RubyGems - mcollective-client - Versions diffs - 2.7.0 → 2.8.0 - Mend

mcollective-client 2.7.0 → 2.8.0

Files changed (186) hide show

data/lib/mcollective/security/psk.rb ADDED Viewed

@@ -0,0 +1,117 @@
+module MCollective
+  module Security
+    # Impliments message authentication using digests and shared keys
+    #
+    # You should configure a psk in the configuration file and all requests
+    # will be validated for authenticity with this.
+    #
+    # Serialization uses Marshal, this is the default security module that is
+    # supported out of the box.
+    #
+    # Validation is as default and is provided by MCollective::Security::Base
+    #
+    # You can configure the caller id being created, this can adjust how you
+    # create authorization plugins.  For example you can use a unix group instead
+    # of uid to do authorization.
+    class Psk < Base
+      require 'etc'
+      # Decodes a message by unserializing all the bits etc, it also validates
+      # it as valid using the psk etc
+      def decodemsg(msg)
+        body = Marshal.load(msg.payload)
+        should_process_msg?(msg, body[:requestid])
+        if validrequest?(body)
+          body[:body] = Marshal.load(body[:body])
+          return body
+        else
+          nil
+        end
+      end
+      # Encodes a reply
+      def encodereply(sender, msg, requestid, requestcallerid=nil)
+        serialized  = Marshal.dump(msg)
+        digest = makehash(serialized)
+        req = create_reply(requestid, sender, serialized)
+        req[:hash] = digest
+        Marshal.dump(req)
+      end
+      # Encodes a request msg
+      def encoderequest(sender, msg, requestid, filter, target_agent, target_collective, ttl=60)
+        serialized = Marshal.dump(msg)
+        digest = makehash(serialized)
+        req = create_request(requestid, filter, serialized, @initiated_by, target_agent, target_collective, ttl)
+        req[:hash] = digest
+        Marshal.dump(req)
+      end
+      # Checks the md5 hash in the request body against our psk, the request sent for validation
+      # should not have been deserialized already
+      def validrequest?(req)
+        digest = makehash(req[:body])
+        if digest == req[:hash]
+          @stats.validated
+          return true
+        else
+          @stats.unvalidated
+          raise(SecurityValidationFailed, "Received an invalid signature in message")
+        end
+      end
+      def callerid
+        if @config.pluginconf.include?("psk.callertype")
+          callertype = @config.pluginconf["psk.callertype"].to_sym if @config.pluginconf.include?("psk.callertype")
+        else
+          callertype = :uid
+        end
+        case callertype
+          when :gid
+            id  = "gid=#{Process.gid}"
+          when :group
+            raise "Cannot use the 'group' callertype for the PSK security plugin on the Windows platform" if Util.windows?
+            id = "group=#{Etc.getgrgid(Process.gid).name}"
+          when :user
+            id = "user=#{Etc.getlogin}"
+          when :identity
+            id = "identity=#{@config.identity}"
+          else
+            id ="uid=#{Process.uid}"
+        end
+        Log.debug("Setting callerid to #{id} based on callertype=#{callertype}")
+        id
+      end
+      private
+      # Retrieves the value of plugin.psk and builds a hash with it and the passed body
+      def makehash(body)
+        if ENV.include?("MCOLLECTIVE_PSK")
+          psk = ENV["MCOLLECTIVE_PSK"]
+        else
+          raise("No plugin.psk configuration option specified") unless @config.pluginconf.include?("psk")
+          psk = @config.pluginconf["psk"]
+        end
+        Digest::MD5.hexdigest(body.to_s + psk)
+      end
+    end
+  end
+end

