raise if its not
+      #
+      # Mostly used by security plugins to figure out if they should do the hard work of decrypting
+      # etc messages that would only later on be ignored
+      def should_process_msg?(msg, msgid)
+        if msg.expected_msgid
+          unless msg.expected_msgid == msgid
+            msgtext = "Got a message with id %s but was expecting %s, ignoring message" % [msgid, msg.expected_msgid]
+            Log.debug msgtext
+            raise MsgDoesNotMatchRequestID, msgtext
+          end
+        end
+
+        true
+      end
+
+      # Validates a callerid.  We do not want to allow things like \ and / in
+      # callerids since other plugins make assumptions that these are safe strings.
+      #
+      # callerids are generally in the form uid=123 or cert=foo etc so we do that
+      # here but security plugins could override this for some complex uses
+      def valid_callerid?(id)
+        !!id.match(/^[\w]+=[\w\.\-]+$/)
+      end
+
+      # Returns a unique id for the caller, by default we just use the unix
+      # user id, security plugins can provide their own means of doing ids.
+      def callerid
+        "uid=#{Process.uid}"
+      end
+
+      # Security providers should provide this, see MCollective::Security::Psk
+      def validrequest?(req)
+        Log.error("validrequest? is not implimented in #{self.class}")
+      end
+
+      # Security providers should provide this, see MCollective::Security::Psk
+      def encoderequest(sender, msg, filter={})
+        Log.error("encoderequest is not implimented in #{self.class}")
+      end
+
+      # Security providers should provide this, see MCollective::Security::Psk
+      def encodereply(sender, msg, requestcallerid=nil)
+        Log.error("encodereply is not implimented in #{self.class}")
+      end
+
+      # Security providers should provide this, see MCollective::Security::Psk
+      def decodemsg(msg)
+        Log.error("decodemsg is not implimented in #{self.class}")
+      end
+    end
+  end
+end

data/lib/mcollective/shell.rb

@@ -0,0 +1,87 @@
+module MCollective
+  # Wrapper around systemu that handles executing of system commands
+  # in a way that makes stdout, stderr and status available.  Supports
+  # timeouts and sets a default sane environment.
+  #
+  #   s = Shell.new("date", opts)
+  #   s.runcommand
+  #   puts s.stdout
+  #   puts s.stderr
+  #   puts s.status.exitcode
+  #
+  # Options hash can have:
+  #
+  #   cwd         - the working directory the command will be run from
+  #   stdin       - a string that will be sent to stdin of the program
+  #   stdout      - a variable that will receive stdout, must support <<
+  #   stderr      - a variable that will receive stdin, must support <<
+  #   environment - the shell environment, defaults to include LC_ALL=C
+  #                 set to nil to clear the environment even of LC_ALL
+  #
+  class Shell
+    attr_reader :environment, :command, :status, :stdout, :stderr, :stdin, :cwd
+
+    def initialize(command, options={})
+      @environment = {"LC_ALL" => "C"}
+      @command = command
+      @status = nil
+      @stdout = ""
+      @stderr = ""
+      @stdin = nil
+      @cwd = Dir.tmpdir
+
+      options.each do |opt, val|
+        case opt.to_s
+          when "stdout"
+            raise "stdout should support <<" unless val.respond_to?("<<")
+            @stdout = val
+
+          when "stderr"
+            raise "stderr should support <<" unless val.respond_to?("<<")
+            @stderr = val
+
+          when "stdin"
+            raise "stdin should be a String" unless val.is_a?(String)
+            @stdin = val
+
+          when "cwd"
+            raise "Directory #{val} does not exist" unless File.directory?(val)
+            @cwd = val
+
+          when "environment"
+            if val.nil?
+              @environment = {}
+            else
+              @environment.merge!(val.dup)
+            end
+        end
+      end
+    end
+
+    # Actually does the systemu call passing in the correct environment, stdout and stderr
+    def runcommand
+      opts = {"env"    => @environment,
+              "stdout" => @stdout,
+              "stderr" => @stderr,
+              "cwd"    => @cwd}
+
+      opts["stdin"] = @stdin if @stdin
+
+      # Running waitpid on the cid here will start a thread
+      # with the waitpid in it, this way even if the thread
+      # that started this process gets killed due to agent
+      # timeout or such there will still be a waitpid waiting
+      # for the child to exit and not leave zombies.
