RubyGems - cfn-vpn - Versions diffs - 0.4.2 → 0.5.0 - Mend

cfn-vpn 0.4.2 → 0.5.0

Files changed (15) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4f6be01a5786f8ea62be6d6b7f781ad1036b8edff08ba7d509707565fbeb5862
-  data.tar.gz: 9a9a2038b6c955871983649f1c2627c6c2eedf9a64cae20ceb04ba73c25a3616
+  metadata.gz: 55d1d34bbcec9a355d6b73ce1d9156d4eeaed551ae70d1591771a98bcd81f12a
+  data.tar.gz: 0d79be873bd64fed0f9821c6da9b6f8e39ebbb0c1582a3289046277bf8521bdb
 SHA512:
-  metadata.gz: d0a839efc1e6d5826fc9b9edfcd3c608b0eb3a1f6b79df624de1be888b4d817a4c9c6994e9ea806e002998e0affa9cb5b0db1b25c04fa12677181e7d504fc958
-  data.tar.gz: 051bc8385ced35fafbcffa4b013cb8e4d962dafb74f88c1574df4684f37b64fd074dfa4bdcdba0edafa3bc3dee855bd83217a3c23a00f60be6c18dad6f728052
+  metadata.gz: 80e02dc0d11a30bcc07c509d5f1c5e11c5a176e54ca3fd9e6f41d26a8cedeefe292ce2a48fe4e94b804ed2b6974374034a36092e163a77afe39a39beb9a7c2a7
+  data.tar.gz: 9fb519ef4dc2ccc28a7d03fb9c341c8107084ddf6aaadfece24b8108a07b10a2142e675b8fe563d097d8c2c868eb0835ebaa6483ebd744a93380b14a76641a7a

data/Dockerfile ADDED

@@ -0,0 +1,26 @@
+FROM ruby:2.7-alpine
+RUN apk add --no-cache easy-rsa git \
+    # Hack until easy-rsa 3.0.7 is released https://github.com/OpenVPN/easy-rsa/issues/261
+    && sed -i 's/^RANDFILE\s*=\s\$ENV.*/#&/' /usr/share/easy-rsa/openssl-easyrsa.cnf \
+    && ln -s /usr/share/easy-rsa/easyrsa  /usr/bin/
+ENV EASYRSA=/usr/share/easy-rsa
+ENV EASYRSA_BATCH=yes
+ARG CFNVPN_VERSION="0.5.0"
+COPY . /src
+WORKDIR /src
+RUN gem build cfn-vpn.gemspec \
+    && gem install cfn-vpn-${CFNVPN_VERSION}.gem \
+    && rm -rf /src
+RUN addgroup -g 1000 cfnvpn && \
+    adduser -D -u 1000 -G cfnvpn cfnvpn
+USER cfnvpn
+RUN cfndsl -u 9.0.0

data/cfn-vpn.gemspec CHANGED

@@ -38,7 +38,6 @@ Gem::Specification.new do |spec|
   spec.add_dependency "thor", "~> 0.20"
   spec.add_dependency "terminal-table", '~> 1', '<2'
   spec.add_dependency 'cfhighlander', '~> 0.9', '<1'
-  spec.add_dependency 'cfndsl', '~> 0.17', '<1'
   spec.add_dependency 'netaddr', '2.0.4'
   spec.add_runtime_dependency 'aws-sdk-ec2', '~> 1.95', '<2'
   spec.add_runtime_dependency 'aws-sdk-acm', '~> 1', '<2'

