vagrant-certificates 2.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 939f3ba91b87bf52ab5ee0d9afcb889a0790e5ac95e63fbd0f3cca8ccdc30b1f
+  data.tar.gz: f8887f558673672a53eb1f682c8b18e61e1f62f59ffe9e76139865114e473930
+SHA512:
+  metadata.gz: 68d0108732000c906e4a8a5bb9e2aa00d567c753b81ed2135d3eafe078e8449e109b52db9efdfa129fcd50dca56014da6830fd3abb1cc66d001594dc8aa8b5bf
+  data.tar.gz: 4f41431da09c45f956e877488fc0b7671e9670f8dc1c2e60802846e70552e949e4a5ba6a3857df0fbbbb39764a3a8c59b194e9a691bd61d6e4973b5c31ecc7ee

data/.github/CONTRIBUTING.md

@@ -0,0 +1,8 @@
+## Contributing
+
+1. Fork the repository on Github
+2. Create a named feature branch (i.e. `add-new-recipe`)
+3. Write your change
+4. Write tests for your change (if applicable)
+5. Run the tests, ensuring they all pass
+6. Submit a Pull Request

data/.gitignore

@@ -0,0 +1,18 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+.DS_Store

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/CHANGELOG.md

@@ -0,0 +1,8 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+## [1.3.0] 2017-09-25
+- Adds support for managing Windows guest certificates.

data/Gemfile

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+gemspec
+
+group :development, :test do
+  gem 'rake'
+  gem 'rspec'
+end

data/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright 2019, GFI Informatique.
+Copyright 2014-2017, Bloomberg Finance L.P.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,132 @@
+# CA Certificate Plugin for Vagrant
+![Gem Version](https://img.shields.io/gem/v/vagrant-certificates.svg)
+![License](https://img.shields.io/github/license/gfi-centre-ouest/vagrant-certificates.svg)
+
+A [Vagrant][4] plugin which configures the virtual machine to inject
+the specified certificates into the guest's root bundle. This is
+useful, for example, if your enterprise network has a firewall (or
+appliance) which utilizes [SSL interception][5].
+
+_Warning:_ This plugin adds certificates to the guest operating
+system's [root certificate bundle][6]. You should only use this if you
+know *exactly* what you are doing. This should *never* be used on a
+production machine.
+
+## Fork
+
+This is a fork of original [vagrant-ca-certificates](https://github.com/williambailey/vagrant-ca-certificates) plugin.
+
+## Installation
+The latest stable version of this plugin can be installed using the
+standard `vagrant plugin install` with the `vagrant-certificates`
+argument. If you're looking to hack on the plugin or test a
+development release you'll need to checkout the branch and build the
+gem yourself. That's pretty easy.
+
+The following set of commands checks out the master branch, uses
+bundler to install all of the Ruby dependencies and finally creates
+the gem locally. Once the gem is built we use the Vagrant command-line
+tool to install it.
+```sh
+git clone https://github.com/williambailey/vagrant-certificates ~/Projects/vagrant-certificates
+cd ~/Projects/vagrant-certificates
+bundle install
+rake build
+vagrant plugin install pkg/vagrant-certificates-*.gem
+```
+
+## Using with Test Kitchen
+### Writing a Vagrantfile.rb
+In order to be able to use [test kitchen][2] within an environment that
+has a HTTP proxy with SSL interception we need to ensure that we set
+both the proxies and inject in our new certificate bundles.
+
+If you're following the complete tutorial here we're going to save
+this file in a newly created directory
+`~/.vagrant.d/Vagrantfile`. This will be merged into the final
+Vagrantfile configuration that the test-kitchen run will use to
+provision a new instance.
+```ruby
+Vagrant.configure('2') do |config|
+  config.proxy.enabled = true if Vagrant.has_plugin?('vagrant-proxyconf')
+
+  if Vagrant.has_plugin?('vagrant-certificates')
+    config.certificates.enabled = true
+    config.certificates.certs = [
+      '/etc/pki/ca-trust/source/anchors/root.crt',
+      '/etc/pki/ca-trust/source/anchors/sub.crt'
+    ]
+  end
+end
+```
+### Writing a .kitchen.local.yml
+One goal that we set out when creating internal cookbooks is if that
+they can be open sourced we want to be easily able to do so in the
+future. That means we try to keep out as much of our environment
+specific variables, such as proxy configuration, from the repository's
+base kitchen configuration. Luckily test-kitchen merges in a local
+file, if it exists, at the time of the run.
+
+Here is an example of the local configuration file that we use to
+merge in the Vagrantfile that we've created in the above example. This
+can be saved into `$HOME/.kitchen/config.yml` to be applied to *all*
+test-kitchen runs for this user (on this host machine).
+```yaml
+---
+driver:
+    provision: true
+    http_proxy: "http://proxy.corporate.com:80"
+    https_proxy: "http://proxy.corporate.com:80"
+    ftp_proxy: "http://proxy.corporate.com:80"
+    no_proxy: "localhost,127.0.0.1"
+```
+
+## Vagrant Configuration
+If you're just looking to inject the certificate *only for a single
+Vagrantfile* then you can simply use the following block anywhere
+within the Vagrant configuration. This enables the plugin and injects
+the specified certificates.
+
+```ruby
+Vagrant.configure('2') do |config|
+  if Vagrant.has_plugin?('vagrant-certificates')
+    config.certificates.enabled = true
+    config.certificates.certs = Dir.glob('/etc/pki/ca-trust/source/anchors/*.crt')
+  end
+end
+```
+### System Wide
+At [Bloomberg][1] we often find ourselves in a situation where we do
+not want to make modifications to open source tools, but we need them
+to work within our enterprise network. Using this default base configuration
+for Vagrant we're able to ensure that all runs will inject the appropriate
+certificates into the guest.
+
+Additionally if you need proxies modified in the guest as well an
+excellent choice is the [Vagrant Proxyconf plugin][2] which should
+handle everything you'll run into on a daily basis. Finally, we add the
+[Vagrant cachier plugin][7] so that we are not continually going out to the Internet
+on successive [Test Kitchen][3] and Vagrant runs.
+
+This file should be saved to `$HOME/.kitchen/Vagrantfile.rb`.
+```ruby
+# These are requirements for this base Vagrantfile. If they are not
+# installed there will be a warning message with Vagrant/test-kitchen.
+%w(vagrant-certificates vagrant-proxyconf vagrant-cachier).each do |name|
+  fail "Please install the '#{name}' plugin!" unless Vagrant.has_plugin?(name)
+end
+
+Vagrant.configure('2') do |config|
+  config.cache.scope = :box
+  config.proxy.enabled = true
+  config.certificates.enabled = true
+  config.certificates.certs = Dir.glob('/etc/pki/ca-trust/source/anchors/*.crt')
+end
+```
+[1]: https://careers.bloomberg.com
+[2]: https://github.com/tmatilai/vagrant-proxyconf
+[3]: https://github.com/test-kitchen/test-kitchen
+[4]: https://github.com/mitchellh/vagrant
+[5]: http://en.wikipedia.org/wiki/Man-in-the-middle_attack
+[6]: http://en.wikipedia.org/wiki/Root_certificate
+[7]: https://github.com/fgrehm/vagrant-cachier

