leap_cli 1.2.5

data/lib/leap_cli/remote/leap_plugin.rb

@@ -0,0 +1,204 @@
+#
+# these methods are made available in capistrano tasks as 'leap.method_name'
+# (see RemoteCommand::new_capistrano)
+#
+
+module LeapCli; module Remote; module LeapPlugin
+
+  def required_packages
+    "puppet ruby-hiera-puppet rsync lsb-release locales"
+  end
+
+  def log(*args, &block)
+    LeapCli::Util::log(*args, &block)
+  end
+
+  #
+  # creates directories that are owned by root and 700 permissions
+  #
+  def mkdirs(*dirs)
+    raise ArgumentError.new('illegal dir name') if dirs.grep(/[\' ]/).any?
+    run dirs.collect{|dir| "mkdir -m 700 -p #{dir}; "}.join
+  end
+
+  #
+  # echos "ok" if the node has been initialized and the required packages are installed, bails out otherwise.
+  #
+  def assert_initialized
+    begin
+      test_initialized_file = "test -f #{INITIALIZED_FILE}"
+      check_required_packages = "! dpkg-query -W --showformat='${Status}\n' #{required_packages} 2>&1 | grep -q -E '(deinstall|no packages)'"
+      run "#{test_initialized_file} && #{check_required_packages} && echo ok"
+    rescue Capistrano::CommandError => exc
+      LeapCli::Util.bail! do
+        exc.hosts.each do |host|
+          LeapCli::Util.log :error, "running deploy: node not initialized. Run 'leap node init #{host}'", :host => host
+        end
+      end
+    end
+  end
+
+  #
+  # bails out the deploy if the file /etc/leap/no-deploy exists.
+  # This kind of sucks, because it would be better to skip over nodes that have no-deploy set instead
+  # halting the entire deploy. As far as I know, with capistrano, there is no way to close one of the
+  # ssh connections in the pool and make sure it gets no further commands.
+  #
+  def check_for_no_deploy
+    begin
+      run "test ! -f /etc/leap/no-deploy"
+    rescue Capistrano::CommandError => exc
+      LeapCli::Util.bail! do
+        exc.hosts.each do |host|
+          LeapCli::Util.log "Can't continue because file /etc/leap/no-deploy exists", :host => host
+        end
+      end
+    end
+  end
+
+  def mark_initialized
+    run "touch #{INITIALIZED_FILE}"
+  end
+
+  #
+  # This is a hairy ugly hack, exactly the kind of stuff that makes ruby
+  # dangerous and too much fun for its own good.
+  #
+  # In most places, we run remote ssh without a current 'task'. This works fine,
+  # except that in a few places, the behavior of capistrano ssh is controlled by
+  # the options of the current task.
+  #
+  # We don't want to create an actual current task, because tasks are no fun
+  # and can't take arguments or return values. So, when we need to configure
+  # things that can only be configured in a task, we use this handy hack to
+  # fake the current task.
+  #
+  # This is NOT thread safe, but could be made to be so with some extra work.
+  #
+  def with_task(name)
+    task = @config.tasks[name]
+    @config.class.send(:alias_method, :original_current_task, :current_task)
+    @config.class.send(:define_method, :current_task, Proc.new(){ task })
+    begin
+      yield
+    ensure
+      @config.class.send(:remove_method, :current_task)
+      @config.class.send(:alias_method, :current_task, :original_current_task)
+    end
+  end
+
+  #
