riak-client-noenc 1.0.0

data/lib/riak/client/beefcake/object_methods.rb

@@ -0,0 +1,112 @@
+require 'riak/robject'
+require 'riak/link'
+require 'riak/client/beefcake/messages'
+
+module Riak
+  class Client
+    class BeefcakeProtobuffsBackend
+      module ObjectMethods
+        ENCODING = "Riak".respond_to?(:encoding)
+
+        # Returns RpbPutReq
+        def dump_object(robject, options = {})
+          req_opts = options.merge(:bucket => maybe_encode(robject.bucket.name))
+          if robject.bucket.respond_to?(:type) && t = robject.bucket.type
+            req_opts[:type] = maybe_encode(t.name)
+          end
+          pbuf = RpbPutReq.new(req_opts)
+          pbuf.key = maybe_encode(robject.key) if robject.key # Put w/o key supported!
+          pbuf.vclock = maybe_encode(Base64.decode64(robject.vclock)) if robject.vclock
+          dump_content pbuf, robject
+          pbuf
+        end
+
+        # Returns RObject
+        def load_object(pbuf, robject)
+          return robject if pbuf.respond_to?(:unchanged) && pbuf.unchanged # Reloading
+          robject.vclock = Base64.encode64(pbuf.vclock).chomp if pbuf.vclock
+          robject.key = maybe_unescape(pbuf.key) if pbuf.respond_to?(:key) && pbuf.key # Put w/o key
+          robject.siblings = (pbuf.content || []).map do |c|
+            RContent.new(robject) do |sibling|
+              load_content(c, sibling)
+            end
+          end
+          robject.conflict? ? robject.attempt_conflict_resolution : robject
+        end
+
+        private
+        def load_content(pbuf, rcontent)
+          if ENCODING && pbuf.charset.present?
+            pbuf.value.force_encoding(pbuf.charset) if Encoding.find(pbuf.charset)
+          end
+          rcontent.raw_data = pbuf.value
+          rcontent.etag = pbuf.vtag if pbuf.vtag.present?
+          rcontent.content_type = pbuf.content_type if pbuf.content_type.present?
+          rcontent.links = Set.new(pbuf.links.map(&method(:decode_link))) if pbuf.links.present?
+          pbuf.usermeta.each {|pair| decode_meta(pair, rcontent.meta) } if pbuf.usermeta.present?
+          if pbuf.indexes.present?
+            rcontent.indexes.clear
+            pbuf.indexes.each {|pair| decode_index(pair, rcontent.indexes) }
+          end
+          if pbuf.last_mod.present?
+            rcontent.last_modified = Time.at(pbuf.last_mod)
+            rcontent.last_modified += pbuf.last_mod_usecs / 1000000 if pbuf.last_mod_usecs.present?
+          end
+          rcontent
+        end
+
+        def dump_content(pbuf, robject)
+          pbuf.content = RpbContent.new(:value => maybe_encode(robject.raw_data),
+                                        :content_type => maybe_encode(robject.content_type),
+                                        :links => robject.links.map {|l| encode_link(l) }.compact,
+                                        :indexes => robject.indexes.map {|k, s| encode_index(k, s) }.flatten)
+
+          pbuf.content.usermeta = robject.meta.map {|k, v| encode_meta(k, v)} if robject.meta.any?
+          pbuf.content.vtag = maybe_encode(robject.etag) if robject.etag.present?
+          if ENCODING # 1.9 support
+            pbuf.content.charset = maybe_encode(robject.raw_data.encoding.name)
+          end
+        end
+
+        def decode_link(pbuf)
+          Riak::Link.new(pbuf.bucket, pbuf.key, pbuf.tag)
+        end
+
+        def encode_link(link)
+          return nil unless link.key.present?
+          RpbLink.new(:bucket => maybe_encode(link.bucket.to_s),
+                      :key => maybe_encode(link.key.to_s),
+                      :tag => maybe_encode(link.tag.to_s))
+        end
+
+        def decode_meta(pbuf, hash)
+          hash[pbuf.key] = pbuf.value
+        end
+
+        def encode_meta(key, value)
+          return nil unless value.present?
