keyman 1.0.0 → 1.1.1

data/Gemfile.lock

@@ -1,12 +1,14 @@
 PATH
   remote: .
   specs:
-    keyman (1.0.0)
+    keyman (1.1.0)
+      highline
       net-ssh (~> 2.6.3)
 
 GEM
   remote: https://rubygems.org/
   specs:
+    highline (1.6.15)
     net-ssh (2.6.3)
 
 PLATFORMS

data/README.md

@@ -4,10 +4,6 @@ This simple little utility allows you to manage the authorized_keys files for a
 number of servers & users. It is designed to provide easy access to ensure that
 you can revoke & grant access to appropriate people on multiple servers.
 
-**Please Note: this utility is somewhat un-tested and not currently used in any 
-production environment. Your mileage may vary and we recommend testing in a 
-non-production environment prior to use.**
-
 ## Installation
 
 To install, just install the Rubygem.
@@ -17,12 +13,19 @@ $ gem install keyman
 ```
 
 Once installed, you will need to create yourself a **manifest directory**. This
-directory will contain all your configuration for your key manager. You should
-create an empty directory and add two files, a `servers.rb` and a `users.rb` file.
+directory will contain all your configuration for your key manager. You can easily
+do this using the `init` command:
+
+```bash
+$ keyman init path/to/manifest
+```
+
+This will create a directory containing two files, a `users.km` and a `servers.km`.
+These files contain examples and comments which should help you get started.
 
 ## Example Users/Groups Manifest File
 
-The below file is an example of a `users.rb` manifest file.
+The below file is an example of a `users.km` manifest file.
 
 ```ruby
 group :admins do
@@ -39,7 +42,7 @@ end
 
 ## Example Server Manifest File
 
-The below file is an example of a `servers.rb` file.
+The below file is an example of a `servers.km` file.
 
 ```ruby
 # An example configuration for a server where all admin users have
@@ -56,13 +59,30 @@ server do
   host 'database01.myapplication.com'
   user 'root', :admins, :dan
 end
+
+# An example of a group of servers each with the same permissions. These 
+# will create servers with the same 
+server_group :load_balancers do
+  host 'lb01.myapplication.com'
+  host 'lb02.myapplication.com'
+  host 'lb03.myapplication.com'
+  user 'root', :admins
+  user 'app', :admins, :staff
+end
 ```
 
+You may add as many `.km` files as you wish to to your manifest directory and they
+will be loaded. However, all **users** should be defined in `users.km` and nowhere 
+else.
+
 ## Pushing files to servers
 
-In order to push files to the server, you must already have YOUR key on the
-machine in order to authenticate. If you do not, you will not have access
-and will therefore be unable to push configuration.
+In order to push your authorized_keys files to your servers, keyman must be able
+to authenticate. In the first instance, we will attempt to use your local SSH keys
+to do this. If we cannot authenticate with these, you will be prompted for the password
+when you attempt to push. This password, if accepted, will then be cached for your
+"session" and attempted for any subsequent servers which cannot be authenticated with
+your SSH keys.
 
 ```bash
 $ cd path/to/manifest
@@ -70,6 +90,8 @@ $ cd path/to/manifest
 $ keyman push
 # to push configuration to a specific server
 $ keyman push database01.myapplication.com
+# to push configuration to a server group
+$ keyman push load_balancers
 ```
 
 There are other commands available within the app, you can view these by 
@@ -78,3 +100,13 @@ viewing the inline help.
 ```bash
 $ keyman help
 ```
+
+## Storing your manifest directory
+
+It is recommended to store your manifest directory in a Git repository. Once in a 
+repository, you will be required to ensure that your local branch is always the same
+as your remote branch before you can push to a server. This ensures that you cannot
+overwrite someone elses changes should you forget to pull before pushing. 
+
+This behaviour is automatic and currently non-optional when there is a .git directory
+in your manifest.

