RubyGems - leap_cli - Versions diffs - 1.7.4 → 1.8 - Mend

leap_cli 1.7.4 → 1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

checksums.yaml +4 -4
data/bin/leap +6 -13
data/lib/leap/platform.rb +2 -0
data/lib/leap_cli.rb +2 -1
data/lib/leap_cli/bootstrap.rb +197 -0
data/lib/leap_cli/commands/common.rb +61 -0
data/lib/leap_cli/commands/new.rb +5 -1
data/lib/leap_cli/commands/pre.rb +1 -66
data/lib/leap_cli/config/environment.rb +180 -0
data/lib/leap_cli/config/manager.rb +100 -197
data/lib/leap_cli/config/node.rb +2 -2
data/lib/leap_cli/config/object.rb +56 -43
data/lib/leap_cli/config/object_list.rb +6 -3
data/lib/leap_cli/config/provider.rb +11 -0
data/lib/leap_cli/config/secrets.rb +14 -1
data/lib/leap_cli/config/tag.rb +2 -2
data/lib/leap_cli/leapfile.rb +1 -0
data/lib/leap_cli/log.rb +1 -0
data/lib/leap_cli/logger.rb +16 -12
data/lib/leap_cli/markdown_document_listener.rb +3 -1
data/lib/leap_cli/path.rb +12 -0
data/lib/leap_cli/remote/leap_plugin.rb +9 -34
data/lib/leap_cli/remote/puppet_plugin.rb +0 -40
data/lib/leap_cli/remote/tasks.rb +9 -34
data/lib/leap_cli/ssh_key.rb +5 -2
data/lib/leap_cli/version.rb +2 -2
metadata +5 -18
data/lib/leap_cli/commands/ca.rb +0 -518
data/lib/leap_cli/commands/clean.rb +0 -16
data/lib/leap_cli/commands/compile.rb +0 -340
data/lib/leap_cli/commands/db.rb +0 -65
data/lib/leap_cli/commands/deploy.rb +0 -368
data/lib/leap_cli/commands/env.rb +0 -76
data/lib/leap_cli/commands/facts.rb +0 -100
data/lib/leap_cli/commands/inspect.rb +0 -144
data/lib/leap_cli/commands/list.rb +0 -132
data/lib/leap_cli/commands/node.rb +0 -165
data/lib/leap_cli/commands/node_init.rb +0 -169
data/lib/leap_cli/commands/ssh.rb +0 -220
data/lib/leap_cli/commands/test.rb +0 -74
data/lib/leap_cli/commands/user.rb +0 -136
data/lib/leap_cli/commands/util.rb +0 -50
data/lib/leap_cli/commands/vagrant.rb +0 -197

data/lib/leap_cli/remote/tasks.rb CHANGED Viewed

@@ -25,44 +25,19 @@ end
 task :install_insecure_vagrant_key, :max_hosts => MAX_HOSTS do
   leap.log :installing, "insecure vagrant key" do
     leap.mkdirs '/root/.ssh'
-    key_file = File.expand_path('../../../vendor/vagrant_ssh_keys/vagrant.pub', File.dirname(__FILE__))
-    upload key_file, '/root/.ssh/authorized_keys2', :mode => '600'
+    upload LeapCli::Path.vagrant_ssh_pub_key_file, '/root/.ssh/authorized_keys2', :mode => '600'
   end
 end
-BAD_APT_GET_UPDATE = /(BADSIG|NO_PUBKEY|KEYEXPIRED|REVKEYSIG|NODATA)/
 task :install_prerequisites, :max_hosts => MAX_HOSTS do
-  apt_get = "DEBIAN_FRONTEND=noninteractive apt-get -q -y -o DPkg::Options::=--force-confold"
-  apt_get_update = "apt-get update -o Acquire::Languages=none"
-  leap.mkdirs Leap::Platform.leap_dir
-  run "echo 'en_US.UTF-8 UTF-8' > /etc/locale.gen"
-  leap.log :updating, "package list" do
-    run apt_get_update do |channel, stream, data|
-      # sadly exitcode is unreliable measure if apt-get update hit a failure.
