class CfnVpn::Certificates
new(build_dir, cfnvpn_name, easyrsa_local = false)
# File lib/cfnvpn/certificates.rb, line 11
# Sets up the working directories for certificate generation and selects the
# easyrsa backend (a locally installed binary or the docker image).
#
# @param build_dir [String] root working directory; config/, certificates/
#   and pki/ are created or referenced underneath it
# @param cfnvpn_name [String] name later used when tagging uploaded certificates
# @param easyrsa_local [Boolean] run a local `easyrsa` instead of docker
# @raise [RuntimeError] when easyrsa_local is set but no `easyrsa` is on PATH
def initialize(build_dir, cfnvpn_name, easyrsa_local = false)
  @cfnvpn_name = cfnvpn_name
  @easyrsa_local = easyrsa_local
  # Fail early; every later easyrsa step would otherwise die with a less clear error.
  if @easyrsa_local && !which('easyrsa')
    raise "Unable to find `easyrsa` in your path. Check your path or remove the `--easyrsa-local` flag to run from docker"
  end
  @build_dir = build_dir
  @config_dir = "#{build_dir}/config"
  @cert_dir = "#{build_dir}/certificates"
  @pki_dir = "#{build_dir}/pki"
  # Base argument vector for the docker backend; the instance methods extend it.
  @docker_cmd = %w[docker run -it --rm]
  # NOTE(review): the image name carries a leading space. It is harmless when the
  # vector is joined with ' ' into a shell line, but must be stripped before being
  # passed as a bare argv element.
  @easyrsa_image = " base2/aws-client-vpn"
  FileUtils.mkdir_p([@cert_dir, @pki_dir])
end
extract_certificate(client_cn)
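# File lib/cfnvpn/certificates.rb, line 102
# Unpacks a client's certificate bundle into the config directory and removes
# the bundle afterwards.
#
# @param client_cn [String] client common name; selects "<config_dir>/<cn>.tar.gz"
# @raise [RuntimeError] when tar exits non-zero (the bundle is then left in place)
# @return [Integer, nil] result of File.delete, or nil if the bundle was absent
def extract_certificate(client_cn)
  tar = "#{@config_dir}/#{client_cn}.tar.gz"
  # Argument-vector form: client_cn and the directory never pass through a shell.
  # tar's verbose listing is captured and discarded, as the backtick form did.
  IO.popen(["tar", "xzfv", tar, "-C", @config_dir, "--strip", "2"], &:read)
  # Do not delete the bundle when extraction failed, or the data is lost.
  raise "failed to extract #{tar}" unless $?.success?
  File.delete(tar) if File.exist?(tar)
end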
generate_ca(server_cn,client_cn)
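# File lib/cfnvpn/certificates.rb, line 31
# Creates a fresh PKI: the CA, a server certificate and the first client
# certificate, either with a local easyrsa or inside the docker image.
#
# @param server_cn [String] common name for the CA request / server certificate
# @param client_cn [String] common name of the first client certificate
# @raise [RuntimeError] when a local easyrsa or tar step exits non-zero
# @return [void]
def generate_ca(server_cn, client_cn)
  if @easyrsa_local
    ENV["EASYRSA_REQ_CN"] = server_cn
    ENV["EASYRSA_PKI"] = @pki_dir
    # Argument-vector form: the CNs are user input and never go through a shell.
    # Each step is checked, since a failed build-ca would otherwise only surface
    # later as a missing-file error.
    [
      %w[easyrsa init-pki],
      %w[easyrsa build-ca nopass],
      %w[easyrsa build-server-full server nopass],
      ["easyrsa", "build-client-full", client_cn, "nopass"]
    ].each { |argv| raise "#{argv.join(' ')} failed" unless system(*argv) }
    FileUtils.cp(["#{@pki_dir}/ca.crt", "#{@pki_dir}/issued/server.crt", "#{@pki_dir}/private/server.key",
                  "#{@pki_dir}/issued/#{client_cn}.crt", "#{@pki_dir}/private/#{client_cn}.key"], @cert_dir)
    # The whole pki/ tree is archived here, private material included; the archive
    # therefore needs the same protection as the CA key itself.
    unless system("tar", "czfv", "#{@cert_dir}/ca.tar.gz", "-C", @build_dir, "pki/")
      raise "archiving #{@pki_dir} failed"
    end
  else
    # Build a per-call vector instead of appending to @docker_cmd, so repeated
    # calls on one instance do not accumulate stale flags.
    cmd = @docker_cmd + [
      "-e", "EASYRSA_REQ_CN=#{server_cn}",
      "-e", "EASYRSA_CLIENT_CN=#{client_cn}",
      "-v", "#{@cert_dir}:/easy-rsa/output",
      @easyrsa_image.strip, # the configured image name carries a leading space
      "sh", "-c", "create-ca"
    ]
    CfnVpn::Log.logger.debug IO.popen(cmd, &:read)
  end
end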
generate_client(client_cn)
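# File lib/cfnvpn/certificates.rb, line 51
# Issues an additional client certificate from the existing CA and bundles
# its certificate, key and request into "<cert_dir>/<cn>.tar.gz".
#
# @param client_cn [String] common name of the new client certificate
# @raise [RuntimeError] when a local tar or easyrsa step exits non-zero
# @return [void]
def generate_client(client_cn)
  if @easyrsa_local
    ENV["EASYRSA_PKI"] = @pki_dir
    # Argument-vector form: client_cn is user input and never goes through a shell.
    # Each step is checked so a failed build does not yield an incomplete bundle.
    [
      ["tar", "xzfv", "#{@cert_dir}/ca.tar.gz", "--directory", @build_dir],
      ["easyrsa", "build-client-full", client_cn, "nopass"],
      ["tar", "czfv", "#{@cert_dir}/#{client_cn}.tar.gz", "-C", @build_dir,
       "pki/issued/#{client_cn}.crt", "pki/private/#{client_cn}.key", "pki/reqs/#{client_cn}.req"]
    ].each { |argv| raise "#{argv.join(' ')} failed" unless system(*argv) }
  else
    # Per-call vector rather than appending to @docker_cmd, so repeated calls on
    # one instance do not accumulate stale flags.
    cmd = @docker_cmd + [
      "-e", "EASYRSA_CLIENT_CN=#{client_cn}",
      "-v", "#{@cert_dir}:/easy-rsa/output",
      @easyrsa_image.strip, # the configured image name carries a leading space
      "sh", "-c", "create-client"
    ]
    CfnVpn::Log.logger.debug IO.popen(cmd, &:read)
  end
end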
retrieve_certificate(bucket,bundle)
# File lib/cfnvpn/certificates.rb, line 97
# Downloads a certificate bundle from S3 into the certificate directory.
#
# @param bucket [String] S3 bucket holding the bundle
# @param bundle [String] bundle file name, resolved under @cert_dir
# @return whatever CfnVpn::S3#get_object returns
#
# NOTE(review): @region and @name are not assigned by any method shown in this
# class (initialize sets @cfnvpn_name, not @name) — confirm they are set
# elsewhere, otherwise the S3 client is constructed with nil values.
def retrieve_certificate(bucket, bundle)
  store = CfnVpn::S3.new(@region, bucket, @name)
  store.get_object("#{@cert_dir}/#{bundle}")
end
revoke_client(client_cn)
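# File lib/cfnvpn/certificates.rb, line 66
# Revokes a client certificate and regenerates the CRL. The refreshed CRL is
# only copied into the certificate directory; nothing here publishes it.
#
# @param client_cn [String] common name of the client certificate to revoke
# @raise [RuntimeError] when a local tar or easyrsa step exits non-zero
# @return [void]
def revoke_client(client_cn)
  if @easyrsa_local
    ENV["EASYRSA_PKI"] = @pki_dir
    # Argument-vector form: client_cn is user input and never goes through a shell.
    # A failed revoke must not be followed by copying an unchanged CRL.
    [
      ["tar", "xzfv", "#{@cert_dir}/ca.tar.gz", "--directory", @build_dir],
      ["tar", "xzfv", "#{@cert_dir}/#{client_cn}.tar.gz", "--directory", @build_dir],
      ["easyrsa", "revoke", client_cn],
      %w[easyrsa gen-crl]
    ].each { |argv| raise "#{argv.join(' ')} failed" unless system(*argv) }
    FileUtils.cp("#{@pki_dir}/crl.pem", @cert_dir)
  else
    # Per-call vector rather than appending to @docker_cmd, so repeated calls on
    # one instance do not accumulate stale flags.
    cmd = @docker_cmd + [
      "-e", "EASYRSA_CLIENT_CN=#{client_cn}",
      "-v", "#{@cert_dir}:/easy-rsa/output",
      @easyrsa_image.strip, # the configured image name carries a leading space
      "sh", "-c", "revoke-client"
    ]
    CfnVpn::Log.logger.debug IO.popen(cmd, &:read)
  end
end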
store_certificate(bucket,bundle)
# File lib/cfnvpn/certificates.rb, line 92
# Uploads a certificate bundle from the certificate directory to S3.
#
# @param bucket [String] destination S3 bucket
# @param bundle [String] bundle file name, resolved under @cert_dir
# @return whatever CfnVpn::S3#store_object returns
#
# NOTE(review): @region and @name are not assigned by any method shown in this
# class (initialize sets @cfnvpn_name, not @name) — confirm they are set
# elsewhere, otherwise the S3 client is constructed with nil values.
def store_certificate(bucket, bundle)
  store = CfnVpn::S3.new(@region, bucket, @name)
  store.store_object("#{@cert_dir}/#{bundle}")
end
upload_certificates(region,cert,type,cn=nil)
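# File lib/cfnvpn/certificates.rb, line 83
# Imports "<cert>.crt" / "<cert>.key" (chained to ca.crt) into ACM and tags
# the resulting certificate.
#
# @param region [String] AWS region of the ACM import
# @param cert [String] base file name of the certificate/key pair under @cert_dir
# @param type [String] certificate role recorded in the tags and the log line
# @param cn [String, nil] common name for the tag; defaults to cert when nil
# @return [String] ARN returned by CfnVpn::Acm#import_certificate
def upload_certificates(region, cert, type, cn = nil)
  # Only nil falls back to cert; an explicitly passed CN is always kept.
  cn = cert if cn.nil?
  acm = CfnVpn::Acm.new(region, @cert_dir)
  arn = acm.import_certificate("#{cert}.crt", "#{cert}.key", "ca.crt")
  CfnVpn::Log.logger.debug "Uploaded #{type} certificate to ACM #{arn}"
  acm.tag_certificate(arn, cn, type, @cfnvpn_name)
  arn
end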
which(cmd)
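# File lib/cfnvpn/certificates.rb, line 108
# Locates an executable on PATH, honouring PATHEXT on Windows.
#
# @param cmd [String] bare command name, without directory
# @return [String, nil] full path of the first executable, non-directory match
#   in PATH order, or nil when nothing matches
def which(cmd)
  # Without PATHEXT the only candidate is the bare name.
  exts = ENV['PATHEXT'] ? ENV['PATHEXT'].split(';') : ['']
  # An unset PATH used to raise NoMethodError on nil; treat it as "not found".
  dirs = ENV.fetch('PATH', '').split(File::PATH_SEPARATOR)
  dirs.product(exts)
      .map { |dir, ext| File.join(dir, "#{cmd}#{ext}") }
      .find { |candidate| File.executable?(candidate) && !File.directory?(candidate) }
end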