data/bin/keyman

@@ -22,17 +22,36 @@ begin
     puts "commands. In order to use this, you must be currently within your"
     puts "manifest directory."
     puts
-    puts "    keys {server} {user}  - displays the authorized keys file for a server's user"
-    puts "    push                  - pushes the latest files to all servers"
-    puts "    push {server}         - pushes the latest file to the specified server"
-    puts "    servers               - displays a list of all servers"
-    puts "    permissions {server}  - displays the permissions for given server"
-    puts "    users                 - displays a list of all users & groups"
+    puts "  init {path}           - creates a new manifest directory"
+    puts "  keys {server} {user}  - displays the authorized keys file for a server's user"
+    puts "  push                  - pushes the latest files to all servers"
+    puts "  push {server}         - pushes the latest file to the specified server"
+    puts "  servers               - displays a list of all servers"
+    puts "  permissions {server}  - displays the permissions for given server"
+    puts "  users                 - displays a list of all users & groups"
     puts
+  when 'init'
+    require 'fileutils'
+    if path = final_args[1]
+      if File.exist?(path)
+        raise Keyman::Error, "A file/directory already exists at #{path}"
+      else
+        FileUtils.mkdir(path)
+        template_root = File.expand_path(File.join('..', '..', 'templates'), __FILE__)
+        File.open(File.join(path, 'users.km'), 'w') { |f| f.write(File.read(File.join(template_root, 'users.km')))}
+        File.open(File.join(path, 'servers.km'), 'w') { |f| f.write(File.read(File.join(template_root, 'servers.km')))}
+        puts "\e[32mKeyman manifest directory created at #{path} successfully.\e[0m"
+      end
+    else
+      raise Keyman::Error, "You should pass a directory name to the init command to create a new manifest directory."
+    end
   else
+    puts "\e[37mUsing manifest from #{Keyman.manifest_dir}\e[0m"
     Keyman.run(final_args, options)
   end
   
+rescue SystemExit, Interrupt
+  Process.exit(0)
 rescue Keyman::Error => e
   puts "\e[31m" + e.message + "\e[0m"
   Process.exit(1)

data/keyman.gemspec

@@ -16,5 +16,6 @@ Gem::Specification.new do |s|
   s.email = "adam@atechmedia.com"
   s.homepage = "http://atechmedia.com"
   s.add_dependency('net-ssh', '~> 2.6.3')
+  s.add_dependency('highline')
 end
 

data/lib/keyman.rb

@@ -1,45 +1,55 @@
+require 'yaml'
 require 'net/ssh'
+require 'highline/import'
 
 require 'keyman/user'
 require 'keyman/group'
 require 'keyman/server'
-require 'keyman/keyfile'
-
+require 'keyman/server_group'
+require 'keyman/manifest'
 
 module Keyman
   
   # The current version of the keyman system
-  VERSION = '1.0.0'
+  VERSION = '1.1.1'
   
   # An error which will be raised
   class Error < StandardError; end
   
   class << self
+    # Stores the actual manifest object
+    attr_accessor :manifest
+    
+    # Storage for the manifest directory to work with
+    attr_accessor :manifest_dir
+    
     # Storage for all the users, groups & servers which are loaded
     # from the manifest
     attr_accessor :users
     attr_accessor :groups
     attr_accessor :servers
-
-    # Load a manifest from the given folder
-    def load(directory)
-      self.users    = []
-      self.groups   = []
-      self.servers  = []
-      if File.directory?(directory)
-        ['groups.rb', 'servers.rb'].each do |file|
-          path = File.join(directory, file)
-          if File.exist?(path)
-            Keyman::Keyfile.class_eval(File.read(path)) 
-          else
-            raise Error, "No '#{file}' was found in your manifest directory. Abandoning..."
-          end
+    attr_accessor :server_groups
+    
+    # Storage for a password cache to use within the current session
+    attr_accessor :password_cache
+    
+    # Sets the default manifest_dir dir
+    def manifest_dir
+      @manifest_dir || self.config['manifest_dir'] || "./"
+    end
+    
+    # Sets the configuration options
+    def config
+      @config ||= begin
+        config_dir = File.join(ENV['HOME'], '.keyman')
+        if File.exist?(config_dir)
+          YAML.load_file(config_dir)
+        else
+          {}
         end
-      else
-        raise Error, "No folder found at '#{directory}'"
       end
     end
-    
+
     # Return a user or a group for the given name
     def user_or_group_for(name)
       self.users.select { |u| u.name == name.to_sym }.first || self.groups.select { |u| u.name == name.to_sym }.first
@@ -47,7 +57,7 @@ module Keyman
     
