pantry 0.0.0 → 0.1.0

data/lib/pantry/communication/security.rb

@@ -0,0 +1,44 @@
+module Pantry
+  module Communication
+    module Security
+
+      class UnknownSecurityStrategyError < Exception; end
+
+      AVAILABLE_SECURITY = {
+        nil     => Pantry::Communication::Security::NullSecurity,
+        "curve" => Pantry::Communication::Security::CurveSecurity
+      }
+
+      # Check if ZeroMQ is built properly to support Curve encryption
+      def self.curve_supported?
+        begin
+          ZMQ::Util.curve_keypair
+          true
+        rescue
+          false
+        end
+      end
+
+      # Build a Client implementation of the security strategy
+      # configured in Pantry.config.security
+      def self.new_client(config = Pantry.config)
+        handler_class(config).client
+      end
+
+      # Build a Server implementation of the security strategy
+      # configured in Pantry.config.security
+      def self.new_server(config = Pantry.config)
+        handler_class(config).server
+      end
+
+      def self.handler_class(config)
+        if handler = AVAILABLE_SECURITY[config.security]
+          handler
+        else
+          raise UnknownSecurityStrategyError, "Unknown security strategy #{config.security.inspect}"
+        end
+      end
+
+    end
+  end
+end

data/lib/pantry/communication/security/authentication.rb

@@ -0,0 +1,98 @@
+module Pantry
+  module Communication
+    module Security
+
+      # This class implements and manages the ZAP handler.
+      # For any connecting client, this handler receives a request to
+      # authenticate the Client. If the Client is allowed in, all proceeds as
+      # normal. If a Client is not allowed in then the connection is dropped.
+      #
+      # For Pantry, this is a very strict authentication mechanism that only
+      # allows Clients in whos public keys are in the server_keys.yml keystore.
+      # It also rejects any attempts to authenticate with a mechanism other than CURVE.
+      #
+      # ZAP: ZeroMQ Authentication Protocol :: http://rfc.zeromq.org/spec:27
+      class Authentication
+        include Celluloid::ZMQ
+        finalizer :shutdown
+
+        def initialize(key_store)
+          @key_store = key_store
+
+          @socket = Celluloid::ZMQ::RepSocket.new
+          @socket.linger = 0
+        end
+
+        def open
+          @socket.bind("inproc://zeromq.zap.01")
+          @running = true
+          self.async.process_requests
+        end
+
+        def shutdown
+          @socket.close
+          @running = false
+        end
+
+        def process_requests
+          while @running
+            process_next_request
+          end
+        end
+
+        def process_next_request
+          request = read_next_request
+
+          response_code, response_text = authenticate_request(request)
+
+          if response_code == "200"
+            Pantry.logger.debug("[AUTH] Client authentication successful")
+          else
+            Pantry.logger.debug("[AUTH] Client authentication rejected: #{response_text}")
+          end
+
+          write_response(request, response_code, response_text)
+        end
+
+        def read_next_request
+          request = []
+          begin
+            request << @socket.read
+          end while @socket.more_parts?
+          request
+        end
+
+        def authenticate_request(request)
+          mechanism  = request[5]
+          client_key = request[6]
+
+          if mechanism != "CURVE"
+            ["400", "Invalid Mechanism"]
+          else
+            authenticate_client(client_key)
+          end
+        end
+
+        def authenticate_client(client_key)
+          if @key_store.known_client?(client_key)
+            ["200", "OK"]
+          else
+            ["400", "Unknown Client"]
+          end
+        end
+
+        def write_response(request, response_code, response_text)
+          @socket.write([
+            request[0],    # Version
+            request[1],    # Sequence / Request id
+            response_code,
+            response_text,
+            "",            # username
+            ""             # metadata
+          ])
+        end
+      end
+
+    end
+  end
+end