-      if data =~ BAD_APT_GET_UPDATE
-        LeapCli::Util.bail! do
-          LeapCli::Util.log :fatal_error, "in `apt-get update`: #{data}", :host => channel[:host]
-        end
-      else
-        logger.log(1, data, channel[:host])
-      end
-    end
-  end
-  leap.log :updating, "server time" do
-    run "( test -f /etc/init.d/ntp && /etc/init.d/ntp stop ) || true"
-    run "test -f /usr/sbin/ntpdate || #{apt_get} install ntpdate"
-    leap.log :running, "ntpdate..." do
-      run "test -f /usr/sbin/ntpdate && ntpdate 0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org"
-    end
-    run "( test -f /etc/init.d/ntp && /etc/init.d/ntp start ) || true"
-  end
-  leap.log :installing, "required packages" do
-    run %[#{apt_get} install #{leap.required_wheezy_packages}]
+  bin_dir = File.join(Leap::Platform.leap_dir, 'bin')
+  node_init_path = File.join(bin_dir, 'node_init')
+  leap.log :running, "node_init script" do
+    leap.mkdirs bin_dir
+    upload LeapCli::Path.node_init_script, node_init_path, :mode => '500'
+    run node_init_path
   end
-  #run "locale-gen"
-  leap.mkdirs("/etc/leap", "/srv/leap")
-  leap.mark_initialized
 end
 #
@@ -73,4 +48,4 @@ task :skip_errors_task, :on_error => :continue, :max_hosts => MAX_HOSTS do
 end
 task :standard_task, :max_hosts => MAX_HOSTS do
-end
+end

data/lib/leap_cli/ssh_key.rb CHANGED Viewed

@@ -161,8 +161,11 @@ module LeapCli
     end
     def summary
-      #"%s %s %s (%s)" % [self.type, self.bits, self.fingerprint, self.filename || self.comment || '']
-      "%s %s %s" % [self.type, self.bits, self.fingerprint]
+      if self.filename
+        "%s %s %s (%s)" % [self.type, self.bits, self.fingerprint, File.basename(self.filename)]
+      else
+        "%s %s %s" % [self.type, self.bits, self.fingerprint]
+      end
     end
     def to_s

data/lib/leap_cli/version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 module LeapCli
   unless defined?(LeapCli::VERSION)
-    VERSION = '1.7.4'
-    COMPATIBLE_PLATFORM_VERSION = '0.7.1'..'0.99'
+    VERSION = '1.8'
+    COMPATIBLE_PLATFORM_VERSION = '0.8'..'0.99'
     SUMMARY = 'Command line interface to the LEAP platform'
     DESCRIPTION = 'The command "leap" can be used to manage a bevy of servers running the LEAP platform from the comfort of your own home.'
     LOAD_PATHS = ['lib', 'vendor/certificate_authority/lib', 'vendor/rsync_command/lib']

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: leap_cli
 version: !ruby/object:Gem::Version
-  version: 1.7.4
+  version: '1.8'
 platform: ruby
 authors:
 - LEAP Encryption Access Project
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-07-29 00:00:00.000000000 Z
+date: 2016-05-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -187,24 +187,11 @@ files:
 - bin/leap
 - lib/leap/platform.rb
 - lib/leap_cli.rb
-- lib/leap_cli/commands/ca.rb
-- lib/leap_cli/commands/clean.rb
-- lib/leap_cli/commands/compile.rb
-- lib/leap_cli/commands/db.rb
-- lib/leap_cli/commands/deploy.rb
-- lib/leap_cli/commands/env.rb
-- lib/leap_cli/commands/facts.rb
-- lib/leap_cli/commands/inspect.rb
-- lib/leap_cli/commands/list.rb
+- lib/leap_cli/bootstrap.rb
+- lib/leap_cli/commands/common.rb
 - lib/leap_cli/commands/new.rb
-- lib/leap_cli/commands/node.rb
-- lib/leap_cli/commands/node_init.rb
 - lib/leap_cli/commands/pre.rb
-- lib/leap_cli/commands/ssh.rb
-- lib/leap_cli/commands/test.rb
-- lib/leap_cli/commands/user.rb
-- lib/leap_cli/commands/util.rb
-- lib/leap_cli/commands/vagrant.rb
+- lib/leap_cli/config/environment.rb
 - lib/leap_cli/config/filter.rb
 - lib/leap_cli/config/manager.rb
 - lib/leap_cli/config/node.rb

data/lib/leap_cli/commands/ca.rb DELETED Viewed

@@ -1,518 +0,0 @@
-autoload :OpenSSL, 'openssl'
-autoload :CertificateAuthority, 'certificate_authority'
-autoload :Date, 'date'
-require 'digest/md5'
-module LeapCli; module Commands
-  desc "Manage X.509 certificates"
-  command :cert do |cert|
-    cert.desc 'Creates two Certificate Authorities (one for validating servers and one for validating clients).'
