leap_cli 1.5.6 → 1.6.2

data/bin/leap

@@ -1,7 +1,13 @@
 #!/usr/bin/env ruby
 
-if ARGV.include?('--debug')
-  require 'debugger'
+if ARGV.include?('--debug') || ARGV.include?('-d')
+  DEBUG=true
+  begin
+    require 'debugger'
+  rescue LoadError
+  end
+else
+  DEBUG=false
 end
 
 begin
@@ -18,7 +24,6 @@ rescue LoadError
   # This allows you to run the command directly while developing the gem, and also lets you
   # run from anywhere (I like to link 'bin/leap' to /usr/local/bin/leap).
   #
-  require 'rubygems'
   base_dir = File.expand_path('..', File.dirname(File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__))
   require File.join(base_dir, 'lib','leap_cli','load_paths')
   require 'leap_cli'
@@ -27,7 +32,7 @@ end
 require 'gli'
 require 'highline'
 require 'forwardable'
-require 'lib_ext/gli' # our custom extensions to gli
+require 'leap_cli/lib_ext/gli' # our custom extensions to gli
 
 #
 # Typically, GLI and Highline methods are loaded into the global namespace.
@@ -78,9 +83,27 @@ module LeapCli::Commands
     exit(0)
   end
 
+  # disable GLI error catching
+  ENV['GLI_DEBUG'] = "true"
+  def error_message(msg)
+  end
+
   # load commands and run
   commands_from('leap_cli/commands')
   ORIGINAL_ARGV = ARGV.dup
-  exit_status = run(ARGV)
-  exit(LeapCli::Util.exit_status || exit_status)
+  begin
+    exit_status = run(ARGV)
+    exit(LeapCli::Util.exit_status || exit_status)
+  rescue StandardError => exc
+    if exc.respond_to? :log
+      exc.log
+    else
+      puts
+      LeapCli.log :error, "%s: %s" % [exc.class, exc.message]
+      puts
+    end
+    if DEBUG
+      raise exc
+    end
+  end
 end

data/lib/leap/platform.rb

@@ -16,10 +16,25 @@ module Leap
       attr_accessor :monitor_username
       attr_accessor :reserved_usernames
 
+      attr_accessor :hiera_path
+      attr_accessor :files_dir
+      attr_accessor :leap_dir
+      attr_accessor :init_path
+
+      attr_accessor :default_puppet_tags
+
       def define(&block)
-        # some sanity defaults:
+        # some defaults:
         @reserved_usernames = []
+        @hiera_path = '/etc/leap/hiera.yaml'
+        @leap_dir   = '/srv/leap'
+        @files_dir  = '/srv/leap/files'
+        @init_path  = '/srv/leap/initialized'
+        @default_puppet_tags = []
+
         self.instance_eval(&block)
+
+        @version ||= Versionomy.parse("0.0")
       end
 
       def version=(version)
@@ -44,10 +59,30 @@ module Leap
       # return true if the platform version is within the specified range.
       #
       def version_in_range?(range)
+        if range.is_a? String
+          range = range.split('..')
+        end
         minimum_platform_version = Versionomy.parse(range.first)
         maximum_platform_version = Versionomy.parse(range.last)
         @version >= minimum_platform_version && @version <= maximum_platform_version
       end
+
+      def major_version
+        if @version.major == 0
+          "#{@version.major}.#{@version.minor}"
+        else
+          @version.major
+        end
+      end
+
+      def method_missing(method, *args)
+        puts
+        puts "WARNING:"
+        puts "  leap_cli is out of date and does not understand `#{method}`."
+        puts "  called from: #{caller.first}"
+        puts "  please upgrade to a newer leap_cli"
+      end
+
     end
 
   end

data/lib/leap_cli/commands/ca.rb

@@ -1,6 +1,6 @@
-require 'openssl'
-require 'certificate_authority'
-require 'date'
+autoload :OpenSSL, 'openssl'
+autoload :CertificateAuthority, 'certificate_authority'
+autoload :Date, 'date'
 require 'digest/md5'
 
 module LeapCli; module Commands
@@ -36,6 +36,7 @@ module LeapCli; module Commands
 
