simp-cli 1.0.12

data/lib/simp/cli/commands/check.rb

@@ -0,0 +1,163 @@
+module Simp::Cli::Commands; end
+
+class Simp::Cli::Commands::Check < Simp::Cli
+  @opt_parser = OptionParser.new do |opts|
+    opts.banner = "*Options*"
+
+    opts.on("-A", "--all", "Run all checks, equivalent to -nkl") do
+      @check_network = true
+      @check_keys = true
+      @check_ldap = true
+    end
+
+    opts.on("-p", "--pre", "Run checks that should pass before first run, equivalent to -nk") do
+      @check_network = true
+      @check_keys = true
+    end
+
+    opts.on("-n", "--network", "Check network items") do
+      @check_network = true
+    end
+
+    opts.on("-k", "--keys", "Check that keys have been generated for the host") do
+      @check_keys = true
+    end
+
+    opts.on("-l", "--ldap", "Check validity of ldap passwords") do
+      @check_ldap = true
+    end
+
+    opts.on("-v", "--verbose", "Run verbosely") do
+      @verbose = true
+    end
+
+    opts.on("-r", "--report FILE", "Create a report in FILE. NOTE: if FILE exists, it will be overwritten!") do |file|
+      @report_file = file
+    end
+
+    opts.on("-h", "--help", "Print this message") do
+      puts opts
+      exit
+    end
+  end
+
+  def self.run(args)
+    raise "simp check Requires Arguments" if args.empty?
+
+    super
+
+    @version = Simp.version
+
+    report = []
+
+    system('clear')
+
+    if @check_network
+      report.push "\n***Starting Network Check***\n"
+
+      hostname = `hostname`.gsub!(/\s+/, '')
+
+      begin
+        network_hostname = `grep HOSTNAME /etc/sysconfig/network`.strip.match(/HOSTNAME\s*=\s*([^ ]*)/)[1]
+      rescue
+        report.push "ERROR: No hostname in /etc/sysconfig/network"
+      end
+
+      if hostname == network_hostname
+        report.push "Hostname matches hostname in /etc/sysconfig/network"
+      else
+        report.push "ERROR: Hostname does not match hostname in /etc/sysconfig/network"
+      end
+
+      if `grep ^127.0.0.1 /etc/hosts`.split("\n").any? { |line| line =~ /localhost.localdomain[\s+\z]/ and line =~ /localhost[\s+\z]/ }
+        report.push "Found valid entry for 127.0.0.1 in /etc/hosts"
+      else
+        report.push "ERROR: Did not find valid entry for 127.0.0.1 in /etc/hosts"
+      end
+
+      if `grep ^::1 /etc/hosts`.split("\n").any? { |line| line =~ /localhost6\.localdomain6(\s+|$)/ and line =~ /localhost6(\s+|$)/ }
+        report.push "Found valid entry for ::1 in /etc/hosts"
+      else
+        report.push "ERROR: Did not find valid entry for ::1 in /etc/hosts"
+      end
+    end
+
+    if @check_keys
+      report.push "\n***Starting Keys Check***\n"
+
+      key_count = 0
+      valid_key_count = 0
+
+      Dir.foreach("/etc/puppet/keydist") do |host|
+        if (host !~ /\A\.+\z/) and (host !~ /\Acacerts\z/) and File::directory?("/etc/puppet/keydist/#{host}")
+          Dir.foreach("/etc/puppet/keydist/#{host}") do |key|
+            if key =~ /\.pem\z/ or key =~ /\.pub\z/
+              key_count += 1
+
+              if `openssl verify -CApath /etc/puppet/keydist/cacerts /etc/puppet/keydist/#{host}/#{key}`.strip =~ /\s+OK\z/
+                valid_key_count += 1
