From d3919f44368e3e9e60736fd90f31118f520747a8 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 20 Jun 2014 15:42:51 -0700 Subject: moved json macros to provider_base/lib/macros. requires new unreleased leap_cli --- provider_base/lib/macros/core.rb | 86 +++++++++++++++++++++++++++++++++ provider_base/lib/macros/files.rb | 79 ++++++++++++++++++++++++++++++ provider_base/lib/macros/haproxy.rb | 68 ++++++++++++++++++++++++++ provider_base/lib/macros/hosts.rb | 63 ++++++++++++++++++++++++ provider_base/lib/macros/nodes.rb | 88 ++++++++++++++++++++++++++++++++++ provider_base/lib/macros/secrets.rb | 39 +++++++++++++++ provider_base/lib/macros/stunnel.rb | 95 +++++++++++++++++++++++++++++++++++++ 7 files changed, 518 insertions(+) create mode 100644 provider_base/lib/macros/core.rb create mode 100644 provider_base/lib/macros/files.rb create mode 100644 provider_base/lib/macros/haproxy.rb create mode 100644 provider_base/lib/macros/hosts.rb create mode 100644 provider_base/lib/macros/nodes.rb create mode 100644 provider_base/lib/macros/secrets.rb create mode 100644 provider_base/lib/macros/stunnel.rb (limited to 'provider_base/lib/macros') diff --git a/provider_base/lib/macros/core.rb b/provider_base/lib/macros/core.rb new file mode 100644 index 00000000..d4d9171f --- /dev/null +++ b/provider_base/lib/macros/core.rb @@ -0,0 +1,86 @@ +# encoding: utf-8 + +module LeapCli + module Macro + + # + # return a fingerprint for a x509 certificate + # + def fingerprint(filename) + "SHA256: " + X509.fingerprint("SHA256", Path.named_path(filename)) + end + + # + # Creates a hash from the ssh key info in users directory, for use in + # updating authorized_keys file. Additionally, the 'monitor' public key is + # included, which is used by the monitor nodes to run particular commands + # remotely. + # + def authorized_keys + hash = {} + keys = Dir.glob(Path.named_path([:user_ssh, '*'])) + keys.sort.each do |keyfile| + ssh_type, ssh_key = File.read(keyfile, :encoding => 'UTF-8').strip.split(" ") + name = File.basename(File.dirname(keyfile)) + hash[name] = { + "type" => ssh_type, + "key" => ssh_key + } + end + ssh_type, ssh_key = File.read(Path.named_path(:monitor_pub_key), :encoding => 'UTF-8').strip.split(" ") + hash[Leap::Platform.monitor_username] = { + "type" => ssh_type, + "key" => ssh_key + } + hash + end + + def assert(assertion) + if instance_eval(assertion) + true + else + raise AssertionFailed.new(assertion) + end + end + + # + # applies a JSON partial to this node + # + def apply_partial(partial_path) + manager.partials(partial_path).each do |partial_data| + self.deep_merge!(partial_data) + end + end + + # + # If at first you don't succeed, then it is time to give up. + # + # try{} returns nil if anything in the block throws an exception. + # + # You can wrap something that might fail in `try`, like so. + # + # "= try{ nodes[:services => 'tor'].first.ip_address } " + # + def try(&block) + yield + rescue NoMethodError + nil + end + + protected + + # + # returns a node list, if argument is not already one + # + def listify(node_list) + if node_list.is_a? Config::ObjectList + node_list + elsif node_list.is_a? Config::Object + Config::ObjectList.new(node_list) + else + raise ArgumentError, 'argument must be a node or node list, not a `%s`' % node_list.class, caller + end + end + + end +end diff --git a/provider_base/lib/macros/files.rb b/provider_base/lib/macros/files.rb new file mode 100644 index 00000000..0a491325 --- /dev/null +++ b/provider_base/lib/macros/files.rb @@ -0,0 +1,79 @@ +# encoding: utf-8 + +## +## FILES +## + +module LeapCli + module Macro + + # + # inserts the contents of a file + # + def file(filename, options={}) + if filename.is_a? Symbol + filename = [filename, @node.name] + end + filepath = Path.find_file(filename) + if filepath + if filepath =~ /\.erb$/ + ERB.new(File.read(filepath, :encoding => 'UTF-8'), nil, '%<>').result(binding) + else + File.read(filepath, :encoding => 'UTF-8') + end + else + raise FileMissing.new(Path.named_path(filename), options) + "" + end + end + + # + # like #file, but allow missing files + # + def try_file(filename) + return file(filename) + rescue FileMissing + return nil + end + + # + # returns what the file path will be, once the file is rsynced to the server. + # an internal list of discovered file paths is saved, in order to rsync these files when needed. + # + # notes: + # + # * argument 'path' is relative to Path.provider/files or Path.provider_base/files + # * the path returned by this method is absolute + # * the path stored for use later by rsync is relative to Path.provider + # * if the path does not exist locally, but exists in provider_base, then the default file from + # provider_base is copied locally. this is required for rsync to work correctly. + # + def file_path(path) + if path.is_a? Symbol + path = [path, @node.name] + end + actual_path = Path.find_file(path) + if actual_path.nil? + Util::log 2, :skipping, "file_path(\"#{path}\") because there is no such file." + nil + else + if actual_path =~ /^#{Regexp.escape(Path.provider_base)}/ + # if file is under Path.provider_base, we must copy the default file to + # to Path.provider in order for rsync to be able to sync the file. + local_provider_path = actual_path.sub(/^#{Regexp.escape(Path.provider_base)}/, Path.provider) + FileUtils.mkdir_p File.dirname(local_provider_path), :mode => 0700 + FileUtils.install actual_path, local_provider_path, :mode => 0600 + Util.log :created, Path.relative_path(local_provider_path) + actual_path = local_provider_path + end + if File.directory?(actual_path) && actual_path !~ /\/$/ + actual_path += '/' # ensure directories end with /, important for building rsync command + end + relative_path = Path.relative_path(actual_path) + @node.file_paths << relative_path + @node.manager.provider.hiera_sync_destination + '/' + relative_path + end + end + + end +end \ No newline at end of file diff --git a/provider_base/lib/macros/haproxy.rb b/provider_base/lib/macros/haproxy.rb new file mode 100644 index 00000000..db0d4db8 --- /dev/null +++ b/provider_base/lib/macros/haproxy.rb @@ -0,0 +1,68 @@ +# encoding: utf-8 + +## +## HAPROXY +## + +module LeapCli + module Macro + + # + # creates a hash suitable for configuring haproxy. the key is the node name of the server we are proxying to. + # + # * node_list - a hash of nodes for the haproxy servers + # * stunnel_client - contains the mappings to local ports for each server node. + # * non_stunnel_port - in case self is included in node_list, the port to connect to. + # + # 1000 weight is used for nodes in the same location. + # 100 otherwise. + # + def haproxy_servers(node_list, stunnel_clients, non_stunnel_port=nil) + default_weight = 10 + local_weight = 100 + + # record the hosts_file + hostnames(node_list) + + # create a simple map for node name -> local stunnel accept port + accept_ports = stunnel_clients.inject({}) do |hsh, stunnel_entry| + name = stunnel_entry.first.sub /_[0-9]+$/, '' + hsh[name] = stunnel_entry.last['accept_port'] + hsh + end + + # if one the nodes in the node list is ourself, then there will not be a stunnel to it, + # but we need to include it anyway in the haproxy config. + if node_list[self.name] && non_stunnel_port + accept_ports[self.name] = non_stunnel_port + end + + # create the first pass of the servers hash + servers = node_list.values.inject(Config::ObjectList.new) do |hsh, node| + weight = default_weight + if self['location'] && node['location'] + if self.location['name'] == node.location['name'] + weight = local_weight + end + end + hsh[node.name] = Config::Object[ + 'backup', false, + 'host', 'localhost', + 'port', accept_ports[node.name] || 0, + 'weight', weight + ] + hsh + end + + # if there are some local servers, make the others backup + if servers.detect{|k,v| v.weight == local_weight} + servers.each do |k,server| + server['backup'] = server['weight'] == default_weight + end + end + + return servers + end + + end +end \ No newline at end of file diff --git a/provider_base/lib/macros/hosts.rb b/provider_base/lib/macros/hosts.rb new file mode 100644 index 00000000..8a4058a5 --- /dev/null +++ b/provider_base/lib/macros/hosts.rb @@ -0,0 +1,63 @@ +# encoding: utf-8 + +module LeapCli + module Macro + + ## + ## HOSTS + ## + + # + # records the list of hosts that are encountered for this node + # + def hostnames(nodes) + @referenced_nodes ||= Config::ObjectList.new + nodes = listify(nodes) + nodes.each_node do |node| + @referenced_nodes[node.name] ||= node + end + return nodes.values.collect {|node| node.domain.name} + end + + # + # Generates entries needed for updating /etc/hosts on a node (as a hash). + # + # Argument `nodes` can be nil or a list of nodes. If nil, only include the + # IPs of the other nodes this @node as has encountered (plus all mx nodes). + # + # Also, for virtual machines, we use the local address if this @node is in + # the same location as the node in question. + # + # We include the ssh public key for each host, so that the hash can also + # be used to generate the /etc/ssh/known_hosts + # + def hosts_file(nodes=nil) + if nodes.nil? + if @referenced_nodes && @referenced_nodes.any? + nodes = @referenced_nodes + nodes = nodes.merge(nodes_like_me[:services => 'mx']) # all nodes always need to communicate with mx nodes. + end + end + return {} unless nodes + hosts = {} + my_location = @node['location'] ? @node['location']['name'] : nil + nodes.each_node do |node| + hosts[node.name] = {'ip_address' => node.ip_address, 'domain_internal' => node.domain.internal, 'domain_full' => node.domain.full} + node_location = node['location'] ? node['location']['name'] : nil + if my_location == node_location + if facts = @node.manager.facts[node.name] + if facts['ec2_public_ipv4'] + hosts[node.name]['ip_address'] = facts['ec2_public_ipv4'] + end + end + end + host_pub_key = Util::read_file([:node_ssh_pub_key,node.name]) + if host_pub_key + hosts[node.name]['host_pub_key'] = host_pub_key + end + end + hosts + end + + end +end \ No newline at end of file diff --git a/provider_base/lib/macros/nodes.rb b/provider_base/lib/macros/nodes.rb new file mode 100644 index 00000000..0c6668a0 --- /dev/null +++ b/provider_base/lib/macros/nodes.rb @@ -0,0 +1,88 @@ +# encoding: utf-8 + +## +## node related macros +## + +module LeapCli + module Macro + + # + # the list of all the nodes + # + def nodes + global.nodes + end + + # + # grab an environment appropriate provider + # + def provider + global.env(@node.environment).provider + end + + # + # returns a list of nodes that match the same environment + # + # if @node.environment is not set, we return other nodes + # where environment is not set. + # + def nodes_like_me + nodes[:environment => @node.environment] + end + + # + # returns a list of nodes that match the location name + # and environment of @node. + # + def nodes_near_me + if @node['location'] && @node['location']['name'] + nodes_like_me['location.name' => @node.location.name] + else + nodes_like_me['location' => nil] + end + end + + # + # + # picks a node out from the node list in such a way that: + # + # (1) which nodes picked which nodes is saved in secrets.json + # (2) when other nodes call this macro with the same node list, they are guaranteed to get a different node + # (3) if all the nodes in the