riak-client-noenc 1.0.0
- checksums.yaml +7 -0
- data/.document +5 -0
- data/.gitignore +42 -0
- data/.rspec +1 -0
- data/Gemfile +17 -0
- data/Guardfile +20 -0
- data/LICENSE.md +16 -0
- data/README.markdown +640 -0
- data/RELEASE_NOTES.md +392 -0
- data/Rakefile +119 -0
- data/lib/riak.rb +22 -0
- data/lib/riak/bucket.rb +297 -0
- data/lib/riak/bucket_properties.rb +74 -0
- data/lib/riak/bucket_type.rb +77 -0
- data/lib/riak/bucket_typed/bucket.rb +121 -0
- data/lib/riak/client.rb +433 -0
- data/lib/riak/client/beefcake/bucket_properties_operator.rb +178 -0
- data/lib/riak/client/beefcake/crdt/counter_loader.rb +18 -0
- data/lib/riak/client/beefcake/crdt/map_loader.rb +64 -0
- data/lib/riak/client/beefcake/crdt/set_loader.rb +18 -0
- data/lib/riak/client/beefcake/crdt_loader.rb +84 -0
- data/lib/riak/client/beefcake/crdt_operator.rb +223 -0
- data/lib/riak/client/beefcake/footer +4 -0
- data/lib/riak/client/beefcake/header +6 -0
- data/lib/riak/client/beefcake/message_codes.rb +89 -0
- data/lib/riak/client/beefcake/message_overlay.rb +87 -0
- data/lib/riak/client/beefcake/messages.rb +772 -0
- data/lib/riak/client/beefcake/object_methods.rb +112 -0
- data/lib/riak/client/beefcake/protocol.rb +105 -0
- data/lib/riak/client/beefcake/socket.rb +260 -0
- data/lib/riak/client/beefcake_protobuffs_backend.rb +538 -0
- data/lib/riak/client/decaying.rb +36 -0
- data/lib/riak/client/feature_detection.rb +120 -0
- data/lib/riak/client/instrumentation.rb +19 -0
- data/lib/riak/client/node.rb +49 -0
- data/lib/riak/client/protobuffs_backend.rb +143 -0
- data/lib/riak/client/search.rb +27 -0
- data/lib/riak/client/yokozuna.rb +52 -0
- data/lib/riak/conflict.rb +13 -0
- data/lib/riak/core_ext.rb +7 -0
- data/lib/riak/core_ext/blank.rb +53 -0
- data/lib/riak/core_ext/deep_dup.rb +13 -0
- data/lib/riak/core_ext/extract_options.rb +7 -0
- data/lib/riak/core_ext/json.rb +15 -0
- data/lib/riak/core_ext/slice.rb +18 -0
- data/lib/riak/core_ext/stringify_keys.rb +10 -0
- data/lib/riak/core_ext/symbolize_keys.rb +10 -0
- data/lib/riak/core_ext/to_param.rb +31 -0
- data/lib/riak/counter.rb +101 -0
- data/lib/riak/crdt.rb +21 -0
- data/lib/riak/crdt/base.rb +183 -0
- data/lib/riak/crdt/batch_counter.rb +19 -0
- data/lib/riak/crdt/batch_map.rb +41 -0
- data/lib/riak/crdt/counter.rb +82 -0
- data/lib/riak/crdt/inner_counter.rb +81 -0
- data/lib/riak/crdt/inner_flag.rb +42 -0
- data/lib/riak/crdt/inner_map.rb +75 -0
- data/lib/riak/crdt/inner_register.rb +26 -0
- data/lib/riak/crdt/inner_set.rb +102 -0
- data/lib/riak/crdt/map.rb +121 -0
- data/lib/riak/crdt/operation.rb +19 -0
- data/lib/riak/crdt/set.rb +166 -0
- data/lib/riak/crdt/typed_collection.rb +181 -0
- data/lib/riak/encoding.rb +6 -0
- data/lib/riak/errors/backend_creation.rb +9 -0
- data/lib/riak/errors/base.rb +9 -0
- data/lib/riak/errors/connection_error.rb +50 -0
- data/lib/riak/errors/crdt_error.rb +38 -0
- data/lib/riak/errors/failed_request.rb +58 -0
- data/lib/riak/errors/protobuffs_error.rb +11 -0
- data/lib/riak/errors/search_error.rb +35 -0
- data/lib/riak/i18n.rb +7 -0
- data/lib/riak/index_collection.rb +71 -0
- data/lib/riak/instrumentation.rb +6 -0
- data/lib/riak/json.rb +52 -0
- data/lib/riak/link.rb +96 -0
- data/lib/riak/list_buckets.rb +28 -0
- data/lib/riak/locale/en.yml +107 -0
- data/lib/riak/locale/fr.yml +51 -0
- data/lib/riak/map_reduce.rb +295 -0
- data/lib/riak/map_reduce/filter_builder.rb +103 -0
- data/lib/riak/map_reduce/phase.rb +98 -0
- data/lib/riak/map_reduce/results.rb +49 -0
- data/lib/riak/map_reduce_error.rb +7 -0
- data/lib/riak/multiget.rb +122 -0
- data/lib/riak/preflist_item.rb +7 -0
- data/lib/riak/rcontent.rb +173 -0
- data/lib/riak/robject.rb +222 -0
- data/lib/riak/search.rb +11 -0
- data/lib/riak/search/index.rb +87 -0
- data/lib/riak/search/query.rb +141 -0
- data/lib/riak/search/result_collection.rb +144 -0
- data/lib/riak/search/result_document.rb +129 -0
- data/lib/riak/search/schema.rb +65 -0
- data/lib/riak/secondary_index.rb +81 -0
- data/lib/riak/serializers.rb +73 -0
- data/lib/riak/stamp.rb +77 -0
- data/lib/riak/util/escape.rb +80 -0
- data/lib/riak/util/tcp_socket_extensions.rb +58 -0
- data/lib/riak/util/translation.rb +18 -0
- data/lib/riak/version.rb +3 -0
- data/lib/riak/walk_spec.rb +145 -0
- data/spec/failover/failover.rb +59 -0
- data/spec/fixtures/bitcask.txt +25 -0
- data/spec/fixtures/cat.jpg +0 -0
- data/spec/fixtures/multipart-basic-conflict.txt +15 -0
- data/spec/fixtures/multipart-blank.txt +7 -0
- data/spec/fixtures/multipart-mapreduce.txt +10 -0
- data/spec/fixtures/multipart-with-body.txt +16 -0
- data/spec/fixtures/multipart-with-marked-tombstones.txt +17 -0
- data/spec/fixtures/multipart-with-unmarked-tombstone.txt +16 -0
- data/spec/fixtures/server.cert.crt +15 -0
- data/spec/fixtures/server.cert.key +15 -0
- data/spec/fixtures/test.pem +1 -0
- data/spec/fixtures/yz_schema_template.xml +18 -0
- data/spec/integration/riak/bucket_types_spec.rb +270 -0
- data/spec/integration/riak/conflict_resolution_spec.rb +96 -0
- data/spec/integration/riak/counters_spec.rb +36 -0
- data/spec/integration/riak/crdt/configuration_spec.rb +37 -0
- data/spec/integration/riak/crdt_search_spec.rb +176 -0
- data/spec/integration/riak/crdt_spec.rb +250 -0
- data/spec/integration/riak/crdt_validation/map_spec.rb +63 -0
- data/spec/integration/riak/crdt_validation/set_spec.rb +122 -0
- data/spec/integration/riak/preflist_spec.rb +31 -0
- data/spec/integration/riak/properties_spec.rb +69 -0
- data/spec/integration/riak/protobuffs/interrupted_request_spec.rb +33 -0
- data/spec/integration/riak/protobuffs_backends_spec.rb +40 -0
- data/spec/integration/riak/search_spec.rb +104 -0
- data/spec/integration/riak/secondary_index_spec.rb +72 -0
- data/spec/integration/riak/security_spec.rb +100 -0
- data/spec/integration/riak/threading_spec.rb +150 -0
- data/spec/integration/yokozuna/index_spec.rb +61 -0
- data/spec/integration/yokozuna/queries_spec.rb +115 -0
- data/spec/integration/yokozuna/schema_spec.rb +49 -0
- data/spec/riak/beefcake_protobuffs_backend/bucket_properties_operator_spec.rb +247 -0
- data/spec/riak/beefcake_protobuffs_backend/crdt_operator_spec.rb +222 -0
- data/spec/riak/beefcake_protobuffs_backend/object_methods_spec.rb +23 -0
- data/spec/riak/beefcake_protobuffs_backend/protocol_spec.rb +189 -0
- data/spec/riak/beefcake_protobuffs_backend_spec.rb +162 -0
- data/spec/riak/bucket_properties_spec.rb +135 -0
- data/spec/riak/bucket_spec.rb +275 -0
- data/spec/riak/bucket_type_spec.rb +50 -0
- data/spec/riak/bucket_typed/bucket_spec.rb +62 -0
- data/spec/riak/client_spec.rb +246 -0
- data/spec/riak/core_ext/to_param_spec.rb +15 -0
- data/spec/riak/counter_spec.rb +122 -0
- data/spec/riak/crdt/counter_spec.rb +55 -0
- data/spec/riak/crdt/inner_counter_spec.rb +21 -0
- data/spec/riak/crdt/inner_flag_spec.rb +39 -0
- data/spec/riak/crdt/inner_map_spec.rb +47 -0
- data/spec/riak/crdt/inner_register_spec.rb +40 -0
- data/spec/riak/crdt/inner_set_spec.rb +33 -0
- data/spec/riak/crdt/map_spec.rb +78 -0
- data/spec/riak/crdt/set_spec.rb +61 -0
- data/spec/riak/crdt/shared_examples.rb +74 -0
- data/spec/riak/crdt/typed_collection_spec.rb +225 -0
- data/spec/riak/escape_spec.rb +72 -0
- data/spec/riak/feature_detection_spec.rb +77 -0
- data/spec/riak/index_collection_spec.rb +53 -0
- data/spec/riak/instrumentation_spec.rb +124 -0
- data/spec/riak/link_spec.rb +85 -0
- data/spec/riak/list_buckets_spec.rb +41 -0
- data/spec/riak/map_reduce/filter_builder_spec.rb +32 -0
- data/spec/riak/map_reduce/phase_spec.rb +142 -0
- data/spec/riak/map_reduce_spec.rb +434 -0
- data/spec/riak/multiget_spec.rb +81 -0
- data/spec/riak/node_spec.rb +26 -0
- data/spec/riak/robject_spec.rb +496 -0
- data/spec/riak/search/index_spec.rb +72 -0
- data/spec/riak/search/query_spec.rb +88 -0
- data/spec/riak/search/result_collection_spec.rb +89 -0
- data/spec/riak/search/result_document_spec.rb +106 -0
- data/spec/riak/search/schema_spec.rb +63 -0
- data/spec/riak/search_spec.rb +107 -0
- data/spec/riak/secondary_index_spec.rb +225 -0
- data/spec/riak/serializers_spec.rb +121 -0
- data/spec/riak/stamp_spec.rb +54 -0
- data/spec/riak/walk_spec_spec.rb +203 -0
- data/spec/spec_helper.rb +66 -0
- data/spec/support/certs/README.md +13 -0
- data/spec/support/certs/ca.crt +21 -0
- data/spec/support/certs/client.crl +13 -0
- data/spec/support/certs/client.crt +94 -0
- data/spec/support/certs/client.csr +18 -0
- data/spec/support/certs/client.key +27 -0
- data/spec/support/certs/empty_ca.crt +21 -0
- data/spec/support/certs/server.crl +13 -0
- data/spec/support/certs/server.crt +94 -0
- data/spec/support/certs/server.key +27 -0
- data/spec/support/crdt_search_config.rb +112 -0
- data/spec/support/crdt_search_fixtures.rb +42 -0
- data/spec/support/integration_setup.rb +10 -0
- data/spec/support/search_config.rb +83 -0
- data/spec/support/search_corpus_setup.rb +39 -0
- data/spec/support/test_client.rb +46 -0
- data/spec/support/test_client.yml.example +10 -0
- data/spec/support/unified_backend_examples.rb +380 -0
- data/spec/support/version_filter.rb +12 -0
- data/spec/support/wait_until.rb +20 -0
- metadata +511 -0
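--- a/data/lib/riak/client/beefcake/object_methods.rb
+++ b/data/lib/riak/client/beefcake/object_methods.rb
@@ -0,0 +1,112 @@
+require 'riak/robject'
+require 'riak/link'
+require 'riak/client/beefcake/messages'
+
+module Riak
+class Client
+class BeefcakeProtobuffsBackend
+module ObjectMethods
+ENCODING = "Riak".respond_to?(:encoding)
+
+# Returns RpbPutReq
+def dump_object(robject, options = {})
+req_opts = options.merge(:bucket => maybe_encode(robject.bucket.name))
+if robject.bucket.respond_to?(:type) && t = robject.bucket.type
+req_opts[:type] = maybe_encode(t.name)
+end
+pbuf = RpbPutReq.new(req_opts)
+pbuf.key = maybe_encode(robject.key) if robject.key # Put w/o key supported!
+pbuf.vclock = maybe_encode(Base64.decode64(robject.vclock)) if robject.vclock
+dump_content pbuf, robject
+pbuf
+end
+
+# Returns RObject
+def load_object(pbuf, robject)
+return robject if pbuf.respond_to?(:unchanged) && pbuf.unchanged # Reloading
+robject.vclock = Base64.encode64(pbuf.vclock).chomp if pbuf.vclock
+robject.key = maybe_unescape(pbuf.key) if pbuf.respond_to?(:key) && pbuf.key # Put w/o key
+robject.siblings = (pbuf.content || []).map do |c|
+RContent.new(robject) do |sibling|
+load_content(c, sibling)
+end
+end
+robject.conflict? ? robject.attempt_conflict_resolution : robject
+end
+
+private
+def load_content(pbuf, rcontent)
+if ENCODING && pbuf.charset.present?
+pbuf.value.force_encoding(pbuf.charset) if Encoding.find(pbuf.charset)
+end
+rcontent.raw_data = pbuf.value
+rcontent.etag = pbuf.vtag if pbuf.vtag.present?
+rcontent.content_type = pbuf.content_type if pbuf.content_type.present?
+rcontent.links = Set.new(pbuf.links.map(&method(:decode_link))) if pbuf.links.present?
+pbuf.usermeta.each {|pair| decode_meta(pair, rcontent.meta) } if pbuf.usermeta.present?
+if pbuf.indexes.present?
+rcontent.indexes.clear
+pbuf.indexes.each {|pair| decode_index(pair, rcontent.indexes) }
+end
+if pbuf.last_mod.present?
+rcontent.last_modified = Time.at(pbuf.last_mod)
+rcontent.last_modified += pbuf.last_mod_usecs / 1000000 if pbuf.last_mod_usecs.present?
+end
+rcontent
+end
+
+def dump_content(pbuf, robject)
+pbuf.content = RpbContent.new(:value => maybe_encode(robject.raw_data),
+:content_type => maybe_encode(robject.content_type),
+:links => robject.links.map {|l| encode_link(l) }.compact,
+:indexes => robject.indexes.map {|k, s| encode_index(k, s) }.flatten)
+
+pbuf.content.usermeta = robject.meta.map {|k, v| encode_meta(k, v)} if robject.meta.any?
+pbuf.content.vtag = maybe_encode(robject.etag) if robject.etag.present?
+if ENCODING # 1.9 support
+pbuf.content.charset = maybe_encode(robject.raw_data.encoding.name)
+end
+end
+
+def decode_link(pbuf)
+Riak::Link.new(pbuf.bucket, pbuf.key, pbuf.tag)
+end
+
+def encode_link(link)
+return nil unless link.key.present?
+RpbLink.new(:bucket => maybe_encode(link.bucket.to_s),
+:key => maybe_encode(link.key.to_s),
+:tag => maybe_encode(link.tag.to_s))
+end
+
+def decode_meta(pbuf, hash)
+hash[pbuf.key] = pbuf.value
+end
+
+def encode_meta(key, value)
+return nil unless value.present?
+RpbPair.new(:key => maybe_encode(key.to_s),
+:value => maybe_encode(value.to_s))
+end
+
+def decode_index(pbuf, hash)
+value = pbuf.key =~ /int$/ ? pbuf.value.to_i : pbuf.value
+hash[pbuf.key] << value
+end
+
+def encode_index(key, set)
+set.map do |v|
+RpbPair.new(:key => maybe_encode(key.to_s),
+:value => maybe_encode(v.to_s))
+end
+end
+
+def maybe_encode(string)
+ENCODING ? string.dup.force_encoding('BINARY') : string
+end
+end
+
+include ObjectMethods
+end
+end
+end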
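Review bot: `encode_meta` returns nil for a blank value (line 87), but `dump_content` assigns the mapped array straight to `usermeta` on line 64 without the `.compact` that the `links` list gets on line 61, so a blank metadata value puts a nil into the repeated field handed to the encoder; `robject.meta.map {|k, v| encode_meta(k, v)}.compact` would make the two consistent. In `load_content`, `pbuf.last_mod_usecs / 1000000` on line 53 is integer division if the field is an Integer (as a protobuf uint32 would be), and since a microsecond remainder is always below 1,000,000 the addend is 0 and the sub-second part is silently dropped; `Time.at(pbuf.last_mod, pbuf.last_mod_usecs)` or dividing by `1_000_000.0` keeps it. The `if Encoding.find(pbuf.charset)` guard on line 40 never evaluates false, because `Encoding.find` raises ArgumentError for an unknown name rather than returning nil, so a charset the local Ruby does not know aborts the load instead of being skipped; `rescue ArgumentError` around it, or `Encoding.name_list.include?`, would give the intended fall-through.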
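--- a/data/lib/riak/client/beefcake/protocol.rb
+++ b/data/lib/riak/client/beefcake/protocol.rb
@@ -0,0 +1,105 @@
+require 'riak/client/beefcake/messages'
+require 'riak/client/beefcake/message_codes'
+require 'riak/errors/failed_request'
+require 'riak/errors/protobuffs_error'
+
+module Riak
+class Client
+class BeefcakeProtobuffsBackend < ProtobuffsBackend
+class Protocol
+include Riak::Util::Translation
+attr_reader :socket
+
+def initialize(socket)
+@socket = socket
+end
+
+# Encodes and writes a Riak-formatted message, including protocol buffer
+# payload if given.
+#
+# @param [Symbol, Integer] code the symbolic or numeric code for the
+# message
+# @param [Beefcake::Message, nil] message the protocol buffer message
+# payload, or nil if the message carries no payload
+def write(code, message = nil)
+if code.is_a? Symbol
+code = BeefcakeMessageCodes.index code
+end
+
+serialized = serialize message
+
+header = [serialized.length + 1, code].pack 'NC'
+
+payload = header + serialized
+
+socket.write payload
+socket.flush
+end
+
+# Receives a Riak-formatted message, and returns the symbolic name of
+# the message along with the string payload from the network.
+#
+# @return [Array<Symbol, String>]
+def receive
+header = socket.read 5
+
+raise ProtobuffsFailedHeader.new if header.nil?
+message_length, code = header.unpack 'NC'
+body_length = message_length - 1
+body = nil
+body = socket.read body_length if body_length > 0
+
+name = BeefcakeMessageCodes[code]
+
+return name, body
+end
+
+# Receives a Riak-formatted message, checks the symbolic name against
+# the given code, decodes it if it matches, and can optionally return
+# success if the payload is empty.
+#
+# @param [Symbol] code the code for the message
+# @param [Class, nil] decoder_class the class to attempt to decode
+# the payload with
+# @param [Hash] options
+# @option options [Boolean] :empty_body_acceptable Whether to accept
+# an empty body and not attempt decoding. In this case, this method
+# will return the symbol `:empty` instead of a `Beefcake::Message`
+# instance
+# @return [Beefcake::Message, :empty]
+# @raise {ProtobuffsErrorResponse} if the message from Riak was a
+# 255-ErrorResp
+# @raise {ProtobuffsUnexpectedResponse} if the message from riak did
+# not match `code`
+def expect(code, decoder_class = nil, options = { })
+code = BeefcakeMessageCodes[code] unless code.is_a? Symbol
+name, body = receive
+
+if name == :ErrorResp
+raise ProtobuffsErrorResponse.new RpbErrorResp.decode(body)
+end
+
+if name != code
+raise ProtobuffsUnexpectedResponse.new name, code
+end
+
+return true if decoder_class.nil?
+
+return :empty if body.nil? && options[:empty_body_acceptable]
+
+return decoder_class.decode body
+end
+
+private
+
+def serialize(message)
+return '' if message.nil?
+return message if message.is_a? String
+return message.encode.to_s if message.is_a? Beefcake::Message
+
+raise ArgumentError.new t('pbc.unknown_serialize', message: message)
+end
+end
+end
+end
+end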
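Review bot: `receive` only guards a nil header (line 46); `IO#read(5)` returns a shorter string when the peer closes mid-header, after which `message_length` is nil and line 48 fails with NoMethodError instead of ProtobuffsFailedHeader. The body read on line 50 has the same gap: a connection dropped mid-message yields a truncated or nil `body` that `expect` then passes to `decoder_class.decode`. Suggest `raise ProtobuffsFailedHeader.new if header.nil? || header.bytesize < 5` on line 46 and, after line 50, `raise ProtobuffsFailedHeader.new if body.nil? || body.bytesize < body_length`; since `message_length` is a 32-bit value read from the network, an upper bound on `body_length` before the allocation would also be a cheap guard. Separately, `serialized.length` on line 31 is a character count, so a non-binary String accepted on line 97 with multibyte content would produce a wrong frame length; `bytesize` is what the `N` header field needs.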
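--- a/data/lib/riak/client/beefcake/socket.rb
+++ b/data/lib/riak/client/beefcake/socket.rb
@@ -0,0 +1,260 @@
+require 'openssl'
+require 'cert_validator'
+require 'riak/client/beefcake/messages'
+require 'riak/errors/connection_error'
+
+module Riak
+class Client
+class BeefcakeProtobuffsBackend
+# A factory class for making sockets, whether secure or not
+# @api private
+class BeefcakeSocket
+include Client::BeefcakeMessageCodes
+# Only create class methods, don't initialize
+class << self
+def new(host, port, options = {})
+return start_tcp_socket(host, port) if options[:authentication].blank?
+return start_tls_socket(host, port, options[:authentication])
+end
+
+private
+def start_tcp_socket(host, port)
+TCPSocket.new(host, port).tap do |sock|
+sock.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, true)
+end
+end
+
+def start_tls_socket(host, port, authentication)
+raise Riak::UserConfigurationError.new if authentication[:username]
+
+tcp = start_tcp_socket(host, port)
+TlsInitiator.new(tcp, host, authentication).tls_socket
+end
+
+# Wrap up the logic to turn a TCP socket into a TLS socket.
+# Depends on Beefcake, which should be relatively safe.
+class TlsInitiator
+BC = ::Riak::Client::BeefcakeProtobuffsBackend
+include Util::Translation
+
+# Create a TLS Initiator
+#
+# @param tcp_socket [TCPSocket] the {TCPSocket} to start TLS on
+# @param authentication [Hash] a hash of authentication details
+def initialize(tcp_socket, host, authentication)
+@sock = @tcp = tcp_socket
+@host = host
+@auth = authentication
+end
+
+# Return the SSLSocket that has a TLS session running. (TLS is a
+# better and safer SSL).
+#
+# @return [OpenSSL::SSL::SSLSocket]
+def tls_socket
+configure_context
+start_tls
+validate_session
+send_authentication
+validate_connection
+return @tls
+end
+
+private
+def riak_cert
+@riak_cert ||= @tls.peer_cert
+end
+
+def ca_cert
+@ca_cert ||= @tls.peer_cert_chain[1]
+end
+
+# Set up an SSL context with appropriate defaults for Riak TLS
+def configure_context
+@context = OpenSSL::SSL::SSLContext.new
+
+# Replace insecure defaults
+@context.ssl_version = (@auth[:ssl_version] || default_ssl_version).to_sym
+@context.verify_mode = (@auth[:verify_mode] || OpenSSL::SSL::VERIFY_PEER).to_i
+
+cert_ify
+key_ify
+
+# Defer to defaults
+%w{ cert key client_ca ca_file ca_path timeout }.each do |k|
+@context.send(:"#{k}=", @auth[k.to_sym]) if @auth[k.to_sym]
+end
+end
+
+# Choose the most secure SSL version available
+def default_ssl_version
+available = OpenSSL::SSL::SSLContext::METHODS
+selected = %w{TLSv1_2_client TLSv1_1_client TLSv1.1 TLSv1_client TLS}.detect do |v|
+available.include? v.to_sym
+end
+
+raise TlsError::SslVersionConfigurationError.new unless selected
+
+return selected
+end
+
+# Convert cert and client_ca fields to X509 Certs
+def cert_ify
+%w{ cert client_ca }.each do |k|
+candidate = @auth[k.to_sym]
+next if candidate.nil?
+next if candidate.is_a? OpenSSL::X509::Certificate
+
+@auth[k.to_sym] = OpenSSL::X509::Certificate.new try_load candidate
+end
+end
+
+def key_ify
+candidate = @auth[:key]
+return if candidate.nil?
+return if candidate.is_a? OpenSSL::PKey::PKey
+
+candidate = try_load candidate
+
+pkey_class_names = OpenSSL::PKey.
+constants.
+reject{|s| s.to_s =~ /Error$/}
+
+pkey_classes = pkey_class_names.map{ |n| OpenSSL::PKey.const_get n }
+
+pkey_classes.each do |klass|
+begin
+successfully_initialized = klass.new candidate
+@auth[:key] = successfully_initialized
+return
+rescue
+next
+end
+end
+
+# Don't try and guess what the key is
+raise TlsError::UnknownKeyTypeError.new
+end
+
+# Figure out if the given string is the data itself or a path to the data
+def try_load(data_or_path)
+begin
+data_or_path = File.read data_or_path
+rescue Errno::ENOENT
+# couldn't read the file, it might be a string containing
+# a key
+rescue Errno::ENAMETOOLONG
+# the filename is too long, it's almost certainly a string
+# containing a key
+rescue => e
+raise TlsError::ReadDataError.new e, data_or_path
+end
+
+return data_or_path
+end
+
+# Attempt to exchange the TCP socket for a TLS socket.
+def start_tls
+write_message :StartTls
+expect_message :StartTls
+# Swap the tls socket in for the tcp socket, so write_message and
+# read_message continue working
+@sock = @tls = OpenSSL::SSL::SSLSocket.new @tcp, @context
+@tls.connect
+end
+
+# Validate the TLS session
+def validate_session
+if @auth[:verify_hostname] &&
+!OpenSSL::SSL::verify_certificate_identity(riak_cert, @host)
+raise TlsError::CertHostMismatchError.new
+end
+
+unless (riak_cert.not_before..riak_cert.not_after).cover? Time.now
+raise TlsError::CertNotValidError.new
+end
+
+validator = CertValidator.new riak_cert, ca_cert
+
+validator.crl = try_load @auth[:crl_file] if @auth[:crl_file]
+
+if @auth[:crl]
+raise TlsError::CertRevokedError.new unless validator.crl_valid?
+end
+
+if @auth[:ocsp]
+raise TlsError::CertRevokedError.new unless validator.ocsp_valid?
+end
+end
+
+def validator_options
+o = {
+ocsp: !!@auth[:ocsp],
+crl: !!@auth[:crl]
+}
+
+if @auth[:crl_file]
+o[:crl_file] = @auth[:crl_file]
+o[:crl] = true
+end
+
+return o
+end
+
+# Send an AuthReq with the authentication data. Rely on beefcake
+# discarding message parts it doesn't understand.
+def send_authentication
+req = BC::RpbAuthReq.new @auth
+write_message :AuthReq, req.encode
+expect_message :AuthResp
+end
+
+# Ping the Riak node and make sure it actually works.
+def validate_connection
+write_message :PingReq
+expect_message :PingResp
+end
+
+# Write a protocol buffers message to whatever the current
+# socket is.
+def write_message(code, message = '')
+if code.is_a? Symbol
+code = BeefcakeMessageCodes.index code
+end
+
+header = [message.length+1, code].pack 'NC'
+@sock.write header + message
+end
+
+def read_message
+header = @sock.read 5
+raise TlsError.new(t('ssl.eof_during_init')) if header.nil?
+len, code = header.unpack 'NC'
+decode = BeefcakeMessageCodes[code]
+return decode, '' if len == 1
+
+message = @sock.read(len - 1)
+return decode, message
+end
+
+def expect_message(expected_code)
+if expected_code.is_a? Numeric
+expected_code = BeefcakeMessageCodes[code]
+end
+
+candidate_code, message = read_message
+return message if expected_code == candidate_code
+
+raise TlsError.new(t('ssl.unexpected_during_init',
+expected: expected_code.inspect,
+actual: candidate_code.inspect,
+body: message.inspect
+))
+
+end
+end
+end
+end
+end
+end
+end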
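Review bot: `expect_message` references an undefined local `code` on line 242 when `expected_code` is Numeric, so that branch raises NameError instead of translating the number; it should read `expected_code = BeefcakeMessageCodes[expected_code]`. In `validate_session`, a `:crl_file` is loaded into the validator on line 179 but `crl_valid?` is only consulted when `:crl` is also set on line 181, so a caller who supplies only a CRL file gets no revocation check; `validator_options` (lines 190-202) does treat `crl_file` as implying `crl: true`, but nothing in this hunk calls it, so either wire it in or change line 181 to `if @auth[:crl] || @auth[:crl_file]`. Hostname verification on line 168 is likewise opt-in via `:verify_hostname`, so with the default `VERIFY_PEER` a certificate chained to a trusted CA but issued for a different name is accepted unless a default is set by the caller outside this hunk; that is worth stating in the `initialize` docs (`# @option authentication [Boolean] :verify_hostname check the peer certificate against host; off unless set`) or making the default true. `ca_cert` on line 69 is `peer_cert_chain[1]`, which is nil when the server sends only its leaf, and `CertValidator.new` then receives nil; a guard there would give a clearer error than whatever the validator raises.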