leap_cli 1.2.5

data/vendor/certificate_authority/lib/certificate_authority/key_material.rb

@@ -0,0 +1,148 @@
+module CertificateAuthority
+  module KeyMaterial
+    def public_key
+      raise "Required implementation"
+    end
+
+    def private_key
+      raise "Required implementation"
+    end
+
+    def is_in_hardware?
+      raise "Required implementation"
+    end
+
+    def is_in_memory?
+      raise "Required implementation"
+    end
+
+    def self.from_x509_key_pair(pair,password=nil)
+      if password.nil?
+        key = OpenSSL::PKey::RSA.new(pair)
+      else
+        key = OpenSSL::PKey::RSA.new(pair,password)
+      end
+      mem_key = MemoryKeyMaterial.new
+      mem_key.public_key = key.public_key
+      mem_key.private_key = key
+      mem_key
+    end
+
+    def self.from_x509_public_key(public_key_pem)
+      key = OpenSSL::PKey::RSA.new(public_key_pem)
+      signing_request_key = SigningRequestKeyMaterial.new
+      signing_request_key.public_key = key.public_key
+      signing_request_key
+    end
+  end
+
+  class MemoryKeyMaterial
+    include KeyMaterial
+    include ActiveModel::Validations
+
+    attr_accessor :keypair
+    attr_accessor :private_key
+    attr_accessor :public_key
+
+    def initialize
+    end
+
+    validates_each :private_key do |record, attr, value|
+        record.errors.add :private_key, "cannot be blank" if record.private_key.nil?
+    end
+    validates_each :public_key do |record, attr, value|
+      record.errors.add :public_key, "cannot be blank" if record.public_key.nil?
+    end
+
+    def is_in_hardware?
+      false
+    end
+
+    def is_in_memory?
+      true
+    end
+
+    def generate_key(modulus_bits=2048)
+      self.keypair = OpenSSL::PKey::RSA.new(modulus_bits)
+      self.private_key = keypair
+      self.public_key = keypair.public_key
+      self.keypair
+    end
+
+    def private_key
+      @private_key
+    end
+
+    def public_key
+      @public_key
+    end
+  end
+
+  class SigningRequestKeyMaterial
+    include KeyMaterial
+    include ActiveModel::Validations
+
+    validates_each :public_key do |record, attr, value|
+      record.errors.add :public_key, "cannot be blank" if record.public_key.nil?
+    end
+
+    attr_accessor :public_key
+
+    def initialize(request=nil)
+      if request.is_a? OpenSSL::X509::Request
+        raise "Invalid certificate signing request" unless request.verify request.public_key
+        self.public_key = request.public_key
+      end
+    end
+
+    def is_in_hardware?
+      false
+    end
+
+    def is_in_memory?
+      true
+    end
+
+    def private_key
+      nil
+    end
+
+    def public_key
+      @public_key
+    end
+  end
+
+  class SigningRequestKeyMaterial
+    include KeyMaterial
+    include ActiveModel::Validations
+
+    validates_each :public_key do |record, attr, value|
+      record.errors.add :public_key, "cannot be blank" if record.public_key.nil?
+    end
+
+    attr_accessor :public_key
+
+    def initialize(request=nil)
+      if request.is_a? OpenSSL::X509::Request
+        raise "Invalid certificate signing request" unless request.verify request.public_key
+        self.public_key = request.public_key
+      end
+    end
+
+    def is_in_hardware?
+      false
+    end
+
+    def is_in_memory?
+      true
+    end
+
+    def private_key
+      nil
+    end
+
+    def public_key
+      @public_key
+    end
+  end
+end