data/lib/mcollective/security/ssl.rb ADDED Viewed

@@ -0,0 +1,328 @@
+require 'base64'
+require 'openssl'
+module MCollective
+  module Security
+    # Impliments a public/private key based message validation system using SSL
+    # public and private keys.
+    #
+    # The design goal of the plugin is two fold:
+    #
+    # - give different security credentials to clients and servers to avoid
+    #   a compromised server from sending new client requests.
+    # - create a token that uniquely identify the client - based on the filename
+    #   of the public key
+    #
+    # To setup you need to create a SSL key pair that is shared by all nodes.
+    #
+    #   openssl genrsa -out mcserver-private.pem 1024
+    #   openssl rsa -in mcserver-private.pem -out mcserver-public.pem -outform PEM -pubout
+    #
+    # Distribute the private and public file to /etc/mcollective/ssl on all the nodes.
+    # Distribute the public file to /etc/mcollective/ssl everywhere the client code runs.
+    #
+    # Now you should create a key pair for every one of your clients, here we create one
+    # for user john - you could also if you are less concerned with client id create one
+    # pair and share it with all clients:
+    #
+    #   openssl genrsa -out john-private.pem 1024
+    #   openssl rsa -in john-private.pem -out john-public.pem -outform PEM -pubout
+    #
+    # Each user has a unique userid, this is based on the name of the public key.
+    # In this example case the userid would be 'john-public'.
+    #
+    # Store these somewhere like:
+    #
+    #     /home/john/.mc/john-private.pem
+    #     /home/john/.mc/john-public.pem
+    #
+    # Every users public key needs to be distributed to all the nodes, save the john one
+    # in a file called:
+    #
+    #   /etc/mcollective/ssl/clients/john-public.pem
+    #
+    # If you wish to use registration or auditing that sends connections over MC to a
+    # central host you will need also put the server-public.pem in the clients directory.
+    #
+    # You should be aware if you do add the node public key to the clients dir you will in
+    # effect be weakening your overall security.  You should consider doing this only if
+    # you also set up an Authorization method that limits the requests the nodes can make.
+    #
+    # client.cfg:
+    #
+    #   securityprovider = ssl
+    #   plugin.ssl_server_public = /etc/mcollective/ssl/server-public.pem
+    #   plugin.ssl_client_private = /home/john/.mc/john-private.pem
+    #   plugin.ssl_client_public = /home/john/.mc/john-public.pem
+    #
+    # If you have many clients per machine and dont want to configure the main config file
+    # with the public/private keys you can set the following environment variables:
+    #
+    #   export MCOLLECTIVE_SSL_PRIVATE=/home/john/.mc/john-private.pem
+    #   export MCOLLECTIVE_SSL_PUBLIC=/home/john/.mc/john-public.pem
+    #
+    # server.cfg:
+    #
+    #   securityprovider = ssl
+    #   plugin.ssl_server_private = /etc/mcollective/ssl/server-private.pem
+    #   plugin.ssl_server_public = /etc/mcollective/ssl/server-public.pem
+    #   plugin.ssl_client_cert_dir = /etc/mcollective/etc/ssl/clients/
+    #
+    #   # Log but accept messages that may have been tampered with
+    #   plugin.ssl.enforce_ttl = 0
+    #
+    # Serialization can be configured to use either Marshal or YAML, data types
+    # in and out of mcollective will be preserved from client to server and reverse
+    #
+    # You can configure YAML serialization:
+    #
+    #    plugins.ssl_serializer = yaml
+    #
+    # else the default is Marshal.  Use YAML if you wish to write a client using
+    # a language other than Ruby that doesn't support Marshal.
+    #
+    # Validation is as default and is provided by MCollective::Security::Base
+    #
+    # Initial code was contributed by Vladimir Vuksan and modified by R.I.Pienaar
+    class Ssl < Base
+      # Decodes a message by unserializing all the bits etc, it also validates
+      # it as valid using the psk etc
+      def decodemsg(msg)
+        body = deserialize(msg.payload)
+        should_process_msg?(msg, body[:requestid])
+        if validrequest?(body)
+          body[:body] = deserialize(body[:body])
