pupistry 1.0.0 → 1.1.0

data/lib/pupistry/bootstrap.rb

@@ -1,5 +1,6 @@
+# rubocop:disable Style/Documentation, Style/GlobalVars
 require 'rubygems'
-require "base64"
+require 'base64'
 require 'erubis'
 
 module Pupistry
@@ -10,98 +11,92 @@ module Pupistry
     attr_accessor :contents
 
     def initialize
-
       # We need to find where the templates are located - either it should be
       # in the current working directory, or if we are an installed gem, we
       # can try the gem's installed path.
 
-      if Dir.exists?("resources/bootstrap/")
+      if Dir.exist?('resources/bootstrap/')
         # Use local PWD version first if possible
         @template_dir = Dir.pwd
       else
         # Check for GEM installed location
         begin
-          @template_dir = Gem::Specification.find_by_name("pupistry").gem_dir
+          @template_dir = Gem::Specification.find_by_name('pupistry').gem_dir
         rescue Gem::LoadError
           $logger.error "Unable to find templates/ directory, doesn't appear we are running from project dir nor as a Gem"
           return false
         end
       end
 
-      @template_dir = @template_dir.chomp("/") + "/resources/bootstrap/"
+      @template_dir = @template_dir.chomp('/') + '/resources/bootstrap/'
 
-      unless Dir.exists?(@template_dir)
+      if Dir.exist?(@template_dir)
+        $logger.debug "Using directory #{@template_dir} for bootstrap templates"
+      else
         $logger.error "Unable to find templates dir at #{@template_dir}, unable to proceed."
         return false
-      else
-        $logger.debug "Using directory #{@template_dir} for bootstrap templates"
       end
-
     end
-    
 
     def list
       # Simply glob the templates directory and list their names.
-      $logger.debug "Finding all available templates"
+      $logger.debug 'Finding all available templates'
 
       Dir.glob("#{@template_dir}/*.erb").each do |file|
-        puts "- #{File.basename(file, ".erb")}"
+        puts "- #{File.basename(file, '.erb')}"
       end
     end
 
-
-    def build template
+    def build(template)
       # Build a template with the configured parameters already to go and save
       # into the object, so it can be outputted in the desired format.
 
       $logger.debug "Generating a bootstrap script for #{template}"
 
-      unless File.exists?("#{@template_dir}/#{template}.erb")
-        $logger.error "The requested template does not exist, unable to build"
+      unless File.exist?("#{@template_dir}/#{template}.erb")
+        $logger.error 'The requested template does not exist, unable to build'
         return 0
       end
 
       # Assume values we care about
       template_values = {
-        s3_bucket: $config["general"]["s3_bucket"],
-        s3_prefix: $config["general"]["s3_prefix"],
-        gpg_disable: $config["general"]["gpg_disable"],
-        gpg_signing_key: $config["general"]["gpg_signing_key"],
-        puppetcode: $config["agent"]["puppetcode"],
-        access_key_id: $config["agent"]["access_key_id"],
-        secret_access_key: $config["agent"]["secret_access_key"],
-        region: $config["agent"]["region"],
-        proxy_uri: $config["agent"]["proxy_uri"],
-        daemon_frequency: $config["agent"]["daemon_frequency"],
-        daemon_minimal: $config["agent"]["daemon_minimal"]
+        s3_bucket: $config['general']['s3_bucket'],
+        s3_prefix: $config['general']['s3_prefix'],
+        gpg_disable: $config['general']['gpg_disable'],
+        gpg_signing_key: $config['general']['gpg_signing_key'],
+        puppetcode: $config['agent']['puppetcode'],
+        access_key_id: $config['agent']['access_key_id'],
+        secret_access_key: $config['agent']['secret_access_key'],
+        region: $config['agent']['region'],
+        proxy_uri: $config['agent']['proxy_uri'],
+        daemon_frequency: $config['agent']['daemon_frequency'],
+        daemon_minimal: $config['agent']['daemon_minimal']
       }
 
