knife-openvpn 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8dd1f7ab9cad0728ed9c378d00f4572308435bad
-  data.tar.gz: 7426c914244fad2bfd8a9ae0d11b858369d20586
+  metadata.gz: 88392df23f3aa58d807022146707b08fead539ea
+  data.tar.gz: 18252c75306991cb22f8101ae2071c0503632e7f
 SHA512:
-  metadata.gz: 95308e27b0a782af5a32f28687b6d3c53bd1a05778b44bec4177ae14e780b898b70caaae04cea30af14f075cb214b136cf904be272c7249bdf11cac8e221f36f
-  data.tar.gz: 74f43c6fead9c46d76edb409ba435e4aece085be7841f1ec6fd6f5892cc43f05a4326b0323c1f5ebdd57dd3cc8cbca58bb7a3acf0ce3194584a5fcbe8f8d0cee
+  metadata.gz: d9e1e4dff1b795dafd80e1b5ffad74ccc412e819d9fe28c693314fc86a20b00ae041e000de7aa6d726754b898f16ac0a5b3591bfb948b7448fc0a2471ea57fd5
+  data.tar.gz: 724635b4ad05598b6ce0f96cfa8388eb51737f6bca1345a83868a09d623a3d3845dcb7c5dd1aca929c34505f0710e3b6e6bf8b6f8dd91f1350b5843f17b0ca17

data/.gitignore

@@ -0,0 +1,14 @@
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+bin/*
+.bundle/*
+
+# Gem
+*.gem

data/.rubocop.yml

@@ -0,0 +1,14 @@
+Metrics/AbcSize:
+  Enabled: false
+Style/GuardClause:
+  Enabled: false
+Style/Documentation:
+  Enabled: false
+Metrics/LineLength:
+  Enabled: false
+Metrics/MethodLength:
+  Enabled: false
+Metrics/ClassLength:
+  Max: 150
+Metrics/ParameterLists:
+  Enabled: false

data/.travis.yml

@@ -0,0 +1,7 @@
+language: ruby
+rvm:
+  - 2.1.5
+script:
+  - bundle exec rubocop
+notifications:
+  flowdock: d4fbb65de6c9c868a2dfc4b38fbd34c1

data/Gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+group :lint do
+  gem 'rubocop'
+end

data/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Express 42
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -1,2 +1,36 @@
+[![Build Status](https://travis-ci.org/express42/knife-openvpn.svg)](https://travis-ci.org/express42/knife-openvpn)
+
 # knife-openvpn
-A knife plugin for Express 42 openvpn cookbook
+## Description
+A knife plugin for [Express 42 OpenVPN cookbook].
+
+## Installation
+This plugin is distributed as a Ruby Gem. To install it, run:
+
+`gem install knife-openvpn`
+
+## Basic Examples
+
+Create server ca, server cert, server key and dh params:
+
+`knife openvpn server create office`
+
+Add openvpn client:
+
+`knife openvpn user create office john`
+
+Export client data (.ovpn config, server ca, client cert and key):
+
+`knife openvpn user export office john`
+
+Revoke access:
+
+`knife openvpn user revoke office john`
+
+## License and Maintainer
+
+Maintainer:: LLC Express 42 (<cookbooks@express42.com>)
+
+License:: MIT
+
+[Express 42 OpenVPN cookbook]: https://github.com/express42-cookbooks/openvpn

data/knife-openvpn.gemspec

@@ -1,9 +1,9 @@
 # -*- encoding: utf-8 -*-
-$:.push File.expand_path('../lib', __FILE__)
+$LOAD_PATH.push File.expand_path('../lib', __FILE__)
 
 Gem::Specification.new do |gem|
   gem.name        = 'knife-openvpn'
-  gem.version     = '0.0.1'
+  gem.version     = '0.0.2'
   gem.summary     = 'A knife plugin for Express 42 openvpn cookbook'
   gem.description = gem.summary
   gem.authors     = ['LLC Express 42']

data/lib/chef/knife/openvpn.rb

@@ -37,7 +37,7 @@ module OpenvpnPlugin
     end
 
     def check_databag_secret
-      databag_secret_file = File.join(Dir.pwd, '.chef/encrypted_data_bag_secret')
+      databag_secret_file = File.join(Dir.pwd, config[:databag_secret_file]) || Chef::Config[:knife][:secret_file]
       unless File.exist? databag_secret_file
         fail_with "Can't find encrypted databag secret file at #{databag_secret_file}."
       end
@@ -68,8 +68,8 @@ module OpenvpnPlugin
       name
     end
 
