authorMicah Anderson <micah@riseup.net>2016-11-04 10:54:28 -0400
committerMicah Anderson <micah@riseup.net>2016-11-04 10:54:28 -0400
commit34a381efa8f6295080c843f86bfa07d4e41056af (patch)
tree9282cf5d4c876688602705a7fa0002bc4a810bde /provider_base
parent0a72bc6fd292bf9367b314fcb0347c4d35042f16 (diff)
parent5821964ff7e16ca7aa9141bd09a77d355db492a9 (diff)
Merge branch 'develop'
Diffstat (limited to 'provider_base')
-rw-r--r--provider_base/common.json13
-rw-r--r--provider_base/common.rb72
-rw-r--r--provider_base/provider.rb5
-rw-r--r--provider_base/services/tor.json2
-rw-r--r--provider_base/services/webapp.json1
-rw-r--r--provider_base/tags/vm.json2
6 files changed, 85 insertions, 10 deletions
diff --git a/provider_base/common.json b/provider_base/common.json
index 5e689109..893d5daf 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
@@ -29,12 +29,7 @@
"x509": {
"use": true,
"use_commercial": false,
- "cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap cert update`') : nil",
- "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap cert update`') : nil",
- "ca_cert": "= try_file :ca_cert",
- "commercial_cert": "= x509.use_commercial ? file([:commercial_cert, try{webapp.domain}||domain.full_suffix], :missing => 'commercial x509 certificate for node $node. Add file $file, or run `leap cert csr --domain %s` to generate a temporary self-signed cert and CSR you can use to purchase a real cert.' % (try{webapp.domain}||domain.full_suffix)) : nil",
- "commercial_key": "= x509.use_commercial ? file([:commercial_key, try{webapp.domain}||domain.full_suffix], :missing => 'commercial x509 certificate for node $node. Add file $file, or run `leap cert csr --domain %s` to generate a temporary self-signed cert and CSR you can use to purchase a real cert.' % (try{webapp.domain}||domain.full_suffix)) : nil",
- "commercial_ca_cert": "= x509.use_commercial ? try_file(:commercial_ca_cert) : nil"
+ "ca_cert": "= try_file :ca_cert"
},
"service_type": "internal_service",
"development": {
@@ -64,9 +59,9 @@
},
"sources": {
"apt": {
- "basic": "http://httpredir.debian.org/debian/",
+ "basic": "http://deb.debian.org/debian/",
"security": "http://security.debian.org/",
- "backports": "http://httpredir.debian.org/debian/"
+ "backports": "http://deb.debian.org/debian/"
},
"leap-mx": {
"type": "apt",
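Review bot: The apt mirrors on the new side (`basic`, `backports`, and the untouched `security` line) are all fetched over plain http. APT's signed Release/InRelease files still protect integrity and authenticity, so this is not a break, but the cleartext transport exposes each node's package selection to anyone on path and lets an active attacker withhold updates by replaying old indexes until their Valid-Until expires. If the platform's apt transport supports it, consider `"basic": "https://deb.debian.org/debian/"` and the same for `backports`; whether the base images ship apt-transport-https is not visible in this diff, so that would need checking first.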
@@ -76,7 +71,7 @@
"nickserver": {
"type": "git",
"source": "https://leap.se/git/nickserver",
- "revision": "origin/version/0.8"
+ "revision": "origin/version/0.9"
},
"platform": {
"apt": {
diff --git a/provider_base/common.rb b/provider_base/common.rb
new file mode 100644
index 00000000..a8cc6717
--- /dev/null
+++ b/provider_base/common.rb
@@ -0,0 +1,72 @@
+##
+## common.rb -- evaluated (last) for every node.
+##
+## Because common.rb is evaluated last, it is good practice to only modify
+## values here if they are empty. This gives a chance for tags and services
+## to set values.
+##
+
+#
+# X509 server certificates that use our own CA
+#
+
+if self['x509.use']
+ if self['x509.cert'].nil?
+ self.set('x509.cert', lambda{file(
+ :node_x509_cert,
+ :missing => "x509 certificate for node $node. Run `leap cert update` to generate it."
+ )})
+ end
+ if self['x509.key'].nil?
+ self.set('x509.key', lambda{file(
+ :node_x509_key,
+ :missing => "x509 key for node $node. Run `leap cert update` to generate it."
+ )})
+ end
+else
+ self.set('x509.cert', nil)
+ self.set('x509.key', nil)
+end
+
+#
+# X509 server certificates that use an external CA
+#
+
+if self['x509.use_commercial']
+ domain = self['webapp.domain'] || self['domain.full_suffix']
+ if self['x509.commercial_cert'].nil?
+ self.set('x509.commercial_cert', lambda{file(
+ [:commercial_cert, domain],
+ :missing => "commercial x509 certificate for node `$node`. " +
+ "Add file $file, or run `leap cert csr %s`." % domain
+ )})
+ end
+ if self['x509.commercial_key'].nil?
+ self.set('x509.commercial_key', lambda{file(
+ [:commercial_key, domain],
+ :missing => "commercial x509 key for node `$node`. " +
+ "Add file $file, or run `leap cert csr %s`" % domain
+ )})
+ end
+
+ #
+ # the content of x509.commercial_cert might include the cert
+ # and the full CA chain, or it might just be the cert only.
+ #
+ # if it is the cert only, then we want to additionally specify
+ # 'commercial_ca_cert'. Otherwise, we leave this empty.
+ #
+ if self['x509.commercial_ca_cert'].nil?
+ self.set('x509.commercial_ca_cert', lambda{
+ if self['x509.commercial_cert'].scan(/BEGIN CERTIFICATE/).length == 1
+ try_file(:commercial_ca_cert)
+ else
+ nil
+ end
+ })
+ end
+else
+ self.set('x509.commercial_cert', nil)
+ self.set('x509.commercial_key', nil)
+ self.set('x509.commercial_ca_cert', nil)
+end
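Review bot: The chain heuristic in the `commercial_ca_cert` lambda silently yields `nil` when `commercial_cert` contains a single certificate and no `commercial_ca_cert` file exists, because `try_file` returns nothing for a missing file; the node then compiles with a leaf certificate and no intermediates, which TLS clients reject at connect time rather than at deploy time. A warning there would surface the gap during compilation, e.g. `ca = try_file(:commercial_ca_cert)` / `LeapCli.log :warn, "commercial_cert has only one certificate and no commercial_ca_cert file was found; clients may see an incomplete chain" if ca.nil?` / `ca` (assuming a warn level exists alongside the `:error` form used in provider.rb). Whether `self['x509.commercial_cert']` inside the lambda returns the file contents or the unevaluated lambda assigned a few lines earlier is not visible here; if it is the lambda, `scan` would raise. The `:missing` message for `commercial_key` also lacks the trailing period that the `commercial_cert` message has.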
diff --git a/provider_base/provider.rb b/provider_base/provider.rb
new file mode 100644
index 00000000..40a93574
--- /dev/null
+++ b/provider_base/provider.rb
@@ -0,0 +1,5 @@
+unless ['open', 'invite', 'closed'].include?(self.enrollment_policy)
+ LeapCli.log :error, "in provider config" do
+ LeapCli.log "The value of enrollment_policy must be one of 'open', 'invite', or 'closed'."
+ end
+end \ No newline at end of file
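Review bot: The check only logs an invalid `enrollment_policy` and then lets evaluation continue, so unless `LeapCli.log :error` aborts compilation (not visible here) a misspelt value such as `'Invite'` still produces a full node config in which webapp.json's `invite_required` becomes false. Since that setting gates open registration, an invalid policy should fail the compile rather than warn, e.g. a `raise` or the platform's fatal-log helper after the log call. The lookup uses `self.enrollment_policy` while common.rb uses `self['...']` indexing for the same kind of access; one form would be easier to follow. The file also lacks a trailing newline.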
diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json
index 55d3d2ee..e80310fe 100644
--- a/provider_base/services/tor.json
+++ b/provider_base/services/tor.json
@@ -9,7 +9,7 @@
"key_type": "RSA",
"public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type) if tor.hidden_service.active",
"private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type) if tor.hidden_service.active",
- "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service.active"
+ "address": "=> tor.hidden_service.active && onion_address(:node_tor_pub_key)"
}
}
}
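Review bot: The `address` expression now evaluates to `false` rather than `nil` when `tor.hidden_service.active` is off, because `a && b` returns the falsy left operand, whereas the previous `... if ...` form returned `nil`. Any consumer that tests `address.nil?` or serialises the value into the node's hiera data will see a different result; `"=> tor.hidden_service.active ? onion_address(:node_tor_pub_key) : nil"` keeps the old value while retaining the new `=>` prefix. What `=>` means compared with `=` in these macro strings is not visible in this diff, so the mode change itself is not reviewed here.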
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index b1d2ca59..feca9524 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -19,6 +19,7 @@
"allow_unlimited_certs": "= provider.service.allow_unlimited_bandwidth",
"allow_anonymous_certs": "= provider.service.allow_anonymous",
"allow_registration": "= provider.service.allow_registration",
+ "invite_required": "= provider.enrollment_policy == 'invite'",
"default_service_level": "= provider.service.default_service_level",
"service_levels": "= service_levels()",
"secret_token": "= secret :webapp_secret_token",
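Review bot: `invite_required` is now derived from `provider.enrollment_policy`, but `allow_registration` two lines above still comes only from `provider.service.allow_registration`, so a provider that sets `enrollment_policy: closed` without also turning that flag off compiles with registration enabled and no invite requirement. Unless the 'closed' case is enforced elsewhere (not visible in this diff), consider `"allow_registration": "= provider.service.allow_registration && provider.enrollment_policy != 'closed'"`. An unset policy also yields `invite_required` false, the permissive default, so a provider upgrading without setting the new key silently keeps open enrollment; a comment or a required-key check would make that explicit.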
diff --git a/provider_base/tags/vm.json b/provider_base/tags/vm.json
new file mode 100644
index 00000000..7a73a41b
--- /dev/null
+++ b/provider_base/tags/vm.json
@@ -0,0 +1,2 @@
+{
+} \ No newline at end of file