       # Generate template using ERB
       begin
         @contents = Erubis::Eruby.new(File.read("#{@template_dir}/#{template}.erb")).result(template_values)
-      rescue Exception => e
-        $logger.error "An unexpected error occured when trying to generate the bootstrap template"
+      rescue StandardError => e
+        $logger.error 'An unexpected error occured when trying to generate the bootstrap template'
         raise e
       end
-
     end
 
     def output_plain
       # Do nothing clever, just output the template data.
-      puts "-- Bootstrap Start --"
+      puts '-- Bootstrap Start --'
       puts @contents
-      puts "-- Bootstrap End --"
+      puts '-- Bootstrap End --'
     end
 
     def output_base64
       # Some providers like AWS can accept the data in Base64 version which is
       # smaller and less likely to get messed up by copy and paste or weird
       # formatting issues.
-      puts "-- Bootstrap Start --"
+      puts '-- Bootstrap Start --'
       puts Base64.encode64(@contents)
-      puts "-- Bootstrap End --"
+      puts '-- Bootstrap End --'
     end
-
   end
 end
 

data/lib/pupistry/config.rb

@@ -1,7 +1,9 @@
+# rubocop:disable Style/Documentation, Style/GlobalVars
 require 'rubygems'
 require 'fileutils'
 require 'tempfile'
 require 'yaml'
+require 'safe_yaml'
 
 module Pupistry
   # Pupistry::Config
@@ -10,50 +12,79 @@ module Pupistry
   #
 
   class Config
-
-    def self.load file
+    def self.load(file)
       $logger.debug "Loading configuration file #{file}"
+     
+      # Load YAML file with minimum safety/basic checks
+      unless File.exist?(file)
+        $logger.fatal 'The configuration file provided does not exist, or cannot be accessed'
+        exit 0
+      end
+
+      begin
+        $config = YAML.load(File.open(file), safe: true, raise_on_unknown_tag: true)
+      rescue => ex
+        $logger.fatal 'The supplied file is not a valid YAML configuration file'
+        $logger.debug ex.message
+        exit 0
+      end
+
 
-      unless File.exists?(file)
-        $logger.fatal "The configuration file provided does not exist, or cannot be accessed"
+      # Run checks for minimum configuration parameters
+      # TODO: Is there a smarter way of doing this? Maybe a better config parser?
+      begin
+        fail 'Missing general:app_cache'         unless defined? $config['general']['app_cache']
+        fail 'Missing general:s3_bucket'         unless defined? $config['general']['s3_bucket']
+        fail 'Missing general:gpg_disable'       unless defined? $config['general']['gpg_disable']
+        fail 'Missing agent:puppetcode'          unless defined? $config['agent']['puppetcode']
+      rescue => ex
+        $logger.fatal 'The supplied configuration files doesn\'t include the minimum expect configuration parameters'
+        $logger.debug ex.message
         exit 0
       end
 
-      $config = YAML::load(File.open(file))
+      
 
       # Make sure cache directory exists, create it otherwise
-      $config["general"]["app_cache"] = File.expand_path($config["general"]["app_cache"]).chomp('/')
+      $config['general']['app_cache'] = File.expand_path($config['general']['app_cache']).chomp('/')
 
-      unless Dir.exists?($config["general"]["app_cache"])
+      unless Dir.exist?($config['general']['app_cache'])
         begin
-          FileUtils.mkdir_p($config["general"]["app_cache"])
-          FileUtils.chmod(0700, $config["general"]["app_cache"]) # Generally only the user running Pupistry should have access
-        rescue Exception => e
-          $logger.fatal "Unable to create cache directory at \"#{$config["general"]["app_cache"]}\"."
+          FileUtils.mkdir_p($config['general']['app_cache'])
+          FileUtils.chmod(0700, $config['general']['app_cache']) # Generally only the user running Pupistry should have access
+        rescue StandardError => e
+          $logger.fatal "Unable to create cache directory at \"#{$config['general']['app_cache']}\"."
           raise e
         end
       end
 
       # Write test file to confirm writability
       begin
-        FileUtils.touch($config["general"]["app_cache"] + "/testfile")
-        FileUtils.rm($config["general"]["app_cache"] + "/testfile")
-      rescue Exception => e
-        $logger.fatal "Unexpected exception when creating testfile in cache directory at \"#{$config["general"]["app_cache"]}\", is the directory writable?"
+        FileUtils.touch($config['general']['app_cache'] + '/testfile')
+        FileUtils.rm($config['general']['app_cache'] + '/testfile')
+      rescue StandardError => e
+        $logger.fatal "Unexpected exception when creating testfile in cache directory at \"#{$config['general']['app_cache']}\", is the directory writable?"
         raise e
       end
 