data/Rakefile

@@ -0,0 +1 @@
+require 'bundler/gem_tasks'

data/bin/rspec

@@ -0,0 +1,17 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+#
+# This file was generated by Bundler.
+#
+# The application 'rspec' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require "pathname"
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
+  Pathname.new(__FILE__).realpath)
+
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("rspec-core", "rspec")

data/certs/jbellone.pem

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFgDCCA2igAwIBAgIBATANBgkqhkiG9w0BAQUFADBDMREwDwYDVQQDDAhqYmVs
+bG9uZTEZMBcGCgmSJomT8ixkARkWCWJsb29tYmVyZzETMBEGCgmSJomT8ixkARkW
+A25ldDAeFw0xNzA5MjUxMjA0NDVaFw0xODA5MjUxMjA0NDVaMEMxETAPBgNVBAMM
+CGpiZWxsb25lMRkwFwYKCZImiZPyLGQBGRYJYmxvb21iZXJnMRMwEQYKCZImiZPy
+LGQBGRYDbmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzRdyupn5
+5gpXivhSDi+lnepuxf4ila+9FDW5znNxbwDLFsfzYFiPecJFLylWyHtJSe9fq8gW
+1G1qWU6wCaw4Jw6fU9wdh+g4GMRdcbbH6EJPNJjV3Z0/E0XAXOzC1AHUpYc/o0Wq
+wS/MmfPHuZnH9IPS0moWDoifKBrNIyPBMRxNTkDnOMo/FtvFmLIN8f0PWF4RW0yr
+KthpgcvpulUZImZEplKYTeGe3P3OmfiddWao5VNbuB/srTcW/yTuHT3lV5jsqMF9
+lvw3jdUfHcZLagKP8xpBnrS/mlfGgA0cnIrdaDFOaJVGZFpCOd1+usen4EmsT6mN
+X5+m7fmvm+aHu8frEsiBG3k5WT+0rHnBIRbdobpLbjcxeFOxa99JXId0fTUiwCOG
+MrZnI/ItsqlxqMXy4RKpTwoB9Ypgejs6FDJA0DH8czJTQ4Y1ePXjgF3VVyXFNxn+
+NeV3s8DF4wgRrLeJb4+kTFZzigp/6IEBgwUKdBOJ5Su1APMsBHNeR2xcY3OMme1Y
+yjq2//uAUZ4CUlhgJzRiHSkuYz9iFJcBUU4QlpRTOwsroeOibEzIoykcoWLEYCAA
+57Gc6myaOt18RElJDoGp3N7HkBBBV5ojfyTWVkNKLlaA9AV+Vvvdw39pH2VylQpz
+sZVuQwW8HYG8smqtxAa3CGnavEnA/rE5HrUCAwEAAaN/MH0wCQYDVR0TBAIwADAL
+BgNVHQ8EBAMCBLAwHQYDVR0OBBYEFNMsCmYsjoVDz/Jma5XJFyXB+5FzMCEGA1Ud
+EQQaMBiBFmpiZWxsb25lQGJsb29tYmVyZy5uZXQwIQYDVR0SBBowGIEWamJlbGxv
+bmVAYmxvb21iZXJnLm5ldDANBgkqhkiG9w0BAQUFAAOCAgEAZ1RNgzHYRQmTUMUL
+DI9l9DCrL01ygTVnfeeuf3CWE4C0alkMgU/V/lC6tgDre4Ya6HA7vPZtgirnXiwM
+wr6HhzmHJHhKUXyY3Nh2yW7lKl/P6Ctt8xyqwEDBodmm0FbOSYatU0PkTgtbKeau
+YgUSw63i3+3SbSkFOsulA6ZAB+3J4oo3l9JFW/hfA9CLFTJnDDwnoaUcxuwmb4n6
+AeKA3Y07jXvVMXMDHfTWIt3hHnkkl2v5U0/FV+hT1RHjmafURNVKln4NYhvEsdpR
+cSKBcJjW+jrCotEDQfquHf5qxxWT9b0+ezExNcY/uzrLQ2m86G8k4zCa8gGrkkDC
+0QrVflrJdCfqHX+nH49SFCOrsbHa9YHE308Bw590rmLOtFoKeHBGmNX8rrfWpjuS
+QRhyoyIAdmFR5py2pEZWpqmQnRNi+6jqYt+X04HKdNgwfzq3J0RuGBZwDvdi+fKT
+UdBgSzKlHRSnwHB21VU8h09M38Mx4LfH9Tnm2nSYH4olf3hAeV8u6R2Wm2CQ7SuO
+C5QSlmvkZgKvBhBVoXKAinNPHzoggayZFXYNfeneBSexPabaC3KX38StLNYOpGtr
+S4nILagJ/gtL67ynCgTIj1xORHEq0H6Lx+p3An8aRHRkCzjFihBqzvtsQ8vlIB+1
+fcoiS9/Mf0US6o3RBgfa+KPVAsE=
+-----END CERTIFICATE-----

data/lib/vagrant-certificates/action/install_certificates.rb

@@ -0,0 +1,114 @@
+require 'vagrant/util/downloader'
+require 'digest/md5'
+require 'log4r'
+
+module VagrantPlugins
+  module Certificates
+    module Action
+      class InstallCertificates
+        attr_accessor :logger
+
+        def initialize(app, env)
+          @app = app
+          @machine = env[:machine]
+          @logger = Log4r::Logger.new('vagrant::certificates')
+        end
+
+        def call(env)
+          @app.call(env)
+          return unless @machine.config.certificates.enabled?
+
+          create_certificates_directory
+          @machine.ui.info(I18n.t('vagrant_certificates.certificate.upload.message'))
+          @machine.config.certificates.certs.each do |file|
+            to = File.join(certs_path, File.basename(file))
+            upload_certificate(file, to)
+          end
+          @machine.guest.capability(:update_certificate_bundle)
+          modify_etc_environment
+        end
+
+        def certs_path
+          @machine.guest.capability(:certificate_upload_path)
+        end