data/vendor/certificate_authority/lib/certificate_authority/ocsp_handler.rb

@@ -0,0 +1,144 @@
+module CertificateAuthority
+  class OCSPResponseBuilder
+    attr_accessor :ocsp_response
+    attr_accessor :verification_mechanism
+    attr_accessor :ocsp_request_reader
+    attr_accessor :parent
+    attr_accessor :next_update
+
+    GOOD = OpenSSL::OCSP::V_CERTSTATUS_GOOD
+    REVOKED = OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+
+    NO_REASON=0
+    KEY_COMPROMISED=OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE
+    UNSPECIFIED=OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED
+
+    def build_response()
+      raise "Requires a parent for signing" if @parent.nil?
+      if @verification_mechanism.nil?
+        ## If no verification callback is provided we're marking it GOOD
+        @verification_mechanism = lambda {|cert_id| [GOOD,NO_REASON] }
+      end
+
+      @ocsp_request_reader.ocsp_request.certid.each do |cert_id|
+        result,reason = verification_mechanism.call(cert_id.serial)
+
+        ## cert_id, status, reason, rev_time, this update, next update, ext
+        ## - unit of time is seconds
+        ## - rev_time is currently set to "now"
+        @ocsp_response.add_status(cert_id,
+        result, reason,
+          0, 0, @next_update, nil)
+      end
+
+      @ocsp_response.sign(OpenSSL::X509::Certificate.new(@parent.to_pem), @parent.key_material.private_key, nil, nil)
+      OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, @ocsp_response)
+    end
+
+    def self.from_request_reader(request_reader,verification_mechanism=nil)
+      response_builder = OCSPResponseBuilder.new
+      response_builder.ocsp_request_reader = request_reader
+
+      ocsp_response = OpenSSL::OCSP::BasicResponse.new
+      ocsp_response.copy_nonce(request_reader.ocsp_request)
+      response_builder.ocsp_response = ocsp_response
+      response_builder.next_update = 60*15 #Default of 15 minutes
+      response_builder
+    end
+  end
+
+  class OCSPRequestReader
+    attr_accessor :raw_ocsp_request
+    attr_accessor :ocsp_request
+
+    def serial_numbers
+      @ocsp_request.certid.collect do |cert_id|
+        cert_id.serial
+      end
+    end
+
+    def self.from_der(request_body)
+      reader = OCSPRequestReader.new
+      reader.raw_ocsp_request = request_body
+      reader.ocsp_request = OpenSSL::OCSP::Request.new(request_body)
+
+      reader
+    end
+  end
+
+  ## DEPRECATED
+  class OCSPHandler
+    include ActiveModel::Validations
+
+    attr_accessor :ocsp_request
+    attr_accessor :certificate_ids
+
+    attr_accessor :certificates
+    attr_accessor :parent
+
+    attr_accessor :ocsp_response_body
+
+    validate do |crl|
+      errors.add :parent, "A parent entity must be set" if parent.nil?
+    end
+    validate :all_certificates_available
+
+    def initialize
+      self.certificates = {}
+    end
+
+    def <<(cert)
+      self.certificates[cert.serial_number.number.to_s] = cert
+    end
+
+    def extract_certificate_serials
+      openssl_request = OpenSSL::OCSP::Request.new(@ocsp_request)
+
+      self.certificate_ids = openssl_request.certid.collect do |cert_id|
+        cert_id.serial
+      end
+
+      self.certificate_ids
+    end
+
+
+    def response
+      raise "Invalid response" unless valid?
+
+      openssl_ocsp_response = OpenSSL::OCSP::BasicResponse.new
+      openssl_ocsp_request = OpenSSL::OCSP::Request.new(self.ocsp_request)
+      openssl_ocsp_response.copy_nonce(openssl_ocsp_request)
+
+      openssl_ocsp_request.certid.each do |cert_id|
+        certificate = self.certificates[cert_id.serial.to_s]
+
+        openssl_ocsp_response.add_status(cert_id,
+        OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0,
+          0, 0, 30, nil)
+      end
+
+
+      openssl_ocsp_response.sign(OpenSSL::X509::Certificate.new(self.parent.to_pem), self.parent.key_material.private_key, nil, nil)
+      final_response = OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, openssl_ocsp_response)
+      self.ocsp_response_body = final_response
+      self.ocsp_response_body
+    end
+
+    def to_der
+      raise "No signed OCSP response body available" if self.ocsp_response_body.nil?
+      self.ocsp_response_body.to_der
+    end
+
+    private
+
+    def all_certificates_available
+      openssl_ocsp_request = OpenSSL::OCSP::Request.new(self.ocsp_request)
+
+      openssl_ocsp_request.certid.each do |cert_id|
+        certificate = self.certificates[cert_id.serial.to_s]
+        errors.add(:base, "Certificate #{cert_id.serial} has not been added yet") if certificate.nil?
+      end
+    end
+
+  end
+end

