reyes 0.2.0 → 0.2.1

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    ZTZhZTI3NWU5Yjk3ZWE1NWI4MzlkYjVjMzg1NDg0NGYwNTAxMzU0OA==
+    ZjZiNjMyZjAyMzg2ZmViYWVkYTkwMWYzZjk4YzJmOWMwYzBhODBmOA==
   data.tar.gz: !binary |-
-    NzE1OGRiMzYxMWE2OWQwNDdhNDc4ZGFhYThlMTZmZDMyMGI1MGQ4NQ==
+    NTljMWY5NGY5MGFjYWI1YTIyN2JhOGExOGFmZTcyYTIzNmQ2YTZjNA==
 SHA512:
   metadata.gz: !binary |-
-    Y2NhNTZjZDI3NTIzOGFhMzJmY2EyY2JhNjdhZWE1OTQ1OTZlM2Q2ZjBhOGUy
-    MzQ5NWRjYzAzNjk2NGZiZTFkYjI5MDczOGZhODA0NTZmYmZmZTZjN2E3ZjM4
-    NmIyZGU4YzBjZTI5ZDY0MTVjODI4NTY4ZGJkNjc0ZjYyYWVhZDE=
+    Yjc2Nzg4YzczNDhlZDZiMjdkZmVhM2ZlN2ViMzY4OTU0Mzk3NmZmZmEwNjJm
+    MTUwMDQ2OWVjOTJjYjI1NjliZmRmZTFkMDg0NTU3YTRjZTcxODA0MDA5YjMz
+    MDBiNTBhOWEzNjI1YTA5NjcwNGE1OWNiNDYzNGFjZmM3NjdiZjM=
   data.tar.gz: !binary |-
-    YjE1MjliYjFmMWJhMmI2YTdlZmQzMGMwYmIyOTg0NWZkMjIxYTE3ZjRhNTky
-    YTNjYWU5OGYyZDhiZjU1ZDcyOGEzNDZlMjUyNWU5MTEzNjI5MzYwNmE3MmFi
-    NmMwOWNmNTQ1NjVhMjRlYmQyYmYwN2I1ZmNiNjlmYjllMWM4OGU=
+    OGMwMmI5MThjNmUwNWJlZDFkNTBiNGUyYTc3MjA1NzYxOWM2ZTcwOWI1MzQ2
+    NTRiZGNkODE5OGI5ZmIxMTM0NzA4MDc4ZDdkNWEzYzYwMDc3YmExOWM5NTUw
+    NGRmMmUxNTFlOWNhYzYzMjYzN2I3ZmM4OWFjY2U4M2VkM2JlYjI=

data/bin/reyes

@@ -64,6 +64,12 @@ def command_upload(options)
   armoured_data = wrapper.clearsign(data)
 
   s3 = Reyes::S3Loader.new(aws, options[:config])
+
+  if options[:archive]
+    archive_name = "#{Socket.gethostname}-#{Time.now.to_i}"
+    s3.archive_rules(armoured_data, archive_name)
+  end
+
   s3.upload_rules(armoured_data)
 end
 
@@ -130,6 +136,10 @@ Options:
       options[:prune] = true
     end
 
+    opts.on('-a', '--archive', 'Store an archived copy of these rules') do
+      options[:archive] = true
+    end
+
     # TODO: known bug: --dry-run does not prevent run generation increment
     opts.on('-n', '--dry-run', 'Print diff without making changes') do
       options[:apply_options][:dry_run] = true

data/lib/reyes/aws_manager.rb

@@ -187,7 +187,7 @@ module Reyes
           groups = i.security_groups.to_a.sort_by(&:name)
 
           data['instances'][i.instance_id] = {
-            'tags' => i.tags.to_h.to_h,
+            'tags' => i.tags.to_h.to_hash,
             'region' => region,
             'availability_zone' => i.availability_zone,
             'private_ip_address' => i.private_ip_address,

data/lib/reyes/pgp_wrapper.rb

@@ -3,6 +3,8 @@ module Reyes
     class VerificationFailed < StandardError
     end
 
+    include Chalk::Log
+
     attr_reader :key_id, :keyring_directory
 
     # Create a PgpVerifier
@@ -26,6 +28,8 @@ module Reyes
     # @return [String] the stripped cleartext data
     #
     def verify!(data)
+      log.info("Verifying #{data.length} bytes against key #{key_id}")
+
       gpg_cmd = %w{gpg --batch --decrypt --status-fd 2} + keyring_args + ['-']
       Subprocess.check_call(gpg_cmd,
                             :stdin => Subprocess::PIPE,
@@ -33,11 +37,17 @@ module Reyes
                             :stderr => Subprocess::PIPE) do |child|
         out, err = child.communicate(data)
 
-        if err =~ PATTERN
-          raise VerificationFailed.new("Bad key match") unless $1 == $2
-          raise VerificationFailed.new("Bad Key ID") unless $1 == key_id
-        else
-          raise VerificationFailed.new("Pattern does not match")
+        begin
+          if err =~ PATTERN
+            raise VerificationFailed.new("Bad key match") unless $1 == $2
+            raise VerificationFailed.new("Bad Key ID") unless $1 == key_id
+          else
+            raise VerificationFailed.new("Pattern does not match")
+          end
+        rescue VerificationFailed => exc
+          log.error("GPG verification failed: #{exc.message}")
+          log_error_output(out, err, data)
+          raise
         end
 