+
+      # Check if Puppet is available
+      unless system('puppet --version 2>&1 > /dev/null')
+        $logger.fatal "Unable to find an installation of Puppet - please make sure Puppet is installed from either OS package or Gem"
+        exit 0
+      end
+
     end
 
     def self.find_and_load
-      $logger.debug "Looking for configuration file in common locations"
+      $logger.debug 'Looking for configuration file in common locations'
 
       # If the HOME environmental hasn't been set (which can happen when
       # running via some cloud user-data/init systems) the app will die
       # horribly, we should set a HOME path default.
       unless ENV['HOME']
-        $logger.warn "No HOME environmental set, defaulting to /tmp"
-        ENV['HOME'] = "/tmp"
+        $logger.warn 'No HOME environmental set, defaulting to /tmp'
+        ENV['HOME'] = '/tmp'
       end
 
       # Locations in order of preference:
@@ -64,29 +95,26 @@ module Pupistry
       config    = ''
       local_dir = Dir.pwd
 
-      if File.exists?("#{local_dir}/settings.yaml")
+      if File.exist?("#{local_dir}/settings.yaml")
         config = "#{local_dir}/settings.yaml"
 
-      elsif File.exists?( File.expand_path "~/.pupistry/settings.yaml" )
-        config = File.expand_path "~/.pupistry/settings.yaml"
+      elsif File.exist?(File.expand_path '~/.pupistry/settings.yaml')
+        config = File.expand_path '~/.pupistry/settings.yaml'
 
-      elsif File.exists?("/usr/local/etc/pupistry/settings.yaml")
-        config = "/usr/local/etc/pupistry/settings.yaml"
+      elsif File.exist?('/usr/local/etc/pupistry/settings.yaml')
+        config = '/usr/local/etc/pupistry/settings.yaml'
 
-      elsif File.exists?("/etc/pupistry/settings.yaml")
-        config = "/etc/pupistry/settings.yaml"
+      elsif File.exist?('/etc/pupistry/settings.yaml')
+        config = '/etc/pupistry/settings.yaml'
 
       else
-        $logger.error "No configuration file provided."
-        $logger.error "See pupistry help for information on configuration"
+        $logger.error 'No configuration file provided.'
+        $logger.error 'See pupistry help for information on configuration'
         exit 0
       end
 
-      self.load(config)
-
+      load(config)
     end
-
-
   end
 end
 # vim:shiftwidth=2:tabstop=2:softtabstop=2:expandtab:smartindent

data/lib/pupistry/gpg.rb

@@ -1,5 +1,7 @@
+# rubocop:disable Style/Documentation, Style/GlobalVars
 require 'rubygems'
 require 'yaml'
+require 'safe_yaml'
 require 'fileutils'
 require 'base64'
 
@@ -11,25 +13,22 @@ module Pupistry
     attr_accessor :checksum
     attr_accessor :signature
 
-    def initialize checksum
-
+    def initialize(checksum)
       # Need a checksum to do signing for
       if checksum
         @checksum = checksum
       else
-        $logger.fatal "Probable bug, need a checksum provided with GPG validation"
+        $logger.fatal 'Probable bug, need a checksum provided with GPG validation'
         exit 0
       end
 
       # Make sure that we have GPG available
-      unless system("gpg --version >> /dev/null 2>&1")
+      unless system('gpg --version >> /dev/null 2>&1') # rubocop:disable Style/GuardClause
         $logger.fatal "'gpg' command is not available, unable to do any signature creation or verification."
         exit 0
       end
-
     end
 
-
     # Sign the artifact and return the signature. Does not validation of the signature.
     #
     # false   Failure
@@ -41,19 +40,17 @@ module Pupistry
       # Clean up the existing signature file
       signature_cleanup
 