pick_node list have been picked, remaining nodes are distributed randomly. + # + # if the node_list is empty, an exception is raised. + # if node_list size is 1, then that node is returned and nothing is + # memorized via the secrets.json file. + # + # `label` is needed to distinguish between pools of nodes for different purposes. + # + # TODO: more evenly balance after all the nodes have been picked. + # + def pick_node(label, node_list) + if node_list.any? + if node_list.size == 1 + return node_list.values.first + else + secrets_key = "pick_node(:#{label},#{node_list.keys.sort.join(',')})" + secrets_value = @manager.secrets.retrieve(secrets_key, @node.environment) || {} + secrets_value[@node.name] ||= begin + node_to_pick = nil + node_list.each_node do |node| + next if secrets_value.values.include?(node.name) + node_to_pick = node.name + end + node_to_pick ||= secrets_value.values.shuffle.first # all picked already, so pick a random one. + node_to_pick + end + picked_node_name = secrets_value[@node.name] + @manager.secrets.set(secrets_key, secrets_value, @node.environment) + return node_list[picked_node_name] + end + else + raise ArgumentError.new('pick_node(node_list): node_list cannot be empty') + end + end + + end +end \ No newline at end of file diff --git a/provider_base/lib/macros/secrets.rb b/provider_base/lib/macros/secrets.rb new file mode 100644 index 00000000..51bf3971 --- /dev/null +++ b/provider_base/lib/macros/secrets.rb @@ -0,0 +1,39 @@ +# encoding: utf-8 + +require 'base32' + +module LeapCli + module Macro + + # + # inserts a named secret, generating it if needed. + # + # manager.export_secrets should be called later to capture any newly generated secrets. + # + # +length+ is the character length of the generated password. + # + def secret(name, length=32) + @manager.secrets.set(name, Util::Secret.generate(length), @node[:environment]) + end + + # inserts a base32 encoded secret + def base32_secret(name, length=20) + @manager.secrets.set(name, Base32.encode(Util::Secret.generate(length)), @node[:environment]) + end + + # Picks a random obfsproxy port from given range + def rand_range(name, range) + @manager.secrets.set(name, rand(range), @node[:environment]) + end + + # + # inserts an hexidecimal secret string, generating it if needed. + # + # +bit_length+ is the bits in the secret, (ie length of resulting hex string will be bit_length/4) + # + def hex_secret(name, bit_length=128) + @manager.secrets.set(name, Util::Secret.generate_hex(bit_length), @node[:environment]) + end + + end +end \ No newline at end of file diff --git a/provider_base/lib/macros/stunnel.rb b/provider_base/lib/macros/stunnel.rb new file mode 100644 index 00000000..f16308c7 --- /dev/null +++ b/provider_base/lib/macros/stunnel.rb @@ -0,0 +1,95 @@ +## +## STUNNEL +## + +# +# About stunnel +# -------------------------- +# +# The network looks like this: +# +# From the client's perspective: +# +# |------- stunnel client --------------| |---------- stunnel server -----------------------| +# consumer app -> localhost:accept_port -> connect:connect_port -> ?? +# +# From the server's perspective: +# +# |------- stunnel client --------------| |---------- stunnel server -----------------------| +# ?? -> *:accept_port -> localhost:connect_port -> service +# + +module LeapCli + module Macro + + # + # stunnel configuration for the client side. + # + # +node_list+ is a ObjectList of nodes running stunnel servers. + # + # +port+ is the real port of the ultimate service running on the servers + # that the client wants to connect to. + # + # * accept_port is the port on localhost to which local clients + # can connect. it is auto generated serially. + # + # * connect_port is the port on the stunnel server to connect to. + # it is auto