ConfigLMM 0.4.0 → 0.5.0

data/Plugins/OS/Linux/Packages.yaml

@@ -6,12 +6,18 @@ Arch Linux:
     CyrusSASL: cyrus-sasl
     Dovecot: dovecot
     firewalld: firewalld
+    go: go
     MariaDB: mariadb
     Nextcloud: nextcloud
     nginx: nginx
+    nodejs: nodejs
+    otelcol-contrib: AUR|otelcol-contrib
     PHP-FPM: php-fpm
     php-pecl: php-pecl
-    Podman: podman
+    pnpm: pnpm
+    Podman:
+        - podman
+        - fuse-overlayfs
     PostgreSQL: postgresql
     Postfix: postfix
     PowerDNS: powerdns
@@ -20,6 +26,7 @@ Arch Linux:
     sshd: openssh
     Valkey: redis
     WireGuard: wireguard-tools
+    xorriso: libisoburn
     Yarn: yarn
 
 openSUSE Leap:
@@ -31,17 +38,22 @@ openSUSE Leap:
     CyrusSASL: cyrus-sasl-plain
     Dovecot: dovecot
     firewalld: firewalld
+    go: go
     MariaDB: mariadb
     Nextcloud: server:php:applications|nextcloud
     nginx: nginx
+    nodejs: nodejs-default
+    otelcol-contrib: GitHub|open-telemetry/opentelemetry-collector-releases:otelcol-contrib_*_linux_amd64.rpm
     PHP-FPM:
         - php8-devel
         - php8-mbstring
         - php8-fpm
+        - php8-imagick
         - php8-redis
         - php8-pgsql
         - php8-mysql
     php-pecl: php8-pecl
+    pnpm: GitHub|pnpm/pnpm:pnpm-linux-x64
     Podman: podman
     PostgreSQL:
         - postgresql-server
@@ -57,6 +69,7 @@ openSUSE Leap:
     sshd: openssh
     Valkey: redis
     WireGuard: wireguard-tools
+    xorriso: xorriso
     Yarn: yarn
 
 Debian:
@@ -70,16 +83,21 @@ Debian:
         - dovecot-lmtpd
         - dovecot-submissiond
     firewalld: firewalld
+    go: golang
     MariaDB: mariadb-server
     Nextcloud:
     nginx: nginx
+    nodejs: nodejs
+    otelcol-contrib: GitHub|open-telemetry/opentelemetry-collector-releases:otelcol-contrib_*_linux_amd64.deb
     PHP-FPM:
         - php-mbstring
         - php-fpm
+        - php-imagick
         - php-redis
         - php-pgsql
         - php-mysql
     php-pecl:
+    pnpm: GitHub|pnpm/pnpm:pnpm-linux-x64
     Podman: podman
     PostgreSQL: postgresql
     Postfix: postfix-lmdb
@@ -93,4 +111,5 @@ Debian:
     sshd: openssh-server
     Valkey: redis
     WireGuard: wireguard
+    xorriso: xorriso
     Yarn: yarnpkg

data/Plugins/OS/Linux/Services.yaml

@@ -0,0 +1,8 @@
+Arch Linux:
+    sshd: sshd
+
+openSUSE Leap:
+    sshd: sshd
+
+Debian:
+    sshd: ssh