+                report.push "Key /etc/puppet/keydist/#{host}/#{key} validated\n"
+              else
+                report.push "ERROR: Key /etc/puppet/keydist/#{host}/#{key} did not validate\n"
+              end
+            end
+          end
+        end
+      end
+
+      if key_count == 0
+        report.push "ERROR: No keys found (recursively) in /etc/puppet/keydist\n"
+      else
+        report.push "#{valid_key_count}/#{key_count} keys validated\n"
+      end
+    end
+
+    if @check_ldap
+      report.push "\n***Starting Ldap Check***\n"
+
+      binddn = ""
+      bindpw = ""
+      host = ""
+      base = ""
+
+      ldap_conf = '/etc/ldap.conf'
+      ldap_conf = '/etc/pam_ldap.conf' unless File.file?(ldap_conf)
+
+      File.open(ldap_conf).each_line do |line|
+        if (line =~ /\Abinddn\s+/) != nil
+          binddn = line.gsub(/\Abinddn\s+/, "").chomp
+        elsif (line =~ /\Abindpw\s+/) != nil
+          bindpw = line.gsub(/\Abindpw\s+/, "").chomp
+        elsif (line =~ /\Auri\s+/) != nil
+          host = line.gsub(/\Auri\s+/, "").chomp
+        elsif (line =~ /\Anss_base_passwd\s+/) != nil
+          base = line.gsub(/\Anss_base_passwd\s+/, "").chomp.gsub(/\?.*/, "")
+        end
+      end
+
+      exit_code = `ldapsearch -Z -LLLL -D "#{binddn}" -x -w "#{bindpw}" -H "#{host}" -b "#{base}" -s one uid sshPublidKey`.to_i
+
+      if exit_code == 0
+        report.push "Ldap appears to be working\n"
+      else
+        report.push "ERROR: Ldap does not appear to be working; ldapsearch exited with code #{exit_code}\n"
+      end
+    end
+
+    report = report.select { |line| line =~ /\A(\*\*\*|WARNING|ERROR)/ } unless @verbose
+
+    report = report.join("\n")
+
+    unless @report_file.nil?
+      begin
+        f = File.open(File.expand_path(@report_file), 'w')
+        f.puts report
+        f.close
+      rescue
+        raise "An error occurred while writing the report:#{$!}"
+      end
+    end
+
+    puts report
+  end
+end

data/lib/simp/cli/commands/cleancerts.rb

@@ -0,0 +1,114 @@
+module Simp::Cli::Commands; end
+
+class Simp::Cli::Commands::Cleancerts < Simp::Cli
+  @conf_dif = File.expand_path('~/.simp')
+  @host_file = "#{@conf_dir}/hosts"
+  @gen_host_list = true
+  @host_list = Array.new
+  @host_errors = Array.new
+
+  @opt_parser = OptionParser.new do |opts|
+    opts.banner = "\n === The SIMP CleanCerts Tool ==="
+    opts.separator ""
+    opts.separator "The SIMP CleanCerts Tool revokes and removes the Puppet certificates from a"
+    opts.separator "list of hosts."
+    opts.separator ""
+    opts.separator "Some requirements to use this tool:"
+    opts.separator " * the user must have SSH access to all of the list hosts"
+    opts.separator " * the user cannot be root"
+    opts.separator " * each target host must be able to run, with sudo, the following commands:"
+    opts.separator "    - /usr/sbin/puppetd"
+    opts.separator "    - /usr/sbin/puppetca"
+    opts.separator "    - /bin/rm -rf /var/lib/puppet/ssl"
+    opts.separator ""
+    opts.separator "This tool will not clean the certificates for the hostname of the current box"
+    opts.separator "or the Puppet server listed in puppet.conf."
