omf_common 6.0.0 → 6.0.2.pre.1

data/example/ls_app.yaml

@@ -0,0 +1,21 @@
+#
+# Describes how to run simple 'ls' on a node
+#
+create:
+  type: application
+  properties:
+    binary_path: /bin/ls
+    state: running
+    membership: apps
+    #environment: # (Hash) the environment variables to set prior to starting this app.
+    parameters:
+      p1:
+        cmd: -l
+        value: true
+        type: Boolean
+        order: 1
+      p2:
+        cmd: /
+        value: true
+        type: Boolean
+        order: 2        

data/lib/omf_common.rb

@@ -6,7 +6,7 @@ require 'omf_common/measure'
 require 'omf_common/message'
 require 'omf_common/comm'
 require 'omf_common/command'
-require 'omf_common/key'
+require 'omf_common/auth'
 require 'omf_common/core_ext/string'
 require 'omf_common/eventloop'
 
@@ -19,8 +19,9 @@ module OmfCommon
         type: 'em'
       },
       logging: {
-        level: 'debug',
-
+        level: { 
+          default: 'debug'
+        },
         appenders: {
           stdout: {
             date_pattern: '%H:%M:%S',
@@ -35,8 +36,35 @@ module OmfCommon
         type: :em
       },
       logging: {
-        level: 'info',
+        level: { 
+          default: 'info'
+        },
+        appenders: {
+          file: {
+            log_dir: '/var/log',
+            #log_file: 'foo.log',
+            date_pattern: '%F %T %z',
+            pattern: '[%d] %-5l %c: %m\n'
+          }
+        }
 
+      }
+    },
+    daemon: {
+      daemonize: {
+        dir_mode: :script,
+        dir: '/tmp',
+        backtrace: true,
+        log_dir: '/var/log',
+        log_output: true
+      },
+      eventloop: {
+        type: :em
+      },
+      logging: {
+        level: { 
+          default: 'info'
+        },
         appenders: {
           file: {
             log_dir: '/var/log',
@@ -54,8 +82,9 @@ module OmfCommon
       },
       eventloop: { type: :local},
       logging: {
-        level: 'debug',
-
+        level: { 
+          default: 'debug'
+        },
         appenders: {
           stdout: {
             date_pattern: '%H:%M:%S',
@@ -65,7 +94,7 @@ module OmfCommon
         }
       }
     },
-    test_dev: {
+    test_daemon: {
       daemonize: {
         dir_mode: :script,
         dir: '/tmp',
@@ -74,10 +103,12 @@ module OmfCommon
         log_output: true
       },
       eventloop: {
-        type: :local
+        type: :em
       },
       logging: {
-        level: 'debug',
+        level: { 
+          default: 'debug'
+        },
         appenders: {
           file: {
             log_dir: '/tmp',
@@ -120,9 +151,14 @@ module OmfCommon
     unless copts = opts[:communication]
       raise "Missing :communication description"
     end
-    eopts = opts[:eventloop]
+
+    if aopts = opts[:auth]
+      require 'omf_common/auth/credential_store'
+      OmfCommon::Auth::CredentialStore.init(aopts)
+    end
 
     # Initialise event loop
+    eopts = opts[:eventloop]
     Eventloop.init(eopts)
     # start eventloop immediately if we received a run block
     eventloop.run do
@@ -151,6 +187,10 @@ module OmfCommon
   #      :same - Look in the same directory as '$0'
   #   :remove_root ROOT_NAME: Remove the root node. Throw exception if not ROOT_NAME
   #   :wait_for_readable SECS: Wait until the yaml file becomes readable. Check every SECS
+  #   :erb_process flag: Run the content of the loaded file through ERB first before YAML parsing
+  #   :erb_safe_level level: If safe_level is set to a non-nil value, ERB code will be run in a 
+  #                                   separate thread with $SAFE set to the provided level.
+  #   :erb_binding binding: Optional binding given to ERB#result 
   #
   def self.load_yaml(file_name, opts = {})
     if path_opt = opts[:path]
@@ -167,7 +207,14 @@ module OmfCommon
         sleep readable_check # wait until file shows up
       end
     end
-    yh = YAML.load_file(file_name)
+
+    str = File.read(file_name)
+    if opts[:erb_process]
+      require 'erb'
+      str = ERB.new(str, opts[:erb_safe_level]).result(opts[:erb_binding] || binding)
+    end
+    yh = YAML.load(str)
+
     if opts[:symbolize_keys]
       yh = _rec_sym_keys(yh)
     end
@@ -209,11 +256,25 @@ module OmfCommon
       end
     end
     if level = opts[:level]
-      logger.level = level.to_sym
+      if level.is_a? Hash
+        # package level settings
+        level.each do |name, lvl|
+          if name.to_s == 'default'
+            logger.level = lvl.to_sym
+          else
+            Logging.logger[name.to_s].level = lvl.to_sym 
+          end
+        end
+      else
+        logger.level = level.to_sym
+      end
     end
   end
 