     # Execute a CLI command
     def run(args, options = {})
-      load('./')
+      Manifest.load
       case args.first
       when 'keys'
         if server = self.servers.select { |s| s.host == args[1] }.first
@@ -73,10 +83,26 @@ module Keyman
           raise Error, "No server found with the hostname '#{args[1]}'"
         end
       when 'push'
+        
+        if self.manifest.uses_git?
+          unless self.manifest.clean?
+            raise Error, "Your manifest is not clean. You should push to your repository before pushing."
+          end
+          
+          unless self.manifest.latest_commit?
+            raise Error, "The remote server has a more up-to-date manifest. Pull first."
+          end
+          
+          puts "\e[32mRepository check passed!\e[0m"
+        end
+        
         if args[1]
-          # push single server
-          if server = self.servers.select { |s| s.host == args[1] }.first
+          server = self.servers.select { |s| s.host == args[1] }.first
+          server = self.server_groups.select { |s| s.name == args[1].to_sym }.first if server.nil?
+          if server.is_a?(Keyman::Server)
             server.push!
+          elsif server.is_a?(Keyman::ServerGroup)
+            server.servers.each(&:push!)
           else
             raise Error, "No server found with the hostname '#{args[1]}'"
           end
@@ -84,9 +110,21 @@ module Keyman
           self.servers.each(&:push!)
         end
       when 'servers'
-        self.servers.each do |server|
-          puts " * " + server.host
+        self.server_groups.sort_by(&:name).each do |group|
+          puts '-' * 80
+          puts group.name.to_s
+          puts '-' * 80
+          group.servers.each do |s|
+            puts " * #{s.host}"
+          end
+        end
+        puts '-' * 80
+        puts 'no group'
+        puts '-' * 80
+        self.servers.select { |s| s.group.nil?}.each do |s|
+          puts " * #{s.host}"
         end
+        
       when 'users'
         self.groups.each do |group|
           puts "-" * 80
@@ -97,6 +135,27 @@ module Keyman
             puts "\e[37m#{u.key}\e[0m"
           end
         end
+        
+      when 'status'
+        if Keyman.manifest.uses_git?
+          puts "Your manifest is using a remote git repository."
+          if Keyman.manifest.clean?
+            puts " * Your working copy is clean"
+          else
+            puts " * You have an un-clean working copy. You must commit before pushing."
+          end
+          
+          if Keyman.manifest.latest_commit?
+            puts " * You have the latest commit fetched."
+          else
+            puts " * There is a newer version of this repo on the server."
+          end
+        else
+          puts "Your manifest does not use git. There is no status to display."
+        end
+        
+      else
+        raise Error, "Invalid command '#{args.first}'"
       end
     end
   end

data/lib/keyman/group.rb

@@ -9,6 +9,9 @@ module Keyman
     
     # Add a new group with the given name
     def self.add(name, &block)
+      if existing = Keyman.user_or_group_for(name)
+        raise Error, "#{existing.class.to_s.split('::').last} already exists for '#{name}' - cannot define user with this name."
+      end
       g = Group.new
       g.name = name
       g.instance_eval(&block)