data/Plugins/OS/Linux/Shell.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require 'fileutils'
+require 'open3'
+
+module ConfigLMM
+    module LMM
+        class LinuxShell
+
+            attr_reader :connection
+            attr_reader :user
+
+            def initialize(connection, user)
+                @connection = connection
+                @user = user
+            end
+
+            def distroID
+                @connection.distroID
+            end
+
+            def updateFile(*args, &block)
+                @connection.updateFile(*args, &block)
+            end
+
+            def exec(command, allowFailure = false, options = {})
+                cmd = "su --login #{@user.shellescape} --shell /usr/bin/sh --command #{command.shellescape}"
+                if options[:hide]
+                    cmd = ' ' + cmd
+                end
+                @connection.exec(cmd, allowFailure, options)
+            end
+
+            def rm(*args)
+                @connection.rm(*args)
+            end
+
+            def fileWrite(target, data, options = {})
+                hide = ''
+                hide = ' ' if options[:hide]
+                self.exec("#{hide}echo #{data.shellescape} > #{target}", false, options)
+            end
+
+            def fileAppend(target, data, options = {})
+                hide = ''
+                hide = ' ' if options[:hide]
+                self.exec("#{hide}echo #{data.shellescape} >> #{target}", false, options)
+            end
+
+            def fileMerge(target, file, options = {})
+                self.exec("cat #{file.shellescape} >> #{target}", false, options)
+            end
+
+            def fileReplace(target, placeholder, result, options = {})
+                hide = ''
+                hide = ' ' if options[:hide]
+                pattern = "s|#{placeholder}|#{result.gsub('\\', '\\\\\\').gsub('&', '\\\\&').gsub('|', '\\\\|')}|"
+                self.exec("#{hide}sed -i #{pattern.shellescape} #{target}", false, options)
+            end
+
+            def createDirs(options, *paths)
+                exec("mkdir -p #{paths.join(' ')}", false, options)
+            end
+
+            def self.escapeSingleQuotes(command)
+                command.gsub("'", "'\"'\"'")
+            end
+        end
+    end
+end

data/Plugins/OS/Linux/Syslinux/default

@@ -0,0 +1,8 @@
+
+default auto
+prompt   0
+timeout  1
+
+label auto
+  kernel linux
+  append initrd=initrd splash=silent $OPTIONS

data/Plugins/OS/Linux/WireGuard/WireGuard.lmm.rb

@@ -13,45 +13,64 @@ module ConfigLMM
 
             def actionWireGuardDeploy(id, target, activeState, context, options)
                 self.prepareConfig(target)
-                if target['Location'] && target['Location'] != '@me'
-                    uri = Addressable::URI.parse(target['Location'])
-                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
-                    self.class.sshStart(uri) do |ssh|
-                        self.class.sshExec!(ssh, "firewall-cmd -q --permanent --add-port='#{PORT}/udp'")
-                        self.class.sshExec!(ssh, "firewall-cmd -q --add-port='#{PORT}/udp'")
-                        self.class.sshExec!(ssh, "firewall-cmd -q --permanent --zone=trusted --add-source=#{SUBNET}")
-                        self.class.sshExec!(ssh, "firewall-cmd -q --zone=trusted --add-source=#{SUBNET}")
-                        self.class.sshExec!(ssh, "firewall-cmd -q --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s #{SUBNET} ! -d #{SUBNET} -j MASQUERADE")
-                        self.class.sshExec!(ssh, "firewall-cmd -q --direct --add-rule ipv4 nat POSTROUTING 0 -s #{SUBNET} ! -d #{SUBNET} -j MASQUERADE")
-
-                        self.class.ensurePackages([WIREGUARD_PACKAGE], ssh)
-                        self.class.ensureServiceAutoStartOverSSH(SERVICE_NAME, ssh)
+                self.withConnection(target['Location'], target) do |connection|
+                    Linux.withConnection(connection) do |linuxConnection|
+                        linuxConnection.firewallAddPort("#{PORT}/udp", options)
+                        linuxConnection.exec("firewall-cmd -q --permanent --zone=trusted --add-source=#{SUBNET}", options)
+                        linuxConnection.exec("firewall-cmd -q --zone=trusted --add-source=#{SUBNET}", options)
+                        linuxConnection.exec("firewall-cmd -q --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s #{SUBNET} ! -d #{SUBNET} -j MASQUERADE", options)
+                        linuxConnection.exec("firewall-cmd -q --direct --add-rule ipv4 nat POSTROUTING 0 -s #{SUBNET} ! -d #{SUBNET} -j MASQUERADE", options)
+
+                        linuxConnection.ensurePackage(WIREGUARD_PACKAGE, options)
+                        linuxConnection.ensureServiceAutoStart(SERVICE_NAME, options)
 
                         dir = options['output'] + '/' + id + '/etc/wireguard/'
                         mkdir(dir, false)
                         template = ERB.new(File.read(__dir__ + '/wg0.conf.erb'))
 