data/lib/cfnvpn/certificates.rb CHANGED

@@ -1,4 +1,5 @@
 require 'fileutils'
+require 'mkmf'
 require 'cfnvpn/acm'
 require 'cfnvpn/s3'
 require 'cfnvpn/log'
@@ -7,38 +8,76 @@ module CfnVpn
   class Certificates
     include CfnVpn::Log
-    def initialize(build_dir,cfnvpn_name)
+    def initialize(build_dir, cfnvpn_name, easyrsa_local = false)
       @cfnvpn_name = cfnvpn_name
+      @easyrsa_local = easyrsa_local
+      if @easyrsa_local
+        unless which('easyrsa')
+          raise "Unable to find `easyrsa` in your path. Check your path or remove the `--easyrsa-local` flag to run from docker"
+        end
+      end
+      @build_dir = build_dir
       @config_dir = "#{build_dir}/config"
       @cert_dir = "#{build_dir}/certificates"
+      @pki_dir = "#{build_dir}/pki"
       @docker_cmd = %w(docker run -it --rm)
-      @easyrsa_image = "base2/aws-client-vpn"
+      @easyrsa_image = " base2/aws-client-vpn"
       FileUtils.mkdir_p(@cert_dir)
+      FileUtils.mkdir_p(@pki_dir)
     end
     def generate_ca(server_cn,client_cn)
-      @docker_cmd << "-e EASYRSA_REQ_CN=#{server_cn}"
-      @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
-      @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
-      @docker_cmd << @easyrsa_image
-      @docker_cmd << "sh -c 'create-ca'"
-      return `#{@docker_cmd.join(' ')}`
+      if @easyrsa_local
+        ENV["EASYRSA_REQ_CN"] = server_cn
+        ENV["EASYRSA_PKI"] = @pki_dir
+        system("easyrsa init-pki")
+        system("easyrsa build-ca nopass")
+        system("easyrsa build-server-full server nopass")
+        system("easyrsa build-client-full #{client_cn} nopass")
+        FileUtils.cp(["#{@pki_dir}/ca.crt", "#{@pki_dir}/issued/server.crt", "#{@pki_dir}/private/server.key", "#{@pki_dir}/issued/#{client_cn}.crt", "#{@pki_dir}/private/#{client_cn}.key"], @cert_dir)
+        system("tar czfv #{@cert_dir}/ca.tar.gz -C #{@build_dir} pki/")
+      else
+        @docker_cmd << "-e EASYRSA_REQ_CN=#{server_cn}"
+        @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+        @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+        @docker_cmd << @easyrsa_image
+        @docker_cmd << "sh -c 'create-ca'"
+        Log.logger.debug `#{@docker_cmd.join(' ')}`
+      end
     end
     def generate_client(client_cn)
-      @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
-      @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
-      @docker_cmd << @easyrsa_image
-      @docker_cmd << "sh -c 'create-client'"
-      return `#{@docker_cmd.join(' ')}`
+      if @easyrsa_local
+        ENV["EASYRSA_PKI"] = @pki_dir
+        system("tar xzfv #{@cert_dir}/ca.tar.gz --directory #{@build_dir}")
+        system("easyrsa build-client-full #{client_cn} nopass")
+        system("tar czfv #{@cert_dir}/#{client_cn}.tar.gz -C #{@build_dir} pki/issued/#{client_cn}.crt pki/private/#{client_cn}.key pki/reqs/#{client_cn}.req")
+      else
+        @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+        @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+        @docker_cmd << @easyrsa_image
+        @docker_cmd << "sh -c 'create-client'"
+        Log.logger.debug `#{@docker_cmd.join(' ')}`
+      end
     end
     def revoke_client(client_cn)
-      @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
-      @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
-      @docker_cmd << @easyrsa_image
-      @docker_cmd << "sh -c 'revoke-client'"
-      return `#{@docker_cmd.join(' ')}`
+      if @easyrsa_local
+        ENV["EASYRSA_PKI"] = @pki_dir
+        system("tar xzfv #{@cert_dir}/ca.tar.gz --directory #{@build_dir}")
+        system("tar xzfv #{@cert_dir}/#{client_cn}.tar.gz --directory #{@build_dir}")
+        system("easyrsa revoke #{client_cn}")
+        system("easyrsa gen-crl")
+        FileUtils.cp("#{@pki_dir}/crl.pem", @cert_dir)
+      else
+        @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+        @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+        @docker_cmd << @easyrsa_image
+        @docker_cmd << "sh -c 'revoke-client'"
+        Log.logger.debug `#{@docker_cmd.join(' ')}`
+      end
     end
     def upload_certificates(region,cert,type,cn=nil)
@@ -65,6 +104,17 @@ module CfnVpn
       `tar xzfv #{tar} -C #{@config_dir} --strip 2`
       File.delete(tar) if File.exist?(tar)
     end
+    def which(cmd)
+      exts = ENV['PATHEXT'] ? ENV['PATHEXT'].split(';') : ['']
+      ENV['PATH'].split(File::PATH_SEPARATOR).each do |path|
+        exts.each do |ext|
+          exe = File.join(path, "#{cmd}#{ext}")
+          return exe if File.executable?(exe) && !File.directory?(exe)
+        end
+      end
+      nil
+    end
   end
 end

data/lib/cfnvpn/client.rb CHANGED

@@ -1,6 +1,8 @@
 require 'thor'
+require 'fileutils'
 require 'cfnvpn/log'
 require 'cfnvpn/s3'
+require 'cfnvpn/globals'
 module CfnVpn
   class Client < Thor::Group
@@ -15,6 +17,7 @@ module CfnVpn
     class_option :bucket, desc: 's3 bucket', required: true
     class_option :client_cn, desc: 'client certificate common name', required: true
+    class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
     def self.source_root
       File.dirname(__FILE__)
@@ -25,15 +28,16 @@ module CfnVpn
     end
     def set_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
       @cert_dir = "#{@build_dir}/certificates"
+      FileUtils.mkdir_p(@cert_dir)
     end
     def create_certificate
       s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
       s3.get_object("#{@cert_dir}/ca.tar.gz")
       Log.logger.info "Generating new client certificate #{@options['client_cn']} using openvpn easy-rsa"
-      cert = CfnVpn::Certificates.new(@build_dir,@name)
+      cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
       Log.logger.debug cert.generate_client(@options['client_cn'])
       s3.store_object("#{@cert_dir}/#{@options['client_cn']}.tar.gz")
     end