+  # similar to run(cmd, &block), but with:
+  #
+  # * exit codes
+  # * stdout and stderr are combined
+  #
+  def stream(cmd, &block)
+    command = '%s 2>&1; echo "exitcode=$?"' % cmd
+    run(command) do |channel, stream, data|
+      exitcode = nil
+      if data =~ /exitcode=(\d+)\n/
+        exitcode = $1.to_i
+        data.sub!(/exitcode=(\d+)\n/,'')
+      end
+      yield({:host => channel[:host], :data => data, :exitcode => exitcode})
+    end
+  end
+
+  #
+  # like stream, but capture all the output before returning
+  #
+  def capture(cmd, &block)
+    command = '%s 2>&1; echo "exitcode=$?" 2>&1;' % cmd
+    host_data = {}
+    run(command) do |channel, stream, data|
+      host_data[channel[:host]] ||= ""
+      if data =~ /exitcode=(\d+)\n/
+        exitcode = $1.to_i
+        data.sub!(/exitcode=(\d+)\n/,'')
+        host_data[channel[:host]] += data
+        yield({:host => channel[:host], :data => host_data[channel[:host]], :exitcode => exitcode})
+      else
+        host_data[channel[:host]] += data
+      end
+    end
+  end
+
+  #
+  # Run a command, with a nice status report and progress indicator.
+  # Only successful results are returned, errors are printed.
+  #
+  # For each successful run on each host, block is yielded with a hash like so:
+  #
+  # {:host => 'bluejay', :exitcode => 0, :data => 'shell output'}
+  #
+  def run_with_progress(cmd, &block)
+    ssh_failures = []
+    exitcode_failures = []
+    succeeded = []
+    task = LeapCli.log_level > 1 ? :standard_task : :skip_errors_task
+    with_task(task) do
+      log :querying, 'facts' do
+        progress "   "
+        call_on_failure do |host|
+          ssh_failures << host
+          progress 'F'
+        end
+        capture(cmd) do |response|
+          if response[:exitcode] == 0
+            progress '.'
+            yield response
+          else
+            exitcode_failures << response
+            progress 'F'
+          end
+        end
+      end
+    end
+    puts "done"
+    if ssh_failures.any?
+      log :failed, 'to connect to nodes: ' + ssh_failures.join(' ')
+    end
+    if exitcode_failures.any?
+      log :failed, 'to run successfully:' do
+        exitcode_failures.each do |response|
+          log "[%s] exit %s - %s" % [response[:host], response[:exitcode], response[:data].strip]
+        end
+      end
+    end
+  rescue Capistrano::RemoteError => err
+    log :error, err.to_s
+  end
+
+  private
+
+  def progress(str='.')
+    $stdout.print str; $stdout.flush;
+  end
+
+  #def mkdir(dir)
+  #  run "mkdir -p #{dir}"
+  #end
+
+  #def chown_root(dir)
+  #  run "chown root -R #{dir} && chmod -R ag-rwx,u+rwX #{dir}"
+  #end
+
+  #def logrun(cmd)
+  #  @streamer ||= LeapCli::Remote::LogStreamer.new
+  #  run cmd do |channel, stream, data|
+  #    @streamer.collect_output(channel[:host], data)
+  #  end
+  #end
+
+#    return_code = nil
+#    run "something; echo return code: $?" do |channel, stream, data|
+#      if data =~ /return code: (\d+)/
+#        return_code = $1.to_i
+#      else
+#        Capistrano::Configuration.default_io_proc.call(channel, stream, data)
+#      end
+#    end
+#    puts "finished with return code: #{return_code}"
+
+end; end; end