-    def get_databag_secret
-      databag_secret_file = File.join(Dir.pwd, '.chef/encrypted_data_bag_secret')
+    def load_databag_secret
+      databag_secret_file = File.join(Dir.pwd, config[:databag_secret_file]) || Chef::Config[:knife][:secret_file]
       secret = Chef::EncryptedDataBagItem.load_secret(databag_secret_file)
       secret
     end
@@ -89,13 +89,14 @@ module OpenvpnPlugin
       ca_cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always', false))
     end
 
-    def add_endentity_extensions(entity_cert, ca_cert)
+    def add_endentity_extensions(entity_cert, ca_cert, is_user = false)
       ef = get_extensions_factory entity_cert, ca_cert
       entity_cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature', true))
       entity_cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash', false))
+      entity_cert.add_extension(ef.create_extension('nsCertType', 'server')) unless is_user
     end
 
-    def generate_cert_and_key(subject, cert_config, selfsigned = false, ca_cert = nil, ca_key = nil)
+    def generate_cert_and_key(subject, cert_config, selfsigned = false, ca_cert = nil, ca_key = nil, is_user = false)
       key = OpenSSL::PKey::RSA.generate(cert_config['rsa_keysize'])
       cert = OpenSSL::X509::Certificate.new
       cert.version = 2
@@ -109,15 +110,24 @@ module OpenvpnPlugin
         cert.subject = subject
         cert.issuer = subject
         add_ca_extensions(cert)
-        cert.sign(key, OpenSSL::Digest::SHA1.new)
+        cert.sign(key, OpenSSL::Digest::SHA256.new)
       else
         if ca_cert.nil? || ca_key.nil?
           fail_with "CA key or cert isn't specified"
         end
         cert.subject = subject
         cert.issuer = ca_cert.subject
-        add_endentity_extensions(cert, ca_cert)
-        cert.sign(ca_key, OpenSSL::Digest::SHA1.new)
+        add_endentity_extensions(cert, ca_cert, is_user)
+        cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
+      end
+
+      if is_user
+        require 'highline/import'
+        passphrase = ask('Enter a passphrase [blank for passphraseless]: ') { |q| q.echo = false }
+        unless passphrase == ''
+          cipher = OpenSSL::Cipher.new('AES-256-CBC')
+          key = key.export(cipher, passphrase)
+        end
       end
 
       [cert, key]
@@ -171,18 +181,17 @@ module OpenvpnPlugin
       databag_path = get_databag_path server_name
       item_hash['id'] = id
       item_path = File.join(databag_path, "#{id}.json")
-      secret = get_databag_secret
+      secret = load_databag_secret
       encrypted_data = Chef::EncryptedDataBagItem.encrypt_data_bag_item(item_hash, secret)
-      unless File.exist? item_path
-        File.write item_path, JSON.pretty_generate(encrypted_data)
-      else
+      if File.exist? item_path
         fail_with "#{item_path} already exists"
+      else
+        File.write item_path, JSON.pretty_generate(encrypted_data)
       end
     end
 
     def load_databag_item(databag_name, item_id)
-      secret = get_databag_secret
-      # puts "Loading [#{databag_name}:#{item_id}]"
+      secret = load_databag_secret
       item = Chef::EncryptedDataBagItem.load(databag_name, item_id, secret)
       item
     end
@@ -190,10 +199,16 @@ module OpenvpnPlugin
 
   class OpenvpnServerCreate < Openvpn
     banner 'knife openvpn server create NAME (options)'
+
     deps do
       require 'readline'
     end
 
+    option :databag_secret_file,
+           long: '--secret-file PATH',
+           description: 'Specifies path to encrypred data bag secret file.',
+           default: '.chef/encrypted_data_bag_secret'
+
     def run
       check_arguments
       vpn_server_name = name_args.first
@@ -210,7 +225,7 @@ module OpenvpnPlugin
       server_subject = make_name vpn_server_name, cert_config
       server_cert, server_key = generate_cert_and_key server_subject, cert_config, false, ca_cert, ca_key
       dh_params = make_dh_params cert_config
-      crl = issue_crl([], 1, now, now + 3600, [], ca_cert, ca_key, OpenSSL::Digest::SHA1.new)
+      crl = issue_crl([], 1, now, now + 3600, [], ca_cert, ca_key, OpenSSL::Digest::SHA256.new)
       databag_path = get_databag_path vpn_server_name
       ui.info "Creating data bag directory at #{databag_path}"
       create_databag_dir vpn_server_name
@@ -223,9 +238,7 @@ module OpenvpnPlugin
     end
 