+    opts.separator ""
+    opts.separator "OPTIONS:\n"
+
+    opts.on("-H", "--hosts FILE", "FILE containing a list of hosts to clean.") do |file|
+      @host_file = file
+      @gen_host_list = false
+    end
+
+    opts.on("-h", "--help", "Print this message") do
+      puts opts
+      exit 0
+    end
+  end
+
+
+  def self.clean_certs
+
+    success
+  end
+
+  def self.run(args = Array.new)
+    File.exists?('/usr/sbin/puppetd') && File.exists?('/usr/sbin/puppetca')
+
+    raise "SIMP CleanCerts cannot be run as 'root'." if Process.uid == 0
+
+    @host_list = Array.new
+    if @gen_host_list
+      @host_list = %x{cd /;sudo /usr/sbin/puppetca --list --all}.split("\n").map { |host| host.split(/\(.*\)/).first.split(/\s+/).last }
+    else
+      File.open(@host_file).each_line do |line|
+        @host_list << line.chomp
+      end
+    end
+    @host_list.compact!
+
+    if @host_list.size == 0
+      puts "No known hosts to clean!"
+      exit 0
+    end
+
+    system("echo 'Please review the list of hosts to clean certificates on:\n - #{@host_list.join("\n - ")}' | less -f")
+
+    if Utils.yes_or_no("Clean certificates for all listed hosts?", false)
+      if @gen_host_list
+        file = File.open(@host_file, 'w')
+        @host_list.each do |host|
+          file.puts host
+        end
+        file.close
+      end
+
+      @host_list.each do |host|
+        %{sudo /usr/sbin/puppetca --revoke #{host}}
+        %{sudo /usr/sbin/puppetca --clean #{host}}
+      end
+
+      result = %x{pssh -f -h #{@host_file} -OStrictHostKeyChecking=no "sudo /bin/rm -rf /var/lib/puppet/ssl"}
+      result.each_line do |line|
+        if line =~ /.*\[FAILURE\]\s([A-Za-z0-9\-\.]+).*/
+          success = false
+          @host_errors << $1
+        end
+      end
+
+      if @host_errors.empty?
+        puts "Successfully cleaned certificates for the #{@host_list.size} hosts listed in #{@host_file.path}."
+      else
+        filename = "#{@conf_dir}/pssh_error#{Time.now.strftime("%Y%m%d%H%M")}"
+        File.open(filename, 'w') do
+          @host_errors.each { |err| file.puts err }
+        end
+        raise "Errors occured while cleaning certificates, outputting list of hosts with errors to #{filename}"
+      end
+    else
+      if @gen_host_list
+        puts "If you do not want to clean all certificates, you can place"
+        puts "all hosts you want to clean in a newline-delimited file and"
+        puts "use the '--hosts <hosts_file>' command line option."
+      end
+
+      puts "If you want to manually clean certificates on all boxes,"
+      puts "follow the steps to clean certificates from the "
+      puts "'\033[1mChanging Puppet Masters\033[21m' users guide."
+      puts "Also look through the '\033[1mPerforming One Shot Operations\033[21m'"
+      puts "users guide for guidance on doing this with PSSH.\n"
+      puts "Users guides can be found using '\033[1msimp doc\033[21m'."
+    end
+  end
+end

data/lib/simp/cli/commands/config.rb

@@ -0,0 +1,235 @@
+require 'highline/import'
+require 'yaml'
+require 'fileutils'
+require 'find'
+
+require File.expand_path( '../../cli', File.dirname(__FILE__) )
+require File.expand_path( '../config/item', File.dirname(__FILE__) )
+require File.expand_path( '../config/questionnaire', File.dirname(__FILE__) )
+require File.expand_path( '../config/item_list_factory', File.dirname(__FILE__) )
+
+module Simp::Cli::Commands; end
+
+# Handle CLI interactions for "simp config"
+class Simp::Cli::Commands::Config  < Simp::Cli
+  default_outfile = '~/.simp/simp_conf.yaml'
+
+  @version         = Simp::Cli::VERSION
+  @advanced_config = false
+  @options         = {
+    :verbose            => 0,
+    :noninteractive     => 0,
+    :dry_run            => false, # TODO: between these two, we should choose better names
+
+    :input_file         => nil,
+    :output_file        => File.expand_path( default_outfile ),
+    :puppet_system_file => '/etc/puppet/environments/simp/hieradata/simp_def.yaml',
+
+    :use_safety_save         => true,
+    :autoaccept_safety_save  => false,
+    :fail_on_missing_answers => false,
+  }
+
+  @opt_parser      = OptionParser.new do |opts|
+    opts_separator = ' '*4 + '-'*76
+    opts.banner = "\n=== The SIMP Configuration Tool === "
+    opts.separator ""
+    opts.separator "The SIMP Configuration Tool is designed to assist the configuration of a SIMP"
+    opts.separator "machine. It offers two main features:"
+    opts.separator ""
+    opts.separator "   (1) create/edit system configurations, and"
+    opts.separator "   (2) apply system configurations."