-
-      Dir.chdir("#{$config["general"]["app_cache"]}/artifacts/") do
-
+      Dir.chdir("#{$config['general']['app_cache']}/artifacts/") do
         # Generate the signature file and pick up the signature data
         unless system "gpg --use-agent --detach-sign artifact.#{@checksum}.tar.gz"
-          $logger.error "Unable to sign the artifact, an unexpected failure occured. No file uploaded."
+          $logger.error 'Unable to sign the artifact, an unexpected failure occured. No file uploaded.'
           return false
         end
 
-        if File.exists?("artifact.#{@checksum}.tar.gz.sig")
-          $logger.info "A signature file was successfully generated."
+        if File.exist?("artifact.#{@checksum}.tar.gz.sig")
+          $logger.info 'A signature file was successfully generated.'
         else
-          $logger.error "A signature file was NOT generated."
+          $logger.error 'A signature file was NOT generated.'
           return false
         end
 
@@ -61,43 +58,37 @@ module Pupistry
         # metadata into a single file and extracting it out when needed, than
         # having to keep track of yet-another-file. Because we encode into
         # ASCII here, no need to call GPG with --armor either.
-        
+
         @signature = Base64.encode64(File.read("artifact.#{@checksum}.tar.gz.sig"))
 
         unless @signature
-          $logger.error "An unexpected issue occured and no signature was generated"
+          $logger.error 'An unexpected issue occured and no signature was generated'
           return false
         end
       end
 
-
       # Make sure the public key has been uploaded if it hasn't already
       pubkey_upload
 
-      return @signature
+      @signature
     end
 
-
     # Verify the signature for a particular artifact.
     #
     # true  Signature is legit
     # false Signature is invalid (security issue!)
     #
     def artifact_verify
-
-      Dir.chdir("#{$config["general"]["app_cache"]}/artifacts/") do
-
-        if File.exists?("artifact.#{@checksum}.tar.gz.sig")
-          $logger.debug "Signature already extracted on disk, running verify...."
+      Dir.chdir("#{$config['general']['app_cache']}/artifacts/") do
+        if File.exist?("artifact.#{@checksum}.tar.gz.sig")
+          $logger.debug 'Signature already extracted on disk, running verify....'
         else
-          $logger.debug "Extracting signature from manifest data..."
+          $logger.debug 'Extracting signature from manifest data...'
           signature_extract
         end
 
         # Verify the signature
-        unless pubkey_exists?
-          pubkey_install
-        end
+        pubkey_install unless pubkey_exist?
 
         output_verify = `gpg --quiet --status-fd 1 --verify artifact.#{@checksum}.tar.gz.sig 2>&1`
 
@@ -106,9 +97,8 @@ module Pupistry
 
         # Was it valid?
         output_verify.each_line do |line|
-
           if /\[GNUPG:\]\sGOODSIG\s[A-Z0-9]*#{$config["general"]["gpg_signing_key"]}\s/.match(line)
-            $logger.info "Artifact #{@checksum} has a valid signature belonging to #{$config["general"]["gpg_signing_key"]}"
+            $logger.info "Artifact #{@checksum} has a valid signature belonging to #{$config['general']['gpg_signing_key']}"
             return true
           end
 
@@ -116,32 +106,27 @@ module Pupistry
             $logger.fatal "Artifact #{@checksum} has AN INVALID GPG SECURITY SIGNATURE and could be CORRUPT or TAMPERED with."
             exit 0
           end
-
         end
 
         # Unexpected error
-        $logger.error "An unexpected validation issue occured, see below debug information:"
+        $logger.error 'An unexpected validation issue occured, see below debug information:'
 
         output_verify.each_line do |line|
           $logger.error "GPG: #{line}"
         end
-
       end
 
       # Something went wrong
       $logger.fatal "Artifact #{@checksum} COULD NOT BE GPG VALIDATED and could be CORRUPT or TAMPERED with."
       exit 0
-
     end
 
-
     # Generally we should clean up old signature files before and after using them
     #
     def signature_cleanup
-      FileUtils.rm("#{$config["general"]["app_cache"]}/artifacts/artifact.#{@checksum}.tar.gz.sig", :force => true)
+      FileUtils.rm("#{$config['general']['app_cache']}/artifacts/artifact.#{@checksum}.tar.gz.sig", force: true)
     end
 