   def self._rec_merge(this_hash, other_hash)
+    # if the dominant side is not a hash we stop recursing and pick the primitive value
+    return other_hash unless other_hash.is_a? Hash
+
     r = {}
     this_hash.merge(other_hash) do |key, oldval, newval|
       r[key] = oldval.is_a?(Hash) ? _rec_merge(oldval, newval) : newval

data/lib/omf_common/auth.rb

@@ -0,0 +1,15 @@
+
+
+module OmfCommon
+  module Auth
+
+    class AuthException < StandardError; end
+
+    def self.init(opts = {})
+      CertificateStore.init(opts)
+    end
+  end
+end
+
+require 'omf_common/auth/certificate_store'
+require 'omf_common/auth/certificate'

data/lib/omf_common/auth/certificate.rb

@@ -0,0 +1,174 @@
+require 'openssl'
+require 'omf_common/auth'
+require 'omf_common/auth/ssh_pub_key_convert'
+
+module OmfCommon::Auth
+
+  class Certificate
+    DEF_DOMAIN_NAME = 'acme'
+    DEF_DURATION = 3600
+
+    BEGIN_CERT = "-----BEGIN CERTIFICATE-----\n"
+    END_CERT = "\n-----END CERTIFICATE-----\n"
+    @@serial = 0
+
+    # @param [String] name unique name of the entity (resource name)
+    # @param [String] type type of the entity (resource type)
+    # @param [String] domain of the resource
+    #
+    def self.create(address, name, type, domain = DEF_DOMAIN_NAME, issuer = nil, not_before = Time.now, duration = 3600, key = nil)
+      subject = _create_name(name, type, domain)
+      if key.nil?
+        key, digest = _create_key()
+      else
+        digest = _create_digest
+      end
+
+      c = _create_x509_cert(address, subject, key, digest, issuer, not_before, duration)
+      c[:address] = address if address
+      self.new c
+    end
+
+    # @param [String] pem is the content of existing x509 cert
+    # @param [OpenSSL::PKey::RSA|String] key is the private key which can be attached to the instance for signing.
+    def self.create_from_x509(pem, key = nil)
+      unless pem.start_with? BEGIN_CERT
+        pem = "#{BEGIN_CERT}#{pem}#{END_CERT}"
+      end
+      cert = OpenSSL::X509::Certificate.new(pem)
+
+      key = OpenSSL::PKey::RSA.new(key) if key && key.is_a?(String)
+
+      if key && !cert.check_private_key(key)
+        raise ArgumentError, "Private key provided could not match the public key of given certificate"
+      end
+      self.new({ cert: cert, key: key })
+    end
+
+    # Returns an array with a new RSA key and a SHA1 digest
+    #
+    def self._create_key(size = 2048)
+      [OpenSSL::PKey::RSA.new(size), OpenSSL::Digest::SHA1.new]
+    end
+
+    def self._create_digest
+      OpenSSL::Digest::SHA1.new
+    end
+
+    # @param [String] name unique name of the entity (resource name)
+    # @param [String] type type of the entity (resource type)
+    #
+    def self._create_name(name, type, domain = DEF_DOMAIN_NAME)
+      OpenSSL::X509::Name.new [['CN', "frcp//#{domain}//frcp.#{type}.#{name}"]], {}
+    end
+
+    # Create a X509 certificate
+    #
+    # @param [] address
+    # @return {cert, key}
+    #
+    def self._create_x509_cert(address, subject, key, digest = nil,
+                              issuer = nil, not_before = Time.now, duration = DEF_DURATION, extensions = [])
+      extensions << ["subjectAltName", "URI:#{address}", false] if address
+
+      cert = OpenSSL::X509::Certificate.new
+      cert.version = 2
+      # TODO change serial to non-sequential secure random numbers for production use
+      cert.serial = (@@serial += 1)
+      cert.subject = subject
+      cert.public_key = key.public_key
+      cert.not_before = not_before
+      cert.not_after = not_before + duration
+      unless extensions.empty?
+        issuer_cert = issuer ? issuer.to_x509 : cert
+        ef = OpenSSL::X509::ExtensionFactory.new
+        ef.subject_certificate = cert
+        ef.issuer_certificate = issuer_cert
+        extensions.each{|oid, value, critical|
+          cert.add_extension(ef.create_extension(oid, value, critical))
