Class: RightScale::EnrollmentResult
- Defined in:
- lib/right_agent/enrollment_result.rb
Defined Under Namespace
Classes: IntegrityFailure, VersionError
Constant Summary collapse
- SUPPORTED_VERSIONS =
Versions 5 and above use an identical format for the enrollment result
5..AgentConfig.protocol_version
Instance Attribute Summary collapse
-
#id_cert ⇒ Object
readonly
Returns the value of attribute id_cert.
-
#id_key ⇒ Object
readonly
Returns the value of attribute id_key.
-
#mapper_cert ⇒ Object
readonly
Returns the value of attribute mapper_cert.
-
#r_s_version ⇒ Object
readonly
Returns the value of attribute r_s_version.
-
#timestamp ⇒ Object
readonly
Returns the value of attribute timestamp.
Class Method Summary collapse
-
.dump(obj) ⇒ Object
Serialize an enrollment result.
-
.load(string, secret) ⇒ Object
Unserialize the MessagePack encoded enrollment result.
Instance Method Summary collapse
-
#==(o) ⇒ Object
Compare this object to another one.
-
#initialize(r_s_version, timestamp, mapper_cert, id_cert, id_key, secret) ⇒ EnrollmentResult
constructor
Create a new instance of this class.
-
#to_s ⇒ Object
Serialize an enrollment result.
Constructor Details
#initialize(r_s_version, timestamp, mapper_cert, id_cert, id_key, secret) ⇒ EnrollmentResult
Create a new instance of this class
Parameters
- timestamp(Time)
-
Timestamp associated with this result
- mapper_cert(String)
-
Arbitrary string
- id_cert(String)
-
Arbitrary string
- id_key(String)
-
Arbitrary string
- secret(String)
-
Shared secret with which the result is encrypted
34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 |
# File 'lib/right_agent/enrollment_result.rb', line 34 def initialize(r_s_version, , mapper_cert, id_cert, id_key, secret) @r_s_version = r_s_version @timestamp = .utc @mapper_cert = mapper_cert @id_cert = id_cert @id_key = id_key @serializer = Serializer.new((:json if r_s_version < 12)) msg = @serializer.dump({ 'mapper_cert' => @mapper_cert.to_s, 'id_cert' => @id_cert, 'id_key' => @id_key }) key = EnrollmentResult.derive_key(secret, @timestamp.to_i.to_s) #TODO switch to new OpenSSL API once we move to Ruby 1.8.7 #cipher = OpenSSL::Cipher.new("aes-256-cbc") cipher = OpenSSL::Cipher::Cipher.new("aes-256-cbc") cipher.encrypt cipher.key = key cipher.iv = @iv = cipher.random_iv @ciphertext = cipher.update(msg) + cipher.final key = EnrollmentResult.derive_key(secret.to_s.reverse, @timestamp.to_i.to_s) hmac = OpenSSL::HMAC.new(key, OpenSSL::Digest::SHA1.new) hmac.update(@ciphertext) @mac = hmac.digest end |
Instance Attribute Details
#id_cert ⇒ Object (readonly)
Returns the value of attribute id_cert.
23 24 25 |
# File 'lib/right_agent/enrollment_result.rb', line 23 def id_cert @id_cert end |
#id_key ⇒ Object (readonly)
Returns the value of attribute id_key.
23 24 25 |
# File 'lib/right_agent/enrollment_result.rb', line 23 def id_key @id_key end |
#mapper_cert ⇒ Object (readonly)
Returns the value of attribute mapper_cert.
23 24 25 |
# File 'lib/right_agent/enrollment_result.rb', line 23 def mapper_cert @mapper_cert end |
#r_s_version ⇒ Object (readonly)
Returns the value of attribute r_s_version.
23 24 25 |
# File 'lib/right_agent/enrollment_result.rb', line 23 def r_s_version @r_s_version end |
#timestamp ⇒ Object (readonly)
Returns the value of attribute timestamp.
