leap_cli 1.2.5 → 1.5.0

data/bin/leap

@@ -1,4 +1,9 @@
 #!/usr/bin/env ruby
+
+if ARGV.include?('--debug')
+  require 'debugger'
+end
+
 begin
   require 'leap_cli'
 rescue LoadError

data/lib/leap/platform.rb

@@ -13,9 +13,12 @@ module Leap
       attr_accessor :facts
       attr_accessor :paths
       attr_accessor :node_files
-      attr_accessor :puppet_destination
+      attr_accessor :monitor_username
+      attr_accessor :reserved_usernames
 
       def define(&block)
+        # some sanity defaults:
+        @reserved_usernames = []
         self.instance_eval(&block)
       end
 

data/lib/leap_cli/commands/compile.rb

@@ -33,10 +33,60 @@ module LeapCli
     end
 
     def update_compiled_ssh_configs
+      generate_monitor_ssh_keys
       update_authorized_keys
       update_known_hosts
     end
 
+    ##
+    ## SSH
+    ##
+
+    #
+    # generates a ssh key pair that is used only by remote monitors
+    # to connect to nodes and run certain allowed commands.
+    #
+    # every node has the public monitor key added to their authorized
+    # keys, and every monitor node has a copy of the private monitor key.
+    #
+    def generate_monitor_ssh_keys
+      priv_key_file = :monitor_priv_key
+      pub_key_file  = :monitor_pub_key
+      unless file_exists?(priv_key_file, pub_key_file)
+        cmd = %(ssh-keygen -N '' -C 'monitor' -t ecdsa -b 521 -f '%s') % path(priv_key_file)
+        assert_run! cmd
+        if file_exists?(priv_key_file, pub_key_file)
+          log :created, path(priv_key_file)
+          log :created, path(pub_key_file)
+        else
+          log :failed, 'to create monitor ssh keys'
+        end
+      end
+    end
+
+    #
+    # Compiles the authorized keys file, which gets installed on every during init.
+    # Afterwards, puppet installs an authorized keys file that is generated differently
+    # (see authorized_keys() in macros.rb)
+    #
+    def update_authorized_keys
+      buffer = StringIO.new
+      keys = Dir.glob(path([:user_ssh, '*']))
+      if keys.empty?
+        bail! "You must have at least one public SSH user key configured in order to proceed. See `leap help add-user`."
+      end
+      keys.sort.each do |keyfile|
+        ssh_type, ssh_key = File.read(keyfile).strip.split(" ")
+        buffer << ssh_type
+        buffer << " "
+        buffer << ssh_key
+        buffer << " "
+        buffer << Path.relative_path(keyfile)
+        buffer << "\n"
+      end
+      write_file!(:authorized_keys, buffer.string)
+    end
+
     ##
     ## ZONE FILE
     ##

data/lib/leap_cli/commands/deploy.rb

@@ -11,6 +11,9 @@ module LeapCli
       c.switch :fast, :desc => 'Makes the deploy command faster by skipping some slow steps. A "fast" deploy can be used safely if you recently completed a normal deploy.',
                       :negatable => false
 
+      # --sync
+      c.switch :sync, :desc => "Sync files, but don't actually apply recipes."
+
       # --force
       c.switch :force, :desc => 'Deploy even if there is a lockfile.', :negatable => false
 
@@ -49,8 +52,10 @@ module LeapCli
           ssh.leap.log :synching, "puppet manifests" do
             sync_puppet_files(ssh)
           end
-          ssh.leap.log :applying, "puppet" do
-            ssh.puppet.apply(:verbosity => LeapCli.log_level, :tags => tags(options), :force => options[:force])
+          unless options[:sync]
+            ssh.leap.log :applying, "puppet" do
+              ssh.puppet.apply(:verbosity => LeapCli.log_level, :tags => tags(options), :force => options[:force])
+            end
           end
         end
       end

data/lib/leap_cli/commands/inspect.rb

@@ -39,7 +39,7 @@ module LeapCli; module Commands
           :inspect_service
         elsif path_match?(:tag_config, full_path)
           :inspect_tag
-        elsif path_match?(:provider_config, full_path)
+        elsif path_match?(:provider_config, full_path) || path_match?(:provider_env_config, full_path)
           :inspect_provider
         elsif path_match?(:common_config, full_path)
           :inspect_common
@@ -108,6 +108,8 @@ module LeapCli; module Commands
   def inspect_provider(arg, options)
     if options[:base]
       inspect_json manager.base_provider
+    elsif arg =~ /provider\.(.*)\.json/
+      inspect_json manager.providers[$1]
     else
       inspect_json manager.provider
     end
@@ -130,7 +132,9 @@ module LeapCli; module Commands
   end
 