+          unless @initiated_by == :client
+            if body[:body].is_a?(Hash)
+              update_secure_property(body, :ssl_ttl, :ttl, "TTL")
+              update_secure_property(body, :ssl_msgtime, :msgtime, "Message Time")
+              body[:body] = body[:body][:ssl_msg] if body[:body].include?(:ssl_msg)
+            else
+              unless @config.pluginconf["ssl.enforce_ttl"] == nil
+                raise "Message %s is in an unknown or older security protocol, ignoring" % [request_description(body)]
+              end
+            end
+          end
+          return body
+        else
+          nil
+        end
+      end
+      # To avoid tampering we turn the origin body into a hash and copy some of the protocol keys
+      # like :ttl and :msg_time into the hash before hashing it.
+      #
+      # This function compares and updates the unhashed ones based on the hashed ones.  By
+      # default it enforces matching and presense by raising exceptions, if ssl.enforce_ttl is set
+      # to 0 it will only log warnings about violations
+      def update_secure_property(msg, secure_property, property, description)
+        req = request_description(msg)
+        unless @config.pluginconf["ssl.enforce_ttl"] == "0"
+          raise "Request #{req} does not have a secure #{description}" unless msg[:body].include?(secure_property)
+          raise "Request #{req} #{description} does not match encrypted #{description} - possible tampering"  unless msg[:body][secure_property] == msg[property]
+        else
+          if msg[:body].include?(secure_property)
+            Log.warn("Request #{req} #{description} does not match encrypted #{description} - possible tampering") unless msg[:body][secure_property] == msg[property]
+          else
+            Log.warn("Request #{req} does not have a secure #{description}") unless msg[:body].include?(secure_property)
+          end
+        end
+        msg[property] = msg[:body][secure_property] if msg[:body].include?(secure_property)
+        msg[:body].delete(secure_property)
+      end
+      # Encodes a reply
+      def encodereply(sender, msg, requestid, requestcallerid=nil)
+        serialized  = serialize(msg)
+        digest = makehash(serialized)
+        req = create_reply(requestid, sender, serialized)
+        req[:hash] = digest
+        serialize(req)
+      end
+      # Encodes a request msg
+      def encoderequest(sender, msg, requestid, filter, target_agent, target_collective, ttl=60)
+        req = create_request(requestid, filter, "", @initiated_by, target_agent, target_collective, ttl)
+        ssl_msg = {:ssl_msg => msg,
+                   :ssl_ttl => ttl,
+                   :ssl_msgtime => req[:msgtime]}
+        serialized = serialize(ssl_msg)
+        digest = makehash(serialized)
+        req[:hash] = digest
+        req[:body] = serialized
+        serialize(req)
+      end
+      # Checks the SSL signature in the request body
+      def validrequest?(req)
+        message = req[:body]
+        signature = req[:hash]
+        Log.debug("Validating request from #{req[:callerid]}")
+        if verify(public_key_file(req[:callerid]), signature, message.to_s)
+          @stats.validated
+          return true
+        else
+          @stats.unvalidated
+          raise(SecurityValidationFailed, "Received an invalid signature in message")
+        end
+      end
+      # sets the caller id to the md5 of the public key
+      def callerid
+        if @initiated_by == :client
+          id = "cert=#{File.basename(client_public_key).gsub(/\.pem$/, '')}"
+          raise "Invalid callerid generated from client public key" unless valid_callerid?(id)
+        else
+          # servers need to set callerid as well, not usually needed but
+          # would be if you're doing registration or auditing or generating
+          # requests for some or other reason
+          id = "cert=#{File.basename(server_public_key).gsub(/\.pem$/, '')}"
+          raise "Invalid callerid generated from server public key" unless valid_callerid?(id)
+        end
+        return id
+      end
+      private
+      # Serializes a message using the configured encoder
+      def serialize(msg)
+        serializer = @config.pluginconf["ssl_serializer"] || "marshal"
