right_agent 0.5.1

data/lib/right_agent/secure_identity.rb

@@ -0,0 +1,92 @@
+#
+# Copyright (c) 2009-2011 RightScale Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+require 'openssl'
+
+module RightScale
+  # Utility class that makes it easier to derive RightAgent identities in a
+  # secure, predictable and globally consistent fashion.
+  #
+  # Given an agent base ID and a secret token shared by all relying parties,
+  # the #derive method will generate a public token that can be printed to
+  # log files, to a console, or sent in the clear over public networks
+  # without compromising the original token. Note that the public token is
+  # not guaranteed to be unique; if uniqueness is required (e.g. for an
+  # Agent ID) the public token should be combined with the base ID.
+  #
+  # The #create_verifier method can be used by parties who both possess
+  # a secret token to prove their knowledge of the token to one another
+  # without disclosing the token. This would facilitate authentication
+  # over a public network. Note that this utility class does not
+  # implement an entire authentication protocol, it merely facilitates
+  # one.
+  class SecureIdentity
+    # Separator used to differentiate between identity components when serialized
+    ID_SEPARATOR = '*'
+
+    # Derive a public Identity Token from a base ID and a secret authentication
+    # token. The public token is useful for including in world-readable values such
+    # as the name of an agent.
+    #
+    # Public tokens are generated by taking the SHA1 hash of the base ID and the
+    # auth token, separated by a delimeter. Thus a public token can always be
+    # deterministically derived from its inputs.
+    #
+    # === Parameters
+    # base_id(Integer):: Numeric ID of the auth token
+    # auth_token(String):: Secret authentication token
+    #
+    # === Return
+    # public_token(String):: Public token
+    def self.derive(base_id, auth_token)
+      sha = OpenSSL::Digest::SHA1.new
+      sha.update(base_id.to_s)
+      sha.update(ID_SEPARATOR)
+      sha.update(auth_token.to_s)
+      return sha.hexdigest
+    end
+
+    # Create a cryptographic token verifier that can be used to demonstrate to another party
+    # that you have knowledge of an authentication token, without disclosing the token itself
+    # via a clear-text communications channel. The other party must also possess the secret
+    # authentication token so they can compute a corresponding verifier for comparison.
+    #
+    # THIS METHOD DOES NOT CHECK TOKENS OR TIMESTAMPS FOR YOU; it is only useful to compute
+    # the token. The caller must check the outputs, compare the timestamp and make a decision
+    # about whether to trust the entity who is supplying the verifier.
+    #
+    # === Parameters
+    # base_id(Integer):: Numeric ID of the auth token
+    # auth_token(String):: Secret authentication token
+    # timestamp(Time|Integer):: Unix-epoch timestamp to help prevent replay attacks
+    #
+    # === Return
+    # verifier(String):: HMAC-SHA1(base_id, timestamp) keyed using auth_token
+    def self.create_verifier(base_id, auth_token, timestamp)
+      hmac =  OpenSSL::HMAC.new(auth_token, OpenSSL::Digest::SHA1.new)
+      hmac.update(base_id.to_s)
+      hmac.update(ID_SEPARATOR)
+      hmac.update(timestamp.to_i.to_s)
+      return hmac.hexdigest
+    end
+  end
+end

data/lib/right_agent/security.rb

@@ -0,0 +1,32 @@
+#
+# Copyright (c) 2009-2011 RightScale Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+SECURITY_BASE_DIR = File.join(File.dirname(__FILE__), 'security')
+
+require File.normalize_path(File.join(SECURITY_BASE_DIR, 'cached_certificate_store_proxy'))
+require File.normalize_path(File.join(SECURITY_BASE_DIR, 'certificate'))
+require File.normalize_path(File.join(SECURITY_BASE_DIR, 'certificate_cache'))
+require File.normalize_path(File.join(SECURITY_BASE_DIR, 'distinguished_name'))
+require File.normalize_path(File.join(SECURITY_BASE_DIR, 'encrypted_document'))
+require File.normalize_path(File.join(SECURITY_BASE_DIR, 'rsa_key_pair'))
+require File.normalize_path(File.join(SECURITY_BASE_DIR, 'signature'))
+require File.normalize_path(File.join(SECURITY_BASE_DIR, 'static_certificate_store'))

