RubyGems - leap_cli - Versions diffs - 1.5.6 → 1.6.2 - Mend

leap_cli 1.5.6 → 1.6.2

Files changed (62) hide show

data/bin/leap +29 -6
data/lib/leap/platform.rb +36 -1
data/lib/leap_cli/commands/ca.rb +97 -20
data/lib/leap_cli/commands/compile.rb +49 -8
data/lib/leap_cli/commands/db.rb +13 -4
data/lib/leap_cli/commands/deploy.rb +138 -29
data/lib/leap_cli/commands/env.rb +76 -0
data/lib/leap_cli/commands/facts.rb +10 -3
data/lib/leap_cli/commands/inspect.rb +2 -2
data/lib/leap_cli/commands/list.rb +10 -10
data/lib/leap_cli/commands/node.rb +7 -132
data/lib/leap_cli/commands/node_init.rb +169 -0
data/lib/leap_cli/commands/pre.rb +4 -27
data/lib/leap_cli/commands/ssh.rb +152 -0
data/lib/leap_cli/commands/test.rb +22 -13
data/lib/leap_cli/commands/user.rb +12 -4
data/lib/leap_cli/commands/vagrant.rb +4 -4
data/lib/leap_cli/config/filter.rb +175 -0
data/lib/leap_cli/config/manager.rb +130 -61
data/lib/leap_cli/config/node.rb +32 -0
data/lib/leap_cli/config/object.rb +69 -44
data/lib/leap_cli/config/object_list.rb +44 -39
data/lib/leap_cli/config/secrets.rb +24 -12
data/lib/leap_cli/config/tag.rb +7 -0
data/lib/{core_ext → leap_cli/core_ext}/boolean.rb +0 -0
data/lib/{core_ext → leap_cli/core_ext}/hash.rb +0 -0
data/lib/{core_ext → leap_cli/core_ext}/json.rb +0 -0
data/lib/{core_ext → leap_cli/core_ext}/nil.rb +0 -0
data/lib/{core_ext → leap_cli/core_ext}/string.rb +0 -0
data/lib/leap_cli/core_ext/yaml.rb +29 -0
data/lib/leap_cli/exceptions.rb +24 -0
data/lib/leap_cli/leapfile.rb +60 -10
data/lib/{lib_ext → leap_cli/lib_ext}/capistrano_connections.rb +0 -0
data/lib/{lib_ext → leap_cli/lib_ext}/gli.rb +0 -0
data/lib/leap_cli/log.rb +1 -1
data/lib/leap_cli/logger.rb +18 -1
data/lib/leap_cli/markdown_document_listener.rb +1 -1
data/lib/leap_cli/override/json.rb +11 -0
data/lib/leap_cli/path.rb +20 -6
data/lib/leap_cli/remote/leap_plugin.rb +2 -2
data/lib/leap_cli/remote/puppet_plugin.rb +1 -1
data/lib/leap_cli/remote/rsync_plugin.rb +1 -1
data/lib/leap_cli/remote/tasks.rb +1 -1
data/lib/leap_cli/ssh_key.rb +63 -1
data/lib/leap_cli/util/remote_command.rb +19 -2
data/lib/leap_cli/util/secret.rb +1 -1
data/lib/leap_cli/util/x509.rb +3 -2
data/lib/leap_cli/util.rb +11 -3
data/lib/leap_cli/version.rb +2 -2
data/lib/leap_cli.rb +24 -14
data/vendor/certificate_authority/lib/certificate_authority/certificate.rb +85 -29
data/vendor/certificate_authority/lib/certificate_authority/distinguished_name.rb +5 -0
data/vendor/certificate_authority/lib/certificate_authority/extensions.rb +406 -41
data/vendor/certificate_authority/lib/certificate_authority/key_material.rb +0 -34
data/vendor/certificate_authority/lib/certificate_authority/serial_number.rb +6 -0
data/vendor/certificate_authority/lib/certificate_authority/signing_request.rb +36 -1
metadata +25 -24
data/lib/leap_cli/commands/shell.rb +0 -89
data/lib/leap_cli/config/macros.rb +0 -430
data/lib/leap_cli/constants.rb +0 -7
data/lib/leap_cli/requirements.rb +0 -19
data/lib/lib_ext/markdown_document_listener.rb +0 -122

data/vendor/certificate_authority/lib/certificate_authority/certificate.rb CHANGED Viewed

