Class | MCollective::Security::Psk |
In: |
plugins/mcollective/security/psk.rb
|
Parent: | Base |
Impliments message authentication using digests and shared keys
You should configure a psk in the configuration file and all requests will be validated for authenticity with this.
Serialization uses Marshal, this is the default security module that is supported out of the box.
Validation is as default and is provided by MCollective::Security::Base
You can configure the caller id being created, this can adjust how you create authorization plugins. For example you can use a unix group instead of uid to do authorization.
# File plugins/mcollective/security/psk.rb, line 84 84: def callerid 85: if @config.pluginconf.include?("psk.callertype") 86: callertype = @config.pluginconf["psk.callertype"].to_sym if @config.pluginconf.include?("psk.callertype") 87: else 88: callertype = :uid 89: end 90: 91: case callertype 92: when :gid 93: id = "gid=#{Process.gid}" 94: 95: when :group 96: id = "group=#{Etc.getgrgid(Process.gid).name}" 97: 98: when :user 99: id = "user=#{Etc.getlogin}" 100: 101: when :identity 102: id = "identity=#{@config.identity}" 103: 104: else 105: id ="uid=#{Process.uid}" 106: end 107: 108: @log.debug("Setting callerid to #{id} based on callertype=#{callertype}") 109: 110: id 111: end
Decodes a message by unserializing all the bits etc, it also validates it as valid using the psk etc
# File plugins/mcollective/security/psk.rb, line 21 21: def decodemsg(msg) 22: body = Marshal.load(msg.payload) 23: 24: if validrequest?(body) 25: body[:body] = Marshal.load(body[:body]) 26: return body 27: else 28: nil 29: end 30: end
Encodes a reply
# File plugins/mcollective/security/psk.rb, line 33 33: def encodereply(sender, target, msg, requestid, filter={}) 34: serialized = Marshal.dump(msg) 35: digest = makehash(serialized) 36: 37: @log.debug("Encoded a message with hash #{digest} for request #{requestid}") 38: 39: Marshal.dump({:senderid => @config.identity, 40: :requestid => requestid, 41: :senderagent => sender, 42: :msgtarget => target, 43: :msgtime => Time.now.to_i, 44: :hash => digest, 45: :body => serialized}) 46: end
Encodes a request msg
# File plugins/mcollective/security/psk.rb, line 49 49: def encoderequest(sender, target, msg, requestid, filter={}) 50: serialized = Marshal.dump(msg) 51: digest = makehash(serialized) 52: 53: @log.debug("Encoding a request for '#{target}' with request id #{requestid}") 54: request = {:body => serialized, 55: :hash => digest, 56: :senderid => @config.identity, 57: :requestid => requestid, 58: :msgtarget => target, 59: :filter => filter, 60: :msgtime => Time.now.to_i} 61: 62: # if we're in use by a client add the callerid to the main client hashes 63: request[:callerid] = callerid if @initiated_by == :client 64: 65: Marshal.dump(request) 66: end
Checks the md5 hash in the request body against our psk, the request sent for validation should not have been deserialized already
# File plugins/mcollective/security/psk.rb, line 70 70: def validrequest?(req) 71: digest = makehash(req[:body]) 72: 73: if digest == req[:hash] 74: @stats.validated 75: 76: return true 77: else 78: @stats.unvalidated 79: 80: raise(SecurityValidationFailed, "Received an invalid signature in message") 81: end 82: end