Class MCollective::Security::Psk
In: plugins/mcollective/security/psk.rb
Parent: Base

Impliments message authentication using digests and shared keys

You should configure a psk in the configuration file and all requests will be validated for authenticity with this.

Serialization uses Marshal, this is the default security module that is supported out of the box.

Validation is as default and is provided by MCollective::Security::Base

You can configure the caller id being created, this can adjust how you create authorization plugins. For example you can use a unix group instead of uid to do authorization.

Methods

Public Instance methods

[Source]

     # File plugins/mcollective/security/psk.rb, line 84
 84:             def callerid
 85:                 if @config.pluginconf.include?("psk.callertype")
 86:                     callertype = @config.pluginconf["psk.callertype"].to_sym if @config.pluginconf.include?("psk.callertype")
 87:                 else
 88:                     callertype = :uid
 89:                 end
 90: 
 91:                 case callertype
 92:                     when :gid
 93:                         id  = "gid=#{Process.gid}"
 94: 
 95:                     when :group
 96:                         id = "group=#{Etc.getgrgid(Process.gid).name}"
 97: 
 98:                     when :user
 99:                         id = "user=#{Etc.getlogin}"
100: 
101:                     when :identity
102:                         id = "identity=#{@config.identity}"
103: 
104:                     else
105:                         id ="uid=#{Process.uid}"
106:                 end
107: 
108:                 @log.debug("Setting callerid to #{id} based on callertype=#{callertype}")
109: 
110:                 id
111:             end

Decodes a message by unserializing all the bits etc, it also validates it as valid using the psk etc

[Source]

    # File plugins/mcollective/security/psk.rb, line 21
21:             def decodemsg(msg)
22:                 body = Marshal.load(msg.payload)
23: 
24:                 if validrequest?(body)
25:                     body[:body] = Marshal.load(body[:body])
26:                     return body
27:                 else
28:                     nil
29:                 end
30:             end

Encodes a reply

[Source]

    # File plugins/mcollective/security/psk.rb, line 33
33:             def encodereply(sender, target, msg, requestid, filter={})
34:                 serialized  = Marshal.dump(msg)
35:                 digest = makehash(serialized)
36: 
37:                 @log.debug("Encoded a message with hash #{digest} for request #{requestid}")
38: 
39:                 Marshal.dump({:senderid => @config.identity,
40:                               :requestid => requestid,
41:                               :senderagent => sender,
42:                               :msgtarget => target,
43:                               :msgtime => Time.now.to_i,
44:                               :hash => digest,
45:                               :body => serialized})
46:             end

Encodes a request msg

[Source]

    # File plugins/mcollective/security/psk.rb, line 49
49:             def encoderequest(sender, target, msg, requestid, filter={})
50:                 serialized = Marshal.dump(msg)
51:                 digest = makehash(serialized)
52: 
53:                 @log.debug("Encoding a request for '#{target}' with request id #{requestid}")
54:                 request = {:body => serialized,
55:                            :hash => digest,
56:                            :senderid => @config.identity,
57:                            :requestid => requestid,
58:                            :msgtarget => target,
59:                            :filter => filter,
60:                            :msgtime => Time.now.to_i}
61: 
62:                 # if we're in use by a client add the callerid to the main client hashes
63:                 request[:callerid] = callerid if @initiated_by == :client
64: 
65:                 Marshal.dump(request)
66:             end

Checks the md5 hash in the request body against our psk, the request sent for validation should not have been deserialized already

[Source]

    # File plugins/mcollective/security/psk.rb, line 70
70:             def validrequest?(req)
71:                 digest = makehash(req[:body])
72: 
73:                 if digest == req[:hash]
74:                     @stats.validated
75: 
76:                     return true
77:                 else
78:                     @stats.unvalidated
79: 
80:                     raise(SecurityValidationFailed, "Received an invalid signature in message")
81:                 end
82:             end

[Validate]