   def inspect_json(config)
-    puts JSON.sorted_generate(config)
+    if config
+      puts JSON.sorted_generate(config)
+    end
   end
 
   def path_match?(path_symbol, path)

data/lib/leap_cli/commands/node.rb

@@ -63,7 +63,11 @@ module LeapCli; module Commands
           update_compiled_ssh_configs
           ssh_connect_options = connect_options(options).merge({:bootstrap => true, :echo => options[:echo]})
           ssh_connect(node, ssh_connect_options) do |ssh|
-            ssh.install_authorized_keys
+            if node.vagrant?
+              ssh.install_authorized_keys2
+            else
+              ssh.install_authorized_keys
+            end
             ssh.install_prerequisites
             ssh.leap.capture(facter_cmd) do |response|
               if response[:exitcode] == 0

data/lib/leap_cli/commands/pre.rb

@@ -20,6 +20,13 @@ module LeapCli; module Commands
   desc 'Skip prompts and assume "yes"'
   switch :yes, :negatable => false
 
+  desc 'Enable debugging library (leap_cli development only)'
+  switch :debug, :negatable => false
+
+  desc 'Disable colors in output'
+  default_value true
+  switch 'color', :negatable => true
+
   pre do |global,command,options,args|
     #
     # set verbosity
@@ -59,6 +66,7 @@ module LeapCli; module Commands
     LeapCli.log_file = global[:log] || LeapCli.leapfile.log
     LeapCli::Util.log_raw(:log) { $0 + ' ' + ORIGINAL_ARGV.join(' ')}
     log_version
+    LeapCli.log_in_color = global[:color]
 
     #
     # load all the nodes everything

data/lib/leap_cli/commands/shell.rb

@@ -32,18 +32,28 @@ module LeapCli; module Commands
     return connect_options
   end
 
+  def ssh_config_help_message
+    puts ""
+    puts "Are 'too many authentication failures' getting you down?"
+    puts "Then we have the solution for you! Add something like this to your ~/.ssh/config file:"
+    puts "  Host *.#{manager.provider.domain}"
+    puts "  IdentityFile ~/.ssh/id_rsa"
+    puts "  IdentitiesOnly=yes"
+    puts "(replace `id_rsa` with the actual private key filename that you use for this provider)"
+  end
+
   private
 
   def exec_ssh(cmd, args)
     node = get_node_from_args(args, :include_disabled => true)
     options = [
-      "-o 'HostName=#{node.ip_address}'",
+      "-o 'HostName=#{node.domain.full}'",
       # "-o 'HostKeyAlias=#{node.name}'", << oddly incompatible with ports in known_hosts file, so we must not use this or non-standard ports break.
       "-o 'GlobalKnownHostsFile=#{path(:known_hosts)}'",
       "-o 'UserKnownHostsFile=/dev/null'"
     ]
     if node.vagrant?
-      options << "-i #{vagrant_ssh_key_file}"
+      options << "-i #{vagrant_ssh_key_file}"    # use the universal vagrant insecure key
       options << "-o 'StrictHostKeyChecking=no'" # blindly accept host key and don't save it (since userknownhostsfile is /dev/null)
     else
       options << "-o 'StrictHostKeyChecking=yes'"
@@ -56,12 +66,23 @@ module LeapCli; module Commands
     end
     ssh = "ssh -l #{username} -p #{node.ssh.port} #{options.join(' ')}"
     if cmd == :ssh
-      command = "#{ssh} #{node.name}"
+      command = "#{ssh} #{node.domain.full}"
     elsif cmd == :mosh
-      command = "MOSH_TITLE_NOPREFIX=1 mosh --ssh \"#{ssh}\" #{node.name}"
+      command = "MOSH_TITLE_NOPREFIX=1 mosh --ssh \"#{ssh}\" #{node.domain.full}"
     end
     log 2, command
-    exec "#{command}"
+
+    # exec the shell command in a subprocess
+    pid = fork { exec "#{command}" }
+
+    # wait for shell to exit so we can grab the exit status
+    _, status = Process.waitpid2(pid)
+
+    if status.exitstatus == 255
+      ssh_config_help_message
+    elsif status.exitstatus != 0
+      exit_now! status.exitstatus, status.exitstatus
+    end
   end
 