data/lib/leap_cli/remote/puppet_plugin.rb

@@ -0,0 +1,66 @@
+#
+# these methods are made available in capistrano tasks as 'puppet.method_name'
+# (see RemoteCommand::new_capistrano)
+#
+
+module LeapCli; module Remote; module PuppetPlugin
+
+  def apply(options)
+    run "#{PUPPET_DESTINATION}/bin/puppet_command set_hostname apply #{flagize(options)}"
+  end
+
+  private
+
+  def flagize(hsh)
+    hsh.inject([]) {|str, item|
+      if item[1] === false
+        str
+      elsif item[1] === true
+        str << "--" + item[0].to_s
+      else
+        str << "--" + item[0].to_s + " " + item[1].to_s
+      end
+    }.join(' ')
+  end
+
+end; end; end
+
+
+    # def puppet(command = :noop)
+    #   #puppet_cmd = "cd #{puppet_destination} && #{sudo_cmd} #{puppet_command} --modulepath=#{puppet_lib} #{puppet_parameters}"
+    #   puppet_cmd = "cd #{puppet_destination} && #{sudo_cmd} #{puppet_command} #{puppet_parameters}"
+    #   flag = command == :noop ? '--noop' : ''
+
+    #   writer = if puppet_stream_output
+    #              SupplyDrop::Writer::Streaming.new(logger)
+    #            else
+    #              SupplyDrop::Writer::Batched.new(logger)
+    #            end
+
+    #   writer = SupplyDrop::Writer::File.new(writer, puppet_write_to_file) unless puppet_write_to_file.nil?
+
+    #   begin
+    #     exitcode = nil
+    #     run "#{puppet_cmd} #{flag}; echo exitcode:$?" do |channel, stream, data|
+    #       if data =~ /exitcode:(\d+)/
+    #         exitcode = $1
+    #         writer.collect_output(channel[:host], "Puppet #{command} complete (#{exitcode_description(exitcode)}).\n")
+    #       else
+    #         writer.collect_output(channel[:host], data)
+    #       end
+    #     end
+    #   ensure
+    #     writer.all_output_collected
+    #   end
+    # end
+
+    # def exitcode_description(code)
+    #   case code
+    #     when "0" then "no changes"
+    #     when "2" then "changes made"
+    #     when "4" then "failed"
+    #     when "6" then "changes and failures"
+    #     else code
+    #   end
+    # end
+

data/lib/leap_cli/remote/rsync_plugin.rb

@@ -0,0 +1,35 @@
+#
+# these methods are made available in capistrano tasks as 'rsync.method_name'
+# (see RemoteCommand::new_capistrano)
+#
+
+require 'rsync_command'
+
+module LeapCli; module Remote; module RsyncPlugin
+
+  #
+  # takes a block, yielded a server, that should return a hash with various rsync options.
+  # supported options include:
+  #
+  #   {:source => '', :dest => '', :flags => '', :includes => [], :excludes => []}
+  #
+  def update
+    rsync = RsyncCommand.new(:logger => logger)
+    rsync.asynchronously(find_servers) do |server|
+      options = yield server
+      next unless options
+      remote_user = server.user || fetch(:user, ENV['USER'])
+      src = options[:source]
+      dest = {:user => remote_user, :host => server.host, :path => options[:dest]}
+      options[:ssh] = ssh_options.merge(server.options[:ssh_options]||{})
+      options[:chdir] ||= Path.provider
+      rsync.exec(src, dest, options)
+    end
+    if rsync.failed?
+      LeapCli::Util.bail! do
+        LeapCli::Util.log :failed, "to rsync to #{rsync.failures.map{|f|f[:dest][:host]}.join(' ')}"
+      end
+    end
+  end
+
+end; end; end

data/lib/leap_cli/remote/tasks.rb

@@ -0,0 +1,36 @@
+#
+# This file is evaluated just the same as a typical capistrano "deploy.rb"
+# For DSL manual, see https://github.com/capistrano/capistrano/wiki
+#
+
+MAX_HOSTS = 10
+
+task :install_authorized_keys, :max_hosts => MAX_HOSTS do
+  leap.log :updating, "authorized_keys" do
+    leap.mkdirs '/root/.ssh'
+    upload LeapCli::Path.named_path(:authorized_keys), '/root/.ssh/authorized_keys', :mode => '600'
+  end
+end
+
+task :install_prerequisites, :max_hosts => MAX_HOSTS do
+  leap.mkdirs LeapCli::PUPPET_DESTINATION
+  leap.log :updating, "package list" do
+    run "apt-get update"
+  end
+  leap.log :installing, "required packages" do
+    run "DEBIAN_FRONTEND=noninteractive apt-get -q -y -o DPkg::Options::=--force-confold install #{leap.required_packages}"
+  end
+  run "echo 'en_US.UTF-8 UTF-8' > /etc/locale.gen; locale-gen"
+  leap.mkdirs("/etc/leap", "/srv/leap")
+  leap.mark_initialized
+end
+
+#
+# just dummies, used to capture task options
+#
+
+task :skip_errors_task, :on_error => :continue, :max_hosts => MAX_HOSTS do
+end
+
+task :standard_task, :max_hosts => MAX_HOSTS do
+end