     def check_arguments
-      unless name_args.size == 1
-        fail_with 'Specify NAME of new openvpn server!'
-      end
+      fail_with 'Specify NAME of new openvpn server!' unless name_args.size == 1
     end
 
     def create_databag_dir(server_name)
@@ -278,6 +291,11 @@ module OpenvpnPlugin
   class OpenvpnUserCreate < Openvpn
     banner 'knife openvpn user create SERVERNAME USERNAME (options)'
 
+    option :databag_secret_file,
+           long: '--secret-file PATH',
+           description: 'Specifies path to encrypred data bag secret file.',
+           default: '.chef/encrypted_data_bag_secret'
+
     def run
       check_arguments
       server_name = name_args[0]
@@ -294,8 +312,8 @@ module OpenvpnPlugin
       config_item = load_databag_item(databag_name, 'openvpn-config')
       cert_config = config_item.to_hash
       user_subject = make_name user_name, cert_config
-      user_cert, user_key = generate_cert_and_key user_subject, cert_config, false, ca_cert, ca_key
-      save_databag_item(user_name, server_name, 'cert' => user_cert.to_pem, 'key' => user_key.to_pem)
+      user_cert, user_key = generate_cert_and_key user_subject, cert_config, false, ca_cert, ca_key, true
+      save_databag_item(user_name, server_name, 'cert' => user_cert.to_pem, 'key' => user_key.to_s)
       ui.info "Done, now you can upload #{databag_name}/#{user_name}.json"
     end
 
@@ -313,6 +331,11 @@ module OpenvpnPlugin
       require 'chef/search/query'
     end
 
+    option :databag_secret_file,
+           long: '--secret-file PATH',
+           description: 'Specifies path to encrypred data bag secret file.',
+           default: '.chef/encrypted_data_bag_secret'
+
     def run
       check_arguments
       server_name = name_args[0]
@@ -325,19 +348,28 @@ module OpenvpnPlugin
     def export_user(server_name, user_name)
       databag_name = get_databag_name server_name
       ca_item = load_databag_item(databag_name, 'openvpn-ca')
-      ca_cert, ca_key = load_cert_and_key ca_item['cert'], ca_item['key']
+      ca_cert, _ca_key = load_cert_and_key ca_item['cert'], ca_item['key']
+
+      ta_key = ''
+      begin
+        ta_item = load_databag_item(databag_name, 'openvpn-ta')
+        ta_key = ta_item['ta']
+      rescue Net::HTTPServerException
+        ui.warn 'Unable to load openvpn-ta, proceding without it. (Ignore unless you use tls-auth)'
+      end
 