+      @status = systemu(@command, opts) do |cid|
+        begin
+          sleep 1
+          Process::waitpid(cid)
+        rescue SystemExit
+        rescue Errno::ECHILD
+        rescue Exception => e
+          Log.info("Unexpected exception received while waiting for child process: #{e.class}: #{e}")
+        end
+      end
+    end
+  end
+end

data/lib/mcollective/ssl.rb

@@ -0,0 +1,246 @@
+require 'openssl'
+require 'base64'
+require 'digest/sha1'
+
+module MCollective
+  # A class that assists in encrypting and decrypting data using a
+  # combination of RSA and AES
+  #
+  # Data will be AES encrypted for speed, the Key used in # the AES
+  # stage will be encrypted using RSA
+  #
+  #   ssl = SSL.new(public_key, private_key, passphrase)
+  #
+  #   data = File.read("largefile.dat")
+  #
+  #   crypted_data = ssl.encrypt_with_private(data)
+  #
+  #   pp crypted_data
+  #
+  # This will result in a hash of data like:
+  #
+  #   crypted = {:key  => "crd4NHvG....=",
+  #              :data => "XWXlqN+i...=="}
+  #
+  # The key and data will all be base 64 encoded already by default
+  # you can pass a 2nd parameter as false to encrypt_with_private and
+  # counterparts that will prevent the base 64 encoding
+  #
+  # You can pass the data hash into ssl.decrypt_with_public which
+  # should return your original data
+  #
+  # There are matching methods for using a public key to encrypt
+  # data to be decrypted using a private key
+  class SSL
+    attr_reader :public_key_file, :private_key_file, :ssl_cipher
+
+    def initialize(pubkey=nil, privkey=nil, passphrase=nil, cipher=nil)
+      @public_key_file = pubkey
+      @private_key_file = privkey
+
+      @public_key  = read_key(:public, pubkey)
+      @private_key = read_key(:private, privkey, passphrase)
+
+      @ssl_cipher = "aes-256-cbc"
+      @ssl_cipher = Config.instance.ssl_cipher if Config.instance.ssl_cipher
+      @ssl_cipher = cipher if cipher
+
+      raise "The supplied cipher '#{@ssl_cipher}' is not supported" unless OpenSSL::Cipher.ciphers.include?(@ssl_cipher)
+    end
+
+    # Encrypts supplied data using AES and then encrypts using RSA
+    # the key and IV
+    #
+    # Return a hash with everything optionally base 64 encoded
+    def encrypt_with_public(plain_text, base64=true)
+      crypted = aes_encrypt(plain_text)
+
+      if base64
+        key = base64_encode(rsa_encrypt_with_public(crypted[:key]))
+        data = base64_encode(crypted[:data])
+      else
+        key = rsa_encrypt_with_public(crypted[:key])
+        data = crypted[:data]
+      end
+
+      {:key => key, :data => data}
+    end
+
+    # Encrypts supplied data using AES and then encrypts using RSA
+    # the key and IV
+    #
+    # Return a hash with everything optionally base 64 encoded
+    def encrypt_with_private(plain_text, base64=true)
+      crypted = aes_encrypt(plain_text)
+
+      if base64
+        key = base64_encode(rsa_encrypt_with_private(crypted[:key]))
+        data = base64_encode(crypted[:data])
+      else
+        key = rsa_encrypt_with_private(crypted[:key])
+        data = crypted[:data]
+      end
+
+      {:key => key, :data => data}
+    end
+
+    # Decrypts data, expects a hash as create with crypt_with_public
+    def decrypt_with_private(crypted, base64=true)
+      raise "Crypted data should include a key" unless crypted.include?(:key)
+      raise "Crypted data should include data" unless crypted.include?(:data)
+
+      if base64
+        key = rsa_decrypt_with_private(base64_decode(crypted[:key]))
+        aes_decrypt(key, base64_decode(crypted[:data]))
+      else
+        key = rsa_decrypt_with_private(crypted[:key])
+        aes_decrypt(key, crypted[:data])
+      end
+    end
+
+    # Decrypts data, expects a hash as create with crypt_with_private
+    def decrypt_with_public(crypted, base64=true)
+      raise "Crypted data should include a key" unless crypted.include?(:key)
+      raise "Crypted data should include data" unless crypted.include?(:data)
+
+      if base64
+        key = rsa_decrypt_with_public(base64_decode(crypted[:key]))
+        aes_decrypt(key, base64_decode(crypted[:data]))
