added support for 'monitor' ssh keys.

5 files changed, 74 insertions, 25 deletions

diff --git a/lib/leap/platform.rb b/lib/leap/platform.rb
index 298e480..7a28bbd 100644
--- a/lib/leap/platform.rb
+++ b/lib/leap/platform.rb
@@ -13,6 +13,8 @@ module Leap
       attr_accessor :facts
       attr_accessor :paths
       attr_accessor :node_files
+      attr_accessor :monitor_username
+      attr_accessor :reserved_usernames
 
       def define(&block)
         self.instance_eval(&block)
diff --git a/lib/leap_cli/commands/compile.rb b/lib/leap_cli/commands/compile.rb
index 8ef7c6b..11e6e35 100644
--- a/lib/leap_cli/commands/compile.rb
+++ b/lib/leap_cli/commands/compile.rb
@@ -33,11 +33,61 @@ module LeapCli
     end
 
     def update_compiled_ssh_configs
+      generate_monitor_ssh_keys
       update_authorized_keys
       update_known_hosts
     end
 
     ##
+    ## SSH
+    ##
+
+    #
+    # generates a ssh key pair that is used only by remote monitors
+    # to connect to nodes and run certain allowed commands.
+    #
+    # every node has the public monitor key added to their authorized
+    # keys, and every monitor node has a copy of the private monitor key.
+    #
+    def generate_monitor_ssh_keys
+      priv_key_file = :monitor_priv_key
+      pub_key_file  = :monitor_pub_key
+      unless file_exists?(priv_key_file, pub_key_file)
+        cmd = %(ssh-keygen -N '' -C 'monitor' -t ecdsa -b 521 -f '%s') % path(priv_key_file)
+        assert_run! cmd
+        if file_exists?(priv_key_file, pub_key_file)
+          log :created, path(priv_key_file)
+          log :created, path(pub_key_file)
+        else
+          log :failed, 'to create monitor ssh keys'
+        end
+      end
+    end
+
+    #
+    # Compiles the authorized keys file, which gets installed on every during init.
+    # Afterwards, puppet installs an authorized keys file that is generated differently
+    # (see authorized_keys() in macros.rb)
+    #
+    def update_authorized_keys
+      buffer = StringIO.new
+      keys = Dir.glob(path([:user_ssh, '*']))
+      if keys.empty?
+        bail! "You must have at least one public SSH user key configured in order to proceed. See `leap help add-user`."
+      end
+      keys.sort.each do |keyfile|
+        ssh_type, ssh_key = File.read(keyfile).strip.split(" ")
+        buffer << ssh_type
+        buffer << " "
+        buffer << ssh_key
+        buffer << " "
+        buffer << Path.relative_path(keyfile)
+        buffer << "\n"
+      end
+      write_file!(:authorized_keys, buffer.string)
+    end
+
+    ##
     ## ZONE FILE
     ##
 
diff --git a/lib/leap_cli/commands/user.rb b/lib/leap_cli/commands/user.rb
index f96d527..d7c21db 100644
--- a/lib/leap_cli/commands/user.rb
+++ b/lib/leap_cli/commands/user.rb
@@ -24,8 +24,15 @@ module LeapCli
 
       c.action do |global_options,options,args|
         username = args.first
-        if !username.any? && !options[:self]
-          help! "Either 'username' or --self is required."
+        if !username.any?
+          if options[:self]
+            username ||= `whoami`.strip
+          else
+            help! "Either USERNAME argument or --self flag is required."
+          end
+        end
+        if Leap::Platform.reserved_usernames.include? username
+          bail! %(The username "#{username}" is reserved. Sorry, pick another.)
         end
 
         ssh_pub_key = nil
@@ -39,7 +46,6 @@ module LeapCli
         end
 
         if options[:self]
-          username ||= `whoami`.strip
           ssh_pub_key ||= pick_ssh_key.to_s
           pgp_pub_key ||= pick_pgp_key
         end
@@ -118,23 +124,5 @@ module LeapCli
       return `gpg --armor --export-options export-minimal --export #{key_id}`.strip
     end
 
-    def update_authorized_keys
-      buffer = StringIO.new
-      keys = Dir.glob(path([:user_ssh, '*']))
-      if keys.empty?
-        bail! "You must have at least one public SSH user key configured in order to proceed. See `leap help add-user`."
-      end
-      keys.sort.each do |keyfile|
-        ssh_type, ssh_key = File.read(keyfile).strip.split(" ")
-        buffer << ssh_type
-        buffer << " "
-        buffer << ssh_key
-        buffer << " "
-        buffer << Path.relative_path(keyfile)
-        buffer << "\n"
-      end
-      write_file!(:authorized_keys, buffer.string)
-    end
-
   end
 end
\ No newline at end of file
diff --git a/lib/leap_cli/config/macros.rb b/lib/leap_cli/config/macros.rb
index 8cc72f4..aaed77a 100644
--- a/lib/leap_cli/config/macros.rb
+++ b/lib/leap_cli/config/macros.rb
@@ -315,11 +315,15 @@ module LeapCli; module Config
     ##
 
     #
-    # creates a hash from the ssh key info in users directory, for use in updating authorized_keys file
+    # Creates a hash from the ssh key info in users directory, for use in
+    # updating authorized_keys file. Additionally, the 'monitor' public key is
+    # included, which is used by the monitor nodes to run particular commands
+    # remotely.
     #
     def authorized_keys
       hash = {}
-      Dir.glob(Path.named_path([:user_ssh, '*'])).sort.each do |keyfile|
+      keys = Dir.glob(Path.named_path([:user_ssh, '*']))
+      keys.sort.each do |keyfile|
         ssh_type, ssh_key = File.read(keyfile).strip.split(" ")
         name = File.basename(File.dirname(keyfile))
         hash[name] = {
@@ -327,6 +331,11 @@ module LeapCli; module Config
           "key" => ssh_key
         }
       end
+      ssh_type, ssh_key = File.read(Path.named_path(:monitor_pub_key)).strip.split(" ")
+      hash[Leap::Platform.monitor_username] = {
+        "type" => ssh_type,
+        "key" => ssh_key
+      }
       hash
     end
 
diff --git a/lib/leap_cli/version.rb b/lib/leap_cli/version.rb
index 3e8aee5..db05129 100644
--- a/lib/leap_cli/version.rb
+++ b/lib/leap_cli/version.rb
@@ -1,7 +1,7 @@
 module LeapCli
   unless defined?(LeapCli::VERSION)
-    VERSION = '1.2.5'
-    COMPATIBLE_PLATFORM_VERSION = '0.2.4'..'1.99'
+    VERSION = '1.3.0'
+    COMPATIBLE_PLATFORM_VERSION = '0.3.0'..'1.99'
     SUMMARY = 'Command line interface to the LEAP platform'
     DESCRIPTION = 'The command "leap" can be used to manage a bevy of servers running the LEAP platform from the comfort of your own home.'
     LOAD_PATHS = ['lib', 'vendor/certificate_authority/lib', 'vendor/rsync_command/lib']