data/vendor/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb

@@ -0,0 +1,65 @@
+module CertificateAuthority
+  class Pkcs11KeyMaterial
+    include KeyMaterial
+    include ActiveModel::Validations
+    include ActiveModel::Serialization
+
+    attr_accessor :engine
+    attr_accessor :token_id
+    attr_accessor :pkcs11_lib
+    attr_accessor :openssl_pkcs11_engine_lib
+    attr_accessor :pin
+
+    def initialize(attributes = {})
+      @attributes = attributes
+      initialize_engine
+    end
+
+    def is_in_hardware?
+      true
+    end
+
+    def is_in_memory?
+      false
+    end
+
+    def generate_key(modulus_bits=1024)
+      puts "Key generation is not currently supported in hardware"
+      nil
+    end
+
+    def private_key
+      initialize_engine
+      self.engine.load_private_key(self.token_id)
+    end
+
+    def public_key
+      initialize_engine
+      self.engine.load_public_key(self.token_id)
+    end
+
+    private
+
+    def initialize_engine
+      ## We're going to return early and try again later if params weren't passed in
+      ## at initialization.  Any attempt at getting a public/private key will try
+      ## again.
+      return false if self.openssl_pkcs11_engine_lib.nil? or self.pkcs11_lib.nil?
+      return self.engine unless self.engine.nil?
+      OpenSSL::Engine.load
+
+      pkcs11 = OpenSSL::Engine.by_id("dynamic") do |e|
+        e.ctrl_cmd("SO_PATH",self.openssl_pkcs11_engine_lib)
+        e.ctrl_cmd("ID","pkcs11")
+        e.ctrl_cmd("LIST_ADD","1")
+        e.ctrl_cmd("LOAD")
+        e.ctrl_cmd("PIN",self.pin) unless self.pin.nil? or self.pin == ""
+        e.ctrl_cmd("MODULE_PATH",self.pkcs11_lib)
+      end
+
+      self.engine = pkcs11
+      pkcs11
+    end
+
+  end
+end

data/vendor/certificate_authority/lib/certificate_authority/revocable.rb

@@ -0,0 +1,14 @@
+module CertificateAuthority
+  module Revocable
+    attr_accessor :revoked_at
+
+    def revoke!(time=Time.now)
+      @revoked_at = time
+    end
+
+    def revoked?
+      # If we have a time, then we're revoked
+      !@revoked_at.nil?
+    end
+  end
+end

data/vendor/certificate_authority/lib/certificate_authority/serial_number.rb

@@ -0,0 +1,10 @@
+module CertificateAuthority
+  class SerialNumber
+    include ActiveModel::Validations
+    include Revocable
+
+    attr_accessor :number
+
+    validates :number, :presence => true, :numericality => {:greater_than => 0}
+  end
+end

data/vendor/certificate_authority/lib/certificate_authority/signing_entity.rb

@@ -0,0 +1,16 @@
+module CertificateAuthority
+  module SigningEntity
+
+    def self.included(mod)
+      mod.class_eval do
+        attr_accessor :signing_entity
+      end
+    end
+
+    def signing_entity=(val)
+      raise "invalid param" unless [true,false].include?(val)
+      @signing_entity = val
+    end
+
+  end
+end

data/vendor/certificate_authority/lib/certificate_authority/signing_request.rb

@@ -0,0 +1,56 @@
+module CertificateAuthority
+  class SigningRequest
+    attr_accessor :distinguished_name
+    attr_accessor :key_material
+    attr_accessor :raw_body
+    attr_accessor :openssl_csr
+    attr_accessor :digest
+
+    def to_cert
+      cert = Certificate.new
+      if !@distinguished_name.nil?
+        cert.distinguished_name = @distinguished_name
+      end
+      cert.key_material = @key_material
+      cert
+    end
+
+    def to_pem
+      to_x509_csr.to_pem
+    end
+
+    def to_x509_csr
+      raise "Must specify a DN/subject on csr" if @distinguished_name.nil?
+      raise "Invalid DN in request" unless @distinguished_name.valid?
+      raise "CSR must have key material" if @key_material.nil?
+      raise "CSR must include a public key on key material" if @key_material.public_key.nil?
+
+      opensslcsr = OpenSSL::X509::Request.new
+      opensslcsr.subject = @distinguished_name.to_x509_name
+      opensslcsr.public_key = @key_material.public_key
+      opensslcsr.sign @key_material.private_key, OpenSSL::Digest::Digest.new(@digest || "SHA512")
+      opensslcsr
+    end
+
+    def self.from_x509_csr(raw_csr)
+      csr = SigningRequest.new
+      openssl_csr = OpenSSL::X509::Request.new(raw_csr)
+      csr.distinguished_name = DistinguishedName.from_openssl openssl_csr.subject
+      csr.raw_body = raw_csr
+      csr.openssl_csr = openssl_csr
+      key_material = SigningRequestKeyMaterial.new
+      key_material.public_key = openssl_csr.public_key
+      csr.key_material = key_material
+      csr
+    end
+
+    def self.from_netscape_spkac(raw_spkac)
+      openssl_spkac = OpenSSL::Netscape::SPKI.new raw_spkac
+      csr = SigningRequest.new
+      csr.raw_body = raw_spkac
+      key_material = SigningRequestKeyMaterial.new
+      key_material.public_key = openssl_spkac.public_key
+      csr
+    end
+  end
+end