         nodes = manager.filter!(args)
         nodes.each_node do |node|
+          warn_if_commercial_cert_will_soon_expire(node)
           if !node.x509.use
             remove_file!([:node_x509_key, node.name])
             remove_file!([:node_x509_cert, node.name])
@@ -81,9 +82,19 @@ module LeapCli; module Commands
     #   http://www.redkestrel.co.uk/Articles/CSR.html
     #
     cert.desc "Creates a CSR for use in buying a commercial X.509 certificate."
-    cert.long_desc "Unless specified, the CSR is created for the provider's primary domain. The properties used for this CSR come from `provider.ca.server_certificates`."
+    cert.long_desc "Unless specified, the CSR is created for the provider's primary domain. "+
+      "The properties used for this CSR come from `provider.ca.server_certificates`, "+
+      "but may be overridden here."
     cert.command :csr do |csr|
       csr.flag 'domain', :arg_name => 'DOMAIN', :desc => 'Specify what domain to create the CSR for.'
+      csr.flag ['organization', 'O'], :arg_name => 'ORGANIZATION', :desc => "Override default O in distinguished name."
+      csr.flag ['unit', 'OU'], :arg_name => 'UNIT', :desc => "Set OU in distinguished name."
+      csr.flag 'email', :arg_name => 'EMAIL', :desc => "Set emailAddress in distinguished name."
+      csr.flag ['locality', 'L'], :arg_name => 'LOCALITY', :desc => "Set L in distinguished name."
+      csr.flag ['state', 'ST'], :arg_name => 'STATE', :desc => "Set ST in distinguished name."
+      csr.flag ['country', 'C'], :arg_name => 'COUNTRY', :desc => "Set C in distinguished name."
+      csr.flag :bits, :arg_name => 'BITS', :desc => "Override default certificate bit length"
+      csr.flag :digest, :arg_name => 'DIGEST', :desc => "Override default signature digest"
       csr.action do |global_options,options,args|
         assert_config! 'provider.domain'
         assert_config! 'provider.name'
@@ -97,24 +108,25 @@ module LeapCli; module Commands
 
         # RSA key
         keypair = CertificateAuthority::MemoryKeyMaterial.new
-        log :generating, "%s bit RSA key" % server_certificates.bit_size do
-          keypair.generate_key(server_certificates.bit_size)
+        bit_size = (options[:bits] || server_certificates.bit_size).to_i
+        log :generating, "%s bit RSA key" % bit_size do
+          keypair.generate_key(bit_size)
           write_file! [:commercial_key, domain], keypair.private_key.to_pem
         end
 
         # CSR
         dn  = CertificateAuthority::DistinguishedName.new
-        csr = CertificateAuthority::SigningRequest.new
-        dn.common_name  = domain
-        dn.organization = provider.name[provider.default_language]
-        dn.country      = server_certificates['country']   # optional
-        dn.state        = server_certificates['state']     # optional
-        dn.locality     = server_certificates['locality']  # optional
-
-        log :generating, "CSR with commonName => '%s', organization => '%s'" % [dn.common_name, dn.organization] do
-          csr.distinguished_name = dn
-          csr.key_material = keypair
-          csr.digest = server_certificates.digest
+        dn.common_name   = domain
+        dn.organization  = options[:organization] || provider.name[provider.default_language]
+        dn.ou            = options[:organizational_unit] # optional
+        dn.email_address = options[:email] # optional
+        dn.country       = options[:country] || server_certificates['country']   # optional
+        dn.state         = options[:state] || server_certificates['state']       # optional
+        dn.locality      = options[:locality] || server_certificates['locality'] # optional
+
+        digest = options[:digest] || server_certificates.digest
+        log :generating, "CSR with #{digest} digest and #{print_dn(dn)}" do
+          csr = create_csr(dn, keypair, digest)
           request = csr.to_x509_csr
           write_file! [:commercial_csr, domain], csr.to_pem
         end
@@ -191,7 +203,7 @@ module LeapCli; module Commands
       return true
     else
       cert = load_certificate_file([:node_x509_cert, node.name])
-      if cert.not_after < months_from_yesterday(1)
+      if cert.not_after < months_from_yesterday(2)
         log :updating, "cert for node '#{node.name}' because it will expire soon"
         return true
       end
@@ -208,11 +220,12 @@ module LeapCli; module Commands
             ips << $1          if value =~ /^IP Address:(.*)$/
             dns_names << $1    if value =~ /^DNS:(.*)$/
           end
+          dns_names.sort!
           if ips.first != node.ip_address
             log :updating, "cert for node '#{node.name}' because ip_address has changed (from #{ips.first} to #{node.ip_address})"
             return true
           elsif dns_names != dns_names_for_node(node)
-            log :updating, "cert for node '#{node.name}' because domain name aliases have changed (from #{dns_names.inspect} to #{dns_names_for_node(node).inspect})"
+            log :updating, "cert for node '#{node.name}' because domain name aliases have changed\n    from: #{dns_names.inspect}\n    to: #{dns_names_for_node(node).inspect})"
             return true
           end
         end
@@ -221,6 +234,22 @@ module LeapCli; module Commands
     return false
   end
 