 end; end

data/lib/leap_cli/commands/test.rb

@@ -11,10 +11,16 @@ module LeapCli; module Commands
 
     test.desc 'Run tests.'
     test.command :run do |run|
+      run.switch 'continue', :desc => 'Continue over errors and failures (default is --no-continue).', :negatable => true
       run.action do |global_options,options,args|
-        manager.filter!(args).each_node do |node|
+        test_order = File.join(Path.platform, 'tests/order.rb')
+        if File.exists?(test_order)
+          require test_order
+        end
+        manager.filter!(args).names_in_test_dependency_order.each do |node_name|
+          node = manager.nodes[node_name]
           ssh_connect(node) do |ssh|
-            ssh.run(test_cmd)
+            ssh.run(test_cmd(options))
           end
         end
       end
@@ -25,8 +31,12 @@ module LeapCli; module Commands
 
   private
 
-  def test_cmd
-    "#{PUPPET_DESTINATION}/bin/run_tests"
+  def test_cmd(options)
+    if options[:continue]
+      "#{PUPPET_DESTINATION}/bin/run_tests --continue"
+    else
+      "#{PUPPET_DESTINATION}/bin/run_tests"
+    end
   end
 
   #

data/lib/leap_cli/commands/user.rb

@@ -24,8 +24,15 @@ module LeapCli
 
       c.action do |global_options,options,args|
         username = args.first
-        if !username.any? && !options[:self]
-          help! "Either 'username' or --self is required."
+        if !username.any?
+          if options[:self]
+            username ||= `whoami`.strip
+          else
+            help! "Either USERNAME argument or --self flag is required."
+          end
+        end
+        if Leap::Platform.reserved_usernames.include? username
+          bail! %(The username "#{username}" is reserved. Sorry, pick another.)
         end
 
         ssh_pub_key = nil
@@ -39,7 +46,6 @@ module LeapCli
         end
 
         if options[:self]
-          username ||= `whoami`.strip
           ssh_pub_key ||= pick_ssh_key.to_s
           pgp_pub_key ||= pick_pgp_key
         end
@@ -118,23 +124,5 @@ module LeapCli
       return `gpg --armor --export-options export-minimal --export #{key_id}`.strip
     end
 
-    def update_authorized_keys
-      buffer = StringIO.new
-      keys = Dir.glob(path([:user_ssh, '*']))
-      if keys.empty?
-        bail! "You must have at least one public SSH user key configured in order to proceed. See `leap help add-user`."
-      end
-      keys.sort.each do |keyfile|
-        ssh_type, ssh_key = File.read(keyfile).strip.split(" ")
-        buffer << ssh_type
-        buffer << " "
-        buffer << ssh_key
-        buffer << " "
-        buffer << Path.relative_path(keyfile)
-        buffer << "\n"
-      end
-      write_file!(:authorized_keys, buffer.string)
-    end
-
   end
 end

data/lib/leap_cli/commands/vagrant.rb

@@ -156,7 +156,7 @@ module LeapCli; module Commands
           if node.vagrant?
             lines << %[  config.vm.define :#{node.name} do |config|]
             lines << %[    config.vm.box = "leap-wheezy"]
-            lines << %[    config.vm.box_url = "http://download.leap.se/leap-debian.box"]
+            lines << %[    config.vm.box_url = "https://downloads.leap.se/leap-debian.box"]
             lines << %[    config.vm.network :hostonly, "#{node.ip_address}", :netmask => "#{netmask}"]
             lines << %[    config.vm.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]]
             lines << %[    config.vm.customize ["modifyvm", :id, "--name", "#{node.name}"]]
@@ -170,7 +170,7 @@ module LeapCli; module Commands
           if node.vagrant?
             lines << %[  config.vm.define :#{node.name} do |config|]
             lines << %[    config.vm.box = "leap-wheezy"]
-            lines << %[    config.vm.box_url = "http://download.leap.se/leap-debian.box"]
+            lines << %[    config.vm.box_url = "https://downloads.leap.se/leap-debian.box"]
             lines << %[    config.vm.network :private_network, ip: "#{node.ip_address}"]
             lines << %[    config.vm.provider "virtualbox" do |v|]
             lines << %[      v.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]]

data/lib/leap_cli/config/macros.rb

@@ -18,6 +18,13 @@ module LeapCli; module Config
       global.nodes
     end
 
+    #
+    # grab an environment appropriate provider
+    #
+    def provider
+      global.providers[@node.environment] || global.provider
+    end
+
     #
     # returns a list of nodes that match the same environment
     #
@@ -119,7 +126,7 @@ module LeapCli; module Config
     # +length+ is the character length of the generated password.
     #
     def secret(name, length=32)
-      @manager.secrets.set(name, Util::Secret.generate(length))
+      @manager.secrets.set(name, Util::Secret.generate(length), @node[:environment])
     end
 