-    cert.long_desc 'See see what values are used in the generation of the certificates (like name and key size), run `leap inspect provider` and look for the "ca" property. To see the details of the created certs, run `leap inspect <file>`.'
-    cert.command :ca do |ca|
-      ca.action do |global_options,options,args|
-        assert_config! 'provider.ca.name'
-        generate_new_certificate_authority(:ca_key, :ca_cert, provider.ca.name)
-        generate_new_certificate_authority(:client_ca_key, :client_ca_cert, provider.ca.name + ' (client certificates only!)')
-      end
-    end
-    cert.desc 'Creates or renews a X.509 certificate/key pair for a single node or all nodes, but only if needed.'
-    cert.long_desc 'This command will a generate new certificate for a node if some value in the node has changed ' +
-                   'that is included in the certificate (like hostname or IP address), or if the old certificate will be expiring soon. ' +
-                   'Sometimes, you might want to force the generation of a new certificate, ' +
-                   'such as in the cases where you have changed a CA parameter for server certificates, like bit size or digest hash. ' +
-                   'In this case, use --force. If <node-filter> is empty, this command will apply to all nodes.'
-    cert.arg_name 'FILTER'
-    cert.command :update do |update|
-      update.switch 'force', :desc => 'Always generate new certificates', :negatable => false
-      update.action do |global_options,options,args|
-        update_certificates(manager.filter!(args), options)
-      end
-    end
-    cert.desc 'Creates a Diffie-Hellman parameter file, needed for forward secret OpenVPN ciphers.' # (needed for server-side of some TLS connections)
-    cert.command :dh do |dh|
-      dh.action do |global_options,options,args|
-        long_running do
-          if cmd_exists?('certtool')
-            log 0, 'Generating DH parameters (takes a long time)...'
-            output = assert_run!('certtool --generate-dh-params --sec-param high')
-            output.sub! /.*(-----BEGIN DH PARAMETERS-----.*-----END DH PARAMETERS-----).*/m, '\1'
-            output << "\n"
-            write_file!(:dh_params, output)
-          else
-            log 0, 'Generating DH parameters (takes a REALLY long time)...'
-            output = OpenSSL::PKey::DH.generate(3248).to_pem
-            write_file!(:dh_params, output)
-          end
-        end
-      end
-    end
-    #
-    # hints:
-    #
-    # inspect CSR:
-    #   openssl req -noout -text -in files/cert/x.csr
-    #
-    # generate CSR with openssl to see how it compares:
-    #   openssl req -sha256 -nodes -newkey rsa:2048 -keyout example.key -out example.csr
-    #
-    # validate a CSR:
-    #   http://certlogik.com/decoder/
-    #
-    # nice details about CSRs:
-    #   http://www.redkestrel.co.uk/Articles/CSR.html
-    #
-    cert.desc "Creates a CSR for use in buying a commercial X.509 certificate."
-    cert.long_desc "Unless specified, the CSR is created for the provider's primary domain. "+
-      "The properties used for this CSR come from `provider.ca.server_certificates`, "+
-      "but may be overridden here."
-    cert.command :csr do |csr|
-      csr.flag 'domain', :arg_name => 'DOMAIN', :desc => 'Specify what domain to create the CSR for.'
-      csr.flag ['organization', 'O'], :arg_name => 'ORGANIZATION', :desc => "Override default O in distinguished name."