+
+        def modify_etc_environment
+          bundle_path = @machine.guest.capability(:certificate_file_bundle)
+          @logger.debug("Private certificate path: <#{bundle_path}>")
+          @machine.communicate.tap do |sh|
+            case @machine.guest.name
+            when :windows
+              sh.sudo("[Environment]::SetEnvironmentVariable('SSL_CERT_FILE','#{bundle_path}','Machine')")
+            else
+              if sh.test("grep -q 'SSL_CERT_FILE' /etc/environment", shell: '/bin/bash')
+                sh.sudo(%{sed "s#^SSL_CERT_FILE=.*#SSL_CERT_FILE=#{bundle_path}#" -i /etc/environment})
+              else
+                sh.sudo(%{echo "SSL_CERT_FILE=#{bundle_path}" >> /etc/environment})
+              end
+            end
+          end
+        end
+
+        def create_certificates_directory
+          @logger.debug('Checking if private certificate directory is created...')
+          @machine.communicate.tap do |sh|
+            case @machine.guest.name
+            when :windows
+              return if sh.test("$ProgressPreference=\"SilentlyContinue\";if(-not(Test-Path -Path #{certs_path})){Exit 1}")
+              @logger.info("Creating Windows #{certs_path} for private certificates.")
+              sh.sudo("New-Item -Path #{certs_path} -ItemType Directory")
+            else
+              return if sh.test("test -d #{certs_path}")
+              @logger.info("Creating #{certs_path} for private certificates.")
+              sh.sudo("mkdir -p #{certs_path} && chmod 0744 #{certs_path}")
+            end
+          end
+        end
+
+        def upload_certificate(from, to)
+          @logger.debug("Uploading certificates #{from} -> #{to}")
+          if from =~ /^http[s]?/
+            remote = Tempfile.new('vagrant-certificates')
+            Vagrant::Util::Downloader.new(from, remote.path).download!
+            from = remote.path
+          end
+
+          @machine.communicate.tap do |sh|
+            unless certificate_matches?(from, to)
+              tmp_to = Pathname.new(Tempfile.new('vagrant').path).basename
+              @machine.ui.info(I18n.t('vagrant_certificates.certificate.upload.file', from: from, to: to))
+              sh.upload(from.to_s, tmp_to.to_s) # remote.path will build a "C:\" URI on windows, cp to ~ and move.
+              case @machine.guest.name
+              when :windows
+                sh.sudo("Move-Item -path #{tmp_to}/* -Destination #{to} -Force")
+              else
+                sh.sudo("mv #{tmp_to} #{to} && chown root: #{to} && chmod 0644 #{to}")
+              end
+            end
+          end
+        end
+
+        def certificate_matches?(from, to)
+          md5sum = Digest::MD5.file(from)
+          @logger.debug("Verifying #{from} md5sum in guest...")
+          @machine.communicate.tap do |sh|
+            case @machine.guest.name
+            when :windows
+              if sh.test("if(-not((Get-Filehash -path '#{to}' -Algorithm MD5) | Select-Object -ExpandProperty Hash) -eq '#{md5sum}'){Exit 1}")
+                @logger.debug('Certificate md5sum in guest matches!')
+                return true
+              end
+            else
+              return false unless sh.test("test -f #{from}")
+              if sh.test(%{test '#{md5sum}' = '$(md5sum "#{to}")'}, shell: '/bin/bash')
+                @logger.debug('Certificate md5sum in guest matches!')
+                return true
+              end
+            end
+          end
+          false
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-certificates/cap/coreos/certificate_file_bundle.rb