+          RpbPair.new(:key => maybe_encode(key.to_s),
+                      :value => maybe_encode(value.to_s))
+        end
+
+        def decode_index(pbuf, hash)
+          value = pbuf.key =~ /int$/ ? pbuf.value.to_i : pbuf.value
+          hash[pbuf.key] << value
+        end
+
+        def encode_index(key, set)
+          set.map do |v|
+            RpbPair.new(:key => maybe_encode(key.to_s),
+                        :value => maybe_encode(v.to_s))
+          end
+        end
+
+        def maybe_encode(string)
+          ENCODING ? string.dup.force_encoding('BINARY') : string
+        end
+      end
+
+      include ObjectMethods
+    end
+  end
+end

data/lib/riak/client/beefcake/protocol.rb

@@ -0,0 +1,105 @@
+require 'riak/client/beefcake/messages'
+require 'riak/client/beefcake/message_codes'
+require 'riak/errors/failed_request'
+require 'riak/errors/protobuffs_error'
+
+module Riak
+  class Client
+    class BeefcakeProtobuffsBackend < ProtobuffsBackend
+      class Protocol
+        include Riak::Util::Translation
+        attr_reader :socket
+
+        def initialize(socket)
+          @socket = socket
+        end
+
+        # Encodes and writes a Riak-formatted message, including protocol buffer
+        # payload if given.
+        #
+        # @param [Symbol, Integer] code the symbolic or numeric code for the
+        #   message
+        # @param [Beefcake::Message, nil] message the protocol buffer message
+        #   payload, or nil if the message carries no payload
+        def write(code, message = nil)
+          if code.is_a? Symbol
+            code = BeefcakeMessageCodes.index code
+          end
+
+          serialized = serialize message
+
+          header = [serialized.length + 1, code].pack 'NC'
+
+          payload = header + serialized
+
+          socket.write payload
+          socket.flush
+        end
+
+        # Receives a Riak-formatted message, and returns the symbolic name of
+        # the message along with the string payload from the network.
+        #
+        # @return [Array<Symbol, String>]
+        def receive
+          header = socket.read 5
+
+          raise ProtobuffsFailedHeader.new if header.nil?
+          message_length, code = header.unpack 'NC'
+          body_length = message_length - 1
+          body = nil
+          body = socket.read body_length if body_length > 0
+
+          name = BeefcakeMessageCodes[code]
+
+          return name, body
+        end
+
+        # Receives a Riak-formatted message, checks the symbolic name against
+        # the given code, decodes it if it matches, and can optionally return
+        # success if the payload is empty.
+        #
+        # @param [Symbol] code the code for the message
+        # @param [Class, nil] decoder_class the class to attempt to decode
+        #   the payload with
+        # @param [Hash] options
+        # @option options [Boolean] :empty_body_acceptable Whether to accept
+        #   an empty body and not attempt decoding. In this case, this method
+        #   will return the symbol `:empty` instead of a `Beefcake::Message`
+        #   instance
+        # @return [Beefcake::Message, :empty]
+        # @raise {ProtobuffsErrorResponse} if the message from Riak was a
+        #   255-ErrorResp
+        # @raise {ProtobuffsUnexpectedResponse} if the message from riak did
+        #   not match `code`
+        def expect(code, decoder_class = nil, options = { })
+          code = BeefcakeMessageCodes[code] unless code.is_a? Symbol
+          name, body = receive
+
+          if name == :ErrorResp
+            raise ProtobuffsErrorResponse.new RpbErrorResp.decode(body)
+          end
+
+          if name != code
+            raise ProtobuffsUnexpectedResponse.new name, code
+          end
+
+          return true if decoder_class.nil?
+
+          return :empty if body.nil? && options[:empty_body_acceptable]
+
+          return decoder_class.decode body
+        end
+
+        private
+
+        def serialize(message)
+          return '' if message.nil?
