right_agent 2.0.7-x86-mingw32

data/lib/right_agent/enrollment_result.rb

@@ -0,0 +1,221 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+
+require 'openssl'
+require 'base64'
+require 'json'
+
+# A response to a RightNet enrollment request containing the router's X509 cert,
+# the instance (or other) agent's identity cert, and the agent's private key.
+# Responses are encrypted using a secret key shared between the instance and
+# the Certifying Authority (aka the RightScale core site) and integrity-protected
+# using a similar key.
+module RightScale
+
+  class EnrollmentResult
+
+    include ProtocolVersionMixin
+
+    # Versions 5 and above use an identical format for the enrollment result
+    SUPPORTED_VERSIONS = 5..AgentConfig.protocol_version
+    
+    class IntegrityFailure < Exception; end
+    class VersionError < Exception; end
+
+    attr_reader :r_s_version, :timestamp, :router_cert, :id_cert, :id_key
+
+    # Create a new instance of this class
+    #
+    # === Parameters
+    # timestamp(Time):: Timestamp associated with this result
+    # router_cert(String):: Arbitrary string
+    # id_cert(String):: Arbitrary string
+    # id_key(String):: Arbitrary string
+    # secret(String):: Shared secret with which the result is encrypted
+    #
+    def initialize(r_s_version, timestamp, router_cert, id_cert, id_key, secret)
+      @r_s_version = r_s_version
+      @timestamp   = timestamp.utc
+      @router_cert = router_cert
+      @id_cert     = id_cert
+      @id_key      = id_key
+      @serializer  = Serializer.new(can_handle_msgpack_result?(r_s_version) ? :msgpack : :json)
+
+      cert_name = can_handle_http?(r_s_version) ? 'router_cert' : 'mapper_cert'
+      msg = @serializer.dump({
+        cert_name => @router_cert.to_s,
+        'id_cert' => @id_cert,
+        'id_key'  => @id_key
+      })
+
+      key        = EnrollmentResult.derive_key(secret, @timestamp.to_i.to_s)
+      #TODO switch to new OpenSSL API once we move to Ruby 1.8.7
+      #cipher     = OpenSSL::Cipher.new("aes-256-cbc")
+      cipher     = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
+      cipher.encrypt
+      cipher.key = key
+      cipher.iv = @iv = cipher.random_iv
+
+      @ciphertext = cipher.update(msg) + cipher.final
+
+      key   = EnrollmentResult.derive_key(secret.to_s.reverse, @timestamp.to_i.to_s)
+      hmac   = OpenSSL::HMAC.new(key, OpenSSL::Digest::SHA1.new)
+      hmac.update(@ciphertext)
+      @mac  = hmac.digest
+    end
+
+    # Serialize an enrollment result
+    #
+    # === Parameters
+    # obj(EnrollmentResult):: Object to serialize
+    #
+    # === Return
+    # (String):: Serialized object
+    #
+    def to_s
+      @serializer.dump({
+          'r_s_version' => @r_s_version.to_s,
+          'timestamp'   => @timestamp.to_i.to_s,
+          'iv'          => Base64::encode64(@iv).chop,
+          'ciphertext'  => Base64::encode64(@ciphertext).chop,
+          'mac'         => Base64::encode64(@mac).chop
+      })
+    end
+
+    # Compare this object to another one. Two results are equal if they have the same
+    # payload (certs and keys) and timestamp. The crypto fields are not included in
+    # the comparison because they are mutable.
+    #
+    # === Parameters
+    # o(EnrollmentResult):: Object to compare against
+    #
+    # === Return
+    # true|false:: Whether the objects' pertinent fields are identical
+    #
+    def ==(o)
+      self.router_cert == o.router_cert &&
+      self.id_cert == o.id_cert &&
+      self.id_key == o.id_key &&
+      self.timestamp.to_i == o.timestamp.to_i
+    end
+
+    # Serialize an enrollment result
+    #
+    # === Parameters
+    # obj(EnrollmentResult):: Object to serialize
+    #
+    # === Return
+    # (String):: Serialized object
+    #
+    def self.dump(obj)
+      raise VersionError.new("Unsupported version #{obj.r_s_version}") unless SUPPORTED_VERSIONS.include?(obj.r_s_version)
+      obj.to_s
+    end
+
+    # Unserialize the MessagePack encoded enrollment result
+    #
+    # === Parameters
+    # string(String):: MessagePack representation of the result
+    # secret(String):: Shared secret with which the result is encrypted
+    #
+    # === Return
+    # result:: An instance of EnrollmentResult
+    #
+    # === Raise
+    # IntegrityFailure:: if the message has been tampered with
+    # VersionError:: if the specified protocol version is not locally supported
+    #
+    def self.load(string, secret)
+      serializer = Serializer.new
+      envelope = serializer.load(string)
+
+      r_s_version = envelope['r_s_version'].to_i
+      raise VersionError.new("Unsupported version #{r_s_version}") unless SUPPORTED_VERSIONS.include?(r_s_version)
+
+      timestamp  = Time.at(envelope['timestamp'].to_i)
+      iv         = Base64::decode64(envelope['iv'])
+      ciphertext = Base64::decode64(envelope['ciphertext'])
+      mac        = Base64::decode64(envelope['mac'])
+
+      key        = self.derive_key(secret, timestamp.to_i.to_s)
+      #TODO switch to new OpenSSL API once we move to Ruby 1.8.7
+      #cipher     = OpenSSL::Cipher.new("aes-256-cbc")
+      cipher     = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
+      cipher.decrypt
+      cipher.key = key
+      cipher.iv  = iv
+
+      #TODO exclusively use new OpenSSL API (OpenSSL::CipherError) once we move to Ruby 1.8.7
+      if defined?(OpenSSL::Cipher::CipherError)
+        begin
+          plaintext = cipher.update(ciphertext) + cipher.final
+        rescue OpenSSL::Cipher::CipherError => e
+          raise IntegrityFailure.new(e.message)
+        end
+      else
+        begin
+          plaintext = cipher.update(ciphertext) + cipher.final
+        rescue OpenSSL::CipherError => e
+          raise IntegrityFailure.new(e.message)
+        end
+      end
+
+      key   = self.derive_key(secret.to_s.reverse, timestamp.to_i.to_s)
+      hmac   = OpenSSL::HMAC.new(key, OpenSSL::Digest::SHA1.new)
+      hmac.update(ciphertext)
+      my_mac  = hmac.digest
+      raise IntegrityFailure.new("MAC mismatch: expected #{my_mac}, got #{mac}") unless (mac == my_mac)
+
+      msg = serializer.load(plaintext)
+      router_cert = msg['router_cert'] || msg['mapper_cert']
+      id_cert   = msg['id_cert']
+      id_key    = msg['id_key']
+
+      self.new(r_s_version, timestamp, router_cert, id_cert, id_key, secret)
+    end
+
+    protected
+
+    def self.derive_key(secret, salt)
+      begin
+        return OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret, salt, 2048, 32)
+      rescue NameError => e
+        return pkcs5_pbkdf2_hmac_sha1(secret, salt, 2048, 32)
+      end
+    end
+
+    def self.pkcs5_pbkdf2_hmac_sha1(pass, salt, iter, len)
+      ret = ''
+      i = 0
+
+      while len > 0
+        i += 1
+        hmac = OpenSSL::HMAC.new(pass, OpenSSL::Digest::SHA1.new)
+        hmac.update(salt)
+        hmac.update([i].pack('N'))
+        digtmp = hmac.digest
+
+        cplen = len > digtmp.length ? digtmp.length : len
+
+        tmp = digtmp.dup
+
+        1.upto(iter - 1) do |j|
+          hmac = OpenSSL::HMAC.new(pass, OpenSSL::Digest::SHA1.new)
+          hmac.update(digtmp)
+          digtmp = hmac.digest
+          0.upto(cplen - 1) do |k|
+            tmp[k] = (tmp[k] ^ digtmp[k]).chr
+          end
+        end
+
+        tmp.slice!((cplen)..-1) if (tmp.length > cplen)
+        ret << tmp
+        len -= tmp.length
+      end
+
+      ret
+    end
+
+  end
+end