     #
@@ -128,7 +135,7 @@ module LeapCli; module Config
     # +bit_length+ is the bits in the secret, (ie length of resulting hex string will be bit_length/4)
     #
     def hex_secret(name, bit_length=128)
-      @manager.secrets.set(name, Util::Secret.generate_hex(bit_length))
+      @manager.secrets.set(name, Util::Secret.generate_hex(bit_length), @node[:environment])
     end
 
     #
@@ -157,31 +164,43 @@ module LeapCli; module Config
     end
 
     #
-    # Generates entries needed for updating /etc/hosts on a node, but only including the IPs of the
-    # other nodes we have encountered. Also, for virtual machines, use the local address if this
-    # @node is in the same location.
-    #
-    def hosts_file
-      if @referenced_nodes && @referenced_nodes.any?
-        hosts = {}
-        my_location = @node['location'] ? @node['location']['name'] : nil
-        @referenced_nodes.each_node do |node|
-          next if node.name == @node.name
-          hosts[node.name] = {'ip_address' => node.ip_address, 'domain_internal' => node.domain.internal, 'domain_full' => node.domain.full}
-          node_location = node['location'] ? node['location']['name'] : nil
-          if my_location == node_location
-            if facts = @node.manager.facts[node.name]
-              if facts['ec2_public_ipv4']
-                hosts[node.name]['ip_address'] = facts['ec2_public_ipv4']
-              end
+    # Generates entries needed for updating /etc/hosts on a node (as a hash).
+    #
+    # Argument `nodes` can be nil or a list of nodes. If nil, only include the
+    # IPs of the other nodes this @node as has encountered (plus all mx nodes).
+    #
+    # Also, for virtual machines, we use the local address if this @node is in
+    # the same location as the node in question.
+    #
+    # We include the ssh public key for each host, so that the hash can also
+    # be used to generate the /etc/ssh/known_hosts
+    #
+    def hosts_file(nodes=nil)
+      if nodes.nil?
+        if @referenced_nodes && @referenced_nodes.any?
+          nodes = @referenced_nodes
+          nodes = nodes.merge(nodes_like_me[:services => 'mx'])  # all nodes always need to communicate with mx nodes.
+        end
+      end
+      return nil unless nodes
+      hosts = {}
+      my_location = @node['location'] ? @node['location']['name'] : nil
+      nodes.each_node do |node|
+        hosts[node.name] = {'ip_address' => node.ip_address, 'domain_internal' => node.domain.internal, 'domain_full' => node.domain.full}
+        node_location = node['location'] ? node['location']['name'] : nil
+        if my_location == node_location
+          if facts = @node.manager.facts[node.name]
+            if facts['ec2_public_ipv4']
+              hosts[node.name]['ip_address'] = facts['ec2_public_ipv4']
             end
           end
         end
-        #hosts = @referenced_nodes.pick_fields("ip_address", "domain.internal", "domain.full")
-        return hosts
-      else
-        return nil
+        host_pub_key   = Util::read_file([:node_ssh_pub_key,node.name])
+        if host_pub_key
+          hosts[node.name]['host_pub_key'] = host_pub_key
+        end
       end
+      hosts
     end
 
     ##
@@ -315,11 +334,15 @@ module LeapCli; module Config
     ##
 
     #
-    # creates a hash from the ssh key info in users directory, for use in updating authorized_keys file
+    # Creates a hash from the ssh key info in users directory, for use in
+    # updating authorized_keys file. Additionally, the 'monitor' public key is
+    # included, which is used by the monitor nodes to run particular commands
+    # remotely.
     #
     def authorized_keys
       hash = {}
-      Dir.glob(Path.named_path([:user_ssh, '*'])).sort.each do |keyfile|
+      keys = Dir.glob(Path.named_path([:user_ssh, '*']))
+      keys.sort.each do |keyfile|
         ssh_type, ssh_key = File.read(keyfile).strip.split(" ")
         name = File.basename(File.dirname(keyfile))
         hash[name] = {
@@ -327,21 +350,35 @@ module LeapCli; module Config
           "key" => ssh_key
         }
       end
+      ssh_type, ssh_key = File.read(Path.named_path(:monitor_pub_key)).strip.split(" ")
+      hash[Leap::Platform.monitor_username] = {
+        "type" => ssh_type,
+        "key" => ssh_key
+      }
       hash
     end
 
