Class: MCollective::Security::Psk
In: plugins/mcollective/security/psk.rb
Parent: Base
Implements message authentication using digests and shared keys.
You should configure a psk in the configuration file; all requests will then be validated for authenticity against it.
Serialization uses Marshal. This is the default security module and is supported out of the box.
Validation follows the default behaviour provided by MCollective::Security::Base.
You can configure how the caller id is created, which changes what authorization plugins have to work with. For example, you can use a unix group instead of a uid to do authorization.
    # File plugins/mcollective/security/psk.rb, line 70
    def callerid
      # psk.callertype in the plugin configuration selects the id scheme; :uid is the default
      if @config.pluginconf.include?("psk.callertype")
        callertype = @config.pluginconf["psk.callertype"].to_sym
      else
        callertype = :uid
      end

      case callertype
      when :gid
        id = "gid=#{Process.gid}"

      when :group
        id = "group=#{Etc.getgrgid(Process.gid).name}"

      when :user
        id = "user=#{Etc.getlogin}"

      when :identity
        id = "identity=#{@config.identity}"

      else
        id = "uid=#{Process.uid}"
      end

      Log.debug("Setting callerid to #{id} based on callertype=#{callertype}")

      id
    end
Decodes a message by unserializing its parts and validates it against the psk.
    # File plugins/mcollective/security/psk.rb, line 21
    def decodemsg(msg)
      # the outer envelope is unserialized first so that the hash can be checked
      body = Marshal.load(msg.payload)

      # only unserialize the inner body once the digest has been validated
      if validrequest?(body)
        body[:body] = Marshal.load(body[:body])
        return body
      else
        nil
      end
    end
Encodes a reply.
    # File plugins/mcollective/security/psk.rb, line 33
    def encodereply(sender, target, msg, requestid, requestcallerid=nil)
      # the digest is computed over the serialized message, not the full envelope
      serialized = Marshal.dump(msg)
      digest = makehash(serialized)

      req = create_reply(requestid, sender, target, serialized)
      req[:hash] = digest

      Marshal.dump(req)
    end
Encodes a request msg.
    # File plugins/mcollective/security/psk.rb, line 44
    def encoderequest(sender, target, msg, requestid, filter={}, target_agent=nil, target_collective=nil)
      # the digest is computed over the serialized message, not the full envelope
      serialized = Marshal.dump(msg)
      digest = makehash(serialized)

      req = create_request(requestid, target, filter, serialized, @initiated_by, target_agent, target_collective)
      req[:hash] = digest

      Marshal.dump(req)
    end
Checks the md5 hash in the request body against our psk; the request sent for validation should not have been deserialized already.
    # File plugins/mcollective/security/psk.rb, line 56
    def validrequest?(req)
      # recompute the digest over the still-serialized body
      digest = makehash(req[:body])

      if digest == req[:hash]
        @stats.validated

        return true
      else
        @stats.unvalidated

        raise(SecurityValidationFailed, "Received an invalid signature in message")
      end
    end
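The following is an added, self-contained model of the encode/decode/validate flow documented above (encoderequest, decodemsg and validrequest?); it is not the plugin's own code. The page does not show makehash, so the MD5-over-(serialized body + psk) construction, the envelope fields, the psk value and the sample message are assumptions chosen for this example. It shows what the documented order of operations buys: a message whose serialized body was altered in transit, or one hashed with a different psk, is rejected before the inner body is ever unserialized, and the validated/unvalidated counters reflect that.

```ruby
require "digest"

# Model of the PSK envelope described on this page (added example, not the
# plugin's code). makehash is assumed to be MD5 over the serialized body
# followed by the shared key; the real implementation is not shown here.
module PskEnvelope
  class SecurityValidationFailed < StandardError; end

  def self.makehash(body, psk)
    Digest::MD5.hexdigest(body.to_s + psk)
  end

  # Mirrors encoderequest: serialize the inner message, hash it, wrap it.
  # requestid and callerid are constructed placeholders.
  def self.encoderequest(msg, psk, requestid: "req-1", callerid: "uid=1000")
    serialized = Marshal.dump(msg)
    req = { :requestid => requestid, :callerid => callerid, :body => serialized }
    req[:hash] = makehash(serialized, psk)
    Marshal.dump(req)
  end

  # Mirrors validrequest?: recompute the digest over the still-serialized
  # body and compare it with the transported hash; stats is a counter hash
  # standing in for @stats.
  def self.validrequest?(req, psk, stats)
    if makehash(req[:body], psk) == req[:hash]
      stats[:validated] += 1
      true
    else
      stats[:unvalidated] += 1
      raise SecurityValidationFailed, "Received an invalid signature in message"
    end
  end

  # Mirrors decodemsg: open the envelope, validate, only then unserialize
  # the inner body.
  def self.decodemsg(payload, psk, stats)
    req = Marshal.load(payload)
    validrequest?(req, psk, stats)
    req[:body] = Marshal.load(req[:body])
    req
  end

  # Simulates an in-transit modification by flipping one bit of the
  # serialized inner body while leaving the transported hash untouched
  # (constructed input for the check below).
  def self.tamper(payload)
    req = Marshal.load(payload)
    body = req[:body].dup
    last = body.bytesize - 1
    body.setbyte(last, body.getbyte(last) ^ 0x01)
    req[:body] = body
    Marshal.dump(req)
  end

  # Runs one good message and two bad ones through decodemsg and returns
  # what a caller can observe: the decoded body, how many messages were
  # rejected, and the validation counters.
  def self.demo
    psk = "example-shared-secret"               # constructed, not a real key
    stats = { :validated => 0, :unvalidated => 0 }
    wire = encoderequest({ :agent => "rpcutil", :action => "ping" }, psk)

    good = decodemsg(wire, psk, stats)

    rejected = []
    [[tamper(wire), psk], [wire, "wrong-psk"]].each do |payload, key|
      begin
        decodemsg(payload, key, stats)
      rescue SecurityValidationFailed => e
        rejected << e.message
      end
    end

    { :body => good[:body], :rejected => rejected.size, :stats => stats }
  end
end

puts PskEnvelope.demo.inspect if __FILE__ == $0
```

Because the digest is recomputed over the serialized body before that body is passed to Marshal.load, the tampered payload never reaches the deserializer; the mismatch is caught at validrequest? and the unvalidated counter is incremented, which is the event a monitoring setup would alert on.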