##
# The Vici module implements a native ruby client side library for the
# strongSwan VICI protocol. The Connection class provides a high-level
# interface to issue requests or listen for events.
#
# Copyright (C) 2014 Martin Willi
# Copyright (C) 2014 revosec AG
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
module Vici
##
# Vici specific exception all others inherit from
class Error < StandardError
end
##
# Error while parsing a vici message from the daemon
class ParseError < Error
end
##
# Error while encoding a vici message from ruby data structures
class EncodeError < Error
end
##
# Error while exchanging messages over the vici Transport layer
class TransportError < Error
end
##
# Generic vici command execution error
class CommandError < Error
end
##
# Error if an issued vici command is unknown by the daemon
class CommandUnknownError < CommandError
end
##
# Error if a command failed to execute in the daemon
class CommandExecError < CommandError
end
##
# Generic vici event handling error
class EventError < Error
end
##
# Tried to register to / unregister from an unknown vici event
class EventUnknownError < EventError
end
##
# Exception to raise from an event listening closure to stop listening
class StopEventListening < Exception
end
##
# The Message class provides the low level encoding and decoding of vici
# protocol messages. Directly using this class is usually not required.
class Message
SECTION_START = 1
SECTION_END = 2
KEY_VALUE = 3
LIST_START = 4
LIST_ITEM = 5
LIST_END = 6
def initialize(data = "")
if data == nil
@root = Hash.new()
elsif data.is_a?(Hash)
@root = data
else
@encoded = data
end
end
##
# Get the raw byte encoding of an on-the-wire message
def encoding
if @encoded == nil
@encoded = encode(@root)
end
@encoded
end
##
# Get the root element of the parsed ruby data structures
def root
if @root == nil
@root = parse(@encoded)
end
@root
end
private
def encode_name(name)
[name.length].pack("c") << name
end
def encode_value(value)
if value.class != String
value = value.to_s
end
[value.length].pack("n") << value
end
def encode_kv(encoding, key, value)
encoding << KEY_VALUE << encode_name(key) << encode_value(value)
end
def encode_section(encoding, key, value)
encoding << SECTION_START << encode_name(key)
encoding << encode(value) << SECTION_END
end
def encode_list(encoding, key, value)
encoding << LIST_START << encode_name(key)
value.each do |item|
encoding << LIST_ITEM << encode_value(item)
end
encoding << LIST_END
end
def encode(node)
encoding = ""
node.each do |key, value|
case value.class
when String, Fixnum, true, false
encoding = encode_kv(encoding, key, value)
else
if value.is_a?(Hash)
encoding = encode_section(encoding, key, value)
elsif value.is_a?(Array)
encoding = encode_list(encoding, key, value)
else
encoding = encode_kv(encoding, key, value)
end
end
end
encoding
end
def parse_name(encoding)
len = encoding.unpack("c")[0]
name = encoding[1, len]
return encoding[(1 + len)..-1], name
end
def parse_value(encoding)
len = encoding.unpack("n")[0]
value = encoding[2, len]
return encoding[(2 + len)..-1], value
end
def parse(encoding)
stack = [Hash.new]
list = nil
while encoding.length != 0 do
type = encoding.unpack("c")[0]
encoding = encoding[1..-1]
case type
when SECTION_START
encoding, name = parse_name(encoding)
stack.push(stack[-1][name] = Hash.new)
when SECTION_END
if stack.length() == 1
raise ParseError, "unexpected section end"
end
stack.pop()
when KEY_VALUE
encoding, name = parse_name(encoding)
encoding, value = parse_value(encoding)
stack[-1][name] = value
when LIST_START
encoding, name = parse_name(encoding)
stack[-1][name] = []
list = name
when LIST_ITEM
raise ParseError, "unexpected list item" if list == nil
encoding, value = parse_value(encoding)
stack[-1][list].push(value)
when LIST_END
raise ParseError, "unexpected list end" if list == nil
list = nil
else
raise ParseError, "invalid type: #{type}"
end
end
if stack.length() > 1
raise ParseError, "unexpected message end"
end
stack[0]
end
end
##
# The Transport class implements to low level segmentation of packets
# to the underlying transport stream. Directly using this class is usually
# not required.
class Transport
CMD_REQUEST = 0
CMD_RESPONSE = 1
CMD_UNKNOWN = 2
EVENT_REGISTER = 3
EVENT_UNREGISTER = 4
EVENT_CONFIRM = 5
EVENT_UNKNOWN = 6
EVENT = 7
##
# Create a transport layer using a provided socket for communication.
def initialize(socket)
@socket = socket
@events = Hash.new
end
##
# Receive data from socket, until len bytes read
def recv_all(len)
encoding = ""
while encoding.length < len do
data = @socket.recv(len - encoding.length)
if data.empty?
