leap_cli 1.5.6 → 1.6.2

data/lib/leap_cli/commands/node_init.rb

@@ -0,0 +1,169 @@
+#
+# Node initialization.
+# Most of the fun stuff is in tasks.rb.
+#
+
+module LeapCli; module Commands
+
+  desc 'Node management'
+  command :node do |node|
+    node.desc 'Bootstraps a node or nodes, setting up SSH keys and installing prerequisite packages'
+    node.long_desc "This command prepares a server to be used with the LEAP Platform by saving the server's SSH host key, " +
+                   "copying the authorized_keys file, installing packages that are required for deploying, and registering important facts. " +
+                   "Node init must be run before deploying to a server, and the server must be running and available via the network. " +
+                   "This command only needs to be run once, but there is no harm in running it multiple times."
+    node.arg_name 'FILTER'
+    node.command :init do |init|
+      init.switch 'echo', :desc => 'If set, passwords are visible as you type them (default is hidden)', :negatable => false
+      init.flag :port, :desc => 'Override the default SSH port.', :arg_name => 'PORT'
+      init.flag :ip,   :desc => 'Override the default SSH IP address.', :arg_name => 'IPADDRESS'
+
+      init.action do |global,options,args|
+        assert! args.any?, 'You must specify a FILTER'
+        finished = []
+        manager.filter!(args).each_node do |node|
+          is_node_alive(node, options)
+          save_public_host_key(node, global, options) unless node.vagrant?
+          update_compiled_ssh_configs
+          ssh_connect_options = connect_options(options).merge({:bootstrap => true, :echo => options[:echo]})
+          ssh_connect(node, ssh_connect_options) do |ssh|
+            if node.vagrant?
+              ssh.install_insecure_vagrant_key
+            end
+            ssh.install_authorized_keys
+            ssh.install_prerequisites
+            unless node.vagrant?
+              ssh.leap.log(:checking, "SSH host keys") do
+                ssh.leap.capture(get_ssh_keys_cmd) do |response|
+                  update_local_ssh_host_keys(node, response[:data]) if response[:exitcode] == 0
+                end
+              end
+            end
+            ssh.leap.log(:updating, "facts") do
+              ssh.leap.capture(facter_cmd) do |response|
+                if response[:exitcode] == 0
+                  update_node_facts(node.name, response[:data])
+                else
+                  log :failed, "to run facter on #{node.name}"
+                end
+              end
+            end
+          end
+          finished << node.name
+        end
+        log :completed, "initialization of nodes #{finished.join(', ')}"
+      end
+    end
+  end
+
+  private
+
+  ##
+  ## PRIVATE HELPERS
+  ##
+
+  def is_node_alive(node, options)
+    address = options[:ip] || node.ip_address
+    port = options[:port] || node.ssh.port
+    log :connecting, "to node #{node.name}"
+    assert_run! "nc -zw3 #{address} #{port}",
+      "Failed to reach #{node.name} (address #{address}, port #{port}). You can override the configured IP address and port with --ip or --port."
+  end
+
+  #
+  # saves the public ssh host key for node into the provider directory.
+  #
+  # see `man sshd` for the format of known_hosts
+  #
+  def save_public_host_key(node, global, options)
+    log :fetching, "public SSH host key for #{node.name}"
+    address = options[:ip] || node.ip_address
+    port = options[:port] || node.ssh.port
+    host_keys = get_public_keys_for_ip(address, port)
+    pub_key_path = Path.named_path([:node_ssh_pub_key, node.name])
+
+    if Path.exists?(pub_key_path)
+      if host_keys.include? SshKey.load(pub_key_path)
+        log :trusted, "- Public SSH host key for #{node.name} matches previously saved key", :indent => 1
+      else
+        bail! do
+          log :error, "The public SSH host keys we just fetched for #{node.name} doesn't match what we have saved previously.", :indent => 1
+          log "Delete the file #{pub_key_path} if you really want to remove the trusted SSH host key.", :indent => 2
+        end
+      end
+    else
+      known_key = host_keys.detect{|k|k.in_known_hosts?(node.name, node.ip_address, node.domain.name)}
+      if known_key
+        log :trusted, "- Public SSH host key for #{node.name} is trusted (key found in your ~/.ssh/known_hosts)"
+      else
+        public_key = SshKey.pick_best_key(host_keys)
+        if public_key.nil?
+          bail!("We got back #{host_keys.size} host keys from #{node.name}, but we can't support any of them.")
+        else
+          say("   This is the SSH host key you got back from node \"#{node.name}\"")
+          say("   Type        -- #{public_key.bits} bit #{public_key.type.upcase}")
+          say("   Fingerprint -- " + public_key.fingerprint)
+          say("   Public Key  -- " + public_key.key)
+          if !global[:yes] && !agree("   Is this correct? ")
+            bail!
+          else
+            known_key = public_key
+          end
+        end
+      end
+      puts
+      write_file! [:node_ssh_pub_key, node.name], known_key.to_s
+    end
+  end
+
+  #
+  # Get the public host keys for a host using ssh-keyscan.
+  # Return an array of SshKey objects, one for each key.
+  #
+  def get_public_keys_for_ip(address, port=22)
+    assert_bin!('ssh-keyscan')
+    output = assert_run! "ssh-keyscan -p #{port} #{address}", "Could not get the public host key from #{address}:#{port}. Maybe sshd is not running?"
+    if output.empty?
+      bail! :failed, "ssh-keyscan returned empty output."
+    end
+
+    if output =~ /No route to host/
+      bail! :failed, 'ssh-keyscan: no route to %s' % address
+    else
+      keys = SshKey.parse_keys(output)
+      if keys.empty?
+        bail! "ssh-keyscan got zero host keys back (that we understand)! Output was: #{output}"
+      else
+        return keys
+      end
+    end
+  end
+
+  # run on the server to generate a string suitable for passing to SshKey.parse_keys()
+  def get_ssh_keys_cmd
+    "/bin/grep ^HostKey /etc/ssh/sshd_config | /usr/bin/awk '{print $2 \".pub\"}' | /usr/bin/xargs /bin/cat"
+  end
+
+  #
+  # Sometimes the ssh host keys on the server will be better than what we have
+  # stored locally. In these cases, ask the user if they want to upgrade.
+  #
+  def update_local_ssh_host_keys(node, remote_keys_string)
+    remote_keys = SshKey.parse_keys(remote_keys_string)
+    return unless remote_keys.any?
+    current_key = SshKey.load(Path.named_path([:node_ssh_pub_key, node.name]))
+    best_key = SshKey.pick_best_key(remote_keys)
+    return unless best_key && current_key
+    if current_key != best_key
+      say("   One of the SSH host keys for node '#{node.name}' is better than what you currently have trusted.")
+      say("     Current key: #{current_key.summary}")
+      say("     Better key: #{best_key.summary}")
+      if agree("   Do you want to use the better key? ")
+        write_file! [:node_ssh_pub_key, node.name], best_key.to_s
+      end
+    else
+      log(3, "current host key does not need updating")
+    end
+  end
+
+end; end