+        Log.debug("Serializing using #{serializer}")
+        case serializer
+          when "yaml"
+            return YAML.dump(msg)
+          else
+            return Marshal.dump(msg)
+        end
+      end
+      # De-Serializes a message using the configured encoder
+      def deserialize(msg)
+        serializer = @config.pluginconf["ssl_serializer"] || "marshal"
+        Log.debug("De-Serializing using #{serializer}")
+        case serializer
+        when "yaml"
+          return YAML.load(msg)
+        else
+          return Marshal.load(msg)
+        end
+      end
+      # Figures out where to get our private key
+      def private_key_file
+        if ENV.include?("MCOLLECTIVE_SSL_PRIVATE")
+          return ENV["MCOLLECTIVE_SSL_PRIVATE"]
+        else
+          if @initiated_by == :node
+            return server_private_key
+          else
+            return client_private_key
+          end
+        end
+      end
+      # Figures out the public key to use
+      #
+      # If the node is asking do it based on caller id
+      # If the client is asking just get the node public key
+      def public_key_file(callerid = nil)
+        if @initiated_by == :client
+          return server_public_key
+        else
+          if callerid =~ /cert=([\w\.\-]+)/
+            cid = $1
+            if File.exist?("#{client_cert_dir}/#{cid}.pem")
+              return "#{client_cert_dir}/#{cid}.pem"
+            else
+              raise("Could not find a public key for #{cid} in #{client_cert_dir}/#{cid}.pem")
+            end
+          else
+            raise("Caller id is not in the expected format")
+          end
+        end
+      end
+      # Figures out the client private key either from MCOLLECTIVE_SSL_PRIVATE or the
+      # plugin.ssl_client_private config option
+      def client_private_key
+        return ENV["MCOLLECTIVE_SSL_PRIVATE"] if ENV.include?("MCOLLECTIVE_SSL_PRIVATE")
+        raise("No plugin.ssl_client_private configuration option specified") unless @config.pluginconf.include?("ssl_client_private")
+        return @config.pluginconf["ssl_client_private"]
+      end
+      # Figures out the client public key either from MCOLLECTIVE_SSL_PUBLIC or the
+      # plugin.ssl_client_public config option
+      def client_public_key
+        return ENV["MCOLLECTIVE_SSL_PUBLIC"] if ENV.include?("MCOLLECTIVE_SSL_PUBLIC")
+        raise("No plugin.ssl_client_public configuration option specified") unless @config.pluginconf.include?("ssl_client_public")
+        return @config.pluginconf["ssl_client_public"]
+      end
+      # Figures out the server private key from the plugin.ssl_server_private config option
+      def server_private_key
+        raise("No plugin.ssl_server_private configuration option specified") unless @config.pluginconf.include?("ssl_server_private")
+        @config.pluginconf["ssl_server_private"]
+      end
+      # Figures out the server public key from the plugin.ssl_server_public config option
+      def server_public_key
+        raise("No ssl_server_public configuration option specified") unless @config.pluginconf.include?("ssl_server_public")
+        return @config.pluginconf["ssl_server_public"]
+      end
+      # Figures out where to get client public certs from the plugin.ssl_client_cert_dir config option
+      def client_cert_dir
+        raise("No plugin.ssl_client_cert_dir configuration option specified") unless @config.pluginconf.include?("ssl_client_cert_dir")
+        @config.pluginconf["ssl_client_cert_dir"]
+      end
+      # Retrieves the value of plugin.psk and builds a hash with it and the passed body
+      def makehash(body)
+        Log.debug("Creating message hash using #{private_key_file}")
+        sign(private_key_file, body.to_s)
+      end
+      # Code adapted from http://github.com/adamcooke/basicssl
+      # signs a message
+      def sign(key, string)
+        SSL.new(nil, key).sign(string, true)
+      end
+      # verifies a signature
+      def verify(key, signature, string)
+        SSL.new(key).verify_signature(signature, string, true)
+      end
+      def request_description(msg)
+        "%s from %s@%s" % [msg[:requestid], msg[:callerid], msg[:senderid]]
+      end
+    end
+  end
+end

