leap_cli 1.8.1 → 1.9

data/lib/leap_cli/path.rb

@@ -3,7 +3,7 @@ require 'fileutils'
 module LeapCli; module Path
 
   def self.platform
-    @platform
+    @platform ||= nil
   end
 
   def self.provider_base
@@ -40,14 +40,14 @@ module LeapCli; module Path
     [Path.provider, Path.provider_base].each do |base|
       if arg.is_a?(Symbol) || arg.is_a?(Array)
         named_path(arg, base).tap {|path|
-          return path if File.exists?(path)
+          return path if File.exist?(path)
         }
       else
         File.join(base, arg).tap {|path|
-          return path if File.exists?(path)
+          return path if File.exist?(path)
         }
         File.join(base, 'files', arg).tap {|path|
-          return path if File.exists?(path)
+          return path if File.exist?(path)
         }
       end
     end
@@ -83,7 +83,7 @@ module LeapCli; module Path
   end
 
   def self.exists?(name, provider_dir=nil)
-    File.exists?(named_path(name, provider_dir))
+    File.exist?(named_path(name, provider_dir))
   end
 
   def self.defined?(name)

data/lib/leap_cli/util.rb

@@ -10,6 +10,10 @@ module LeapCli
 
     @@exit_status = nil
 
+    def log(*args, &block)
+      LeapCli.log(*args, &block)
+    end
+
     ##
     ## QUITTING
     ##
@@ -36,15 +40,14 @@ module LeapCli
     #
     # exit with error code and with a message that we are bailing out.
     #
-    def bail!(*message)
-      if block_given?
-        LeapCli.set_log_level(3)
-        yield
-      elsif message
-        log 0, *message
+    def bail!(*message, &block)
+      LeapCli.logger.log_level = 3 if LeapCli.logger.log_level < 3
+      if message.any?
+        log(0, *message, &block)
+      else
+        log(0, :bailing, "out", :color => :red, :style => :bold, &block)
       end
-      log 0, :bail, ""
-      raise SystemExit.new(@exit_status || 1)
+      raise SystemExit.new(exit_status || 1)
     end
 
     #
@@ -52,7 +55,7 @@ module LeapCli
     #
     def quit!(message='')
       puts(message)
-      raise SystemExit.new(@exit_status || 0)
+      raise SystemExit.new(exit_status || 0)
     end
 
     #
@@ -119,7 +122,7 @@ module LeapCli
       base = options[:base] || Path.provider
       file_list = files.collect { |file_path|
         file_path = Path.named_path(file_path, base)
-        File.exists?(file_path) ? Path.relative_path(file_path, base) : nil
+        File.exist?(file_path) ? Path.relative_path(file_path, base) : nil
       }.compact
       if file_list.length > 1
         bail! do
@@ -138,7 +141,7 @@ module LeapCli
       options = files.last.is_a?(Hash) ? files.pop : {}
       file_list = files.collect { |file_path|
         file_path = Path.named_path(file_path)
-        !File.exists?(file_path) ? Path.relative_path(file_path) : nil
+        !File.exist?(file_path) ? Path.relative_path(file_path) : nil
       }.compact
       if file_list.length > 1
         bail! do
@@ -157,7 +160,7 @@ module LeapCli
     def file_exists?(*files)
       files.each do |file_path|
         file_path = Path.named_path(file_path)
-        if !File.exists?(file_path)
+        if !File.exist?(file_path)
           return false
         end
       end
@@ -233,7 +236,7 @@ module LeapCli
     #
     def replace_file!(filepath, &block)
       filepath = Path.named_path(filepath)
-      if !File.exists?(filepath)
+      if !File.exist?(filepath)
         content = yield(nil)
         unless content.nil?
           write_file!(filepath, content)
@@ -258,7 +261,7 @@ module LeapCli
 
     def remove_file!(filepath)
       filepath = Path.named_path(filepath)
-      if File.exists?(filepath)
+      if File.exist?(filepath)
         if File.directory?(filepath)
           remove_directory!(filepath)
         else
@@ -298,7 +301,7 @@ module LeapCli
     def write_file!(filepath, contents)
       filepath = Path.named_path(filepath)
       ensure_dir File.dirname(filepath)
-      existed = File.exists?(filepath)
+      existed = File.exist?(filepath)
       if existed
         if file_content_equals?(filepath, contents)
           log :nochange, filepath, 2
@@ -320,11 +323,11 @@ module LeapCli
     def rename_file!(oldpath, newpath)
       oldpath = Path.named_path(oldpath)
       newpath = Path.named_path(newpath)
-      if File.exists? newpath
+      if File.exist? newpath
         log :skipping, "#{Path.relative_path(newpath)}, file already exists"
         return
       end
-      if !File.exists? oldpath
+      if !File.exist? oldpath
         log :skipping, "#{Path.relative_path(oldpath)}, file is missing"
         return
       end
@@ -425,11 +428,18 @@ module LeapCli
       end
     end
 