data/lib/leap_cli/commands/pre.rb

@@ -20,8 +20,8 @@ module LeapCli; module Commands
   desc 'Skip prompts and assume "yes"'
   switch :yes, :negatable => false
 
-  desc 'Enable debugging library (leap_cli development only)'
-  switch :debug, :negatable => false
+  desc 'Print full stack trace for exceptions and load `debugger` gem if installed.'
+  switch [:d, :debug], :negatable => false
 
   desc 'Disable colors in output'
   default_value true
@@ -31,12 +31,7 @@ module LeapCli; module Commands
     #
     # set verbosity
     #
-    LeapCli.log_level = global[:verbose].to_i
-    if LeapCli.log_level > 1
-      ENV['GLI_DEBUG'] = "true"
-    else
-      ENV['GLI_DEBUG'] = "false"
-    end
+    LeapCli.set_log_level(global[:verbose].to_i)
 
     #
     # load Leapfile
@@ -53,13 +48,6 @@ module LeapCli; module Commands
       bail! { log :missing, "platform directory '#{Path.platform}'" }
     end
 
-    if LeapCli.leapfile.platform_branch && LeapCli::Util.is_git_directory?(Path.platform)
-      branch = LeapCli::Util.current_git_branch(Path.platform)
-      if branch != LeapCli.leapfile.platform_branch
-        bail! "Wrong branch for #{Path.platform}. Was '#{branch}', should be '#{LeapCli.leapfile.platform_branch}'. Edit Leapfile to disable this check."
-      end
-    end
-
     #
     # set log file
     #
@@ -68,18 +56,7 @@ module LeapCli; module Commands
     log_version
     LeapCli.log_in_color = global[:color]
 