data/lib/mcollective/security.rb CHANGED Viewed

@@ -21,6 +21,6 @@ module MCollective
   #
   # Filtering can be extended by providing a new validate_filter? method.
   module Security
-    autoload :Base, "mcollective/security/base"
+    require "mcollective/security/base"
   end
 end

data/lib/mcollective/util.rb CHANGED Viewed

@@ -155,28 +155,28 @@ module MCollective
     # Picks a config file defaults to ~/.mcollective
     # else /etc/mcollective/client.cfg
     def self.config_file_for_user
-      # expand_path is pretty lame, it relies on HOME environment
-      # which isnt't always there so just handling all exceptions
-      # here as cant find reverting to default
+      # the set of acceptable config files
+      config_paths = []
+      # user dotfile
       begin
-        config = File.expand_path("~/.mcollective")
+        # File.expand_path will raise if HOME isn't set, catch it
+        user_path = File.expand_path("~/.mcollective")
+        config_paths << user_path
+      rescue Exception
+      end
-        unless File.readable?(config) && File.file?(config)
-          if self.windows?
-            config = File.join(self.windows_prefix, "etc", "client.cfg")
-          else
-            config = "/etc/mcollective/client.cfg"
-          end
-        end
-      rescue Exception => e
-        if self.windows?
-          config = File.join(self.windows_prefix, "etc", "client.cfg")
-        else
-          config = "/etc/mcollective/client.cfg"
-        end
+      # standard locations
+      if self.windows?
+        config_paths << File.join(self.windows_prefix, 'etc', 'client.cfg')
+      else
+        config_paths << '/etc/puppetlabs/agent/mcollective/client.cfg'
+        config_paths << '/etc/mcollective/client.cfg'
       end
-      return config
+      # use the first readable config file, or if none are the first listed
+      found = config_paths.find_index { |file| File.readable?(file) } || 0
+      return config_paths[found]
     end
     # Creates a standard options hash

data/lib/mcollective/validator/array_validator.ddl ADDED Viewed

@@ -0,0 +1,7 @@
+metadata    :name        => "Array",
+            :description => "Validates that a value is included in a list",
+            :author      => "P. Loubser <pieter.loubser@puppetlabs.com>",
+            :license     => "ASL 2.0",
+            :version     => "1.0",
+            :url         => "http://marionette-collective.org/",
+            :timeout     => 1

data/lib/mcollective/validator/array_validator.rb ADDED Viewed

@@ -0,0 +1,9 @@
+module MCollective
+  module Validator
+    class ArrayValidator
+      def self.validate(validator, array)
+        raise ValidatorError, "value should be one of %s" % [ array.join(", ") ] unless array.include?(validator)
+      end
+    end
+  end
+end

data/lib/mcollective/validator/ipv4address_validator.ddl ADDED Viewed

@@ -0,0 +1,7 @@
+metadata    :name        => "IPv4 Address",
+            :description => "Validates that a value is an ipv4 address",
+            :author      => "P. Loubser <pieter.loubser@puppetlabs.com>",
+            :license     => "ASL 2.0",
+            :version     => "1.0",
+            :url         => "http://marionette-collective.org/",
+            :timeout     => 1

data/lib/mcollective/validator/ipv4address_validator.rb ADDED Viewed

@@ -0,0 +1,16 @@
+module MCollective
+  module Validator
+    class Ipv4addressValidator
+      require 'ipaddr'
+      def self.validate(validator)
+        begin
+          ip = IPAddr.new(validator)
+          raise ValidatorError, "value should be an ipv4 adddress" unless ip.ipv4?
+        rescue
+          raise ValidatorError, "value should be an ipv4 address"
+        end
+      end
+    end
+  end
+end

data/lib/mcollective/validator/ipv6address_validator.ddl ADDED Viewed

@@ -0,0 +1,7 @@
+metadata    :name        => "IPv6 Address",
+            :description => "Validates that a value is an ipv6 address",
+            :author      => "P. Loubser <pieter.loubser@puppetlabs.com>",
+            :license     => "ASL 2.0",
+            :version     => "1.0",
+            :url         => "http://marionette-collective.org/",
+            :timeout     => 1

data/lib/mcollective/validator/ipv6address_validator.rb ADDED Viewed

@@ -0,0 +1,16 @@
+module MCollective
+  module Validator
+    class Ipv6addressValidator
+      require 'ipaddr'
+      def self.validate(validator)
+        begin
+          ip = IPAddr.new(validator)
+          raise ValidatorError, "value should be an ipv6 adddress" unless ip.ipv6?
+        rescue
+          raise ValidatorError, "value should be an ipv6 address"
+        end
+      end
+    end
+  end
+end

