smart_proxy_chef 0.1.2 → 0.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7d2d28589334b1dd4348fdb64179ee703847ff63
-  data.tar.gz: 887c69f465dbf1b6da515f0c9fafcc881077e3a7
+  metadata.gz: d1c5fd05ae72a1469295dedb30ea5b17d6a31c8e
+  data.tar.gz: 2831d4c31cf71833fc813b6dfda6b8f2217cc020
 SHA512:
-  metadata.gz: b04a508b2a54db80f5b5e6106636cb444495d90a74235e16f784ac07cff0626bbe87d1516aa0c5847d3c560975d1f472109d30d3566a695a6be2897b13782832
-  data.tar.gz: 9d6b04059fb1bd4eb3be73fcc9f92008c951c97f2742a656d5c7f7717ce06c3ca723af0ca2668575b04c847aa5d7bf9496f92efe1e480ab89586289db33fbec5
+  metadata.gz: e5219d453c2eabc2ac58187c021b12e05ad689eddeab17c636cd5f8cd0d2ac5a70e5468b9162b6741a4bb6d35f150c6382b66bcdf76ae34152f3b1ef898e43d6
+  data.tar.gz: f133518caf0024b07d9ebd9b36b8c054012550186b29909b784a6710ee7178caa441717a9ad7bfbd53ee3af7ad71b2b567697ece4fb39ec3991099537b5cd5a8

data/lib/smart_proxy_chef_plugin/authentication.rb

@@ -1,47 +1,57 @@
-module ChefPlugin
-  class Authentication
-    require 'smart_proxy_chef_plugin/resources/client'
-    require 'digest/sha2'
-    require 'base64'
-    require 'openssl'
-
-    def verify_signature_request(client_name,signature,body)
-      #We need to retrieve client public key
-      #to verify signature
-      begin
-        client = Resources::Client.new.show(client_name)
-      rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError,
-        Net::HTTPBadResponse, Net::HTTPHeaderSyntaxError, Net::ProtocolError,
-        Errno::ECONNREFUSED, OpenSSL::SSL::SSLError => e
-        raise Proxy::Error::Unauthorized, "Failed to authenticate node: "+e.message
-      end
+require 'smart_proxy_chef_plugin/connection_helper'
+require 'digest/sha2'
+require 'base64'
+require 'openssl'
 
-      raise Proxy::Error::Unauthorized, "Could not find client with name #{client_name}" if client.nil?
-      public_key = OpenSSL::PKey::RSA.new(client.public_key)
+module ChefPlugin
+  module Authentication
+    def authenticate_with_chef_signature
+      helpers ConnectionHelper, InstanceMethods, ::Proxy::Helpers
 
-      #signature is base64 encoded
-      decoded_signature = Base64.decode64(signature)
-      hash_body = Digest::SHA256.hexdigest(body)
-      public_key.verify(OpenSSL::Digest::SHA256.new, decoded_signature, hash_body)
+      before do
+        authenticate_chef_signature(request)
+      end
     end
 
-    def authenticated(request, &block)
-      content     = request.env["rack.input"].read
+    module InstanceMethods
+      def verify_signature_request(client_name, signature,body)
+        #We need to retrieve client public key to verify signature
+        begin
+          client = get_connection.clients.fetch(client_name)
+        rescue StandardError => e
+          log_halt 401, "Failed to authenticate node: " + e.message + "\n#{e.backtrace.join("\n")}"
+        end
 
-      auth = true
-      if ChefPlugin::Plugin.settings.chef_authenticate_nodes
-        client_name = request.env['HTTP_X_FOREMAN_CLIENT']
-        signature   = request.env['HTTP_X_FOREMAN_SIGNATURE']
+        log_halt 401, "Could not find client with name #{client_name}" if client.nil?
+        public_key = OpenSSL::PKey::RSA.new(client.public_key)
 
-        raise Proxy::Error::Unauthorized, "Failed to authenticate node #{client_name}. Missing some headers" if client_name.nil? or signature.nil?
-        auth = verify_signature_request(client_name, signature, content)
+        #signature is base64 encoded
+        decoded_signature = Base64.decode64(signature)
+        hash_body = Digest::SHA256.hexdigest(body)
+        public_key.verify(OpenSSL::Digest::SHA256.new, decoded_signature, hash_body)
       end
 