       user_item = load_databag_item(databag_name, user_name)
-      user_cert, user_key = load_cert_and_key user_item['cert'], user_item['key']
+      user_cert, _user_key = load_cert_and_key user_item['cert'], user_item['key']
       tmpdir = Dir.mktmpdir
-      ui.info "tmpdir: #{tmpdir}"
+      ui.debug "created tmpdir: #{tmpdir}"
       begin
         user_dir = "#{tmpdir}/#{user_name}-vpn"
         Dir.mkdir user_dir
-        ui.info "userdir: #{user_dir}"
+        ui.debug "created userdir: #{user_dir}"
         export_file "#{user_dir}/ca.crt", ca_cert.to_pem
         export_file "#{user_dir}/#{user_name}.crt", user_cert.to_pem
-        export_file "#{user_dir}/#{user_name}.key", user_key.to_pem
+        export_file "#{user_dir}/#{user_name}.key", user_item['key'].to_s
+        export_file "#{user_dir}/ta.key", ta_key unless ta_key.empty?
         config_content = generate_client_config server_name, user_name
         export_file "#{user_dir}/#{user_name}.ovpn", config_content
         exitcode = system("cd #{tmpdir} && tar cfz /tmp/#{user_name}-vpn.tar.gz *")
@@ -360,22 +392,27 @@ module OpenvpnPlugin
       query = "openvpn_server_name:#{server_name}"
       query_nodes = Chef::Search::Query.new
       search_result = query_nodes.search('node', query)[0]
-      unless search_result.length == 1
-        fail_with "Found #{search_result.length} vpn servers for #{server_name}"
+      unless search_result.length < 1
+        fail_with "Cant find vpn server named '#{server_name}'"
       end
       config_content = ''
       newline = "\n"
       node = search_result[0]
+      config = Chef::Mixin::DeepMerge.merge(node['openvpn']['default'].to_hash, node['openvpn'][server_name].to_hash)
       config_content << 'client' << newline
-      config_content << "dev  #{node['openvpn'][server_name]['dev']}" << newline
-      config_content << "proto  #{node['openvpn'][server_name]['proto']}" << newline
-      config_content << "remote  #{node['openvpn'][server_name]['remote_host']} "
-      config_content << "#{node['openvpn'][server_name]['port']}" << newline
-      config_content << "verb  #{node['openvpn'][server_name]['verb']}" << newline
+      config_content << "dev  #{config['dev']}" << newline
+      config_content << "proto  #{config['proto']}" << newline
+      search_result.each do |result|
+        config_content << "remote  #{result['openvpn'][server_name]['remote_host']} "
+        config_content << "#{config['port']}" << newline
+      end
+      config_content << "verb  #{config['verb']}" << newline
       config_content << 'comp-lzo' << newline
       config_content << 'ca ca.crt' << newline
       config_content << "cert #{user_name}.crt" << newline
       config_content << "key #{user_name}.key" << newline
+      config_content << 'tls-auth ta.key 1' << newline if config['use_tls_auth']
+      config_content << 'ns-cert-type server' << newline
       config_content << 'nobind' << newline
       config_content << 'persist-key' << newline
       config_content << 'persist-tun' << newline
@@ -396,6 +433,11 @@ module OpenvpnPlugin
       require 'chef/search/query'
     end
 
+    option :databag_secret_file,
+           long: '--secret-file PATH',
+           description: 'Specifies path to encrypred data bag secret file.',
+           default: '.chef/encrypted_data_bag_secret'
+
     def run
       check_arguments
       server_name = name_args[0]
@@ -415,11 +457,11 @@ module OpenvpnPlugin
         old_crl = OpenSSL::X509::CRL.new crl_item['crl']
         revoke_info = crl_item['revoke_info']
       rescue
-        old_crl = issue_crl([], 1, now, now + 3600, [], ca_cert, ca_key, OpenSSL::Digest::SHA1.new)
+        old_crl = issue_crl([], 1, now, now + 3600, [], ca_cert, ca_key, OpenSSL::Digest::SHA256.new)
         revoke_info = []
       end
       user_item = load_databag_item(databag_name, user_name)
-      user_cert, user_key = load_cert_and_key user_item['cert'], user_item['key']
+      user_cert, _user_key = load_cert_and_key user_item['cert'], user_item['key']
       user_revoke_info = [[user_cert.serial, now, 0]]
       new_revoke_info = revoke_info + user_revoke_info
       new_crl = add_user_to_crl ca_cert, ca_key, old_crl, new_revoke_info
@@ -428,7 +470,7 @@ module OpenvpnPlugin
     end
 
     def add_user_to_crl(ca_cert, ca_key, old_crl, revoke_info)
-      new_crl = issue_crl(revoke_info, old_crl.version + 1, Time.at(Time.now.to_i), Time.at(Time.now.to_i) + 3600, [], ca_cert, ca_key, OpenSSL::Digest::SHA1.new)
+      new_crl = issue_crl(revoke_info, old_crl.version + 1, Time.at(Time.now.to_i), Time.at(Time.now.to_i) + 3600, [], ca_cert, ca_key, OpenSSL::Digest::SHA256.new)
       new_crl
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: knife-openvpn
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - LLC Express 42
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-13 00:00:00.000000000 Z
+date: 2015-09-07 00:00:00.000000000 Z
 dependencies: []
 description: A knife plugin for Express 42 openvpn cookbook
 email: cookbooks@express42.com
@@ -16,6 +16,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".gitignore"
+- ".rubocop.yml"
+- ".travis.yml"
+- Gemfile
+- LICENSE
 - README.md
 - knife-openvpn.gemspec
 - lib/chef/knife/openvpn.rb
@@ -39,7 +44,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.1
+rubygems_version: 2.4.4
 signing_key: 
 specification_version: 4
 summary: A knife plugin for Express 42 openvpn cookbook