@@ -0,0 +1,13 @@
+module VagrantPlugins
+  module Certificates
+    module Cap
+      module CoreOS
+        module CertificateFileBundle
+          def self.certificate_file_bundle(m)
+            '/etc/ssl/certs/ca-certificates.crt'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-certificates/cap/coreos/certificate_upload_path.rb

@@ -0,0 +1,13 @@
+module VagrantPlugins
+  module Certificates
+    module Cap
+      module CoreOS
+        module CertificateUploadPath
+          def self.certificate_upload_path(m)
+            '/etc/ssl/certs'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-certificates/cap/coreos/update_certificate_bundle.rb

@@ -0,0 +1,20 @@
+module VagrantPlugins
+  module Certificates
+    module Cap
+      module CoreOS
+        # Capability for configuring the certificate bundle on CoreOS.
+        module UpdateCertificateBundle
+          def self.update_certificate_bundle(m)
+            m.communicate.sudo("ls /etc/ssl/certs | awk '{print \"private/\"$1;}' >> /etc/ca-certificates.conf") # enable our custom certs
+            m.communicate.sudo('update-ca-certificates') do |type, data|
+              if [:stderr, :stdout].include?(type)
+                next if data =~ /stdin: is not a tty/
+                m.env.ui.info data
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-certificates/cap/debian/certificate_file_bundle.rb

@@ -0,0 +1,13 @@
+module VagrantPlugins
+  module Certificates
+    module Cap
+      module Debian
+        module CertificateFileBundle
+          def self.certificate_file_bundle(m)
+            '/etc/ssl/certs/ca-certificates.crt'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-certificates/cap/debian/certificate_upload_path.rb

@@ -0,0 +1,13 @@
+module VagrantPlugins
+  module Certificates
+    module Cap
+      module Debian
+        module CertificateUploadPath
+          def self.certificate_upload_path(m)
+            '/usr/share/ca-certificates/private'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-certificates/cap/debian/update_certificate_bundle.rb

@@ -0,0 +1,20 @@
+module VagrantPlugins
+  module Certificates
+    module Cap
+      module Debian
+        # Capability for configuring the certificate bundle on Debian.
+        module UpdateCertificateBundle
+          def self.update_certificate_bundle(m)
+            m.communicate.sudo("ls /usr/share/ca-certificates/private | awk '{print \"private/\"$1;}' >> /etc/ca-certificates.conf") # enable our custom certs
+            m.communicate.sudo('update-ca-certificates') do |type, data|
+              if [:stderr, :stdout].include?(type)
+                next if data =~ /stdin: is not a tty/
+                m.env.ui.info data
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-certificates/cap/redhat/certificate_file_bundle.rb