-    def known_hosts_file
-      return nil unless @referenced_nodes
-      entries = []
-      @referenced_nodes.each_node do |node|
-        hostnames = [node.name, node.domain.internal, node.domain.full, node.ip_address].join(',')
-        pub_key   = Util::read_file([:node_ssh_pub_key,node.name])
-        if pub_key
-          entries << [hostnames, pub_key].join(' ')
-        end
-      end
-      entries.join("\n")
-    end
+    #
+    # this is not currently used, because we put key information in the 'hosts' hash.
+    # see 'hosts_file()'
+    #
+    # def known_hosts_file(nodes=nil)
+    #   if nodes.nil?
+    #     if @referenced_nodes && @referenced_nodes.any?
+    #       nodes = @referenced_nodes
+    #     end
+    #   end
+    #   return nil unless nodes
+    #   entries = []
+    #   nodes.each_node do |node|
+    #     hostnames = [node.name, node.domain.internal, node.domain.full, node.ip_address].join(',')
+    #     pub_key   = Util::read_file([:node_ssh_pub_key,node.name])
+    #     if pub_key
+    #       entries << [hostnames, pub_key].join(' ')
+    #     end
+    #   end
+    #   entries.join("\n")
+    # end
 
     ##
     ## UTILITY

data/lib/leap_cli/config/manager.rb

@@ -16,7 +16,7 @@ module LeapCli
       ## ATTRIBUTES
       ##
 
-      attr_reader :services, :tags, :nodes, :provider, :common, :secrets
+      attr_reader :services, :tags, :nodes, :provider, :providers, :common, :secrets
       attr_reader :base_services, :base_tags, :base_provider, :base_common
 
       #
@@ -48,7 +48,7 @@ module LeapCli
         @base_services = load_all_json(Path.named_path([:service_config, '*'], Path.provider_base), Config::Tag)
         @base_tags     = load_all_json(Path.named_path([:tag_config, '*'], Path.provider_base), Config::Tag)
         @base_common   = load_json(Path.named_path(:common_config, Path.provider_base), Config::Object)
-        @base_provider = load_json(Path.named_path(:provider_config, Path.provider_base), Config::Object)
+        @base_provider = load_json(Path.named_path(:provider_config, Path.provider_base), Config::Provider)
 
         # load provider
         provider_path = Path.named_path(:provider_config, @provider_dir)
@@ -58,9 +58,17 @@ module LeapCli
         @tags     = load_all_json(Path.named_path([:tag_config, '*'],     @provider_dir), Config::Tag)
         @nodes    = load_all_json(Path.named_path([:node_config, '*'],    @provider_dir), Config::Node)
         @common   = load_json(common_path, Config::Object)
-        @provider = load_json(provider_path, Config::Object)
+        @provider = load_json(provider_path, Config::Provider)
         @secrets  = load_json(Path.named_path(:secrets_config,  @provider_dir), Config::Secrets)
 
+        ### BEGIN HACK
+        ### remove this after it is likely that no one has any old-style secrets.json
+        if @secrets['webapp_secret_token']
+          @secrets = Config::Secrets.new
+          Util::log :warning, "Creating all new secrets.json (new version is scoped by environment). Make sure to do a full deploy so that new secrets take effect."
+        end
+        ### END HACK
+
         # inherit
         @services.inherit_from! base_services
         @tags.inherit_from!     base_tags
@@ -75,8 +83,18 @@ module LeapCli
           remove_disabled_nodes
         end
 
-        # validate
+        # load optional environment specific providers
         validate_provider(@provider)
+        @providers = {}
+        environments.each do |env|
+          if Path.defined?(:provider_env_config)
+            provider_path = Path.named_path([:provider_env_config, env], @provider_dir)
+            providers[env] = load_json(provider_path, Config::Provider)
+            providers[env].inherit_from! @provider
+            validate_provider(providers[env])
+          end
+        end
+
       end
 
       #
@@ -100,7 +118,7 @@ module LeapCli
         node_list.each_node do |node|
           filepath = Path.named_path([:node_files_dir, node.name], @provider_dir)
           hierapath = Path.named_path([:hiera, node.name], @provider_dir)
-          Util::write_file!(hierapath, node.dump)
+          Util::write_file!(hierapath, node.dump_yaml)
           updated_files << filepath
           updated_hiera << hierapath
         end

data/lib/leap_cli/config/node.rb

@@ -32,6 +32,14 @@ module LeapCli; module Config
       end
       return vagrant_range.include?(ip_address)
     end
+
+    #
+    # can be overridden by the platform.
+    # returns a list of node names that should be tested before this node
+    #
+    def test_dependencies
+      []
+    end
   end
 
 end; end

data/lib/leap_cli/config/object.rb

@@ -33,24 +33,29 @@ module LeapCli
         @node = node || self
       end
 
+      #
+      # export YAML
       #
       # We use pure ruby yaml exporter ya2yaml instead of SYCK or PSYCH because it
       # allows us greater compatibility regardless of installed ruby version and
       # greater control over how the yaml is exported (sorted keys, in particular).
       #
-      def dump
-        evaluate
+      def dump_yaml
+        evaluate(@node)
         ya2yaml(:syck_compatible => true)
       end
 