23 24 25 |
# File 'lib/right_agent/enrollment_result.rb', line 23 def @timestamp end |
Class Method Details
.dump(obj) ⇒ Object
Serialize an enrollment result
Parameters
- obj(EnrollmentResult)
-
Object to serialize
Return
- (String)
-
Serialized object
107 108 109 110 |
# File 'lib/right_agent/enrollment_result.rb', line 107 def self.dump(obj) raise VersionError.new("Unsupported version #{obj.r_s_version}") unless SUPPORTED_VERSIONS.include?(obj.r_s_version) obj.to_s end |
.load(string, secret) ⇒ Object
Unserialize the MessagePack encoded enrollment result
Parameters
- string(String)
-
MessagePack representation of the result
- secret(String)
-
Shared secret with which the result is encrypted
Return
- result
-
An instance of EnrollmentResult
Raise
- IntegrityFailure
-
if the message has been tampered with
- VersionError
-
if the specified protocol version is not locally supported
125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 |
# File 'lib/right_agent/enrollment_result.rb', line 125 def self.load(string, secret) serializer = Serializer.new envelope = serializer.load(string) r_s_version = envelope['r_s_version'].to_i raise VersionError.new("Unsupported version #{r_s_version}") unless SUPPORTED_VERSIONS.include?(r_s_version) = Time.at(envelope['timestamp'].to_i) iv = Base64::decode64(envelope['iv']) ciphertext = Base64::decode64(envelope['ciphertext']) mac = Base64::decode64(envelope['mac']) key = self.derive_key(secret, .to_i.to_s) #TODO switch to new OpenSSL API once we move to Ruby 1.8.7 #cipher = OpenSSL::Cipher.new("aes-256-cbc") cipher = OpenSSL::Cipher::Cipher.new("aes-256-cbc") cipher.decrypt cipher.key = key cipher.iv = iv #TODO exclusively use new OpenSSL API (OpenSSL::CipherError) once we move to Ruby 1.8.7 if defined?(OpenSSL::Cipher::CipherError) begin plaintext = cipher.update(ciphertext) + cipher.final rescue OpenSSL::Cipher::CipherError => e raise IntegrityFailure.new(e.) end else begin plaintext = cipher.update(ciphertext) + cipher.final rescue OpenSSL::CipherError => e raise IntegrityFailure.new(e.) end end key = self.derive_key(secret.to_s.reverse, .to_i.to_s) hmac = OpenSSL::HMAC.new(key, OpenSSL::Digest::SHA1.new) hmac.update(ciphertext) my_mac = hmac.digest raise IntegrityFailure.new("MAC mismatch: expected #{my_mac}, got #{mac}") unless (mac == my_mac) msg = serializer.load(plaintext) mapper_cert = msg['mapper_cert'] id_cert = msg['id_cert'] id_key = msg['id_key'] self.new(r_s_version, , mapper_cert, id_cert, id_key, secret) end |
Instance Method Details
#==(o) ⇒ Object
Compare this object to another one. Two results are equal if they have the same payload (certs and keys) and timestamp. The crypto fields are not included in the comparison because they are mutable.
Parameters
- o(EnrollmentResult)
-
Object to compare against
Return
- true|false
-
Whether the objects’ pertinent fields are identical
92 93 94 95 96 97 |
# File 'lib/right_agent/enrollment_result.rb', line 92 def ==(o) self.mapper_cert == o.mapper_cert && self.id_cert == o.id_cert && self.id_key == o.id_key && self..to_i == o..to_i end |
#to_s ⇒ Object
Serialize an enrollment result
Parameters
- obj(EnrollmentResult)
-
Object to serialize
Return
- (String)
-
Serialized object
72 73 74 75 76 77 78 79 80 |
# File 'lib/right_agent/enrollment_result.rb', line 72 def to_s @serializer.dump({ 'r_s_version' => @r_s_version.to_s, 'timestamp' => @timestamp.to_i.to_s, 'iv' => Base64::encode64(@iv).chop, 'ciphertext' => Base64::encode64(@ciphertext).chop, 'mac' => Base64::encode64(@mac).chop }) end |