rightscale-nanite-dev 0.4.1.10

data/lib/nanite/pid_file.rb

@@ -0,0 +1,52 @@
+module Nanite
+  class PidFile
+    def initialize(identity, options)
+      @pid_dir = File.expand_path(options[:pid_dir] || options[:root] || Dir.pwd)
+      @pid_file = File.join(@pid_dir, "nanite.#{identity}.pid")
+    end
+    
+    def check
+      if pid = read_pid
+        if process_running? pid
+          raise "#{@pid_file} already exists (pid: #{pid})"
+        else
+          Log.info "removing stale pid file: #{@pid_file}"
+          remove
+        end
+      end
+    end
+    
+    def ensure_dir
+      FileUtils.mkdir_p @pid_dir
+    end
+    
+    def write
+      ensure_dir
+      open(@pid_file,'w') {|f| f.write(Process.pid) }
+      File.chmod(0644, @pid_file)
+    end
+    
+    def remove
+      File.delete(@pid_file) if exists?
+    end
+    
+    def read_pid
+      open(@pid_file,'r') {|f| f.read.to_i } if exists?
+    end
+    
+    def exists?
+      File.exists? @pid_file
+    end
+
+    def to_s
+      @pid_file
+    end
+    
+    private
+      def process_running?(pid)
+        Process.getpgid(pid) != -1
+      rescue Errno::ESRCH
+        false
+      end
+  end
+end

data/lib/nanite/reaper.rb

@@ -0,0 +1,39 @@
+module Nanite
+  class Reaper
+    attr_reader :timeouts
+    def initialize(frequency=2)
+      @timeouts = {}
+      EM.add_periodic_timer(frequency) { EM.next_tick { reap } }
+    end
+
+    # Add the specified token to the internal timeout hash.
+    # The reaper will then check this instance on every reap.
+    def register(token, seconds, &blk)
+      @timeouts[token] = {:timestamp => Time.now + seconds, :seconds => seconds, :callback => blk}
+    end
+    
+    def unregister(token)
+      @timeouts.delete(token)
+    end
+
+    # Updates the timeout timestamp for the given token. If the token is
+    # unknown to this reaper instance it will be auto-registered, usually
+    # happening when you have several mappers and not all of them know
+    # this agent yet, but received a ping from it.
+    def update(token, seconds, &blk)
+      unless @timeouts[token]
+        register(token, seconds, &blk)
+      end
+      @timeouts[token][:timestamp] = Time.now + @timeouts[token][:seconds]
+    end
+
+    private
+
+    def reap
+      time = Time.now
+      @timeouts.reject! do |token, data|
+        time > data[:timestamp] and data[:callback].call
+      end
+    end
+  end
+end