data/lib/right_agent/security/cached_certificate_store_proxy.rb

@@ -0,0 +1,63 @@
+#
+# Copyright (c) 2009-2011 RightScale Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module RightScale
+
+  # Proxy to actual certificate store which caches results in an LRU cache
+  class CachedCertificateStoreProxy
+    
+    # Initialize cache proxy with given certificate store
+    #
+    # === Parameters
+    # store(Object):: Certificate store responding to get_recipients and
+    #   get_signer
+    def initialize(store)
+      @signer_cache = CertificateCache.new
+      @store = store
+    end
+
+    # Retrieve recipient certificates
+    # Results are not cached
+    #
+    # === Parameters
+    # packet(RightScale::Packet):: Packet containing recipient identity, ignored
+    #
+    # === Return
+    # (Array):: Recipient certificates
+    def get_recipients(obj)
+      @store.get_recipients(obj)
+    end
+
+    # Check cache for signer certificate
+    #
+    # === Parameters
+    # id(String):: Serialized identity of signer
+    #
+    # === Return
+    # (Array):: Signer certificates
+    def get_signer(id)
+      @signer_cache.get(id) { @store.get_signer(id) }
+    end
+
+  end # CachedCertificateStoreProxy
+
+end # RightScale

data/lib/right_agent/security/certificate.rb

@@ -0,0 +1,102 @@
+#
+# Copyright (c) 2009-2011 RightScale Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module RightScale
+
+  # X.509 Certificate management
+  class Certificate
+    
+    # Underlying OpenSSL cert
+    attr_accessor :raw_cert
+  
+    # Generate a signed X.509 certificate
+    #
+    # === Parameters
+    # key(RsaKeyPair):: Key pair used to sign certificate
+    # issuer(DistinguishedName):: Certificate issuer
+    # subject(DistinguishedName):: Certificate subject
+    # valid_for(Integer):: Time in seconds before certificate expires, defaults to 10 years
+    def initialize(key, issuer, subject, valid_for = 3600*24*365*10)
+      @raw_cert = OpenSSL::X509::Certificate.new
+      @raw_cert.version = 2
+      @raw_cert.serial = 1
+      @raw_cert.subject = subject.to_x509
+      @raw_cert.issuer = issuer.to_x509
+      @raw_cert.public_key = key.to_public.raw_key
+      @raw_cert.not_before = Time.now
+      @raw_cert.not_after = Time.now + valid_for
+      @raw_cert.sign(key.raw_key, OpenSSL::Digest::SHA1.new)
+    end
+    
+    # Load certificate from file
+    #
+    # === Parameters
+    # file(String):: File path name
+    #
+    # === Return
+    # res(Certificate):: Certificate
+    def self.load(file)
+      res = nil
+      File.open(file, 'r') { |f| res = from_data(f) } if file
+      res
+    end
+    
+    # Initialize with raw certificate
+    #
+    # === Parameters
+    # data(String):: Raw certificate data
+    #
+    # === Return
+    # res(Certificate):: Certificate
+    def self.from_data(data)
+      cert = OpenSSL::X509::Certificate.new(data)
+      res = Certificate.allocate
+      res.instance_variable_set(:@raw_cert, cert)
+      res
+    end
+    
+    # Save certificate to file in PEM format
+    #
+    # === Parameters
+    # file(String):: File path name
+    #
+    # === Return
+    # true:: Always return true
+    def save(file)
+      File.open(file, "w") do |f|
+        f.write(@raw_cert.to_pem)
+      end
+      true
+    end
+    
+    # Certificate data in PEM format
+    #
+    # === Return
+    # (String):: Certificate data
+    def data
+      @raw_cert.to_pem
+    end
+    alias :to_s :data
+
+  end # Certificate
+
+end # RightScale

data/lib/right_agent/security/certificate_cache.rb

@@ -0,0 +1,89 @@
+#
+# Copyright (c) 2009-2011 RightScale Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module RightScale
+
+  # Implements a simple LRU cache: items that are the least accessed are
+  # deleted first.
+  class CertificateCache
+
+    # Max number of items to keep in memory
+    DEFAULT_CACHE_MAX_COUNT = 100
+
+    # Initialize cache
+    def initialize(max_count = DEFAULT_CACHE_MAX_COUNT)
+      @items = {}
+      @list = []
+      @max_count = max_count
+    end
+    
+    # Add item to cache
+    def put(key, item)
+      if @items.include?(key)
+        delete(key)
+      end
+      if @list.size == @max_count
+        delete(@list.first)
+      end
+      @items[key] = item
+      @list.push(key)
+      item
+    end
+    alias :[]= :put
+    
+    # Retrieve item from cache
+    # Store item returned by given block if any
+    def get(key)
+      if @items.include?(key)
+        @list.each_index do |i|
+          if @list[i] == key
+            @list.delete_at(i)
+            break
+          end
+        end
+        @list.push(key)
+        @items[key]
+      else
+        return nil unless block_given?
+         self[key] = yield
+      end
+    end
+    alias :[] :get
+    
+    # Delete item from cache
+    def delete(key)
+      c = @items[key]
+      if c
+        @items.delete(key)
+        @list.each_index do |i|
+  	      if @list[i] == key
+  	        @list.delete_at(i)
+  	        break
+  	      end
+        end
+        c
+      end
+    end
+
+  end # CertificateCache
+
+end # RightScale

