class MCollective::Security::Psk

Implements message authentication using digests and shared keys.

You should configure a psk in the configuration file; every request is validated for authenticity against it.

Serialization uses Marshal. This is the default security module and is supported out of the box.

Validation follows the defaults provided by MCollective::Security::Base.

The caller id placed in requests is configurable via the psk.callertype plugin setting, which affects how you can write authorization plugins. For example, you can authorize on a unix group instead of a uid.

Public Instance Methods

callerid()

    # File lib/mcollective/security/psk.rb
    def callerid
      # psk.callertype selects what identifies the caller; the default is the uid
      callertype = if @config.pluginconf.include?("psk.callertype")
                     @config.pluginconf["psk.callertype"].to_sym
                   else
                     :uid
                   end

      case callertype
      when :gid
        id = "gid=#{Process.gid}"
      when :group
        raise "Cannot use the 'group' callertype for the PSK security plugin on the Windows platform" if Util.windows?

        id = "group=#{Etc.getgrgid(Process.gid).name}"
      when :user
        id = "user=#{Etc.getlogin}"
      when :identity
        id = "identity=#{@config.identity}"
      else
        id = "uid=#{Process.uid}"
      end

      Log.debug("Setting callerid to #{id} based on callertype=#{callertype}")

      id
    end
decodemsg(msg)

Decodes a message by deserializing the outer envelope with Marshal, validates it against the psk (see validrequest?) and, only if the hash matches, deserializes the body itself. Note that Marshal.load runs on the raw payload before any validation takes place, and Marshal is not safe on untrusted input.

    # File lib/mcollective/security/psk.rb
    def decodemsg(msg)
      # the outer envelope has to be deserialized before it can be validated
      body = Marshal.load(msg.payload)

      should_process_msg?(msg, body[:requestid])

      # validrequest? raises SecurityValidationFailed on a bad hash, so the
      # nil branch is only reached if it returns false
      if validrequest?(body)
        # the inner body is only deserialized once the hash checks out
        body[:body] = Marshal.load(body[:body])
        return body
      else
        nil
      end
    end
encodereply(sender, msg, requestid, requestcallerid=nil)

Encodes a reply: the serialized reply body is hashed with the psk and the digest is stored in the :hash field of the envelope built by create_reply.

    # File lib/mcollective/security/psk.rb
    def encodereply(sender, msg, requestid, requestcallerid=nil)
      serialized = Marshal.dump(msg)
      digest = makehash(serialized)

      # only the serialized body is covered by the digest
      reply = create_reply(requestid, sender, serialized)
      reply[:hash] = digest

      Marshal.dump(reply)
    end
encoderequest(sender, msg, requestid, filter, target_agent, target_collective, ttl=60)

Encodes a request: the serialized request body is hashed with the psk, wrapped in an envelope by create_request, and the digest is stored in the envelope's :hash field.

    # File lib/mcollective/security/psk.rb
    def encoderequest(sender, msg, requestid, filter, target_agent, target_collective, ttl=60)
      serialized = Marshal.dump(msg)
      digest = makehash(serialized)

      # the digest is computed over the body alone; the envelope fields added
      # by create_request are not covered by it
      req = create_request(requestid, filter, serialized, @initiated_by, target_agent, target_collective, ttl)
      req[:hash] = digest

      Marshal.dump(req)
    end
validrequest?(req)

Checks the MD5 hash in the request against our psk. The request passed in must still carry the serialized body (req[:body] not yet deserialized), since the digest is computed over the serialized form. A mismatch raises SecurityValidationFailed rather than returning false.

    # File lib/mcollective/security/psk.rb
    def validrequest?(req)
      # recompute the digest over the still-serialized body
      digest = makehash(req[:body])

      # a plain string comparison, not a constant-time one
      if digest == req[:hash]
        @stats.validated

        return true
      else
        @stats.unvalidated

        raise(SecurityValidationFailed, "Received an invalid signature in message")
      end
    end
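The encode/validate scheme described above, together with the requirement in validrequest? that the body still be serialized when it is hashed, worked as an added example that is not MCollective's own code. The PskEnvelope class reproduces the round trip of encoderequest, decodemsg and validrequest? stand-alone; its makehash construction (MD5 over the serialized body followed by the psk) is an assumption, since the project's private makehash is not shown on this page, and the class, its method names and the sample messages are constructed for the demonstration. It swaps in a constant-time comparison where the page's validrequest? uses a plain ==, and it keeps the page's property that only the body, not the callerid, is covered by the digest.

```ruby
require "digest"

# Added example, not MCollective's own code.  PskEnvelope reproduces the PSK
# envelope scheme documented on this page so the round trip can be run offline.
# ASSUMPTION: makehash is MD5 over the serialized body followed by the shared
# key; the project's private makehash is not shown on the page.
class PskEnvelope
  class SecurityValidationFailed < StandardError; end

  def initialize(psk)
    @psk = psk
  end

  # Digest over the *serialized* body: the receiver recomputes it before it
  # ever deserializes the inner object.
  def makehash(serialized_body)
    Digest::MD5.hexdigest(serialized_body.to_s + @psk)
  end

  # Like encoderequest: serialize, hash, wrap in an envelope, serialize again.
  # As on the page, only :body is covered by the digest; :callerid is not.
  def encode(body, callerid:, requestid:)
    serialized = Marshal.dump(body)
    envelope = {
      :requestid => requestid,
      :callerid  => callerid,
      :body      => serialized,
      :hash      => makehash(serialized),
    }
    Marshal.dump(envelope)
  end

  # Like decodemsg + validrequest?: load the outer envelope, check the hash over
  # the still-serialized body, and only then deserialize the body itself.
  def decode(wire)
    envelope = Marshal.load(wire)
    unless secure_equal?(makehash(envelope[:body]), envelope[:hash])
      raise SecurityValidationFailed, "Received an invalid signature in message"
    end
    envelope[:body] = Marshal.load(envelope[:body])
    envelope
  end

  private

  # Constant-time string comparison (the page's validrequest? uses a plain ==).
  def secure_equal?(expected, given)
    return false unless given.is_a?(String) && given.bytesize == expected.bytesize
    diff = 0
    expected.bytes.zip(given.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed sample traffic for the demonstration.
PSK = "example-shared-secret"
REQUEST = { :agent => "rpcutil", :action => "ping" }

# A message built with the shared psk validates and yields the original body.
def roundtrip_ok?
  wire = PskEnvelope.new(PSK).encode(REQUEST, callerid: "uid=500", requestid: "req-1")
  decoded = PskEnvelope.new(PSK).decode(wire)
  decoded[:body] == REQUEST && decoded[:callerid] == "uid=500"
end

# Swapping the serialized body after hashing changes the digest: rejected.
def tampered_body_rejected?
  env = PskEnvelope.new(PSK)
  envelope = Marshal.load(env.encode(REQUEST, callerid: "uid=500", requestid: "req-1"))
  envelope[:body] = Marshal.dump(REQUEST.merge(:action => "reboot"))
  env.decode(Marshal.dump(envelope))
  false
rescue PskEnvelope::SecurityValidationFailed
  true
end

# A node configured with a different psk cannot validate the message.
def wrong_psk_rejected?
  wire = PskEnvelope.new(PSK).encode(REQUEST, callerid: "uid=500", requestid: "req-1")
  PskEnvelope.new("some-other-secret").decode(wire)
  false
rescue PskEnvelope::SecurityValidationFailed
  true
end

# The digest covers only :body, so an altered :callerid still validates; an
# authorization plugin keyed on callerid trusts the envelope, not the psk.
def callerid_not_covered?
  env = PskEnvelope.new(PSK)
  envelope = Marshal.load(env.encode(REQUEST, callerid: "uid=500", requestid: "req-1"))
  envelope[:callerid] = "uid=0"
  env.decode(Marshal.dump(envelope))[:callerid] == "uid=0"
end
```

The last check is the one to keep in mind when writing authorization plugins against this module: the callerid string produced by callerid() is carried in the envelope, and the digest computed in encoderequest does not cover it, so the shared key authenticates the request body but not who claims to have sent it.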