generated from the +port+ argument. + # + # generates an entry appropriate to be passed directly to + # create_resources(stunnel::service, hiera('..'), defaults) + # + # local ports are automatically generated, starting at 4000 + # and incrementing in sorted order (by node name). + # + def stunnel_client(node_list, port, options={}) + @next_stunnel_port ||= 4000 + node_list = listify(node_list) + hostnames(node_list) # record the hosts + result = Config::ObjectList.new + node_list.each_node do |node| + if node.name != self.name || options[:include_self] + result["#{node.name}_#{port}"] = Config::Object[ + 'accept_port', @next_stunnel_port, + 'connect', node.domain.internal, + 'connect_port', stunnel_port(port), + 'original_port', port + ] + @next_stunnel_port += 1 + end + end + result + end + + # + # generates a stunnel server entry. + # + # +port+ is the real port targeted service. + # + # * `accept_port` is the publicly bound port + # * `connect_port` is the port that the local service is running on. + # + def stunnel_server(port) + { + "accept_port" => stunnel_port(port), + "connect_port" => port + } + end + + private + + # + # maps a real port to a stunnel port (used as the connect_port in the client config + # and the accept_port in the server config) + # + def stunnel_port(port) + port = port.to_i + if port < 50000 + return port + 10000 + else + return port - 10000 + end + end + + end +end \ No newline at end of file -- cgit v1.2.3 From 26cbd9a70c4b19b591a6f865812f0ad98de2668c Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 21 Jun 2014 02:52:43 -0700 Subject: haproxy: support read only couchdb mirrors --- provider_base/lib/macros/haproxy.rb | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'provider_base/lib/macros') diff --git a/provider_base/lib/macros/haproxy.rb b/provider_base/lib/macros/haproxy.rb index db0d4db8..c0f9ede5 100644 --- a/provider_base/lib/macros/haproxy.rb +++ b/provider_base/lib/macros/haproxy.rb @@ -40,17 +40,18 @@ module LeapCli # create the first pass of the servers hash servers = node_list.values.inject(Config::ObjectList.new) do |hsh, node| weight = default_weight - if self['location'] && node['location'] - if self.location['name'] == node.location['name'] - weight = local_weight - end - end + try { + weight = local_weight if self.location.name == node.location.name + } hsh[node.name] = Config::Object[ 'backup', false, 'host', 'localhost', 'port', accept_ports[node.name] || 0, 'weight', weight ] + if node.services.include?('couchdb') + hsh[node.name]['writable'] = node.couch.mode != 'mirror' + end hsh end -- cgit v1.2.3 From 787eb366d80cee7c89348e11c1befa86255bbe85 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 26 Jun 2014 13:57:33 -0700 Subject: make try{} macro also catch ArgumentErrors --- provider_base/lib/macros/core.rb | 1 + 1 file changed, 1 insertion(+) (limited to 'provider_base/lib/macros') diff --git a/provider_base/lib/macros/core.rb b/provider_base/lib/macros/core.rb index d4d9171f..609111ac 100644 --- a/provider_base/lib/macros/core.rb +++ b/provider_base/lib/macros/core.rb @@ -64,6 +64,7 @@ module LeapCli def try(&block) yield rescue NoMethodError + rescue ArgumentError nil end -- cgit v1.2.3 From 15ec7cbcb2b9a4c230c4b8a7f7b720c7dc047c61 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 27 Jun 2014 23:30:58 -0700 Subject: added error() macro. --- provider_base/lib/macros/core.