+    def is_git_subrepo?(dir)
+      Dir.chdir(dir) do
+        `ls .gitrepo 2>/dev/null`
+        return $? == 0
+      end
+    end
+
     def current_git_branch(dir)
       Dir.chdir(dir) do
         branch = `git symbolic-ref HEAD 2>/dev/null`.strip
         if branch.chars.any?
-          branch.sub /^refs\/heads\//, ''
+          branch.sub(/^refs\/heads\//, '')
         else
           nil
         end

data/lib/leap_cli/version.rb

@@ -1,9 +1,14 @@
 module LeapCli
   unless defined?(LeapCli::VERSION)
-    VERSION = '1.8.1'
-    COMPATIBLE_PLATFORM_VERSION = '0.8'..'0.8.99'
+    VERSION = '1.9'
+    COMPATIBLE_PLATFORM_VERSION = '0.9'..'0.99'
     SUMMARY = 'Command line interface to the LEAP platform'
     DESCRIPTION = 'The command "leap" can be used to manage a bevy of servers running the LEAP platform from the comfort of your own home.'
-    LOAD_PATHS = ['lib', 'vendor/certificate_authority/lib', 'vendor/rsync_command/lib']
+    LOAD_PATHS = ['lib',
+      'vendor/certificate_authority/lib',
+      'vendor/rsync_command/lib',
+      'vendor/base32/lib',
+      'vendor/acme-client/lib'
+    ]
   end
 end

data/vendor/acme-client/lib/acme-client.rb

@@ -0,0 +1 @@
+require 'acme/client'

data/vendor/acme-client/lib/acme/client.rb

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+
+require 'faraday'
+require 'json'
+require 'openssl'
+require 'digest'
+require 'forwardable'
+require 'base64'
+require 'time'
+
+module Acme; end
+class Acme::Client; end
+
+require 'acme/client/version'
+require 'acme/client/certificate'
+require 'acme/client/certificate_request'
+require 'acme/client/self_sign_certificate'
+require 'acme/client/crypto'
+require 'acme/client/resources'
+require 'acme/client/faraday_middleware'
+require 'acme/client/error'
+
+class Acme::Client
+  DEFAULT_ENDPOINT = 'http://127.0.0.1:4000'.freeze
+  DIRECTORY_DEFAULT = {
+    'new-authz' => '/acme/new-authz',
+    'new-cert' => '/acme/new-cert',
+    'new-reg' => '/acme/new-reg',
+    'revoke-cert' => '/acme/revoke-cert'
+  }.freeze
+
+  def initialize(private_key:, endpoint: DEFAULT_ENDPOINT, directory_uri: nil, connection_options: {})
+    @endpoint, @private_key, @directory_uri, @connection_options = endpoint, private_key, directory_uri, connection_options
+    @nonces ||= []
+    load_directory!
+  end
+
+  attr_reader :private_key, :nonces, :operation_endpoints
+
+  def register(contact:)
+    payload = {
+      resource: 'new-reg', contact: Array(contact)
+    }
+
+    response = connection.post(@operation_endpoints.fetch('new-reg'), payload)
+    ::Acme::Client::Resources::Registration.new(self, response)
+  end
+
+  def authorize(domain:)
+    payload = {
+      resource: 'new-authz',
+      identifier: {
+        type: 'dns',
+        value: domain
+      }
+    }
+
+    response = connection.post(@operation_endpoints.fetch('new-authz'), payload)
+    ::Acme::Client::Resources::Authorization.new(self, response.headers['Location'], response)
+  end
+
+  def fetch_authorization(uri)
+    response = connection.get(uri)
+    ::Acme::Client::Resources::Authorization.new(self, uri, response)
+  end
+
+  def new_certificate(csr)
+    payload = {
+      resource: 'new-cert',
+      csr: Base64.urlsafe_encode64(csr.to_der)
+    }
+
+    response = connection.post(@operation_endpoints.fetch('new-cert'), payload)
+    ::Acme::Client::Certificate.new(OpenSSL::X509::Certificate.new(response.body), response.headers['location'], fetch_chain(response), csr)
+  end
+
+  def revoke_certificate(certificate)
+    payload = { resource: 'revoke-cert', certificate: Base64.urlsafe_encode64(certificate.to_der) }
+    endpoint = @operation_endpoints.fetch('revoke-cert')
+    response = connection.post(endpoint, payload)
+    response.success?
+  end
+
+  def self.revoke_certificate(certificate, *arguments)
+    client = new(*arguments)
+    client.revoke_certificate(certificate)
+  end
+
+  def connection
+    @connection ||= Faraday.new(@endpoint, **@connection_options) do |configuration|
+      configuration.use Acme::Client::FaradayMiddleware, client: self
+      configuration.adapter Faraday.default_adapter
+    end
+  end
+
+  private
+
+  def fetch_chain(response, limit = 10)
+    links = response.headers['link']
+    if limit.zero? || links.nil? || links['up'].nil?
+      []
+    else
+      issuer = connection.get(links['up'])
+      [OpenSSL::X509::Certificate.new(issuer.body), *fetch_chain(issuer, limit - 1)]
+    end
+  end
+
+  def load_directory!
+    @operation_endpoints = if @directory_uri
+      response = connection.get(@directory_uri)
+      body = response.body
+      {
+        'new-reg' => body.fetch('new-reg'),
+        'new-authz' => body.fetch('new-authz'),
+        'new-cert' => body.fetch('new-cert'),
+        'revoke-cert' => body.fetch('revoke-cert'),
+      }
+    else
+      DIRECTORY_DEFAULT
+    end
+  end
+end