data/vendor/certificate_authority/lib/certificate_authority.rb

@@ -0,0 +1,21 @@
+$:.unshift(File.dirname(__FILE__)) unless $:.include?(File.dirname(__FILE__)) || $:.include?(File.expand_path(File.dirname(__FILE__)))
+
+#Exterior requirements
+require 'openssl'
+require 'active_model'
+
+#Internal modules
+require 'certificate_authority/signing_entity'
+require 'certificate_authority/revocable'
+require 'certificate_authority/distinguished_name'
+require 'certificate_authority/serial_number'
+require 'certificate_authority/key_material'
+require 'certificate_authority/pkcs11_key_material'
+require 'certificate_authority/extensions'
+require 'certificate_authority/certificate'
+require 'certificate_authority/certificate_revocation_list'
+require 'certificate_authority/ocsp_handler'
+require 'certificate_authority/signing_request'
+
+module CertificateAuthority
+end

data/vendor/rsync_command/lib/rsync_command/ssh_options.rb

@@ -0,0 +1,159 @@
+#
+# Converts capistrano-style ssh configuration (which uses Net::SSH) into a OpenSSH command line flags suitable for rsync.
+#
+# For a list of the options normally support by Net::SSH (and thus Capistrano), see
+# http://net-ssh.github.com/net-ssh/classes/Net/SSH.html#method-c-start
+#
+# Also, to see how Net::SSH does the opposite of the conversion we are doing here, check out:
+# https://github.com/net-ssh/net-ssh/blob/master/lib/net/ssh/config.rb
+#
+# API mismatch:
+#
+# * many OpenSSH options not supported
+# * some options only make sense for Net::SSH
+# * compression: for Net::SSH, this option is supposed to accept true, false, or algorithm. OpenSSH accepts 'yes' or 'no'
+#
+class RsyncCommand
+  class SshOptions
+
+    def initialize(options={})
+      @options = parse_options(options)
+    end
+
+    def to_flags
+      if @options.empty?
+        nil
+      else
+        %[-e "ssh #{@options.join(' ')}"]
+      end
+    end
+
+    private
+
+    def parse_options(options)
+      options.map do |key, value|
+        next if value.nil?
+        # Convert Net::SSH options into OpenSSH options.
+        case key
+        when :auth_methods            then opt_auth_methods(value)
+        when :bind_address            then opt('BindAddress', value)
+        when :compression             then opt('Compression', value ? 'yes' : 'no')
+        when :compression_level       then opt('CompressionLevel', value.to_i)
+        when :config                  then value ? "-F '#{value}'" : nil
+        when :encryption              then opt('Ciphers', [value].flatten.join(','))
+        when :forward_agent           then opt('ForwardAgent', value)
+        when :global_known_hosts_file then opt('GlobalKnownHostsFile', value)
+        when :hmac                    then opt('MACs', [value].flatten.join(','))
+        when :host_key                then opt('HostKeyAlgorithms', [value].flatten.join(','))
+        when :host_key_alias          then opt('HostKeyAlias', value)
+        when :host_name               then opt('HostName', value)
+        when :kex                     then opt('KexAlgorithms', [value].flatten.join(','))
+        when :key_data                then nil # not supported
+        when :keys                    then [value].flatten.select { |k| File.exist?(k) }.map { |k| "-i '#{k}'" }
+        when :keys_only               then opt('IdentitiesOnly', value ? 'yes' : 'no')
+        when :languages               then nil # not applicable
+        when :logger                  then nil # not applicable
+        when :paranoid                then opt('StrictHostKeyChecking', value ? 'yes' : 'no')
+        when :passphrase              then nil # not supported
+        when :password                then nil # not supported
+        when :port                    then "-p #{value.to_i}"
+        when :properties              then nil # not applicable
+        when :proxy                   then nil # not applicable
