Class: RightScale::EnrollmentResult

Inherits:

Object

• Object
• RightScale::EnrollmentResult

Defined in:

lib/right_agent/enrollment_result.rb

Defined Under Namespace

Classes: IntegrityFailure, VersionError

Constant Summary

SUPPORTED_VERSIONS =

Versions 5 and above use an identical format for the enrollment result

5..AgentConfig.protocol_version

Instance Attribute Summary

• #id_cert ⇒ Object readonly

  Returns the value of attribute id_cert.

• #id_key ⇒ Object readonly

  Returns the value of attribute id_key.

• #mapper_cert ⇒ Object readonly

  Returns the value of attribute mapper_cert.

• #r_s_version ⇒ Object readonly

  Returns the value of attribute r_s_version.

• #timestamp ⇒ Object readonly

  Returns the value of attribute timestamp.

Class Method Summary

• .dump(obj) ⇒ Object

  Serialize an enrollment result.

• .load(string, secret) ⇒ Object

  Unserialize the MessagePack encoded enrollment result.

Instance Method Summary

• #==(o) ⇒ Object

  Compare this object to another one.

• #initialize(r_s_version, timestamp, mapper_cert, id_cert, id_key, secret) ⇒ EnrollmentResult constructor

  Create a new instance of this class.

• #to_s ⇒ Object

  Serialize an enrollment result.

Constructor Details

#initialize(r_s_version, timestamp, mapper_cert, id_cert, id_key, secret) ⇒ EnrollmentResult

Create a new instance of this class

Parameters

timestamp(Time)

Timestamp associated with this result

mapper_cert(String)

Arbitrary string

id_cert(String)

Arbitrary string

id_key(String)

Arbitrary string

secret(String)

Shared secret with which the result is encrypted

# File 'lib/right_agent/enrollment_result.rb', line 34

def initialize(r_s_version, timestamp, mapper_cert, id_cert, id_key, secret)
  @r_s_version = r_s_version
  @timestamp   = timestamp.utc
  @mapper_cert = mapper_cert
  @id_cert     = id_cert
  @id_key      = id_key
  @serializer  = Serializer.new((:json if r_s_version < 12))

  msg = @serializer.dump({
    'mapper_cert' => @mapper_cert.to_s,
    'id_cert'     => @id_cert,
    'id_key'      => @id_key
  })

  key        = EnrollmentResult.derive_key(secret, @timestamp.to_i.to_s)
  #TODO switch to new OpenSSL API once we move to Ruby 1.8.7
  #cipher     = OpenSSL::Cipher.new("aes-256-cbc")
  cipher     = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
  cipher.encrypt
  cipher.key = key
  cipher.iv = @iv = cipher.random_iv

  @ciphertext = cipher.update(msg) + cipher.final

  key   = EnrollmentResult.derive_key(secret.to_s.reverse, @timestamp.to_i.to_s)
  hmac   = OpenSSL::HMAC.new(key, OpenSSL::Digest::SHA1.new)
  hmac.update(@ciphertext)
  @mac  = hmac.digest
end

Instance Attribute Details

#id_cert ⇒ Object (readonly)

Returns the value of attribute id_cert.

# File 'lib/right_agent/enrollment_result.rb', line 23

def id_cert
  @id_cert
end

#id_key ⇒ Object (readonly)

Returns the value of attribute id_key.

# File 'lib/right_agent/enrollment_result.rb', line 23

def id_key
  @id_key
end

#mapper_cert ⇒ Object (readonly)

Returns the value of attribute mapper_cert.

# File 'lib/right_agent/enrollment_result.rb', line 23

def mapper_cert
  @mapper_cert
end

#r_s_version ⇒ Object (readonly)

Returns the value of attribute r_s_version.

# File 'lib/right_agent/enrollment_result.rb', line 23

def r_s_version
  @r_s_version
end

#timestamp ⇒ Object (readonly)

Returns the value of attribute timestamp.