+  def warn_if_commercial_cert_will_soon_expire(node)
+    dns_names_for_node(node).each do |domain|
+      if file_exists?([:commercial_cert, domain])
+        cert = load_certificate_file([:commercial_cert, domain])
+        path = Path.relative_path([:commercial_cert, domain])
+        if cert.not_after < Time.now.utc
+          log :error, "the commercial certificate '#{path}' has EXPIRED! " +
+            "You should renew it with `leap cert csr --domain #{domain}`."
+        elsif cert.not_after < months_from_yesterday(2)
+          log :warning, "the commercial certificate '#{path}' will expire soon. "+
+            "You should renew it with `leap cert csr --domain #{domain}`."
+        end
+      end
+    end
+  end
+
   def generate_cert_for_node(node)
     return if node.x509.use == false
 
@@ -261,6 +290,43 @@ module LeapCli; module Commands
     yield cert.key_material.private_key.to_pem, cert.to_pem
   end
 
+  #
+  # creates a CSR and returns it.
+  # with the correct extReq attribute so that the CA
+  # doens't generate certs with extensions we don't want.
+  #
+  def create_csr(dn, keypair, digest)
+    csr = CertificateAuthority::SigningRequest.new
+    csr.distinguished_name = dn
+    csr.key_material = keypair
+    csr.digest = digest
+
+    # define extensions manually (library doesn't support setting these on CSRs)
+    extensions = []
+    extensions << CertificateAuthority::Extensions::BasicConstraints.new.tap {|basic|
+      basic.ca = false
+    }
+    extensions << CertificateAuthority::Extensions::KeyUsage.new.tap {|keyusage|
+      keyusage.usage = ["digitalSignature", "keyEncipherment"]
+    }
+    extensions << CertificateAuthority::Extensions::ExtendedKeyUsage.new.tap {|extkeyusage|
+      extkeyusage.usage = [ "serverAuth"]
+    }
+
+    # convert extensions to attribute 'extReq'
+    # aka "Requested Extensions"
+    factory = OpenSSL::X509::ExtensionFactory.new
+    attrval = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(
+      extensions.map{|e| factory.create_ext(e.openssl_identifier, e.to_s, e.critical)}
+    )])
+    attrs = [
+      OpenSSL::X509::Attribute.new("extReq", attrval),
+    ]
+    csr.attributes = attrs
+
+    return csr
+  end
+
   def ca_root
     @ca_root ||= begin
       load_certificate_file(:ca_cert, :ca_key)
@@ -381,8 +447,10 @@ module LeapCli; module Commands
     names = [node.domain.internal, node.domain.full]
     if node['dns'] && node.dns['aliases'] && node.dns.aliases.any?
       names += node.dns.aliases
-      names.compact!
     end
+    names.compact!
+    names.sort!
+    names.uniq!
     return names
   end
 
@@ -403,6 +471,15 @@ module LeapCli; module Commands
     cert_serial_number(domain_name).to_s(36)
   end
 
+  # prints CertificateAuthority::DistinguishedName fields
+  def print_dn(dn)
+    fields = {}
+    [:common_name, :locality, :state, :country, :organization, :organizational_unit, :email_address].each do |attr|
+      fields[attr] = dn.send(attr) if dn.send(attr)
+    end
+    fields.inspect
+  end
+
   ##
   ## TIME HELPERS
   ##

data/lib/leap_cli/commands/compile.rb

@@ -3,11 +3,20 @@ module LeapCli
   module Commands
 
     desc "Compile generated files."
-    command :compile do |c|
+    command [:compile, :c] do |c|
       c.desc 'Compiles node configuration files into hiera files used for deployment.'
+      c.arg_name 'ENVIRONMENT', :optional => true
       c.command :all do |all|
         all.action do |global_options,options,args|
-          compile_hiera_files
+          environment = args.first
+          if !LeapCli.leapfile.environment.nil? && !environment.nil? && environment != LeapCli.leapfile.environment
+            bail! "You cannot specify an ENVIRONMENT argument while the environment is pinned."
+          end
+          if environment && manager.environment_names.include?(environment)
+            compile_hiera_files(manager.filter([environment]))
+          else
+            compile_hiera_files(manager.filter)
+          end
         end
       end
 
