enfcli 3.3.2.pre.alpha

data/lib/enfcli/commands/xiam.rb

@@ -0,0 +1,562 @@
+#
+# Copyright 2018 Xaptum,Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+require 'enfthor'
+require 'enfapi'
+require 'base64'
+require 'digest'
+require 'openssl'
+require 'ipaddr'
+
+module EnfCli
+  module Cmd
+
+    class Xiam < EnfThor
+      no_commands {
+        def write_pem_file keyfile, data
+          # check if keyfile ends with .pem extension
+          keyfile = "#{keyfile}.pem" unless keyfile.end_with?(".pem")
+
+          # Write to file
+          if write_to_file keyfile, data
+            say "Created #{keyfile}", :green
+          end          
+        end
+        
+        def write_to_file filename, data
+          begin
+            # check if file exists
+            filename = EnfCli::expand_path(filename)            
+            if File.exists?( filename ) 
+              proceed = ask("Overwrite #{filename}(type 'yes' to continue...)?")
+              return nil unless (proceed.downcase == 'yes')
+            end
+
+            # write to file
+            open filename, 'w' do |io| io.write data end
+
+            # return success
+            return true
+          rescue
+            raise EnfCli::ERROR, "Unable to write to file #{filename}! Please check file premissions."
+          end
+        end
+
+        def calculate_gid(basename, gpk)
+          Digest::SHA256.hexdigest([gpk].pack("H*") << [basename].pack("H*")).upcase
+        end
+
+        def scan_group_qr_code()
+          # Initalize values
+          gpk_header = ''
+          gpk_info = ''
+
+          # Scan QR Code
+          gpk_header = EnfCli::ask_password('Scan DAA group information:')
+          if gpk_header.length < 16
+            gpk_info = EnfCli::ask_password('')
+          else
+            tmp_header = gpk_header[0..12]
+            gpk_info = gpk_header[13..gpk_header.length]
+            gpk_header = tmp_header
+          end
+
+          gpk_info
+        end
+
+        def read_ec_key_file(keyfile)
+          # expand path
+          keyfile = EnfCli::expand_path(keyfile)
+          
+          ## return if keyfile not found
+          raise EnfCli::ERROR, "#{keyfile} not found!" unless File.exists?(keyfile)
+
+          # read the private key
+          OpenSSL::PKey::EC.new(File.read(keyfile))
+        end
+
+        def display_groups groups
+          headings = ['DAA Group', 'Base Name', 'Provisioned', 'Onboarded', 'Domain' ]
+          rows = groups.map{ |hash|
+            [ Base64.decode64(hash[:gid]).unpack("H*")[0], Base64.decode64(hash[:basename]),
+              hash[:provisioned_count], hash[:onboarded_count],
+              "#{IPAddr::new_ntoh( Base64.decode64(hash[:domain][:prefix]) )}/#{hash[:domain][:prefix_length]}"
+            ]
+          }
+          render_table(headings, rows)
+        end
+
+        def provision_endpoint(ipv6_address, pub)
+          # encode public key
+          hex = pub.to_bn.to_s(16)
+          pubkey = Base64.strict_encode64([hex].pack("H*"))
+
+          # create NEW_CREDENTIAL_ECDSA
+          new_credential = {
+            :type => "ecdsa_p256",
+            :key => pubkey
+          }          
+
+          # create NEW_ENDPOINT_AUTH
+          new_endpoint = {
+            :cred_oneof => {
+              :auth => {
+                :ecdsa_credential => new_credential,
+                :address_request => {
+                  :address_request_oneof => {
+                    :address => Base64.strict_encode64( ipv6_address.hton )
+                  }
+                }
+              }
+            }
+          }
+
+          data = EnfApi::Iam.instance.provision_endpoint new_endpoint
+          provisioned_ip = data[:address]
+          provisioned_ip = EnfCli::IPV6::ntoh Base64.decode64(provisioned_ip)
+
+          # Make sure provisioned ip is same as the requested ip
+          raise EnfCli::ERROR, "Hello World" unless provisioned_ip.to_s.eql?( ipv6_address.to_s )
+          
+          say "Created new ipv6 endpoint #{provisioned_ip}", :green
+        end
+
+        def update_endpoint_credentials(ipv6_address, pub)
+          # encode public key
+          hex = pub.to_bn.to_s(16)
+          pubkey = Base64.strict_encode64([hex].pack("H*"))
+
+          # create NEW_CREDENTIAL_ECDSA
+          new_credential = {
+            :type => "ecdsa_p256",
+            :key => pubkey
+          }
+
+          # create NEW_ECDSA_CREDENTIAL
+          new_cred = {
+            :cred_oneof => {
+              :ecdsa => new_credential
+            }
+          }
+
+          EnfApi::Iam.instance.update_endpoint_key ipv6_address, new_cred
+
+          say "Updated #{ipv6_address} credentials!", :green
+        end
