diff options
author | elijah <elijah@riseup.net> | 2014-02-06 23:37:05 -0800 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2014-02-06 23:37:05 -0800 |
commit | 79afefc5c8a80da51fd735edfcd780c8be5b8ffc (patch) | |
tree | 90701ade4e865e8249ba4645b1b5e7dec9989d23 | |
parent | 14534ad41f76d48b1df8a320076e4e42dc9425ba (diff) | |
download | leap_cli-79afefc5c8a80da51fd735edfcd780c8be5b8ffc.tar.gz leap_cli-79afefc5c8a80da51fd735edfcd780c8be5b8ffc.tar.bz2 |
added support for 'monitor' ssh keys.
-rw-r--r-- | lib/leap/platform.rb | 2 | ||||
-rw-r--r-- | lib/leap_cli/commands/compile.rb | 50 | ||||
-rw-r--r-- | lib/leap_cli/commands/user.rb | 30 | ||||
-rw-r--r-- | lib/leap_cli/config/macros.rb | 13 | ||||
-rw-r--r-- | lib/leap_cli/version.rb | 4 |
5 files changed, 74 insertions, 25 deletions
diff --git a/lib/leap/platform.rb b/lib/leap/platform.rb index 298e480..7a28bbd 100644 --- a/lib/leap/platform.rb +++ b/lib/leap/platform.rb @@ -13,6 +13,8 @@ module Leap attr_accessor :facts attr_accessor :paths attr_accessor :node_files + attr_accessor :monitor_username + attr_accessor :reserved_usernames def define(&block) self.instance_eval(&block) diff --git a/lib/leap_cli/commands/compile.rb b/lib/leap_cli/commands/compile.rb index 8ef7c6b..11e6e35 100644 --- a/lib/leap_cli/commands/compile.rb +++ b/lib/leap_cli/commands/compile.rb @@ -33,11 +33,61 @@ module LeapCli end def update_compiled_ssh_configs + generate_monitor_ssh_keys update_authorized_keys update_known_hosts end ## + ## SSH + ## + + # + # generates a ssh key pair that is used only by remote monitors + # to connect to nodes and run certain allowed commands. + # + # every node has the public monitor key added to their authorized + # keys, and every monitor node has a copy of the private monitor key. + # + def generate_monitor_ssh_keys + priv_key_file = :monitor_priv_key + pub_key_file = :monitor_pub_key + unless file_exists?(priv_key_file, pub_key_file) + cmd = %(ssh-keygen -N '' -C 'monitor' -t ecdsa -b 521 -f '%s') % path(priv_key_file) + assert_run! cmd + if file_exists?(priv_key_file, pub_key_file) + log :created, path(priv_key_file) + log :created, path(pub_key_file) + else + log :failed, 'to create monitor ssh keys' + end + end + end + + # + # Compiles the authorized keys file, which gets installed on every during init. + # Afterwards, puppet installs an authorized keys file that is generated differently + # (see authorized_keys() in macros.rb) + # + def update_authorized_keys + buffer = StringIO.new + keys = Dir.glob(path([:user_ssh, '*'])) + if keys.empty? + bail! "You must have at least one public SSH user key configured in order to proceed. See `leap help add-user`." + end + keys.sort.each do |keyfile| + ssh_type, ssh_key = File.read(keyfile).strip.split(" ") + buffer << ssh_type + buffer << " " + buffer << ssh_key + buffer << " " + buffer << Path.relative_path(keyfile) + buffer << "\n" + end + write_file!(:authorized_keys, buffer.string) + end + + ## ## ZONE FILE ## diff --git a/lib/leap_cli/commands/user.rb b/lib/leap_cli/commands/user.rb index f96d527..d7c21db 100644 --- a/lib/leap_cli/commands/user.rb +++ b/lib/leap_cli/commands/user.rb @@ -24,8 +24,15 @@ module LeapCli c.action do |global_options,options,args| username = args.first - if !username.any? && !options[:self] - help! "Either 'username' or --self is required." + if !username.any? + if options[:self] + username ||= `whoami`.strip + else + help! "Either USERNAME argument or --self flag is required." + end + end + if Leap::Platform.reserved_usernames.include? username + bail! %(The username "#{username}" is reserved. Sorry, pick another.) end ssh_pub_key = nil @@ -39,7 +46,6 @@ module LeapCli end if options[:self] - username ||= `whoami`.strip ssh_pub_key ||= pick_ssh_key.to_s pgp_pub_key ||= pick_pgp_key end @@ -118,23 +124,5 @@ module LeapCli return `gpg --armor --export-options export-minimal --export #{key_id}`.strip end - def update_authorized_keys - buffer = StringIO.new - keys = Dir.glob(path([:user_ssh, '*'])) - if keys.empty? - bail! "You must have at least one public SSH user key configured in order to proceed. See `leap help add-user`." - end - keys.sort.each do |keyfile| - ssh_type, ssh_key = File.read(keyfile).strip.split(" ") - buffer << ssh_type - buffer << " " - buffer << ssh_key - buffer << " " - buffer << Path.relative_path(keyfile) - buffer << "\n" - end - write_file!(:authorized_keys, buffer.string) - end - end end
\ No newline at end of file diff --git a/lib/leap_cli/config/macros.rb b/lib/leap_cli/config/macros.rb index 8cc72f4..aaed77a 100644 --- a/lib/leap_cli/config/macros.rb +++ b/lib/leap_cli/config/macros.rb @@ -315,11 +315,15 @@ module LeapCli; module Config ## # - # creates a hash from the ssh key info in users directory, for use in updating authorized_keys file + # Creates a hash from the ssh key info in users directory, for use in + # updating authorized_keys file. Additionally, the 'monitor' public key is + # included, which is used by the monitor nodes to run particular commands + # remotely. # def authorized_keys hash = {} - Dir.glob(Path.named_path([:user_ssh, '*'])).sort.each do |keyfile| + keys = Dir.glob(Path.named_path([:user_ssh, '*'])) + keys.sort.each do |keyfile| ssh_type, ssh_key = File.read(keyfile).strip.split(" ") name = File.basename(File.dirname(keyfile)) hash[name] = { @@ -327,6 +331,11 @@ module LeapCli; module Config "key" => ssh_key } end + ssh_type, ssh_key = File.read(Path.named_path(:monitor_pub_key)).strip.split(" ") + hash[Leap::Platform.monitor_username] = { + "type" => ssh_type, + "key" => ssh_key + } hash end diff --git a/lib/leap_cli/version.rb b/lib/leap_cli/version.rb index 3e8aee5..db05129 100644 --- a/lib/leap_cli/version.rb +++ b/lib/leap_cli/version.rb @@ -1,7 +1,7 @@ module LeapCli unless defined?(LeapCli::VERSION) - VERSION = '1.2.5' - COMPATIBLE_PLATFORM_VERSION = '0.2.4'..'1.99' + VERSION = '1.3.0' + COMPATIBLE_PLATFORM_VERSION = '0.3.0'..'1.99' SUMMARY = 'Command line interface to the LEAP platform' DESCRIPTION = 'The command "leap" can be used to manage a bevy of servers running the LEAP platform from the comfort of your own home.' LOAD_PATHS = ['lib', 'vendor/certificate_authority/lib', 'vendor/rsync_command/lib'] |