+      #
+      # export JSON
+      #
       def dump_json
-        evaluate
+        evaluate(@node)
         JSON.sorted_generate(self)
       end
 
-      def evaluate
-        evaluate_everything
-        late_evaluate_everything
+      def evaluate(context=@node)
+        evaluate_everything(context)
+        late_evaluate_everything(context)
       end
 
       ##
@@ -204,13 +209,13 @@ module LeapCli
       #
       # walks the object tree, eval'ing all the attributes that are dynamic ruby (e.g. value starts with '= ')
       #
-      def evaluate_everything
+      def evaluate_everything(context)
         keys.each do |key|
-          obj = fetch_value(key)
+          obj = fetch_value(key, context)
           if is_required_value_not_set?(obj)
             Util::log 0, :warning, "required key \"#{key}\" is not set in node \"#{node.name}\"."
           elsif obj.is_a? Config::Object
-            obj.evaluate_everything
+            obj.evaluate_everything(context)
           end
         end
       end
@@ -218,10 +223,10 @@ module LeapCli
       #
       # some keys need to be evaluated 'late', after all the other keys have been evaluated.
       #
-      def late_evaluate_everything
+      def late_evaluate_everything(context)
         if @late_eval_list
           @late_eval_list.each do |key, value|
-            self[key] = evaluate_now(key, value)
+            self[key] = context.evaluate_ruby(key, value)
             if is_required_value_not_set?(self[key])
               Util::log 0, :warning, "required key \"#{key}\" is not set in node \"#{node.name}\"."
             end
@@ -229,44 +234,24 @@ module LeapCli
         end
         values.each do |obj|
           if obj.is_a? Config::Object
-            obj.late_evaluate_everything
+            obj.late_evaluate_everything(context)
           end
         end
       end
 
-      private
-
       #
-      # fetches the value for the key, evaluating the value as ruby if it begins with '='
+      # evaluates the string `value` as ruby in the context of self.
+      # (`key` is just passed for debugging purposes)
       #
-      def fetch_value(key)
-        value = fetch(key, nil)
-        if value.is_a?(String) && value =~ /^=/
-          if value =~ /^=> (.*)$/
-            value = evaluate_later(key, $1)
-          elsif value =~ /^= (.*)$/
-            value = evaluate_now(key, $1)
-          end
-          self[key] = value
-        end
-        return value
-      end
-
-      def evaluate_later(key, value)
-        @late_eval_list ||= []
-        @late_eval_list << [key, value]
-        '<evaluate later>'
-      end
-
-      def evaluate_now(key, value)
+      def evaluate_ruby(key, value)
         result = nil
         if LeapCli.log_level >= 2
-          result = @node.instance_eval(value)
+          result = self.instance_eval(value)
         else
           begin
-            result = @node.instance_eval(value)
+            result = self.instance_eval(value)
           rescue SystemStackError => exc
-            Util::log 0, :error, "while evaluating node '#{@node.name}'"
+            Util::log 0, :error, "while evaluating node '#{self.name}'"
             Util::log 0, "offending key: #{key}", :indent => 1
             Util::log 0, "offending string: #{value}", :indent => 1
             Util::log 0, "STACK OVERFLOW, BAILING OUT. There must be an eval loop of death (variables with circular dependencies).", :indent => 1
@@ -274,9 +259,9 @@ module LeapCli
           rescue FileMissing => exc
             Util::bail! do
               if exc.options[:missing]
-                Util::log :missing, exc.options[:missing].gsub('$node', @node.name)
+                Util::log :missing, exc.options[:missing].gsub('$node', self.name)
               else
-                Util::log :error, "while evaluating node '#{@node.name}'"
+                Util::log :error, "while evaluating node '#{self.name}'"
                 Util::log "offending key: #{key}", :indent => 1
                 Util::log "offending string: #{value}", :indent => 1
                 Util::log "error message: no file '#{exc}'", :indent => 1
@@ -284,13 +269,13 @@ module LeapCli
             end
           rescue AssertionFailed => exc
             Util.bail! do
-              Util::log :failed, "assertion while evaluating node '#{@node.name}'"
+              Util::log :failed, "assertion while evaluating node '#{self.name}'"
               Util::log 'assertion: %s' % exc.assertion, :indent => 1
               Util::log "offending key: #{key}", :indent => 1
             end
           rescue SyntaxError, StandardError => exc
             Util::bail! do
-              Util::log :error, "while evaluating node '#{@node.name}'"
+              Util::log :error, "while evaluating node '#{self.name}'"
               Util::log "offending key: #{key}", :indent => 1
               Util::log "offending string: #{value}", :indent => 1
               Util::log "error message: #{exc.inspect}", :indent => 1
@@ -300,6 +285,30 @@ module LeapCli
         return result
       end
 