@@ -0,0 +1,13 @@
+module VagrantPlugins
+  module Certificates
+    module Cap
+      module Redhat
+        module CertificateFileBundle
+          def self.certificate_file_bundle(m)
+            '/etc/pki/tls/cert.pem'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-certificates/cap/redhat/certificate_upload_path.rb

@@ -0,0 +1,18 @@
+require_relative 'helpers'
+
+module VagrantPlugins
+  module Certificates
+    module Cap
+      module Redhat
+        module CertificateUploadPath
+          def self.certificate_upload_path(m)
+            m.communicate.tap do |sh|
+              return '/etc/pki/tls/private' if Redhat.legacy_certificate_bundle?(sh)
+            end
+            '/etc/pki/ca-trust/source/anchors'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-certificates/cap/redhat/helpers.rb

@@ -0,0 +1,15 @@
+module VagrantPlugins
+  module Certificates
+    module Cap
+      module Redhat
+        # HACK: All versions of EL5 and below EL6.5 do not have
+        # support for the `update-ca-trust` command and thus the
+        # bundles must be managed manually.
+        def self.legacy_certificate_bundle?(sh)
+          command = %q(R=$(sed -E "s/.* ([0-9])\.([0-9]+) .*/\\1.\\2/" /etc/redhat-release))
+          sh.test(%Q(#{command} && [[ $R =~ ^5 || $R =~ ^6\.[0-4]+ ]]), shell: '/bin/bash') || !sh.test("rpm -q ca-certificates", shell:'/bin/bash')
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-certificates/cap/redhat/update_certificate_bundle.rb

@@ -0,0 +1,38 @@
+require_relative 'helpers'
+
+module VagrantPlugins
+  module Certificates
+    module Cap
+      module Redhat
+        # Capability for configuring the certificate bundle on Redhat.
+        module UpdateCertificateBundle
+          def self.update_certificate_bundle(m)
+            m.communicate.tap do |sh|
+              if Redhat.legacy_certificate_bundle?(sh)
+                sh.sudo(<<-SCRIPT)
+BUNDLE=/etc/pki/tls/certs/ca-bundle.crt; 
+PRIVATE=/etc/pki/tls/ca.private.crt; 
+if ! [ "$(readlink $BUNDLE)" == "$PRIVATE" ]; then 
+  find /etc/pki/tls/private -type f -exec cat {} \\; | cat $BUNDLE - > $PRIVATE ; 
+fi
+SCRIPT
+                sh.sudo('/bin/ln -fsn /etc/pki/tls/ca.private.crt /etc/pki/tls/cert.pem')
+                sh.sudo('/bin/ln -fsn /etc/pki/tls/ca.private.crt /etc/pki/tls/certs/ca-bundle.crt')
+                sh.execute(<<-SCRIPT, shell: '/bin/bash', sudo: true)
+if [ ! -z "$JAVA_HOME" ]; then \
+find /etc/pki/tls/private -type f -exec $JAVA_HOME/bin/keytool -importcert \
+ -trustcacerts -noprompt -storepass changeit \
+ -keystore $JAVA_HOME/jre/lib/security/cacerts -file {} \\; \
+else true; fi
+                SCRIPT
+              else
+                sh.sudo('update-ca-trust enable')
+                sh.sudo('update-ca-trust extract')
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-certificates/cap/windows/certificate_file_bundle.rb

@@ -0,0 +1,13 @@
+module VagrantPlugins
+  module Certificates
+    module Cap
+      module Windows
+        module CertificateFileBundle
+          def self.certificate_file_bundle(m)
+            'C:/ssl/cacert.pem'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-certificates/cap/windows/certificate_upload_path.rb

@@ -0,0 +1,13 @@
+module VagrantPlugins
+  module Certificates
+    module Cap
+      module Windows
+        module CertificateUploadPath
+          def self.certificate_upload_path(m)
+            'C:/ssl/certs'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-certificates/cap/windows/update_certificate_bundle.rb

@@ -0,0 +1,19 @@
+module VagrantPlugins
+  module Certificates
+    module Cap
+      module Windows
+        # Capability for configuring the certificate bundle on CoreOS.
+        module UpdateCertificateBundle
+          def self.update_certificate_bundle(m)
+            # Import the certificates into the local machine root store
+            m.communicate.sudo("Get-ChildItem -Path C:/ssl/certs | Foreach-Object {certutil -addstore -enterprise -f 'Root' $_.FullName}")
+            # Also import the certificates into a bundle to be referenced by SSL_CERT_FILE
+            m.communicate.sudo("Remove-Item -Path C:/ssl/cacert.pem; Get-ChildItem -Path C:/ssl/certs | Get-Content | Out-File -FilePath C:/ssl/cacert.pem -Encoding utf8 -Append")
+            # Convert the cacerts.pem with Windows line endings ('\r\n') to Unix line endings ('\n')
+            m.communicate.sudo("$cacertContents = [io.file]::ReadAllText('C:/ssl/cacert.pem') -replace \"`r`n\",\"`n\"; [io.file]::WriteAllText('C:/ssl/cacert_unix.pem', $cacertContents)")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-certificates/config.rb

