vines-agent 0.1.1 → 0.1.2

data/lib/vines/agent/connection.rb

@@ -23,6 +23,11 @@ module Vines
         jid = Blather::JID.new(fqdn, domain, 'vines')
         @stream = Blather::Client.setup(jid, password, host, port, certs)
 
+        @stream.register_handler(:stream_error) do |e|
+          log.error(e.message)
+          true # prevent EM.stop
+        end
+
         @stream.register_handler(:disconnected) do
           log.info("Stream disconnected, reconnecting . . .")
           EM::Timer.new(rand(16) + 5) do
@@ -35,6 +40,7 @@ module Vines
           # prevent handler called twice
           unless @ready
             log.info("Connected #{@stream.jid} agent to #{host}:#{port}")
+            log.warn("Agent must run as root user to allow user switching") unless root?
             @ready = true
             startup
           end
@@ -270,6 +276,12 @@ module Vines
       def from_service?(node)
         @services.include?(node.from.stripped.to_s.downcase)
       end
+
+      # Return true if the agent process is owned by root. Switching users with
+      # +v user+ is only possible when running as root.
+      def root?
+        Process.uid == 0
+      end
     end
   end
 end

data/lib/vines/agent/shell.rb

@@ -17,8 +17,8 @@ module Vines
       # commands.
       def initialize(jid, permissions)
         @jid, @permissions = jid, permissions
-        @user, @commands = allowed_users.first, EM::Queue.new
-        spawn(@user)
+        @user = allowed_users.first if allowed_users.size == 1
+        @commands = EM::Queue.new
         process_command_queue
       end
 
@@ -55,7 +55,10 @@ module Vines
       end
 
       def run_in_slave(command)
+        return "-> no user selected, run 'v user'" unless @user
         log.info("Running #{command} as #{@user}")
+
+        spawn(@user) unless @shell
         out, err = @shell.execute(command)
         output = [].tap do |arr|
           arr << out if out && !out.empty?
@@ -63,16 +66,21 @@ module Vines
         end.join("\n")
         output.empty? ? '-> command completed' : output
       rescue
-        spawn(@user)
+        close
         '-> restarted shell'
       end
 
+      def close
+        @slave.shutdown(quiet: true) if @slave
+        @slave = @shell = nil
+      end
+
       # Fork a child process in which to run a shell as this user. Return
       # the slave and its remote shell proxy. The agent process must be run
       # as root for the user switch to work.
       def spawn(user)
         log.info("Starting shell as #{user}")
-        @slave.shutdown(quiet: true) if @slave
+        close
         Thread.new do # so em thread won't die on @slave.shutdown
           slave = Slave.new(psname: "vines-session-#{user}") do
             uid = Process.euid
@@ -95,7 +103,7 @@ module Vines
             shell
           end
           File.chmod(0700, slave.socket)
-          @slave, @shell = [slave, slave.object]
+          @slave, @shell = slave, slave.object
         end.join
       end
 
@@ -112,21 +120,49 @@ module Vines
       def run_built_in(command)
         _, command, *args = command.strip.split(/\s+/)
         case command
-          when 'user'  then user_command(args)
-          when 'reset' then reset_command(args)
-          else '-> not a vines command'
+          when 'user'    then user_command(args)
+          when 'reset'   then reset_command(args)
+          when 'version' then version_command(args)
+          when 'help'    then help_command(args)
+          else '-> usage: v user|reset|version|help'
         end
       end
 
+      def help_command(args)
+        [
+          "Usage:",
+          "  v user [name]  Display the current user or switch users.",
+          "  v reset        Stops the shell session and starts a new one.",
+          "  v version      Display the agent's version.",
+          "  v help         Provide help on vines commands."
+        ].join("\n")
+      end
+
+      def version_command(args)
+        return "-> usage: v version" unless args.empty?
+        Vines::Agent::VERSION
+      end
+
       # Run the +v user+ built-in vines command to list or change the current
       # unix account executing shell commands.
       def user_command(args)
-        return "-> current: #{@user}\n   allowed: #{allowed_users.join(', ')}" if args.empty?
         return "-> usage: v user [name]" if args.size > 1
-        return "-> user switch not allowed" unless allowed?(args.first)
-        @user = args.first
-        spawn(@user)
-        "-> switched user to #{@user}"
+
+        if args.empty?
+          current = @user || '<none>'
+          allowed = allowed_users.empty? ? '<none>' : allowed_users.join(', ')
+          return "-> current: #{current}\n   allowed: #{allowed}"
+        end
+
+        user = args.first
+        if allowed?(user)
+          @user = user
+          close
+          "-> switched user to #{@user}"
+        else
+          log.warn("#{@jid} denied access to #{user}")
+          "-> user switch not allowed"
+        end
       end
 