data/vendor/acme-client/lib/acme/client/certificate.rb

@@ -0,0 +1,30 @@
+class Acme::Client::Certificate
+  extend Forwardable
+
+  attr_reader :x509, :x509_chain, :request, :private_key, :url
+
+  def_delegators :x509, :to_pem, :to_der
+
+  def initialize(certificate, url, chain, request)
+    @x509 = certificate
+    @url = url
+    @x509_chain = chain
+    @request = request
+  end
+
+  def chain_to_pem
+    x509_chain.map(&:to_pem).join
+  end
+
+  def x509_fullchain
+    [x509, *x509_chain]
+  end
+
+  def fullchain_to_pem
+    x509_fullchain.map(&:to_pem).join
+  end
+
+  def common_name
+    x509.subject.to_a.find { |name, _, _| name == 'CN' }[1]
+  end
+end

data/vendor/acme-client/lib/acme/client/certificate_request.rb

@@ -0,0 +1,111 @@
+class Acme::Client::CertificateRequest
+  extend Forwardable
+
+  DEFAULT_KEY_LENGTH = 2048
+  DEFAULT_DIGEST = OpenSSL::Digest::SHA256
+  SUBJECT_KEYS = {
+    common_name:         'CN',
+    country_name:        'C',
+    organization_name:   'O',
+    organizational_unit: 'OU',
+    state_or_province:   'ST',
+    locality_name:       'L'
+  }.freeze
+
+  SUBJECT_TYPES = {
+    'CN' => OpenSSL::ASN1::UTF8STRING,
+    'C'  => OpenSSL::ASN1::UTF8STRING,
+    'O'  => OpenSSL::ASN1::UTF8STRING,
+    'OU' => OpenSSL::ASN1::UTF8STRING,
+    'ST' => OpenSSL::ASN1::UTF8STRING,
+    'L'  => OpenSSL::ASN1::UTF8STRING
+  }.freeze
+
+  attr_reader :private_key, :common_name, :names, :subject
+
+  def_delegators :csr, :to_pem, :to_der
+
+  def initialize(common_name: nil, names: [], private_key: generate_private_key, subject: {}, digest: DEFAULT_DIGEST.new)
+    @digest = digest
+    @private_key = private_key
+    @subject = normalize_subject(subject)
+    @common_name = common_name || @subject[SUBJECT_KEYS[:common_name]] || @subject[:common_name]
+    @names = names.to_a.dup
+    normalize_names
+    @subject[SUBJECT_KEYS[:common_name]] ||= @common_name
+    validate_subject
+  end
+
+  def csr
+    @csr ||= generate
+  end
+
+  private
+
+  def generate_private_key
+    OpenSSL::PKey::RSA.new(DEFAULT_KEY_LENGTH)
+  end
+
+  def normalize_subject(subject)
+    @subject = subject.each_with_object({}) do |(key, value), hash|
+      hash[SUBJECT_KEYS.fetch(key, key)] = value.to_s
+    end
+  end
+
+  def normalize_names
+    if @common_name
+      @names.unshift(@common_name) unless @names.include?(@common_name)
+    else
+      raise ArgumentError, 'No common name and no list of names given' if @names.empty?
+      @common_name = @names.first
+    end
+  end
+
+  def validate_subject
+    validate_subject_attributes
+    validate_subject_common_name
+  end
+
+  def validate_subject_attributes
+    extra_keys = @subject.keys - SUBJECT_KEYS.keys - SUBJECT_KEYS.values
+    return if extra_keys.empty?
+    raise ArgumentError, "Unexpected subject attributes given: #{extra_keys.inspect}"
+  end
+
+  def validate_subject_common_name
+    return if @common_name == @subject[SUBJECT_KEYS[:common_name]]
+    raise ArgumentError, 'Conflicting common name given in arguments and subject'
+  end
+
+  def generate
+    OpenSSL::X509::Request.new.tap do |csr|
+      csr.public_key = @private_key.public_key
+      csr.subject = generate_subject
+      csr.version = 2
+      add_extension(csr)
+      csr.sign @private_key, @digest
+    end
+  end
+
+  def generate_subject
+    OpenSSL::X509::Name.new(
+      @subject.map {|name, value|
+        [name, value, SUBJECT_TYPES[name]]
+      }
+    )
+  end
+
+  def add_extension(csr)
+    return if @names.size <= 1
+
+    extension = OpenSSL::X509::ExtensionFactory.new.create_extension(
+      'subjectAltName', @names.map { |name| "DNS:#{name}" }.join(', '), false
+    )
+    csr.add_attribute(
+      OpenSSL::X509::Attribute.new(
+        'extReq',
+        OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([extension])])
+      )
+    )
+  end
+end