@@ -0,0 +1,45 @@
+require 'vagrant'
+
+module VagrantPlugins
+  module Certificates
+    class Config < Vagrant.plugin('2', :config)
+      attr_accessor :certs, :enabled
+
+      def initialize
+        @certs = UNSET_VALUE
+        @enabled = UNSET_VALUE
+      end
+
+      def enabled?
+        @enabled == true
+      end
+
+      def disabled?
+        !enabled?
+      end
+
+      def disable!
+        @enabled = false
+      end
+
+      def validate(machine)
+        errors = []
+        if enabled?
+          # If the certificates specified do not exist on the host
+          # disk we should error out very loudly. Because this will
+          # likely affect guest operation.
+          @certs.reject { |f| f =~ /^http[s]?/ || File.exist?(f) }.each do |f|
+            errors << I18n.t('vagrant_certificates.certificate.not_found', filepath: f)
+          end
+        end
+
+        { 'vagrant-certificates' => errors }
+      end
+
+      def finalize!
+        @enabled = false if @enabled == UNSET_VALUE
+        @certs = [] if @certs == UNSET_VALUE
+      end
+    end
+  end
+end

data/lib/vagrant-certificates/plugin.rb

@@ -0,0 +1,88 @@
+I18n.load_path << File.expand_path('../../../locales/en.yml', __FILE__)
+
+unless Gem::Requirement.new('>= 1.5').satisfied_by?(Gem::Version.new(Vagrant::VERSION))
+  fail I18n.t('vagrant_certificates.unsupported.vagrant_version', requirement: '>= 1.5')
+end
+
+module VagrantPlugins
+  module Certificates
+    class Plugin < Vagrant.plugin('2')
+      name 'vagrant-certificates'
+      description <<-DESC
+        Installs root certificates into guest operating system's trusted bundle.
+      DESC
+
+      config(:certificates) do
+        require_relative 'config'
+        Config
+      end
+
+      action_hook(Plugin::ALL_ACTIONS) do |hook|
+        require_relative 'action/install_certificates'
+        hook.after(Vagrant::Action::Builtin::Provision, Action::InstallCertificates)
+      end
+
+      # All supported guest systems must have these capabilities
+      # implemented. If any of them aren't config validate will fail.
+      guest_capability('debian', 'update_certificate_bundle') do
+        require_relative 'cap/debian/update_certificate_bundle'
+        Cap::Debian::UpdateCertificateBundle
+      end
+
+      guest_capability('redhat', 'update_certificate_bundle') do
+        require_relative 'cap/redhat/update_certificate_bundle'
+        Cap::Redhat::UpdateCertificateBundle
+      end
+
+      guest_capability('coreos', 'update_certificate_bundle') do
+        require_relative 'cap/coreos/update_certificate_bundle'
+        Cap::CoreOS::UpdateCertificateBundle
+      end
+
+      guest_capability('windows', 'update_certificate_bundle') do
+        require_relative 'cap/windows/update_certificate_bundle'
+        Cap::Windows::UpdateCertificateBundle
+      end
+
+      guest_capability('debian', 'certificate_upload_path') do
+        require_relative 'cap/debian/certificate_upload_path'
+        Cap::Debian::CertificateUploadPath
+      end
+
+      guest_capability('redhat', 'certificate_upload_path') do
+        require_relative 'cap/redhat/certificate_upload_path'
+        Cap::Redhat::CertificateUploadPath
+      end
+
+      guest_capability('coreos', 'certificate_upload_path') do
+        require_relative 'cap/coreos/certificate_upload_path'
+        Cap::CoreOS::CertificateUploadPath
+      end
+
+      guest_capability('windows', 'certificate_upload_path') do
+        require_relative 'cap/windows/certificate_upload_path'
+        Cap::Windows::CertificateUploadPath
+      end
+
+      guest_capability('debian', 'certificate_file_bundle') do
+        require_relative 'cap/debian/certificate_file_bundle'
+        Cap::Debian::CertificateFileBundle
+      end
+
+      guest_capability('redhat', 'certificate_file_bundle') do
+        require_relative 'cap/redhat/certificate_file_bundle'
+        Cap::Redhat::CertificateFileBundle
+      end
+
+      guest_capability('coreos', 'certificate_file_bundle') do
+        require_relative 'cap/coreos/certificate_file_bundle'
+        Cap::CoreOS::CertificateFileBundle
+      end
+
+      guest_capability('windows', 'certificate_file_bundle') do
+        require_relative 'cap/windows/certificate_file_bundle'
+        Cap::Windows::CertificateFileBundle
+      end
+    end
+  end
+end

data/lib/vagrant-certificates/version.rb

@@ -0,0 +1,5 @@
+module VagrantPlugins
+  module Certificates
+    VERSION = '2.0.0'
+  end
+end

