RubyGems - cfn-vpn - Versions diffs - 0.4.2 → 0.5.0 - Mend

cfn-vpn 0.4.2 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4f6be01a5786f8ea62be6d6b7f781ad1036b8edff08ba7d509707565fbeb5862
-  data.tar.gz: 9a9a2038b6c955871983649f1c2627c6c2eedf9a64cae20ceb04ba73c25a3616
+  metadata.gz: 55d1d34bbcec9a355d6b73ce1d9156d4eeaed551ae70d1591771a98bcd81f12a
+  data.tar.gz: 0d79be873bd64fed0f9821c6da9b6f8e39ebbb0c1582a3289046277bf8521bdb
 SHA512:
-  metadata.gz: d0a839efc1e6d5826fc9b9edfcd3c608b0eb3a1f6b79df624de1be888b4d817a4c9c6994e9ea806e002998e0affa9cb5b0db1b25c04fa12677181e7d504fc958
-  data.tar.gz: 051bc8385ced35fafbcffa4b013cb8e4d962dafb74f88c1574df4684f37b64fd074dfa4bdcdba0edafa3bc3dee855bd83217a3c23a00f60be6c18dad6f728052
+  metadata.gz: 80e02dc0d11a30bcc07c509d5f1c5e11c5a176e54ca3fd9e6f41d26a8cedeefe292ce2a48fe4e94b804ed2b6974374034a36092e163a77afe39a39beb9a7c2a7
+  data.tar.gz: 9fb519ef4dc2ccc28a7d03fb9c341c8107084ddf6aaadfece24b8108a07b10a2142e675b8fe563d097d8c2c868eb0835ebaa6483ebd744a93380b14a76641a7a

data/Dockerfile ADDED

@@ -0,0 +1,26 @@
+FROM ruby:2.7-alpine
+RUN apk add --no-cache easy-rsa git \
+    # Hack until easy-rsa 3.0.7 is released https://github.com/OpenVPN/easy-rsa/issues/261
+    && sed -i 's/^RANDFILE\s*=\s\$ENV.*/#&/' /usr/share/easy-rsa/openssl-easyrsa.cnf \
+    && ln -s /usr/share/easy-rsa/easyrsa  /usr/bin/
+ENV EASYRSA=/usr/share/easy-rsa
+ENV EASYRSA_BATCH=yes
+ARG CFNVPN_VERSION="0.5.0"
+COPY . /src
+WORKDIR /src
+RUN gem build cfn-vpn.gemspec \
+    && gem install cfn-vpn-${CFNVPN_VERSION}.gem \
+    && rm -rf /src
+RUN addgroup -g 1000 cfnvpn && \
+    adduser -D -u 1000 -G cfnvpn cfnvpn
+USER cfnvpn
+RUN cfndsl -u 9.0.0

data/cfn-vpn.gemspec CHANGED

@@ -38,7 +38,6 @@ Gem::Specification.new do |spec|
   spec.add_dependency "thor", "~> 0.20"
   spec.add_dependency "terminal-table", '~> 1', '<2'
   spec.add_dependency 'cfhighlander', '~> 0.9', '<1'
-  spec.add_dependency 'cfndsl', '~> 0.17', '<1'
   spec.add_dependency 'netaddr', '2.0.4'
   spec.add_runtime_dependency 'aws-sdk-ec2', '~> 1.95', '<2'
   spec.add_runtime_dependency 'aws-sdk-acm', '~> 1', '<2'