         # Sig looks ok
@@ -46,6 +56,8 @@ module Reyes
     end
 
     def clearsign(data)
+      log.info("Signing #{data.length} bytes with key #{key_id}")
+
       gpg_cmd = %W{gpg --batch --clearsign -u #{key_id}} + keyring_args + ['-']
       Subprocess.check_call(gpg_cmd,
                             :stdin => Subprocess::PIPE,
@@ -57,6 +69,22 @@ module Reyes
 
     private
 
+    def log_error_output(out, err, data)
+      log.error("GPG stderr:")
+      log.error(err)
+      log.error("GPG stdout:")
+      log.error(out)
+
+      write_tmp_file("input data", data) unless data.empty?
+    end
+
+    def write_tmp_file(message, output)
+      TmpPersistentFile.open('reyes.') do |t|
+        log.error("Writing #{message} to #{t.path.inspect}")
+        t.print(output)
+      end
+    end
+
     def keyring_args
       [
         '--no-default-keyring',

data/lib/reyes/s3_loader.rb

@@ -1,23 +1,45 @@
+require 'digest/md5'
+
 module Reyes
   class S3Loader
 
     include Chalk::Log
 
-    def initialize(aws, config)
+    def initialize(aws, config, print_signatures=true)
       @aws = aws
       @config = Reyes::Config.new(config)
+      @print_sig = print_signatures
 
       log.info("Initialized S3Loader: #{bucket.inspect}/#{path.inspect}")
     end
 
     def fetch_rules
-      @aws.s3.buckets[bucket].objects[path].read
+      log.info("fetch_rules from #{bucket.inspect}/#{path.inspect}")
+      data = @aws.s3.buckets[bucket].objects[path].read
+
+      log.info("MD5: #{Digest::MD5.hexdigest(data)}") if @print_sig
+      log.info("size: #{data.length}") if @print_sig
+
+      data
     end
 
     def upload_rules(data)
+      log.info("upload_rules to #{bucket.inspect}/#{path.inspect}")
+      log.info("MD5: #{Digest::MD5.hexdigest(data)}") if @print_sig
+      log.info("size: #{data.length}") if @print_sig
+
       @aws.s3.buckets[bucket].objects[path].write(data)
     end
 
+    def archive_rules(data, slug)
+      archive_path = "archive/#{slug}-#{path}"
+      log.info("archive_rules to #{bucket.inspect}/#{archive_path.inspect}")
+      log.info("MD5: #{Digest::MD5.hexdigest(data)}") if @print_sig
+      log.info("size: #{data.length}") if @print_sig
+
+      @aws.s3.buckets[bucket].objects[archive_path].write(data)
+    end
+
   private
 
     def bucket

data/lib/reyes/tmp_persistent_file.rb

@@ -0,0 +1,17 @@
+module Reyes
+  # Similar to Tempfile::open, but don't unlink the file on exit.
+  class TmpPersistentFile < File
+    # Create a temporary file of mode 0600 in the temporary directory,
+    # open it with mode "w+", and return the open File object.
+    def initialize(prefix='tmp.', tmpdir='/tmp', suffix='')
+      path = File.join(tmpdir, make_tmpname(prefix, suffix))
+      super(path, File::RDWR|File::CREAT|File::EXCL, 0600)
+    end
+
+    # Generate a name for a temporary file.
+    def make_tmpname(prefix, suffix)
+      t = Time.now.strftime("%Y%m%d")
+      "#{prefix}#{t}-#{$$}-#{rand(0x100000000).to_s(36)}#{suffix}"
+    end
+  end
+end

data/lib/reyes/version.rb

@@ -1,3 +1,3 @@
 module Reyes
-  VERSION = '0.2.0' unless defined?(self::VERSION)
+  VERSION = '0.2.1' unless defined?(self::VERSION)
 end

data/lib/reyes.rb

@@ -19,8 +19,9 @@ require_relative './reyes/group_manager'
 require_relative './reyes/group_tools'
 require_relative './reyes/ipset'
 require_relative './reyes/iptables'
+require_relative './reyes/pgp_wrapper'
 require_relative './reyes/run_generation'
 require_relative './reyes/run_manager'
-require_relative './reyes/utils'
 require_relative './reyes/s3_loader'
-require_relative './reyes/pgp_wrapper'
+require_relative './reyes/tmp_persistent_file'
+require_relative './reyes/utils'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: reyes
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Andy Brody
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-02-21 00:00:00.000000000 Z
+date: 2015-02-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -127,6 +127,7 @@ files:
 - lib/reyes/run_manager.rb
 - lib/reyes/s3_loader.rb
 - lib/reyes/set_manager.rb
+- lib/reyes/tmp_persistent_file.rb
 - lib/reyes/utils.rb
 - lib/reyes/version.rb
 - reyes.gemspec