-      csr.flag ['unit', 'OU'], :arg_name => 'UNIT', :desc => "Set OU in distinguished name."
-      csr.flag 'email', :arg_name => 'EMAIL', :desc => "Set emailAddress in distinguished name."
-      csr.flag ['locality', 'L'], :arg_name => 'LOCALITY', :desc => "Set L in distinguished name."
-      csr.flag ['state', 'ST'], :arg_name => 'STATE', :desc => "Set ST in distinguished name."
-      csr.flag ['country', 'C'], :arg_name => 'COUNTRY', :desc => "Set C in distinguished name."
-      csr.flag :bits, :arg_name => 'BITS', :desc => "Override default certificate bit length"
-      csr.flag :digest, :arg_name => 'DIGEST', :desc => "Override default signature digest"
-      csr.action do |global_options,options,args|
-        assert_config! 'provider.domain'
-        assert_config! 'provider.name'
-        assert_config! 'provider.default_language'
-        assert_config! 'provider.ca.server_certificates.bit_size'
-        assert_config! 'provider.ca.server_certificates.digest'
-        domain = options[:domain] || provider.domain
-        unless global_options[:force]
-          assert_files_missing! [:commercial_key, domain], [:commercial_csr, domain],
-            :msg => 'If you really want to create a new key and CSR, remove these files first or run with --force.'
-        end
-        server_certificates = provider.ca.server_certificates
-        # RSA key
-        keypair = CertificateAuthority::MemoryKeyMaterial.new
-        bit_size = (options[:bits] || server_certificates.bit_size).to_i
-        log :generating, "%s bit RSA key" % bit_size do
-          keypair.generate_key(bit_size)
-          write_file! [:commercial_key, domain], keypair.private_key.to_pem
-        end
-        # CSR
-        dn  = CertificateAuthority::DistinguishedName.new
-        dn.common_name   = domain
-        dn.organization  = options[:organization] || provider.name[provider.default_language]
-        dn.ou            = options[:organizational_unit] # optional
-        dn.email_address = options[:email] # optional
-        dn.country       = options[:country] || server_certificates['country']   # optional
-        dn.state         = options[:state] || server_certificates['state']       # optional
-        dn.locality      = options[:locality] || server_certificates['locality'] # optional
-        digest = options[:digest] || server_certificates.digest
-        log :generating, "CSR with #{digest} digest and #{print_dn(dn)}" do
-          csr = create_csr(dn, keypair, digest)
-          request = csr.to_x509_csr
-          write_file! [:commercial_csr, domain], csr.to_pem
-        end
-        # Sign using our own CA, for use in testing but hopefully not production.
-        # It is not that commerical CAs are so secure, it is just that signing your own certs is
-        # a total drag for the user because they must click through dire warnings.
-        #if options[:sign]
-          log :generating, "self-signed x509 server certificate for testing purposes" do
-            cert = csr.to_cert
-            cert.serial_number.number = cert_serial_number(domain)
-            cert.not_before = yesterday
-            cert.not_after  = yesterday.advance(:years => 1)
-            cert.parent = ca_root
-            cert.sign! domain_test_signing_profile
-            write_file! [:commercial_cert, domain], cert.to_pem
-            log "please replace this file with the real certificate you get from a CA using #{Path.relative_path([:commercial_csr, domain])}"
-          end
-        #end
-        # FAKE CA
-        unless file_exists? :commercial_ca_cert
-          log :using, "generated CA in place of commercial CA for testing purposes" do
-            write_file! :commercial_ca_cert, read_file!(:ca_cert)
-            log "please also replace this file with the CA cert from the commercial authority you use."
-          end
-        end
-      end
-    end
-  end
-  protected
-  #
-  # will generate new certificates for the specified nodes, if needed.