-    #
-    # load all the nodes everything
-    #
-    manager
-
-    #
-    # check requirements
-    #
-    REQUIREMENTS.each do |key|
-      assert_config! key
-    end
-
+    true
   end
 
   private

data/lib/leap_cli/commands/ssh.rb

@@ -0,0 +1,152 @@
+module LeapCli; module Commands
+
+  desc 'Log in to the specified node with an interactive shell.'
+  arg_name 'NAME' #, :optional => false, :multiple => false
+  command :ssh do |c|
+    c.flag 'ssh', :desc => "Pass through raw options to ssh (e.g. `--ssh '-F ~/sshconfig'`)."
+    c.flag 'port', :arg_name => 'SSH_PORT', :desc => 'Override default SSH port used when trying to connect to the server. Same as `--ssh "-p SSH_PORT"`.'
+    c.action do |global_options,options,args|
+      exec_ssh(:ssh, options, args)
+    end
+  end
+
+  desc 'Log in to the specified node with an interactive shell using mosh (requires node to have mosh.enabled set to true).'
+  arg_name 'NAME'
+  command :mosh do |c|
+    c.flag 'ssh', :desc => "Pass through raw options to ssh (e.g. `--ssh '-F ~/sshconfig'`)."
+    c.flag 'port', :arg_name => 'SSH_PORT', :desc => 'Override default SSH port used when trying to connect to the server. Same as `--ssh "-p SSH_PORT"`.'
+    c.action do |global_options,options,args|
+      exec_ssh(:mosh, options, args)
+    end
+  end
+
+  desc 'Creates an SSH port forward (tunnel) to the node NAME. REMOTE_PORT is the port on the remote node that the tunnel will connect to. LOCAL_PORT is the optional port on your local machine. For example: `leap tunnel couch1:5984`.'
+  arg_name '[LOCAL_PORT:]NAME:REMOTE_PORT'
+  command :tunnel do |c|
+    c.flag 'ssh', :desc => "Pass through raw options to ssh (e.g. --ssh '-F ~/sshconfig')."
+    c.flag 'port', :arg_name => 'SSH_PORT', :desc => 'Override default SSH port used when trying to connect to the server. Same as `--ssh "-p SSH_PORT"`.'
+    c.action do |global_options,options,args|
+      local_port, node, remote_port = parse_tunnel_arg(args.first)
+      options[:ssh] = [options[:ssh], "-N -L 127.0.0.1:#{local_port}:0.0.0.0:#{remote_port}"].join(' ')
+      log("Forward port localhost:#{local_port} to #{node.name}:#{remote_port}")
+      if is_port_available?(local_port)
+        exec_ssh(:ssh, options, [node.name])
+      end
+    end
+  end
+
+  protected
+
+  #
+  # allow for ssh overrides of all commands that use ssh_connect
+  #
+  def connect_options(options)
+    connect_options = {:ssh_options=>{}}
+    if options[:port]
+      connect_options[:ssh_options][:port] = options[:port]
+    end
+    if options[:ip]
+      connect_options[:ssh_options][:host_name] = options[:ip]
+    end
+    return connect_options
+  end
+
+  def ssh_config_help_message
+    puts ""
+    puts "Are 'too many authentication failures' getting you down?"
+    puts "Then we have the solution for you! Add something like this to your ~/.ssh/config file:"
+    puts "  Host *.#{manager.provider.domain}"
+    puts "  IdentityFile ~/.ssh/id_rsa"
+    puts "  IdentitiesOnly=yes"
+    puts "(replace `id_rsa` with the actual private key filename that you use for this provider)"
+  end
+
+  require 'socket'
+  def is_port_available?(port)
+    TCPServer.open('127.0.0.1', port) {}
+    true
+  rescue Errno::EACCES
+    bail!("You don't have permission to bind to port #{port}.")
+  rescue Errno::EADDRINUSE
+    bail!("Local port #{port} is already in use. Specify LOCAL_PORT to pick another.")
+  rescue Exception => exc
+    bail!(exc.to_s)
+  end
+
+  private
+
+  def exec_ssh(cmd, cli_options, args)
+    node = get_node_from_args(args, :include_disabled => true)
+    port = node.ssh.port
+    options = [
+      "-o 'HostName=#{node.ip_address}'",
+      # "-o 'HostKeyAlias=#{node.name}'", << oddly incompatible with ports in known_hosts file, so we must not use this or non-standard ports break.
+      "-o 'GlobalKnownHostsFile=#{path(:known_hosts)}'",
+      "-o 'UserKnownHostsFile=/dev/null'"
+    ]
+    if node.vagrant?
+      options << "-i #{vagrant_ssh_key_file}"    # use the universal vagrant insecure key
+      options << "-o IdentitiesOnly=yes"         # force the use of the insecure vagrant key
+      options << "-o 'StrictHostKeyChecking=no'" # blindly accept host key and don't save it (since userknownhostsfile is /dev/null)
+    else
+      options << "-o 'StrictHostKeyChecking=yes'"
+    end
+    if !node.supported_ssh_host_key_algorithms.empty?
+      options << "-o 'HostKeyAlgorithms=#{node.supported_ssh_host_key_algorithms}'"
+    end
+    username = 'root'
+    if LeapCli.log_level >= 3
+      options << "-vv"
+    elsif LeapCli.log_level >= 2
+      options << "-v"
+    end
+    if cli_options[:port]
+      port = cli_options[:port]
+    end
+    if cli_options[:ssh]
+      options << cli_options[:ssh]
+    end
+    ssh = "ssh -l #{username} -p #{port} #{options.join(' ')}"
+    if cmd == :ssh
+      command = "#{ssh} #{node.domain.full}"
+    elsif cmd == :mosh
+      command = "MOSH_TITLE_NOPREFIX=1 mosh --ssh \"#{ssh}\" #{node.domain.full}"
+    end
+    log 2, command
+
+    # exec the shell command in a subprocess
+    pid = fork { exec "#{command}" }
+
+    Signal.trap("SIGINT") do
+      Process.kill("KILL", pid)
+      Process.wait(pid)
+      exit(0)
+    end
+
+    # wait for shell to exit so we can grab the exit status
+    _, status = Process.waitpid2(pid)
+
+    if status.exitstatus == 255
+      ssh_config_help_message
+    elsif status.exitstatus != 0
+      exit(status.exitstatus)
+    end
+  end
+
+  def parse_tunnel_arg(arg)
+    if arg.count(':') == 1
+      node_name, remote = arg.split(':')
+      local = nil
+    elsif arg.count(':') == 2
+      local, node_name, remote = arg.split(':')
+    else
+      bail!('Argument NAME:REMOTE_PORT required.')
+    end
+    node = get_node_from_args([node_name], :include_disabled => true)
+    remote = remote.to_i
+    local = local || remote
+    local = local.to_i
+    return [local, node, remote]
+  end
+
+end; end