data/lib/nanite/redis_tag_store.rb

@@ -0,0 +1,141 @@
+require 'redis'
+
+module Nanite
+
+  # Implementation of a tag store on top of Redis
+  # For a nanite with the identity 'nanite-foobar', we store the following:
+  #
+  # s-nanite-foobar: { /foo/bar, /foo/nik } # a SET of the provided services
+  # tg-nanite-foobar: { foo-42, customer-12 } # a SET of the tags for this agent
+  #
+  # Also we do an inverted index for quick lookup of agents providing a certain
+  # service, so for each service the agent provides, we add the nanite to a SET
+  # of all the nanites that provide said service:
+  #
+  # foo/bar: { nanite-foobar, nanite-nickelbag, nanite-another } # redis SET
+  #
+  # We do that same thing for tags:
+  #
+  # some-tag: { nanite-foobar, nanite-nickelbag, nanite-another } # redis SET
+  #
+  # This way we can do a lookup of what nanites provide a set of services and tags based
+  # on redis SET intersection:
+  #
+  # nanites_for('/gems/list', 'some-tag')
+  # => returns an array of nanites that provide the intersection of these two service tags
+
+  class RedisTagStore
+
+    # Initialize tag store with given redis handle
+    def initialize(redis)
+      @redis = redis
+    end
+
+    # Store services and tags for given agent
+    def store(nanite, services, tags)
+      services = nil if services.compact.empty?
+      tags = nil if tags.compact.empty?
+      log_redis_error do
+        if services
+          obsolete_services = @redis.set_members("s-#{nanite}") - services
+          update_elems(nanite, services, obsolete_services, "s-#{nanite}", 'naniteservices')
+        end
+        if tags
+          obsolete_tags = @redis.set_members("tg-#{nanite}") - tags
+          update_elems(nanite, tags, obsolete_tags, "tg-#{nanite}", 'nanitestags')
+        end
+      end
+    end
+
+    # Update tags for given agent
+    def update(nanite, new_tags, obsolete_tags)
+      update_elems(nanite, new_tags, obsolete_tags, "tg-#{nanite}", 'nanitestags')
+    end
+
+    # Delete services and tags for given agent
+    def delete(nanite)
+      delete_elems(nanite, "s-#{nanite}", 'naniteservices')
+      delete_elems(nanite, "tg-#{nanite}", 'nanitestags')
+    end
+
+    # Services implemented by given agent
+    def services(nanite)
+      @redis.set_members("s-#{nanite}")
+    end
+
+    # Tags exposed by given agent
+    def tags(nanite)
+      @redis.set_members("tg-#{nanite}")
+    end
+
+    # Retrieve all agents services
+    def all_services
+      log_redis_error do
+        @redis.set_members('naniteservices')
+      end
+    end
+
+    # Retrieve all agents tags
+    def all_tags
+      log_redis_error do
+        @redis.set_members('nanitetags')
+      end
+    end
+
+    # Retrieve nanites implementing given service and exposing given tags
+    def nanites_for(from, service, tags)
+      keys = tags && tags.dup || []
+      keys << service
+      log_redis_error do
+        @redis.set_intersect(keys.compact)
+      end
+    end
+
+    private
+
+    # Update values stored for given agent
+    # Also store reverse lookup information using both a unique and
+    # a global key (so it's possible to retrieve that agent value or
+    # all related values)
+    def update_elems(nanite, new_tags, obsolete_tags, elem_key, global_key)
+      new_tags = nil if new_tags.compact.empty?
+      obsolete_tags = nil if obsolete_tags.compact.empty?
+      log_redis_error do
+        obsolete_tags.each do |val|
+          @redis.set_delete(val, nanite)
+          @redis.set_delete(elem_key, val)
+          @redis.set_delete(global_key, val)
+        end if obsolete_tags
+        new_tags.each do |val|
+          @redis.set_add(val, nanite)
+          @redis.set_add(elem_key, val)
+          @redis.set_add(global_key, val)
+        end if new_tags
+      end
+    end
+
+    # Delete all values for given nanite agent
+    # Also delete reverse lookup information
+    def delete_elems(nanite, elem_key, global_key)
+      log_redis_error do
+        (@redis.set_members(elem_key)||[]).each do |val|
+          @redis.set_delete(val, nanite)
+          if @redis.set_count(val) == 0
+            @redis.delete(val)
+            @redis.set_delete(global_key, val)
+          end
+        end
+        @redis.delete(elem_key)
+      end
+    end
+
+    # Helper method, catch and log errors
+    def log_redis_error(&blk)
+      blk.call
+    rescue Exception => e
+      Nanite::Log.warn("redis error in method: #{caller[0]}")
+      raise e
+    end
+
+  end
+end

data/lib/nanite/security/cached_certificate_store_proxy.rb

@@ -0,0 +1,24 @@
+module Nanite
+
+  # Proxy to actual certificate store which caches results in an LRU
+  # cache.
+  class CachedCertificateStoreProxy
+    
+    # Initialize cache proxy with given certificate store.
+    def initialize(store)
+      @signer_cache = CertificateCache.new
+      @store = store
+    end
+    
+    # Results from 'get_recipients' are not cached
+    def get_recipients(obj)
+      @store.get_recipients(obj)
+    end
+
+    # Check cache for signer certificate
+    def get_signer(id)
+      @signer_cache.get(id) { @store.get_signer(id) }
+    end
+
+  end  
+end

data/lib/nanite/security/certificate.rb

@@ -0,0 +1,55 @@
+module Nanite
+
+  # X.509 Certificate management
+  class Certificate
+    
+    # Underlying OpenSSL cert
+    attr_accessor :raw_cert
+  
+    # Generate a signed X.509 certificate
+    #
+    # Arguments:
+    #  - key: RsaKeyPair, key pair used to sign certificate
+    #  - issuer: DistinguishedName, certificate issuer
+    #  - subject: DistinguishedName, certificate subject
+    #  - valid_for: Time in seconds before certificate expires (10 years by default)
+    def initialize(key, issuer, subject, valid_for = 3600*24*365*10)
+      @raw_cert = OpenSSL::X509::Certificate.new
+      @raw_cert.version = 2
+      @raw_cert.serial = 1
+      @raw_cert.subject = subject.to_x509
+      @raw_cert.issuer = issuer.to_x509
+      @raw_cert.public_key = key.to_public.raw_key
+      @raw_cert.not_before = Time.now
+      @raw_cert.not_after = Time.now + valid_for
+      @raw_cert.sign(key.raw_key, OpenSSL::Digest::SHA1.new)
+    end
+    
+    # Load certificate from file
+    def self.load(file)
+      from_data(File.new(file))
+    end
+    
+    # Initialize with raw certificate
+    def self.from_data(data)
+      cert = OpenSSL::X509::Certificate.new(data)
+      res = Certificate.allocate
+      res.instance_variable_set(:@raw_cert, cert)
+      res
+    end
+    
+    # Save certificate to file in PEM format
+    def save(file)
+      File.open(file, "w") do |f|
+        f.write(@raw_cert.to_pem)
+      end
+    end
+    
+    # Certificate data in PEM format
+    def data
+      @raw_cert.to_pem
+    end
+    alias :to_s :data
+
+  end
+end