data/lib/pantry/communication/security/curve_key_store.rb

@@ -0,0 +1,120 @@
+module Pantry
+  module Communication
+    module Security
+
+      # CurveKeyStore manages the storage, reading, and writing of all
+      # Curve-related key-pairs.
+      #
+      # Clients keep track of the public key of the server they talk to
+      # Servers keep track of the list of public keys of Clients who are
+      # allowed to connect.
+      #
+      # All keys are stored under Pantry.root/security/curve
+      class CurveKeyStore
+
+        attr_reader :public_key, :private_key, :server_public_key
+
+        def initialize(my_key_pair_name)
+          @base_key_dir  = Pantry.root.join("security", "curve")
+          @my_keys_file  = @base_key_dir.join("#{my_key_pair_name}.yml")
+          @known_clients = []
+
+          ensure_directory_structure
+          check_or_generate_my_keys
+        end
+
+        # Check if the given client public key is known by this server or
+        # not. To facilitate the initial setup process of a new Pantry Server,
+        # this will allow and store the first client to connect to this server
+        # and will write out that client's public key as valid.
+        #
+        # Used solely by the Server
+        def known_client?(client_public_key)
+          encoded_key = z85_encode(client_public_key)
+          if @known_clients.empty?
+            store_known_client(encoded_key)
+            true
+          else
+            @known_clients.include?(encoded_key)
+          end
+        end
+
+        # Generate and store a new Client pub/priv key pair
+        # Only the Public key is stored locally for authentication purposes.
+        # Returns a hash of all relevant keys for the Client to connect
+        # and Auth.
+        def create_client
+          client_public, client_private = ZMQ::Util.curve_keypair
+          store_known_client(client_public)
+
+          {
+            server_public_key: @public_key,
+            public_key: client_public,
+            private_key: client_private
+          }
+        end
+
+        protected
+
+        # TODO Move this logic into ffi-rzmq proper
+        def z85_encode(binary_key)
+          encoded = FFI::MemoryPointer.from_string(' ' * 41)
+          LibZMQ::zmq_z85_encode(encoded, binary_key, 32)
+        end
+
+        def ensure_directory_structure
+          FileUtils.mkdir_p(@base_key_dir)
+          FileUtils.chmod(0700, @base_key_dir)
+        end
+
+        def check_or_generate_my_keys
+          if File.exists?(@my_keys_file)
+            load_current_key_pair
+          end
+
+          generate_missing_keys
+        end
+
+        def load_current_key_pair
+          keys = YAML.load_file(@my_keys_file)
+          @public_key = keys["public_key"]
+          @private_key = keys["private_key"]
+          @server_public_key = keys["server_public_key"]
+          @known_clients = keys["client_keys"] || []
+        end
+
+        def generate_missing_keys
+          if @public_key.nil? && @private_key.nil?
+            @public_key, @private_key = ZMQ::Util.curve_keypair
+            save_keys
+          end
+        end
+
+        def store_known_client(client_public_key)
+          @known_clients << client_public_key
+          save_keys
+        end
+
+        def save_keys
+          File.open(@my_keys_file, "w+") do |f|
+            keys = {
+              "private_key" => @private_key,
+              "public_key" => @public_key
+            }
+
+            if @server_public_key
+              keys["server_public_key"] = @server_public_key
+            end
+
+            if @known_clients.length > 0
+              keys["client_keys"] = @known_clients
+            end
+
+            f.write YAML.dump(keys)
+          end
+        end
+      end
+
+    end
+  end
+end

data/lib/pantry/communication/security/curve_security.rb

@@ -0,0 +1,70 @@
+module Pantry
+  module Communication
+    module Security
+
+      # ZeroMQ Curve encryption strategy.
+      # For details about how the Curve encryption works in ZeroMQ, check out
+      # the following:
+      #
+      # * http://api.zeromq.org/4-0:zmq-curve
+      # * http://curvezmq.org/
+      #
+      class CurveSecurity
+
+        def self.client
+          Client.new
+        end
+
+        def self.server
+          Server.new
+        end
+
+        # Client-side handling of Curve encryption.
+        class Client
+
+          def initialize
+            @key_store = CurveKeyStore.new("client_keys")
+            Pantry.logger.info("Configuring Client to use Curve encryption")
+          end
+
+          def configure_socket(socket)
+            socket.set(::ZMQ::CURVE_SERVERKEY, @key_store.server_public_key)
+            socket.set(::ZMQ::CURVE_PUBLICKEY, @key_store.public_key)
+            socket.set(::ZMQ::CURVE_SECRETKEY, @key_store.private_key)
+          end
+
+        end
+
+        class Server
+
+          attr_reader :authentication
+
+          def initialize
+            @key_store = CurveKeyStore.new("server_keys")
+            @authentication = Authentication.new(@key_store)
+            @authentication.open
+
+            # We log the server's public key here to make it accessible for initial setup.
+            Pantry.logger.info("Configuring Server to use Curve encryption :: #{@key_store.public_key}")
+          end
+
+          def link_to(parent)
+            parent.link(@authentication)
+          end
+
+          def configure_socket(socket)
+            socket.set(::ZMQ::CURVE_SERVER,    1)
+            socket.set(::ZMQ::CURVE_SECRETKEY, @key_store.private_key)
+          end
+
+          def create_client
+            @key_store.create_client
+          end
+
+        end
+
+      end
+
+    end
+  end
+end