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'provider_base/lib/macros') diff --git a/provider_base/lib/macros/core.rb b/provider_base/lib/macros/core.rb index 609111ac..2ab2e71b 100644 --- a/provider_base/lib/macros/core.rb +++ b/provider_base/lib/macros/core.rb @@ -39,10 +39,14 @@ module LeapCli if instance_eval(assertion) true else - raise AssertionFailed.new(assertion) + raise AssertionFailed.new(assertion), assertion, caller end end + def error(msg) + raise ConfigError.new(@node, msg), msg, caller + end + # # applies a JSON partial to this node # -- cgit v1.2.3 From d341c90c1493a78ed0ee2e216797651ff0aebfa9 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 16 Jul 2014 10:32:27 +0200 Subject: haproxy connects to a local couch if available When running a service that requires couch (webapp or mx) on a node that also had couch running the haproxy was confused because it did not have an stunnel port for the local couch. Emit a more useful error and fixed this for webapp and mx --- provider_base/lib/macros/haproxy.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'provider_base/lib/macros') diff --git a/provider_base/lib/macros/haproxy.rb b/provider_base/lib/macros/haproxy.rb index c0f9ede5..602ae726 100644 --- a/provider_base/lib/macros/haproxy.rb +++ b/provider_base/lib/macros/haproxy.rb @@ -39,6 +39,10 @@ module LeapCli # create the first pass of the servers hash servers = node_list.values.inject(Config::ObjectList.new) do |hsh, node| + # make sure we have a port to talk to + unless accept_ports[node.name] + error "haproxy needs a local port to talk to when connecting to #{node.name}" + end weight = default_weight try { weight = local_weight if self.location.name == node.location.name @@ -46,7 +50,7 @@ module LeapCli hsh[node.name] = Config::Object[ 'backup', false, 'host', 'localhost', - 'port', accept_ports[node.name] || 0, + 'port', accept_ports[node.name], 'weight', weight ] if node.services.include?('couchdb') @@ -66,4 +70,4 @@ module LeapCli end end -end \ No newline at end of file +end -- cgit v1.2.3 From 51a1e1c6db33ed2868ec74728f854237e3dfd86a Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 21 Oct 2014 15:14:23 -0700 Subject: update platform to take advantage of new platform.rb. requires leap_cli 1.6 --- provider_base/lib/macros/files.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'provider_base/lib/macros') diff --git a/provider_base/lib/macros/files.rb b/provider_base/lib/macros/files.rb index 0a491325..b3ba4a06 100644 --- a/provider_base/lib/macros/files.rb +++ b/provider_base/lib/macros/files.rb @@ -71,7 +71,7 @@ module LeapCli end relative_path = Path.relative_path(actual_path) @node.file_paths << relative_path - @node.manager.provider.hiera_sync_destination + '/' + relative_path + File.join(Leap::Platform.files_dir, relative_path) end end -- cgit v1.2.3 From 1d4670f8b9b4c1f3d4cd8017a3f6145ccdd41312 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 31 Oct 2014 00:01:57 -0700 Subject: add support for property tor.key --- provider_base/lib/macros/files.rb | 14 ++++++- provider_base/lib/macros/keys.rb | 78 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 90 insertions(+), 2 deletions(-) create mode 100644 provider_base/lib/macros/keys.rb (limited to 'provider_base/lib/macros') diff --git a/provider_base/lib/macros/files.rb b/provider_base/lib/macros/files.rb index b3ba4a06..958958bc 100644 --- a/provider_base/lib/macros/files.rb +++ b/provider_base/lib/macros/files.rb @@ -48,13 +48,22 @@ module LeapCli # * if the path does not exist locally, but exists in provider_base, then the default file from # provider_base is copied locally. this is required for rsync to work correctly. # - def file_path(path) + def file_path(path, options={}) if path.is_a? Symbol path = [path, @node.name] + elsif path.is_a? String + # ensure it prefixed with files/ + unless path =~ /^files\// + path = "files/" + path + end end actual_path = Path.find_file(path) if actual_path.nil? - Util::log 2, :skipping, "file_path(\"#{path}\") because there is no such file." + if options[:missing] + raise FileMissing.new(Path.named_path(path), options) + else + Util::log 2, :skipping, "file_path(\"#{path}\") because there is no such file." + end nil else if actual_path =~ /^#{Regexp.escape(Path.provider_base)}/ @@ -70,6 +79,7 @@ module LeapCli actual_path += '/' # ensure directories end with /, important for building rsync command end relative_path = Path.relative_path(actual_path) + relative_path.sub!