data/lib/leap_cli/requirements.rb

@@ -0,0 +1,19 @@
+# run 'rake update-requirements' to generate this file.
+module LeapCli
+  REQUIREMENTS = [
+    "provider.ca.name",
+    "provider.ca.server_certificates.bit_size",
+    "provider.ca.server_certificates.digest",
+    "provider.ca.server_certificates.life_span",
+    "common.x509.use",
+    "provider.domain",
+    "provider.name",
+    "provider.ca.server_certificates.bit_size",
+    "provider.ca.server_certificates.digest",
+    "provider.ca.name",
+    "provider.ca.bit_size",
+    "provider.ca.life_span",
+    "provider.ca.client_certificates.unlimited_prefix",
+    "provider.ca.client_certificates.limited_prefix"
+  ]
+end

data/lib/leap_cli/ssh_key.rb

@@ -0,0 +1,130 @@
+#
+# A wrapper around OpenSSL::PKey::RSA instances to provide a better api for dealing with SSH keys.
+#
+#
+
+require 'net/ssh'
+require 'forwardable'
+
+module LeapCli
+  class SshKey
+    extend Forwardable
+
+    attr_accessor :filename
+    attr_accessor :comment
+
+    ##
+    ## CLASS METHODS
+    ##
+
+    def self.load(arg1, arg2=nil)
+      key = nil
+      if arg1.is_a? OpenSSL::PKey::RSA
+        key = SshKey.new arg1
+      elsif arg1.is_a? String
+        if arg1 =~ /^ssh-/
+          type, data = arg1.split(' ')
+          key = SshKey.new load_from_data(data, type)
+        elsif File.exists? arg1
+          key = SshKey.new load_from_file(arg1)
+          key.filename = arg1
+        else
+          key = SshKey.new load_from_data(arg1, arg2)
+        end
+      end
+      return key
+    end
+
+    def self.load_from_file(filename)
+      public_key = nil
+      private_key = nil
+      begin
+        public_key = Net::SSH::KeyFactory.load_public_key(filename)
+      rescue NotImplementedError, Net::SSH::Exception, OpenSSL::PKey::PKeyError
+        begin
+          private_key = Net::SSH::KeyFactory.load_private_key(filename)
+        rescue NotImplementedError, Net::SSH::Exception, OpenSSL::PKey::PKeyError
+        end
+      end
+      public_key || private_key
+    end
+
+    def self.load_from_data(data, type='ssh-rsa')
+      public_key = nil
+      private_key = nil
+      begin
+        public_key = Net::SSH::KeyFactory.load_data_public_key("#{type} #{data}")
+      rescue NotImplementedError, Net::SSH::Exception, OpenSSL::PKey::PKeyError
+        begin
+          private_key = Net::SSH::KeyFactory.load_data_private_key("#{type} #{data}")
+        rescue NotImplementedError, Net::SSH::Exception, OpenSSL::PKey::PKeyError
+        end
+      end
+      public_key || private_key
+    end
+
+    ##
+    ## INSTANCE METHODS
+    ##
+
+    public
+
+    def initialize(rsa_key)
+      @key = rsa_key
+    end
+
+    def_delegator :@key, :fingerprint, :fingerprint
+    def_delegator :@key, :public?, :public?
+    def_delegator :@key, :private?, :private?
+    def_delegator :@key, :ssh_type, :type
+    def_delegator :@key, :public_encrypt, :public_encrypt
+    def_delegator :@key, :public_decrypt, :public_decrypt
+    def_delegator :@key, :private_encrypt, :private_encrypt
+    def_delegator :@key, :private_decrypt, :private_decrypt
+    def_delegator :@key, :params, :params
+    def_delegator :@key, :to_text, :to_text
+
+    def public_key
+      SshKey.new(@key.public_key)
+    end
+
+    def private_key
+      SshKey.new(@key.private_key)
+    end
+
+    #
+    # not sure if this will always work, but is seems to for now.
+    #
+    def bits
+      Net::SSH::Buffer.from(:key, @key).to_s.split("\001\000").last.size * 8
+    end
+
+    def summary
+      "%s %s %s (%s)" % [self.type, self.bits, self.fingerprint, self.filename || self.comment || '']
+    end
+
+    def to_s
+      self.type + " " + self.key
+    end
+
+    def key
+      [Net::SSH::Buffer.from(:key, @key).to_s].pack("m*").gsub(/\s/, "")
+    end
+
+    def ==(other_key)
+      return false if other_key.nil?
+      return false if self.class != other_key.class
+      return self.to_text == other_key.to_text
+    end
+
+    def in_known_hosts?(*identifiers)
+      identifiers.each do |identifier|
+        Net::SSH::KnownHosts.search_for(identifier).each do |key|
+          return true if self == key
+        end
+      end
+      return false
+    end
+
+  end
+end

