leap_cli 1.8.1 → 1.9

data/vendor/acme-client/lib/acme/client/self_sign_certificate.rb

@@ -0,0 +1,60 @@
+class Acme::Client::SelfSignCertificate
+  attr_reader :private_key, :subject_alt_names, :not_before, :not_after
+
+  extend Forwardable
+  def_delegators :certificate, :to_pem, :to_der
+
+  def initialize(subject_alt_names:, not_before: default_not_before, not_after: default_not_after, private_key: generate_private_key)
+    @private_key = private_key
+    @subject_alt_names = subject_alt_names
+    @not_before = not_before
+    @not_after = not_after
+  end
+
+  def certificate
+    @certificate ||= begin
+      certificate = generate_certificate
+
+      extension_factory = generate_extension_factory(certificate)
+      subject_alt_name_entry = subject_alt_names.map { |d| "DNS: #{d}" }.join(',')
+      subject_alt_name_extension = extension_factory.create_extension('subjectAltName', subject_alt_name_entry)
+      certificate.add_extension(subject_alt_name_extension)
+
+      certificate.sign(private_key, digest)
+    end
+  end
+
+  private
+
+  def generate_private_key
+    OpenSSL::PKey::RSA.new(2048)
+  end
+
+  def default_not_before
+    Time.now - 3600
+  end
+
+  def default_not_after
+    Time.now + 30 * 24 * 3600
+  end
+
+  def digest
+    OpenSSL::Digest::SHA256.new
+  end
+
+  def generate_certificate
+    certificate = OpenSSL::X509::Certificate.new
+    certificate.not_before = not_before
+    certificate.not_after = not_after
+    certificate.public_key = private_key.public_key
+    certificate.version = 2
+    certificate
+  end
+
+  def generate_extension_factory(certificate)
+    extension_factory = OpenSSL::X509::ExtensionFactory.new
+    extension_factory.subject_certificate = certificate
+    extension_factory.issuer_certificate = certificate
+    extension_factory
+  end
+end

data/vendor/acme-client/lib/acme/client/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Acme
+  class Client
+    VERSION = '0.4.1'.freeze
+  end
+end

data/vendor/base32/lib/base32.rb

@@ -0,0 +1,67 @@
+require 'openssl'
+
+# Module for encoding and decoding in Base32 per RFC 3548
+module Base32
+  TABLE = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze
+
+  class Chunk
+    def initialize(bytes)
+      @bytes = bytes
+    end
+
+    def decode
+      bytes = @bytes.take_while {|c| c != 61} # strip padding
+      n = (bytes.length * 5.0 / 8.0).floor
+      p = bytes.length < 8 ? 5 - (n * 8) % 5 : 0
+      c = bytes.inject(0) {|m,o| (m << 5) + Base32.table.index(o.chr)} >> p
+      (0..n-1).to_a.reverse.collect {|i| ((c >> i * 8) & 0xff).chr}
+    end
+
+    def encode
+      n = (@bytes.length * 8.0 / 5.0).ceil
+      p = n < 8 ? 5 - (@bytes.length * 8) % 5 : 0
+      c = @bytes.inject(0) {|m,o| (m << 8) + o} << p
+      [(0..n-1).to_a.reverse.collect {|i| Base32.table[(c >> i * 5) & 0x1f].chr},
+       ("=" * (8-n))]
+    end
+  end
+
+  def self.chunks(str, size)
+    result = []
+    bytes = str.bytes
+    while bytes.any? do
+      result << Chunk.new(bytes.take(size))
+      bytes = bytes.drop(size)
+    end
+    result
+  end
+
+  def self.encode(str)
+    chunks(str, 5).collect(&:encode).flatten.join
+  end
+
+  def self.decode(str)
+    chunks(str, 8).collect(&:decode).flatten.join
+  end
+
+  def self.random_base32(length=16, padding=true)
+    random = ''
+    OpenSSL::Random.random_bytes(length).each_byte do |b|
+      random << self.table[b % 32]
+    end
+    padding ? random.ljust((length / 8.0).ceil * 8, '=') : random
+  end
+
+  def self.table=(table)
+    raise ArgumentError, "Table must have 32 unique characters" unless self.table_valid?(table)
+    @table = table
+  end
+
+  def self.table
+    @table || TABLE
+  end
+
+  def self.table_valid?(table)
+    table.bytes.to_a.size == 32 && table.bytes.to_a.uniq.size == 32
+  end
+end

data/vendor/certificate_authority/lib/certificate_authority.rb

@@ -2,11 +2,12 @@ $:.unshift(File.dirname(__FILE__)) unless $:.include?(File.dirname(__FILE__)) ||
 