+      private
+
+      #
+      # fetches the value for the key, evaluating the value as ruby if it begins with '='
+      #
+      def fetch_value(key, context=@node)
+        value = fetch(key, nil)
+        if value.is_a?(String) && value =~ /^=/
+          if value =~ /^=> (.*)$/
+            value = evaluate_later(key, $1)
+          elsif value =~ /^= (.*)$/
+            value = context.evaluate_ruby(key, $1)
+          end
+          self[key] = value
+        end
+        return value
+      end
+
+      def evaluate_later(key, value)
+        @late_eval_list ||= []
+        @late_eval_list << [key, value]
+        '<evaluate later>'
+      end
+
       #
       # when merging, we raise an error if this method returns true for the two values.
       #

data/lib/leap_cli/config/object_list.rb

@@ -1,9 +1,12 @@
+require 'tsort'
+
 module LeapCli
   module Config
     #
     # A list of Config::Object instances (internally stored as a hash)
     #
     class ObjectList < Hash
+      include TSort
 
       def initialize(config=nil)
         if config
@@ -46,7 +49,9 @@ module LeapCli
             each do |name, config|
               value = config[field]
               if value.is_a? Array
-                if value.include?(match_value)
+                if operator == :equal && value.include?(match_value)
+                  results[name] = config
+                elsif operator == :not_equal && !value.include?(match_value)
                   results[name] = config
                 end
               else
@@ -169,6 +174,21 @@ module LeapCli
         end
       end
 
+      #
+      # topographical sort based on test dependency
+      #
+      def tsort_each_node(&block)
+        self.each_key(&block)
+      end
+
+      def tsort_each_child(node_name, &block)
+        self[node_name].test_dependencies.each(&block)
+      end
+
+      def names_in_test_dependency_order
+        self.tsort
+      end
+
     end
   end
 end

data/lib/leap_cli/config/provider.rb

@@ -0,0 +1,11 @@
+#
+# Configuration class for provider.json
+#
+
+module LeapCli; module Config
+  class Provider < Object
+    def provider
+      self
+    end
+  end
+end; end

data/lib/leap_cli/config/secrets.rb

@@ -1,8 +1,6 @@
 #
-#
 # A class for the secrets.json file
 #
-#
 
 module LeapCli; module Config
 
@@ -14,10 +12,13 @@ module LeapCli; module Config
       @discovered_keys = {}
     end
 
-    def set(key, value)
+    def set(key, value, environment=nil)
+      environment ||= 'default'
       key = key.to_s
-      @discovered_keys[key] = true
-      self[key] ||= value
+      @discovered_keys[environment] ||= {}
+      @discovered_keys[environment][key] = true
+      self[environment] ||= {}
+      self[environment][key] ||= value
     end
 
     #
@@ -27,12 +28,16 @@ module LeapCli; module Config
     # this should only be triggered when all nodes have been processed, otherwise
     # secrets that are actually in use will get mistakenly removed.
     #
-    #
     def dump_json(only_discovered_keys=false)
       if only_discovered_keys
-        self.each_key do |key|
-          unless @discovered_keys[key]
-            self.delete(key)
+        self.each_key do |environment|
+          self[environment].each_key do |key|
+            unless @discovered_keys[environment] && @discovered_keys[environment][key]
+              self[environment].delete(key)
+            end
+          end
+          if self[environment].empty?
+            self.delete(environment)
           end
         end
       end

data/lib/leap_cli/log.rb

@@ -9,6 +9,8 @@ require 'paint'
 module LeapCli
   extend self
 
+  attr_accessor :log_in_color
+
   # logging options
   def log_level
     @log_level ||= 1
@@ -112,8 +114,12 @@ module LeapCli
         message = LeapCli::Path.relative_path(message)
       end
 
-      log_raw(:log, nil)                 { [clear_prefix, message].join }
-      log_raw(:stdout, options[:indent]) { [colored_prefix, message].join }
+      log_raw(:log, nil)                   { [clear_prefix, message].join }
+      if LeapCli.log_in_color
+        log_raw(:stdout, options[:indent]) { [colored_prefix, message].join }
+      else
+        log_raw(:stdout, options[:indent]) { [clear_prefix, message].join }
+      end
 
       # run block, if given
       if block_given?

data/lib/leap_cli/logger.rb

@@ -198,7 +198,7 @@ module LeapCli
 
       if color == :hide
         return nil
-      elsif mode == :log || (color == :none && style.nil?)
+      elsif mode == :log || (color == :none && style.nil?) || !LeapCli.log_in_color
         return [message, line_prefix, options]
       else
         term_color = COLORS[color]

data/lib/leap_cli/path.rb

@@ -72,6 +72,10 @@ module LeapCli; module Path
     File.exists?(named_path(name, provider_dir))
   end
 
