Class: GoogleComputeWindowsPassword

Inherits:

Object

• Object
• GoogleComputeWindowsPassword

Defined in:

lib/gcewinpass/version.rb,
lib/gcewinpass.rb

Overview

Author

Chef Partner Engineering (<partnereng@chef.io>)

Copyright

Copyright © 2016 Chef Software, Inc.

License

Apache License, Version 2.0

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Constant Summary

VERSION =

'1.1.0'.freeze

Instance Attribute Summary

• #api ⇒ Object readonly

  Returns the value of attribute api.

• #debug ⇒ Object readonly

  Returns the value of attribute debug.

• #email ⇒ Object readonly

  Returns the value of attribute email.

• #instance_name ⇒ Object readonly

  Returns the value of attribute instance_name.

• #project ⇒ Object readonly

  Returns the value of attribute project.

• #username ⇒ Object readonly

  Returns the value of attribute username.

• #zone ⇒ Object readonly

  Returns the value of attribute zone.

Instance Method Summary

• #authorization ⇒ Object
• #check_operation_for_errors!(operation_name) ⇒ Object
• #expiration_date ⇒ Object
• #exponent ⇒ Object
• #initialize(opts = {}) ⇒ GoogleComputeWindowsPassword constructor

  A new instance of GoogleComputeWindowsPassword.

• #instance ⇒ Object
• #instance_exists? ⇒ Boolean
• #instance_metadata ⇒ Object
• #log_debug(msg) ⇒ Object
• #modulus ⇒ Object
• #new_password ⇒ Object
• #operation(operation_name) ⇒ Object
• #password_from_instance ⇒ Object
• #password_request ⇒ Object
• #password_request_metadata ⇒ Object
• #private_key ⇒ Object
• #public_key ⇒ Object
• #response_from_console_port ⇒ Object
• #timeout ⇒ Object
• #update_instance_metadata ⇒ Object
• #validate_options!(opts) ⇒ Object
• #wait_for_operation(operation_obj) ⇒ Object

Constructor Details

#initialize(opts = {}) ⇒ GoogleComputeWindowsPassword

Returns a new instance of GoogleComputeWindowsPassword.

# File 'lib/gcewinpass.rb', line 30

def initialize(opts = {})
  validate_options!(opts)

  @api = Google::Apis::ComputeV1::ComputeService.new
  @api.authorization = authorization

  @project       = opts[:project]
  @zone          = opts[:zone]
  @instance_name = opts[:instance_name]
  @email         = opts[:email]
  @username      = opts.fetch(:username, 'Administrator')
  @debug         = opts.fetch(:debug, false)
  @timeout       = opts.fetch(:timeout, 120)
end

Instance Attribute Details

#api ⇒ Object (readonly)

Returns the value of attribute api.

# File 'lib/gcewinpass.rb', line 28

def api
  @api
end

#debug ⇒ Object (readonly)

Returns the value of attribute debug.

# File 'lib/gcewinpass.rb', line 28

def debug
  @debug
end

#email ⇒ Object (readonly)

Returns the value of attribute email.

# File 'lib/gcewinpass.rb', line 28

def email
  @email
end

#instance_name ⇒ Object (readonly)

Returns the value of attribute instance_name.

# File 'lib/gcewinpass.rb', line 28

def instance_name
  @instance_name
end

#project ⇒ Object (readonly)

Returns the value of attribute project.

# File 'lib/gcewinpass.rb', line 28

def project
  @project
end

#username ⇒ Object (readonly)

Returns the value of attribute username.

# File 'lib/gcewinpass.rb', line 28

def username
  @username
end

#zone ⇒ Object (readonly)

Returns the value of attribute zone.

# File 'lib/gcewinpass.rb', line 28

def zone
  @zone
end

Instance Method Details

#authorization ⇒ Object

# File 'lib/gcewinpass.rb', line 59

def authorization
  @authorization ||= Google::Auth.get_application_default(
    [
      'https://www.googleapis.com/auth/cloud-platform',
      'https://www.googleapis.com/auth/compute',
    ]
  )
end

#check_operation_for_errors!(operation_name) ⇒ Object

# File 'lib/gcewinpass.rb', line 189

def check_operation_for_errors!(operation_name)
  operation = operation(operation_name)
  unless operation.error.nil?
    errors = operation.error.errors.each_with_object([]) do |error, memo|
      memo << "#{error.code}: #{error.message}"
    end

    raise "Operation failed: #{errors.join(', ')}"
  end
end

#expiration_date ⇒ Object

# File 'lib/gcewinpass.rb', line 129

def expiration_date
  (Time.now + 300).to_datetime.rfc3339
end

#exponent ⇒ Object

# File 'lib/gcewinpass.rb', line 125

def exponent
  Base64.strict_encode64(public_key.to_der[291, 3])
end

#instance ⇒ Object

# File 'lib/gcewinpass.rb', line 68

def instance
  @instance ||= api.get_instance(project, zone, instance_name)
end

#instance_exists? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/gcewinpass.rb', line 72

def instance_exists?
  instance
rescue Google::Apis::ClientError
  false
else
  true
end