raise TransportError, "connection closed"
end
encoding << data
end
encoding
end
##
# Send data to socket, until all bytes sent
def send_all(encoding)
len = 0
while len < encoding.length do
len += @socket.send(encoding[len..-1], 0)
end
end
##
# Write a packet prefixed by its length over the transport socket. Type
# specifies the message, the optional label and message get appended.
def write(type, label, message)
encoding = ""
if label
encoding << label.length << label
end
if message
encoding << message.encoding
end
send_all([encoding.length + 1, type].pack("Nc") + encoding)
end
##
# Read a packet from the transport socket. Returns the packet type, and
# if available in the packet a label and the contained message.
def read
len = recv_all(4).unpack("N")[0]
encoding = recv_all(len)
type = encoding.unpack("c")[0]
len = 1
case type
when CMD_REQUEST, EVENT_REGISTER, EVENT_UNREGISTER, EVENT
label = encoding[2, encoding[1].unpack("c")[0]]
len += label.length + 1
when CMD_RESPONSE, CMD_UNKNOWN, EVENT_CONFIRM, EVENT_UNKNOWN
label = nil
else
raise TransportError, "invalid message: #{type}"
end
if encoding.length == len
return type, label, Message.new
end
return type, label, Message.new(encoding[len..-1])
end
def dispatch_event(name, message)
@events[name].each do |handler|
handler.call(name, message)
end
end
def read_and_dispatch_event
type, label, message = read
p
if type == EVENT
dispatch_event(label, message)
else
raise TransportError, "unexpected message: #{type}"
end
end
def read_and_dispatch_events
loop do
type, label, message = read
if type == EVENT
dispatch_event(label, message)
else
return type, label, message
end
end
end
##
# Send a command with a given name, and optionally a message. Returns
# the reply message on success.
def request(name, message = nil)
write(CMD_REQUEST, name, message)
type, label, message = read_and_dispatch_events
case type
when CMD_RESPONSE
return message
when CMD_UNKNOWN
raise CommandUnknownError, name
else
raise CommandError, "invalid response for #{name}"
end
end
##
# Register a handler method for the given event name
def register(name, handler)
write(EVENT_REGISTER, name, nil)
type, label, message = read_and_dispatch_events
case type
when EVENT_CONFIRM
if @events.has_key?(name)
@events[name] += [handler]
else
@events[name] = [handler];
end
when EVENT_UNKNOWN
raise EventUnknownError, name
else
raise EventError, "invalid response for #{name} register"
end
end
##
# Unregister a handler method for the given event name
def unregister(name, handler)
write(EVENT_UNREGISTER, name, nil)
type, label, message = read_and_dispatch_events
case type
when EVENT_CONFIRM
@events[name] -= [handler]
when EVENT_UNKNOWN
raise EventUnknownError, name
else
raise EventError, "invalid response for #{name} unregister"
end
end
end
##
# The Connection class provides the high-level interface to monitor, configure
# and control the IKE daemon. It takes a connected stream-oriented Socket for
# the communication with the IKE daemon.
#
# This class takes and returns ruby objects for the exchanged message data.
# * Sections get encoded as Hash, containing other sections as Hash, or
# * Key/Values, where the values are Strings as Hash values
# * Lists get encoded as Arrays with String values
# Non-String values that are not a Hash nor an Array get converted with .to_s
# during encoding.
class Connection
def initialize(socket = nil)
if socket == nil
socket = UNIXSocket.new("/var/run/charon.vici")
end
@transp = Transport.new(socket)
end
##
# List matching loaded connections. The provided closure is invoked
# for each matching connection.
def list_conns(match = nil, &block)
call_with_event("list-conns", Message.new(match), "list-conn", &block)