data/lib/leap_cli/commands/test.rb

@@ -1,15 +1,9 @@
 module LeapCli; module Commands
 
   desc 'Run tests.'
-  command :test do |test|
-    test.desc 'Creates files needed to run tests.'
-    test.command :init do |init|
-      init.action do |global_options,options,args|
-        generate_test_client_openvpn_configs
-      end
-    end
-
-    test.desc 'Run tests.'
+  command [:test, :t] do |test|
+    test.desc 'Run the test suit on FILTER nodes.'
+    test.arg_name 'FILTER', :optional => true
     test.command :run do |run|
       run.switch 'continue', :desc => 'Continue over errors and failures (default is --no-continue).', :negatable => true
       run.action do |global_options,options,args|
@@ -19,13 +13,28 @@ module LeapCli; module Commands
         end
         manager.filter!(args).names_in_test_dependency_order.each do |node_name|
           node = manager.nodes[node_name]
-          ssh_connect(node) do |ssh|
-            ssh.run(test_cmd(options))
+          begin
+            ssh_connect(node) do |ssh|
+              ssh.run(test_cmd(options))
+            end
+          rescue Capistrano::CommandError => exc
+            if options[:continue]
+              exit_status(1)
+            else
+              bail!
+            end
           end
         end
       end
     end
 
+    test.desc 'Creates files needed to run tests.'
+    test.command :init do |init|
+      init.action do |global_options,options,args|
+        generate_test_client_openvpn_configs
+      end
+    end
+
     test.default_command :run
   end
 
@@ -33,9 +42,9 @@ module LeapCli; module Commands
 
   def test_cmd(options)
     if options[:continue]
-      "#{PUPPET_DESTINATION}/bin/run_tests --continue"
+      "#{Leap::Platform.leap_dir}/bin/run_tests --continue"
     else
-      "#{PUPPET_DESTINATION}/bin/run_tests"
+      "#{Leap::Platform.leap_dir}/bin/run_tests"
     end
   end
 

data/lib/leap_cli/commands/user.rb

@@ -1,4 +1,3 @@
-require 'gpgme'
 