#instance_metadata ⇒ Object

# File 'lib/gcewinpass.rb', line 80

def instance_metadata
  instance.metadata
end

#log_debug(msg) ⇒ Object

# File 'lib/gcewinpass.rb', line 204

def log_debug(msg)
  $stderr.puts msg if debug
end

#modulus ⇒ Object

# File 'lib/gcewinpass.rb', line 121

def modulus
  Base64.strict_encode64(public_key.to_der[33, 256])
end

#new_password ⇒ Object

# File 'lib/gcewinpass.rb', line 45

def new_password
  raise "Unable to locate instance #{instance_name} in project #{project}, zone #{zone}" unless instance_exists?

  update_instance_metadata
  password_from_instance
end

#operation(operation_name) ⇒ Object

# File 'lib/gcewinpass.rb', line 200

def operation(operation_name)
  api.get_zone_operation(project, zone, operation_name)
end

#password_from_instance ⇒ Object

# File 'lib/gcewinpass.rb', line 133

def password_from_instance
  response = response_from_console_port
  raise 'Password agent attempted the reset but did not succeed' if response['passwordFound'] == false

  private_key.private_decrypt(Base64.strict_decode64(response['encryptedPassword']), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

#password_request ⇒ Object

# File 'lib/gcewinpass.rb', line 84

def password_request
  {
    'userName' => username,
    'modulus'  => modulus,
    'exponent' => exponent,
    'email'    => email,
    'expireOn' => expiration_date,
  }
end

#password_request_metadata ⇒ Object

# File 'lib/gcewinpass.rb', line 94

def password_request_metadata
  Google::Apis::ComputeV1::Metadata::Item.new.tap do |item|
    item.key = 'windows-keys'
    item.value = password_request.to_json
  end
end

#private_key ⇒ Object

# File 'lib/gcewinpass.rb', line 113

def private_key
  @private_key ||= OpenSSL::PKey::RSA.new(2048)
end

#public_key ⇒ Object

# File 'lib/gcewinpass.rb', line 117

def public_key
  @public_key ||= private_key.public_key
end

#response_from_console_port ⇒ Object

# File 'lib/gcewinpass.rb', line 140

def response_from_console_port
  log_debug('fetching password from console port')

  Timeout.timeout(timeout) do
    loop do
      api.get_instance_serial_port_output(project, zone, instance_name, port: 4).contents.lines.reverse_each do |line|
        line.strip!

        begin
          event = JSON.parse(line)
        rescue JSON::ParserError
          next
        end

        if event['modulus'] == modulus && event['exponent'] == exponent
          log_debug('modulus and exponent found - returning event')
          return event
        end
      end

      log_debug('event not found, sleeping...')
      sleep 5
    end
  end
rescue Timeout::Error
  raise Timeout::Error, 'Timeout while waiting for password agent to perform password reset'
end

#timeout ⇒ Object

# File 'lib/gcewinpass.rb', line 208

def timeout
  @timeout.to_i
end

#update_instance_metadata ⇒ Object

# File 'lib/gcewinpass.rb', line 101

def update_instance_metadata
  instance_metadata.items = [] if instance_metadata.items.nil?
  instance_metadata.items = instance_metadata.items.select { |item| item.key != 'windows-keys' }
  instance_metadata.items << password_request_metadata

  log_debug("Updating instance #{instance_name} metadata with: #{instance_metadata.inspect}")

  wait_for_operation(api.set_instance_metadata(project, zone, instance_name, instance_metadata))

  log_debug('Instance metadata updated.')
end

#validate_options!(opts) ⇒ Object

# File 'lib/gcewinpass.rb', line 52

def validate_options!(opts)
  raise 'Project not specified'                   unless opts[:project]
  raise 'Zone not specified'                      unless opts[:zone]
  raise 'Instance name not specified'             unless opts[:instance_name]
  raise 'Email address of GCE user not specified' unless opts[:email]
end

#wait_for_operation(operation_obj) ⇒ Object

# File 'lib/gcewinpass.rb', line 168

def wait_for_operation(operation_obj)
  operation_name = operation_obj.name

  begin
    Timeout.timeout(timeout) do
      loop do
        operation = operation(operation_name)
        log_debug("Current operation status: #{operation.status}")
        break if operation.status == 'DONE'

        sleep 2
      end
    end
  rescue Timeout::Error
    raise Timeout::Error, 'Timeout while performing GCE API operation'
  end

  check_operation_for_errors!(operation_name)
  log_debug('Operation completed successfully.')
end