From 7f4dea648d1f5a6b357933706abdb0f902043172 Mon Sep 17 00:00:00 2001
From: elijah
Date: Wed, 10 Jul 2013 10:24:10 -0700
Subject: fixed bug where unused certs were not being deleted.
---
 lib/leap_cli/commands/ca.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb
index da5bee9..b5a8765 100644
--- a/lib/leap_cli/commands/ca.rb
+++ b/lib/leap_cli/commands/ca.rb
@@ -36,11 +36,11 @@ module LeapCli; module Commands
 nodes = manager.filter!(args)
 nodes.each_node do |node|
- if options[:force] || cert_needs_updating?(node)
- generate_cert_for_node(node)
- elsif !node.x509.use
+ if !node.x509.use
 remove_file!([:node_x509_key, node.name])
 remove_file!([:node_x509_cert, node.name])
+ elsif options[:force] || cert_needs_updating?(node)
+ generate_cert_for_node(node)
 end
 end
 end
@@ -203,7 +203,7 @@ module LeapCli; module Commands
 dns_names << $1 if value =~ /^DNS:(.*)$/
 end
 if ips.first != node.ip_address
- log :updating, "cert for node '#{node.name}' because ip_address has changed (from #{ips} to #{node.ip_address})"
+ log :updating, "cert for node '#{node.name}' because ip_address has changed (from #{ips.first} to #{node.ip_address})"
 return true
 elsif dns_names != dns_names_for_node(node)
 log :updating, "cert for node '#{node.name}' because domain name aliases have changed (from #{dns_names.inspect} to #{dns_names_for_node(node).inspect})"
-- cgit v1.2.3
From df68d335c9c6fa8fd1638fb023b55f0993e43fe4 Mon Sep 17 00:00:00 2001
From: elijah
Date: Wed, 10 Jul 2013 10:44:25 -0700
Subject: security fix - for a little while now, since the switch to rsync_command, permissions on rsync'ed files allowed world read. bad bad. now permissions are limited to root.
---
 lib/leap_cli/remote/rsync_plugin.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/leap_cli/remote/rsync_plugin.rb b/lib/leap_cli/remote/rsync_plugin.rb
index 2c89f26..495ca1d 100644
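Review bot: The reordered branches need a one-line comment, because `if !node.x509.use` now takes precedence over `options[:force]`: a node with x509 disabled has its key and cert removed even when `--force` is passed, and a later reader will not be able to tell whether that precedence is deliberate. Suggest `# x509.use wins over --force: a node that has opted out of x509 gets its stale key/cert removed rather than regenerated.` directly above the `if`. The `each_node` block and the command action it sits in start before the hunk, so whether `remove_file!` tolerates an already-absent file (the common case for a node that never had a cert) cannot be confirmed from here.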
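Review bot: The corrected log line interpolates `ips.first` bare, whereas the sibling `elsif` branch two lines below uses `.inspect` for `dns_names`; when the existing certificate carries no IP subjectAltName, `ips.first` is nil and the message reads `(from  to <node ip>)`, hiding the very condition that triggered the update. Use `#{ips.first.inspect}` for consistency: `log :updating, "cert for node '#{node.name}' because ip_address has changed (from #{ips.first.inspect} to #{node.ip_address})"`. The comparison on the context line above also considers only `ips.first`, so a cert with several IP SANs is judged by whichever was parsed first; how `ips` is populated is above the hunk (`cert_needs_updating?` starts outside it), so this is worth confirming rather than a defect I can pin.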
--- a/lib/leap_cli/remote/rsync_plugin.rb
+++ b/lib/leap_cli/remote/rsync_plugin.rb
@@ -14,7 +14,7 @@ module LeapCli; module Remote; module RsyncPlugin
 # {:source => '', :dest => '', :flags => '', :includes => [], :excludes => []}
 #
 def update
- rsync = RsyncCommand.new(:logger => logger, :flags => '-a')
+ rsync = RsyncCommand.new(:logger => logger, :flags => '-rltp --chmod=u+rX,go-rwx')
 rsync.asynchronously(find_servers) do |server|
 options = yield server
 next unless options
-- cgit v1.2.3
From eec3e1760cec10cdd508771ddb71efeff04cfff8 Mon Sep 17 00:00:00 2001
From: elijah
Date: Wed, 10 Jul 2013 22:03:30 -0700
Subject: file permissions -- no longer force restrictive chmod on the rsync of /srv/leap/[puppet|bin], because doing so messes up the permissions of /srv/leap.
---
 lib/leap_cli/commands/deploy.rb | 10 +++++++---
 lib/leap_cli/remote/rsync_plugin.rb | 2 +-
 lib/leap_cli/version.rb | 4 ++--
 3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/lib/leap_cli/commands/deploy.rb b/lib/leap_cli/commands/deploy.rb
index 8130111..239af2a 100644
--- a/lib/leap_cli/commands/deploy.rb
+++ b/lib/leap_cli/commands/deploy.rb
@@ -63,7 +63,11 @@ module LeapCli
 node = manager.node(server.host)
 hiera_file = Path.relative_path([:hiera, node.name])
 ssh.leap.log hiera_file + ' -> ' + node.name + ':' + dest_dir + '/hiera.yaml'
- {:source => hiera_file, :dest => dest_dir + '/hiera.yaml'}
+ {
+ :source => hiera_file,
+ :dest => dest_dir + '/hiera.yaml',
+ :flags => "-rltp --chmod=u+rX,go-rwx"
+ }
 end
 end
@@ -80,7 +84,7 @@ module LeapCli
 :dest => dest_dir,
 :excludes => "*",
 :includes => calculate_includes_from_files(files_to_sync),
- :flags => "--relative --dirs --delete --delete-excluded --filter='protect hiera.yaml' --copy-links"
+ :flags => "-ltp --chmod=u+rX,go-rwx --relative --dirs --delete --delete-excluded --filter='protect hiera.yaml' --copy-links"
 }
 else
 nil
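Review bot: The new flag string on the `rsync = RsyncCommand.new(...)` line encodes a security decision with no comment, and the commit message is the only place that explains it; the next maintainer is likely to "simplify" `-rltp --chmod=u+rX,go-rwx` back to `-a`. Add above it `# Deliberately not -a: -a implies -p, which replicates the local (possibly world-readable) modes onto the server; --chmod=u+rX,go-rwx keeps synced files readable by their owner only.` Note that `-rltp` also drops the `-o`, `-g` and `-D` that `-a` carried, so remote ownership now follows the connecting user rather than the source; if that is intended, say so in the same comment. The `update` method continues past the hunk.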
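Review bot: The restrictive mode string `-rltp --chmod=u+rX,go-rwx` added for hiera.yaml in this hunk is repeated, minus `-r`, as `-ltp --chmod=u+rX,go-rwx` in the hunk at @@ -80, and the plugin default that used to supply it is removed in the same commit; two hand-typed copies of a security-relevant flag string will drift apart on the next edit. Pull the shared part into a frozen constant on the module, e.g. `RESTRICTED_RSYNC_FLAGS = '--chmod=u+rX,go-rwx'` (constructed name), and build both `:flags` values from it. A short comment on the hiera entry explaining why it is locked down while the puppet/bin sync at @@ -97 deliberately is not would also spare the reader a trip to the git log. The block that yields these option hashes begins before the hunk.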
@@ -97,7 +101,7 @@ module LeapCli
 :chdir => Path.platform,
 :excludes => '*',
 :includes => ['/bin', '/bin/**', '/puppet', '/puppet/**'],
- :flags => "--relative --dirs --delete --copy-links"
+ :flags => "-rlt --relative --delete --copy-links"
 }
 end
 end
diff --git a/lib/leap_cli/remote/rsync_plugin.rb b/lib/leap_cli/remote/rsync_plugin.rb
index 495ca1d..48f82d3 100644
--- a/lib/leap_cli/remote/rsync_plugin.rb
+++ b/lib/leap_cli/remote/rsync_plugin.rb
@@ -14,7 +14,7 @@ module LeapCli; module Remote; module RsyncPlugin
 # {:source => '', :dest => '', :flags => '', :includes => [], :excludes => []}
 #
 def update
- rsync = RsyncCommand.new(:logger => logger, :flags => '-rltp --chmod=u+rX,go-rwx')
+ rsync = RsyncCommand.new(:logger => logger)
 rsync.asynchronously(find_servers) do |server|
 options = yield server
 next unless options
diff --git a/lib/leap_cli/version.rb b/lib/leap_cli/version.rb
index 072dfbd..7f019c4 100644
--- a/lib/leap_cli/version.rb
+++ b/lib/leap_cli/version.rb
@@ -1,7 +1,7 @@
 module LeapCli
 unless defined?(LeapCli::VERSION)
- VERSION = '1.1.2'
- COMPATIBLE_PLATFORM_VERSION = '0.2.2'..'1.99'
+ VERSION = '1.1.3'
+ COMPATIBLE_PLATFORM_VERSION = '0.2.3'..'1.99'
 SUMMARY = 'Command line interface to the LEAP platform'
 DESCRIPTION = 'The command "leap" can be used to manage a bevy of servers running the LEAP platform from the comfort of your own home.'
 LOAD_PATHS = ['lib', 'vendor/certificate_authority/lib', 'vendor/rsync_command/lib']
-- cgit v1.2.3
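Review bot: Leaving `-p` out of the new puppet/bin flags (`-rlt --relative --delete --copy-links`) means rsync keeps the existing mode of every file already on the destination and only applies source mode masked by the remote umask to newly created files, so files pushed with `--chmod=u+rX,go-rwx` by the previous release stay go-rwx while files created from now on get whatever the umask allows; the tree ends up with mixed modes that depend on when each file first appeared. If that is acceptable, record it on the `:flags` line, e.g. `# no -p/--chmod here: forcing modes on /srv/leap/{puppet,bin} clobbers the mode of /srv/leap itself (see commit message)`; if not, a one-off normalisation of the existing tree belongs with this change. `--dirs` was also dropped in favour of `-r`, which works with `--relative` but is a behaviour change the commit message does not mention. The option hash belongs to a block that starts outside the hunk.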
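Review bot: With `RsyncCommand.new(:logger => logger)` the plugin no longer supplies any default flags, so a caller that omits `:flags` now gets whatever `RsyncCommand` itself defaults to, which is not visible here and silently decides how file modes reach the server. The option-hash comment just above (`# {:source => '', :dest => '', :flags => '', ...}`) should state this, e.g. `# :flags is required - the plugin sets no default, so callers own the permission handling (see deploy.rb).` It would be safer still to reject a nil `options[:flags]` inside the block with an explicit error, assuming `options` is the hash passed straight through to rsync. The remainder of `update` is outside the hunk.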