data/lib/cfnvpn/config.rb CHANGED

@@ -1,5 +1,6 @@
 require 'cfnvpn/clientvpn'
 require 'cfnvpn/log'
+require 'cfnvpn/globals'
 module CfnVpn
   class Config < Thor::Group
@@ -13,7 +14,7 @@ module CfnVpn
     class_option :verbose, desc: 'set log level to debug', type: :boolean
     class_option :bucket, required: true, desc: 's3 bucket'
     class_option :client_cn, required: true, desc: "client certificates to download"
+    class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
     class_option :ignore_routes, alias: :i, type: :boolean, desc: "Ignore client VPN pushed routes and set routes in config file"
     def self.source_root
@@ -25,7 +26,7 @@ module CfnVpn
     end
     def create_config_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
       @config_dir = "#{@build_dir}/config"
       Log.logger.debug("Creating config directory #{@config_dir}")
       FileUtils.mkdir_p(@config_dir)
@@ -48,7 +49,7 @@ module CfnVpn
         Log.logger.info "Downloading certificates for #{@options['client_cn']} to #{@config_dir}"
         s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
         s3.get_object("#{@config_dir}/#{@options['client_cn']}.tar.gz")
-        cert = CfnVpn::Certificates.new(@build_dir,@name)
+        cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
         Log.logger.debug cert.extract_certificate(@options['client_cn'])
       end
     end

data/lib/cfnvpn/embedded.rb CHANGED

@@ -1,5 +1,6 @@
 require 'cfnvpn/log'
 require 'cfnvpn/s3'
+require 'cfnvpn/globals'
 module CfnVpn
   class Embedded < Thor::Group
@@ -13,7 +14,8 @@ module CfnVpn
     class_option :verbose, desc: 'set log level to debug', type: :boolean
     class_option :bucket, required: true, desc: 'S3 bucket'
-    class_option :client_cn, required: true, desc: 'Client certificates to download'
+    class_option :client_cn, required: true, default: false, desc: 'Client certificates to download'
+    class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
     class_option :ignore_routes, alias: :i, type: :boolean, desc: 'Ignore client VPN pushed routes and set routes in config file'
     def self.source_root
@@ -25,7 +27,7 @@ module CfnVpn
     end
     def create_config_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
       @config_dir = "#{@build_dir}/config"
       Log.logger.debug("Creating config directory #{@config_dir}")
       FileUtils.mkdir_p(@config_dir)
@@ -41,7 +43,7 @@ module CfnVpn
         Log.logger.info "Downloading certificates for #{@options['client_cn']} to #{@config_dir}"
         s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
         s3.get_object("#{@config_dir}/#{@options['client_cn']}.tar.gz")
-        cert = CfnVpn::Certificates.new(@build_dir,@name)
+        cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
         Log.logger.debug cert.extract_certificate(@options['client_cn'])
       end
     end
@@ -74,7 +76,7 @@ module CfnVpn
     end
     def embed_certs
-      cert = CfnVpn::Certificates.new(@build_dir,@name)
+      cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
       Log.logger.debug cert.extract_certificate(@options['client_cn'])
       Log.logger.debug "Reading extracted certificate and private key"
       key = File.read("#{@config_dir}/#{@options['client_cn']}.key")

data/lib/cfnvpn/globals.rb ADDED

@@ -0,0 +1,16 @@
+module CfnVpn
+  class << self
+    # Returns the filepath to the location CfnVpn will use for
+    # storage. Used for certificate generation as well as the
+    # download and upload location. Can be overridden by specifying
+    # a value for the ENV variable
+    # 'CFNVPN_PATH'.
+    #
+    # @return [String]
+    def cfnvpn_path
+      @cfnvpn_path ||= File.expand_path(ENV["CFNVPN_PATH"] || "~/.cfnvpn")
+    end
+  end
+end