-  #
-  def update_certificates(nodes, options={})
-    assert_files_exist! :ca_cert, :ca_key, :msg => 'Run `leap cert ca` to create them'
-    assert_config! 'provider.ca.server_certificates.bit_size'
-    assert_config! 'provider.ca.server_certificates.digest'
-    assert_config! 'provider.ca.server_certificates.life_span'
-    assert_config! 'common.x509.use'
-    nodes.each_node do |node|
-      warn_if_commercial_cert_will_soon_expire(node)
-      if !node.x509.use
-        remove_file!([:node_x509_key, node.name])
-        remove_file!([:node_x509_cert, node.name])
-      elsif options[:force] || cert_needs_updating?(node)
-        generate_cert_for_node(node)
-      end
-    end
-  end
-  private
-  def generate_new_certificate_authority(key_file, cert_file, common_name)
-    assert_files_missing! key_file, cert_file
-    assert_config! 'provider.ca.name'
-    assert_config! 'provider.ca.bit_size'
-    assert_config! 'provider.ca.life_span'
-    root = CertificateAuthority::Certificate.new
-    # set subject
-    root.subject.common_name = common_name
-    possible = ['country', 'state', 'locality', 'organization', 'organizational_unit', 'email_address']
-    provider.ca.keys.each do |key|
-      if possible.include?(key)
-        root.subject.send(key + '=', provider.ca[key])
-      end
-    end
-    # set expiration
-    root.not_before = yesterday
-    root.not_after = yesterday_advance(provider.ca.life_span)
-    # generate private key
-    root.serial_number.number = 1
-    root.key_material.generate_key(provider.ca.bit_size)
-    # sign self
-    root.signing_entity = true
-    root.parent = root
-    root.sign!(ca_root_signing_profile)
-    # save
-    write_file!(key_file, root.key_material.private_key.to_pem)
-    write_file!(cert_file, root.to_pem)
-  end
-  #
-  # returns true if the certs associated with +node+ need to be regenerated.
-  #
-  def cert_needs_updating?(node)
-    if !file_exists?([:node_x509_cert, node.name], [:node_x509_key, node.name])
-      return true
-    else
-      cert = load_certificate_file([:node_x509_cert, node.name])
-      if cert.not_after < Time.now.advance(:months => 2)
-        log :updating, "cert for node '#{node.name}' because it will expire soon"
-        return true
-      end
-      if cert.subject.common_name != node.domain.full
-        log :updating, "cert for node '#{node.name}' because domain.full has changed (was #{cert.subject.common_name}, now #{node.domain.full})"
-        return true
-      end
-      cert.openssl_body.extensions.each do |ext|
-        if ext.oid == "subjectAltName"
-          ips = []
-          dns_names = []
-          ext.value.split(",").each do |value|
-            value.strip!
-            ips << $1          if value =~ /^IP Address:(.*)$/
-            dns_names << $1    if value =~ /^DNS:(.*)$/
-          end
-          dns_names.sort!
-          if ips.first != node.ip_address
-            log :updating, "cert for node '#{node.name}' because ip_address has changed (from #{ips.first} to #{node.ip_address})"
-            return true
-          elsif dns_names != dns_names_for_node(node)
-            log :updating, "cert for node '#{node.name}' because domain name aliases have changed\n    from: #{dns_names.inspect}\n    to: #{dns_names_for_node(node).inspect})"
-            return true
-          end
-        end
-      end
-    end
-    return false
-  end
-  def warn_if_commercial_cert_will_soon_expire(node)
-    dns_names_for_node(node).each do |domain|
-      if file_exists?([:commercial_cert, domain])
-        cert = load_certificate_file([:commercial_cert, domain])
-        path = Path.relative_path([:commercial_cert, domain])
-        if cert.not_after < Time.now.utc
-          log :error, "the commercial certificate '#{path}' has EXPIRED! " +
-            "You should renew it with `leap cert csr --domain #{domain}`."
-        elsif cert.not_after < Time.now.advance(:months => 2)
-          log :warning, "the commercial certificate '#{path}' will expire soon. "+
-            "You should renew it with `leap cert csr --domain #{domain}`."