(/^files\//, '') # remove "files/" prefix @node.file_paths << relative_path File.join(Leap::Platform.files_dir, relative_path) end diff --git a/provider_base/lib/macros/keys.rb b/provider_base/lib/macros/keys.rb new file mode 100644 index 00000000..0d46acb5 --- /dev/null +++ b/provider_base/lib/macros/keys.rb @@ -0,0 +1,78 @@ +# encoding: utf-8 + +# +# Macro for dealing with cryptographic keys +# + +module LeapCli + module Macro + + # + # return the path to the tor public key + # generating key if it is missing + # + def tor_public_key_path(path_name, key_type) + path = file_path(path_name) + if path.nil? + generate_tor_key(key_type) + end + return path + end + + # + # return the path to the tor private key + # generating key if it is missing + # + def tor_private_key_path(path_name, key_type) + path = file_path(path_name) + if path.nil? + generate_tor_key(key_type) + end + return path + end + + # + # on the command line an onion address can be created + # from an rsa public key using this: + # + # base64 -d < ./pubkey | sha1sum | awk '{print $1}' | + # perl -e '$l=<>; chomp $l; print pack("H*", $l)' | + # python -c 'import base64, sys; t=sys.stdin.read(); print base64.b32encode(t[:10]).lower()' + # + # path_name is the named path of the tor public key. + # + def onion_address(path_name) + require 'base32' + require 'base64' + require 'openssl' + path = Path.find_file([path_name, self.name]) + if path && File.exists?(path) + public_key_str = File.readlines(path).grep(/^[^-]/).join + public_key = Base64.decode64(public_key_str) + sha1sum_string = Digest::SHA1.new.hexdigest(public_key) + sha1sum_binary = [sha1sum_string].pack('H*') + Base32.encode(sha1sum_binary.slice(0,10)).downcase + else + LeapCli.log :warning, 'Tor public key file "%s" does not exist' % tor_public_key_path + end + end + + private + + def generate_tor_key(key_type) + if key_type == 'RSA' + require 'certificate_authority' + keypair = CertificateAuthority::MemoryKeyMaterial.new + bit_size = 1024 + LeapCli.log :generating, "%s bit RSA Tor key" % bit_size do + keypair.generate_key(bit_size) + LeapCli::Util.write_file! [:node_tor_priv_key, self.name], keypair.private_key.to_pem + LeapCli::Util.write_file! [:node_tor_pub_key, self.name], keypair.public_key.to_pem + end + else + LeapCli.bail! 'tor.key.type of %s is not yet supported' % key_type + end + end + + end +end -- cgit v1.2.3 From 90b672ed58982b232b1c96febcd9736ae5fc4faf Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 4 Nov 2014 12:25:54 -0800 Subject: tor - to activate hidden service, now set tor.hidden_service.active = true --- provider_base/lib/macros/keys.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'provider_base/lib/macros') diff --git a/provider_base/lib/macros/keys.rb b/provider_base/lib/macros/keys.rb index 0d46acb5..ea4c3df2 100644 --- a/provider_base/lib/macros/keys.rb +++ b/provider_base/lib/macros/keys.rb @@ -15,8 +15,10 @@ module LeapCli path = file_path(path_name) if path.nil? generate_tor_key(key_type) + file_path(path_name) + else + path end - return path end # @@ -27,8 +29,10 @@ module LeapCli path = file_path(path_name) if path.nil? generate_tor_key(key_type) + file_path(path_name) + else + path end - return path end # -- cgit v1.2.3 From 83267a00f272a6f3f52a66eca44d9ca85924cc8e Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 25 Nov 2014 16:25:43 -0800 Subject: include a host information in ssh_config for ever