-                        if self.class.remoteFilePresent?(CONFIG_FILE, ssh)
+                        target = target.dup
+                        target['PrivateKey'] = context.secrets.load(target['SecretId'], 'PRIVATEKEY')
+                        if target['PrivateKey'].nil?
+                            target['PrivateKey'] = genkey(connection, options)
+                            if !options['dry']
+                                context.secrets.store(target['SecretId'], 'PRIVATEKEY', target['PrivateKey'])
+                                context.secrets.print("Private Key", target['PrivateKey'])
+                            end
+                        end
+
+                        if connection.filePresent?(CONFIG_FILE, { **options, 'dry' => false })
                             # TODO Implement adding and removing peers
                         else
-                            if !target['PrivateKey']
-                                target['PrivateKey'] = ENV['WIREGUARD_PRIVATEKEY_' + id]
-                                if !target['PrivateKey']
-                                    target['PrivateKey'] = genkeyOverSSH(ssh)
-                                end
-                            end
-                            publicKey = pubkeyOverSSH(target['PrivateKey'], ssh)
-                            self.class.sshExec!(ssh, "echo '#{publicKey}' > /etc/wireguard/pubkey")
+                            publicKey = pubkey(target['PrivateKey'], connection, options)
+                            context.secrets.store(target['SecretId'], 'PUBLICKEY', publicKey) unless options['dry']
+                            connection.exec("echo '#{publicKey}' > /etc/wireguard/pubkey", false, options)
+
                             target['Peers'].each do |name, data|
-                                if !data['PublicKey']
-                                    data['PrivateKey'] = genkeyOverSSH(ssh)
-                                    data['PublicKey'] = pubkeyOverSSH(data['PrivateKey'], ssh)
-                                end
-                                if !data['PresharedKey']
-                                    data['PresharedKey'] = ENV['WIREGUARD_PRESHAREDKEY_' + id + '_' + name]
-                                    if !data['PresharedKey']
-                                        data['PresharedKey'] = genpskOverSSH(ssh)
+                                if data['SecretId']
+                                    data['PublicKey'] = context.secrets.load(data['SecretId'], 'PUBLICKEY')
+                                    data['PrivateKey'] = context.secrets.load(data['SecretId'], 'PRIVATEKEY')
+                                    if data['PublicKey'].nil?
+                                        data['PrivateKey'] = genkey(connection, options)
+                                        data['PublicKey'] = pubkey(data['PrivateKey'], connection, options)
+                                        if !options['dry']
+                                            context.secrets.store(data['SecretId'], 'PRIVATEKEY', data['PrivateKey'])
+                                            context.secrets.store(data['SecretId'], 'PUBLICKEY', data['PublicKey'])
+                                        end
                                     end
+                                    sharedSecretId = "#{target['SecretId'].upcase}_#{data['SecretId'].upcase}"
+                                    data['PresharedKey'] = context.secrets.load(sharedSecretId, 'PRESHAREDKEY')
+                                    if data['PresharedKey'].nil?
+                                        sharedSecretId2 = "#{data['SecretId'].upcase}_#{target['SecretId'].upcase}"
+                                        data['PresharedKey'] = context.secrets.load(sharedSecretId2, 'PRESHAREDKEY')
+                                        if data['PresharedKey'].nil?
+                                            data['PresharedKey'] = genpsk(connection, options)
+                                            context.secrets.store(sharedSecretId, 'PRESHAREDKEY', data['PresharedKey']) unless options['dry']
+                                        end
+                                    end
+                                else
+                                    data['PrivateKey'] = genkey(connection, options)
+                                    data['PublicKey'] = pubkey(data['PrivateKey'], connection, options)
+                                    data['PresharedKey'] = genpsk(connection, options)
                                 end
                             end
 
@@ -68,7 +87,7 @@ module ConfigLMM
                                         psk = otherData[pskIdB]
                                     else
                                         pskIdA = 'PresharedKey_' + name + '_' + otherName
-                                        data[pskIdA] = genpskOverSSH(ssh)
+                                        data[pskIdA] = genpsk(connection, options)
                                         psk = data[pskIdA]
                                     end
                                     templateData['Peers'][otherName] = { 'PublicKey' => otherData['PublicKey'], 'PresharedKey' => psk }
@@ -78,59 +97,64 @@ module ConfigLMM
                             end
 