+  def self.defined?(name)
+    Leap::Platform.paths[name]
+  end
+
   def self.relative_path(path, provider_dir=Path.provider)
     if provider_dir
       path = named_path(path, provider_dir)

data/lib/leap_cli/remote/tasks.rb

@@ -12,6 +12,30 @@ task :install_authorized_keys, :max_hosts => MAX_HOSTS do
   end
 end
 
+#
+# for vagrant nodes, we don't overwrite authorized_keys, because we want to keep the insecure vagrant key.
+# instead we install to authorized_keys2, which is also used by sshd.
+#
+# why?
+#   without it, it might be impossible to re-initialize a node.
+#
+# ok, why is that?
+#   when we init a vagrant node, we force it to use the insecure vagrant key, and not the user's keys
+#   (so re-initialization would be impossible if authorized_keys doesn't include insecure key).
+#
+# ok, why force the insecure vagrant key in the first place?
+#   if we don't do this, then first time initialization might fail if the user has many keys
+#   (ssh will bomb out before it gets to the vagrant key).
+#   and it really doesn't make sense to ask users to pin the insecure vagrant key in their
+#   .ssh/config files.
+#
+task :install_authorized_keys2, :max_hosts => MAX_HOSTS do
+  leap.log :updating, "authorized_keys2" do
+    leap.mkdirs '/root/.ssh'
+    upload LeapCli::Path.named_path(:authorized_keys), '/root/.ssh/authorized_keys2', :mode => '600'
+  end
+end
+
 task :install_prerequisites, :max_hosts => MAX_HOSTS do
   leap.mkdirs LeapCli::PUPPET_DESTINATION
   leap.log :updating, "package list" do

data/lib/leap_cli/util/remote_command.rb

@@ -35,6 +35,12 @@ module LeapCli; module Util; module RemoteCommand
     end
 
     yield cap
+  rescue Capistrano::ConnectionError => exc
+    # not sure if this will work if english is not the locale??
+    if exc.message =~ /Too many authentication failures/
+      at_exit {ssh_config_help_message}
+    end
+    raise exc
   end
 
   private
@@ -99,6 +105,7 @@ module LeapCli; module Util; module RemoteCommand
     opts = {}
     if node.vagrant?
       opts[:keys] = [vagrant_ssh_key_file]
+      opts[:keys_only] = true # only use the keys specified above, and ignore whatever keys the ssh-agent is aware of.
       opts[:paranoid] = false # we skip host checking for vagrant nodes, because fingerprint is different for everyone.
       if LeapCli::log_level <= 1
         opts[:verbose] = :error # suppress all the warnings about adding host keys to known_hosts, since it is not actually doing that.

data/lib/leap_cli/version.rb

@@ -1,7 +1,7 @@
 module LeapCli
   unless defined?(LeapCli::VERSION)
-    VERSION = '1.2.5'
-    COMPATIBLE_PLATFORM_VERSION = '0.2.4'..'1.99'
+    VERSION = '1.5.0'
+    COMPATIBLE_PLATFORM_VERSION = '0.3.0'..'1.99'
     SUMMARY = 'Command line interface to the LEAP platform'
     DESCRIPTION = 'The command "leap" can be used to manage a bevy of servers running the LEAP platform from the comfort of your own home.'
     LOAD_PATHS = ['lib', 'vendor/certificate_authority/lib', 'vendor/rsync_command/lib']

data/lib/leap_cli.rb

@@ -27,6 +27,7 @@ require 'leap_cli/ssh_key'
 require 'leap_cli/config/object'
 require 'leap_cli/config/node'
 require 'leap_cli/config/tag'
+require 'leap_cli/config/provider'
 require 'leap_cli/config/secrets'
 require 'leap_cli/config/object_list'
 require 'leap_cli/config/manager'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: leap_cli
 version: !ruby/object:Gem::Version
-  version: 1.2.5
+  version: 1.5.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,24 +9,8 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-12-06 00:00:00.000000000 Z
+date: 2014-03-16 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 10.0.3
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 10.0.3
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -287,6 +271,7 @@ files:
 - lib/leap_cli/config/object.rb
 - lib/leap_cli/config/tag.rb
 - lib/leap_cli/config/object_list.rb
+- lib/leap_cli/config/provider.rb
 - lib/leap_cli/config/secrets.rb
 - lib/leap_cli/config/node.rb
 - lib/leap_cli/config/macros.rb