possible host a given node might communicate with. this includes port and host key algorithm. closes #6432 --- provider_base/lib/macros/hosts.rb | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'provider_base/lib/macros') diff --git a/provider_base/lib/macros/hosts.rb b/provider_base/lib/macros/hosts.rb index 8a4058a5..8281329f 100644 --- a/provider_base/lib/macros/hosts.rb +++ b/provider_base/lib/macros/hosts.rb @@ -42,7 +42,12 @@ module LeapCli hosts = {} my_location = @node['location'] ? @node['location']['name'] : nil nodes.each_node do |node| - hosts[node.name] = {'ip_address' => node.ip_address, 'domain_internal' => node.domain.internal, 'domain_full' => node.domain.full} + hosts[node.name] = { + 'ip_address' => node.ip_address, + 'domain_internal' => node.domain.internal, + 'domain_full' => node.domain.full, + 'port' => node.ssh.port + } node_location = node['location'] ? node['location']['name'] : nil if my_location == node_location if facts = @node.manager.facts[node.name] -- cgit v1.2.3 From 1f9f5f11cbf5ee3e9929203ceb2053f5ca164f5a Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 21 Dec 2014 16:45:17 -0800 Subject: fixed bug that prevented all users/*/*_ssh.pub keys from getting added to authorized_keys --- provider_base/lib/macros/core.rb | 3 +++ 1 file changed, 3 insertions(+) (limited to 'provider_base/lib/macros') diff --git a/provider_base/lib/macros/core.rb b/provider_base/lib/macros/core.rb index 2ab2e71b..7de50f2f 100644 --- a/provider_base/lib/macros/core.rb +++ b/provider_base/lib/macros/core.rb @@ -22,6 +22,9 @@ module LeapCli keys.sort.each do |keyfile| ssh_type, ssh_key = File.read(keyfile, :encoding => 'UTF-8').strip.split(" ") name = File.basename(File.dirname(keyfile)) + until hash[name].nil? + i ||= 1; name = "#{name}#{i+=1}" + end hash[name] = { "type" => ssh_type, "key" => ssh_key -- cgit v1.2.3 From 9eb4c55ef0f477afd9c0d74aff62c2bb74c16e8e Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 21 Dec 2014 20:53:38 -0800 Subject: correctly generate .onion addresses. closes #6559 --- provider_base/lib/macros/keys.rb | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) (limited to 'provider_base/lib/macros') diff --git a/provider_base/lib/macros/keys.rb b/provider_base/lib/macros/keys.rb index ea4c3df2..0ed7ccd0 100644 --- a/provider_base/lib/macros/keys.rb +++ b/provider_base/lib/macros/keys.rb @@ -36,14 +36,15 @@ module LeapCli end # - # on the command line an onion address can be created - # from an rsa public key using this: + # Generates a onion_address from a public RSA key file. # - # base64 -d < ./pubkey | sha1sum | awk '{print $1}' | - # perl -e '$l=<>; chomp $l; print pack("H*", $l)' | - # python -c 'import base64, sys; t=sys.stdin.read(); print base64.b32encode(t[:10]).lower()' + # path_name is the named path of the Tor public key. # - # path_name is the named path of the tor public key. + # Basically, an onion address is nothing more than a base32 encoding + # of the first 10 bytes of a sha1 digest of the public key. + # + # Additionally, Tor ignores the 22 byte header of the public key + # before taking the sha1 digest. # def onion_address(path_name) require 'base32' @@ -53,9 +54,9 @@ module LeapCli if path && File.exists?(path) public_key_str = File.readlines(path).grep(/^[^-]/).join public_key = Base64.decode64(public_key_str) - sha1sum_string = Digest::SHA1.new.hexdigest(public_key) - sha1sum_binary = [sha1sum_string].pack('H*') - Base32.encode(sha1sum_binary.slice(0,10)).downcase + public_key = public_key.slice(22..-1) # Tor ignores the 22 byte SPKI header + sha1sum = Digest::SHA1.new.digest(public_key) + Base32.encode(sha1sum.slice(0,10)).downcase else LeapCli.log :warning, 'Tor public key file "%s" does not exist' % tor_public_key_path end -- cgit v1.2.3