data/lib/keyman/manifest.rb

@@ -0,0 +1,77 @@
+module Keyman
+  class Manifest
+    
+    # Loads a manifest directory as live
+    def self.load(directory = Keyman.manifest_dir)
+      Keyman.users          = []
+      Keyman.groups         = []
+      Keyman.servers        = []
+      Keyman.server_groups  = []
+      manifest       = self.new(directory)
+      if File.directory?(directory)
+        [File.join(directory, 'users.km'), Dir[File.join(directory, '*.km')]].flatten.uniq.compact.each do |file|
+          if File.exist?(file)
+            manifest.instance_eval(File.read(file))
+          else
+            raise Error, "No '#{file}' was found in your manifest directory. Abandoning..."
+          end
+        end
+        Keyman.manifest = manifest
+      else
+        raise Error, "No folder found at '#{directory}'"
+      end
+    end
+    
+    # Initialize a new manifest with the current directory
+    def initialize(directory)
+      @directory = directory
+    end
+    
+    # Adds a new group
+    def group(name, &users_block)
+      Group.add(name, &users_block)
+    end
+    
+    # Adds a new server
+    def server(&block)
+      Server.add(&block)
+    end
+    
+    # Adds a new user
+    def user(username, key)
+      User.add(username, key)
+    end
+    
+    # Adds a new server group
+    def server_group(name, &block)
+      ServerGroup.add(name, &block)
+    end
+    
+    # Does this manifest directory use git?
+    def uses_git?
+      File.directory?(File.join(@directory, '.git'))
+    end
+    
+    # Is the current repo clean?
+    def clean?
+      `cd #{@directory} && git status`.chomp.include?('nothing to commit')
+    end
+    
+    # Does the latest commit on the current branch match the remote brandh
+    def latest_commit?
+      local = `cd #{@directory} && git log --pretty=%H -n 1`.chomp
+      if `cd #{@directory} && git status`.chomp.match(/On branch (.*)\n/)
+        branch = $1
+      else
+        raise Error, "Unable to determine the local repository branch."
+      end
+      remote = `cd #{@directory} && git ls-remote 2> /dev/null | grep refs/heads/#{branch} `.chomp.split(/\s+/).first
+      if local.length == 40 && remote.length == 40
+        local == remote
+      else
+        raise Error, "Unable to determine local & remote commits"
+      end
+    end
+
+  end
+end

data/lib/keyman/server.rb

@@ -1,7 +1,7 @@
 module Keyman
   class Server
     
-    attr_accessor :host, :users, :location
+    attr_accessor :host, :users, :location, :group
     
     def initialize
       @users = {}
@@ -15,6 +15,17 @@ module Keyman
       s
     end
     
+    # Adds a new server based on it's name and location
+    def self.add_by_name(host, options = {})
+      s = self.new
+      s.host = host
+      s.location = options[:location]
+      s.users = options[:users]
+      s.group = options[:group]
+      Keyman.servers << s
+      s
+    end
+    
     # Returns or sets the hostname of the server which should be used when connecting
     # and identifying this server
     def host(host = nil)
@@ -24,6 +35,7 @@ module Keyman
     # Sets a user on the server along with the access objects which should be
     # granted access
     def user(name, *access_objects)
+      access_objects.each { |ao| raise Error, "!! Invalid access object '#{ao}' on '#{self.host}'" unless Keyman.user_or_group_for(ao) }
       @users[name] = access_objects
     end
     
@@ -36,9 +48,12 @@ module Keyman
     # all objects from within the server
     def authorized_users(username)
       @users[username].map do |k|
-        obj = Keyman.user_or_group_for(k)
-        obj.is_a?(Group) ? obj.users : obj
-      end.flatten.uniq
+        if obj = Keyman.user_or_group_for(k)
+          obj.is_a?(Group) ? obj.users : obj
+        else
+          nil
+        end
+      end.flatten.compact.uniq
     end
     
     # Returns a full string output for the authorized_keys file. Passes
@@ -59,20 +74,39 @@ module Keyman
     # configured here. This will not succeed if the current user does not
     # already have a key on the server.
     def push!
+      passwords_to_try = (Keyman.password_cache ||= [nil]).dup
       @users.each do |user, objects|
         begin
-          Timeout.timeout(10) do |t|
-            Net::SSH.start(self.host, user) do |ssh|
-              ssh.exec!("mkdir -p ~/.ssh")
-              file = authorized_keys(user).gsub("\n", "\\n").gsub("\t", "\\t")
-              ssh.exec!("echo -e '#{file}' > ~/.ssh/authorized_keys")
+          passwords_to_try.each do |password|
+            Timeout.timeout(10) do |t|
+              Net::SSH.start(self.host, user, :password => password) do |ssh|
+                ssh.exec!("mkdir -p ~/.ssh")
+                file = authorized_keys(user).gsub("\n", "\\n").gsub("\t", "\\t")
+                ssh.exec!("echo -e '#{file}' > ~/.ssh/authorized_keys")
+              end
+              Keyman.password_cache << password if password
             end
           end
           puts "\e[32mPushed authorized_keys to #{user}@#{self.host}\e[0m"
+        rescue Net::SSH::AuthenticationFailed
+          passwords_to_try.shift
+          if passwords_to_try.empty?
+            puts "\e[35mAuthorization failed on to #{user}@#{self.host}.\e[0m"
+            password = HighLine.ask("Enter password: ") { |q| q.echo = "*" }
+            if password.length > 0
+              passwords_to_try << password
+              retry
+            else
+              puts "\e[37mSkipping #{user}@#{self.host}\e[0m"
+            end
+          else
+            retry
+          end
         rescue Timeout::Error
           puts "\e[31mTimed out while uploading authorized_keys to #{user}@#{self.host}\e[0m"
-        rescue
-          puts "\e[31mFailed to upload authorized_keys to #{user}@#{self.host}\e[0m"
+        rescue => e
+          puts "\e[31mFailed to upload authorized_keys to #{user}@#{self.host} (#{e.class})\e[0m"
+          puts e.message
         end
       end
     end