+          return message if message.is_a? String
+          return message.encode.to_s if message.is_a? Beefcake::Message
+
+          raise ArgumentError.new t('pbc.unknown_serialize', message: message)
+        end
+      end
+    end
+  end
+end

data/lib/riak/client/beefcake/socket.rb

@@ -0,0 +1,260 @@
+require 'openssl'
+require 'cert_validator'
+require 'riak/client/beefcake/messages'
+require 'riak/errors/connection_error'
+
+module Riak
+  class Client
+    class BeefcakeProtobuffsBackend
+      # A factory class for making sockets, whether secure or not
+      # @api private
+      class BeefcakeSocket
+        include Client::BeefcakeMessageCodes
+        # Only create class methods, don't initialize
+        class << self
+          def new(host, port, options = {})
+            return start_tcp_socket(host, port) if options[:authentication].blank?
+            return start_tls_socket(host, port, options[:authentication])
+          end
+
+          private
+          def start_tcp_socket(host, port)
+            TCPSocket.new(host, port).tap do |sock|
+              sock.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, true)
+            end
+          end
+
+          def start_tls_socket(host, port, authentication)
+            raise Riak::UserConfigurationError.new if authentication[:username]
+
+            tcp = start_tcp_socket(host, port)
+            TlsInitiator.new(tcp, host, authentication).tls_socket
+          end
+
+          # Wrap up the logic to turn a TCP socket into a TLS socket.
+          # Depends on Beefcake, which should be relatively safe.
+          class TlsInitiator
+            BC = ::Riak::Client::BeefcakeProtobuffsBackend
+            include Util::Translation
+
+            # Create a TLS Initiator
+            #
+            # @param tcp_socket [TCPSocket] the {TCPSocket} to start TLS on
+            # @param authentication [Hash] a hash of authentication details
+            def initialize(tcp_socket, host, authentication)
+              @sock = @tcp = tcp_socket
+              @host = host
+              @auth = authentication
+            end
+
+            # Return the SSLSocket that has a TLS session running. (TLS is a
+            # better and safer SSL).
+            #
+            # @return [OpenSSL::SSL::SSLSocket]
+            def tls_socket
+              configure_context
+              start_tls
+              validate_session
+              send_authentication
+              validate_connection
+              return @tls
+            end
+
+            private
+            def riak_cert
+              @riak_cert ||= @tls.peer_cert
+            end
+
+            def ca_cert
+              @ca_cert ||= @tls.peer_cert_chain[1]
+            end
+
+            # Set up an SSL context with appropriate defaults for Riak TLS
+            def configure_context
+              @context = OpenSSL::SSL::SSLContext.new
+
+              # Replace insecure defaults
+              @context.ssl_version = (@auth[:ssl_version] || default_ssl_version).to_sym
+              @context.verify_mode = (@auth[:verify_mode] || OpenSSL::SSL::VERIFY_PEER).to_i
+
+              cert_ify
+              key_ify
+
+              # Defer to defaults
+              %w{ cert key client_ca ca_file ca_path timeout }.each do |k|
+                @context.send(:"#{k}=", @auth[k.to_sym]) if @auth[k.to_sym]
+              end
+            end
+
+            # Choose the most secure SSL version available
+            def default_ssl_version
+              available = OpenSSL::SSL::SSLContext::METHODS
+              selected = %w{TLSv1_2_client TLSv1_1_client TLSv1.1 TLSv1_client TLS}.detect do |v|
+                available.include? v.to_sym
+              end
+
+              raise TlsError::SslVersionConfigurationError.new unless selected
+
+              return selected
+            end
+
+            # Convert cert and client_ca fields to X509 Certs
+            def cert_ify
+              %w{ cert client_ca }.each do |k|
+                candidate = @auth[k.to_sym]
+                next if candidate.nil?
+                next if candidate.is_a? OpenSSL::X509::Certificate
+
+                @auth[k.to_sym] = OpenSSL::X509::Certificate.new try_load candidate
+              end
+            end
+
+            def key_ify
+              candidate = @auth[:key]
+              return if candidate.nil?
+              return if candidate.is_a? OpenSSL::PKey::PKey
+
+              candidate = try_load candidate
+
+              pkey_class_names = OpenSSL::PKey.