 #
 # perhaps we want to verify that the key files are actually the key files we expect.
@@ -75,8 +74,10 @@ module LeapCli
       if `which ssh-add`.strip.any?
         `ssh-add -L 2> /dev/null`.split("\n").compact.each do |line|
           key = SshKey.load(line)
-          key.comment = 'ssh-agent'
-          ssh_keys << key unless ssh_keys.include?(key)
+          if key
+            key.comment = 'ssh-agent'
+            ssh_keys << key unless ssh_keys.include?(key)
+          end
         end
       end
       ssh_keys.compact!
@@ -98,13 +99,20 @@ module LeapCli
     # let the the user choose among the gpg public keys that we encounter, or just pick the key if there is only one.
     #
     def pick_pgp_key
+      begin
+        return unless `which gpg`.strip.any?
+        require 'gpgme'
+      rescue LoadError
+        return
+      end
+
       secret_keys = GPGME::Key.find(:secret)
       if secret_keys.empty?
         log "Skipping OpenPGP setup because I could not find any OpenPGP keys for you"
         return nil
       end
 
-      assert_bin! 'gpg'
+      secret_keys.select!{|key| !key.expired}
 
       if secret_keys.length > 1
         key_index = numbered_choice_menu('Choose your OpenPGP public key', secret_keys) do |key, i|

data/lib/leap_cli/commands/vagrant.rb

@@ -1,11 +1,11 @@
-require 'ipaddr'
+autoload :IPAddr, 'ipaddr'
 require 'fileutils'
 
 module LeapCli; module Commands
 
   desc "Manage local virtual machines."
   long_desc "This command provides a convient way to manage Vagrant-based virtual machines. If FILTER argument is missing, the command runs on all local virtual machines. The Vagrantfile is automatically generated in 'test/Vagrantfile'. If you want to run vagrant commands manually, cd to 'test'."
-  command :local do |local|
+  command [:local, :l] do |local|
     local.desc 'Starts up the virtual machine(s)'
     local.arg_name 'FILTER', :optional => true #, :multiple => false
     local.command :start do |start|
@@ -156,7 +156,7 @@ module LeapCli; module Commands
           if node.vagrant?
             lines << %[  config.vm.define :#{node.name} do |config|]
             lines << %[    config.vm.box = "leap-wheezy"]
-            lines << %[    config.vm.box_url = "https://downloads.leap.se/platform/leap-debian.box"]
+            lines << %[    config.vm.box_url = "https://downloads.leap.se/platform/vagrant/virtualbox/leap-wheezy.box"]
             lines << %[    config.vm.network :hostonly, "#{node.ip_address}", :netmask => "#{netmask}"]
             lines << %[    config.vm.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]]
             lines << %[    config.vm.customize ["modifyvm", :id, "--name", "#{node.name}"]]
@@ -170,7 +170,7 @@ module LeapCli; module Commands
           if node.vagrant?
             lines << %[  config.vm.define :#{node.name} do |config|]
             lines << %[    config.vm.box = "leap-wheezy"]
-            lines << %[    config.vm.box_url = "https://downloads.leap.se/platform/leap-debian.box"]
+            lines << %[    config.vm.box_url = "https://downloads.leap.se/platform/vagrant/virtualbox/leap-wheezy.box"]
             lines << %[    config.vm.network :private_network, ip: "#{node.ip_address}"]
             lines << %[    config.vm.provider "virtualbox" do |v|]
             lines << %[      v.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]]