+        }
+      end
+      if issuer
+        cert.issuer = issuer.subject
+        cert.sign(issuer.key, issuer.digest)
+      else
+        # self signed
+        cert.issuer = subject
+        cert.sign(key, digest)
+      end
+      { cert: cert, key: key }
+    end
+
+    attr_reader :address, :subject, :key, :digest
+
+    def initialize(opts)
+      if @cert = opts[:cert]
+        @subject = @cert.subject
+      end
+      unless @address = opts[:address]
+        # try to see it it is in cert
+        if @cert
+          @cert.extensions.each do |ext|
+            if ext.oid == 'subjectAltName'
+              @address = ext.value[4 .. -1] # strip off 'URI:'
+            end
+          end
+        end
+      end
+      if @key = opts[:key]
+        @digest = opts[:digest] || OpenSSL::Digest::SHA1.new
+      end
+      unless @subject ||= opts[:subject]
+        name = opts[:name]
+        type = opts[:type]
+        domain = opts[:domain]
+        @subject = _create_name(name, type, domain)
+      end
+      @cert ||= _create_x509_cert(@address, @subject, @key, @digest)[:cert]
+    end
+
+    def create_for(address, name, type, domain = DEF_DOMAIN_NAME, duration = 3600, key = nil)
+      raise ArgumentError, "Address required" unless address
+      cert = self.class.create(address, name, type, domain, self, Time.now, duration, key)
+      CertificateStore.instance.register(cert, address)
+      cert
+    end
+
+    # Return the X509 certificate. If it hasn't been passed in, return a self-signed one
+    def to_x509()
+      @cert
+    end
+
+    def can_sign?
+      !@key.nil? && @key.private?
+    end
+
+    def to_pem
+      to_x509.to_pem
+    end
+
+    def to_pem_compact
+      to_pem.lines.to_a[1 ... -1].join.strip
+    end
+
+    def verify_cert
+      if @cert.issuer == self.subject # self signed cert
+        @cert.verify(@cert.public_key)
+      else
+        @cert.verify(CertificateStore.instance.cert_for(@cert.issuer).to_x509.public_key)
+      end
+    end
+
+    # Will return one of the following
+    #
+    # :HS256, :HS384, :HS512, :RS256, :RS384, :RS512, :ES256, :ES384, :ES512
+    #
+    # def key_algorithm
+#
+    # end
+
+    def to_s
+      "#<#{self.class} addr=#{@address} subj=#{@subject} can-sign=#{@key != nil}>"
+    end
+  end # class
+end # module

data/lib/omf_common/auth/certificate_store.rb

@@ -0,0 +1,72 @@
+require 'openssl'
+
+require 'omf_common/auth'
+
+#require 'singleton'
+
+# module OmfCommon
+  # class Key
+    # include Singleton
+#
+    # attr_accessor :private_key
+#
+    # def import(filename)
+      # self.private_key = OpenSSL::PKey.read(File.read(filename))
+    # end
+  # end
+# end
+
+module OmfCommon::Auth
+
+  class MissingPrivateKeyException < AuthException; end
+
+  class CertificateStore
+
+
+    @@instance = nil
+
+    def self.init(opts = {})
+      if @@instance
+        raise "CertificateStore already iniitalised"
+      end
+      @@instance = self.new(opts)
+    end
+
+    def self.instance
+      throw "CertificateStore not initialized" unless @@instance
+      @@instance
+    end
+
+    def register(certificate, address = nil)
+      if address ||= certificate.address
+        @certs[address] = certificate if address
+      else
+        warn "Register certificate without address - #{certificate}"
+      end
+      @certs[certificate.subject] = certificate
+    end
+
+    def register_x509(cert_pem, address = nil)
+      if (cert = Certificate.create_from_x509(cert_pem))
+        debug "REGISTERED #{cert}"
+        register(cert, address)
+      end
+    end
+
+    def cert_for(url)
+      @certs[url]
+    end
+
+
+    private
+    def initialize(opts)
+      @certs = {}
+      if store = opts[:store]
+      else
+        @store = {private: {}, public: {}}
+      end
+      @serial = 0
+    end
+  end # class
+
+end # module