# File 'lib/right_agent/enrollment_result.rb', line 23

def timestamp
  @timestamp
end

Class Method Details

.dump(obj) ⇒ Object

Serialize an enrollment result

Parameters

obj(EnrollmentResult)

Object to serialize

Return

(String)

Serialized object

Raises:

• (VersionError)

# File 'lib/right_agent/enrollment_result.rb', line 107

def self.dump(obj)
  raise VersionError.new("Unsupported version #{obj.r_s_version}") unless SUPPORTED_VERSIONS.include?(obj.r_s_version)
  obj.to_s
end

.load(string, secret) ⇒ Object

Unserialize the MessagePack encoded enrollment result

Parameters

string(String)

MessagePack representation of the result

secret(String)

Shared secret with which the result is encrypted

Return

result

An instance of EnrollmentResult

Raise

IntegrityFailure

if the message has been tampered with

VersionError

if the specified protocol version is not locally supported

Raises:

• (VersionError)

# File 'lib/right_agent/enrollment_result.rb', line 125

def self.load(string, secret)
  serializer = Serializer.new
  envelope = serializer.load(string)

  r_s_version = envelope['r_s_version'].to_i
  raise VersionError.new("Unsupported version #{r_s_version}") unless SUPPORTED_VERSIONS.include?(r_s_version)

  timestamp  = Time.at(envelope['timestamp'].to_i)
  iv         = Base64::decode64(envelope['iv'])
  ciphertext = Base64::decode64(envelope['ciphertext'])
  mac        = Base64::decode64(envelope['mac'])

  key        = self.derive_key(secret, timestamp.to_i.to_s)
  #TODO switch to new OpenSSL API once we move to Ruby 1.8.7
  #cipher     = OpenSSL::Cipher.new("aes-256-cbc")
  cipher     = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
  cipher.decrypt
  cipher.key = key
  cipher.iv  = iv

  #TODO exclusively use new OpenSSL API (OpenSSL::CipherError) once we move to Ruby 1.8.7
  if defined?(OpenSSL::Cipher::CipherError)
    begin
      plaintext = cipher.update(ciphertext) + cipher.final
    rescue OpenSSL::Cipher::CipherError => e
      raise IntegrityFailure.new(e.message)
    end
  else
    begin
      plaintext = cipher.update(ciphertext) + cipher.final
    rescue OpenSSL::CipherError => e
      raise IntegrityFailure.new(e.message)
    end
  end

  key   = self.derive_key(secret.to_s.reverse, timestamp.to_i.to_s)
  hmac   = OpenSSL::HMAC.new(key, OpenSSL::Digest::SHA1.new)
  hmac.update(ciphertext)
  my_mac  = hmac.digest
  raise IntegrityFailure.new("MAC mismatch: expected #{my_mac}, got #{mac}") unless (mac == my_mac)

  msg = serializer.load(plaintext)
  mapper_cert = msg['mapper_cert']
  id_cert   = msg['id_cert']
  id_key    = msg['id_key']

  self.new(r_s_version, timestamp, mapper_cert, id_cert, id_key, secret)
end

Instance Method Details

#==(o) ⇒ Object

Compare this object to another one. Two results are equal if they have the same payload (certs and keys) and timestamp. The crypto fields are not included in the comparison because they are mutable.

Parameters

o(EnrollmentResult)

Object to compare against

Return

true|false

Whether the objects’ pertinent fields are identical

# File 'lib/right_agent/enrollment_result.rb', line 92

def ==(o)
  self.mapper_cert == o.mapper_cert &&
  self.id_cert == o.id_cert &&
  self.id_key == o.id_key &&
  self.timestamp.to_i == o.timestamp.to_i
end

#to_s ⇒ Object

Serialize an enrollment result

Parameters

obj(EnrollmentResult)

Object to serialize

Return

(String)

Serialized object

# File 'lib/right_agent/enrollment_result.rb', line 72

def to_s
  @serializer.dump({
      'r_s_version' => @r_s_version.to_s,
      'timestamp'   => @timestamp.to_i.to_s,
      'iv'          => Base64::encode64(@iv).chop,
      'ciphertext'  => Base64::encode64(@ciphertext).chop,
      'mac'         => Base64::encode64(@mac).chop
  })
end