                             renderTemplate(template, target, dir + 'wg0.conf', options)
-                            ssh.scp.upload!(dir + 'wg0.conf', CONFIG_FILE)
+                            connection.upload(dir + 'wg0.conf', CONFIG_FILE, options)
                         end
 
+                        linuxConnection.restartService(SERVICE_NAME, options)
                     end
-                else
-                    # TODO
                 end
-                self.startService(SERVICE_NAME, target['Location'])
-
-                activeState['Status'] = State::STATUS_DEPLOYED
             end
 
             def cleanup(configs, state, context, options)
-                cleanupType(:WireGuard, configs, state, context, options) do |item, id, state, context, options, ssh|
-                    Framework::LinuxApp.stopService(SERVICE_NAME, ssh, options[:dry])
-                    Framework::LinuxApp.disableService(SERVICE_NAME, ssh, options[:dry])
-                    Framework::LinuxApp.removePackage(WIREGUARD_PACKAGE, ssh, options[:dry])
-
-                    self.class.exec("firewall-cmd -q --permanent --remove-port='#{PORT}/udp'", ssh, false, options[:dry])
-                    self.class.exec("firewall-cmd -q --remove-port='#{PORT}/udp'", ssh, false, options[:dry])
-                    self.class.exec("firewall-cmd -q --permanent --zone=trusted --remove-source=#{SUBNET}", ssh, false, options[:dry])
-                    self.class.exec("firewall-cmd -q --zone=trusted --remove-source=#{SUBNET}", ssh, false, options[:dry])
-                    self.class.exec("firewall-cmd -q --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s #{SUBNET} ! -d #{SUBNET} -j MASQUERADE", ssh, false, options[:dry])
-                    self.class.exec("firewall-cmd -q --direct --remove-rule ipv4 nat POSTROUTING 0 -s #{SUBNET} ! -d #{SUBNET} -j MASQUERADE", ssh, false, options[:dry])
+                cleanupType(:WireGuard, configs, state, context, options) do |item, id, state, context, options, connection|
+                    Linux.withConnection(connection) do |linuxConnection|
+                        linuxConnection.stopService(SERVICE_NAME, options[:dry])
+                        linuxConnection.disableService(SERVICE_NAME, options[:dry])
+                        linuxConnection.removePackage(WIREGUARD_PACKAGE, options[:dry])
+
+                        linuxConnection.firewallRemovePort("#{PORT}/udp", options)
+                        linuxConnection.exec("firewall-cmd -q --permanent --zone=trusted --remove-source=#{SUBNET}", false, options[:dry])
+                        linuxConnection.exec("firewall-cmd -q --zone=trusted --remove-source=#{SUBNET}", false, options[:dry])
+                        linuxConnection.exec("firewall-cmd -q --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s #{SUBNET} ! -d #{SUBNET} -j MASQUERADE", false, options[:dry])
+                        linuxConnection.exec("firewall-cmd -q --direct --remove-rule ipv4 nat POSTROUTING 0 -s #{SUBNET} ! -d #{SUBNET} -j MASQUERADE", false, options[:dry])
+                    end
 
                     state.item(id)['Status'] = State::STATUS_DELETED unless options[:dry]
 
                     if options[:destroy]
-                        rm('/etc/wireguard', options[:dry], ssh)
+                        connection.rm('/etc/wireguard', options[:dry])
 
                         state.item(id)['Status'] = State::STATUS_DESTROYED unless options[:dry]
                     end
                 end
             end
 
-            def genkeyOverSSH(ssh)
-              self.class.sshExec!(ssh, 'wg genkey')
+            def genkey(connection, options)
+                key = connection.exec('wg genkey', false, options).strip
+                if options['dry']
+                    key = connection.exec('wg genkey', false, { **options, 'dry' => false }).strip
+                end
+                key
             end
 
-            def genpskOverSSH(ssh)
-              self.class.sshExec!(ssh, 'wg genpsk')
+            def genpsk(connection, options)
+                key = connection.exec('wg genpsk', false, options).strip
+                if options['dry']
+                    key = connection.exec('wg genpsk', false, { **options, 'dry' => false }).strip
+                end
+                key
             end
 