-      if auth
-        raise Proxy::Error::BadRequest, "Body is empty for node #{client_name}" if content.nil?
-        block.call(content)
-      else
-        raise Proxy::Error::Unauthorized, "Failed to authenticate node #{client_name}"
+      def authenticate_chef_signature(request)
+        logger.debug('starting chef signature authentication')
+        content     = request.env["rack.input"].read
+
+        auth = true
+        if ChefPlugin::Plugin.settings.chef_authenticate_nodes
+          client_name = request.env['HTTP_X_FOREMAN_CLIENT']
+          logger.debug("header HTTP_X_FOREMAN_CLIENT: #{client_name}")
+          signature   = request.env['HTTP_X_FOREMAN_SIGNATURE']
+
+          log_halt 401, "Failed to authenticate node #{client_name}. Missing some headers" if client_name.nil? or signature.nil?
+          auth = verify_signature_request(client_name, signature, content)
+        end
+
+        if auth
+          log_halt 406, "Body is empty for node #{client_name}" if content.nil?
+          logger.debug("#{client_name} authenticated successfully")
+          return true
+        else
+          log_halt 401, "Failed to authenticate node #{client_name}"
+        end
       end
     end
   end

data/lib/smart_proxy_chef_plugin/chef_api.rb

@@ -1,50 +1,52 @@
-require 'smart_proxy_chef_plugin/resources/node'
-require 'smart_proxy_chef_plugin/resources/client'
+require 'smart_proxy_chef_plugin/connection_helper'
+require 'smart_proxy_chef_plugin/chef_resource_api'
 
 module ChefPlugin
   class ChefApi < ::Sinatra::Base
-    helpers ::Proxy::Helpers
-
-    get "/nodes/:fqdn" do
-      logger.debug "Showing node #{params[:fqdn]}"
+    helpers ::Proxy::Helpers, ConnectionHelper
+    extend ChefResourceApi
+    authorize_with_trusted_hosts
 
+    before do
       content_type :json
-      if (node = Resources::Node.new.show(params[:fqdn]))
-        node.to_json
-      else
-        log_halt 404, "Node #{params[:fqdn]} not found"
-      end
+      @connection = get_connection
     end
 
-    get "/clients/:fqdn" do
-      logger.debug "Showing client #{params[:fqdn]}"
-
-      content_type :json
-      if (node = Resources::Client.new.show(params[:fqdn]))
-        node.to_json
-      else
-        log_halt 404, "Client #{params[:fqdn]} not found"
-      end
+    error ChefAPI::Error::UnknownAttribute do
+      log_halt 400, {:result => false, :errors => [env['sinatra.error'].message]}.to_json
     end
 
-    delete "/nodes/:fqdn" do
-      logger.debug "Starting deletion of node #{params[:fqdn]}"
-
-      result = Resources::Node.new.delete(params[:fqdn])
-      log_halt 400, "Node #{params[:fqdn]} could not be deleteded" unless result
-
-      logger.debug "Node #{params[:fqdn]} deleted"
-      { :result => result }.to_json
+    error ChefAPI::Error::ResourceNotFound do
+      log_halt 404, {:result => false, :errors => [env['sinatra.error'].message]}.to_json
     end
 
-    delete "/clients/:fqdn" do
-      logger.debug "Starting deletion of client #{params[:fqdn]}"
-
-      result = Resources::Client.new.delete(params[:fqdn])
-      log_halt 400, "Client #{params[:fqdn]} could not be deleted" unless result
+    resource :client
+    put "/clients/:id/regenerate_keys" do
+      logger.debug "Regenerating client #{params[:id]} keys"
+      client = @connection.clients.fetch(params[:id])
+      log_halt 404, "Client #{params[:id]} not found" if client.nil?
 
-      logger.debug "Client #{params[:fqdn]} deleted"
-      { :result => result }.to_json
+      if client.regenerate_keys
+        logger.debug "Client #{params[:id]} keys regenerated"
+        client.to_json
+      else
+        log_halt 400, { :errors => 'Unable to regenerate keys' }.to_json
+      end
     end
+
+    # commented resources do not work since they are scoped under other resource are not standard in other way
+    # resource :collection_proxy, :plural_name => 'collection_proxies'
+    resource :cookbook
+    # resource :cookbook_version
+    resource :data_bag
+    # resource :data_bag_item
+    resource :environment
+    resource :node
+    # resource :organization
+    # resource :partial_search, :plural_name => 'partial_searches'
+    # resource :principal
+    resource :role
+    # resource :search, :plural_name => 'searches'
+    resource :user
   end
 end

