authorelijah <elijah@riseup.net>2014-02-06 23:37:05 -0800
committerelijah <elijah@riseup.net>2014-02-06 23:37:05 -0800
commit79afefc5c8a80da51fd735edfcd780c8be5b8ffc (patch)
tree90701ade4e865e8249ba4645b1b5e7dec9989d23
parent14534ad41f76d48b1df8a320076e4e42dc9425ba (diff)
downloadleap_cli-79afefc5c8a80da51fd735edfcd780c8be5b8ffc.tar.gz
leap_cli-79afefc5c8a80da51fd735edfcd780c8be5b8ffc.tar.bz2
added support for 'monitor' ssh keys.
-rw-r--r--lib/leap/platform.rb2
-rw-r--r--lib/leap_cli/commands/compile.rb50
-rw-r--r--lib/leap_cli/commands/user.rb30
-rw-r--r--lib/leap_cli/config/macros.rb13
-rw-r--r--lib/leap_cli/version.rb4
5 files changed, 74 insertions, 25 deletions
diff --git a/lib/leap/platform.rb b/lib/leap/platform.rb
index 298e480..7a28bbd 100644
--- a/lib/leap/platform.rb
+++ b/lib/leap/platform.rb
@@ -13,6 +13,8 @@ module Leap
attr_accessor :facts
attr_accessor :paths
attr_accessor :node_files
+ attr_accessor :monitor_username
+ attr_accessor :reserved_usernames
def define(&block)
self.instance_eval(&block)
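Review bot: Both new accessors default to nil, and the callers this commit adds assume a value is present: `Leap::Platform.reserved_usernames.include? username` in commands/user.rb raises NoMethodError, and `hash[Leap::Platform.monitor_username] = …` in config/macros.rb files the monitor key under a nil name, for any platform definition that does not set them. The bump of COMPATIBLE_PLATFORM_VERSION to 0.3.0 suggests this is intended, but a safe default costs one line, e.g. `def reserved_usernames; @reserved_usernames || []; end` in the same scope as the accessor. The enclosing definition block starts outside the hunk, so whether these are singleton or instance accessors cannot be confirmed from here.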
diff --git a/lib/leap_cli/commands/compile.rb b/lib/leap_cli/commands/compile.rb
index 8ef7c6b..11e6e35 100644
--- a/lib/leap_cli/commands/compile.rb
+++ b/lib/leap_cli/commands/compile.rb
@@ -33,11 +33,61 @@ module LeapCli
end
def update_compiled_ssh_configs
+ generate_monitor_ssh_keys
update_authorized_keys
update_known_hosts
end
##
+ ## SSH
+ ##
+
+ #
+ # generates a ssh key pair that is used only by remote monitors
+ # to connect to nodes and run certain allowed commands.
+ #
+ # every node has the public monitor key added to their authorized
+ # keys, and every monitor node has a copy of the private monitor key.
+ #
+ def generate_monitor_ssh_keys
+ priv_key_file = :monitor_priv_key
+ pub_key_file = :monitor_pub_key
+ unless file_exists?(priv_key_file, pub_key_file)
+ cmd = %(ssh-keygen -N '' -C 'monitor' -t ecdsa -b 521 -f '%s') % path(priv_key_file)
+ assert_run! cmd
+ if file_exists?(priv_key_file, pub_key_file)
+ log :created, path(priv_key_file)
+ log :created, path(pub_key_file)
+ else
+ log :failed, 'to create monitor ssh keys'
+ end
+ end
+ end
+
+ #
+ # Compiles the authorized keys file, which gets installed on every during init.
+ # Afterwards, puppet installs an authorized keys file that is generated differently
+ # (see authorized_keys() in macros.rb)
+ #
+ def update_authorized_keys
+ buffer = StringIO.new
+ keys = Dir.glob(path([:user_ssh, '*']))
+ if keys.empty?
+ bail! "You must have at least one public SSH user key configured in order to proceed. See `leap help add-user`."
+ end
+ keys.sort.each do |keyfile|
+ ssh_type, ssh_key = File.read(keyfile).strip.split(" ")
+ buffer << ssh_type
+ buffer << " "
+ buffer << ssh_key
+ buffer << " "
+ buffer << Path.relative_path(keyfile)
+ buffer << "\n"
+ end
+ write_file!(:authorized_keys, buffer.string)
+ end
+
+ ##
## ZONE FILE
##
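Review bot: generate_monitor_ssh_keys skips generation only when both key files exist, so a half-present pair (for example the private key left behind after the public one was removed) reaches `ssh-keygen … -f` on an existing path, which asks to overwrite instead of running non-interactively under assert_run!, and presumably hangs or fails there, assuming file_exists? returns true only when every listed file exists. If file_exists? also accepts a single path, the mismatch can be rejected ahead of the unless: `if file_exists?(priv_key_file) != file_exists?(pub_key_file)` / `bail! "Only one of the monitor ssh key files exists; remove it and run compile again."` / `end`. The header comment should additionally say that the key is created with an empty passphrase (`-N ''`) and copied to every monitor node, so the generated private key file is secret material and must be protected like the rest of the compiled keys. update_authorized_keys is moved here from commands/user.rb without changes.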
diff --git a/lib/leap_cli/commands/user.rb b/lib/leap_cli/commands/user.rb
index f96d527..d7c21db 100644
--- a/lib/leap_cli/commands/user.rb
+++ b/lib/leap_cli/commands/user.rb
@@ -24,8 +24,15 @@ module LeapCli
c.action do |global_options,options,args|
username = args.first
- if !username.any? && !options[:self]
- help! "Either 'username' or --self is required."
+ if !username.any?
+ if options[:self]
+ username ||= `whoami`.strip
+ else
+ help! "Either USERNAME argument or --self flag is required."
+ end
+ end
+ if Leap::Platform.reserved_usernames.include? username
+ bail! %(The username "#{username}" is reserved. Sorry, pick another.)
end
ssh_pub_key = nil
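Review bot: The new reserved-name check is the only gate on username before it is used, and it rejects reserved names but not unsafe ones; config/macros.rb on this page identifies a key's owner by its directory name (`File.basename(File.dirname(keyfile))`), so presumably add-user creates a directory named after the username (not shown in this hunk), and a value containing path separators, `..` or a leading `-` would be accepted as-is. A format check beside the reserved check closes that, e.g. `bail! %(The username "#{username}" is not valid.) unless username =~ /\A[a-z0-9][a-z0-9._-]*\z/i` (pattern constructed here; adjust to the project's naming rule). `username.any?` is still evaluated on `args.first`, which is nil when no argument is given; that predates this change, so a core extension presumably supplies it. The c.action block continues past the end of the hunk.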
@@ -39,7 +46,6 @@ module LeapCli
end
if options[:self]
- username ||= `whoami`.strip
ssh_pub_key ||= pick_ssh_key.to_s
pgp_pub_key ||= pick_pgp_key
end
@@ -118,23 +124,5 @@ module LeapCli
return `gpg --armor --export-options export-minimal --export #{key_id}`.strip
end
- def update_authorized_keys
- buffer = StringIO.new
- keys = Dir.glob(path([:user_ssh, '*']))
- if keys.empty?
- bail! "You must have at least one public SSH user key configured in order to proceed. See `leap help add-user`."
- end
- keys.sort.each do |keyfile|
- ssh_type, ssh_key = File.read(keyfile).strip.split(" ")
- buffer << ssh_type
- buffer << " "
- buffer << ssh_key
- buffer << " "
- buffer << Path.relative_path(keyfile)
- buffer << "\n"
- end
- write_file!(:authorized_keys, buffer.string)
- end
-
end
end
\ No newline at end of file
diff --git a/lib/leap_cli/config/macros.rb b/lib/leap_cli/config/macros.rb
index 8cc72f4..aaed77a 100644
--- a/lib/leap_cli/config/macros.rb
+++ b/lib/leap_cli/config/macros.rb
@@ -315,11 +315,15 @@ module LeapCli; module Config
##
#
- # creates a hash from the ssh key info in users directory, for use in updating authorized_keys file
+ # Creates a hash from the ssh key info in users directory, for use in
+ # updating authorized_keys file. Additionally, the 'monitor' public key is
+ # included, which is used by the monitor nodes to run particular commands
+ # remotely.
#
def authorized_keys
hash = {}
- Dir.glob(Path.named_path([:user_ssh, '*'])).sort.each do |keyfile|
+ keys = Dir.glob(Path.named_path([:user_ssh, '*']))
+ keys.sort.each do |keyfile|
ssh_type, ssh_key = File.read(keyfile).strip.split(" ")
name = File.basename(File.dirname(keyfile))
hash[name] = {
@@ -327,6 +331,11 @@ module LeapCli; module Config
"key" => ssh_key
}
end
+ ssh_type, ssh_key = File.read(Path.named_path(:monitor_pub_key)).strip.split(" ")
+ hash[Leap::Platform.monitor_username] = {
+ "type" => ssh_type,
+ "key" => ssh_key
+ }
hash
end
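Review bot: `File.read(Path.named_path(:monitor_pub_key))` raises Errno::ENOENT when the monitor key pair has not been generated yet (generation lives in compile.rb's generate_monitor_ssh_keys), which surfaces as a backtrace out of a macro rather than a message; reading it as `monitor_key = Path.named_path(:monitor_pub_key)` / `bail! "Missing #{monitor_key}; run compile first." unless File.exist?(monitor_key)` would be clearer, assuming bail! is reachable from this module as it is from the commands. The same `File.read(…).strip.split(" ")` parse now appears three times on this page (here, earlier in this method, and in compile.rb's update_authorized_keys); a small helper returning `[type, key]` would keep them consistent and give one place to reject an empty or malformed key file, since on a blank file `ssh_key` is nil and is stored as the key without complaint. authorized_keys begins in the previous hunk.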
diff --git a/lib/leap_cli/version.rb b/lib/leap_cli/version.rb
index 3e8aee5..db05129 100644
--- a/lib/leap_cli/version.rb
+++ b/lib/leap_cli/version.rb
@@ -1,7 +1,7 @@
module LeapCli
unless defined?(LeapCli::VERSION)
- VERSION = '1.2.5'
- COMPATIBLE_PLATFORM_VERSION = '0.2.4'..'1.99'
+ VERSION = '1.3.0'
+ COMPATIBLE_PLATFORM_VERSION = '0.3.0'..'1.99'
SUMMARY = 'Command line interface to the LEAP platform'
DESCRIPTION = 'The command "leap" can be used to manage a bevy of servers running the LEAP platform from the comfort of your own home.'
LOAD_PATHS = ['lib', 'vendor/certificate_authority/lib', 'vendor/rsync_command/lib']