+    opts.separator ""
+    opts.separator "The features that will be used is dependent upon the options specified."
+    opts.separator ""
+    opts.separator "USAGE:"
+    opts.separator "  #{File.basename($0)} config [KEY=VALUE] [KEY=VALUE1,,VALUE2,,VALUE3] [...]"
+    opts.separator ""
+    opts.separator "OPTIONS:\n"
+    opts.separator opts_separator
+
+    opts.on("-o", "--output FILE", "The answers FILE where the created/edited ",
+                                   "system configuration will be written.  ",
+                                   "  (defaults to '#{default_outfile}')") do |file|
+      @options[:output_file] = file
+    end
+
+    opts.on("-i", "-a", "-e", "--apply FILE", "Apply answers FILE (fails on missing items)"
+                                              ) do |file|
+      @options[:input_file] = file
+      @options[:fail_on_missing_answers] = true
+    end
+
+    opts.on("-I", "-A", "-E", "--apply-with-questions FILE",
+                                              "Apply answers FILE (asks on missing items) ",
+                                              "  Note that the edited configuration",
+                                              "  will be written to the file specified in ",
+                                              "   --output.") do |file|
+      @options[:input_file] = file
+      @options[:fail_on_missing_answers] = false
+    end
+
+    opts.separator opts_separator
+
+    # TODO: improve nomenclature
+    opts.on("-v", "--verbose", "Verbose output (stacks)") do
+      @options[:verbose] += 1
+    end
+
+    opts.on("-q", "--quiet", "Quiet output (clears any verbosity)") do
+      @options[:verbose] = -1
+    end
+
+    opts.on("-n", "--dry-run",         "Do not apply system changes",
+                                       "  (e.g., NICs, puppet.conf, etc)" ) do
+      @options[:dry_run] = true
+    end
+
+    opts.on("-f", "--non-interactive", "Force default answers (prompt if unknown)"
+                                       #"  (-ff fails instead of prompting)"
+                                       ) do |file|
+      @options[:noninteractive] += 1
+    end
+
+    opts.on("-s", "--skip-safety-save",         "Ignore any safety-save files") do
+      @options[:use_safety_save] = false
+    end
+
+    opts.on("-S", "--accept-safety-save",  "Automatically apply any safety-save files") do
+      @options[:autoaccept_safety_save] = true
+    end
+
+    opts.separator opts_separator
+
+    opts.on("-h", "--help", "Print this message") do
+      puts opts
+      exit 0
+    end
+  end
+
+
+  def self.saved_session
+    result = {}
+    if @options.fetch( :use_safety_save, false ) && file = @options.fetch( :output_file )
+      _file = File.join( File.dirname( file ), ".#{File.basename( file )}" )
+      if File.file?( _file )
+        lines      = File.open( _file, 'r' ).readlines
+        saved_hash = read_answers_file _file
+        last_item  = nil
+        if saved_hash.keys.size > 0
+          last_item = {saved_hash.keys.last =>
+                       saved_hash[ saved_hash.keys.last ]}.to_yaml.gsub( /^---/, '' ).strip
+        end
+
+        message = %Q{WARNING: interrupted session detected!}
+        say "<%= color(%q{*** #{message} ***}, YELLOW, BOLD) %> \n\n"
+        say "<%= color(%q{An automatic safety-save file from a previous session has been found at:}, YELLOW) %> \n\n"
+        say "      <%= color( %q{#{_file}}, BOLD ) %>\n\n"
+        if last_item
+          say "<%= color(%q{The most recent answer from this session was:}, YELLOW) %> \n\n"
