right_agent 2.0.7-x86-mingw32

data/lib/right_agent/scripts/usage.rb

@@ -0,0 +1,58 @@
+#
+# Copyright (c) 2009-2011 RightScale Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+# Scans the 'usage' for a given file and returns the resulting String.
+#
+# Note : no formatting occurs. Rdoc is nice as is.
+#
+
+module Usage
+
+  # Scans the given file from its usage (the top comment block) and
+  # returns it
+  #
+  # === Parameters
+  # file(String)::
+  #   path to file to read
+  #
+  # === Return
+  # String::
+  #   the usage as found in the file
+  #
+  def self.scan(file)
+
+    lines = File.readlines(file)  # Display usage from the given file
+    result = []
+
+    while line = lines.shift
+      if m = line.match(/^ *#(.*)$/)
+        result << m[1]
+      else
+        break unless result.empty?
+      end
+    end
+
+    result.join("\n")
+  end
+
+end
+

data/lib/right_agent/secure_identity.rb

@@ -0,0 +1,92 @@
+#
+# Copyright (c) 2009-2011 RightScale Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+require 'openssl'
+
+module RightScale
+  # Utility class that makes it easier to derive RightAgent identities in a
+  # secure, predictable and globally consistent fashion.
+  #
+  # Given an agent base ID and a secret token shared by all relying parties,
+  # the #derive method will generate a public token that can be printed to
+  # log files, to a console, or sent in the clear over public networks
+  # without compromising the original token. Note that the public token is
+  # not guaranteed to be unique; if uniqueness is required (e.g. for an
+  # Agent ID) the public token should be combined with the base ID.
+  #
+  # The #create_verifier method can be used by parties who both possess
+  # a secret token to prove their knowledge of the token to one another
+  # without disclosing the token. This would facilitate authentication
+  # over a public network. Note that this utility class does not
+  # implement an entire authentication protocol, it merely facilitates
+  # one.
+  class SecureIdentity
+    # Separator used to differentiate between identity components when serialized
+    ID_SEPARATOR = '*'
+
+    # Derive a public Identity Token from a base ID and a secret authentication
+    # token. The public token is useful for including in world-readable values such
+    # as the name of an agent.
+    #
+    # Public tokens are generated by taking the SHA1 hash of the base ID and the
+    # auth token, separated by a delimiter. Thus a public token can always be
+    # deterministically derived from its inputs.
+    #
+    # === Parameters
+    # base_id(Integer):: Numeric ID of the auth token
+    # auth_token(String):: Secret authentication token
+    #
+    # === Return
+    # public_token(String):: Public token
+    def self.derive(base_id, auth_token)
+      sha = OpenSSL::Digest::SHA1.new
+      sha.update(base_id.to_s)
+      sha.update(ID_SEPARATOR)
+      sha.update(auth_token.to_s)
+      return sha.hexdigest
+    end
+
+    # Create a cryptographic token verifier that can be used to demonstrate to another party
+    # that you have knowledge of an authentication token, without disclosing the token itself
+    # via a clear-text communications channel. The other party must also possess the secret
+    # authentication token so they can compute a corresponding verifier for comparison.
+    #
+    # THIS METHOD DOES NOT CHECK TOKENS OR TIMESTAMPS FOR YOU; it is only useful to compute
+    # the token. The caller must check the outputs, compare the timestamp and make a decision
+    # about whether to trust the entity who is supplying the verifier.
+    #
+    # === Parameters
+    # base_id(Integer):: Numeric ID of the auth token
+    # auth_token(String):: Secret authentication token
+    # timestamp(Time|Integer):: Unix-epoch timestamp to help prevent replay attacks
+    #
+    # === Return
+    # verifier(String):: HMAC-SHA1(base_id, timestamp) keyed using auth_token
+    def self.create_verifier(base_id, auth_token, timestamp)
+      hmac =  OpenSSL::HMAC.new(auth_token, OpenSSL::Digest::SHA1.new)
+      hmac.update(base_id.to_s)
+      hmac.update(ID_SEPARATOR)
+      hmac.update(timestamp.to_i.to_s)
+      return hmac.hexdigest
+    end
+  end
+end

data/lib/right_agent/security.rb

@@ -0,0 +1,32 @@
+#
+# Copyright (c) 2009-2011 RightScale Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+SECURITY_BASE_DIR = File.join(File.dirname(__FILE__), 'security')
+
+require File.normalize_path(File.join(SECURITY_BASE_DIR, 'cached_certificate_store_proxy'))
+require File.normalize_path(File.join(SECURITY_BASE_DIR, 'certificate'))
+require File.normalize_path(File.join(SECURITY_BASE_DIR, 'certificate_cache'))
+require File.normalize_path(File.join(SECURITY_BASE_DIR, 'distinguished_name'))
+require File.normalize_path(File.join(SECURITY_BASE_DIR, 'encrypted_document'))
+require File.normalize_path(File.join(SECURITY_BASE_DIR, 'rsa_key_pair'))
+require File.normalize_path(File.join(SECURITY_BASE_DIR, 'signature'))
+require File.normalize_path(File.join(SECURITY_BASE_DIR, 'static_certificate_store'))