@@ -29,7 +38,10 @@ module LeapCli
 
       # export generated files
       manager.export_nodes(nodes)
-      manager.export_secrets(nodes.nil?) # only do a "clean" export if we are examining all the nodes
+      # a "clean" export of secrets will also remove keys that are no longer used,
+      # but this should not be done if we are not examining all possible nodes.
+      clean_export = nodes.nil?
+      manager.export_secrets(clean_export)
     end
 
     def update_compiled_ssh_configs
@@ -50,14 +62,16 @@ module LeapCli
     # keys, and every monitor node has a copy of the private monitor key.
     #
     def generate_monitor_ssh_keys
-      priv_key_file = :monitor_priv_key
-      pub_key_file  = :monitor_pub_key
+      priv_key_file = path(:monitor_priv_key)
+      pub_key_file  = path(:monitor_pub_key)
       unless file_exists?(priv_key_file, pub_key_file)
-        cmd = %(ssh-keygen -N '' -C 'monitor' -t ecdsa -b 521 -f '%s') % path(priv_key_file)
+        ensure_dir(File.dirname(priv_key_file))
+        ensure_dir(File.dirname(pub_key_file))
+        cmd = %(ssh-keygen -N '' -C 'monitor' -t rsa -b 4096 -f '%s') % priv_key_file
         assert_run! cmd
         if file_exists?(priv_key_file, pub_key_file)
-          log :created, path(priv_key_file)
-          log :created, path(pub_key_file)
+          log :created, priv_key_file
+          log :created, pub_key_file
         else
           log :failed, 'to create monitor ssh keys'
         end
@@ -75,6 +89,9 @@ module LeapCli
       if keys.empty?
         bail! "You must have at least one public SSH user key configured in order to proceed. See `leap help add-user`."
       end
+      if file_exists?(path(:monitor_pub_key))
+        keys << path(:monitor_pub_key)
+      end
       keys.sort.each do |keyfile|
         ssh_type, ssh_key = File.read(keyfile).strip.split(" ")
         buffer << ssh_type
@@ -87,6 +104,30 @@ module LeapCli
       write_file!(:authorized_keys, buffer.string)
     end
 
+    #
+    # generates the known_hosts file.
+    #
+    # we do a 'late' binding on the hostnames and ip part of the ssh pub key record in order to allow
+    # for the possibility that the hostnames or ip has changed in the node configuration.
+    #
+    def update_known_hosts
+      buffer = StringIO.new
+      buffer << "#\n"
+      buffer << "# This file is automatically generated by the command `leap`. You should NOT modify this file.\n"
+      buffer << "# Instead, rerun `leap node init` on whatever node is causing SSH problems.\n"
+      buffer << "#\n"
+      manager.nodes.keys.sort.each do |node_name|
+        node = manager.nodes[node_name]
+        hostnames = [node.name, node.domain.internal, node.domain.full, node.ip_address].join(',')
+        pub_key = read_file([:node_ssh_pub_key,node.name])
+        if pub_key
+          buffer << [hostnames, pub_key].join(' ')
+          buffer << "\n"
+        end
+      end
+      write_file!(:known_hosts, buffer.string)
+    end
+
     ##
     ## ZONE FILE
     ##

data/lib/leap_cli/commands/db.rb

@@ -2,14 +2,23 @@ module LeapCli; module Commands
 
   desc 'Database commands.'
   command :db do |db|
-    db.desc 'Destroy all the databases.'
+    db.desc 'Destroy all the databases. If present, limit to FILTER nodes.'
+    db.arg_name 'FILTER', :optional => true
     db.command :destroy do |destroy|
       destroy.action do |global_options,options,args|
         say 'You are about to permanently destroy all database data.'
         return unless agree("Continue? ")
-        nodes = manager.nodes[:services => 'couchdb']
-        ssh_connect(nodes, connect_options(options)) do |ssh|
-          ssh.run('/etc/init.d/bigcouch stop && test ! -z "$(ls /opt/bigcouch/var/lib/ 2> /dev/null)" && rm -r /opt/bigcouch/var/lib/* && echo "db destroyed" || echo "db already destroyed"')
+        nodes = manager.filter(args)
+        if nodes.any?
+          nodes = nodes[:services => 'couchdb']
+        end
+        if nodes.any?
+          ssh_connect(nodes, connect_options(options)) do |ssh|
+            ssh.run('/etc/init.d/bigcouch stop && test ! -z "$(ls /opt/bigcouch/var/lib/ 2> /dev/null)" && rm -r /opt/bigcouch/var/lib/* && echo "db destroyed" || echo "db already destroyed"')
+            ssh.run('grep ^seq_file /etc/leap/tapicero.yaml | cut -f2 -d\" | xargs rm -v')
+          end
+        else
+          say 'No nodes'
         end
       end
     end