data/lib/mcollective/validator/length_validator.ddl ADDED Viewed

@@ -0,0 +1,7 @@
+metadata    :name        => "Length",
+            :description => "Validates that the length of a string is less or equal to a specified value",
+            :author      => "P. Loubser <pieter.loubser@puppetlabs.com>",
+            :license     => "ASL 2.0",
+            :version     => "1.0",
+            :url         => "http://marionette-collective.org/",
+            :timeout     => 1

data/lib/mcollective/validator/length_validator.rb ADDED Viewed

@@ -0,0 +1,11 @@
+module MCollective
+  module Validator
+    class LengthValidator
+      def self.validate(validator, length)
+        if (validator.size > length) && (length > 0)
+          raise ValidatorError, "Input string is longer than #{length} character(s)"
+        end
+      end
+    end
+  end
+end

data/lib/mcollective/validator/regex_validator.ddl ADDED Viewed

@@ -0,0 +1,7 @@
+metadata    :name        => "Regex",
+            :description => "Validates that a string matches a supplied regular expression",
+            :author      => "P. Loubser <pieter.loubser@puppetlabs.com>",
+            :license     => "ASL 2.0",
+            :version     => "1.0",
+            :url         => "http://marionette-collective.org/",
+            :timeout     => 1

data/lib/mcollective/validator/regex_validator.rb ADDED Viewed

@@ -0,0 +1,9 @@
+module MCollective
+  module Validator
+    class RegexValidator
+      def self.validate(validator, regex)
+        raise ValidatorError, "value should match #{regex}" unless validator.match(regex)
+      end
+    end
+  end
+end

data/lib/mcollective/validator/shellsafe_validator.ddl ADDED Viewed

@@ -0,0 +1,7 @@
+metadata    :name        => "Shellsafe",
+            :description => "Validates that a string is shellsafe",
+            :author      => "P. Loubser <pieter.loubser@puppetlabs.com>",
+            :license     => "ASL 2.0",
+            :version     => "1.0",
+            :url         => "http://marionette-collective.org/",
+            :timeout     => 1

data/lib/mcollective/validator/shellsafe_validator.rb ADDED Viewed

@@ -0,0 +1,13 @@
+module MCollective
+  module Validator
+    class ShellsafeValidator
+      def self.validate(validator)
+        raise ValidatorError, "value should be a String" unless validator.is_a?(String)
+        ['`', '$', ';', '|', '&&', '>', '<'].each do |chr|
+          raise ValidatorError, "value should not have #{chr} in it" if validator.match(Regexp.escape(chr))
+        end
+      end
+    end
+  end
+end

data/lib/mcollective/validator/typecheck_validator.ddl ADDED Viewed

@@ -0,0 +1,7 @@
+metadata    :name        => "Typecheck",
+            :description => "Validates that a value is of a certain type",
+            :author      => "P. Loubser <pieter.loubser@puppetlabs.com>",
+            :license     => "ASL 2.0",
+            :version     => "1.0",
+            :url         => "http://marionette-collective.org/",
+            :timeout     => 1

data/lib/mcollective/validator/typecheck_validator.rb ADDED Viewed

@@ -0,0 +1,28 @@
+module MCollective
+  module Validator
+    class TypecheckValidator
+      def self.validate(validator, validation_type)
+        raise ValidatorError, "value should be a #{validation_type.to_s}" unless check_type(validator, validation_type)
+      end
+      def self.check_type(validator, validation_type)
+        case validation_type
+          when Class
+            validator.is_a?(validation_type)
+          when :integer
+            validator.is_a?(Fixnum)
+          when :float
+            validator.is_a?(Float)
+          when :number
+            validator.is_a?(Numeric)
+          when :string
+            validator.is_a?(String)
+          when :boolean
+            [TrueClass, FalseClass].include?(validator.class)
+          else
+            false
+        end
+      end
+    end
+  end
+end