data/lib/pantry/communication/security/null_security.rb

@@ -0,0 +1,32 @@
+module Pantry
+  module Communication
+    module Security
+
+      # The no-security security strategy
+      class NullSecurity
+
+        def self.client
+          new
+        end
+
+        def self.server
+          new
+        end
+
+        def link_to(parent)
+          # no-op
+        end
+
+        def configure_socket(socket)
+          # no-op
+        end
+
+        def create_client
+          {}
+        end
+
+      end
+
+    end
+  end
+end

data/lib/pantry/communication/send_socket.rb

@@ -0,0 +1,19 @@
+module Pantry
+  module Communication
+
+    # The SendSocket allows one-way asynchronous communication to the server.
+    # This is implemented through the ZMQ DEALER socket, which communicates with
+    # the Server's ROUTER socket.
+    class SendSocket < WritingSocket
+
+      def build_socket
+        Celluloid::ZMQ::DealerSocket.new
+      end
+
+      def open_socket(socket)
+        socket.connect("tcp://#{host}:#{port}")
+      end
+
+    end
+  end
+end

data/lib/pantry/communication/serialize_message.rb

@@ -0,0 +1,84 @@
+module Pantry
+  module Communication
+
+    # Handles all serialization of Pantry::Messages to and from the ZeroMQ
+    # communication stack
+    class SerializeMessage
+
+      # To prevent accidents like trying to send the raw contents of a
+      # JSON file and end up with a Ruby hash on the other side, we designate
+      # messages as being JSON using a simple one character prefix. This way
+      # we don't have to guess if it's JSON or not and will leave non encoded
+      # strings alone. Don't want to dive into anything more complicated unless
+      # it's really necessary (like msgpack).
+      IS_JSON = '⁂'
+
+      # Convert a message into an array of message parts that will
+      # be sent through ZeroMQ.
+      def self.to_zeromq(message)
+        ToZeromq.new(message).perform
+      end
+
+      # Given an array of message parts from ZeroMQ, built up a Pantry::Message
+      # containing the included information.
+      def self.from_zeromq(parts)
+        FromZeromq.new(parts).perform
+      end
+
+      class ToZeromq
+        def initialize(message)
+          @message = message
+        end
+
+        def perform
+          [
+            @message.to || "",
+            @message.metadata.to_json,
+            encode_message_body
+          ].flatten.compact
+        end
+
+        protected
+
+        def encode_message_body
+          @message.body.map do |entry|
+            case entry
+            when Hash, Array
+              "#{IS_JSON}#{entry.to_json}"
+            else
+              entry.to_s
+            end
+          end
+        end
+      end
+
+      class FromZeromq
+        def initialize(parts)
+          @parts = parts
+        end
+
+        def perform
+          Pantry::Message.new.tap do |message|
+            message.metadata = JSON.parse(@parts[1], symbolize_names: true)
+            message.to       = @parts[0]
+            message.body     = parse_body_parts(@parts[2..-1])
+          end
+        end
+
+        protected
+
+        def parse_body_parts(body_parts)
+          body_parts.map do |raw_part|
+            part = raw_part.force_encoding("UTF-8")
+
+            if part.start_with?(IS_JSON)
+              JSON.parse(part[1..-1], symbolize_names: true) rescue part
+            else
+              raw_part
+            end
+          end
+        end
+      end
+    end
+  end
+end