-        end
-      end
-    end
-  end
-  def generate_cert_for_node(node)
-    return if node.x509.use == false
-    cert = CertificateAuthority::Certificate.new
-    # set subject
-    cert.subject.common_name = node.domain.full
-    cert.serial_number.number = cert_serial_number(node.domain.full)
-    # set expiration
-    cert.not_before = yesterday
-    cert.not_after = yesterday_advance(provider.ca.server_certificates.life_span)
-    # generate key
-    cert.key_material.generate_key(provider.ca.server_certificates.bit_size)
-    # sign
-    cert.parent = ca_root
-    cert.sign!(server_signing_profile(node))
-    # save
-    write_file!([:node_x509_key, node.name], cert.key_material.private_key.to_pem)
-    write_file!([:node_x509_cert, node.name], cert.to_pem)
-  end
-  #
-  # yields client key and cert suitable for testing
-  #
-  def generate_test_client_cert(prefix=nil)
-    cert = CertificateAuthority::Certificate.new
-    cert.serial_number.number = cert_serial_number(provider.domain)
-    cert.subject.common_name = [prefix, random_common_name(provider.domain)].join
-    cert.not_before = yesterday
-    cert.not_after  = yesterday.advance(:years => 1)
-    cert.key_material.generate_key(1024) # just for testing, remember!
-    cert.parent = client_ca_root
-    cert.sign! client_test_signing_profile
-    yield cert.key_material.private_key.to_pem, cert.to_pem
-  end
-  #
-  # creates a CSR and returns it.
-  # with the correct extReq attribute so that the CA
-  # doens't generate certs with extensions we don't want.
-  #
-  def create_csr(dn, keypair, digest)
-    csr = CertificateAuthority::SigningRequest.new
-    csr.distinguished_name = dn
-    csr.key_material = keypair
-    csr.digest = digest
-    # define extensions manually (library doesn't support setting these on CSRs)
-    extensions = []
-    extensions << CertificateAuthority::Extensions::BasicConstraints.new.tap {|basic|
-      basic.ca = false
-    }
-    extensions << CertificateAuthority::Extensions::KeyUsage.new.tap {|keyusage|
-      keyusage.usage = ["digitalSignature", "keyEncipherment"]
-    }
-    extensions << CertificateAuthority::Extensions::ExtendedKeyUsage.new.tap {|extkeyusage|
-      extkeyusage.usage = [ "serverAuth"]
-    }
-    # convert extensions to attribute 'extReq'
-    # aka "Requested Extensions"
-    factory = OpenSSL::X509::ExtensionFactory.new
-    attrval = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(
-      extensions.map{|e| factory.create_ext(e.openssl_identifier, e.to_s, e.critical)}
-    )])
-    attrs = [
-      OpenSSL::X509::Attribute.new("extReq", attrval),
-    ]
-    csr.attributes = attrs
-    return csr
-  end
-  def ca_root
-    @ca_root ||= begin
-      load_certificate_file(:ca_cert, :ca_key)
-    end
-  end
-  def client_ca_root
-    @client_ca_root ||= begin
-      load_certificate_file(:client_ca_cert, :client_ca_key)
-    end
-  end
-  def load_certificate_file(crt_file, key_file=nil, password=nil)
-    crt = read_file!(crt_file)
-    openssl_cert = OpenSSL::X509::Certificate.new(crt)
-    cert = CertificateAuthority::Certificate.from_openssl(openssl_cert)
-    if key_file
-      key = read_file!(key_file)
-      cert.key_material.private_key = OpenSSL::PKey::RSA.new(key, password)
-    end
-    return cert
-  end
-  def ca_root_signing_profile
-    {
-      "extensions" => {
-        "basicConstraints" => {"ca" => true},
-        "keyUsage" => {
-          "usage" => ["critical", "keyCertSign"]
-        },
-        "extendedKeyUsage" => {
-          "usage" => []
-        }
-      }
-    }
-  end
-  #
-  # For keyusage, openvpn server certs can have keyEncipherment or keyAgreement.
-  # Web browsers seem to break without keyEncipherment.
-  # For now, I am using digitalSignature + keyEncipherment
-  #
-  # * digitalSignature -- for (EC)DHE cipher suites
-  #   "The digitalSignature bit is asserted when the subject public key is used
-  #    with a digital signature mechanism to support security services other
-  #    than certificate signing (bit 5), or CRL signing (bit 6). Digital
-  #    signature mechanisms are often used for entity authentication and data
-  #    origin authentication with integrity."