data/lib/smart_proxy_chef_plugin/chef_resource_api.rb

@@ -0,0 +1,88 @@
+module ChefPlugin
+  module ChefResourceApi
+
+    def resource(name, options = {})
+      @name = name
+      @options = options
+      plural = get_plural_name
+
+      show_action(name, plural) if actions.include?(:show)
+      create_action(name, plural) if actions.include?(:create)
+      update_action(name, plural) if actions.include?(:update)
+      delete_action(name, plural) if actions.include?(:delete)
+      list_action(plural) if actions.include?(:list)
+    end
+
+    def list_action(plural)
+      get "/#{plural}" do
+        logger.debug "Listing #{plural}"
+
+        # to workaround chef-api issue, see https://github.com/sethvargo/chef-api/pull/34 for more details
+        resources = get_connection.send(plural).all
+        resources.map(&:to_hash).to_json
+      end
+    end
+
+    def delete_action(name, plural)
+      delete "/#{plural}/:id" do
+        logger.debug "Starting deletion of #{name} #{params[:id]}"
+
+        if (result = get_connection.send(plural).delete(params[:id]))
+          logger.debug "#{name.capitalize} #{params[:id]} deleted"
+        else
+          log_halt 400, "#{name.capitalize} #{params[:id]} could not be deleted" unless result
+        end
+      end
+    end
+
+    # currently broken at least for clients - see https://github.com/sethvargo/chef-api/issues/33
+    def update_action(name, plural)
+      put "/#{plural}/:id" do
+        logger.debug "Updating #{name} with parameters: " + params.inspect
+
+        if (object = get_connection.send(plural).update(params[:id], params[name]))
+          logger.debug "#{name.capitalize} #{params[:id]} updated"
+          object.to_json
+        else
+          log_halt 400, {:errors => object.errors}.to_json
+        end
+      end
+    end
+
+    def create_action(name, plural)
+      post "/#{plural}" do
+        logger.debug "Creating #{name} with parameters: " + params.inspect
+
+        object = get_connection.send(plural).new(params[name])
+        if object.save
+          logger.debug "#{name.capitalize} #{params[:id]} created"
+          object.to_json
+        else
+          log_halt 400, {:errors => object.errors}.to_json
+        end
+      end
+    end
+
+    def show_action(name, plural)
+      get "/#{plural}/:id" do
+        logger.debug "Showing #{name} #{params[:id]}"
+
+        if (object = get_connection.send(plural).fetch(params[:id]))
+          object.to_json
+        else
+          log_halt 404, "#{name.capitalize} #{params[:id]} not found"
+        end
+      end
+    end
+
+    private
+
+    def actions
+      @options[:actions].nil? ? [:create, :show, :list, :update, :delete] : @options[:actions]
+    end
+
+    def get_plural_name
+      @options[:plural_name].nil? ? "#{@name}s" : @options[:plural_name]
+    end
+  end
+end

data/lib/smart_proxy_chef_plugin/connection_helper.rb

@@ -0,0 +1,20 @@
+require 'chef-api'
+
+module ChefPlugin
+  module ConnectionHelper
+    def get_connection
+      connection = ::ChefAPI::Connection.new(
+        :endpoint => ChefPlugin::Plugin.settings.chef_server_url,
+        :client => ChefPlugin::Plugin.settings.chef_smartproxy_clientname,
+        :key => ChefPlugin::Plugin.settings.chef_smartproxy_privatekey,
+      )
+      connection.ssl_verify = ChefPlugin::Plugin.settings.chef_ssl_verify
+      self_signed = ChefPlugin::Plugin.settings.chef_ssl_pem_file
+      if !self_signed.nil? && !self_signed.empty?
+        connection.ssl_pem_file = self_signed
+      end
+
+      connection
+    end
+  end
+end

data/lib/smart_proxy_chef_plugin/foreman_api.rb

@@ -2,9 +2,11 @@ require 'proxy/request'
 require 'smart_proxy_chef_plugin/authentication'
 
 module ChefPlugin
+  ::Sinatra::Base.register Authentication
+
   class ForemanApi < ::Sinatra::Base
     helpers ::Proxy::Helpers
-    authorize_with_trusted_hosts
+    authenticate_with_chef_signature
 
     error Proxy::Error::BadRequest do
       log_halt(400, "Bad request : " + env['sinatra.error'].message )
@@ -16,15 +18,30 @@ module ChefPlugin
 
     post "/hosts/facts" do
       logger.debug 'facts upload request received'
-      ChefPlugin::Authentication.new.authenticated(request) do |content|
-        Proxy::HttpRequest::Facts.new.post_facts(content)
-      end
+      foreman_response = Proxy::HttpRequest::Facts.new.post_facts(get_content)
+      log_result(foreman_response)
     end
 