data/lib/right_agent/security/distinguished_name.rb

@@ -0,0 +1,56 @@
+#
+# Copyright (c) 2009-2011 RightScale Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module RightScale
+
+  # Build X.509 compliant distinguished names
+  # Distinguished names are used to describe both a certificate issuer and subject
+  class DistinguishedName
+    
+    # Initialize distinguished name from hash
+    # e.g.:
+    #   { 'C'  => 'US',
+    #     'ST' => 'California',
+    #     'L'  => 'Santa Barbara',
+    #     'O'  => 'RightScale',
+    #     'OU' => 'Certification Services',
+    #     'CN' => 'rightscale.com/emailAddress=cert@rightscale.com' }
+    #
+    def initialize(hash)
+      @value = hash
+    end
+    
+    # Conversion to OpenSSL X509 DN
+    def to_x509
+      if @value
+        OpenSSL::X509::Name.new(@value.to_a, OpenSSL::X509::Name::OBJECT_TYPE_TEMPLATE)
+      end
+    end
+
+    # Human readable form
+    def to_s
+      '/' + @value.to_a.collect { |p| p.join('=') }.join('/') if @value
+    end
+    
+  end # DistinguishedName
+
+end # RightScale

data/lib/right_agent/security/encrypted_document.rb

@@ -0,0 +1,84 @@
+#
+# Copyright (c) 2009-2011 RightScale Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module RightScale
+
+  # Represents a signed an encrypted document that can be later decrypted using
+  # the right private key and whose signature can be verified using the right
+  # cert.
+  # This class can be used both to encrypt and sign data and to then check the
+  # signature and decrypt an encrypted document.
+  class EncryptedDocument
+  
+    # Encrypt and sign data using certificate and key pair
+    #
+    # === Parameters
+    # data(String):: Data to be encrypted
+    # certs(Array):: Recipient certificates (certificates corresponding to private
+    #   keys that may be used to decrypt data)
+    # cipher(Cipher):: Cipher used for encryption, AES 256 CBC by default
+    def initialize(data, certs, cipher = 'AES-256-CBC')
+      cipher = OpenSSL::Cipher::Cipher.new(cipher)
+      certs = [ certs ] unless certs.respond_to?(:collect)
+      raw_certs = certs.collect { |c| c.raw_cert }
+      @pkcs7 = OpenSSL::PKCS7.encrypt(raw_certs, data, cipher, OpenSSL::PKCS7::BINARY)
+    end
+
+    # Initialize from encrypted data
+    #
+    # === Parameters
+    # encrypted_data(String):: Encrypted data
+    #
+    # === Return
+    # doc(EncryptedDocument):: Encrypted document
+    def self.from_data(encrypted_data)
+      doc = EncryptedDocument.allocate
+      doc.instance_variable_set(:@pkcs7, RightScale::PKCS7.new(encrypted_data))
+      doc
+    end
+    
+    # Encrypted data in PEM (base64) or DER (binary) format
+    #
+    # === Parameters
+    # format(Symbol):: Encode format: :pem or :der, defaults to :pem
+    #
+    # === Return
+    # (String):: Encrypted data
+    def encrypted_data(format = :pem)
+      format == :pem ? @pkcs7.to_pem : @pkcs7.to_der
+    end
+    
+    # Decrypted data
+    #
+    # === Parameters
+    # key(RsaKeyPair):: Key pair used for decryption
+    # cert(Certificate):: Certificate to use for decryption
+    #
+    # === Return
+    # (String):: Decrypted data
+    def decrypted_data(key, cert)
+      @pkcs7.decrypt(key.raw_key, cert.raw_cert)
+    end
+
+  end # EncryptedDocument
+
+end # RightScale