+          say "<%= color( %q{#{last_item.gsub( /^/, "      \0" )}} ) %>\n\n"
+        end
+
+        if @options.fetch( :autoaccept_safety_save, false )
+          color = 'YELLOW'
+          say "<%= color(%q{Automatically resuming these answers because }, #{color}) %>" +
+              "<%= color(%q{--accept-safety-save}, BOLD, #{color}) %>" +
+              "<%= color(%q{ is active.}, #{color}) %>\n\n"
+          result = saved_hash
+        else
+          say "<%= color(%q{You can resume these answers or delete the file.}, YELLOW) %>\n\n"
+
+          if agree( "resume the session? (no = deletes file)" ){ |q| q.default = 'yes' }
+            say "\n<%= color( %q{applying answers from '#{_file}'}, GREEN )%>\n"
+            result = saved_hash
+          else
+            say "\n<%= color( %q{removing file '#{_file}'}, RED )%>\n"
+            FileUtils.rm_f _file, :verbose => true
+          end
+        end
+        sleep 1
+      end
+    end
+    result
+  end
+
+
+  def self.remove_saved_session
+    if file = @options.fetch( :output_file )
+      _file = File.join( File.dirname( file ), ".#{File.basename( file )}" )
+      FileUtils.rm_f( _file, :verbose => false ) if File.file?( _file )
+    end
+  end
+
+
+  def self.read_answers_file file
+    answers_hash = {}    # Read the input file
+
+    if file
+      unless File.exist?(file)
+        raise "Could not access the file '#{file}'!"
+      end
+    else
+      file = @options[:system_file]
+    end
+
+    begin
+      answers_hash = YAML.load(File.read(file))
+      answers_hash.empty?
+    rescue Errno::EACCES
+      error = "WARNING: Could not access the answers file '#{file}'!"
+      say "<%= color(%q{#{error}}, YELLOW) %>\n"
+    rescue
+      # If the file existed, but ingest failed, then there's a problem
+      raise "System Configuration File: '#{file}' is corrupted.\nReview the file and either fix or remove it before trying again."
+    end
+
+    answers_hash
+  end
+
+  def self.run(args = [])
+    begin
+      super # parse @options
+    rescue OptionParser::InvalidOption=> e
+      error = "ERROR: #{e.message}"
+      say "\n<%= color(%q{#{error}}, RED) %>\n"
+      puts @opt_parser
+      exit 1
+    end
+
+    # Ensure that custom facts are available before the first pluginsync
+    %x{puppet config print modulepath}.strip.split(':').each do |dir|
+      next unless File.directory?(dir)
+      Find.find(dir) do |mod_path|
+        fact_path = File.expand_path('lib/facter', mod_path)
+        Facter.search(fact_path) if File.directory?(fact_path)
+        Find.prune unless mod_path == dir
+      end
+    end
+
+    # read in answers file
+    answers_hash = {}
+    if file = @options.fetch( :input_file )
+      answers_hash = read_answers_file( file )
+    end
+
+    # NOTE: answers from an interrupted session take precedence over input file
+    answers_hash = saved_session.merge( answers_hash )
+
+    # NOTE: answers provided from the cli take precedence over everything else
+    cli_answers  = Hash[ ARGV[1..-1].map{ |x| x.split '=' } ]
+    answers_hash = answers_hash.merge( cli_answers )
+
+    # get the list of items
+    #  - applies any known answers at this point
+    item_list          = Simp::Cli::Config::ItemListFactory.new( @options ).process( nil, answers_hash )
+
+    # process items:
+    #  - get any remaining answers
+    #  - apply changes as needed
+    questionnaire      = Simp::Cli::Config::Questionnaire.new( @options )
+    answers            = questionnaire.process( item_list, {} )
+
+    remove_saved_session
+  end
+end