data/lib/cfnvpn/certificates.rb CHANGED

@@ -1,4 +1,5 @@
 require 'fileutils'
+require 'mkmf'
 require 'cfnvpn/acm'
 require 'cfnvpn/s3'
 require 'cfnvpn/log'
@@ -7,38 +8,76 @@ module CfnVpn
   class Certificates
     include CfnVpn::Log
-    def initialize(build_dir,cfnvpn_name)
+    def initialize(build_dir, cfnvpn_name, easyrsa_local = false)
       @cfnvpn_name = cfnvpn_name
+      @easyrsa_local = easyrsa_local
+      if @easyrsa_local
+        unless which('easyrsa')
+          raise "Unable to find `easyrsa` in your path. Check your path or remove the `--easyrsa-local` flag to run from docker"
+        end
+      end
+      @build_dir = build_dir
       @config_dir = "#{build_dir}/config"
       @cert_dir = "#{build_dir}/certificates"
+      @pki_dir = "#{build_dir}/pki"
       @docker_cmd = %w(docker run -it --rm)
-      @easyrsa_image = "base2/aws-client-vpn"
+      @easyrsa_image = " base2/aws-client-vpn"
       FileUtils.mkdir_p(@cert_dir)
+      FileUtils.mkdir_p(@pki_dir)
     end
     def generate_ca(server_cn,client_cn)
-      @docker_cmd << "-e EASYRSA_REQ_CN=#{server_cn}"
-      @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
-      @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
-      @docker_cmd << @easyrsa_image
-      @docker_cmd << "sh -c 'create-ca'"
-      return `#{@docker_cmd.join(' ')}`
+      if @easyrsa_local
+        ENV["EASYRSA_REQ_CN"] = server_cn
+        ENV["EASYRSA_PKI"] = @pki_dir
+        system("easyrsa init-pki")
+        system("easyrsa build-ca nopass")
+        system("easyrsa build-server-full server nopass")
+        system("easyrsa build-client-full #{client_cn} nopass")
+        FileUtils.cp(["#{@pki_dir}/ca.crt", "#{@pki_dir}/issued/server.crt", "#{@pki_dir}/private/server.key", "#{@pki_dir}/issued/#{client_cn}.crt", "#{@pki_dir}/private/#{client_cn}.key"], @cert_dir)
+        system("tar czfv #{@cert_dir}/ca.tar.gz -C #{@build_dir} pki/")
+      else
+        @docker_cmd << "-e EASYRSA_REQ_CN=#{server_cn}"
+        @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+        @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+        @docker_cmd << @easyrsa_image
+        @docker_cmd << "sh -c 'create-ca'"
+        Log.logger.debug `#{@docker_cmd.join(' ')}`
+      end
     end
     def generate_client(client_cn)
-      @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
-      @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
-      @docker_cmd << @easyrsa_image
-      @docker_cmd << "sh -c 'create-client'"
-      return `#{@docker_cmd.join(' ')}`
+      if @easyrsa_local
+        ENV["EASYRSA_PKI"] = @pki_dir
+        system("tar xzfv #{@cert_dir}/ca.tar.gz --directory #{@build_dir}")
+        system("easyrsa build-client-full #{client_cn} nopass")
+        system("tar czfv #{@cert_dir}/#{client_cn}.tar.gz -C #{@build_dir} pki/issued/#{client_cn}.crt pki/private/#{client_cn}.key pki/reqs/#{client_cn}.req")
+      else
+        @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+        @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+        @docker_cmd << @easyrsa_image
+        @docker_cmd << "sh -c 'create-client'"
+        Log.logger.debug `#{@docker_cmd.join(' ')}`
+      end
     end
     def revoke_client(client_cn)
-      @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
-      @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
-      @docker_cmd << @easyrsa_image
-      @docker_cmd << "sh -c 'revoke-client'"
-      return `#{@docker_cmd.join(' ')}`
+      if @easyrsa_local
+        ENV["EASYRSA_PKI"] = @pki_dir
+        system("tar xzfv #{@cert_dir}/ca.tar.gz --directory #{@build_dir}")
+        system("tar xzfv #{@cert_dir}/#{client_cn}.tar.gz --directory #{@build_dir}")
+        system("easyrsa revoke #{client_cn}")
+        system("easyrsa gen-crl")
+        FileUtils.cp("#{@pki_dir}/crl.pem", @cert_dir)
+      else
+        @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+        @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+        @docker_cmd << @easyrsa_image
+        @docker_cmd << "sh -c 'revoke-client'"
+        Log.logger.debug `#{@docker_cmd.join(' ')}`
+      end
     end
     def upload_certificates(region,cert,type,cn=nil)
@@ -65,6 +104,17 @@ module CfnVpn
       `tar xzfv #{tar} -C #{@config_dir} --strip 2`
       File.delete(tar) if File.exist?(tar)
     end
+    def which(cmd)
+      exts = ENV['PATHEXT'] ? ENV['PATHEXT'].split(';') : ['']
+      ENV['PATH'].split(File::PATH_SEPARATOR).each do |path|
+        exts.each do |ext|
+          exe = File.join(path, "#{cmd}#{ext}")
+          return exe if File.executable?(exe) && !File.directory?(exe)
+        end
+      end
+      nil
+    end
   end
 end

data/lib/cfnvpn/client.rb CHANGED

@@ -1,6 +1,8 @@
 require 'thor'
+require 'fileutils'
 require 'cfnvpn/log'
 require 'cfnvpn/s3'
+require 'cfnvpn/globals'
 module CfnVpn
   class Client < Thor::Group
@@ -15,6 +17,7 @@ module CfnVpn
     class_option :bucket, desc: 's3 bucket', required: true
     class_option :client_cn, desc: 'client certificate common name', required: true
+    class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
     def self.source_root
       File.dirname(__FILE__)
@@ -25,15 +28,16 @@ module CfnVpn
     end
     def set_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
       @cert_dir = "#{@build_dir}/certificates"
+      FileUtils.mkdir_p(@cert_dir)
     end
     def create_certificate
       s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
       s3.get_object("#{@cert_dir}/ca.tar.gz")
       Log.logger.info "Generating new client certificate #{@options['client_cn']} using openvpn easy-rsa"
-      cert = CfnVpn::Certificates.new(@build_dir,@name)
+      cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
       Log.logger.debug cert.generate_client(@options['client_cn'])
       s3.store_object("#{@cert_dir}/#{@options['client_cn']}.tar.gz")
     end