data/lib/omf_common/auth/ssh_pub_key_convert.rb

@@ -0,0 +1,80 @@
+require 'base64'
+require 'openssl'
+require 'omf_common/auth'
+
+module OmfCommon::Auth
+  # This file provides a converter that accepts an SSH public key string
+  # and converts it to an OpenSSL::PKey::RSA object for use in verifying
+  # received messages.  (DSA support pending).
+  #
+  class SSHPubKeyConvert
+    # Unpack a 4-byte unsigned integer from the +bytes+ array.
+    #
+    # Returns a pair (+u32+, +bytes+), where +u32+ is the extracted
+    # unsigned integer, and +bytes+ is the remainder of the original
+    # +bytes+ array that follows +u32+.
+    #
+    def self.unpack_u32(bytes)
+      return bytes.unpack("N")[0], bytes[4..-1]
+    end
+
+    # Unpack a string from the +bytes+ array.  Exactly +len+ bytes will
+    # be extracted.
+    #
+    # Returns a pair (+string+, +bytes+), where +string+ is the
+    # extracted string (of length +len+), and +bytes+ is the remainder
+    # of the original +bytes+ array that follows +string+.
+    #
+    def self.unpack_string(bytes, len)
+      return bytes.unpack("A#{len}")[0], bytes[len..-1]
+    end
+
+    # Convert a string in SSH public key format to a key object
+    # suitable for use with OpenSSL.  If the key is an RSA key then an
+    # OpenSSL::PKey::RSA object is returned.  If the key is a DSA key
+    # then an OpenSSL::PKey::DSA object is returned.  In either case,
+    # the object returned is suitable for encrypting data or verifying
+    # signatures, but cannot be used for decrypting or signing.
+    #
+    # The +keystring+ should be a single line, as per an SSH public key
+    # file as generated by +ssh-keygen+, or a line from an SSH
+    # +authorized_keys+ file.
+    #
+    def self.convert(keystring)
+      (type, b64, id) = keystring.split(' ')
+      decoded_key = Base64.decode64(b64)
+      (n, bytes) = unpack_u32(decoded_key)
+      (keytype, bytes) = unpack_string(bytes, n)
+
+      if keytype == "ssh-rsa"
+        (n, bytes) = unpack_u32(bytes)
+        (estr, bytes) = unpack_string(bytes, n)
+        (n, bytes) = unpack_u32(bytes)
+        (nstr, bytes) = unpack_string(bytes, n)
+
+        key = OpenSSL::PKey::RSA.new
+        key.n = OpenSSL::BN.new(nstr, 2)
+        key.e = OpenSSL::BN.new(estr, 2)
+        key
+      elsif keytype == 'ssh-dss'
+        (n, bytes) = unpack_u32(bytes)
+        (pstr, bytes) = unpack_string(bytes, n)
+        (n, bytes) = unpack_u32(bytes)
+        (qstr, bytes) = unpack_string(bytes, n)
+        (n, bytes) = unpack_u32(bytes)
+        (gstr, bytes) = unpack_string(bytes, n)
+        (n, bytes) = unpack_u32(bytes)
+        (pkstr, bytes) = unpack_string(bytes, n)
+
+        key = OpenSSL::PKey::DSA.new
+        key.p = OpenSSL::BN.new(pstr, 2)
+        key.q = OpenSSL::BN.new(qstr, 2)
+        key.g = OpenSSL::BN.new(gstr, 2)
+        key.pub_key = OpenSSL::BN.new(pkstr, 2)
+        key
+      else
+        raise ArgumentError, "Unknown key type '#{keytype}'"
+      end
+    end
+  end
+end