+      }
+
+      desc "list-group", "List DAA Group Information"
+      def list_group
+        try_with_rescue_in_session do
+          qr_code_info = scan_group_qr_code()
+
+          # Extract gpk and basename
+          gpk_info = qr_code_info.split(",")
+          basename = gpk_info[0]
+          gpk = gpk_info[1]
+          
+          # Calculate gid
+          gid = calculate_gid basename, gpk
+
+          # url safe encode gid
+          enc_gid = Base64.urlsafe_encode64([gid].pack("H*"))
+
+          data = EnfApi::Iam.instance.list_group enc_gid
+          groups = [data]
+          
+          # display data
+          display_groups groups
+        end
+      end
+
+      desc "set-group-default-network", "Set /64 network as default for the DAA group"
+      method_option :'network', :type => :string, :required => true
+      method_option :'gid', :type => :string
+      def set_group_default_network
+        try_with_rescue_in_session do
+          network = EnfCli::IPV6Cidr.new options[:network]
+
+          # scan if gid not in options
+          if options[:gid] 
+            gid = options[:gid]
+          else
+            qr_code_info = scan_group_qr_code()
+
+            # Extract gpk and basename
+            gpk_info = qr_code_info.split(",")
+            basename = gpk_info[0]
+            gpk = gpk_info[1]
+
+            # Calculate gid
+            gid = calculate_gid basename, gpk
+          end
+          
+          # create IPV6_NETWORK
+          ipv6_network = {
+            :prefix => Base64.strict_encode64( network.prefix_bytes ),
+            :prefix_length => network.prefix_len
+          }
+
+          # create MODIFIED_GROUP
+          modified_group = {
+            :gid => Base64.strict_encode64([gid].pack("H*")),
+            :default_network => ipv6_network
+          }
+
+          # url safe encode gid
+          enc_gid = Base64.urlsafe_encode64([gid].pack("H*"))
+
+          # Post to server
+          EnfApi::Iam.instance.update_group enc_gid, modified_group
+
+          say "Set #{network} as default network for group #{gid}", :green
+        end
+      end      
+
+      desc "set-group-domain", "Set /48 domain for the DAA group"
+      method_option :'domain', :type => :string, :required => true
+      method_option :'gid', :type => :string
+      def set_group_domain
+        try_with_rescue_in_session do
+          domain_network = EnfCli::IPV6Cidr.new options[:domain]
+
+          # scan if gid not in options
+          if options[:gid] 
+            gid = options[:gid]
+          else
+            qr_code_info = scan_group_qr_code()
+
+            # Extract gpk and basename
+            gpk_info = qr_code_info.split(",")
+            basename = gpk_info[0]
+            gpk = gpk_info[1]
+
+            # Calculate gid
+            gid = calculate_gid basename, gpk
+          end
+          
+          # create IPV6_NETWORK
+          ipv6_network = {
+            :prefix => Base64.strict_encode64( domain_network.prefix_bytes ),
+            :prefix_length => domain_network.prefix_len
+          }
+
+          # create MODIFIED_GROUP
+          modified_group = {
+            :gid => Base64.strict_encode64([gid].pack("H*")),
+            :domain => ipv6_network
+          }
+
+          # url safe encode gid
+          enc_gid = Base64.urlsafe_encode64([gid].pack("H*"))
+
+          # Post to server
+          EnfApi::Iam.instance.update_group enc_gid, modified_group
+
+          say "Associated group #{gid} with #{domain_network}", :green
+        end
+      end
+
+      desc "add-group-to-network", "Associate a DAA Group with /64 network"
+      method_option :'network', :type => :string, :required => true
+      method_option :'gid', :type => :string
+      def add_group_to_network
+        try_with_rescue_in_session do
+          network = EnfCli::IPV6Cidr.new options[:network]
+
+          # scan if gid not in options
+          if options[:gid] 
+            gid = options[:gid]
+          else
+            qr_code_info = scan_group_qr_code()
+
+            # Extract gpk and basename
+            gpk_info = qr_code_info.split(",")
+            basename = gpk_info[0]
+            gpk = gpk_info[1]
+
+            # Calculate gid
+            gid = calculate_gid basename, gpk
+          end
+          
+          # create IPV6_NETWORK
+          ipv6_network = {
+            :prefix => Base64.strict_encode64( network.prefix_bytes ),
+            :prefix_length => network.prefix_len
+          }
+
+          # url safe encode gid
+          enc_gid = Base64.urlsafe_encode64([gid].pack("H*"))
+
+          # Post to server
+          EnfApi::Iam.instance.add_group_to_network enc_gid, ipv6_network
+