data/lib/cfnvpn/config.rb CHANGED

@@ -1,5 +1,6 @@
 require 'cfnvpn/clientvpn'
 require 'cfnvpn/log'
+require 'cfnvpn/globals'
 module CfnVpn
   class Config < Thor::Group
@@ -13,7 +14,7 @@ module CfnVpn
     class_option :verbose, desc: 'set log level to debug', type: :boolean
     class_option :bucket, required: true, desc: 's3 bucket'
     class_option :client_cn, required: true, desc: "client certificates to download"
+    class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
     class_option :ignore_routes, alias: :i, type: :boolean, desc: "Ignore client VPN pushed routes and set routes in config file"
     def self.source_root
@@ -25,7 +26,7 @@ module CfnVpn
     end
     def create_config_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
       @config_dir = "#{@build_dir}/config"
       Log.logger.debug("Creating config directory #{@config_dir}")
       FileUtils.mkdir_p(@config_dir)
@@ -48,7 +49,7 @@ module CfnVpn
         Log.logger.info "Downloading certificates for #{@options['client_cn']} to #{@config_dir}"
         s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
         s3.get_object("#{@config_dir}/#{@options['client_cn']}.tar.gz")
-        cert = CfnVpn::Certificates.new(@build_dir,@name)
+        cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
         Log.logger.debug cert.extract_certificate(@options['client_cn'])
       end
     end

data/lib/cfnvpn/embedded.rb CHANGED

@@ -1,5 +1,6 @@
 require 'cfnvpn/log'
 require 'cfnvpn/s3'
+require 'cfnvpn/globals'
 module CfnVpn
   class Embedded < Thor::Group
@@ -13,7 +14,8 @@ module CfnVpn
     class_option :verbose, desc: 'set log level to debug', type: :boolean
     class_option :bucket, required: true, desc: 'S3 bucket'
-    class_option :client_cn, required: true, desc: 'Client certificates to download'
+    class_option :client_cn, required: true, default: false, desc: 'Client certificates to download'
+    class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
     class_option :ignore_routes, alias: :i, type: :boolean, desc: 'Ignore client VPN pushed routes and set routes in config file'
     def self.source_root
@@ -25,7 +27,7 @@ module CfnVpn
     end
     def create_config_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
       @config_dir = "#{@build_dir}/config"
       Log.logger.debug("Creating config directory #{@config_dir}")
       FileUtils.mkdir_p(@config_dir)
@@ -41,7 +43,7 @@ module CfnVpn
         Log.logger.info "Downloading certificates for #{@options['client_cn']} to #{@config_dir}"
         s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
         s3.get_object("#{@config_dir}/#{@options['client_cn']}.tar.gz")
-        cert = CfnVpn::Certificates.new(@build_dir,@name)
+        cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
         Log.logger.debug cert.extract_certificate(@options['client_cn'])
       end
     end
@@ -74,7 +76,7 @@ module CfnVpn
     end
     def embed_certs
-      cert = CfnVpn::Certificates.new(@build_dir,@name)
+      cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
       Log.logger.debug cert.extract_certificate(@options['client_cn'])
       Log.logger.debug "Reading extracted certificate and private key"
       key = File.read("#{@config_dir}/#{@options['client_cn']}.key")

data/lib/cfnvpn/globals.rb ADDED

@@ -0,0 +1,16 @@
+module CfnVpn
+  class << self
+    # Returns the filepath to the location CfnVpn will use for
+    # storage. Used for certificate generation as well as the
+    # download and upload location. Can be overridden by specifying
+    # a value for the ENV variable
+    # 'CFNVPN_PATH'.
+    #
+    # @return [String]
+    def cfnvpn_path
+      @cfnvpn_path ||= File.expand_path(ENV["CFNVPN_PATH"] || "~/.cfnvpn")
+    end
+  end
+end

