authorelijah <elijah@riseup.net>2012-11-28 14:08:39 -0800
committerelijah <elijah@riseup.net>2012-11-28 14:08:39 -0800
commite2c31618b6f70d86c55c348436dd600b2e4ace21 (patch)
tree2bf27e98fc62af402499c0e7736b02b280dfc320 /lib/leap_cli/commands
parent16f9ee1668a06d6b83dfc312d0601d4f235ab8ef (diff)
command name shuffle -- grouped more commands together as subcommands
Diffstat (limited to 'lib/leap_cli/commands')
-rw-r--r--lib/leap_cli/commands/ca.rb255
-rw-r--r--lib/leap_cli/commands/compile.rb2
-rw-r--r--lib/leap_cli/commands/node.rb58
-rw-r--r--lib/leap_cli/commands/test.rb25
4 files changed, 176 insertions, 164 deletions
diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb
index 05bdb2b..f471b5a 100644
--- a/lib/leap_cli/commands/ca.rb
+++ b/lib/leap_cli/commands/ca.rb
@@ -5,150 +5,155 @@ require 'digest/md5'
module LeapCli; module Commands
- desc 'Creates the public and private key for your Certificate Authority.'
- command :'init-ca' do |c|
- c.action do |global_options,options,args|
- assert_files_missing! :ca_cert, :ca_key
- assert_config! 'provider.ca.name'
- assert_config! 'provider.ca.bit_size'
- assert_config! 'provider.ca.life_span'
-
- provider = manager.provider
- root = CertificateAuthority::Certificate.new
-
- # set subject
- root.subject.common_name = provider.ca.name
- possible = ['country', 'state', 'locality', 'organization', 'organizational_unit', 'email_address']
- provider.ca.keys.each do |key|
- if possible.include?(key)
- root.subject.send(key + '=', provider.ca[key])
+ desc "Manage X.509 certificates"
+ #long_desc ""
+ command :cert do |c|
+
+ c.desc 'Creates a Certificate Authority (private key and CA certificate)'
+ c.command :ca do |c|
+ c.action do |global_options,options,args|
+ assert_files_missing! :ca_cert, :ca_key
+ assert_config! 'provider.ca.name'
+ assert_config! 'provider.ca.bit_size'
+ assert_config! 'provider.ca.life_span'
+
+ provider = manager.provider
+ root = CertificateAuthority::Certificate.new
+
+ # set subject
+ root.subject.common_name = provider.ca.name
+ possible = ['country', 'state', 'locality', 'organization', 'organizational_unit', 'email_address']
+ provider.ca.keys.each do |key|
+ if possible.include?(key)
+ root.subject.send(key + '=', provider.ca[key])
+ end
end
- end
- # set expiration
- root.not_before = today
- root.not_after = years_from_today(provider.ca.life_span.to_i)
+ # set expiration
+ root.not_before = today
+ root.not_after = years_from_today(provider.ca.life_span.to_i)
- # generate private key
- root.serial_number.number = 1
- root.key_material.generate_key(provider.ca.bit_size)
+ # generate private key
+ root.serial_number.number = 1
+ root.key_material.generate_key(provider.ca.bit_size)
- # sign self
- root.signing_entity = true
- root.parent = root
- root.sign!(ca_root_signing_profile)
+ # sign self
+ root.signing_entity = true
+ root.parent = root
+ root.sign!(ca_root_signing_profile)
- # save
- write_file!(:ca_key, root.key_material.private_key.to_pem)
- write_file!(:ca_cert, root.to_pem)
+ # save
+ write_file!(:ca_key, root.key_material.private_key.to_pem)
+ write_file!(:ca_cert, root.to_pem)
+ end
end
- end
- desc 'Creates or renews a X.509 certificate/key pair for a single node or all nodes'
- arg_name '<node-name | "all">', :optional => false, :multiple => false
- command :'update-cert' do |c|
- c.action do |global_options,options,args|
- assert_files_exist! :ca_cert, :ca_key, :msg => 'Run init-ca to create them'
- assert_config! 'provider.ca.server_certificates.bit_size'
- assert_config! 'provider.ca.server_certificates.digest'
- assert_config! 'provider.ca.server_certificates.life_span'
- assert_config! 'common.x509.use'
-
- if args.first == 'all' || args.empty?
- manager.each_node do |node|
- if cert_needs_updating?(node)
- generate_cert_for_node(node)
+ c.desc 'Creates or renews a X.509 certificate/key pair for a single node or all nodes'
+ c.arg_name 'node-name', :optional => false
+ c.command :update do |c|
+ c.action do |global_options,options,args|
+ assert_files_exist! :ca_cert, :ca_key, :msg => 'Run `leap cert ca` to create them'
+ assert_config! 'provider.ca.server_certificates.bit_size'
+ assert_config! 'provider.ca.server_certificates.digest'
+ assert_config! 'provider.ca.server_certificates.life_span'
+ assert_config! 'common.x509.use'
+
+ if args.first == 'all' || args.empty?
+ manager.each_node do |node|
+ if cert_needs_updating?(node)
+ generate_cert_for_node(node)
+ end
end
+ else
+ generate_cert_for_node(get_node_from_args(args))
end
- else
- generate_cert_for_node(get_node_from_args(args))
end
end
- end
- desc 'Generates Diffie-Hellman parameter file (needed for server-side of TLS connections)'
- command :'init-dh' do |c|
- c.action do |global_options,options,args|
- long_running do
- if cmd_exists?('certtool')
- log 0, 'Generating DH parameters (takes a long time)...'
- output = assert_run!('certtool --generate-dh-params --sec-param high')
- output.sub! /.*(-----BEGIN DH PARAMETERS-----.*-----END DH PARAMETERS-----).*/m, '\1'
- output << "\n"
- write_file!(:dh_params, output)
- else
- log 0, 'Generating DH parameters (takes a REALLY long time)...'
- output = OpenSSL::PKey::DH.generate(3248).to_pem
- write_file!(:dh_params, output)
+ c.desc 'Creates a Diffie-Hellman parameter file' # (needed for server-side of some TLS connections)
+ c.command :dh do |c|
+ c.action do |global_options,options,args|
+ long_running do
+ if cmd_exists?('certtool')
+ log 0, 'Generating DH parameters (takes a long time)...'
+ output = assert_run!('certtool --generate-dh-params --sec-param high')
+ output.sub! /.*(-----BEGIN DH PARAMETERS-----.*-----END DH PARAMETERS-----).*/m, '\1'
+ output << "\n"
+ write_file!(:dh_params, output)
+ else
+ log 0, 'Generating DH parameters (takes a REALLY long time)...'
+ output = OpenSSL::PKey::DH.generate(3248).to_pem
+ write_file!(:dh_params, output)
+ end
end
end
end
- end
-
- #
- # hints:
- #
- # inspect CSR:
- # openssl req -noout -text -in files/cert/x.csr
- #
- # generate CSR with openssl to see how it compares:
- # openssl req -sha256 -nodes -newkey rsa:2048 -keyout example.key -out example.csr
- #
- # validate a CSR:
- # http://certlogik.com/decoder/
- #
- # nice details about CSRs:
- # http://www.redkestrel.co.uk/Articles/CSR.html
- #
- desc 'Creates a Certificate Signing Request for use in purchasing a commercial x509 certificate'
- command :'init-csr' do |c|
- #c.switch 'sign', :desc => 'additionally creates a cert that is signed by your own CA (recommended only for testing)', :negatable => false
- c.action do |global_options,options,args|
- assert_config! 'provider.domain'
- assert_config! 'provider.name'
- assert_config! 'provider.default_language'
- assert_config! 'provider.ca.server_certificates.bit_size'
- assert_config! 'provider.ca.server_certificates.digest'
- assert_files_missing! [:commercial_key, manager.provider.domain], [:commercial_csr, manager.provider.domain], :msg => 'If you really want to create a new key and CSR, remove these files first.'
- if options[:sign]
- assert_files_exist! :ca_cert, :ca_key, :msg => 'Run init-ca to create them'
- end
- # RSA key
- keypair = CertificateAuthority::MemoryKeyMaterial.new
- log :generating, "%s bit RSA key" % manager.provider.ca.server_certificates.bit_size do
- keypair.generate_key(manager.provider.ca.server_certificates.bit_size)
- write_file! [:commercial_key, manager.provider.domain], keypair.private_key.to_pem
- end
+ #
+ # hints:
+ #
+ # inspect CSR:
+ # openssl req -noout -text -in files/cert/x.csr
+ #
+ # generate CSR with openssl to see how it compares:
+ # openssl req -sha256 -nodes -newkey rsa:2048 -keyout example.key -out example.csr
+ #
+ # validate a CSR:
+ # http://certlogik.com/decoder/
+ #
+ # nice details about CSRs:
+ # http://www.redkestrel.co.uk/Articles/CSR.html
+ #
+ c.desc 'Creates a CSR for use in buying a commercial X.509 certificate'
+ c.command :csr do |c|
+ #c.switch 'sign', :desc => 'additionally creates a cert that is signed by your own CA (recommended only for testing)', :negatable => false
+ c.action do |global_options,options,args|
+ assert_config! 'provider.domain'
+ assert_config! 'provider.name'
+ assert_config! 'provider.default_language'
+ assert_config! 'provider.ca.server_certificates.bit_size'
+ assert_config! 'provider.ca.server_certificates.digest'
+ assert_files_missing! [:commercial_key, manager.provider.domain], [:commercial_csr, manager.provider.domain], :msg => 'If you really want to create a new key and CSR, remove these files first.'
+ if options[:sign]
+ assert_files_exist! :ca_cert, :ca_key, :msg => 'Run `leap cert ca` to create them'
+ end
- # CSR
- dn = CertificateAuthority::DistinguishedName.new
- csr = CertificateAuthority::SigningRequest.new
- dn.common_name = manager.provider.domain
- dn.organization = manager.provider.name[manager.provider.default_language]
- log :generating, "CSR with commonName => '%s', organization => '%s'" % [dn.common_name, dn.organization] do
- csr.distinguished_name = dn
- csr.key_material = keypair
- csr.digest = manager.provider.ca.server_certificates.digest
- request = csr.to_x509_csr
- write_file! [:commercial_csr, manager.provider.domain], csr.to_pem
- end
+ # RSA key
+ keypair = CertificateAuthority::MemoryKeyMaterial.new
+ log :generating, "%s bit RSA key" % manager.provider.ca.server_certificates.bit_size do
+ keypair.generate_key(manager.provider.ca.server_certificates.bit_size)
+ write_file! [:commercial_key, manager.provider.domain], keypair.private_key.to_pem
+ end
- # Sign using our own CA, for use in testing but hopefully not production.
- # It is not that commerical CAs are so secure, it is just that signing your own certs is
- # a total drag for the user because they must click through dire warnings.
- #if options[:sign]
- log :generating, "self-signed x509 server certificate for testing purposes" do
- cert = csr.to_cert
- cert.serial_number.number = cert_serial_number(manager.provider.domain)
- cert.not_before = today
- cert.not_after = years_from_today(1)
- cert.parent = ca_root
- cert.sign! domain_test_signing_profile
- write_file! [:commercial_cert, manager.provider.domain], cert.to_pem
- log "please replace this file with the real certificate you get from a CA using #{Path.relative_path([:commercial_csr, manager.provider.domain])}"
+ # CSR
+ dn = CertificateAuthority::DistinguishedName.new
+ csr = CertificateAuthority::SigningRequest.new
+ dn.common_name = manager.provider.domain
+ dn.organization = manager.provider.name[manager.provider.default_language]
+ log :generating, "CSR with commonName => '%s', organization => '%s'" % [dn.common_name, dn.organization] do
+ csr.distinguished_name = dn
+ csr.key_material = keypair
+ csr.digest = manager.provider.ca.server_certificates.digest
+ request = csr.to_x509_csr
+ write_file! [:commercial_csr, manager.provider.domain], csr.to_pem
end
- #end
+
+ # Sign using our own CA, for use in testing but hopefully not production.
+ # It is not that commerical CAs are so secure, it is just that signing your own certs is
+ # a total drag for the user because they must click through dire warnings.
+ #if options[:sign]
+ log :generating, "self-signed x509 server certificate for testing purposes" do
+ cert = csr.to_cert
+ cert.serial_number.number = cert_serial_number(manager.provider.domain)
+ cert.not_before = today
+ cert.not_after = years_from_today(1)
+ cert.parent = ca_root
+ cert.sign! domain_test_signing_profile
+ write_file! [:commercial_cert, manager.provider.domain], cert.to_pem
+ log "please replace this file with the real certificate you get from a CA using #{Path.relative_path([:commercial_csr, manager.provider.domain])}"
+ end
+ #end
+ end
end
end
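Review bot: In the new `cert csr` subcommand the `if options[:sign]` guard around `assert_files_exist! :ca_cert, :ca_key` is dead code, because the `c.switch 'sign'` that would populate it is still commented out, while the self-signing block further down (`cert.parent = ca_root` / `cert.sign! domain_test_signing_profile`) runs unconditionally; a provider that has not yet run `leap cert ca` therefore fails inside `ca_root` instead of getting the intended "Run `leap cert ca` to create them" message. Either drop the `if` so the assert always runs, or re-enable the switch and put the signing block back under the same condition, matching the existing `#if options[:sign]` / `#end` markers. In the same action `request = csr.to_x509_csr` is assigned but never read (the PEM is written from `csr.to_pem`), so the local can go. The `cert update` subcommand still accepts `all` or no argument, but its new `c.arg_name 'node-name', :optional => false` no longer tells the user that, unlike the old `<node-name | "all">`.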
diff --git a/lib/leap_cli/commands/compile.rb b/lib/leap_cli/commands/compile.rb
index 9882e6a..45e4f2b 100644
--- a/lib/leap_cli/commands/compile.rb
+++ b/lib/leap_cli/commands/compile.rb
@@ -2,7 +2,7 @@
module LeapCli
module Commands
- desc 'Compile json files to hiera configs'
+ desc 'Compiles node configuration files into hiera files used for deployment'
command :compile do |c|
c.action do |global_options,options,args|
# these must come first
diff --git a/lib/leap_cli/commands/node.rb b/lib/leap_cli/commands/node.rb
index 28e250a..678bebd 100644
--- a/lib/leap_cli/commands/node.rb
+++ b/lib/leap_cli/commands/node.rb
@@ -6,41 +6,43 @@ module LeapCli; module Commands
##
## COMMANDS
##
-
- desc 'not yet implemented... Create a new configuration for a node'
- command :'add-node' do |c|
- c.action do |global_options,options,args|
+ desc 'Node management'
+ command :node do |c|
+ c.desc 'Create a new configuration file for a node'
+ c.command :add do |c|
+ c.action do |global_options,options,args|
+ end
end
- end
- desc 'Bootstraps a node, setting up ssh keys and installing prerequisites'
- arg_name '<node-name>', :optional => false, :multiple => false
- command :'init-node' do |c|
- c.switch 'echo', :desc => 'if set, passwords are visible as you type them (default is hidden)', :negatable => false
- c.action do |global_options,options,args|
- node = get_node_from_args(args)
- ping_node(node)
- save_public_host_key(node)
- update_compiled_ssh_configs
- ssh_connect(node, :bootstrap => true, :echo => options[:echo]) do |ssh|
- ssh.install_authorized_keys
- ssh.install_prerequisites
+ c.desc 'Bootstraps a node, setting up ssh keys and installing prerequisites'
+ c.arg_name 'node-name', :optional => false, :multiple => false
+ c.command :init do |c|
+ c.switch 'echo', :desc => 'if set, passwords are visible as you type them (default is hidden)', :negatable => false
+ c.action do |global_options,options,args|
+ node = get_node_from_args(args)
+ ping_node(node)
+ save_public_host_key(node)
+ update_compiled_ssh_configs
+ ssh_connect(node, :bootstrap => true, :echo => options[:echo]) do |ssh|
+ ssh.install_authorized_keys
+ ssh.install_prerequisites
+ end
+ log :completed, "node init #{node.name}"
end
- log :completed, "init-node #{node.name}"
end
- end
- desc 'not yet implemented'
- command :'rename-node' do |c|
- c.action do |global_options,options,args|
+ c.desc 'Renames a node file, and all its related files'
+ c.command :mv do |c|
+ c.action do |global_options,options,args|
+ end
end
- end
- desc 'not yet implemented'
- arg_name '<node-name>', :optional => false, :multiple => false
- command :'rm-node' do |c|
- c.action do |global_options,options,args|
- remove_file!()
+ c.desc 'Removes a node file, and all its related files'
+ c.arg_name '<node-name>', :optional => false, :multiple => false
+ c.command :rm do |c|
+ c.action do |global_options,options,args|
+ remove_file!()
+ end
end
end
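Review bot: The `node add` and `node mv` subcommands now carry descriptions that promise real behaviour (`Create a new configuration file for a node`, `Renames a node file, and all its related files`) while their actions are empty, and `node rm` calls `remove_file!()` with no argument, so none of the three does what `leap node --help` will claim; the old descriptions at least said "not yet implemented". Until they are implemented, mirror what this commit does for `test run` and put `log 'not yet implemented'` in each empty action. The `rm` subcommand also keeps the bracketed `c.arg_name '<node-name>'` form that `node init` in this same hunk changed to `c.arg_name 'node-name'`; the two should agree.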
diff --git a/lib/leap_cli/commands/test.rb b/lib/leap_cli/commands/test.rb
index dc08652..dd505b6 100644
--- a/lib/leap_cli/commands/test.rb
+++ b/lib/leap_cli/commands/test.rb
@@ -1,18 +1,23 @@
module LeapCli; module Commands
- desc 'Creates files needed to run tests'
- command :'init-test' do |c|
- c.action do |global_options,options,args|
- generate_test_client_cert
- generate_test_client_openvpn_config
- end
- end
-
desc 'Run tests'
command :test do |c|
- c.action do |global_options,options,args|
- log 'not yet implemented'
+ c.desc 'Creates files needed to run tests'
+ c.command :init do |c|
+ c.action do |global_options,options,args|
+ generate_test_client_cert
+ generate_test_client_openvpn_config
+ end
end
+
+ c.desc 'Run tests'
+ c.command :run do |c|
+ c.action do |global_options,options,args|
+ log 'not yet implemented'
+ end
+ end
+
+ c.default_command :run
end
private