-            def pubkeyOverSSH(privateKey, ssh)
-              self.class.sshExec!(ssh, " echo '#{privateKey}' | wg pubkey")
+            def pubkey(privateKey, connection, options)
+                key = connection.exec(" echo '#{privateKey}' | wg pubkey", false, { **options, hide: true }).strip
+                if options['dry']
+                    key = connection.exec(" echo '#{privateKey}' | wg pubkey", false, { **options, 'dry' => false, hide: true }).strip
+                end
+                key
             end
 
             def prepareConfig(target)
                 target['Address'] = '172.20.0.1' unless target['Address']
-                target['Peers'].each do |name, data|
-                    target['Peers'][name] ||= {}
-                    target['Peers'][name]['AllowedIPs'] = SUBNET unless target['Peers'][name]['AllowedIPs']
-                end
             end
         end
     end

data/Plugins/OS/Linux/WireGuard/wg0.conf.erb

@@ -12,4 +12,7 @@ AllowedIPs = <%= peer['AllowedIPs'] %>
 <% if peer['Endpoint'] %>
 Endpoint = <%= peer['Endpoint'] %>:51820
 <% end %>
+<% if peer['PersistentKeepalive'] %>
+PersistentKeepalive = <%= peer['PersistentKeepalive'] %>
+<% end %>
 <% end %>

data/Plugins/OS/Linux/openSUSE/autoinst.xml.erb

@@ -31,9 +31,35 @@
     <dns t="map">
       <hostname><%= config['HostName'] %></hostname>
       <% if config['Domain'] %>
-        <domain><%= config['Domain'] %></domain>
+        <domain><%= Addressable::IDNA.to_ascii(config['Domain']) %></domain>
+      <% end %>
+      <% if config['DefaultNetwork']['DNS'] %>
+        <nameservers config:type="list">
+          <nameserver><%= config['DefaultNetwork']['DNS'] %></nameserver>
+        </nameservers>
       <% end %>
     </dns>
+    <% if config['DefaultNetwork']['IP'] %>
+      <interfaces config:type="list">
+        <interface>
+          <bootproto><%= config['DefaultNetwork']['IP'] == 'dhcp' ? 'dhcp' : 'static' %></bootproto>
+          <name>eth0</name>
+          <% if config['DefaultNetwork']['IP'] != 'dhcp' %><ipaddr><%= config['DefaultNetwork']['IP'] %></ipaddr><% end %>
+          <startmode>auto</startmode>
+        </interface>
+      </interfaces>
+    <% end %>
+    <% if config['DefaultNetwork']['Gateway'] %>
+      <routing>
+        <routes config:type="list">
+          <route>
+            <destination>default</destination>
+            <device>eth0</device>
+            <gateway><%= config['DefaultNetwork']['Gateway'] %></gateway>
+          </route>
+        </routes>
+      </routing>
+    <% end %>
   </networking>
   <software t="map">
     <% if !config['Apps'].to_a.empty? %>
@@ -49,7 +75,7 @@
       <% if !config['Services'].to_a.empty? %>
         <enable t="list">
           <% config['Services'].each do |service| %>
-            <service><%= service %></service>
+            <service><%= service.to_s %></service>
           <% end %>
         </enable>
       <% end %>
@@ -62,7 +88,7 @@
     <users config:type="list">
       <% config['Users'].each do |user, info| %>
         <user>
-          <username>root</username>
+          <username><%= user %></username>
           <% if info['PasswordHash'] %>
             <encrypted config:type="boolean">true</encrypted>
             <user_password><%= info['PasswordHash'] %></user_password>

data/Plugins/OS/Linux/systemd/systemd.lmm.rb

@@ -7,20 +7,22 @@ module ConfigLMM
             USER_SERVICE_DIR = '/etc/systemd/system/user@.service.d/'
 