@@ -33,7 +33,7 @@ module CertificateAuthority
       self.serial_number = SerialNumber.new
       self.key_material = MemoryKeyMaterial.new
       self.not_before = Time.now
-      self.not_after = Time.now + 60 * 60 * 24 * 365 #One year
+      self.not_after = Time.now + 60 * 60 * 24 * 365 # One year
       self.parent = self
       self.extensions = load_extensions()
@@ -41,12 +41,31 @@ module CertificateAuthority
     end
+=begin
+    def self.from_openssl openssl_cert
+      unless openssl_cert.is_a? OpenSSL::X509::Certificate
+        raise "Can only construct from an OpenSSL::X509::Certificate"
+      end
+      certificate = Certificate.new
+      # Only subject, key_material, and body are used for signing
+      certificate.distinguished_name = DistinguishedName.from_openssl openssl_cert.subject
+      certificate.key_material.public_key = openssl_cert.public_key
+      certificate.openssl_body = openssl_cert
+      certificate.serial_number.number = openssl_cert.serial.to_i
+      certificate.not_before = openssl_cert.not_before
+      certificate.not_after = openssl_cert.not_after
+      # TODO extensions
+      certificate
+    end
+=end
     def sign!(signing_profile={})
       raise "Invalid certificate #{self.errors.full_messages}" unless valid?
       merge_profile_with_extensions(signing_profile)
       openssl_cert = OpenSSL::X509::Certificate.new
-      openssl_cert.version    = 2
+      openssl_cert.version = 2
       openssl_cert.not_before = self.not_before
       openssl_cert.not_after = self.not_after
       openssl_cert.public_key = self.key_material.public_key
@@ -58,7 +77,6 @@ module CertificateAuthority
       require 'tempfile'
       t = Tempfile.new("bullshit_conf")
-      # t = File.new("/tmp/openssl.cnf")
       ## The config requires a file even though we won't use it
       openssl_config = OpenSSL::Config.new(t.path)
@@ -85,7 +103,7 @@ module CertificateAuthority
       self.extensions.keys.sort{|a,b| b<=>a}.each do |k|
         e = extensions[k]
         next if e.to_s.nil? or e.to_s == "" ## If the extension returns an empty string we won't include it
-        ext = factory.create_ext(e.openssl_identifier, e.to_s)
+        ext = factory.create_ext(e.openssl_identifier, e.to_s, e.critical)
         openssl_cert.add_extension(ext)
       end
@@ -94,9 +112,10 @@ module CertificateAuthority
       else
         digest = OpenSSL::Digest::Digest.new(signing_profile["digest"])
       end
-      self.openssl_body = openssl_cert.sign(parent.key_material.private_key,digest)
-      t.close! if t.is_a?(Tempfile)# We can get rid of the ridiculous temp file
-      self.openssl_body
+      self.openssl_body = openssl_cert.sign(parent.key_material.private_key, digest)
+    ensure
+      t.close! if t # We can get rid of the ridiculous temp file
     end
     def is_signing_entity?
@@ -116,6 +135,34 @@ module CertificateAuthority
       self.openssl_body.to_pem
     end
+    def to_csr
+      csr = SigningRequest.new
+      csr.distinguished_name = self.distinguished_name
+      csr.key_material = self.key_material
+      factory = OpenSSL::X509::ExtensionFactory.new
+      exts = []
+      self.extensions.keys.each do |k|
+        ## Don't copy over key identifiers for CSRs
+        next if k == "subjectKeyIdentifier" || k == "authorityKeyIdentifier"
+        e = extensions[k]
+        ## If the extension returns an empty string we won't include it
+        next if e.to_s.nil? or e.to_s == ""
+        exts << factory.create_ext(e.openssl_identifier, e.to_s, e.critical)
+      end
+      attrval = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(exts)])
+      attrs = [
+        OpenSSL::X509::Attribute.new("extReq", attrval),
+        OpenSSL::X509::Attribute.new("msExtReq", attrval)
+      ]
+      csr.attributes = attrs
+      csr
+    end
+    def self.from_x509_cert(raw_cert)
+      openssl_cert = OpenSSL::X509::Certificate.new(raw_cert)
+      Certificate.from_openssl(openssl_cert)
+    end
     def is_root_entity?
       self.parent == self && is_signing_entity?
     end
@@ -134,6 +181,16 @@ module CertificateAuthority
         items = signing_config[k]
         items.keys.each do |profile_item_key|