 #Exterior requirements
 require 'openssl'
-require 'active_model'
 
 #Internal modules
+require 'certificate_authority/core_extensions'
 require 'certificate_authority/signing_entity'
 require 'certificate_authority/revocable'
+require 'certificate_authority/validations'
 require 'certificate_authority/distinguished_name'
 require 'certificate_authority/serial_number'
 require 'certificate_authority/key_material'

data/vendor/certificate_authority/lib/certificate_authority/certificate.rb

@@ -1,6 +1,6 @@
 module CertificateAuthority
   class Certificate
-    include ActiveModel::Validations
+    include Validations
     include Revocable
 
     attr_accessor :distinguished_name
@@ -15,7 +15,7 @@ module CertificateAuthority
 
     attr_accessor :parent
 
-    validate do |certificate|
+    def validate
       errors.add :base, "Distinguished name must be valid" unless distinguished_name.valid?
       errors.add :base, "Key material must be valid" unless key_material.valid?
       errors.add :base, "Serial number must be valid" unless serial_number.valid?
@@ -32,8 +32,8 @@ module CertificateAuthority
       self.distinguished_name = DistinguishedName.new
       self.serial_number = SerialNumber.new
       self.key_material = MemoryKeyMaterial.new
-      self.not_before = Time.now
-      self.not_after = Time.now + 60 * 60 * 24 * 365 # One year
+      self.not_before = Date.today.utc
+      self.not_after = Date.today.advance(:years => 1).utc
       self.parent = self
       self.extensions = load_extensions()
 

data/vendor/certificate_authority/lib/certificate_authority/certificate_revocation_list.rb

@@ -1,20 +1,22 @@
 module CertificateAuthority
   class CertificateRevocationList
-    include ActiveModel::Validations
+    include Validations
 
     attr_accessor :certificates
     attr_accessor :parent
     attr_accessor :crl_body
     attr_accessor :next_update
+    attr_accessor :last_update_skew_seconds
 
-    validate do |crl|
-      errors.add :next_update, "Next update must be a positive value" if crl.next_update < 0
-      errors.add :parent, "A parent entity must be set" if crl.parent.nil?
+    def validate
+      errors.add :next_update, "Next update must be a positive value" if self.next_update < 0
+      errors.add :parent, "A parent entity must be set" if self.parent.nil?
     end
 
     def initialize
       self.certificates = []
       self.next_update = 60 * 60 * 4 # 4 hour default
+      self.last_update_skew_seconds = 0
     end
 
     def <<(revocable)
@@ -54,7 +56,7 @@ module CertificateAuthority
       end
 
       crl.version = 1
-      crl.last_update = Time.now
+      crl.last_update = Time.now - self.last_update_skew_seconds
       crl.next_update = Time.now + self.next_update
 
       signing_cert = OpenSSL::X509::Certificate.new(self.parent.to_pem)

data/vendor/certificate_authority/lib/certificate_authority/core_extensions.rb

@@ -0,0 +1,46 @@
+#
+# ActiveSupport has these modifications. Now that we don't use ActiveSupport,
+# these are added here as a kindness.
+#
+
+require 'date'
+
+unless nil.respond_to?(:blank?)
+  class NilClass
+    def blank?
+      true
+    end
+  end
+end
+
+unless String.respond_to?(:blank?)
+  class String
+    def blank?
+      self.empty?
+    end
+  end
+end
+
+class Date
+
+  def today
+    t = Time.now.utc
+    Date.new(t.year, t.month, t.day)
+  end
+
+  def utc
+    self.to_datetime.to_time.utc
+  end
+
+  unless Date.respond_to?(:advance)
+    def advance(options)
+      options = options.dup
+      d = self
+      d = d >> options.delete(:years) * 12 if options[:years]
+      d = d >> options.delete(:months)     if options[:months]
+      d = d +  options.delete(:weeks) * 7  if options[:weeks]
+      d = d +  options.delete(:days)       if options[:days]
+      d
+    end
+  end
+end

data/vendor/certificate_authority/lib/certificate_authority/distinguished_name.rb