data/lib/right_agent/exceptions.rb

@@ -0,0 +1,87 @@
+#
+# Copyright (c) 2009-2013 RightScale Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module RightScale
+
+  class Exceptions
+
+    # Base exception for use in nesting exceptions
+    class NestedException < StandardError
+      attr_reader :nested_exception
+
+      # Exception message and optional nested exception or string
+      def initialize(message, nested_exception = nil)
+        @nested_exception = nested_exception
+        super(message)
+      end
+    end
+
+    # Internal application error
+    class Application < StandardError; end
+
+    # Agent command IO error
+    class IO < RuntimeError; end
+
+    # Agent compute platform error
+    class PlatformError < StandardError; end
+
+    # Terminating service
+    class Terminating < RuntimeError; end
+
+    # Not authorized to make request
+    class Unauthorized < NestedException
+      def initialize(message, nested_exception = nil)
+        super(message, nested_exception)
+      end
+    end
+
+    # Cannot connect to service, lost connection to it, or it is out of service or too busy to respond
+    class ConnectivityFailure < NestedException
+      def initialize(message, nested_exception = nil)
+        super(message, nested_exception)
+      end
+    end
+
+    # Request failed but potentially will succeed if retried
+    class RetryableError < NestedException
+      def initialize(message, nested_exception = nil)
+        super(message, nested_exception)
+      end
+    end
+
+    # Database query failed
+    class QueryFailure < NestedException
+      def initialize(message, nested_exception = nil)
+        super(message, nested_exception)
+      end
+    end
+
+    # Error internal to specified server
+    class InternalServerError < NestedException
+      attr_reader :server
+      def initialize(message, server, nested_exception = nil)
+        @server = server
+        super(message, nested_exception)
+      end
+    end
+  end
+end