data/lib/vagrant-certificates.rb

@@ -0,0 +1,2 @@
+require_relative 'vagrant-certificates/version'
+require_relative 'vagrant-certificates/plugin'

data/locales/en.yml

@@ -0,0 +1,17 @@
+en:
+  vagrant_certificates:
+    unsupported:
+      guest_system: |
+        Plugin does not support guest operating system.
+      vagrant_version: |
+        Plugin does not support Vagrant version less than '%{requirement}'.
+    not_enabled: |
+      Plugin is not enabled.
+    certificate:
+      not_found: |
+        Certificate '%{filepath}' not found on host system.
+      upload: 
+        message: |
+          Uploading root certificates to guest instance...
+        file: |
+          -- %{from} => %{to}

data/spec/spec_helper.rb

@@ -0,0 +1,10 @@
+require 'rspec/its'
+require 'vagrant-certificates'
+
+RSpec.configure do |config|
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+  config.color = true
+  config.tty = true
+end

data/spec/unit/vagrant-certificates/action/install_certificates_spec.rb

@@ -0,0 +1,5 @@
+require 'vagrant-certificates/action/install_certificates'
+require 'spec_helper'
+
+describe VagrantPlugins::Certificates::Action::InstallCertificates do
+end

data/spec/unit/vagrant-certificates/cap/coreos/certificate_upload_path_spec.rb

@@ -0,0 +1,5 @@
+require 'vagrant-certificates/cap/coreos/certificate_upload_path'
+require 'spec_helper'
+
+describe VagrantPlugins::Certificates::Cap::CoreOS::CertificateUploadPath do
+end

data/spec/unit/vagrant-certificates/cap/coreos/update_certificate_bundle_spec.rb

@@ -0,0 +1,5 @@
+require 'vagrant-certificates/cap/coreos/update_certificate_bundle'
+require 'spec_helper'
+
+describe VagrantPlugins::Certificates::Cap::CoreOS::UpdateCertificateBundle do
+end

data/spec/unit/vagrant-certificates/cap/debian/certificate_upload_path_spec.rb

@@ -0,0 +1,5 @@
+require 'vagrant-certificates/cap/debian/certificate_upload_path'
+require 'spec_helper'
+
+describe VagrantPlugins::Certificates::Cap::Debian::CertificateUploadPath do
+end

data/spec/unit/vagrant-certificates/cap/debian/update_certificate_bundle_spec.rb

@@ -0,0 +1,5 @@
+require 'vagrant-certificates/cap/debian/update_certificate_bundle'
+require 'spec_helper'
+
+describe VagrantPlugins::Certificates::Cap::Debian::UpdateCertificateBundle do
+end

data/spec/unit/vagrant-certificates/cap/redhat/certificate_upload_path_spec.rb

@@ -0,0 +1,5 @@
+require 'vagrant-certificates/cap/redhat/certificate_upload_path'
+require 'spec_helper'
+
+describe VagrantPlugins::Certificates::Cap::Redhat::CertificateUploadPath do
+end

data/spec/unit/vagrant-certificates/cap/redhat/update_certificate_bundle_spec.rb

@@ -0,0 +1,5 @@
+require 'vagrant-certificates/cap/redhat/update_certificate_bundle'
+require 'spec_helper'
+
+describe VagrantPlugins::Certificates::Cap::Redhat::UpdateCertificateBundle do
+end

data/spec/unit/vagrant-certificates/cap/windows/certificate_upload_path_spec.rb

@@ -0,0 +1,5 @@
+require 'vagrant-certificates/cap/windows/certificate_upload_path'
+require 'spec_helper'
+
+describe VagrantPlugins::Certificates::Cap::Windows::CertificateUploadPath do
+end

data/spec/unit/vagrant-certificates/cap/windows/update_certificate_bundle_spec.rb

@@ -0,0 +1,5 @@
+require 'vagrant-certificates/cap/windows/update_certificate_bundle'
+require 'spec_helper'
+
+describe VagrantPlugins::Certificates::Cap::Windows::UpdateCertificateBundle do
+end

data/spec/unit/vagrant-certificates/config_spec.rb

@@ -0,0 +1,5 @@
+require 'vagrant-certificates/config'
+require 'spec_helper'
+
+describe VagrantPlugins::Certificates::Config do
+end

data/vagrant-certificates.gemspec

@@ -0,0 +1,28 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'vagrant-certificates/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'vagrant-certificates'
+  spec.version       = VagrantPlugins::Certificates::VERSION
+  spec.authors       = ['William Bailey', 'John Bellone']
+  spec.email         = ['mail@williambailey.org.uk', 'jbellone@bloomberg.net']
+  spec.summary       = 'A Vagrant plugin that installs CA certificates onto the virtual machine.'
+  spec.description   = <<-EOF
+    A Vagrant plugin that installs CA certificates onto the virtual machine.
+    This is useful, for example, in the case where you are behind a corporate proxy
+    server that injects its own self signed SSL certificates when you visit https sites.
+  EOF
+  spec.homepage      = 'https://github.com/williambailey/vagrant-certificates'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files`.split($/)
+  spec.test_files    = spec.files.grep(/^(test|spec|features)\//)
+  spec.require_paths = %w(lib)
+
+  spec.cert_chain = ['certs/jbellone.pem']
+  spec.signing_key = File.expand_path(File.join(Dir.home, '.ssh', 'gem-private_key.pem')) if $0 =~ /gem\z/
+
+  spec.add_development_dependency 'bundler', '~> 1.7'
+end