@@ -1,8 +1,12 @@
 module CertificateAuthority
   class DistinguishedName
-    include ActiveModel::Validations
+    include Validations
 
-    validates_presence_of :common_name
+    def validate
+      if self.common_name.nil? || self.common_name.empty?
+        errors.add :common_name, 'cannot be blank'
+      end
+    end
 
     attr_accessor :common_name
     alias :cn :common_name

data/vendor/certificate_authority/lib/certificate_authority/extensions.rb

@@ -31,13 +31,20 @@ module CertificateAuthority
       OPENSSL_IDENTIFIER = "basicConstraints"
 
       include ExtensionAPI
-      include ActiveModel::Validations
+      include Validations
 
       attr_accessor :critical
       attr_accessor :ca
       attr_accessor :path_len
-      validates :critical, :inclusion => [true,false]
-      validates :ca, :inclusion => [true,false]
+
+      def validate
+        unless [true, false].include? self.critical
+          errors.add :critical, 'must be true or false'
+        end
+        unless [true, false].include? self.ca
+          errors.add :ca, 'must be true or false'
+        end
+      end
 
       def initialize
         @critical = false

data/vendor/certificate_authority/lib/certificate_authority/key_material.rb

@@ -38,7 +38,7 @@ module CertificateAuthority
 
   class MemoryKeyMaterial
     include KeyMaterial
-    include ActiveModel::Validations
+    include Validations
 
     attr_accessor :keypair
     attr_accessor :private_key
@@ -47,11 +47,13 @@ module CertificateAuthority
     def initialize
     end
 
-    validates_each :private_key do |record, attr, value|
-        record.errors.add :private_key, "cannot be blank" if record.private_key.nil?
-    end
-    validates_each :public_key do |record, attr, value|
-      record.errors.add :public_key, "cannot be blank" if record.public_key.nil?
+    def validate
+      if private_key.nil?
+        errors.add :private_key, "cannot be blank"
+      end
+      if public_key.nil?
+        errors.add :public_key, "cannot be blank"
+      end
     end
 
     def is_in_hardware?
@@ -80,10 +82,10 @@ module CertificateAuthority
 
   class SigningRequestKeyMaterial
     include KeyMaterial
-    include ActiveModel::Validations
+    include Validations
 
-    validates_each :public_key do |record, attr, value|
-      record.errors.add :public_key, "cannot be blank" if record.public_key.nil?
+    def validate
+      errors.add :public_key, "cannot be blank" if public_key.nil?
     end
 
     attr_accessor :public_key

data/vendor/certificate_authority/lib/certificate_authority/ocsp_handler.rb

@@ -68,7 +68,7 @@ module CertificateAuthority
 
   ## DEPRECATED
   class OCSPHandler
-    include ActiveModel::Validations
+    include Validations
 
     attr_accessor :ocsp_request
     attr_accessor :certificate_ids
@@ -78,10 +78,10 @@ module CertificateAuthority
 
     attr_accessor :ocsp_response_body
 
-    validate do |crl|
+    def validate
       errors.add :parent, "A parent entity must be set" if parent.nil?
+      all_certificates_available
     end
-    validate :all_certificates_available
 
     def initialize
       self.certificates = {}

data/vendor/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb

@@ -1,8 +1,6 @@
 module CertificateAuthority
   class Pkcs11KeyMaterial
     include KeyMaterial
-    include ActiveModel::Validations
-    include ActiveModel::Serialization
 
     attr_accessor :engine
     attr_accessor :token_id

data/vendor/certificate_authority/lib/certificate_authority/serial_number.rb

@@ -2,12 +2,18 @@ require 'securerandom'
 