             def actionSystemdDeploy(id, target, activeState, context, options)
-                if target['Location'] && target['Location'] != '@me'
-                    if target['UserCgroups']
-                        uri = Addressable::URI.parse(target['Location'])
-                        raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
-                        self.class.sshStart(uri) do |ssh|
-                            self.class.sshExec!(ssh, "mkdir -p #{USER_SERVICE_DIR}")
-                            ssh.scp.upload!(__dir__ + '/user-0.slice', SYSTEMD_CONFIG_PATH)
-                            ssh.scp.upload!(__dir__ + '/user@.service.d/delegate.conf', USER_SERVICE_DIR)
+                self.withConnection(target['Location'], target) do |connection|
+                    Linux.withConnection(connection) do |linuxConnection|
+                        if target['UserCgroups']
+                            linuxConnection.createDirs(options, USER_SERVICE_DIR)
+                            linuxConnection.upload(__dir__ + '/user-0.slice', SYSTEMD_CONFIG_PATH, options)
+                            linuxConnection.upload(__dir__ + '/user@.service.d/delegate.conf', USER_SERVICE_DIR, options)
+                        end
+                        if target['InstallServices']
+                            target['InstallServices'].each do |file, data|
+                                linuxConnection.upload(file, SYSTEMD_CONFIG_PATH, options)
+                                linuxConnection.reloadServiceManager(options)
+                                linuxConnection.ensureServiceAutoStart(File.basename(file), options)
+                            end
                         end
                     end
-                else
-                    # TODO
                 end
-
             end
 
         end

data/Plugins/OS/Routers/Aruba/ArubaInstant.lmm.rb

@@ -46,7 +46,7 @@ module ConfigLMM
                     end
 
                     creds = parseLocation(target['Location'])
-                    password = ENV['ARUBA_INSTANT_PASSWORD']
+                    password = context.secrets.load(target['SecretId'], 'PASSWORD')
 
                     # Couldn't get it working with net-ssh gem so using `ssh` as workaround
                     # Net::SSH.start(creds[:hostname], creds[:user], password: password, port: creds[:port]) do |ssh|
@@ -128,14 +128,15 @@ module ConfigLMM
             end
 
             def authenticate(actionMethod, target, activeState, context, options)
-                if ENV['ARUBA_INSTANT_PASSWORD'].to_s.empty? || ENV['ARUBA_INSTANT_PASSWORD'].to_s.empty?
-                    prompt.error('Set your Aruba Instant SSH password to ARUBA_INSTANT_PASSWORD as Environment Variable')
-                    raise Framework::PluginPrerequisite.new('Need ARUBA_INSTANT_PASSWORD')
+                authSecret = context.secrets.load(target['SecretId'], 'PASSWORD')
+                if authSecret.to_s.empty?
+                    prompt.error("Set your Aruba Instant SSH password in #{target['SecretId']}_PASSWORD")
+                    raise Framework::PluginPrerequisite.new('Need Aruba Instant password!')
                 else
                     if !target['Location']
                         raise Framework::PluginProcessError.new('Location must be provided!')
                     end
-                    checkSSHAuth!(target['Location'], ENV['ARUBA_INSTANT_PASSWORD'])
+                    checkSSHAuth!(target['Location'], authSecret)
                 end
                 true
             end

data/Plugins/Platforms/GitHub.lmm.rb

@@ -5,53 +5,98 @@ module ConfigLMM
     module LMM
         class GitHub < Framework::Plugin
 
-            def actionGitHubOrganizationRefresh(id, target, activeState, context, options)
-
-                client = Octokit::Client.new(:access_token => ENV['GITHUB_TOKEN'])
-                orgs = client.organizations.select { |org| org[:login] == target['Name'] }
-                if orgs.empty?
-                    prompt.say("Didn\'t find organization with name #{target['Name']}")
-                    prompt.say('You need to create it manually - https://github.com/organizations/plan')
-                    raise Framework::PluginPrerequisite.new('Organization must exist!')
+            def actionGitHubRefresh(id, target, activeState, context, options)
+                if !target['Organizations'].to_h.empty?
+                    activeState['Organizations'] = {}
+                    target['Organizations'].each do |name, organization|
+                        organizationRefresh(name, target, activeState, context, options)
+                    end
                 end
+            end
 