+                constants.
+                reject{|s| s.to_s =~ /Error$/}
+
+              pkey_classes = pkey_class_names.map{ |n| OpenSSL::PKey.const_get n }
+
+              pkey_classes.each do |klass|
+                begin
+                  successfully_initialized = klass.new candidate
+                  @auth[:key] = successfully_initialized
+                  return
+                rescue
+                  next
+                end
+              end
+
+              # Don't try and guess what the key is
+              raise TlsError::UnknownKeyTypeError.new
+            end
+
+            # Figure out if the given string is the data itself or a path to the data
+            def try_load(data_or_path)
+              begin
+                data_or_path = File.read data_or_path
+              rescue Errno::ENOENT
+                # couldn't read the file, it might be a string containing
+                # a key
+              rescue Errno::ENAMETOOLONG
+                # the filename is too long, it's almost certainly a string
+                # containing a key
+              rescue => e
+                raise TlsError::ReadDataError.new e, data_or_path
+              end
+
+              return data_or_path
+            end
+
+            # Attempt to exchange the TCP socket for a TLS socket.
+            def start_tls
+              write_message :StartTls
+              expect_message :StartTls
+              # Swap the tls socket in for the tcp socket, so write_message and
+              # read_message continue working
+              @sock = @tls = OpenSSL::SSL::SSLSocket.new @tcp, @context
+              @tls.connect
+            end
+
+            # Validate the TLS session
+            def validate_session
+              if @auth[:verify_hostname] &&
+                  !OpenSSL::SSL::verify_certificate_identity(riak_cert, @host)
+                raise TlsError::CertHostMismatchError.new
+              end
+
+              unless (riak_cert.not_before..riak_cert.not_after).cover? Time.now
+                raise TlsError::CertNotValidError.new
+              end
+
+              validator = CertValidator.new riak_cert, ca_cert
+
+              validator.crl = try_load @auth[:crl_file] if @auth[:crl_file]
+
+              if @auth[:crl]
+                raise TlsError::CertRevokedError.new unless validator.crl_valid?
+              end
+
+              if @auth[:ocsp]
+                raise TlsError::CertRevokedError.new unless validator.ocsp_valid?
+              end
+            end
+
+            def validator_options
+              o = {
+                ocsp: !!@auth[:ocsp],
+                crl: !!@auth[:crl]
+              }
+
+              if @auth[:crl_file]
+                o[:crl_file] = @auth[:crl_file]
+                o[:crl] = true
+              end
+
+              return o
+            end
+
+            # Send an AuthReq with the authentication data. Rely on beefcake
+            # discarding message parts it doesn't understand.
+            def send_authentication
+              req = BC::RpbAuthReq.new @auth
+              write_message :AuthReq, req.encode
+              expect_message :AuthResp
+            end
+
+            # Ping the Riak node and make sure it actually works.
+            def validate_connection
+              write_message :PingReq
+              expect_message :PingResp
+            end
+
+            # Write a protocol buffers message to whatever the current
+            # socket is.
+            def write_message(code, message = '')
+              if code.is_a? Symbol
+                code = BeefcakeMessageCodes.index code
+              end
+
+              header = [message.length+1, code].pack 'NC'
+              @sock.write header + message
+            end
+
+            def read_message
+              header = @sock.read 5
+              raise TlsError.new(t('ssl.eof_during_init')) if header.nil?
+              len, code = header.unpack 'NC'
+              decode = BeefcakeMessageCodes[code]
+              return decode, '' if len == 1
+
+              message = @sock.read(len - 1)
+              return decode, message
+            end
+
+            def expect_message(expected_code)
+              if expected_code.is_a? Numeric
+                expected_code = BeefcakeMessageCodes[code]
+              end
+
+              candidate_code, message = read_message
+              return message if expected_code == candidate_code
+
+              raise TlsError.new(t('ssl.unexpected_during_init',
+                                   expected: expected_code.inspect,
+                                   actual: candidate_code.inspect,
+                                   body: message.inspect
+                                   ))
+
+            end
+          end
+        end
+      end
+    end
+  end
+end