           if extension.respond_to?("#{profile_item_key}=".to_sym)
+            if k == 'subjectAltName' && profile_item_key == 'emails'
+              items[profile_item_key].map do |email|
+                if email == 'email:copy'
+                  fail "no email address provided for subject: #{subject.to_x509_name}" unless subject.email_address
+                  "email:#{subject.email_address}"
+                else
+                  email
+                end
+              end
+            end
             extension.send("#{profile_item_key}=".to_sym, items[profile_item_key] )
           else
             p "Tried applying '#{profile_item_key}' to #{extension.class} but it doesn't respond!"
@@ -142,30 +199,25 @@ module CertificateAuthority
       end
     end
+    # Enumeration of the extensions. Not the worst option since
+    # the likelihood of these needing to be updated is low at best.
+    EXTENSIONS = [
+        CertificateAuthority::Extensions::BasicConstraints,
+        CertificateAuthority::Extensions::CrlDistributionPoints,
+        CertificateAuthority::Extensions::SubjectKeyIdentifier,
+        CertificateAuthority::Extensions::AuthorityKeyIdentifier,
+        CertificateAuthority::Extensions::AuthorityInfoAccess,
+        CertificateAuthority::Extensions::KeyUsage,
+        CertificateAuthority::Extensions::ExtendedKeyUsage,
+        CertificateAuthority::Extensions::SubjectAlternativeName,
+        CertificateAuthority::Extensions::CertificatePolicies
+    ]
     def load_extensions
       extension_hash = {}
-      temp_extensions = []
-      basic_constraints = CertificateAuthority::Extensions::BasicConstraints.new
-      temp_extensions << basic_constraints
-      crl_distribution_points = CertificateAuthority::Extensions::CrlDistributionPoints.new
-      temp_extensions << crl_distribution_points
-      subject_key_identifier = CertificateAuthority::Extensions::SubjectKeyIdentifier.new
-      temp_extensions << subject_key_identifier
-      authority_key_identifier = CertificateAuthority::Extensions::AuthorityKeyIdentifier.new
-      temp_extensions << authority_key_identifier
-      authority_info_access = CertificateAuthority::Extensions::AuthorityInfoAccess.new
-      temp_extensions << authority_info_access
-      key_usage = CertificateAuthority::Extensions::KeyUsage.new
-      temp_extensions << key_usage
-      extended_key_usage = CertificateAuthority::Extensions::ExtendedKeyUsage.new
-      temp_extensions << extended_key_usage
-      subject_alternative_name = CertificateAuthority::Extensions::SubjectAlternativeName.new
-      temp_extensions << subject_alternative_name
-      certificate_policies = CertificateAuthority::Extensions::CertificatePolicies.new
-      temp_extensions << certificate_policies
-      temp_extensions.each do |extension|
+      EXTENSIONS.each do |klass|
+        extension = klass.new
         extension_hash[extension.openssl_identifier] = extension
       end
@@ -192,7 +244,11 @@ module CertificateAuthority
       certificate.serial_number.number = openssl_cert.serial.to_i
       certificate.not_before = openssl_cert.not_before
       certificate.not_after = openssl_cert.not_after
-      # TODO extensions
+      EXTENSIONS.each do |klass|
+        _,v,c = (openssl_cert.extensions.detect { |e| e.to_a.first == klass::OPENSSL_IDENTIFIER } || []).to_a
+        certificate.extensions[klass::OPENSSL_IDENTIFIER] = klass.parse(v, c) if v
+      end
       certificate
     end

data/vendor/certificate_authority/lib/certificate_authority/distinguished_name.rb CHANGED Viewed

@@ -32,11 +32,16 @@ module CertificateAuthority
     alias :emailAddress :email_address
     alias :emailAddress= :email_address=
+    attr_accessor :serial_number
+    alias :serialNumber :serial_number
+    alias :serialNumber= :serial_number=
     def to_x509_name
       raise "Invalid Distinguished Name" unless valid?
       # NB: the capitalization in the strings counts
       name = OpenSSL::X509::Name.new
+      name.add_entry("serialNumber", serial_number) unless serial_number.blank?
       name.add_entry("C", country) unless country.blank?
       name.add_entry("ST", state) unless state.blank?
       name.add_entry("L", locality) unless locality.blank?