data/lib/leap_cli/util/remote_command.rb

@@ -0,0 +1,110 @@
+module LeapCli; module Util; module RemoteCommand
+  extend self
+
+  #
+  # FYI
+  #  Capistrano::Logger::IMPORTANT = 0
+  #  Capistrano::Logger::INFO      = 1
+  #  Capistrano::Logger::DEBUG     = 2
+  #  Capistrano::Logger::TRACE     = 3
+  #
+  def ssh_connect(nodes, options={}, &block)
+    options ||= {}
+    node_list = parse_node_list(nodes)
+
+    cap = new_capistrano
+    cap.logger = LeapCli::Logger.new(:level => LeapCli.log_level)
+    user = options[:user] || 'root'
+    cap.set :user, user
+    cap.set :ssh_options, ssh_options # ssh options common to all nodes
+    cap.set :use_sudo, false          # we may want to change this in the future
+
+    # Allow password authentication when we are bootstraping a single node
+    # (and key authentication fails).
+    if options[:bootstrap] && node_list.size == 1
+      hostname = node_list.values.first.name
+      if options[:echo]
+        cap.set(:password) { ask "Root SSH password for #{user}@#{hostname}> " }
+      else
+        cap.set(:password) { Capistrano::CLI.password_prompt " * Typed password will be hidden (use --echo to make it visible)\nRoot SSH password for #{user}@#{hostname}> " }
+      end
+    end
+
+    node_list.each do |name, node|
+      cap.server node.name, :dummy_arg, node_options(node, options[:ssh_options])
+    end
+
+    yield cap
+  end
+
+  private
+
+  #
+  # For available options, see http://net-ssh.github.com/net-ssh/classes/Net/SSH.html#method-c-start
+  #
+  def ssh_options
+    {
+      :config => false,
+      :global_known_hosts_file => path(:known_hosts),
+      :user_known_hosts_file => '/dev/null',
+      :paranoid => true
+    }
+  end
+
+  #
+  # For notes on advanced ways to set server-specific options, see
+  # http://railsware.com/blog/2011/11/02/advanced-server-definitions-in-capistrano/
+  #
+  # if, in the future, we want to do per-node password options, it would be done like so:
+  #
+  #  password_proc = Proc.new {Capistrano::CLI.password_prompt "Root SSH password for #{node.name}"}
+  #  return {:password => password_proc}
+  #
+  def node_options(node, ssh_options_override=nil)
+    ssh_options_override ||= {}
+    {
+      :ssh_options => {
+        # :host_key_alias => node.name, << incompatible with ports in known_hosts
+        :host_name => node.ip_address,
+        :port => node.ssh.port
+      }.merge(contingent_ssh_options_for_node(node)).merge(ssh_options_override)
+    }
+  end
+
+  def new_capistrano
+    # load once the library files
+    @capistrano_enabled ||= begin
+      require 'capistrano'
+      require 'capistrano/cli'
+      require 'lib_ext/capistrano_connections'
+      require 'leap_cli/remote/leap_plugin'
+      require 'leap_cli/remote/puppet_plugin'
+      require 'leap_cli/remote/rsync_plugin'
+      Capistrano.plugin :leap, LeapCli::Remote::LeapPlugin
+      Capistrano.plugin :puppet, LeapCli::Remote::PuppetPlugin
+      Capistrano.plugin :rsync, LeapCli::Remote::RsyncPlugin
+      true
+    end
+
+    # create capistrano instance
+    cap = Capistrano::Configuration.new
+
+    # add tasks to capistrano instance
+    cap.load File.dirname(__FILE__) + '/../remote/tasks.rb'
+
+    return cap
+  end
+
+  def contingent_ssh_options_for_node(node)
+    opts = {}
+    if node.vagrant?
+      opts[:keys] = [vagrant_ssh_key_file]
+      opts[:paranoid] = false # we skip host checking for vagrant nodes, because fingerprint is different for everyone.
+      if LeapCli::log_level <= 1
+        opts[:verbose] = :error # suppress all the warnings about adding host keys to known_hosts, since it is not actually doing that.
+      end
+    end
+    return opts
+  end
+
+end; end; end