data/lib/leap_cli/config/filter.rb

@@ -0,0 +1,175 @@
+#
+# Many leap_cli commands accept a list of filters to select a subset of nodes for the command to
+# be applied to. This class is a helper for manager to run these filters.
+#
+# Classes other than Manager should not use this class.
+#
+# Filter rules:
+#
+# * A filter consists of a list of tokens
+# * A token may be a service name, tag name, environment name, or node name.
+# * Each token may be optionally prefixed with a plus sign.
+# * Multiple tokens with a plus are treated as an OR condition,
+#   but treated as an AND condition with the plus sign.
+#
+# For example
+#
+# * openvpn +development => all nodes with service 'openvpn' AND environment 'development'
+# * openvpn seattle => all nodes with service 'openvpn' OR tag 'seattle'.
+#
+# There can only be one environment specified. Typically, there are also tags
+# for each environment name. These name are treated as environments, not tags.
+#
+module LeapCli
+  module Config
+    class Filter
+
+      #
+      # filter -- array of strings, each one a filter
+      # options -- hash, possible keys include
+      #   :nopin -- disregard environment pinning
+      #   :local -- if false, disallow local nodes
+      #
+      # A nil value in the filters array indicates
+      # the default environment. This is in order to support
+      # calls like `manager.filter(environments)`
+      #
+      def initialize(filters, options, manager)
+        @filters = filters.nil? ? [] : filters.dup
+        @environments = []
+        @options = options
+        @manager = manager
+
+        # split filters by pulling out items that happen
+        # to be environment names.
+        if LeapCli.leapfile.environment.nil? || @options[:nopin]
+          @environments = []
+        else
+          @environments = [LeapCli.leapfile.environment]
+        end
+        @filters.select! do |filter|
+          if filter.nil?
+            @environments << nil unless @environments.include?(nil)
+            false
+          else
+            filter_text = filter.sub(/^\+/,'')
+            if is_environment?(filter_text)
+              if filter_text == LeapCli.leapfile.environment
+                # silently ignore already pinned environments
+              elsif (filter =~ /^\+/ || @filters.first == filter) && !@environments.empty?
+                LeapCli::Util.bail! do
+                  LeapCli::Util.log "Environments are exclusive: no node is in two environments." do
+                    LeapCli::Util.log "Tried to filter on '#{@environments.join('\' AND \'')}' AND '#{filter_text}'"
+                  end
+                end
+              else
+                @environments << filter_text
+              end
+              false
+            else
+              true
+            end
+          end
+        end
+
+        # don't let the first filter have a + prefix
+        if @filters[0] =~ /^\+/
+          @filters[0] = @filters[0][1..-1]
+        end
+      end
+
+      # actually run the filter, returns a filtered list of nodes
+      def nodes()
+        if @filters.empty?
+          return nodes_for_empty_filter
+        else
+          return nodes_for_filter
+        end
+      end
+
+      private
+
+      def nodes_for_empty_filter
+        node_list = @manager.nodes
+        if @environments.any?
+          node_list = node_list[ @environments.collect{|e|[:environment, env_to_filter(e)]} ]
+        end
+        if @options[:local] === false
+          node_list = node_list[:environment => '!local']
+        end
+        node_list
+      end
+
+      def nodes_for_filter
+        node_list = Config::ObjectList.new
+        @filters.each do |filter|
+          if filter =~ /^\+/
+            keep_list = nodes_for_name(filter[1..-1])
+            node_list.delete_if do |name, node|
+              if keep_list[name]
+                false
+              else
+                true
+              end
+            end
+          else
+            node_list.merge!(nodes_for_name(filter))
+          end
+        end
+        node_list
+      end
+
+      private
+
+      #
+      # returns a set of nodes corresponding to a single name,
+      # where name could be a node name, service name, or tag name.
+      #
+      # For services and tags, we only include nodes for the
+      # environments that are active
+      #
+      def nodes_for_name(name)
+        if node = @manager.nodes[name]
+          return Config::ObjectList.new(node)
+        elsif @environments.empty?
+          if @manager.services[name]
+            return @manager.env('_all_').services[name].node_list
+          elsif @manager.tags[name]
+            return @manager.env('_all_').tags[name].node_list
+          else
+            LeapCli::Util.log :warning, "filter '#{name}' does not match any node names, tags, services, or environments."
+            return Config::ObjectList.new
+          end
+        else
+          node_list = Config::ObjectList.new
+          if @manager.services[name]
+            @environments.each do |env|
+              node_list.merge!(@manager.env(env).services[name].node_list)
+            end
+          elsif @manager.tags[name]
+            @environments.each do |env|
+              node_list.merge!(@manager.env(env).tags[name].node_list)
+            end
+          else
+            LeapCli::Util.log :warning, "filter '#{name}' does not match any node names, tags, services, or environments."
+          end
+          return node_list
+        end
+      end
+
+      #
+      # when pinning, we use the name 'default' to specify nodes
+      # without an environment set, but when filtering, we need to filter
+      # on :environment => nil.
+      #
+      def env_to_filter(environment)
+        environment == 'default' ? nil : environment
+      end
+
+      def is_environment?(text)
+        text == 'default' || @manager.environment_names.include?(text)
+      end
+
+    end
+  end
+end