     post "/reports" do
       logger.debug 'report upload request received'
-      ChefPlugin::Authentication.new.authenticated(request) do |content|
-        Proxy::HttpRequest::Reports.new.post_report(content)
+      foreman_response = Proxy::HttpRequest::Reports.new.post_report(get_content)
+      log_result(foreman_response)
+    end
+
+    private
+
+    def get_content
+      input = request.env['rack.input']
+      input.rewind
+      input.read
+    end
+
+    def log_result(foreman_response)
+      code = foreman_response.code.to_i
+      if code >= 200 && code < 300
+        logger.debug "upload forwarded to Foreman successfully, response was #{code}"
+      else
+        logger.error "forwarding failed, Foreman responded with #{code}, check Foreman access and production logs for more details"
       end
     end
   end

data/lib/smart_proxy_chef_plugin/version.rb

@@ -1,3 +1,3 @@
 module ChefPlugin
-  VERSION = '0.1.2'
+  VERSION = '0.1.3'
 end

data/settings.d/chef.yml.example

@@ -8,7 +8,7 @@
 # :chef_smartproxy_clientname: 'host.example.net'
 # :chef_smartproxy_privatekey: '/etc/chef/client.pem'
 
-# by default ssl verification of request to you chef server is enabled,
+# by default ssl verification of request to your chef server is enabled,
 # you're supposed to install CA certificate yourself
 # this usually consist of two steps
 #   download the CA cert to /etc/pki/tls/certs/, e.g. ca-cert-root.pem

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smart_proxy_chef
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.3
 platform: ruby
 authors:
 - Marek Hulan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-13 00:00:00.000000000 Z
+date: 2015-03-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -134,17 +134,16 @@ files:
 - lib/smart_proxy_chef_plugin/http_config.ru
 - lib/smart_proxy_chef_plugin/chef_api.rb
 - lib/smart_proxy_chef_plugin/foreman_api.rb
+- lib/smart_proxy_chef_plugin/connection_helper.rb
+- lib/smart_proxy_chef_plugin/chef_resource_api.rb
 - lib/smart_proxy_chef_plugin/authentication.rb
-- lib/smart_proxy_chef_plugin/resources/client.rb
-- lib/smart_proxy_chef_plugin/resources/base.rb
-- lib/smart_proxy_chef_plugin/resources/node.rb
 - lib/smart_proxy_chef_plugin/chef_plugin.rb
 - lib/smart_proxy_chef_plugin/version.rb
 - lib/smart_proxy_chef.rb
 - settings.d/chef.yml.example
 - LICENSE
 - Gemfile
-homepage: https://github.com/theforeman/smart-proxy-chef-plugin
+homepage: https://github.com/theforeman/smart_proxy_chef
 licenses:
 - GPLv3
 metadata: {}

data/lib/smart_proxy_chef_plugin/resources/base.rb

@@ -1,20 +0,0 @@
-require 'chef-api'
-
-module ChefPlugin
-  module Resources
-    class Base
-      def initialize
-        @connection = ChefAPI::Connection.new(
-            :endpoint => ChefPlugin::Plugin.settings.chef_server_url,
-            :client => ChefPlugin::Plugin.settings.chef_smartproxy_clientname,
-            :key => ChefPlugin::Plugin.settings.chef_smartproxy_privatekey,
-        )
-        @connection.ssl_verify = ChefPlugin::Plugin.settings.chef_ssl_verify
-        self_signed = ChefPlugin::Plugin.settings.chef_ssl_pem_file
-        if !self_signed.nil? && !self_signed.empty?
-          @connection.ssl_pem_file = self_signed
-        end
-      end
-    end
-  end
-end

data/lib/smart_proxy_chef_plugin/resources/client.rb

@@ -1,18 +0,0 @@
-require 'smart_proxy_chef_plugin/resources/base'
-
-module ChefPlugin::Resources
-  class Client < Base
-    def initialize
-      super
-      @base = @connection.clients
-    end
-
-    def delete(fqdn)
-       @base.delete(fqdn)
-    end
-
-    def show(fqdn)
-      @base.fetch(fqdn)
-    end
-  end
-end

data/lib/smart_proxy_chef_plugin/resources/node.rb

@@ -1,18 +0,0 @@
-require 'smart_proxy_chef_plugin/resources/base'
-
-module ChefPlugin::Resources
-  class Node < Base
-    def initialize
-      super
-      @base = @connection.nodes
-    end
-
-    def delete(fqdn)
-      @base.delete(fqdn)
-    end
-
-    def show(fqdn)
-      @base.fetch(fqdn)
-    end
-  end
-end