<?xml version="1.0" encoding="iso-8859-1"?>
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<title>Class: MCollective::Security::Aes_security</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta http-equiv="Content-Script-Type" content="text/javascript" />
<link rel="stylesheet" href="../../.././rdoc-style.css" type="text/css" media="screen" />
<script type="text/javascript">
  function popupCode( url ) {
    window.open(url, "Code", "resizable=yes,scrollbars=yes,toolbar=no,status=no,height=150,width=400")
  }
  function toggleCode( id ) {
    if ( document.getElementById )
      elem = document.getElementById( id );
    else if ( document.all )
      elem = eval( "document.all." + id );
    else
      return false;
    elemStyle = elem.style;
    if ( elemStyle.display != "block" ) {
      elemStyle.display = "block"
    } else {
      elemStyle.display = "none"
    }
    return true;
  }
  // Make codeblocks hidden by default
  document.writeln( "<style type=\"text/css\">div.method-source-code { display: none }</style>" )
</script>
<div id="classHeader">
<table class="header-table">
<tr class="top-aligned-row">
<td><strong>Class</strong></td>
<td class="class-name-in-header">MCollective::Security::Aes_security</td>
<tr class="top-aligned-row">
<td><strong>In:</strong></td>
<a href="../../../files/plugins/mcollective/security/aes_security_rb.html">
plugins/mcollective/security/aes_security.rb
<tr class="top-aligned-row">
<td><strong>Parent:</strong></td>
<!-- banner header -->
<div id="bodyContent">
<div id="contextContent">
<div id="description">
Implements a security system that encrypts payloads using AES and secures
the AES encrypted data using RSA public/private key encryption.
The design goals of this plugin are:
<li>Each actor - clients and servers - can have their own set of public and
<li>All actors are uniquely and cryptographically identified
<li>Requests are encrypted using the client's private key and anyone that has
the public key can see the request. Thus an attacker may see the requests
given access to the network or a machine due to the broadcast nature of
<li>Replies are encrypted using the calling client's public key. Thus no one but
the caller can view the contents of replies.
<li>Servers can all have their own RSA keys, or share one, or reuse keys
created by other PKI-using software like Puppet
<li>Requests from servers - like registration data - can be secured even from
external eavesdroppers depending on the level of configuration you are
<li>Given a network where you can ensure third parties are not able to access
the middleware, public key distribution can happen automatically
Configuration Options:
securityprovider = aes_security
# Use YAML as serializer
plugin.aes.serializer = yaml
# Send our public key with every request so servers can learn it
plugin.aes.send_pubkey = 1
# The client's public and private keys
plugin.aes.client_private = /home/user/.mcollective.d/user-private.pem
plugin.aes.client_public = /home/user/.mcollective.d/user.pem
# Where to cache client keys or find manually distributed ones
plugin.aes.client_cert_dir = /etc/mcollective/ssl/clients
# Cache public keys promiscuously from the network
plugin.aes.learn_pubkeys = 1
# The server's public and private keys
plugin.aes.server_private = /etc/mcollective/ssl/server-private.pem
plugin.aes.server_public = /etc/mcollective/ssl/server-public.pem
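The hybrid scheme the design goals above describe, as an added example that is not the plugin's own MCollective::SSL code: a fresh AES-256-CBC key encrypts the payload and RSA wraps that key. The block shows the reply direction (wrap with the caller's public key, so only the caller's private key can unwrap) and checks that a second, unrelated key cannot open the envelope; the plugin's request direction is the same structure with the sender's private key doing the wrapping, which is why anyone holding the public key can read requests. All keys are generated in-process, and the cipher name, the OAEP padding and the function names are this example's choices, not the plugin's.

```ruby
require "openssl"

# Added example, not the plugin's MCollective::SSL class: a minimal AES + RSA
# envelope. The payload is encrypted under a fresh random AES-256-CBC key and
# that key is wrapped with RSA. Which RSA key wraps it decides who can read
# the message: here the recipient's public key does, so only the matching
# private key can unwrap (the reply direction described on this page).
AES_CIPHER = "aes-256-cbc"                          # cipher choice of this example
RSA_PADDING = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING # padding choice of this example

# Returns {:key => wrapped AES key, :data => iv + ciphertext}, the same
# {:key, :data} hash shape the plugin passes around as cryptdata.
def seal_for(recipient_public_key, plaintext)
  cipher = OpenSSL::Cipher.new(AES_CIPHER)
  cipher.encrypt
  aes_key = cipher.random_key   # generates a fresh key and installs it on the cipher
  iv = cipher.random_iv         # fresh IV per message; travels in the clear
  ciphertext = cipher.update(plaintext) + cipher.final
  { :key => recipient_public_key.public_encrypt(aes_key, RSA_PADDING),
    :data => iv + ciphertext }
end

# Unwraps the AES key with our private key and decrypts the payload.
# Raises OpenSSL::PKey::RSAError (a PKeyError subclass) when this key was not
# the intended recipient; decodemsg on this page maps that exception to
# MsgDoesNotMatchRequestID ("possibly directed at another client").
def open_with(private_key, envelope)
  aes_key = private_key.private_decrypt(envelope[:key], RSA_PADDING)
  cipher = OpenSSL::Cipher.new(AES_CIPHER)
  cipher.decrypt
  cipher.key = aes_key
  iv_len = cipher.iv_len
  cipher.iv = envelope[:data][0, iv_len]
  cipher.update(envelope[:data][iv_len..-1]) + cipher.final
end

# Demonstration with keys generated in-process: a reply sealed for client A
# opens with A's key and is refused for client B.
def demo_reply_privacy
  client_a = OpenSSL::PKey::RSA.new(2048)
  client_b = OpenSSL::PKey::RSA.new(2048)
  reply = seal_for(client_a.public_key, "status=ok")
  seen_by_a = open_with(client_a, reply)
  seen_by_b = begin
    open_with(client_b, reply)
  rescue OpenSSL::PKey::RSAError, OpenSSL::PKey::PKeyError
    :not_for_us
  end
  [seen_by_a, seen_by_b]
end

if __FILE__ == $0
  p demo_reply_privacy
end
```

Because the AES key and IV are random per message, sealing the same plaintext twice yields two different envelopes; the only thing an observer without the private key learns is the ciphertext length.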
<div id="method-list">
<h3 class="section-bar">Methods</h3>
<div class="name-list">
<a href="#M000015">callerid</a>
<a href="#M000024">certname_from_callerid</a>
<a href="#M000023">client_cert_dir</a>
<a href="#M000019">client_private_key</a>
<a href="#M000020">client_public_key</a>
<a href="#M000010">decodemsg</a>
<a href="#M000017">decrypt</a>
<a href="#M000014">deserialize</a>
<a href="#M000011">encodereply</a>
<a href="#M000012">encoderequest</a>
<a href="#M000016">encrypt</a>
<a href="#M000018">public_key_path_for_client</a>
<a href="#M000013">serialize</a>
<a href="#M000022">server_private_key</a>
<a href="#M000021">server_public_key</a>
<!-- if method_list -->
<h3 class="section-bar">Public Instance methods</h3>
<div id="method-M000015" class="method-detail">
<a name="M000015"></a>
<div class="method-heading">
<a href="#M000015" class="method-signature">
<span class="method-name">callerid</span><span class="method-args">()</span>
<div class="method-description">
Sets the caller id to the md5 of the public key
<p><a class="source-toggle" href="#"
onclick="toggleCode('M000015-source');return false;">[Source]</a></p>
<div class="method-source-code" id="M000015-source">
<span class="ruby-comment cmt"># File plugins/mcollective/security/aes_security.rb, line 151</span>
151: <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">callerid</span>
152: <span class="ruby-keyword kw">if</span> <span class="ruby-ivar">@initiated_by</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">:client</span>
153: <span class="ruby-keyword kw">return</span> <span class="ruby-node">"cert=#{File.basename(client_public_key).gsub(/\.pem$/, '')}"</span>
154: <span class="ruby-keyword kw">else</span>
155: <span class="ruby-comment cmt"># servers need to set callerid as well, not usually needed but</span>
156: <span class="ruby-comment cmt"># would be if you're doing registration or auditing or generating</span>
157: <span class="ruby-comment cmt"># requests for some or other reason</span>
158: <span class="ruby-keyword kw">return</span> <span class="ruby-node">"cert=#{File.basename(server_public_key).gsub(/\.pem$/, '')}"</span>
159: <span class="ruby-keyword kw">end</span>
160: <span class="ruby-keyword kw">end</span>
<div id="method-M000024" class="method-detail">
<a name="M000024"></a>
<div class="method-heading">
<a href="#M000024" class="method-signature">
<span class="method-name">certname_from_callerid</span><span class="method-args">(id)</span>
<div class="method-description">
Takes our cert=foo callerids and returns the foo part, else nil
<p><a class="source-toggle" href="#"
onclick="toggleCode('M000024-source');return false;">[Source]</a></p>
<div class="method-source-code" id="M000024-source">
<span class="ruby-comment cmt"># File plugins/mcollective/security/aes_security.rb, line 249</span>
249: <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">certname_from_callerid</span>(<span class="ruby-identifier">id</span>)
250: <span class="ruby-keyword kw">if</span> <span class="ruby-identifier">id</span> <span class="ruby-operator">=~</span> <span class="ruby-regexp re">/^cert=(.+)/</span>
251: <span class="ruby-keyword kw">return</span> <span class="ruby-identifier">$1</span>
252: <span class="ruby-keyword kw">else</span>
253: <span class="ruby-keyword kw">return</span> <span class="ruby-keyword kw">nil</span>
254: <span class="ruby-keyword kw">end</span>
255: <span class="ruby-keyword kw">end</span>
<div id="method-M000023" class="method-detail">
<a name="M000023"></a>
<div class="method-heading">
<a href="#M000023" class="method-signature">
<span class="method-name">client_cert_dir</span><span class="method-args">()</span>
<div class="method-description">
Figures out where to get client public certs from the plugin.aes.<a
href="Aes_security.html#M000023">client_cert_dir</a> config option
<p><a class="source-toggle" href="#"
onclick="toggleCode('M000023-source');return false;">[Source]</a></p>
<div class="method-source-code" id="M000023-source">
<span class="ruby-comment cmt"># File plugins/mcollective/security/aes_security.rb, line 243</span>
243: <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">client_cert_dir</span>
244: <span class="ruby-identifier">raise</span>(<span class="ruby-value str">"No plugin.aes.client_cert_dir configuration option specified"</span>) <span class="ruby-keyword kw">unless</span> <span class="ruby-ivar">@config</span>.<span class="ruby-identifier">pluginconf</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-value str">"aes.client_cert_dir"</span>)
245: <span class="ruby-ivar">@config</span>.<span class="ruby-identifier">pluginconf</span>[<span class="ruby-value str">"aes.client_cert_dir"</span>]
246: <span class="ruby-keyword kw">end</span>
<div id="method-M000019" class="method-detail">
<a name="M000019"></a>
<div class="method-heading">
<a href="#M000019" class="method-signature">
<span class="method-name">client_private_key</span><span class="method-args">()</span>
<div class="method-description">
Figures out the client private key either from the MCOLLECTIVE_AES_PRIVATE environment variable or
the plugin.aes.client_private config option
<p><a class="source-toggle" href="#"
onclick="toggleCode('M000019-source');return false;">[Source]</a></p>
<div class="method-source-code" id="M000019-source">
<span class="ruby-comment cmt"># File plugins/mcollective/security/aes_security.rb, line 212</span>
212: <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">client_private_key</span>
213: <span class="ruby-keyword kw">return</span> <span class="ruby-constant">ENV</span>[<span class="ruby-value str">"MCOLLECTIVE_AES_PRIVATE"</span>] <span class="ruby-keyword kw">if</span> <span class="ruby-constant">ENV</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-value str">"MCOLLECTIVE_AES_PRIVATE"</span>)
215: <span class="ruby-identifier">raise</span>(<span class="ruby-value str">"No plugin.aes.client_private configuration option specified"</span>) <span class="ruby-keyword kw">unless</span> <span class="ruby-ivar">@config</span>.<span class="ruby-identifier">pluginconf</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-value str">"aes.client_private"</span>)
217: <span class="ruby-keyword kw">return</span> <span class="ruby-ivar">@config</span>.<span class="ruby-identifier">pluginconf</span>[<span class="ruby-value str">"aes.client_private"</span>]
218: <span class="ruby-keyword kw">end</span>
<div id="method-M000020" class="method-detail">
<a name="M000020"></a>
<div class="method-heading">
<a href="#M000020" class="method-signature">
<span class="method-name">client_public_key</span><span class="method-args">()</span>
<div class="method-description">
Figures out the client public key either from the MCOLLECTIVE_AES_PUBLIC environment variable or the
plugin.aes.client_public config option
<p><a class="source-toggle" href="#"
onclick="toggleCode('M000020-source');return false;">[Source]</a></p>
<div class="method-source-code" id="M000020-source">
<span class="ruby-comment cmt"># File plugins/mcollective/security/aes_security.rb, line 222</span>
222: <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">client_public_key</span>
223: <span class="ruby-keyword kw">return</span> <span class="ruby-constant">ENV</span>[<span class="ruby-value str">"MCOLLECTIVE_AES_PUBLIC"</span>] <span class="ruby-keyword kw">if</span> <span class="ruby-constant">ENV</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-value str">"MCOLLECTIVE_AES_PUBLIC"</span>)
225: <span class="ruby-identifier">raise</span>(<span class="ruby-value str">"No plugin.aes.client_public configuration option specified"</span>) <span class="ruby-keyword kw">unless</span> <span class="ruby-ivar">@config</span>.<span class="ruby-identifier">pluginconf</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-value str">"aes.client_public"</span>)
227: <span class="ruby-keyword kw">return</span> <span class="ruby-ivar">@config</span>.<span class="ruby-identifier">pluginconf</span>[<span class="ruby-value str">"aes.client_public"</span>]
228: <span class="ruby-keyword kw">end</span>
<div id="method-M000010" class="method-detail">
<a name="M000010"></a>
<div class="method-heading">
<a href="#M000010" class="method-signature">
<span class="method-name">decodemsg</span><span class="method-args">(msg)</span>
<div class="method-description">
<p><a class="source-toggle" href="#"
onclick="toggleCode('M000010-source');return false;">[Source]</a></p>
<div class="method-source-code" id="M000010-source">
<span class="ruby-comment cmt"># File plugins/mcollective/security/aes_security.rb, line 56</span>
56: <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">decodemsg</span>(<span class="ruby-identifier">msg</span>)
57: <span class="ruby-identifier">body</span> = <span class="ruby-identifier">deserialize</span>(<span class="ruby-identifier">msg</span>.<span class="ruby-identifier">payload</span>)
59: <span class="ruby-comment cmt"># if we get a message that has a pubkey attached and we're set to learn</span>
60: <span class="ruby-comment cmt"># then add it to the client_cert_dir this should only happen on servers</span>
61: <span class="ruby-comment cmt"># since clients will get replies using their own pubkeys</span>
62: <span class="ruby-keyword kw">if</span> <span class="ruby-ivar">@config</span>.<span class="ruby-identifier">pluginconf</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-value str">"aes.learn_pubkeys"</span>) <span class="ruby-operator">&&</span> <span class="ruby-ivar">@config</span>.<span class="ruby-identifier">pluginconf</span>[<span class="ruby-value str">"aes.learn_pubkeys"</span>] <span class="ruby-operator">==</span> <span class="ruby-value str">"1"</span>
63: <span class="ruby-keyword kw">if</span> <span class="ruby-identifier">body</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-identifier">:sslpubkey</span>)
64: <span class="ruby-keyword kw">if</span> <span class="ruby-identifier">client_cert_dir</span>
65: <span class="ruby-identifier">certname</span> = <span class="ruby-identifier">certname_from_callerid</span>(<span class="ruby-identifier">body</span>[<span class="ruby-identifier">:callerid</span>])
66: <span class="ruby-keyword kw">if</span> <span class="ruby-identifier">certname</span>
67: <span class="ruby-identifier">certfile</span> = <span class="ruby-node">"#{client_cert_dir}/#{certname}.pem"</span>
68: <span class="ruby-keyword kw">unless</span> <span class="ruby-constant">File</span>.<span class="ruby-identifier">exist?</span>(<span class="ruby-identifier">certfile</span>)
69: <span class="ruby-constant">Log</span>.<span class="ruby-identifier">debug</span>(<span class="ruby-node">"Caching client cert in #{certfile}"</span>)
70: <span class="ruby-constant">File</span>.<span class="ruby-identifier">open</span>(<span class="ruby-identifier">certfile</span>, <span class="ruby-value str">"w"</span>) {<span class="ruby-operator">|</span><span class="ruby-identifier">f</span><span class="ruby-operator">|</span> <span class="ruby-identifier">f</span>.<span class="ruby-identifier">print</span> <span class="ruby-identifier">body</span>[<span class="ruby-identifier">:sslpubkey</span>]}
71: <span class="ruby-keyword kw">end</span>
72: <span class="ruby-keyword kw">end</span>
73: <span class="ruby-keyword kw">end</span>
74: <span class="ruby-keyword kw">end</span>
75: <span class="ruby-keyword kw">end</span>
77: <span class="ruby-identifier">cryptdata</span> = {<span class="ruby-identifier">:key</span> =<span class="ruby-operator">></span> <span class="ruby-identifier">body</span>[<span class="ruby-identifier">:sslkey</span>], <span class="ruby-identifier">:data</span> =<span class="ruby-operator">></span> <span class="ruby-identifier">body</span>[<span class="ruby-identifier">:body</span>]}
79: <span class="ruby-keyword kw">if</span> <span class="ruby-ivar">@initiated_by</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">:client</span>
80: <span class="ruby-identifier">body</span>[<span class="ruby-identifier">:body</span>] = <span class="ruby-identifier">deserialize</span>(<span class="ruby-identifier">decrypt</span>(<span class="ruby-identifier">cryptdata</span>, <span class="ruby-keyword kw">nil</span>))
81: <span class="ruby-keyword kw">else</span>
82: <span class="ruby-identifier">body</span>[<span class="ruby-identifier">:body</span>] = <span class="ruby-identifier">deserialize</span>(<span class="ruby-identifier">decrypt</span>(<span class="ruby-identifier">cryptdata</span>, <span class="ruby-identifier">body</span>[<span class="ruby-identifier">:callerid</span>]))
83: <span class="ruby-keyword kw">end</span>
85: <span class="ruby-keyword kw">return</span> <span class="ruby-identifier">body</span>
86: <span class="ruby-keyword kw">rescue</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSAError</span>
87: <span class="ruby-identifier">raise</span> <span class="ruby-constant">MsgDoesNotMatchRequestID</span>, <span class="ruby-value str">"Could not decrypt message using our key, possibly directed at another client"</span>
89: <span class="ruby-keyword kw">rescue</span> <span class="ruby-constant">Exception</span> =<span class="ruby-operator">></span> <span class="ruby-identifier">e</span>
90: <span class="ruby-constant">Log</span>.<span class="ruby-identifier">warn</span>(<span class="ruby-node">"Could not decrypt message from client: #{e.class}: #{e}"</span>)
91: <span class="ruby-identifier">raise</span> <span class="ruby-constant">SecurityValidationFailed</span>, <span class="ruby-value str">"Could not decrypt message"</span>
92: <span class="ruby-keyword kw">end</span>
<div id="method-M000017" class="method-detail">
<a name="M000017"></a>
<div class="method-heading">
<a href="#M000017" class="method-signature">
<span class="method-name">decrypt</span><span class="method-args">(string, certid)</span>
<div class="method-description">
<p><a class="source-toggle" href="#"
onclick="toggleCode('M000017-source');return false;">[Source]</a></p>
<div class="method-source-code" id="M000017-source">
<span class="ruby-comment cmt"># File plugins/mcollective/security/aes_security.rb, line 185</span>
185: <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">decrypt</span>(<span class="ruby-identifier">string</span>, <span class="ruby-identifier">certid</span>)
186: <span class="ruby-keyword kw">if</span> <span class="ruby-ivar">@initiated_by</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">:client</span>
187: <span class="ruby-ivar">@ssl</span> <span class="ruby-operator">||=</span> <span class="ruby-constant">SSL</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">client_public_key</span>, <span class="ruby-identifier">client_private_key</span>)
189: <span class="ruby-constant">Log</span>.<span class="ruby-identifier">debug</span>(<span class="ruby-value str">"Decrypting message using private key"</span>)
190: <span class="ruby-keyword kw">return</span> <span class="ruby-ivar">@ssl</span>.<span class="ruby-identifier">decrypt_with_private</span>(<span class="ruby-identifier">string</span>)
191: <span class="ruby-keyword kw">else</span>
192: <span class="ruby-constant">Log</span>.<span class="ruby-identifier">debug</span>(<span class="ruby-node">"Decrypting message using public key for #{certid}"</span>)
194: <span class="ruby-identifier">ssl</span> = <span class="ruby-constant">SSL</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">public_key_path_for_client</span>(<span class="ruby-identifier">certid</span>))
195: <span class="ruby-keyword kw">return</span> <span class="ruby-identifier">ssl</span>.<span class="ruby-identifier">decrypt_with_public</span>(<span class="ruby-identifier">string</span>)
196: <span class="ruby-keyword kw">end</span>
197: <span class="ruby-keyword kw">end</span>
<div id="method-M000014" class="method-detail">
<a name="M000014"></a>
<div class="method-heading">
<a href="#M000014" class="method-signature">
<span class="method-name">deserialize</span><span class="method-args">(msg)</span>
<div class="method-description">
Deserializes a message using the configured encoder
<p><a class="source-toggle" href="#"
onclick="toggleCode('M000014-source');return false;">[Source]</a></p>
<div class="method-source-code" id="M000014-source">
<span class="ruby-comment cmt"># File plugins/mcollective/security/aes_security.rb, line 137</span>
137: <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">deserialize</span>(<span class="ruby-identifier">msg</span>)
138: <span class="ruby-identifier">serializer</span> = <span class="ruby-ivar">@config</span>.<span class="ruby-identifier">pluginconf</span>[<span class="ruby-value str">"aes.serializer"</span>] <span class="ruby-operator">||</span> <span class="ruby-value str">"marshal"</span>
140: <span class="ruby-constant">Log</span>.<span class="ruby-identifier">debug</span>(<span class="ruby-node">"De-Serializing using #{serializer}"</span>)
142: <span class="ruby-keyword kw">case</span> <span class="ruby-identifier">serializer</span>
143: <span class="ruby-keyword kw">when</span> <span class="ruby-value str">"yaml"</span>
144: <span class="ruby-keyword kw">return</span> <span class="ruby-constant">YAML</span>.<span class="ruby-identifier">load</span>(<span class="ruby-identifier">msg</span>)
145: <span class="ruby-keyword kw">else</span>
146: <span class="ruby-keyword kw">return</span> <span class="ruby-constant">Marshal</span>.<span class="ruby-identifier">load</span>(<span class="ruby-identifier">msg</span>)
147: <span class="ruby-keyword kw">end</span>
148: <span class="ruby-keyword kw">end</span>
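An added example, not the plugin's deserialize: the same serializer switch, with the YAML branch using Psych's restricted loader. The reason it matters here is visible in decodemsg above: the whole payload is deserialized (line 57) before anything is decrypted (line 80), so the parser runs on data that has not yet been authenticated, and YAML.load in the Psych releases of that era, like Marshal.load in any Ruby version, instantiates whatever class the input names. The sample envelopes are constructed in the hash shape the plugin uses with placeholder values; PERMITTED_YAML_CLASSES and the function names are this example's assumptions.

```ruby
require "yaml"

# Added example, not the plugin's deserialize: same serializer switch, but the
# YAML branch uses Psych's restricted loader. Only plain data types plus Symbol
# (the plugin's hash keys are symbols) may be built; any other class named by
# a tag in the document is refused before it is instantiated.
PERMITTED_YAML_CLASSES = [Symbol].freeze   # allow list chosen for this example

def restricted_deserialize(msg, serializer = "marshal")
  case serializer
  when "yaml"
    YAML.safe_load(msg, permitted_classes: PERMITTED_YAML_CLASSES, aliases: false)
  else
    # Marshal has no restricted mode: Marshal.load builds whatever class the
    # byte stream names. Reserve this branch for payloads that have already
    # been authenticated, which the outer envelope on this page has not been.
    Marshal.load(msg)
  end
end

# Classifies a YAML envelope: :ok when it parses to plain data, :rejected when
# it names a class outside the allow list or relies on aliases.
def classify_yaml_envelope(yaml_text)
  restricted_deserialize(yaml_text, "yaml")
  :ok
rescue Psych::DisallowedClass, Psych::BadAlias
  :rejected
end

# Constructed sample envelopes in the hash shape decodemsg expects; the
# values are placeholders, not real wrapped keys or ciphertext.
PLAIN_ENVELOPE = {
  :callerid => "cert=alice",
  :sslkey => "WRAPPED-KEY-PLACEHOLDER",
  :body => "CIPHERTEXT-PLACEHOLDER",
}.to_yaml
# Same envelope, except one value carries a Ruby object tag.
TAGGED_ENVELOPE = PLAIN_ENVELOPE.sub("CIPHERTEXT-PLACEHOLDER", "!ruby/object:Object {}")

if __FILE__ == $0
  p restricted_deserialize(PLAIN_ENVELOPE, "yaml")
  p classify_yaml_envelope(PLAIN_ENVELOPE), classify_yaml_envelope(TAGGED_ENVELOPE)
end
```

With the allow list in place the plain envelope round-trips to the same hash of symbol keys, while the tagged one is rejected by Psych before any object is created; the marshal branch is left as on the page because there is no equivalent restriction for it.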
<div id="method-M000011" class="method-detail">
<a name="M000011"></a>
<div class="method-heading">
<a href="#M000011" class="method-signature">
<span class="method-name">encodereply</span><span class="method-args">(sender, target, msg, requestid, requestcallerid)</span>
<div class="method-description">
<p><a class="source-toggle" href="#"
onclick="toggleCode('M000011-source');return false;">[Source]</a></p>
<div class="method-source-code" id="M000011-source">
<span class="ruby-comment cmt"># File plugins/mcollective/security/aes_security.rb, line 95</span>
95: <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">encodereply</span>(<span class="ruby-identifier">sender</span>, <span class="ruby-identifier">target</span>, <span class="ruby-identifier">msg</span>, <span class="ruby-identifier">requestid</span>, <span class="ruby-identifier">requestcallerid</span>)
96: <span class="ruby-identifier">crypted</span> = <span class="ruby-identifier">encrypt</span>(<span class="ruby-identifier">serialize</span>(<span class="ruby-identifier">msg</span>), <span class="ruby-identifier">requestcallerid</span>)
98: <span class="ruby-identifier">req</span> = <span class="ruby-identifier">create_reply</span>(<span class="ruby-identifier">requestid</span>, <span class="ruby-identifier">sender</span>, <span class="ruby-identifier">target</span>, <span class="ruby-identifier">crypted</span>[<span class="ruby-identifier">:data</span>])
99: <span class="ruby-identifier">req</span>[<span class="ruby-identifier">:sslkey</span>] = <span class="ruby-identifier">crypted</span>[<span class="ruby-identifier">:key</span>]
101: <span class="ruby-identifier">serialize</span>(<span class="ruby-identifier">req</span>)
102: <span class="ruby-keyword kw">end</span>
<div id="method-M000012" class="method-detail">
<a name="M000012"></a>
<div class="method-heading">
<a href="#M000012" class="method-signature">
<span class="method-name">encoderequest</span><span class="method-args">(sender, target, msg, requestid, filter={}, target_agent=nil, target_collective=nil)</span>
<div class="method-description">
Encodes a request message
<p><a class="source-toggle" href="#"
onclick="toggleCode('M000012-source');return false;">[Source]</a></p>
<div class="method-source-code" id="M000012-source">
<span class="ruby-comment cmt"># File plugins/mcollective/security/aes_security.rb, line 105</span>
105: <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">encoderequest</span>(<span class="ruby-identifier">sender</span>, <span class="ruby-identifier">target</span>, <span class="ruby-identifier">msg</span>, <span class="ruby-identifier">requestid</span>, <span class="ruby-identifier">filter</span>={}, <span class="ruby-identifier">target_agent</span>=<span class="ruby-keyword kw">nil</span>, <span class="ruby-identifier">target_collective</span>=<span class="ruby-keyword kw">nil</span>)
106: <span class="ruby-identifier">crypted</span> = <span class="ruby-identifier">encrypt</span>(<span class="ruby-identifier">serialize</span>(<span class="ruby-identifier">msg</span>), <span class="ruby-identifier">callerid</span>)
108: <span class="ruby-identifier">req</span> = <span class="ruby-identifier">create_request</span>(<span class="ruby-identifier">requestid</span>, <span class="ruby-identifier">target</span>, <span class="ruby-identifier">filter</span>, <span class="ruby-identifier">crypted</span>[<span class="ruby-identifier">:data</span>], <span class="ruby-ivar">@initiated_by</span>, <span class="ruby-identifier">target_agent</span>, <span class="ruby-identifier">target_collective</span>)
109: <span class="ruby-identifier">req</span>[<span class="ruby-identifier">:sslkey</span>] = <span class="ruby-identifier">crypted</span>[<span class="ruby-identifier">:key</span>]
111: <span class="ruby-keyword kw">if</span> <span class="ruby-ivar">@config</span>.<span class="ruby-identifier">pluginconf</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-value str">"aes.send_pubkey"</span>) <span class="ruby-operator">&&</span> <span class="ruby-ivar">@config</span>.<span class="ruby-identifier">pluginconf</span>[<span class="ruby-value str">"aes.send_pubkey"</span>] <span class="ruby-operator">==</span> <span class="ruby-value str">"1"</span>
112: <span class="ruby-keyword kw">if</span> <span class="ruby-ivar">@initiated_by</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">:client</span>
113: <span class="ruby-identifier">req</span>[<span class="ruby-identifier">:sslpubkey</span>] = <span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span>(<span class="ruby-identifier">client_public_key</span>)
114: <span class="ruby-keyword kw">else</span>
115: <span class="ruby-identifier">req</span>[<span class="ruby-identifier">:sslpubkey</span>] = <span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span>(<span class="ruby-identifier">server_public_key</span>)
116: <span class="ruby-keyword kw">end</span>
117: <span class="ruby-keyword kw">end</span>
119: <span class="ruby-identifier">serialize</span>(<span class="ruby-identifier">req</span>)
120: <span class="ruby-keyword kw">end</span>
<div id="method-M000016" class="method-detail">
<a name="M000016"></a>
<div class="method-heading">
<a href="#M000016" class="method-signature">
<span class="method-name">encrypt</span><span class="method-args">(string, certid)</span>
<div class="method-description">
<p><a class="source-toggle" href="#"
onclick="toggleCode('M000016-source');return false;">[Source]</a></p>
<div class="method-source-code" id="M000016-source">
<span class="ruby-comment cmt"># File plugins/mcollective/security/aes_security.rb, line 162</span>
162: <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">encrypt</span>(<span class="ruby-identifier">string</span>, <span class="ruby-identifier">certid</span>)
163: <span class="ruby-keyword kw">if</span> <span class="ruby-ivar">@initiated_by</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">:client</span>
164: <span class="ruby-ivar">@ssl</span> <span class="ruby-operator">||=</span> <span class="ruby-constant">SSL</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">client_public_key</span>, <span class="ruby-identifier">client_private_key</span>)
166: <span class="ruby-constant">Log</span>.<span class="ruby-identifier">debug</span>(<span class="ruby-value str">"Encrypting message using private key"</span>)
167: <span class="ruby-keyword kw">return</span> <span class="ruby-ivar">@ssl</span>.<span class="ruby-identifier">encrypt_with_private</span>(<span class="ruby-identifier">string</span>)
168: <span class="ruby-keyword kw">else</span>
169: <span class="ruby-comment cmt"># when the server is initiating requests like for registration</span>
170: <span class="ruby-comment cmt"># then the certid will be our callerid</span>
171: <span class="ruby-keyword kw">if</span> <span class="ruby-identifier">certid</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">callerid</span>
172: <span class="ruby-constant">Log</span>.<span class="ruby-identifier">debug</span>(<span class="ruby-node">"Encrypting message using private key #{server_private_key}"</span>)
174: <span class="ruby-identifier">ssl</span> = <span class="ruby-constant">SSL</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">server_public_key</span>, <span class="ruby-identifier">server_private_key</span>)
175: <span class="ruby-keyword kw">return</span> <span class="ruby-identifier">ssl</span>.<span class="ruby-identifier">encrypt_with_private</span>(<span class="ruby-identifier">string</span>)
176: <span class="ruby-keyword kw">else</span>
177: <span class="ruby-constant">Log</span>.<span class="ruby-identifier">debug</span>(<span class="ruby-node">"Encrypting message using public key for #{certid}"</span>)
179: <span class="ruby-identifier">ssl</span> = <span class="ruby-constant">SSL</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">public_key_path_for_client</span>(<span class="ruby-identifier">certid</span>))
180: <span class="ruby-keyword kw">return</span> <span class="ruby-identifier">ssl</span>.<span class="ruby-identifier">encrypt_with_public</span>(<span class="ruby-identifier">string</span>)
181: <span class="ruby-keyword kw">end</span>
182: <span class="ruby-keyword kw">end</span>
183: <span class="ruby-keyword kw">end</span>
<div id="method-M000018" class="method-detail">
<a name="M000018"></a>
<div class="method-heading">
<a href="#M000018" class="method-signature">
<span class="method-name">public_key_path_for_client</span><span class="method-args">(clientid)</span>
<div class="method-description">
On servers this will look in the aes.client_cert_dir for public keys
matching the clientid; the clientid is expected to be in the format set by <a
href="Aes_security.html#M000015">callerid</a>
<p><a class="source-toggle" href="#"
onclick="toggleCode('M000018-source');return false;">[Source]</a></p>
<div class="method-source-code" id="M000018-source">
<span class="ruby-comment cmt"># File plugins/mcollective/security/aes_security.rb, line 202</span>
618
202: <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">public_key_path_for_client</span>(<span class="ruby-identifier">clientid</span>)
619
203: <span class="ruby-identifier">raise</span> <span class="ruby-node">"Unknown callerid format in '#{clientid}'"</span> <span class="ruby-keyword kw">unless</span> <span class="ruby-identifier">clientid</span>.<span class="ruby-identifier">match</span>(<span class="ruby-regexp re">/^cert=(.+)$/</span>)
621
205: <span class="ruby-identifier">clientid</span> = <span class="ruby-identifier">$1</span>
623
207: <span class="ruby-identifier">client_cert_dir</span> <span class="ruby-operator">+</span> <span class="ruby-node">"/#{clientid}.pem"</span>
624
208: <span class="ruby-keyword kw">end</span>
630
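The lookup above turns an identifier taken from the message into a file name under the client cert directory. Two Ruby details matter when that identifier comes from the network: `^` and `$` match at line boundaries rather than string boundaries, and `.+` accepts separators and leading dots. The following added example is a stricter variant of the same lookup (not the plugin's code; the module name, the allowed character set, the length cap and the containment check are assumptions for this example): it anchors the whole string with `\A`/`\z`, restricts the identifier to host-name-like characters, and refuses any result that resolves outside the directory.

```ruby
require 'pathname'

# Added example, not MCollective code: a defensive version of the
# callerid -> client public key path lookup.
module ClientKeyPath
  # Whole-string anchors; first character alphanumeric so "." and ".." cannot
  # match; no path separators; length capped at 128 characters.
  CALLERID_RE = /\Acert=([A-Za-z0-9][A-Za-z0-9._-]{0,127})\z/

  # Returns the absolute path of the client's public key, or raises
  # ArgumentError when the callerid is malformed or would leave the directory.
  def self.for_client(clientid, client_cert_dir)
    m = CALLERID_RE.match(clientid.to_s)
    raise ArgumentError, "Unknown callerid format in '#{clientid}'" unless m

    dir  = Pathname.new(client_cert_dir).expand_path
    path = (dir + "#{m[1]}.pem").expand_path
    # Belt and braces: the regex already excludes separators and leading dots,
    # but assert that the resolved path is still inside the directory.
    unless path.to_s.start_with?(dir.to_s + File::SEPARATOR)
      raise ArgumentError, "callerid '#{clientid}' resolves outside #{dir}"
    end
    path.to_s
  end
end

if $PROGRAM_NAME == __FILE__
  puts ClientKeyPath.for_client('cert=web-01.example.com', '/etc/mcollective/clients')
end
```

Note that `expand_path` normalises the string but does not follow symlinks; if the cert directory may contain links, resolve the final path with `Pathname#realpath` once the file is known to exist and repeat the containment check on the result.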
<div id="method-M000013" class="method-detail">
<a name="M000013"></a>
<div class="method-heading">
<a href="#M000013" class="method-signature">
<span class="method-name">serialize</span><span class="method-args">(msg)</span>
<div class="method-description">
Serializes a message using the configured encoder
<p><a class="source-toggle" href="#"
onclick="toggleCode('M000013-source');return false;">[Source]</a></p>
<div class="method-source-code" id="M000013-source">
<span class="ruby-comment cmt"># File plugins/mcollective/security/aes_security.rb, line 123</span>
123: <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">serialize</span>(<span class="ruby-identifier">msg</span>)
124: <span class="ruby-identifier">serializer</span> = <span class="ruby-ivar">@config</span>.<span class="ruby-identifier">pluginconf</span>[<span class="ruby-value str">"aes.serializer"</span>] <span class="ruby-operator">||</span> <span class="ruby-value str">"marshal"</span>
126: <span class="ruby-constant">Log</span>.<span class="ruby-identifier">debug</span>(<span class="ruby-node">"Serializing using #{serializer}"</span>)
128: <span class="ruby-keyword kw">case</span> <span class="ruby-identifier">serializer</span>
129: <span class="ruby-keyword kw">when</span> <span class="ruby-value str">"yaml"</span>
130: <span class="ruby-keyword kw">return</span> <span class="ruby-constant">YAML</span>.<span class="ruby-identifier">dump</span>(<span class="ruby-identifier">msg</span>)
131: <span class="ruby-keyword kw">else</span>
132: <span class="ruby-keyword kw">return</span> <span class="ruby-constant">Marshal</span>.<span class="ruby-identifier">dump</span>(<span class="ruby-identifier">msg</span>)
133: <span class="ruby-keyword kw">end</span>
134: <span class="ruby-keyword kw">end</span>
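The serializer is selected from `aes.serializer` and falls back to Marshal. Whatever encoder is chosen has to be undone on the receiving side, and that is where the security-relevant choice sits: YAML has a `safe_load` that only builds the classes you permit, while Marshal has no restricted loader at all. The following added example (not the plugin's code; the module name, the default of rejecting unknown serializer names and the permitted-class list are assumptions for this example) shows the same selection logic paired with a deserializer that treats its input as untrusted.

```ruby
require 'yaml'

# Added example, not MCollective code: encoder selection plus a matching
# decoder that restricts what a YAML document may instantiate.
module MessageCodec
  # Classes a message may contain beyond the YAML basics (String, Integer,
  # Float, Hash, Array, true/false/nil). Anything else is rejected on load.
  PERMITTED = [Symbol, Time].freeze

  def self.serialize(msg, serializer = 'marshal')
    case serializer
    when 'yaml'    then YAML.dump(msg)
    when 'marshal' then Marshal.dump(msg)
    else raise ArgumentError, "unknown serializer #{serializer.inspect}"
    end
  end

  # YAML.safe_load raises Psych::DisallowedClass on object tags such as
  # !ruby/object and, with aliases: false, on alias-based expansion.
  # Marshal.load reconstructs arbitrary objects, so it is only acceptable
  # for bytes that have already passed the security layer's authentication.
  def self.deserialize(blob, serializer = 'marshal')
    case serializer
    when 'yaml'    then YAML.safe_load(blob, permitted_classes: PERMITTED, aliases: false)
    when 'marshal' then Marshal.load(blob)
    else raise ArgumentError, "unknown serializer #{serializer.inspect}"
    end
  end
end

if $PROGRAM_NAME == __FILE__
  msg = { :agent => 'rpcutil', :ttl => 60, :body => 'ping' }   # constructed sample message
  puts MessageCodec.serialize(msg, 'yaml')
  p MessageCodec.deserialize(MessageCodec.serialize(msg, 'yaml'), 'yaml')
end
```

Symbol is in the permitted list because MCollective messages are symbol-keyed hashes; each class you add widens what a peer can make the receiver construct, so keep the list to exactly what the message format needs.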
<div id="method-M000022" class="method-detail">
<a name="M000022"></a>
<div class="method-heading">
<a href="#M000022" class="method-signature">
<span class="method-name">server_private_key</span><span class="method-args">()</span>
<div class="method-description">
Figures out the server private key from the plugin.aes.server_private config
<p><a class="source-toggle" href="#"
onclick="toggleCode('M000022-source');return false;">[Source]</a></p>
<div class="method-source-code" id="M000022-source">
<span class="ruby-comment cmt"># File plugins/mcollective/security/aes_security.rb, line 237</span>
237: <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">server_private_key</span>
238: <span class="ruby-identifier">raise</span>(<span class="ruby-value str">"No plugin.aes.server_private configuration option specified"</span>) <span class="ruby-keyword kw">unless</span> <span class="ruby-ivar">@config</span>.<span class="ruby-identifier">pluginconf</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-value str">"aes.server_private"</span>)
239: <span class="ruby-ivar">@config</span>.<span class="ruby-identifier">pluginconf</span>[<span class="ruby-value str">"aes.server_private"</span>]
240: <span class="ruby-keyword kw">end</span>
<div id="method-M000021" class="method-detail">
<a name="M000021"></a>
<div class="method-heading">
<a href="#M000021" class="method-signature">
<span class="method-name">server_public_key</span><span class="method-args">()</span>
<div class="method-description">
Figures out the server public key from the plugin.aes.server_public config
<p><a class="source-toggle" href="#"
onclick="toggleCode('M000021-source');return false;">[Source]</a></p>
<div class="method-source-code" id="M000021-source">
<span class="ruby-comment cmt"># File plugins/mcollective/security/aes_security.rb, line 231</span>
231: <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">server_public_key</span>
232: <span class="ruby-identifier">raise</span>(<span class="ruby-value str">"No aes.server_public configuration option specified"</span>) <span class="ruby-keyword kw">unless</span> <span class="ruby-ivar">@config</span>.<span class="ruby-identifier">pluginconf</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-value str">"aes.server_public"</span>)
233: <span class="ruby-keyword kw">return</span> <span class="ruby-ivar">@config</span>.<span class="ruby-identifier">pluginconf</span>[<span class="ruby-value str">"aes.server_public"</span>]
234: <span class="ruby-keyword kw">end</span>
<div id="validator-badges">
<p><small><a href="http://validator.w3.org/check/referer">[Validate]</a></small></p>