       def reset?(command)
@@ -137,7 +173,7 @@ module Vines
       def reset_command(args)
         return "-> usage: v reset" unless args.empty?
         @commands = EM::Queue.new
-        spawn(@user)
+        close
         process_command_queue
         "-> reset shell"
       end
@@ -145,21 +181,30 @@ module Vines
       # Return true if the current JID is allowed to run commands as the given
       # user name on this system.
       def allowed?(user)
-        jids = @permissions[user] || []
-        valid = jids.include?(@jid) && exists?(user)
-        log.warn("#{@jid} denied access to #{user}") unless valid
-        valid
+        allowed = (@permissions[user] || []).include?(@jid)
+        allowed && exists?(user) && (root? || current?(user))
+      end
+
+      # Return true if the agent process is owned by root. Switching users with
+      # +v user+ is only possible when running as root.
+      def root?
+        Process.uid == 0
+      end
+
+      # Return true if the user name is the current agent process owner.
+      def current?(user)
+        Process.uid == Etc.getpwnam(user).uid
+      rescue
+        false
       end
 
       def exists?(user)
-        Etc::getpwnam(user) rescue false
+        Etc.getpwnam(user) rescue false
       end
 
       # Return the list of unix user accounts this user is allowed to access.
       def allowed_users
-        @permissions.select do |unix, jids|
-          jids.include?(@jid) && exists?(unix)
-        end.keys.sort
+        @permissions.keys.sort.select {|unix| allowed?(unix) }
       end
     end
   end

data/lib/vines/agent/version.rb

@@ -2,6 +2,6 @@
 
 module Vines
   module Agent
-    VERSION = '0.1.1'
+    VERSION = '0.1.2'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: vines-agent
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-10-20 00:00:00.000000000Z
+date: 2011-10-28 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: blather
-  requirement: &70352868783740 !ruby/object:Gem::Requirement
+  requirement: &70257751095360 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,10 +21,10 @@ dependencies:
         version: 0.5.8
   type: :runtime
   prerelease: false
-  version_requirements: *70352868783740
+  version_requirements: *70257751095360
 - !ruby/object:Gem::Dependency
   name: ohai
-  requirement: &70352868782180 !ruby/object:Gem::Requirement
+  requirement: &70257751094400 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -32,10 +32,10 @@ dependencies:
         version: 0.6.8
   type: :runtime
   prerelease: false
-  version_requirements: *70352868782180
+  version_requirements: *70257751094400
 - !ruby/object:Gem::Dependency
   name: session
-  requirement: &70352868780480 !ruby/object:Gem::Requirement
+  requirement: &70257751093700 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -43,10 +43,10 @@ dependencies:
         version: 3.1.0
   type: :runtime
   prerelease: false
-  version_requirements: *70352868780480
+  version_requirements: *70257751093700
 - !ruby/object:Gem::Dependency
   name: slave
-  requirement: &70352868778940 !ruby/object:Gem::Requirement
+  requirement: &70257751092940 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -54,10 +54,10 @@ dependencies:
         version: 1.3.0
   type: :runtime
   prerelease: false
-  version_requirements: *70352868778940
+  version_requirements: *70257751092940
 - !ruby/object:Gem::Dependency
   name: vines
-  requirement: &70352868777680 !ruby/object:Gem::Requirement
+  requirement: &70257751092280 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -65,10 +65,10 @@ dependencies:
         version: '0.3'
   type: :runtime
   prerelease: false
-  version_requirements: *70352868777680
+  version_requirements: *70257751092280
 - !ruby/object:Gem::Dependency
   name: minitest
-  requirement: &70352865325120 !ruby/object:Gem::Requirement
+  requirement: &70257751091680 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -76,10 +76,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70352865325120
+  version_requirements: *70257751091680
 - !ruby/object:Gem::Dependency
   name: rake
-  requirement: &70352865324580 !ruby/object:Gem::Requirement
+  requirement: &70257751091220 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,7 +87,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70352865324580
+  version_requirements: *70257751091220
 description: ! 'Vines Agent executes shell commands sent by users after
 
   authorizing them against an access control list, provided by the Vines Services