data/lib/keyman/server_group.rb

@@ -0,0 +1,29 @@
+module Keyman
+  class ServerGroup
+    
+    attr_accessor :servers, :users, :name
+    
+    def initialize
+      @servers = []
+      @users = {}
+    end
+    
+    def self.add(name, &block)
+      s = self.new
+      s.name = name
+      s.instance_eval(&block)
+      Keyman.server_groups << s
+      s
+    end
+    
+    def server(host, location = nil)
+      @servers << Server.add_by_name(host, :users => @users, :group => self)
+    end
+    
+    def user(name, *access_objects)
+      @users[name] = access_objects
+      @servers.each { |s| s.user(name, *access_objects) }
+    end
+    
+  end
+end

data/lib/keyman/user.rb

@@ -9,6 +9,10 @@ module Keyman
       if existing
         existing
       else
+        if existing = Keyman.user_or_group_for(name)
+          raise Error, "#{existing.class.to_s.split('::').last} already exists for '#{name}' - cannot define user with this name."
+        end
+        
         u = self.new
         u.name = name.to_sym
         u.key = key

data/templates/servers.km

@@ -0,0 +1,22 @@
+# Example Keyman server configuration file
+# This file should contain all your server & server group definitions which should
+# be used within this manifest.
+#
+# You may also create other files with the extension .km within your manifest directory.
+# These must only contain server/server group definitions.
+#
+# server_group :app_servers do
+#   server 'app01.myapplication.com'
+#   server 'app02.myapplication.com'
+#   server 'app03.myapplication.com'
+#
+#   user 'root', :admins
+#   user 'app', :admins, :staff
+# end
+#
+# server do
+#   host 'db-a.myapplication.com'
+#   location :london
+#   user 'root', :admins
+#   user 'db', :admins, :database_admins
+# end

data/templates/users.km

@@ -0,0 +1,8 @@
+# Example Keyman user/group configuration file
+# This file should contain all your user & group definitions which should
+# be used within this manifest.
+#
+# group :admins do
+#   user :adam, 'ssh-rsa AAAAA=='
+#   user :dave, 'ssh-rsa BBBBB=='
+# end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: keyman
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.1
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-01-29 00:00:00.000000000 Z
+date: 2013-02-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: net-ssh
@@ -27,6 +27,22 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: 2.6.3
+- !ruby/object:Gem::Dependency
+  name: highline
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A simple library for managing distributed SSH keys
 email: adam@atechmedia.com
 executables:
@@ -39,11 +55,14 @@ files:
 - Gemfile.lock
 - keyman.gemspec
 - lib/keyman/group.rb
-- lib/keyman/keyfile.rb
+- lib/keyman/manifest.rb
 - lib/keyman/server.rb
+- lib/keyman/server_group.rb
 - lib/keyman/user.rb
 - lib/keyman.rb
 - README.md
+- templates/servers.km
+- templates/users.km
 homepage: http://atechmedia.com
 licenses: []
 post_install_message: 

data/lib/keyman/keyfile.rb

@@ -1,19 +0,0 @@
-module Keyman
-  class Keyfile
-    
-    class << self
-      def group(name, &users_block)
-        Group.add(name, &users_block)
-      end
-      
-      def server(&block)
-        Server.add(&block)
-      end
-      
-      def user(username, key)
-        User.add(username, key)
-      end
-    end
-    
-  end
-end