data/lib/cfnvpn/init.rb CHANGED

@@ -6,6 +6,7 @@ require 'cfnvpn/cfhighlander'
 require 'cfnvpn/cloudformation'
 require 'cfnvpn/log'
 require 'cfnvpn/clientvpn'
+require 'cfnvpn/globals'
 module CfnVpn
   class Init < Thor::Group
@@ -20,6 +21,7 @@ module CfnVpn
     class_option :server_cn, required: true, desc: 'server certificate common name'
     class_option :client_cn, desc: 'client certificate common name'
+    class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
     class_option :bucket, required: true, desc: 's3 bucket'
     class_option :subnet_id, required: true, desc: 'subnet id to associate your vpn with'
@@ -40,7 +42,7 @@ module CfnVpn
     end
     def create_build_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
       Log.logger.debug "creating directory #{@build_dir}"
       FileUtils.mkdir_p(@build_dir)
     end
@@ -69,13 +71,13 @@ module CfnVpn
     # create certificates
     def generate_server_certificates
       Log.logger.info "Generating certificates using openvpn easy-rsa"
-      cert = CfnVpn::Certificates.new(@build_dir,@name)
+      cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
       @client_cn = @options['client_cn'] ? @options['client_cn'] : "client-vpn.#{@options['server_cn']}"
-      Log.logger.debug cert.generate_ca(@options['server_cn'],@client_cn)
+      cert.generate_ca(@options['server_cn'],@client_cn)
     end
     def upload_certificates
-      cert = CfnVpn::Certificates.new(@build_dir,@name)
+      cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
       @config['parameters']['ServerCertificateArn'] = cert.upload_certificates(@options['region'],'server','server',@options['server_cn'])
       @config['parameters']['ClientCertificateArn'] = cert.upload_certificates(@options['region'],@client_cn,'client')
       s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)

data/lib/cfnvpn/modify.rb CHANGED

@@ -6,6 +6,7 @@ require 'cfnvpn/cfhighlander'
 require 'cfnvpn/cloudformation'
 require 'cfnvpn/log'
 require 'cfnvpn/clientvpn'
+require 'cfnvpn/globals'
 module CfnVpn
   class Modify < Thor::Group
@@ -35,7 +36,7 @@ module CfnVpn
     end
     def create_build_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
       Log.logger.debug "creating directory #{@build_dir}"
       FileUtils.mkdir_p(@build_dir)
     end

data/lib/cfnvpn/revoke.rb CHANGED

@@ -1,6 +1,7 @@
 require 'thor'
 require 'cfnvpn/log'
 require 'cfnvpn/s3'
+require 'cfnvpn/globals'
 module CfnVpn
   class Revoke < Thor::Group
@@ -15,6 +16,7 @@ module CfnVpn
     class_option :bucket, desc: 's3 bucket', required: true
     class_option :client_cn, desc: 'client certificate common name', required: true
+    class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
     def self.source_root
       File.dirname(__FILE__)
@@ -25,12 +27,12 @@ module CfnVpn
     end
     def set_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
       @cert_dir = "#{@build_dir}/certificates"
     end
     def revoke_certificate
-      cert = CfnVpn::Certificates.new(@build_dir,@name)
+      cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
       s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
       s3.get_object("#{@cert_dir}/ca.tar.gz")
       s3.get_object("#{@cert_dir}/#{@options['client_cn']}.tar.gz")

data/lib/cfnvpn/routes.rb CHANGED

@@ -1,6 +1,7 @@
 require 'thor'
 require 'cfnvpn/log'
 require 'cfnvpn/s3'
+require 'cfnvpn/globals'
 module CfnVpn
   class Routes < Thor::Group
@@ -26,7 +27,7 @@ module CfnVpn
     end
     def set_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
     end
     def add_route

data/lib/cfnvpn/sessions.rb CHANGED

@@ -2,6 +2,7 @@ require 'thor'
 require 'terminal-table'
 require 'cfnvpn/log'
 require 'cfnvpn/clientvpn'
+require 'cfnvpn/globals'
 module CfnVpn
   class Sessions < Thor::Group
@@ -25,7 +26,7 @@ module CfnVpn
     end
     def set_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
     end
     def get_endpoint

data/lib/cfnvpn/version.rb CHANGED

@@ -1,4 +1,4 @@
 module CfnVpn
-  VERSION = "0.4.2".freeze
+  VERSION = "0.5.0".freeze
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-vpn
 version: !ruby/object:Gem::Version
-  version: 0.4.2
+  version: 0.5.0
 platform: ruby
 authors:
 - Guslington
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-02-14 00:00:00.000000000 Z
+date: 2020-02-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -64,26 +64,6 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '1'
-- !ruby/object:Gem::Dependency
-  name: cfndsl
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.17'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '1'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.17'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '1'
 - !ruby/object:Gem::Dependency
   name: netaddr
   requirement: !ruby/object:Gem::Requirement
@@ -216,6 +196,7 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".travis.yml"
+- Dockerfile
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -232,6 +213,7 @@ files:
 - lib/cfnvpn/cloudformation.rb
 - lib/cfnvpn/config.rb
 - lib/cfnvpn/embedded.rb
+- lib/cfnvpn/globals.rb
 - lib/cfnvpn/init.rb
 - lib/cfnvpn/log.rb
 - lib/cfnvpn/modify.rb