author | Micah Anderson <micah@riseup.net> | 2016-11-04 10:54:28 -0400 |
committer | Micah Anderson <micah@riseup.net> | 2016-11-04 10:54:28 -0400 |
commit | 34a381efa8f6295080c843f86bfa07d4e41056af (patch) | |
tree | 9282cf5d4c876688602705a7fa0002bc4a810bde /provider_base | |
parent | 0a72bc6fd292bf9367b314fcb0347c4d35042f16 (diff) | |
parent | 5821964ff7e16ca7aa9141bd09a77d355db492a9 (diff) |
Merge branch 'develop'
Diffstat (limited to 'provider_base')
-rw-r--r-- | provider_base/common.json | 13 | ||||
-rw-r--r-- | provider_base/common.rb | 72 | ||||
-rw-r--r-- | provider_base/provider.rb | 5 | ||||
-rw-r--r-- | provider_base/services/tor.json | 2 | ||||
-rw-r--r-- | provider_base/services/webapp.json | 1 | ||||
-rw-r--r-- | provider_base/tags/vm.json | 2 |
6 files changed, 85 insertions, 10 deletions
diff --git a/provider_base/common.json b/provider_base/common.json
index 5e689109..893d5daf 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
@@ -29,12 +29,7 @@
   "x509": {
     "use": true,
     "use_commercial": false,
-    "cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap cert update`') : nil",
-    "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap cert update`') : nil",
-    "ca_cert": "= try_file :ca_cert",
-    "commercial_cert": "= x509.use_commercial ? file([:commercial_cert, try{webapp.domain}||domain.full_suffix], :missing => 'commercial x509 certificate for node $node. Add file $file, or run `leap cert csr --domain %s` to generate a temporary self-signed cert and CSR you can use to purchase a real cert.' % (try{webapp.domain}||domain.full_suffix)) : nil",
-    "commercial_key": "= x509.use_commercial ? file([:commercial_key, try{webapp.domain}||domain.full_suffix], :missing => 'commercial x509 certificate for node $node. Add file $file, or run `leap cert csr --domain %s` to generate a temporary self-signed cert and CSR you can use to purchase a real cert.' % (try{webapp.domain}||domain.full_suffix)) : nil",
-    "commercial_ca_cert": "= x509.use_commercial ? try_file(:commercial_ca_cert) : nil"
+    "ca_cert": "= try_file :ca_cert"
   },
   "service_type": "internal_service",
   "development": {
@@ -64,9 +59,9 @@
   },
   "sources": {
     "apt": {
-      "basic": "http://httpredir.debian.org/debian/",
+      "basic": "http://deb.debian.org/debian/",
       "security": "http://security.debian.org/",
-      "backports": "http://httpredir.debian.org/debian/"
+      "backports": "http://deb.debian.org/debian/"
     },
     "leap-mx": {
       "type": "apt",
@@ -76,7 +71,7 @@
     "nickserver": {
       "type": "git",
       "source": "https://leap.se/git/nickserver",
-      "revision": "origin/version/0.8"
+      "revision": "origin/version/0.9"
     },
     "platform": {
       "apt": {
diff --git a/provider_base/common.rb b/provider_base/common.rb
new file mode 100644
index 00000000..a8cc6717
--- /dev/null
+++ b/provider_base/common.rb
@@ -0,0 +1,72 @@
+##
+## common.rb -- evaluated (last) for every node.
+##
+## Because common.rb is evaluated last, it is good practice to only modify
+## values here if they are empty. This gives a chance for tags and services
+## to set values.
+##
+
+#
+# X509 server certificates that use our own CA
+#
+
+if self['x509.use']
+  if self['x509.cert'].nil?
+    self.set('x509.cert', lambda{file(
+      :node_x509_cert,
+      :missing => "x509 certificate for node $node. Run `leap cert update` to generate it."
+    )})
+  end
+  if self['x509.key'].nil?
+    self.set('x509.key', lambda{file(
+      :node_x509_key,
+      :missing => "x509 key for node $node. Run `leap cert update` to generate it."
+    )})
+  end
+else
+  self.set('x509.cert', nil)
+  self.set('x509.key', nil)
+end
+
+#
+# X509 server certificates that use an external CA
+#
+
+if self['x509.use_commercial']
+  domain = self['webapp.domain'] || self['domain.full_suffix']
+  if self['x509.commercial_cert'].nil?
+    self.set('x509.commercial_cert', lambda{file(
+      [:commercial_cert, domain],
+      :missing => "commercial x509 certificate for node `$node`. " +
+        "Add file $file, or run `leap cert csr %s`." % domain
+    )})
+  end
+  if self['x509.commercial_key'].nil?
+    self.set('x509.commercial_key', lambda{file(
+      [:commercial_key, domain],
+      :missing => "commercial x509 key for node `$node`. " +
+        "Add file $file, or run `leap cert csr %s`" % domain
+    )})
+  end
+
+  #
+  # the content of x509.commercial_cert might include the cert
+  # and the full CA chain, or it might just be the cert only.
+  #
+  # if it is the cert only, then we want to additionally specify
+  # 'commercial_ca_cert'. Otherwise, we leave this empty.
+  #
+  if self['x509.commercial_ca_cert'].nil?
+    self.set('x509.commercial_ca_cert', lambda{
+      if self['x509.commercial_cert'].scan(/BEGIN CERTIFICATE/).length == 1
+        try_file(:commercial_ca_cert)
+      else
+        nil
+      end
+    })
+  end
+else
+  self.set('x509.commercial_cert', nil)
+  self.set('x509.commercial_key', nil)
+  self.set('x509.commercial_ca_cert', nil)
+end
diff --git a/provider_base/provider.rb b/provider_base/provider.rb
new file mode 100644
index 00000000..40a93574
--- /dev/null
+++ b/provider_base/provider.rb
@@ -0,0 +1,5 @@
+unless ['open', 'invite', 'closed'].include?(self.enrollment_policy)
+  LeapCli.log :error, "in provider config" do
+    LeapCli.log "The value of enrollment_policy must be one of 'open', 'invite', or 'closed'."
+  end
+end
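Review bot: The `else` branches unconditionally overwrite `x509.cert`/`x509.key` and the three `x509.commercial_*` keys with nil, while the file header says values in common.rb should only be modified when empty; a tag or service that deliberately set one of these keys is silently discarded whenever `x509.use` or `x509.use_commercial` is false. If the clobber is intentional (so nothing is emitted when the feature is off), state it with a comment such as `# when x509 is disabled, clear any value a tag or service may have set`; otherwise guard each `set` with the same `.nil?` check the `if` branch uses. The `:missing` hints for the commercial cert and key now say `leap cert csr %s`, whereas the JSON they replace said `leap cert csr --domain %s`; I cannot confirm the current CLI syntax from here, so please verify, and the key hint also lacks the closing period the cert hint has. The `commercial_ca_cert` lambda calls `.scan` on `self['x509.commercial_cert']` with no nil guard; from what is visible this relies on the branch above always having populated that key, which holds here but deserves a one-line comment.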
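Review bot: An invalid `enrollment_policy` is only logged, not rejected: the `unless` block calls `LeapCli.log :error` and evaluation continues, so a configuration with a misspelled policy is still generated. This matters because provider_base/services/webapp.json in the same commit derives `invite_required` from `provider.enrollment_policy == 'invite'`, so a value such as `'Invite'` or `'invite-only'` yields invite_required false, i.e. the restrictive setting silently degrades to the more open one. Consider making this check fatal rather than advisory, or at minimum add `# NOTE: this only logs; webapp.json still derives invite_required from the raw value` above the `unless`. The file reads the value as `self.enrollment_policy` while common.rb in this commit uses the `self['key']` form; picking one style would make the provider_base evaluation easier to follow, and I am not sure whether the method form raises when the key is absent.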
\ No newline at end of file
diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json
index 55d3d2ee..e80310fe 100644
--- a/provider_base/services/tor.json
+++ b/provider_base/services/tor.json
@@ -9,7 +9,7 @@
       "key_type": "RSA",
       "public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type) if tor.hidden_service.active",
       "private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type) if tor.hidden_service.active",
-      "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service.active"
+      "address": "=> tor.hidden_service.active && onion_address(:node_tor_pub_key)"
     }
   }
 }
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index b1d2ca59..feca9524 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -19,6 +19,7 @@
     "allow_unlimited_certs": "= provider.service.allow_unlimited_bandwidth",
     "allow_anonymous_certs": "= provider.service.allow_anonymous",
     "allow_registration": "= provider.service.allow_registration",
+    "invite_required": "= provider.enrollment_policy == 'invite'",
     "default_service_level": "= provider.service.default_service_level",
     "service_levels": "= service_levels()",
     "secret_token": "= secret :webapp_secret_token",
diff --git a/provider_base/tags/vm.json b/provider_base/tags/vm.json
new file mode 100644
index 00000000..7a73a41b
--- /dev/null
+++ b/provider_base/tags/vm.json
@@ -0,0 +1,2 @@
+{
+}
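Review bot: The new `address` expression `tor.hidden_service.active && onion_address(:node_tor_pub_key)` evaluates to `false` when the hidden service is inactive, whereas the replaced `onion_address(...) if tor.hidden_service.active` evaluated to nil, so any consumer of `tor.hidden_service.address` that distinguishes an absent value from a literal false (a nil check, or a template that renders whatever it is given) may now behave differently. If keeping nil is wanted, `=> tor.hidden_service.active ? onion_address(:node_tor_pub_key) : nil` preserves the old value while still using the `=>` prefix. I take `=>` (versus `=` on the neighbouring keys) to be a deferred-evaluation marker; if it also changes when `onion_address` runs relative to key generation, that is worth a sentence in the commit message since nothing in the hunk explains the switch.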
\ No newline at end of file |