data/lib/right_agent/security/cached_certificate_store_proxy.rb

@@ -0,0 +1,77 @@
+#
+# Copyright (c) 2009-2013 RightScale Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module RightScale
+
+  # Proxy to actual certificate store which caches results in an LRU cache
+  class CachedCertificateStoreProxy
+    
+    # Initialize cache proxy with given certificate store
+    #
+    # === Parameters
+    # store(Object):: Certificate store responding to get_signer, get_target,
+    # and get_receiver
+    def initialize(store)
+      @signer_cache = CertificateCache.new
+      @store = store
+    end
+
+    # Retrieve signer certificates for use in verifying a signature
+    # Check cache first and cache results
+    #
+    # === Parameters
+    # id(String):: Serialized identity of signer
+    #
+    # === Return
+    # (Array|Certificate):: Signer certificate(s)
+    def get_signer(id)
+      @signer_cache.get(id) { @store.get_signer(id) }
+    end
+
+    # Retrieve certificates of target for encryption
+    # Results are not cached
+    #
+    # === Parameters
+    # packet(RightScale::Packet):: Packet containing target identity
+    #
+    # === Return
+    # (Array|Certificate):: Target certificate(s)
+    def get_target(obj)
+      @store.get_target(obj)
+    end
+
+    # Retrieve receiver's certificate and key for decryption
+    # Results are not cached
+    #
+    # === Parameters
+    # id(String|nil):: Optional identifier of source of data for use
+    #   in determining who is the receiver
+    #
+    # === Return
+    # (Array):: Certificate and key
+    def get_receiver(id)
+      @store.get_receiver(id)
+    end
+
+  end # CachedCertificateStoreProxy
+
+end # RightScale

data/lib/right_agent/security/certificate.rb

@@ -0,0 +1,102 @@
+#
+# Copyright (c) 2009-2011 RightScale Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module RightScale
+
+  # X.509 Certificate management
+  class Certificate
+    
+    # Underlying OpenSSL cert
+    attr_accessor :raw_cert
+  
+    # Generate a signed X.509 certificate
+    #
+    # === Parameters
+    # key(RsaKeyPair):: Key pair used to sign certificate
+    # issuer(DistinguishedName):: Certificate issuer
+    # subject(DistinguishedName):: Certificate subject
+    # valid_for(Integer):: Time in seconds before certificate expires, defaults to 10 years
+    def initialize(key, issuer, subject, valid_for = 3600*24*365*10)
+      @raw_cert = OpenSSL::X509::Certificate.new
+      @raw_cert.version = 2
+      @raw_cert.serial = 1
+      @raw_cert.subject = subject.to_x509
+      @raw_cert.issuer = issuer.to_x509
+      @raw_cert.public_key = key.to_public.raw_key
+      @raw_cert.not_before = Time.now
+      @raw_cert.not_after = Time.now + valid_for
+      @raw_cert.sign(key.raw_key, OpenSSL::Digest::SHA1.new)
+    end
+    
+    # Load certificate from file
+    #
+    # === Parameters
+    # file(String):: File path name
+    #
+    # === Return
+    # res(Certificate):: Certificate
+    def self.load(file)
+      res = nil
+      File.open(file, 'r') { |f| res = from_data(f) } if file
+      res
+    end
+    
+    # Initialize with raw certificate
+    #
+    # === Parameters
+    # data(String):: Raw certificate data
+    #
+    # === Return
+    # res(Certificate):: Certificate
+    def self.from_data(data)
+      cert = OpenSSL::X509::Certificate.new(data)
+      res = Certificate.allocate
+      res.instance_variable_set(:@raw_cert, cert)
+      res
+    end
+    
+    # Save certificate to file in PEM format
+    #
+    # === Parameters
+    # file(String):: File path name
+    #
+    # === Return
+    # true:: Always return true
+    def save(file)
+      File.open(file, "w") do |f|
+        f.write(@raw_cert.to_pem)
+      end
+      true
+    end
+    
+    # Certificate data in PEM format
+    #
+    # === Return
+    # (String):: Certificate data
+    def data
+      @raw_cert.to_pem
+    end
+    alias :to_s :data
+
+  end # Certificate
+
+end # RightScale

data/lib/right_agent/security/certificate_cache.rb

@@ -0,0 +1,89 @@
+#
+# Copyright (c) 2009-2011 RightScale Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module RightScale
+
+  # Implements a simple LRU cache: items that are the least accessed are
+  # deleted first.
+  class CertificateCache
+
+    # Max number of items to keep in memory
+    DEFAULT_CACHE_MAX_COUNT = 100
+
+    # Initialize cache
+    def initialize(max_count = DEFAULT_CACHE_MAX_COUNT)
+      @items = {}
+      @list = []
+      @max_count = max_count
+    end
+    
+    # Add item to cache
+    def put(key, item)
+      if @items.include?(key)
+        delete(key)
+      end
+      if @list.size == @max_count
+        delete(@list.first)
+      end
+      @items[key] = item
+      @list.push(key)
+      item
+    end
+    alias :[]= :put
+    
+    # Retrieve item from cache
+    # Store item returned by given block if any
+    def get(key)
+      if @items.include?(key)
+        @list.each_index do |i|
+          if @list[i] == key
+            @list.delete_at(i)
+            break
+          end
+        end
+        @list.push(key)
+        @items[key]
+      else
+        return nil unless block_given?
+         self[key] = yield
+      end
+    end
+    alias :[] :get
+    
+    # Delete item from cache
+    def delete(key)
+      c = @items[key]
+      if c
+        @items.delete(key)
+        @list.each_index do |i|
+  	      if @list[i] == key
+  	        @list.delete_at(i)
+  	        break
+  	      end
+        end
+        c
+      end
+    end
+
+  end # CertificateCache
+
+end # RightScale