class CfnVpn::Certificates

Public Class Methods

new(build_dir, cfnvpn_name, easyrsa_local = false) click to toggle source
# File lib/cfnvpn/certificates.rb, line 11
def initialize(build_dir, cfnvpn_name, easyrsa_local = false)
  @cfnvpn_name = cfnvpn_name
  @easyrsa_local = easyrsa_local
  
  if @easyrsa_local
    unless which('easyrsa')
      raise "Unable to find `easyrsa` in your path. Check your path or remove the `--easyrsa-local` flag to run from docker"
    end
  end
  
  @build_dir = build_dir
  @config_dir = "#{build_dir}/config"
  @cert_dir = "#{build_dir}/certificates"
  @pki_dir = "#{build_dir}/pki"
  @docker_cmd = %w(docker run -it --rm)
  @easyrsa_image = " base2/aws-client-vpn"
  FileUtils.mkdir_p(@cert_dir)
  FileUtils.mkdir_p(@pki_dir)
end

Public Instance Methods

extract_certificate(client_cn) click to toggle source
# File lib/cfnvpn/certificates.rb, line 102
def extract_certificate(client_cn)
  tar = "#{@config_dir}/#{client_cn}.tar.gz"
  `tar xzfv #{tar} -C #{@config_dir} --strip 2`
  File.delete(tar) if File.exist?(tar)
end
generate_ca(server_cn,client_cn) click to toggle source
# File lib/cfnvpn/certificates.rb, line 31
def generate_ca(server_cn,client_cn)
  if @easyrsa_local
    ENV["EASYRSA_REQ_CN"] = server_cn
    ENV["EASYRSA_PKI"] = @pki_dir
    system("easyrsa init-pki")
    system("easyrsa build-ca nopass")
    system("easyrsa build-server-full server nopass")
    system("easyrsa build-client-full #{client_cn} nopass")
    FileUtils.cp(["#{@pki_dir}/ca.crt", "#{@pki_dir}/issued/server.crt", "#{@pki_dir}/private/server.key", "#{@pki_dir}/issued/#{client_cn}.crt", "#{@pki_dir}/private/#{client_cn}.key"], @cert_dir)
    system("tar czfv #{@cert_dir}/ca.tar.gz -C #{@build_dir} pki/")
  else
    @docker_cmd << "-e EASYRSA_REQ_CN=#{server_cn}"
    @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
    @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
    @docker_cmd << @easyrsa_image
    @docker_cmd << "sh -c 'create-ca'"
    CfnVpn::Log.logger.debug `#{@docker_cmd.join(' ')}`
  end
end
generate_client(client_cn) click to toggle source
# File lib/cfnvpn/certificates.rb, line 51
def generate_client(client_cn)
  if @easyrsa_local
    ENV["EASYRSA_PKI"] = @pki_dir
    system("tar xzfv #{@cert_dir}/ca.tar.gz --directory #{@build_dir}")
    system("easyrsa build-client-full #{client_cn} nopass")
    system("tar czfv #{@cert_dir}/#{client_cn}.tar.gz -C #{@build_dir} pki/issued/#{client_cn}.crt pki/private/#{client_cn}.key pki/reqs/#{client_cn}.req")
  else
    @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
    @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
    @docker_cmd << @easyrsa_image
    @docker_cmd << "sh -c 'create-client'"
    CfnVpn::Log.logger.debug `#{@docker_cmd.join(' ')}`
  end
end
retrieve_certificate(bucket,bundle) click to toggle source
# File lib/cfnvpn/certificates.rb, line 97
def retrieve_certificate(bucket,bundle)
  s3 = CfnVpn::S3.new(@region,bucket,@name)
  s3.get_object("#{@cert_dir}/#{bundle}")
end
revoke_client(client_cn) click to toggle source
# File lib/cfnvpn/certificates.rb, line 66
def revoke_client(client_cn)
  if @easyrsa_local
    ENV["EASYRSA_PKI"] = @pki_dir
    system("tar xzfv #{@cert_dir}/ca.tar.gz --directory #{@build_dir}")
    system("tar xzfv #{@cert_dir}/#{client_cn}.tar.gz --directory #{@build_dir}")
    system("easyrsa revoke #{client_cn}")
    system("easyrsa gen-crl")
    FileUtils.cp("#{@pki_dir}/crl.pem", @cert_dir)
  else
    @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
    @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
    @docker_cmd << @easyrsa_image
    @docker_cmd << "sh -c 'revoke-client'"
    CfnVpn::Log.logger.debug `#{@docker_cmd.join(' ')}`
  end
end
store_certificate(bucket,bundle) click to toggle source
# File lib/cfnvpn/certificates.rb, line 92
def store_certificate(bucket,bundle)
  s3 = CfnVpn::S3.new(@region,bucket,@name)
  s3.store_object("#{@cert_dir}/#{bundle}")
end
upload_certificates(region,cert,type,cn=nil) click to toggle source
# File lib/cfnvpn/certificates.rb, line 83
def upload_certificates(region,cert,type,cn=nil)
  cn = cn.nil? ? cert : cn
  acm = CfnVpn::Acm.new(region, @cert_dir)
  arn = acm.import_certificate("#{cert}.crt", "#{cert}.key", "ca.crt")
  CfnVpn::Log.logger.debug "Uploaded #{type} certificate to ACM #{arn}"
  acm.tag_certificate(arn,cn,type,@cfnvpn_name)
  return arn
end
which(cmd) click to toggle source
# File lib/cfnvpn/certificates.rb, line 108
def which(cmd)
  exts = ENV['PATHEXT'] ? ENV['PATHEXT'].split(';') : ['']
  ENV['PATH'].split(File::PATH_SEPARATOR).each do |path|
    exts.each do |ext|
      exe = File.join(path, "#{cmd}#{ext}")
      return exe if File.executable?(exe) && !File.directory?(exe)
    end
  end
  nil
end