+          say "Associated group #{gid} with #{network}", :green
+        end
+      end
+
+      desc "provision-group", "Provision a DAA Group"
+      method_option :'device-count', :type => :numeric, :required => true
+      method_option :'operator', :type => :array, :required => true, :banner => "OPERATOR"
+      def provision_group
+        try_with_rescue_in_session do
+          qr_code_info = scan_group_qr_code()
+
+          # Extract gpk and basename
+          gpk_info = qr_code_info.split(",")
+          basename = gpk_info[0]
+          gpk = gpk_info[1]
+
+          # Calculate gid
+          gid = calculate_gid basename, gpk
+
+          # Extract options
+          operator = options.operator.join(" ").gsub(/\A"+(.*?)"+\Z/m, '\1')
+          quantity = options[:'device-count']
+
+          # base64 encode all binary data: basename, gpk, gid
+          enc_basename = Base64.strict_encode64([basename].pack("H*"))
+          enc_gpk = Base64.strict_encode64([gpk].pack("H*"))
+          enc_gid = Base64.strict_encode64([gid].pack("H*"))          
+
+          # create NEW_PROVISIONING
+          new_provisioning = {
+            :group_id => enc_gid,
+            :quantity => quantity,
+            :operator => operator
+          }
+
+          # create NEW_GROUP
+          new_group = {
+            :group_public_key => enc_gpk,
+            :basename => enc_basename,
+            :provisionings => [ new_provisioning ]
+          }
+            
+          # Post to server
+          EnfApi::Iam.instance.provision_group new_group
+
+          # display success
+          say "Provisioned a new DAA group #{gid}", :green
+        end
+      end
+
+      desc "list-network-groups", "List all DAA groups associated with a /64 network"
+      method_option :'network', :type => :string, :required => true
+      def list_network_groups
+        try_with_rescue_in_session do
+          # validate network
+          network = EnfCli::IPV6Cidr.new options[:network]
+          
+          # call the api
+          data = EnfApi::Iam.instance.list_network_groups network.to_s
+          groups = data[:body]
+
+          # display data
+          display_groups groups
+        end
+      end
+
+      desc "create-endpoint-key", "Generate a pem encoded EC key pair"
+      method_option :'key-out-file', :type => :string, :required => true, :banner => '<file>'
+      method_option :'public-key-out-file', :type => :string, :required => true, :banner => '<file>'
+      def create_endpoint_key
+        try_with_rescue_in_session do
+          # get options
+          keyfile = options['key-out-file']
+          pubfile = options['public-key-out-file']
+
+          # Generate a key pair
+          key = OpenSSL::PKey::EC.new('prime256v1')
+          key.generate_key
+
+          # write key pair to file
+          write_pem_file keyfile, key.to_pem
+
+          # write public key to file
+          key.private_key = nil
+          write_pem_file pubfile, key.to_pem        
+        end
+      end
+
+      desc "create-endpoint-cert", "Creates and signs a certificate for a particular identity using the provided private key"
+      method_option :'identity', :type => :string, :required => true, :banner => '<ipv6>'
+      method_option :'key-in-file', :type => :string, :required => true, :banner => '<file>'
+      method_option :'cert-out-file', :type => :string, :required => true, :banner => '<file>'
+      def create_endpoint_cert
+        try_with_rescue_in_session do
+          # get options
+          ipv6 = EnfCli::IPV6.new(options['identity']).to_s
+          keyfile = EnfCli::expand_path(options['key-in-file'])
+          certfile = EnfCli::expand_path(options['cert-out-file'])
+
+          # read the private key
+          key = read_ec_key_file keyfile
+
+          # generate cert
+          cert = EnfCli::generate_ec_cert(key, ipv6)
+
+          # write to file
+          write_pem_file certfile, cert.to_pem          
+        end
+      end
+
+      desc "create-endpoint-in-network", "Create an IPV6 endpoint in /64 network"
+      method_option :'network', :type => :string, :required => true, :banner => "<ipv6 network>"
+      method_option :'public-key-in-file', :type => :string, :required => true, :banner => "<file>"
+      def create_endpoint_in_network
+        try_with_rescue_in_session do
+          # Read options
+          network = EnfCli::IPV6Cidr.new options[:network]
+          keyfile = EnfCli::expand_path(options['public-key-in-file'])
+
+          # read keyfile
+          key = read_ec_key_file keyfile
+
+          # encode public key
+          pub = key.public_key
+          hex = pub.to_bn.to_s(16)
+          pubkey = Base64.strict_encode64([hex].pack("H*"))