data/lib/leap_cli/util/secret.rb

@@ -0,0 +1,54 @@
+#
+# A simple secret generator
+#
+# Uses OpenSSL random number generator instead of Ruby's rand function
+#
+require 'openssl'
+
+module LeapCli; module Util
+  class Secret
+    CHARS = ('A'..'Z').to_a + ('a'..'z').to_a + ('0'..'9').to_a + "_".split(//u) - "io01lO".split(//u)
+    HEX = (0..9).to_a + ('a'..'f').to_a
+
+    #
+    # generate a secret with with no ambiguous characters.
+    #
+    # +length+ is in chars
+    #
+    # Only alphanumerics are allowed, in order to make these passwords work
+    # for REST url calls and to allow you to easily copy and paste them.
+    #
+    def self.generate(length = 16)
+      seed
+      OpenSSL::Random.random_bytes(length).bytes.to_a.collect { |byte|
+        CHARS[ byte % CHARS.length ]
+      }.join
+    end
+
+    #
+    # generates a hex secret, instead of an alphanumeric on.
+    #
+    # length is in bits
+    #
+    def self.generate_hex(length = 128)
+      seed
+      OpenSSL::Random.random_bytes(length/4).bytes.to_a.collect { |byte|
+        HEX[ byte % HEX.length ]
+      }.join
+    end
+
+    private
+
+    def self.seed
+      @pid ||= 0
+      pid = $$
+      if @pid != pid
+        now = Time.now
+        ary = [now.to_i, now.nsec, @pid, pid]
+        OpenSSL::Random.seed(ary.to_s)
+        @pid = pid
+      end
+    end
+
+  end
+end; end

data/lib/leap_cli/util/x509.rb

@@ -0,0 +1,32 @@
+require 'openssl'
+require 'certificate_authority'
+require 'digest'
+require 'digest/md5'
+require 'digest/sha1'
+
+module LeapCli; module X509
+  extend self
+
+  #
+  # returns a fingerprint of a x509 certificate
+  #
+  def fingerprint(digest, cert_file)
+    if cert_file.is_a? String
+      cert = OpenSSL::X509::Certificate.new(Util.read_file!(cert_file))
+    elsif cert_file.is_a? OpenSSL::X509::Certificate
+      cert = cert_file
+    elsif cert_file.is_a? CertificateAuthority::Certificate
+      cert = cert_file.openssl_body
+    end
+    digester = case digest
+      when "MD5" then Digest::MD5.new
+      when "SHA1" then Digest::SHA1.new
+      when "SHA256" then Digest::SHA256.new
+      when "SHA384" then Digest::SHA384.new
+      when "SHA512" then Digest::SHA512.new
+    end
+    digester.hexdigest(cert.to_der)
+  end
+
+
+end; end