data/lib/nanite/security/certificate_cache.rb

@@ -0,0 +1,66 @@
+module Nanite
+
+  # Implements a simple LRU cache: items that are the least accessed are
+  # deleted first.
+  class CertificateCache
+
+    # Max number of items to keep in memory
+    DEFAULT_CACHE_MAX_COUNT = 100
+
+    # Initialize cache
+    def initialize(max_count = DEFAULT_CACHE_MAX_COUNT)
+      @items = {}
+      @list = []
+      @max_count = max_count
+    end
+    
+    # Add item to cache
+    def put(key, item)
+      if @items.include?(key)
+        delete(key)
+      end
+      if @list.size == @max_count
+        delete(@list.first)
+      end
+      @items[key] = item
+      @list.push(key)
+      item
+    end
+    alias :[]= :put
+    
+    # Retrieve item from cache
+    # Store item returned by given block if any
+    def get(key)
+      if @items.include?(key)
+        @list.each_index do |i|
+          if @list[i] == key
+            @list.delete_at(i)
+            break
+          end
+        end
+        @list.push(key)
+        @items[key]
+      else
+        return nil unless block_given?
+         self[key] = yield
+      end
+    end
+    alias :[] :get
+    
+    # Delete item from cache
+    def delete(key)
+      c = @items[key]
+      if c
+        @items.delete(key)
+        @list.each_index do |i|
+  	      if @list[i] == key
+  	        @list.delete_at(i)
+  	        break
+  	      end
+        end
+        c
+      end
+    end
+
+  end
+end

data/lib/nanite/security/distinguished_name.rb

@@ -0,0 +1,34 @@
+module Nanite
+
+  # Build X.509 compliant distinguished names
+  # Distinghuished names are used to desccribe both a certificate issuer and
+  # subject.
+  class DistinguishedName
+    
+    # Initialize distinguished name from hash
+    # e.g.:
+    #   { 'C'  => 'US',
+    #     'ST' => 'California',
+    #     'L'  => 'Santa Barbara',
+    #     'O'  => 'RightScale',
+    #     'OU' => 'Certification Services',
+    #     'CN' => 'rightscale.com/emailAddress=cert@rightscale.com' }
+    #
+    def initialize(hash)
+      @value = hash
+    end
+    
+    # Conversion to OpenSSL X509 DN
+    def to_x509
+      if @value
+        OpenSSL::X509::Name.new(@value.to_a, OpenSSL::X509::Name::OBJECT_TYPE_TEMPLATE)
+      end
+    end
+
+    # Human readable form
+    def to_s
+      '/' + @value.to_a.collect { |p| p.join('=') }.join('/') if @value
+    end
+    
+  end
+end

data/lib/nanite/security/encrypted_document.rb

@@ -0,0 +1,46 @@
+module Nanite
+
+  # Represents a signed an encrypted document that can be later decrypted using
+  # the right private key and whose signature can be verified using the right
+  # cert.
+  # This class can be used both to encrypt and sign data and to then check the
+  # signature and decrypt an encrypted document.
+  class EncryptedDocument
+  
+    # Encrypt and sign data using certificate and key pair.
+    #
+    # Arguments:
+    #  - 'data':   Data to be encrypted
+    #  - 'certs':  Recipient certificates (certificates corresponding to private
+    #              keys that may be used to decrypt data)
+    #  - 'cipher': Cipher used for encryption, AES 256 CBC by default
+    #
+    def initialize(data, certs, cipher = 'AES-256-CBC')
+      cipher = OpenSSL::Cipher::Cipher.new(cipher)
+      certs = [ certs ] unless certs.respond_to?(:collect)
+      raw_certs = certs.collect { |c| c.raw_cert }
+      @pkcs7 = OpenSSL::PKCS7.encrypt(raw_certs, data, cipher, OpenSSL::PKCS7::BINARY)
+    end
+
+    # Initialize from encrypted data.
+    def self.from_data(encrypted_data)
+      doc = EncryptedDocument.allocate
+      doc.instance_variable_set(:@pkcs7, Nanite::PKCS7.new(encrypted_data))
+      doc
+    end
+    
+    # Encrypted data using DER format
+    def encrypted_data
+      @pkcs7.to_pem
+    end
+    
+    # Decrypted data
+    #
+    # Arguments:
+    #   - 'key':  Key used for decryption
+    #   - 'cert': Certificate to use for decryption
+    def decrypted_data(key, cert)
+      @pkcs7.decrypt(key.raw_key, cert.raw_cert)
+    end
+  end
+end