 module CertificateAuthority
   class SerialNumber
-    include ActiveModel::Validations
+    include Validations
     include Revocable
 
     attr_accessor :number
 
-    validates :number, :presence => true, :numericality => {:greater_than => 0}
+    def validate
+      if self.number.nil?
+        errors.add :number, "must not be empty"
+      elsif self.number.to_i <= 0
+        errors.add :number, "must be greater than zero"
+      end
+    end
 
     def initialize
       self.number = SecureRandom.random_number(2**128-1)

data/vendor/certificate_authority/lib/certificate_authority/validations.rb

@@ -0,0 +1,31 @@
+#
+# This is a super simple replacement for ActiveSupport::Validations
+#
+
+module CertificateAuthority
+  class Errors < Array
+    def add(symbol, msg)
+      self.push([symbol, msg])
+    end
+    def full_messages
+      self.map {|i| i[0].to_s + ": " + i[1]}.join("\n")
+    end
+  end
+
+  module Validations
+    def valid?
+      @errors = Errors.new
+      validate
+      errors.empty?
+    end
+
+    # must be overridden
+    def validate
+      raise NotImplementedError
+    end
+
+    def errors
+      @errors ||= Errors.new
+    end
+  end
+end

data/vendor/rsync_command/lib/rsync_command.rb

@@ -4,6 +4,44 @@ require "rsync_command/thread_pool"
 
 require 'monitor'
 
+class RsyncRunner
+  attr_accessor :logger
+  attr_accessor :source, :dest, :flags, :includes, :excludes
+  attr_accessor :user, :host
+  attr_accessor :chdir, :ssh
+  def initialize(rsync_command)
+    @logger = nil
+    @source = ""
+    @dest   = ""
+    @flags  = ""
+    @includes = []
+    @excludes = []
+    @rsync_command = rsync_command
+  end
+  def log(*args)
+    @logger.log(*args)
+  end
+  def valid?
+    !@source.empty? || !@dest.empty?
+  end
+  def to_hash
+    fields = [:flags, :includes, :excludes, :logger, :ssh, :chdir]
+    fields.inject({}){|hsh, i|
+      hsh[i] = self.send(i); hsh
+    }
+  end
+  def exec
+    return unless valid?
+    dest = {
+      :user => self.user,
+      :host => self.host,
+      :path => self.dest
+    }
+    src = self.source
+    @rsync_command.exec_rsync(src, dest, self.to_hash)
+  end
+end
+
 class RsyncCommand
   attr_accessor :failures, :logger
 
@@ -21,15 +59,23 @@ class RsyncCommand
   def asynchronously(array, &block)
     pool = ThreadPool.new
     array.each do |item|
-      pool.schedule(item, &block)
+      pool.schedule(RsyncRunner.new(self), item, &block)
     end
     pool.shutdown
   end
 
+  #
+  # returns true if last exec returned a failure
+  #
+  def failed?
+    @failures && @failures.any?
+  end
+
   #
   # runs rsync, recording failures
   #
-  def exec(src, dest, options={})
+  def exec_rsync(src, dest, options={})
+    logger = options[:logger] || @logger
     @failures.synchronize do
       @failures.clear
     end
@@ -37,7 +83,7 @@ class RsyncCommand
     if options[:chdir]
       rsync_cmd = "cd '#{options[:chdir]}'; #{rsync_cmd}"
     end
-    @logger.debug rsync_cmd if @logger
+    logger.debug rsync_cmd if logger
     ok = system(rsync_cmd)
     unless ok
       @failures.synchronize do
@@ -46,13 +92,6 @@ class RsyncCommand
     end
   end
 
-  #
-  # returns true if last exec returned a failure
-  #
-  def failed?
-    @failures && @failures.any?
-  end
-
   #
   # build rsync command
   #
@@ -70,8 +109,6 @@ class RsyncCommand
     "rsync #{flags.compact.join(' ')} #{src} #{dest}"
   end
 
-  private
-
   #
   # Creates an rsync location if the +address+ is a hash with keys :user, :host, and :path
   # (each component is optional). If +address+ is a string, we just pass it through.