-
     # Extract the signature from the manifest file and write it to file in native binary format.
     #
     # false     Unable to extract
@@ -149,103 +134,90 @@ module Pupistry
     # base64    Encoded signature
     #
     def signature_extract
-      begin
-        manifest            = YAML::load(File.open($config["general"]["app_cache"] + "/artifacts/manifest.#{@checksum}.yaml"))
-        
-        if manifest['gpgsig']
-          # We have the base64 version
-          @signature = manifest['gpgsig']
+      manifest = YAML.load(File.open($config['general']['app_cache'] + "/artifacts/manifest.#{@checksum}.yaml"), safe: true, raise_on_unknown_tag: true)
 
-          # Decode the base64 and write the signature file
-          File.write("#{$config["general"]["app_cache"]}/artifacts/artifact.#{@checksum}.tar.gz.sig", Base64.decode64(@signature))
+      if manifest['gpgsig']
+        # We have the base64 version
+        @signature = manifest['gpgsig']
 
-          return @signature
-        else
-          return false
-        end
+        # Decode the base64 and write the signature file
+        File.write("#{$config['general']['app_cache']}/artifacts/artifact.#{@checksum}.tar.gz.sig", Base64.decode64(@signature))
 
-      rescue Exception => e
-        $logger.error "Something unexpected occured when reading the manifest file"
-        raise e
+        return @signature
+      else
+        return false
       end
 
+    rescue StandardError => e
+      $logger.error 'Something unexpected occured when reading the manifest file'
+      raise e
     end
 
-
     # Save the signature into the manifest file
     #
     def signature_save
-      begin
-        manifest            = YAML::load(File.open($config["general"]["app_cache"] + "/artifacts/manifest.#{@checksum}.yaml"))
-        manifest['gpgsig']  = @signature
-
-        File.open("#{$config["general"]["app_cache"]}/artifacts/manifest.#{@checksum}.yaml",'w') do |fh|
-          fh.write YAML::dump(manifest)
-        end
+      manifest            = YAML.load(File.open($config['general']['app_cache'] + "/artifacts/manifest.#{@checksum}.yaml"), safe: true, raise_on_unknown_tag: true)
+      manifest['gpgsig']  = @signature
 
-        return true
-
-      rescue Exception => e
-        $logger.error "Something unexpected occured when updating the manifest file with GPG signature"
-        return false
+      File.open("#{$config['general']['app_cache']}/artifacts/manifest.#{@checksum}.yaml", 'w') do |fh|
+        fh.write YAML.dump(manifest)
       end
 
-    end
+      return true
 
+    rescue StandardError
+      $logger.error 'Something unexpected occured when updating the manifest file with GPG signature'
+      return false
+    end
 
     # Check if the public key is installed on this machine?
     #
-    def pubkey_exists?
-
+    def pubkey_exist?
       # We prefix with 0x to avoid matching on strings in key names
-      if system "gpg --status-fd a --list-keys 0x#{$config["general"]["gpg_signing_key"]} 2>&1 >> /dev/null"
-        $logger.debug "Public key exists on this system"
+      if system "gpg --status-fd a --list-keys 0x#{$config['general']['gpg_signing_key']} 2>&1 >> /dev/null"
+        $logger.debug 'Public key exists on this system'
         return true
       else
-        $logger.debug "Public key does not exist on this system"
+        $logger.debug 'Public key does not exist on this system'
         return false
       end
     end
-    
 
     # Extract & upload the public key to the s3 bucket for other users
     #
     def pubkey_upload
-      unless File.exists?("#{$config["general"]["app_cache"]}/artifacts/#{$config["general"]["gpg_signing_key"]}.publickey")
+      unless File.exist?("#{$config['general']['app_cache']}/artifacts/#{$config['general']['gpg_signing_key']}.publickey")
 
         # GPG key does not exist locally, we therefore assume it's not in the S3
         # bucket either, so we should export out and upload. Technically this may
         # result in a few extra uploads (once for any new machine using Pupistry)
         # but it doesn't cause any issue and saves me writing more code ;-)
-        
-        $logger.info "Exporting GPG key #{$config["general"]["gpg_signing_key"]} and uploading to S3 bucket..."
+
+        $logger.info "Exporting GPG key #{$config['general']['gpg_signing_key']} and uploading to S3 bucket..."
 