+      else
+        key = rsa_decrypt_with_public(crypted[:key])
+        aes_decrypt(key, crypted[:data])
+      end
+    end
+
+    # Use the public key to RSA encrypt data
+    def rsa_encrypt_with_public(plain_string)
+      raise "No public key set" unless @public_key
+
+      @public_key.public_encrypt(plain_string)
+    end
+
+    # Use the private key to RSA decrypt data
+    def rsa_decrypt_with_private(crypt_string)
+      raise "No private key set" unless @private_key
+
+      @private_key.private_decrypt(crypt_string)
+    end
+
+    # Use the private key to RSA encrypt data
+    def rsa_encrypt_with_private(plain_string)
+      raise "No private key set" unless @private_key
+
+      @private_key.private_encrypt(plain_string)
+    end
+
+    # Use the public key to RSA decrypt data
+    def rsa_decrypt_with_public(crypt_string)
+      raise "No public key set" unless @public_key
+
+      @public_key.public_decrypt(crypt_string)
+    end
+
+    # encrypts a string, returns a hash of key, iv and data
+    def aes_encrypt(plain_string)
+      cipher = OpenSSL::Cipher::Cipher.new(ssl_cipher)
+      cipher.encrypt
+
+      key = cipher.random_key
+
+      cipher.key = key
+      cipher.pkcs5_keyivgen(key)
+      encrypted_data = cipher.update(plain_string) + cipher.final
+
+      {:key => key, :data => encrypted_data}
+    end
+
+    # decrypts a string given key, iv and data
+    def aes_decrypt(key, crypt_string)
+      cipher = OpenSSL::Cipher::Cipher.new(ssl_cipher)
+
+      cipher.decrypt
+      cipher.key = key
+      cipher.pkcs5_keyivgen(key)
+      decrypted_data = cipher.update(crypt_string) + cipher.final
+    end
+
+    # Signs a string using the private key
+    def sign(string, base64=false)
+      sig = @private_key.sign(OpenSSL::Digest::SHA1.new, string)
+
+      base64 ? base64_encode(sig) : sig
+    end
+
+    # Using the public key verifies that a string was signed using the private key
+    def verify_signature(signature, string, base64=false)
+      signature = base64_decode(signature) if base64
+
+      @public_key.verify(OpenSSL::Digest::SHA1.new, signature, string)
+    end
+
+    # base 64 encode a string
+    def base64_encode(string)
+      SSL.base64_encode(string)
+    end
+
+    def self.base64_encode(string)
+      Base64.encode64(string)
+    end
+
+    # base 64 decode a string
+    def base64_decode(string)
+      SSL.base64_decode(string)
+    end
+
+    def self.base64_decode(string)
+      Base64.decode64(string)
+    end
+
+    def md5(string)
+      SSL.md5(string)
+    end
+
+    def self.md5(string)
+      Digest::MD5.hexdigest(string)
+    end
+
+    # Reads either a :public or :private key from disk, uses an
+    # optional passphrase to read the private key
+    def read_key(type, key=nil, passphrase=nil)
+      return key if key.nil?
+
+      raise "Could not find key #{key}" unless File.exist?(key)
+
+      if type == :public
+        begin
+          key = OpenSSL::PKey::RSA.new(File.read(key))
+        rescue OpenSSL::PKey::RSAError
+          key = OpenSSL::X509::Certificate.new(File.read(key)).public_key
+        end
+
+        # Ruby < 1.9.3 had a bug where it does not correctly clear the
+        # queue of errors while reading a key.  It tries various ways
+        # to read the key and each failing attempt pushes an error onto
+        # the queue.  With pubkeys only the 3rd attempt pass leaving 2
+        # stale errors on the error queue.
+        #
+        # In 1.9.3 they fixed this by simply discarding the errors after
+        # every attempt.  So we simulate this fix here for older rubies
+        # as without it we get SSL_read errors from the Stomp+TLS sessions
+        #
+        # We do this only on 1.8 relying on 1.9.3 to do the right thing
+        # and we do not support 1.9 less than 1.9.3
+        #
+        # See  http://bugs.ruby-lang.org/issues/4550
+        OpenSSL.errors if Util.ruby_version =~ /^1.8/
+
+        return key
+      elsif type == :private
+        return OpenSSL::PKey::RSA.new(File.read(key), passphrase)
+      else
+        raise "Can only load :public or :private keys"
+      end
+    end
+
+  end
+end