-                raise "This shouldn't happen!" if orgs.length != 1
-
-                activeState.clear
+            def actionGitHubDiff(id, target, activeState, context, options)
+                state = prepareState(target, activeState)
+                shouldMatch(id, state, 'Organizations', target, 'Organizations')
+            end
 
-                orgs.first.each do |name, value|
-                    activeState[name.to_s] = value
+            def actionGitHubDeploy(id, target, activeState, context, options)
+                actionGitHubDiff(id, target, activeState, context, options)
+                diff.each do |name, states|
+                    # TODO FIXME
                 end
             end
 
-            def actionGitHubOrganizationDiff(id, target, activeState, context, options)
-                shouldMatch(id, 'Name', 'login', target, activeState)
-                shouldMatch(id, 'Description', 'description', target, activeState)
+            def prepareState(target, activeState)
+                state = activeState.dup
+                state['Organizations'] ||= {}
+                state['Organizations'].each do |name, data|
+                    #state['Organizations'][name]['Name'] = state['Organizations'][name].delete('Login')
+                    state['Organizations'][name]['Description'] = state['Organizations'][name].delete('description')
+                end
+                state
             end
 
-            def actionGitHubOrganizationDeploy(id, target, activeState, context, options)
-                actionGitHubOrganizationDiff(id, target, activeState, context, options)
-                diff.each do |name, states|
-                    if name == 'Name'
-                        # TODO
-                    elsif name == 'Description'
-                        # TODO
+            def organizationRefresh(name, target, activeState, context, options)
+                authToken = context.secrets.load(target['SecretId'], 'TOKEN')
+                authToken = context.secrets.load('GITHUB', 'TOKEN') if authToken.nil?
+                client = Octokit::Client.new(:access_token => authToken)
+
+                allOrgs = client.organizations
+                if allOrgs.empty?
+                    # Fine-grained access token never returns any orgs
+                    org = client.organization(name)
+                else
+                    orgs = allOrgs.select { |org| org[:login] == name }
+                    if orgs.empty?
+                        prompt.say("Didn\'t find organization with name #{name}")
+                        prompt.say('You need to create it manually - https://github.com/organizations/plan')
+                        raise Framework::PluginPrerequisite.new('Organization must exist!')
                     end
+                    org = orgs.first
+                end
+
+                activeState['Organizations'][org.login] ||= {}
+
+                org.each do |name, value|
+                    data = value
+                    data = value.to_h if value && value.respond_to?(:to_h)
+                    data = value.to_s if value.is_a?(Time)
+                    activeState['Organizations'][org.login][name.to_s] = data
                 end
-                # TODO FIXME
-                raise 'Not implemented!'
             end
 
             def authenticate(actionMethod, target, activeState, context, options)
-                authToken = ENV['GITHUB_TOKEN']
+                authToken = context.secrets.load(target['SecretId'], 'TOKEN')
+                authToken = context.secrets.load('GITHUB', 'TOKEN') if authToken.nil?
                 if authToken.to_s.empty?
                     prompt.say('Open https://github.com/settings/tokens and create a token!')
-                    prompt.say('Then set it\'s value to GITHUB_TOKEN as Environment Variable')
-                    raise Framework::PluginPrerequisite.new('Need GITHUB_TOKEN!')
+                    prompt.say("Then set it\'s value in #{target['SecretId']}_TOKEN")
+                    raise Framework::PluginPrerequisite.new('Need GitHub token!')
                 end
                 true
             end
 
+            def self.getReleases(repoId, logger, context, options)
+                response = HTTP.get("https://api.github.com/repos/#{repoId}/releases")
+                if response.status.success?
+                    releases = response.parse
+                    releases.reject! { |release| release['draft'] || release['prerelease'] }
+                    return releases
+                end
+                logger.error("Failed to load GitHub release for #{repoId}")
+                raise response
+            end
+
+            def self.getReleaseAsset(name, releases)
+                pattern = name.gsub('.', '\\.').gsub('*', '.*')
+                releases.each do |release|
+                    release['assets'].each do |asset|
+                        return asset if asset['name'].match?(pattern)
+                    end
+                end
+                raise "Couldn't find GitHub asset #{name}!"
+            end
+
         end
     end
 end