From 6eed87b4d428cf9c617f99928727fe3f87549a7e Mon Sep 17 00:00:00 2001
From: Micah
Date: Thu, 4 Aug 2016 10:22:15 -0400
Subject: switch to deb.d.o from httpredir.d.o (#8288).
The deb.debian.org method may be a better one than httpredir: . deb.debian.org is maintained much more reliably than httpredir . httpredir is backed by the mirror network; deb.d.o is by a CDN . httpredir redirects to the mirror network. deb.d.o is a cache that sits in front of ftp.d.o (and security, and debug, and ports) . one potential disadvantage: deb.d.o's CDN is a commercial service (fastly) that donates its traffic to debian . in stretch and later, apt uses the SRV records of deb.d.o to find places instead of HTTP redirects . local peering arrangements of fastly are likely to result in mirror choices that are more local (and thus faster) to the machine
Peering arrangements for the deb.d.o CDN can be seen here: https://www.peeringdb.com/asn/54113
Change-Id: I4dee089a3b2f674860bfff21eb25a6e37c491d32
---
 provider_base/common.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'provider_base')
diff --git a/provider_base/common.json b/provider_base/common.json
index 5e689109..e9531eee 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
@@ -64,9 +64,9 @@
 },
 "sources": {
 "apt": {
- "basic": "http://httpredir.debian.org/debian/",
+ "basic": "http://deb.debian.org/debian/",
 "security": "http://security.debian.org/",
- "backports": "http://httpredir.debian.org/debian/"
+ "backports": "http://deb.debian.org/debian/"
 },
 "leap-mx": {
 "type": "apt",
-- cgit v1.2.3
From 205b61dfe721e6d88fc06b050a0497eeb35f4e02 Mon Sep 17 00:00:00 2001
From: elijah
Date: Thu, 21 Jul 2016 00:55:12 -0700
Subject: added 'leap vm' command
---
 provider_base/tags/vm.json | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 provider_base/tags/vm.json
(limited to 'provider_base')
diff --git a/provider_base/tags/vm.json b/provider_base/tags/vm.json
new file mode 100644
index 00000000..7a73a41b
--- /dev/null
+++ b/provider_base/tags/vm.json
@@ -0,0 +1,2 @@
+{
+}
\ No newline at end of file
-- cgit v1.2.3
From 8116e007cfd4dbee8282247348cf45473dcde45e Mon Sep 17 00:00:00 2001
From: elijah
Date: Wed, 31 Aug 2016 14:54:46 -0700
Subject: added support for Let's Encrypt
---
 provider_base/common.json | 7 +----
 provider_base/common.rb | 72 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+), 6 deletions(-)
 create mode 100644 provider_base/common.rb
(limited to 'provider_base')
diff --git a/provider_base/common.json b/provider_base/common.json
index e9531eee..622bca38 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
@@ -29,12 +29,7 @@
 "x509": {
 "use": true,
 "use_commercial": false,
- "cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap cert update`') : nil",
- "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap cert update`') : nil",
- "ca_cert": "= try_file :ca_cert",
- "commercial_cert": "= x509.use_commercial ? file([:commercial_cert, try{webapp.domain}||domain.full_suffix], :missing => 'commercial x509 certificate for node $node. Add file $file, or run `leap cert csr --domain %s` to generate a temporary self-signed cert and CSR you can use to purchase a real cert.' % (try{webapp.domain}||domain.full_suffix)) : nil",
- "commercial_key": "= x509.use_commercial ? file([:commercial_key, try{webapp.domain}||domain.full_suffix], :missing => 'commercial x509 certificate for node $node. Add file $file, or run `leap cert csr --domain %s` to generate a temporary self-signed cert and CSR you can use to purchase a real cert.' % (try{webapp.domain}||domain.full_suffix)) : nil",
- "commercial_ca_cert": "= x509.use_commercial ? try_file(:commercial_ca_cert) : nil"
+ "ca_cert": "= try_file :ca_cert"
 },
 "service_type": "internal_service",
 "development": {
diff --git a/provider_base/common.rb b/provider_base/common.rb
new file mode 100644
index 00000000..a8cc6717
--- /dev/null
+++ b/provider_base/common.rb
@@ -0,0 +1,72 @@
+##
+## common.rb -- evaluated (last) for every node.
+##
+## Because common.rb is evaluated last, it is good practice to only modify
+## values here if they are empty. This gives a chance for tags and services
+## to set values.
+##
+
+#
+# X509 server certificates that use our own CA
+#
+
+if self['x509.use']
+ if self['x509.cert'].nil?
+ self.set('x509.cert', lambda{file(
+ :node_x509_cert,
+ :missing => "x509 certificate for node $node. Run `leap cert update` to generate it."
+ )})
+ end
+ if self['x509.key'].nil?
+ self.set('x509.key', lambda{file(
+ :node_x509_key,
+ :missing => "x509 key for node $node. Run `leap cert update` to generate it."
+ )})
+ end
+else
+ self.set('x509.cert', nil)
+ self.set('x509.key', nil)
+end
+
+#
+# X509 server certificates that use an external CA
+#
+
+if self['x509.use_commercial']
+ domain = self['webapp.domain'] || self['domain.full_suffix']
+ if self['x509.commercial_cert'].nil?
+ self.set('x509.commercial_cert', lambda{file(
+ [:commercial_cert, domain],
+ :missing => "commercial x509 certificate for node `$node`. "
+ "Add file $file, or run `leap cert csr %s`." % domain
+ )})
+ end
+ if self['x509.commercial_key'].nil?
+ self.set('x509.commercial_key', lambda{file(
+ [:commercial_key, domain],
+ :missing => "commercial x509 key for node `$node`. "
+ "Add file $file, or run `leap cert csr %s`" % domain
+ )})
+ end
+
+ #
+ # the content of x509.commercial_cert might include the cert
+ # and the full CA chain, or it might just be the cert only.
+ #
+ # if it is the cert only, then we want to additionally specify
+ # 'commercial_ca_cert'. Otherwise, we leave this empty.
+ #
+ if self['x509.commercial_ca_cert'].nil?
+ self.set('x509.commercial_ca_cert', lambda{
+ if self['x509.commercial_cert'].scan(/BEGIN CERTIFICATE/).length == 1
+ try_file(:commercial_ca_cert)
+ else
+ nil
+ end
+ })
+ end
+else
+ self.set('x509.commercial_cert', nil)
+ self.set('x509.commercial_key', nil)
+ self.set('x509.commercial_ca_cert', nil)
+end
-- cgit v1.2.3
From ad9415a5e2885e940e99a07a9d6cdb2b1600e1bd Mon Sep 17 00:00:00 2001
From: elijah
Date: Tue, 4 Oct 2016 11:06:13 -0700
Subject: [bug] fix Tor hidden service key generation
---
 provider_base/services/tor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'provider_base')
diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json
index 55d3d2ee..e80310fe 100644
--- a/provider_base/services/tor.json
+++ b/provider_base/services/tor.json
@@ -9,7 +9,7 @@
 "key_type": "RSA",
 "public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type) if tor.hidden_service.active",
 "private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type) if tor.hidden_service.active",
- "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service.active"
+ "address": "=> tor.hidden_service.active && onion_address(:node_tor_pub_key)"
 }
 }
 }
-- cgit v1.2.3
From e6042f3fd169207ef3991bbb1116e86f06add679 Mon Sep 17 00:00:00 2001
From: Azul
Date: Tue, 18 Oct 2016 16:34:37 +0200
Subject: upgrade: nickserver version 0.9.x
---
 provider_base/common.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'provider_base')
diff --git a/provider_base/common.json b/provider_base/common.json
index 622bca38..893d5daf 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
@@ -71,7 +71,7 @@
 "nickserver": {
 "type": "git",
 "source": "https://leap.se/git/nickserver",
- "revision": "origin/version/0.8"
+ "revision": "origin/version/0.9"
 },
 "platform": {
 "apt": {
-- cgit v1.2.3
From 15f8dd13c6d26fa1ad0d06d3ea03e8df260224db Mon Sep 17 00:00:00 2001
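Review bot: The chain detection in the `x509.commercial_ca_cert` lambda counts every occurrence of the bare phrase with `scan(/BEGIN CERTIFICATE/)`, so a `-----BEGIN CERTIFICATE REQUEST-----` block or a commented-out marker that ended up in the same file also counts, silently suppresses the CA cert, and leaves clients with an incomplete chain; anchoring on the PEM boundary, `scan(/^-----BEGIN CERTIFICATE-----/).length == 1`, limits the count to real certificate blocks. A count of zero falls into the same `else` branch and yields nil without a word, which is never a usable commercial cert and deserves at least a log line. This also assumes `self['x509.commercial_cert']` resolves the lambda set earlier in the hunk to the file's contents rather than handing back the Proc, on which `.scan` would raise; worth confirming against the config object. Separately, the two `:missing` messages in the commercial block rely on Ruby's implicit adjacent-literal concatenation (`"… " "Add file …" % domain`), which reads like a forgotten `+`; a comment such as `# adjacent literals are joined at parse time, so % formats the whole message` or an explicit operator would make it unambiguous, and the key message lacks the closing period the cert message has.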
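Review bot: The new `address` expression evaluates to `false` when `tor.hidden_service.active` is off, whereas the `if` form it replaces produced nil; if this value is serialized into the node's generated data, consumers now see an explicit `false` where they previously saw no key, a behavioural change the subject line does not mention. The `=>` prefix in place of `=` appears to be the actual fix for the ordering problem (presumably the address being derived before the key file exists), but nothing records that, and JSON cannot carry comments; the reasoning belongs in the commit message or alongside the `onion_address` helper. Keeping the old shape with the new prefix, `"=> onion_address(:node_tor_pub_key) if tor.hidden_service.active"`, would preserve the nil-when-inactive result, if the evaluator accepts it.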
From: elijah
Date: Fri, 7 Oct 2016 15:41:21 -0700
Subject: [bug] properly set 'enrollment_policy' in provider.json
---
 provider_base/provider.rb | 5 +++++
 provider_base/services/webapp.json | 1 +
 2 files changed, 6 insertions(+)
 create mode 100644 provider_base/provider.rb
(limited to 'provider_base')
diff --git a/provider_base/provider.rb b/provider_base/provider.rb
new file mode 100644
index 00000000..40a93574
--- /dev/null
+++ b/provider_base/provider.rb
@@ -0,0 +1,5 @@
+unless ['open', 'invite', 'closed'].include?(self.enrollment_policy)
+ LeapCli.log :error, "in provider config" do
+ LeapCli.log "The value of enrollment_policy must be one of 'open', 'invite', or 'closed'."
+ end
+end
\ No newline at end of file
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index b1d2ca59..feca9524 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -19,6 +19,7 @@
 "allow_unlimited_certs": "= provider.service.allow_unlimited_bandwidth",
 "allow_anonymous_certs": "= provider.service.allow_anonymous",
 "allow_registration": "= provider.service.allow_registration",
+ "invite_required": "= provider.enrollment_policy == 'invite'",
 "default_service_level": "= provider.service.default_service_level",
 "service_levels": "= service_levels()",
 "secret_token": "= secret :webapp_secret_token",
-- cgit v1.2.3
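Review bot: An invalid or unset `enrollment_policy` is only logged here, not rejected, so provider compilation continues and the webapp.json hunk below derives `invite_required` as `provider.enrollment_policy == 'invite'`, which is `false` for any typo such as `'invte'` — the policy fails open to the non-invite behaviour. Assuming `LeapCli.log :error` only reports and does not abort (nothing in the hunk suggests otherwise), the check should stop compilation after logging, e.g. `raise ArgumentError, "invalid enrollment_policy: #{self.enrollment_policy.inspect}"` inside the `unless` body or whichever fatal-error path the CLI provides, so a bad value cannot reach the generated config. The allowed values could be a frozen constant, `VALID_POLICIES = %w[open invite closed].freeze`, shared by the check and the message, and `self.enrollment_policy` is inconsistent with the `self['key']` access style common.rb uses for the same config object. The file also lacks a header comment in the style of common.rb, such as `## provider.rb -- evaluated for provider.json; validates enrollment_policy.`, and a trailing newline.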