         # If it doesn't exist on this machine, then we're a bit stuck!
-        unless pubkey_exists?
-          $logger.error "The public key #{$config["general"]["gpg_signing_key"]} does not exist on this system, so unable to export it out"
+        unless pubkey_exist?
+          $logger.error "The public key #{$config['general']['gpg_signing_key']} does not exist on this system, so unable to export it out"
           return false
         end
 
         # Export out key
-        unless system "gpg --export --armour 0x#{$config["general"]["gpg_signing_key"]} > #{$config["general"]["app_cache"]}/artifacts/#{$config["general"]["gpg_signing_key"]}.publickey"
-         $logger.error "A fault occured when trying to export the GPG key"
-         return false
-       end
-
+        unless system "gpg --export --armour 0x#{$config['general']['gpg_signing_key']} > #{$config['general']['app_cache']}/artifacts/#{$config['general']['gpg_signing_key']}.publickey"
+          $logger.error 'A fault occured when trying to export the GPG key'
+          return false
+        end
 
         # Upload
-        s3 = Pupistry::Storage_AWS.new 'build'
+        s3 = Pupistry::StorageAWS.new 'build'
 
-        unless s3.upload "#{$config["general"]["app_cache"]}/artifacts/#{$config["general"]["gpg_signing_key"]}.publickey", "#{$config["general"]["gpg_signing_key"]}.publickey"
-          $logger.error "Unable to upload GPG key to S3 bucket"
+        unless s3.upload "#{$config['general']['app_cache']}/artifacts/#{$config['general']['gpg_signing_key']}.publickey", "#{$config['general']['gpg_signing_key']}.publickey"
+          $logger.error 'Unable to upload GPG key to S3 bucket'
           return false
         end
 
       end
-
     end
 
-
     # Install the public key. This is a potential avenue for exploit, if a
     # machine is being built for the first time, it has no existing trust of
     # the GPG key, other than transit encryption to the S3 bucket. To protect
@@ -256,28 +228,25 @@ module Pupistry
     # the GPG public key for them direct from the S3 repo.
     #
     def pubkey_install
-      begin
-        $logger.warn "Installing GPG key #{$config["general"]["gpg_signing_key"]}..."
+      $logger.warn "Installing GPG key #{$config['general']['gpg_signing_key']}..."
 
-        s3 = Pupistry::Storage_AWS.new 'agent'
+      s3 = Pupistry::StorageAWS.new 'agent'
 
-        unless s3.download "#{$config["general"]["gpg_signing_key"]}.publickey", "#{$config["general"]["app_cache"]}/artifacts/#{$config["general"]["gpg_signing_key"]}.publickey"
-          $logger.error "Unable to download GPG key from S3 bucket, this will prevent validation of signature"
-          return false
-        end
-
-        unless system "gpg --import < #{$config["general"]["app_cache"]}/artifacts/#{$config["general"]["gpg_signing_key"]}.publickey > /dev/null 2>&1"
-         $logger.error "A fault occured when trying to import the GPG key"
-         return false
-       end
+      unless s3.download "#{$config['general']['gpg_signing_key']}.publickey", "#{$config['general']['app_cache']}/artifacts/#{$config['general']['gpg_signing_key']}.publickey"
+        $logger.error 'Unable to download GPG key from S3 bucket, this will prevent validation of signature'
+        return false
+      end
 
-      rescue Exception => e
-        $logger.error "Something unexpected occured when installing the GPG public key"
+      unless system "gpg --import < #{$config['general']['app_cache']}/artifacts/#{$config['general']['gpg_signing_key']}.publickey > /dev/null 2>&1"
+        $logger.error 'A fault occured when trying to import the GPG key'
         return false
       end
-    end
 
-  end 
+    rescue StandardError
+      $logger.error 'Something unexpected occured when installing the GPG public key'
+      return false
+    end
+  end
 end
 
 # vim:shiftwidth=2:tabstop=2:softtabstop=2:expandtab:smartindent