-  #
-  # * keyEncipherment  ==> for plain RSA cipher suites
-  #   "The keyEncipherment bit is asserted when the subject public key is used for
-  #    key transport. For example, when an RSA key is to be used for key management,
-  #    then this bit is set."
-  #
-  # * keyAgreement     ==> for used with DH, not RSA.
-  #   "The keyAgreement bit is asserted when the subject public key is used for key
-  #    agreement. For example, when a Diffie-Hellman key is to be used for key
-  #    management, then this bit is set."
-  #
-  # digest options: SHA512, SHA256, SHA1
-  #
-  def server_signing_profile(node)
-    {
-      "digest" => provider.ca.server_certificates.digest,
-      "extensions" => {
-        "keyUsage" => {
-          "usage" => ["digitalSignature", "keyEncipherment"]
-        },
-        "extendedKeyUsage" => {
-          "usage" => ["serverAuth", "clientAuth"]
-        },
-        "subjectAltName" => {
-          "ips" => [node.ip_address],
-          "dns_names" => dns_names_for_node(node)
-        }
-      }
-    }
-  end
-  #
-  # This is used when signing the main cert for the provider's domain
-  # with our own CA (for testing purposes). Typically, this cert would
-  # be purchased from a commercial CA, and not signed this way.
-  #
-  def domain_test_signing_profile
-    {
-      "digest" => "SHA256",
-      "extensions" => {
-        "keyUsage" => {
-          "usage" => ["digitalSignature", "keyEncipherment"]
-        },
-        "extendedKeyUsage" => {
-          "usage" => ["serverAuth"]
-        }
-      }
-    }
-  end
-  #
-  # This is used when signing a dummy client certificate that is only to be
-  # used for testing.
-  #
-  def client_test_signing_profile
-    {
-      "digest" => "SHA256",
-      "extensions" => {
-        "keyUsage" => {
-          "usage" => ["digitalSignature"]
-        },
-        "extendedKeyUsage" => {
-          "usage" => ["clientAuth"]
-        }
-      }
-    }
-  end
-  def dns_names_for_node(node)
-    names = [node.domain.internal, node.domain.full]
-    if node['dns'] && node.dns['aliases'] && node.dns.aliases.any?
-      names += node.dns.aliases
-    end
-    names.compact!
-    names.sort!
-    names.uniq!
-    return names
-  end
-  #
-  # For cert serial numbers, we need a non-colliding number less than 160 bits.
-  # md5 will do nicely, since there is no need for a secure hash, just a short one.
-  # (md5 is 128 bits)
-  #
-  def cert_serial_number(domain_name)
-    Digest::MD5.hexdigest("#{domain_name} -- #{Time.now}").to_i(16)
-  end
-  #
-  # for the random common name, we need a text string that will be unique across all certs.
-  # ruby 1.8 doesn't have a built-in uuid generator, or we would use SecureRandom.uuid
-  #
-  def random_common_name(domain_name)
-    cert_serial_number(domain_name).to_s(36)
-  end
-  # prints CertificateAuthority::DistinguishedName fields
-  def print_dn(dn)
-    fields = {}
-    [:common_name, :locality, :state, :country, :organization, :organizational_unit, :email_address].each do |attr|
-      fields[attr] = dn.send(attr) if dn.send(attr)
-    end
-    fields.inspect
-  end
-  ##
-  ## TIME HELPERS
-  ##
-  ## note: we use 'yesterday' instead of 'today', because times are in UTC, and some people on the planet
-  ## are behind UTC.
-  ##
-  def yesterday
-    t = Time.now - 24*24*60
-    Time.utc t.year, t.month, t.day
-  end
-  def yesterday_advance(string)
-    number, unit = string.split(' ')
-    unless ['years', 'months', 'days', 'hours', 'minutes'].include? unit
-      bail!("The time property '#{string}' is missing a unit (one of: years, months, days, hours, minutes).")
-    end
-    unless number.to_i.to_s == number
-      bail!("The time property '#{string}' is missing a number.")
-    end
-    yesterday.advance(unit.to_sym => number.to_i)
-  end
-end; end