data/lib/right_agent/history.rb

@@ -0,0 +1,145 @@
+#
+# Copyright (c) 2009-2012 RightScale Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+require 'fileutils'
+
+module RightScale
+
+  # Agent history manager
+  class History
+
+    # Initialize history
+    #
+    # === Parameters
+    # identity(String):: Serialized agent identity
+    # pid(Integer):: Process ID of agent, defaults to ID if current process
+    def initialize(identity, pid = nil)
+      @pid = pid || Process.pid
+      @history = File.join(AgentConfig.pid_dir, identity + ".history")
+    end
+
+    # Append event to history file
+    #
+    # === Parameters
+    # event(Object):: Event to be stored in the form String or {String => Object},
+    #   where String is the event name and Object is any associated JSON-encodable data
+    #
+    # === Return
+    # true:: Always return true
+    def update(event)
+      @last_update = {:time => Time.now.to_i, :pid => @pid, :event => event}
+      FileUtils.mkdir_p(File.dirname(@history)) unless File.exists?(File.dirname(@history))
+      File.open(@history, "a") { |f| f.puts @last_update.to_json }
+      true
+    end
+
+    # Load events from history file
+    #
+    # === Return
+    # events(Array):: List of historical events with each being a hash of
+    #   :time(Integer):: Time in seconds in Unix-epoch when event occurred
+    #   :pid(Integer):: Process id of agent recording the event
+    #   :event(Object):: Event object in the form String or {String => Object},
+    #     where String is the event name and Object is any associated JSON-encodable data
+    def load
+      events = []
+      File.open(@history, "r") { |f| events = f.readlines.map { |l| JSON.load(l) } } if File.readable?(@history)
+      events
+    end
+
+    # Analyze history to determine service attributes like uptime and restart/crash counts
+    #
+    # === Return
+    # (Hash):: Results of analysis
+    #   :uptime(Integer):: Current time in service
+    #   :total_uptime(Integer):: Total time in service (but if there were crashes
+    #     this total includes recovery time, which makes it inaccurate)
+    #   :restarts(Integer|nil):: Number of restarts, if any
+    #   :graceful_exits(Integer|nil):: Number of graceful terminations, if any
+    #   :crashes(Integer|nil):: Number of crashes, if any
+    #   :last_crash_time(Integer|nil):: Time in seconds in Unix-epoch when last crash occurred, if any
+    #   :crashed_last(Boolean):: Whether crashed last time it was started
+    def analyze_service
+      now = Time.now.to_i
+      if @last_analysis && @last_event == @last_update
+        delta = now - @last_analysis_time
+        @last_analysis[:uptime] += delta
+        @last_analysis[:total_uptime] += delta
+      else
+        last_run = last_crash = @last_event = {:time => 0, :pid => 0, :event => nil}
+        restarts = graceful_exits = crashes = accumulated_uptime = 0
+        crashed_last = false
+        load.each do |event|
+          event = SerializationHelper.symbolize_keys(event)
+          case event[:event]
+          when "start"
+            case @last_event[:event]
+            when "stop", "graceful exit"
+              restarts += 1
+            when "start"
+              crashes += 1
+              last_crash = event
+              crashed_last = true
+            when "run"
+              crashes += 1
+              last_crash = event
+              crashed_last = true
+              # Accumulating uptime here although this will wrongly include recovery time
+              accumulated_uptime += (event[:time] - @last_event[:time])
+            end
+          when "run"
+            last_run = event
+          when "stop"
+            crashed_last = false
+            if @last_event[:event] == "run" && @last_event[:pid] == event[:pid]
+              accumulated_uptime += (event[:time] - @last_event[:time])
+            end
+          when "graceful exit"
+            crashed_last = false
+            graceful_exits += 1
+          else
+            next
+          end
+          @last_event = event
+        end
+        current_uptime = last_run[:pid] == @pid ? (now - last_run[:time]) : 0
+        @last_analysis = {
+          :uptime => current_uptime,
+          :total_uptime => accumulated_uptime + current_uptime
+        }
+        if restarts > 0
+          @last_analysis[:restarts] = restarts
+          @last_analysis[:graceful_exits] = graceful_exits
+        end
+        if crashes > 0
+          @last_analysis[:crashes] = crashes
+          @last_analysis[:last_crash_time] = last_crash[:time]
+          @last_analysis[:crashed_last] = crashed_last
+        end
+      end
+      @last_analysis_time = now
+      @last_analysis
+    end
+
+  end # History
+
+end # RightScale