+
+          # create NEW_CREDENTIAL_ECDSA
+          new_credential = {
+            :type => "ecdsa_p256",
+            :key => pubkey
+          }
+          
+          # create IPV6_NETWORK
+          ipv6_network = {
+            :prefix => Base64.strict_encode64( network.prefix_bytes ),
+            :prefix_length => network.prefix_len
+          }
+
+          # create NEW_ENDPOINT_AUTH
+          new_endpoint = {
+            :cred_oneof => {
+              :auth => {
+                :ecdsa_credential => new_credential,
+                :address_request => {
+                  :address_request_oneof => {
+                    :network => ipv6_network
+                  }
+                }
+              }
+            }
+          }
+
+          data = EnfApi::Iam.instance.provision_endpoint new_endpoint
+          provisioned_ip = data[:address]
+          provisioned_ip = EnfCli::IPV6::ntoh Base64.decode64(provisioned_ip)
+          
+          say "Created new ipv6 endpoint #{provisioned_ip}", :green
+        end
+      end
+
+      desc "create-endpoint-with-address", "Create an IPV6 endpoint in /64 network with user specified address"
+      method_option :'address', :type => :string, :required => true, :banner => "<ipv6 address>"
+      method_option :'public-key-in-file', :type => :string, :required => true, :banner => "<file>"      
+      def create_endpoint_with_address
+        try_with_rescue_in_session do
+          # Read address
+          ipv6_address = EnfCli::IPV6.new options[:address]
+
+          # read key
+          keyfile = EnfCli::expand_path(options['public-key-in-file'])
+          key = read_ec_key_file keyfile
+          pub = key.public_key
+
+          # create_endpoint
+          provision_endpoint ipv6_address, pub
+          
+        end
+      end
+
+      desc "create-endpoint-from-cert", "Create an IPV6 endpoint in /64 network with address from cert"
+      method_option :'cert-in-file', :type => :string, :required => true, :banner => "<file>"      
+      def create_endpoint_from_cert
+        try_with_rescue_in_session do
+          # read options
+          certfile = EnfCli::expand_path(options['cert-in-file'])
+          raise EnfCli::ERROR, "#{certfile} does not exist!" unless File.exists?(certfile)
+
+          # read cert file
+          rawcert = File.read certfile
+          cert = OpenSSL::X509::Certificate.new rawcert
+
+          # get subject
+          subject = cert.subject.to_a
+
+          # get ipv6 CN record
+          cn = subject.select { |d| "CN".eql?( d[0].upcase ) }
+          ipv6_address =  EnfCli::IPV6.new cn[0][1]
+
+          # get the public key
+          pub = cert.public_key.public_key
+
+          # create_endpoint
+          provision_endpoint ipv6_address, pub
+          
+        end        
+      end
+
+      desc "update-endpoint-key", "Update an IPV6 endpoint's credentials"
+      method_option :'address', :type => :string, :required => true, :banner => "<ipv6 address>"
+      method_option :'public-key-in-file', :type => :string, :required => true, :banner => "<file>"
+      def update_endpoint_key
+        try_with_rescue_in_session do
+          # Read address
+          ipv6_address = EnfCli::IPV6.new options[:address]
+
+          # read key
+          keyfile = EnfCli::expand_path(options['public-key-in-file'])
+          key = read_ec_key_file keyfile
+          pub = key.public_key
+
+          # update endpoint
+          update_endpoint_credentials ipv6_address, pub
+        end        
+      end
+
+      desc "update-endpoint-cert", "Update an IPV6 endpoint's credentials"
+      method_option :'cert-in-file', :type => :string, :required => true, :banner => "<file>"      
+      def update_endpoint_cert
+        try_with_rescue_in_session do
+          # read options
+          certfile = EnfCli::expand_path(options['cert-in-file'])
+          raise EnfCli::ERROR, "#{certfile} does not exist!" unless File.exists?(certfile)
+
+          # read cert file
+          rawcert = File.read certfile
+          cert = OpenSSL::X509::Certificate.new rawcert
+
+          # get subject
+          subject = cert.subject.to_a
+
+          # get ipv6 CN record
+          cn = subject.select { |d| "CN".eql?( d[0].upcase ) }
+          ipv6_address =  EnfCli::IPV6.new cn[0][1]
+
+          # get the public key
+          pub = cert.public_key.public_key
+
+          # update endpoint
+          update_endpoint_credentials ipv6_address, pub
+        end
+      end
+      
+    end    
+  end
+end
+

data/lib/enfcli/version.rb

@@ -0,0 +1,18 @@
+#
+# Copyright 2018 Xaptum,Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module EnfCli
+  VERSION = '3.3.2-alpha'
+end