data/lib/cfnvpn/init.rb CHANGED

@@ -6,6 +6,7 @@ require 'cfnvpn/cfhighlander'
 require 'cfnvpn/cloudformation'
 require 'cfnvpn/log'
 require 'cfnvpn/clientvpn'
+require 'cfnvpn/globals'
 module CfnVpn
   class Init < Thor::Group
@@ -20,6 +21,7 @@ module CfnVpn
     class_option :server_cn, required: true, desc: 'server certificate common name'
     class_option :client_cn, desc: 'client certificate common name'
+    class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
     class_option :bucket, required: true, desc: 's3 bucket'
     class_option :subnet_id, required: true, desc: 'subnet id to associate your vpn with'
@@ -40,7 +42,7 @@ module CfnVpn
     end
     def create_build_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
       Log.logger.debug "creating directory #{@build_dir}"
       FileUtils.mkdir_p(@build_dir)
     end
@@ -69,13 +71,13 @@ module CfnVpn
     # create certificates
     def generate_server_certificates
       Log.logger.info "Generating certificates using openvpn easy-rsa"
-      cert = CfnVpn::Certificates.new(@build_dir,@name)
+      cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
       @client_cn = @options['client_cn'] ? @options['client_cn'] : "client-vpn.#{@options['server_cn']}"
-      Log.logger.debug cert.generate_ca(@options['server_cn'],@client_cn)
+      cert.generate_ca(@options['server_cn'],@client_cn)
     end
     def upload_certificates
-      cert = CfnVpn::Certificates.new(@build_dir,@name)
+      cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
       @config['parameters']['ServerCertificateArn'] = cert.upload_certificates(@options['region'],'server','server',@options['server_cn'])
       @config['parameters']['ClientCertificateArn'] = cert.upload_certificates(@options['region'],@client_cn,'client')
       s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)

data/lib/cfnvpn/modify.rb CHANGED

@@ -6,6 +6,7 @@ require 'cfnvpn/cfhighlander'
 require 'cfnvpn/cloudformation'
 require 'cfnvpn/log'
 require 'cfnvpn/clientvpn'
+require 'cfnvpn/globals'
 module CfnVpn
   class Modify < Thor::Group
@@ -35,7 +36,7 @@ module CfnVpn
     end
     def create_build_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
       Log.logger.debug "creating directory #{@build_dir}"
       FileUtils.mkdir_p(@build_dir)
     end

data/lib/cfnvpn/revoke.rb CHANGED

@@ -1,6 +1,7 @@
 require 'thor'
 require 'cfnvpn/log'
 require 'cfnvpn/s3'
+require 'cfnvpn/globals'
 module CfnVpn
   class Revoke < Thor::Group
@@ -15,6 +16,7 @@ module CfnVpn
     class_option :bucket, desc: 's3 bucket', required: true
     class_option :client_cn, desc: 'client certificate common name', required: true
+    class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
     def self.source_root
       File.dirname(__FILE__)
@@ -25,12 +27,12 @@ module CfnVpn
     end
     def set_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
       @cert_dir = "#{@build_dir}/certificates"
     end
     def revoke_certificate
-      cert = CfnVpn::Certificates.new(@build_dir,@name)
+      cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
       s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
       s3.get_object("#{@cert_dir}/ca.tar.gz")
       s3.get_object("#{@cert_dir}/#{@options['client_cn']}.tar.gz")

data/lib/cfnvpn/routes.rb CHANGED

@@ -1,6 +1,7 @@
 require 'thor'
 require 'cfnvpn/log'
 require 'cfnvpn/s3'
+require 'cfnvpn/globals'
 module CfnVpn
   class Routes < Thor::Group
@@ -26,7 +27,7 @@ module CfnVpn
     end
     def set_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
     end
     def add_route

data/lib/cfnvpn/sessions.rb CHANGED

@@ -2,6 +2,7 @@ require 'thor'
 require 'terminal-table'
 require 'cfnvpn/log'
 require 'cfnvpn/clientvpn'
+require 'cfnvpn/globals'
 module CfnVpn
   class Sessions < Thor::Group
@@ -25,7 +26,7 @@ module CfnVpn
     end
     def set_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
     end
     def get_endpoint

data/lib/cfnvpn/version.rb CHANGED

@@ -1,4 +1,4 @@
 module CfnVpn
-  VERSION = "0.4.2".freeze
+  VERSION = "0.5.0".freeze
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-vpn
 version: !ruby/object:Gem::Version
-  version: 0.4.2
+  version: 0.5.0
 platform: ruby
 authors:
 - Guslington
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-02-14 00:00:00.000000000 Z
+date: 2020-02-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -64,26 +64,6 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '1'
-- !ruby/object:Gem::Dependency
-  name: cfndsl
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.17'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '1'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.17'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '1'
 - !ruby/object:Gem::Dependency
   name: netaddr
   requirement: !ruby/object:Gem::Requirement
@@ -216,6 +196,7 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".travis.yml"
+- Dockerfile
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -232,6 +213,7 @@ files:
 - lib/cfnvpn/cloudformation.rb
 - lib/cfnvpn/config.rb
 - lib/cfnvpn/embedded.rb
+- lib/cfnvpn/globals.rb
 - lib/cfnvpn/init.rb
 - lib/cfnvpn/log.rb
 - lib/cfnvpn/modify.rb