metadata

@@ -0,0 +1,116 @@
+--- !ruby/object:Gem::Specification
+name: vagrant-certificates
+version: !ruby/object:Gem::Version
+  version: 2.0.0
+platform: ruby
+authors:
+- William Bailey
+- John Bellone
+autorequire: 
+bindir: bin
+cert_chain:
+- certs/jbellone.pem
+date: 2019-04-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+description: |2
+      A Vagrant plugin that installs CA certificates onto the virtual machine.
+      This is useful, for example, in the case where you are behind a corporate proxy
+      server that injects its own self signed SSL certificates when you visit https sites.
+email:
+- mail@williambailey.org.uk
+- jbellone@bloomberg.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/CONTRIBUTING.md"
+- ".gitignore"
+- ".rspec"
+- CHANGELOG.md
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/rspec
+- certs/jbellone.pem
+- lib/vagrant-certificates.rb
+- lib/vagrant-certificates/action/install_certificates.rb
+- lib/vagrant-certificates/cap/coreos/certificate_file_bundle.rb
+- lib/vagrant-certificates/cap/coreos/certificate_upload_path.rb
+- lib/vagrant-certificates/cap/coreos/update_certificate_bundle.rb
+- lib/vagrant-certificates/cap/debian/certificate_file_bundle.rb
+- lib/vagrant-certificates/cap/debian/certificate_upload_path.rb
+- lib/vagrant-certificates/cap/debian/update_certificate_bundle.rb
+- lib/vagrant-certificates/cap/redhat/certificate_file_bundle.rb
+- lib/vagrant-certificates/cap/redhat/certificate_upload_path.rb
+- lib/vagrant-certificates/cap/redhat/helpers.rb
+- lib/vagrant-certificates/cap/redhat/update_certificate_bundle.rb
+- lib/vagrant-certificates/cap/windows/certificate_file_bundle.rb
+- lib/vagrant-certificates/cap/windows/certificate_upload_path.rb
+- lib/vagrant-certificates/cap/windows/update_certificate_bundle.rb
+- lib/vagrant-certificates/config.rb
+- lib/vagrant-certificates/plugin.rb
+- lib/vagrant-certificates/version.rb
+- locales/en.yml
+- spec/spec_helper.rb
+- spec/unit/vagrant-certificates/action/install_certificates_spec.rb
+- spec/unit/vagrant-certificates/cap/coreos/certificate_upload_path_spec.rb
+- spec/unit/vagrant-certificates/cap/coreos/update_certificate_bundle_spec.rb
+- spec/unit/vagrant-certificates/cap/debian/certificate_upload_path_spec.rb
+- spec/unit/vagrant-certificates/cap/debian/update_certificate_bundle_spec.rb
+- spec/unit/vagrant-certificates/cap/redhat/certificate_upload_path_spec.rb
+- spec/unit/vagrant-certificates/cap/redhat/update_certificate_bundle_spec.rb
+- spec/unit/vagrant-certificates/cap/windows/certificate_upload_path_spec.rb
+- spec/unit/vagrant-certificates/cap/windows/update_certificate_bundle_spec.rb
+- spec/unit/vagrant-certificates/config_spec.rb
+- vagrant-certificates.gemspec
+homepage: https://github.com/williambailey/vagrant-certificates
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: A Vagrant plugin that installs CA certificates onto the virtual machine.
+test_files:
+- spec/spec_helper.rb
+- spec/unit/vagrant-certificates/action/install_certificates_spec.rb
+- spec/unit/vagrant-certificates/cap/coreos/certificate_upload_path_spec.rb
+- spec/unit/vagrant-certificates/cap/coreos/update_certificate_bundle_spec.rb
+- spec/unit/vagrant-certificates/cap/debian/certificate_upload_path_spec.rb
+- spec/unit/vagrant-certificates/cap/debian/update_certificate_bundle_spec.rb
+- spec/unit/vagrant-certificates/cap/redhat/certificate_upload_path_spec.rb
+- spec/unit/vagrant-certificates/cap/redhat/update_certificate_bundle_spec.rb
+- spec/unit/vagrant-certificates/cap/windows/certificate_upload_path_spec.rb
+- spec/unit/vagrant-certificates/cap/windows/update_certificate_bundle_spec.rb
+- spec/unit/vagrant-certificates/config_spec.rb