reyes 0.2.0 → 0.2.1
- checksums.yaml +8 -8
- data/bin/reyes +10 -0
- data/lib/reyes/aws_manager.rb +1 -1
- data/lib/reyes/pgp_wrapper.rb +33 -5
- data/lib/reyes/s3_loader.rb +24 -2
- data/lib/reyes/tmp_persistent_file.rb +17 -0
- data/lib/reyes/version.rb +1 -1
- data/lib/reyes.rb +3 -2
- metadata +3 -2
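--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
 metadata.gz: !binary |-
-
+ZjZiNjMyZjAyMzg2ZmViYWVkYTkwMWYzZjk4YzJmOWMwYzBhODBmOA==
 data.tar.gz: !binary |-
-
+NTljMWY5NGY5MGFjYWI1YTIyN2JhOGExOGFmZTcyYTIzNmQ2YTZjNA==
 SHA512:
 metadata.gz: !binary |-
-
-
-
+Yjc2Nzg4YzczNDhlZDZiMjdkZmVhM2ZlN2ViMzY4OTU0Mzk3NmZmZmEwNjJm
+MTUwMDQ2OWVjOTJjYjI1NjliZmRmZTFkMDg0NTU3YTRjZTcxODA0MDA5YjMz
+MDBiNTBhOWEzNjI1YTA5NjcwNGE1OWNiNDYzNGFjZmM3NjdiZjM=
 data.tar.gz: !binary |-
-
-
-
+OGMwMmI5MThjNmUwNWJlZDFkNTBiNGUyYTc3MjA1NzYxOWM2ZTcwOWI1MzQ2
+NTRiZGNkODE5OGI5ZmIxMTM0NzA4MDc4ZDdkNWEzYzYwMDc3YmExOWM5NTUw
+NGRmMmUxNTFlOWNhYzYzMjYzN2I3ZmM4OWFjY2U4M2VkM2JlYjI=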
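--- a/data/bin/reyes
+++ b/data/bin/reyes
@@ -64,6 +64,12 @@ def command_upload(options)
 armoured_data = wrapper.clearsign(data)
 
 s3 = Reyes::S3Loader.new(aws, options[:config])
+
+if options[:archive]
+archive_name = "#{Socket.gethostname}-#{Time.now.to_i}"
+s3.archive_rules(armoured_data, archive_name)
+end
+
 s3.upload_rules(armoured_data)
 end
 
@@ -130,6 +136,10 @@ Options:
 options[:prune] = true
 end
 
+opts.on('-a', '--archive', 'Store an archived copy of these rules') do
+options[:archive] = true
+end
+
 # TODO: known bug: --dry-run does not prevent run generation increment
 opts.on('-n', '--dry-run', 'Print diff without making changes') do
 options[:apply_options][:dry_run] = true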
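--- a/data/lib/reyes/aws_manager.rb
+++ b/data/lib/reyes/aws_manager.rb
@@ -187,7 +187,7 @@ module Reyes
 groups = i.security_groups.to_a.sort_by(&:name)
 
 data['instances'][i.instance_id] = {
-'tags' => i.tags.to_h.
+'tags' => i.tags.to_h.to_hash,
 'region' => region,
 'availability_zone' => i.availability_zone,
 'private_ip_address' => i.private_ip_address,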
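Review bot: `i.tags.to_h.to_hash` reads as a redundant double conversion, and the reason for it — presumably that the SDK's `to_h` returns a Hash subclass or Hash-like object that the later serialisation of `data` does not handle the way a plain Hash is handled — is not recorded, so the next reader is likely to "simplify" it back and reintroduce whatever this fixes. A why-comment on the line, e.g. `# to_hash: coerce the SDK tag collection to a plain Hash so the instance snapshot serialises cleanly`, would keep the fix from regressing; the exact type `to_h` returns is not visible here, so confirm the wording against the aws-sdk version in use. The enclosing method starts and ends outside the hunk.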
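--- a/data/lib/reyes/pgp_wrapper.rb
+++ b/data/lib/reyes/pgp_wrapper.rb
@@ -3,6 +3,8 @@ module Reyes
 class VerificationFailed < StandardError
 end
 
+include Chalk::Log
+
 attr_reader :key_id, :keyring_directory
 
 # Create a PgpVerifier
@@ -26,6 +28,8 @@ module Reyes
 # @return [String] the stripped cleartext data
 #
 def verify!(data)
+log.info("Verifying #{data.length} bytes against key #{key_id}")
+
 gpg_cmd = %w{gpg --batch --decrypt --status-fd 2} + keyring_args + ['-']
 Subprocess.check_call(gpg_cmd,
 :stdin => Subprocess::PIPE,
@@ -33,11 +37,17 @@ module Reyes
 :stderr => Subprocess::PIPE) do |child|
 out, err = child.communicate(data)
 
-
-
-
-
-
+begin
+if err =~ PATTERN
+raise VerificationFailed.new("Bad key match") unless $1 == $2
+raise VerificationFailed.new("Bad Key ID") unless $1 == key_id
+else
+raise VerificationFailed.new("Pattern does not match")
+end
+rescue VerificationFailed => exc
+log.error("GPG verification failed: #{exc.message}")
+log_error_output(out, err, data)
+raise
 end
 
 # Sig looks ok
@@ -46,6 +56,8 @@ module Reyes
 end
 
 def clearsign(data)
+log.info("Signing #{data.length} bytes with key #{key_id}")
+
 gpg_cmd = %W{gpg --batch --clearsign -u #{key_id}} + keyring_args + ['-']
 Subprocess.check_call(gpg_cmd,
 :stdin => Subprocess::PIPE,
@@ -57,6 +69,22 @@ module Reyes
 
 private
 
+def log_error_output(out, err, data)
+log.error("GPG stderr:")
+log.error(err)
+log.error("GPG stdout:")
+log.error(out)
+
+write_tmp_file("input data", data) unless data.empty?
+end
+
+def write_tmp_file(message, output)
+TmpPersistentFile.open('reyes.') do |t|
+log.error("Writing #{message} to #{t.path.inspect}")
+t.print(output)
+end
+end
+
 def keyring_args
 [
 '--no-default-keyring',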
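Review bot: On a failed verification, `log_error_output` in the last hunk writes gpg's full stdout and stderr to the log and then persists the entire unverified input to a file under `/tmp` that nothing ever removes — that input is precisely the payload that just failed the signature check, i.e. the one an attacker would control. Neither the log lines nor the file are bounded in size, so a large or repeatedly failing payload fills the log and the temp directory, and any newlines in gpg's stdout (the cleartext of the input) land verbatim in the log stream. Consider truncating what goes to the log, e.g. `log.error(err[0, 4096])` and the same for `out`, keeping the full dump only in the 0600 file, and documenting on `write_tmp_file` that the file is deliberately retained for forensics and must be purged by hand. Separately, in the third hunk the key check relies on `$1`/`$2` from the first match of `PATTERN` against the merged `--status-fd 2` stream; `PATTERN` is defined outside this diff, so I cannot tell whether it anchors on a `[GNUPG:] VALIDSIG`/`GOODSIG` line or something looser — a comment stating which status line it matches and that only the first match is examined would help the next reader. `verify!` ends outside the hunk.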
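--- a/data/lib/reyes/s3_loader.rb
+++ b/data/lib/reyes/s3_loader.rb
@@ -1,23 +1,45 @@
+require 'digest/md5'
+
 module Reyes
 class S3Loader
 
 include Chalk::Log
 
-def initialize(aws, config)
+def initialize(aws, config, print_signatures=true)
 @aws = aws
 @config = Reyes::Config.new(config)
+@print_sig = print_signatures
 
 log.info("Initialized S3Loader: #{bucket.inspect}/#{path.inspect}")
 end
 
 def fetch_rules
-
+log.info("fetch_rules from #{bucket.inspect}/#{path.inspect}")
+data = @aws.s3.buckets[bucket].objects[path].read
+
+log.info("MD5: #{Digest::MD5.hexdigest(data)}") if @print_sig
+log.info("size: #{data.length}") if @print_sig
+
+data
 end
 
 def upload_rules(data)
+log.info("upload_rules to #{bucket.inspect}/#{path.inspect}")
+log.info("MD5: #{Digest::MD5.hexdigest(data)}") if @print_sig
+log.info("size: #{data.length}") if @print_sig
+
 @aws.s3.buckets[bucket].objects[path].write(data)
 end
 
+def archive_rules(data, slug)
+archive_path = "archive/#{slug}-#{path}"
+log.info("archive_rules to #{bucket.inspect}/#{archive_path.inspect}")
+log.info("MD5: #{Digest::MD5.hexdigest(data)}") if @print_sig
+log.info("size: #{data.length}") if @print_sig
+
+@aws.s3.buckets[bucket].objects[archive_path].write(data)
+end
+
 private
 
 def bucket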
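Review bot: The digest logged in `fetch_rules`, `upload_rules` and `archive_rules` is MD5, yet the flag controlling it is named `print_signatures`/`@print_sig` and that line is the only integrity information an operator sees; MD5 is collision-prone and the value is not a signature of anything, so the naming invites treating a matching digest as evidence of authenticity when the only real check is the PGP verification done elsewhere. Rename the flag to something like `print_digests` (keeping the positional default so callers still work) and switch to `Digest::SHA256.hexdigest(data)` with `require 'digest/sha2'`, logged as `SHA256:`. The three-line digest/size logging block is now repeated verbatim three times; a private `log_digest(data)` helper would keep the three paths consistent. `archive_rules` also interpolates the caller's `slug` straight into the key under `archive/`, so any `/` or control characters in whatever the caller passes become part of the object key; a `slug.gsub(/[^A-Za-z0-9._-]/, '_')` before building `archive_path` would keep the archive listing flat.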
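--- /dev/null
+++ b/data/lib/reyes/tmp_persistent_file.rb
@@ -0,0 +1,17 @@
+module Reyes
+# Similar to Tempfile::open, but don't unlink the file on exit.
+class TmpPersistentFile < File
+# Create a temporary file of mode 0600 in the temporary directory,
+# open it with mode "w+", and return the open File object.
+def initialize(prefix='tmp.', tmpdir='/tmp', suffix='')
+path = File.join(tmpdir, make_tmpname(prefix, suffix))
+super(path, File::RDWR|File::CREAT|File::EXCL, 0600)
+end
+
+# Generate a name for a temporary file.
+def make_tmpname(prefix, suffix)
+t = Time.now.strftime("%Y%m%d")
+"#{prefix}#{t}-#{$$}-#{rand(0x100000000).to_s(36)}#{suffix}"
+end
+end
+end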
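Review bot: `make_tmpname` draws its only unpredictable component from `rand(0x100000000)`, which comes from the default Mersenne Twister and is guessable, and `initialize` makes a single `O_CREAT|O_EXCL` attempt with no retry, so in a shared `/tmp` a local user who pre-creates a handful of likely names turns the open into `Errno::EEXIST`. The `O_EXCL` does correctly stop a pre-planted symlink from being followed, so this is a denial of the diagnostic path rather than a file clobber — but the only caller visible in this diff (`write_tmp_file` in pgp_wrapper.rb) runs inside a `rescue VerificationFailed`, so that `EEXIST` would replace the original `VerificationFailed` and the failed-signature diagnostics would be lost. Using `SecureRandom` for the name (with `require 'securerandom'` at the top of the file) and retrying a bounded number of times on `EEXIST` closes both; `Dir.tmpdir` would honour `TMPDIR` instead of the hard-coded `/tmp`, but that changes the path callers log, so I have left the default alone below. The class comment should also state plainly that the file is never removed and the caller is responsible for cleanup, since that is the whole reason the class exists. The whole class is inside the hunk.
```ruby
    def initialize(prefix='tmp.', tmpdir='/tmp', suffix='')
      attempts = 0
      begin
        path = File.join(tmpdir, make_tmpname(prefix, suffix))
        super(path, File::RDWR|File::CREAT|File::EXCL, 0600)
      rescue Errno::EEXIST
        # Another process (or a local attacker) took the name; try a fresh one.
        retry if (attempts += 1) < 10
        raise
      end
    end

    # Generate a name for a temporary file; the random part must not be guessable.
    def make_tmpname(prefix, suffix)
      t = Time.now.strftime("%Y%m%d")
      "#{prefix}#{t}-#{$$}-#{SecureRandom.hex(8)}#{suffix}"
    end
```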
data/lib/reyes/version.rb
CHANGED
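--- a/data/lib/reyes.rb
+++ b/data/lib/reyes.rb
@@ -19,8 +19,9 @@ require_relative './reyes/group_manager'
 require_relative './reyes/group_tools'
 require_relative './reyes/ipset'
 require_relative './reyes/iptables'
+require_relative './reyes/pgp_wrapper'
 require_relative './reyes/run_generation'
 require_relative './reyes/run_manager'
-require_relative './reyes/utils'
 require_relative './reyes/s3_loader'
-require_relative './reyes/
+require_relative './reyes/tmp_persistent_file'
+require_relative './reyes/utils'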
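--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: reyes
 version: !ruby/object:Gem::Version
-version: 0.2.
+version: 0.2.1
 platform: ruby
 authors:
 - Andy Brody
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-02-
+date: 2015-02-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: aws-sdk
@@ -127,6 +127,7 @@ files:
 - lib/reyes/run_manager.rb
 - lib/reyes/s3_loader.rb
 - lib/reyes/set_manager.rb
+- lib/reyes/tmp_persistent_file.rb
 - lib/reyes/utils.rb
 - lib/reyes/version.rb
 - reyes.gemspec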