end
##
# List matching active SAs. The provided closure is invoked for each
# matching SA.
def list_sas(match = nil, &block)
call_with_event("list-sas", Message.new(match), "list-sa", &block)
end
##
# List matching installed policies. The provided closure is invoked
# for each matching policy.
def list_policies(match, &block)
call_with_event("list-policies", Message.new(match), "list-policy",
&block)
end
##
# List matching loaded certificates. The provided closure is invoked
# for each matching certificate definition.
def list_certs(match = nil, &block)
call_with_event("list-certs", Message.new(match), "list-cert", &block)
end
##
# Load a connection into the daemon.
def load_conn(conn)
check_success(@transp.request("load-conn", Message.new(conn)))
end
##
# Unload a connection from the daemon.
def unload_conn(conn)
check_success(@transp.request("unload-conn", Message.new(conn)))
end
##
# Get the names of connections managed by vici.
def get_conns()
@transp.request("get-conns").root
end
##
# Flush credential cache.
def flush_certs((match = nil)
check_success(@transp.request("flush-certs", Message.new(match)))
end
##
# Clear all loaded credentials.
def clear_creds()
check_success(@transp.request("clear-creds"))
end
##
# Load a certificate into the daemon.
def load_cert(cert)
check_success(@transp.request("load-cert", Message.new(cert)))
end
##
# Load a private key into the daemon.
def load_key(key)
check_success(@transp.request("load-key", Message.new(key)))
end
##
# Load a shared key into the daemon.
def load_shared(shared)
check_success(@transp.request("load-shared", Message.new(shared)))
end
##
# Load a virtual IP / attribute pool
def load_pool(pool)
check_success(@transp.request("load-pool", Message.new(pool)))
end
##
# Unload a virtual IP / attribute pool
def unload_pool(pool)
check_success(@transp.request("unload-pool", Message.new(pool)))
end
##
# Get the currently loaded pools.
def get_pools(options)
@transp.request("get-pools", Message.new(options)).root
end
##
# Initiate a connection. The provided closure is invoked for each log line.
def initiate(options, &block)
check_success(call_with_event("initiate", Message.new(options),
"control-log", &block))
end
##
# Terminate a connection. The provided closure is invoked for each log line.
def terminate(options, &block)
check_success(call_with_event("terminate", Message.new(options),
"control-log", &block))
end
##
# Redirect an IKE_SA.
def redirect(options)
check_success(@transp.request("redirect", Message.new(options)))
end
##
# Install a shunt/route policy.
def install(policy)
check_success(@transp.request("install", Message.new(policy)))
end
##
# Uninstall a shunt/route policy.
def uninstall(policy)
check_success(@transp.request("uninstall", Message.new(policy)))
end
##
# Reload strongswan.conf settings.
def reload_settings
check_success(@transp.request("reload-settings", nil))
end
##
# Get daemon statistics and information.
def stats
@transp.request("stats", nil).root
end
##
# Get daemon version information
def version
@transp.request("version", nil).root
end
##
# Listen for a set of event messages. This call is blocking, and invokes
# the passed closure for each event received. The closure receives the
# event name and the event message as argument. To stop listening, the
# closure may raise a StopEventListening exception, the only caught
# exception.
def listen_events(events, &block)
self.class.instance_eval do
define_method(:listen_event) do |label, message|
block.call(label, message.root)
end
end
events.each do |event|
@transp.register(event, method(:listen_event))
end
begin
loop do
@transp.read_and_dispatch_event
end
rescue StopEventListening
ensure
events.each do |event|
@transp.unregister(event, method(:listen_event))
end
end
end
##
# Issue a command request, but register for a specific event while the
# command is active. VICI uses this mechanism to stream potentially large
# data objects continuously. The provided closure is invoked for all
# event messages.
def call_with_event(command, request, event, &block)
self.class.instance_eval do
define_method(:call_event) do |label, message|
block.call(message.root)
end
end
@transp.register(event, method(:call_event))
begin
reply = @transp.request(command, request)
ensure
@transp.unregister(event, method(:call_event))
end
reply
end
##
# Check if the reply of a command indicates "success", otherwise raise a
# CommandExecError exception
def check_success(reply)
root = reply.root
if root["success"] != "yes"
raise CommandExecError, root["errmsg"]
end
root
end
end
end