+        when :rekey_blocks_limit      then nil # not supported
+        when :rekey_limit             then opt('RekeyLimit', reverse_interpret_size(value))
+        when :rekey_packet_limit      then nil # not supported
+        when :timeout                 then opt('ConnectTimeout', value.to_i)
+        when :user                    then "-l #{value}"
+        when :user_known_hosts_file   then multi_opt('UserKnownHostsFile', value)
+        when :verbose                 then opt('LogLevel', interpret_log_level(value))
+        end
+      end.compact
+    end
+
+    private
+
+    def opt(option_name, option_value)
+      "-o #{option_name}='#{option_value}'"
+    end
+
+    def multi_opt(option_name, option_values)
+      [option_values].flatten.map do |value|
+        opt(option_name, value)
+      end.join(' ')
+    end
+
+    #
+    # In OpenSSH, password and pubkey default to 'yes', hostbased defaults to 'no'.
+    # Regardless, if :auth_method is configured, then we explicitly set the auth method.
+    #
+    def opt_auth_methods(value)
+      value = [value].flatten
+      opts = []
+      if value.any?
+        if value.include? 'password'
+          opts << opt('PasswordAuthentication', 'yes')
+        else
+          opts << opt('PasswordAuthentication', 'no')
+        end
+        if value.include? 'publickey'
+          opts << opt('PubkeyAuthentication', 'yes')
+        else
+          opts << opt('PubkeyAuthentication', 'no')
+        end
+        if value.include? 'hostbased'
+          opts << opt('HostbasedAuthentication', 'yes')
+        else
+          opts << opt('HostbasedAuthentication', 'no')
+        end
+      end
+      if opts.any?
+        return opts.join(' ')
+      else
+        nil
+      end
+    end
+
+    #
+    # Converts the given integer size in bytes into a string with 'K', 'M', 'G' suffix, as appropriate.
+    #
+    # reverse of interpret_size in https://github.com/net-ssh/net-ssh/blob/master/lib/net/ssh/config.rb
+    #
+    def reverse_interpret_size(size)
+      size = size.to_i
+      if size < 1024
+        "#{size}"
+      elsif size < 1024 * 1024
+        "#{size/1024}K"
+      elsif size < 1024 * 1024 * 1024
+        "#{size/(1024*1024)}M"
+      else
+        "#{size/(1024*1024*1024)}G"
+      end
+    end
+
+    def interpret_log_level(level)
+      if level.is_a? Symbol
+        case level
+          when :debug then "DEBUG"
+          when :info then "INFO"
+          when :warn then "ERROR"
+          when :error then "ERROR"
+          when :fatal then "FATAL"
+          else "INFO"
+        end
+      elsif level.is_a?(Integer) && defined?(Logger)
+        case level
+          when Logger::DEBUG then "DEBUG"
+          when Logger::INFO then "INFO"
+          when Logger::WARN then "ERROR"
+          when Logger::ERROR then "ERROR"
+          when Logger::FATAL then "FATAL"
+          else "INFO"
+        end
+      else
+        "INFO"
+      end
+    end
+
+  end
+end

data/vendor/rsync_command/lib/rsync_command/thread_pool.rb

@@ -0,0 +1,36 @@
+require 'thread'
+
+class RsyncCommand
+  class ThreadPool
+    class << self
+      attr_accessor :default_size
+    end
+
+    def initialize(size=nil)
+      @size = size || ThreadPool.default_size || 10
+      @jobs = Queue.new
+      @retvals = []
+      @pool = Array.new(@size) do |i|
+        Thread.new do
+          Thread.current[:id] = i
+          catch(:exit) do
+            loop do
+              job, args = @jobs.pop
+              @retvals << job.call(*args)
+            end
+          end
+        end
+      end
+    end
+    def schedule(*args, &block)
+      @jobs << [block, args]
+    end
+    def shutdown
+      @size.times do
+        schedule { throw :exit }
+      end
+      @pool.map(&:join)
+      @retvals
+    end
+  end
+end

data/vendor/rsync_command/lib/rsync_command/version.rb

@@ -0,0 +1,3 @@
+class RsyncCommand
+  VERSION = "0.0.1"
+end