back port certificat renewal to 0.5.0

base2Services · Feb 8, 2023 · 1c50e81 · 1c50e81
1 parent f0c5d71
commit 1c50e81
Show file tree

Hide file tree

Showing 10 changed files with 327 additions and 56 deletions.
diff --git a/.github/workflows/build-gem.yml b/.github/workflows/build-gem.yml
@@ -0,0 +1,28 @@
+name: test and build gem
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+    name: test + build
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Set up ruby 2.7
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.7
+
+    - name: rspec
+      run: |
+        gem install rspec
+        rspec
+    
+    - name: build gem
+      run: |
+        gem build cfn-vpn.gemspec
diff --git a/.github/workflows/release-gem.yml b/.github/workflows/release-gem.yml
@@ -0,0 +1,34 @@
+name: release gem
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  build:
+    name: Build + Publish Gem
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out the repo
+      uses: actions/checkout@v3
+
+    - name: Set up ruby 2.7
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.7
+
+    - name: rspec
+      run: |
+        gem install rspec
+        rspec
+    
+    - name: build gem
+      run: |
+        gem build cfn-vpn.gemspec
+    
+    - name: Publish gem
+      uses: dawidd6/action-publish-gem@v1
+      with:
+        api_key: ${{secrets.RUBYGEMS_API_KEY}}
+        github_token: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/release-image.yml b/.github/workflows/release-image.yml
@@ -0,0 +1,33 @@
+name: release docker image
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  build:
+    name: Build + Publish Container Image
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out the repo
+      uses: actions/checkout@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v1
+
+    - name: Login to  GitHub Container Repository
+      uses: docker/login-action@v1
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GHCR_PUSH_TOKEN }}
+
+    - name: Build and push Container Image to GitHub Container Repository
+      uses: docker/build-push-action@v3
+      with:
+        context: .
+        file: ./Dockerfile
+        push: true
+        tags: ghcr.io/base2services/cfnvpn:${{ github.event.release.tag_name }}
+        build-args: CFNVPN_VERSION=${{ github.event.release.tag_name }}
diff --git a/.travis.yml b/.travis.yml
diff --git a/Dockerfile b/Dockerfile
@@ -1,14 +1,15 @@
-FROM ruby:2.7-alpine
+FROM ruby:2.7
 
-RUN apk add --no-cache easy-rsa git \
-    # Hack until easy-rsa 3.0.7 is released https://github.com/OpenVPN/easy-rsa/issues/261
-    && sed -i 's/^RANDFILE\s*=\s\$ENV.*/#&/' /usr/share/easy-rsa/openssl-easyrsa.cnf \
+RUN apt-get update -qq \
+    && apt-get install -qqy \
+        easy-rsa \
+        git \
     && ln -s /usr/share/easy-rsa/easyrsa  /usr/bin/
 
 ENV EASYRSA=/usr/share/easy-rsa
 ENV EASYRSA_BATCH=yes
 
-ARG CFNVPN_VERSION="0.5.0"
+ARG CFNVPN_VERSION="1.5.0"
 
 COPY . /src
 
@@ -17,9 +18,9 @@ WORKDIR /src
 RUN gem build cfn-vpn.gemspec \
     && gem install cfn-vpn-${CFNVPN_VERSION}.gem \
     && rm -rf /src
-    
-RUN addgroup -g 1000 cfnvpn && \
-    adduser -D -u 1000 -G cfnvpn cfnvpn
+
+RUN addgroup --gid 1000 cfnvpn && \
+    adduser --home /home/cfnvpn --uid 1000 --disabled-password --gecos GECOS --gid 1000 cfnvpn
 
 USER cfnvpn
 

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,66 +1,75 @@
 PATH
   remote: .
   specs:
-    cfn-vpn (0.2.0)
+    cfn-vpn (0.5.0)
       aws-sdk-acm (~> 1, < 2)
       aws-sdk-cloudformation (~> 1, < 2)
       aws-sdk-ec2 (~> 1.95, < 2)
       aws-sdk-s3 (~> 1, < 2)
       cfhighlander (~> 0.9, < 1)
-      cfndsl (~> 0.17, < 1)
+      netaddr (= 2.0.4)
       terminal-table (~> 1, < 2)
       thor (~> 0.20)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    aws-eventstream (1.0.3)
-    aws-partitions (1.253.0)
-    aws-sdk-acm (1.23.0)
-      aws-sdk-core (~> 3, >= 3.56.0)
+    addressable (2.8.1)
+      public_suffix (>= 2.0.2, < 6.0)
+    aws-eventstream (1.2.0)
+    aws-partitions (1.707.0)
+    aws-sdk-acm (1.55.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-cloudformation (1.29.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
+    aws-sdk-cloudformation (1.76.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.85.1)
-      aws-eventstream (~> 1.0, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.239.0)
+    aws-sdk-core (3.170.0)
+      aws-eventstream (~> 1, >= 1.0.2)
+      aws-partitions (~> 1, >= 1.651.0)
+      aws-sigv4 (~> 1.5)
+      jmespath (~> 1, >= 1.6.1)
+    aws-sdk-ec2 (1.364.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
       aws-sigv4 (~> 1.1)
-      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.124.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
+    aws-sdk-kms (1.62.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.27.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.59.0)
-      aws-sdk-core (~> 3, >= 3.83.0)
+    aws-sdk-s3 (1.119.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
       aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.1.0)
-      aws-eventstream (~> 1.0, >= 1.0.2)
-    cfhighlander (0.10.7)
+      aws-sigv4 (~> 1.4)
+    aws-sigv4 (1.5.2)
+      aws-eventstream (~> 1, >= 1.0.2)
+    cfhighlander (0.12.8)
       aws-sdk-cloudformation (~> 1, < 2)
       aws-sdk-core (~> 3, < 4)
       aws-sdk-ec2 (~> 1, < 2)
       aws-sdk-s3 (~> 1, < 2)
-      cfndsl (= 0.17.2)
+      cfndsl (~> 1.3, < 2)
       duplicate (~> 1.1)
       git (~> 1.4, < 2)
       highline (>= 1.7.10, < 1.8)
       rubyzip (>= 2.0.0, < 3)
       thor (~> 0.20, < 1)
-    cfndsl (0.17.2)
+    cfndsl (1.6.0)
+      hana (~> 1.3)
     duplicate (1.1.1)
-    git (1.5.0)
+    git (1.13.2)
+      addressable (~> 2.8)
+      rchardet (~> 1.8)
+    hana (1.3.7)
     highline (1.7.10)
-    jmespath (1.4.0)
+    jmespath (1.6.2)
+    netaddr (2.0.4)
+    public_suffix (5.0.1)
     rake (10.5.0)
-    rubyzip (2.0.0)
+    rchardet (1.8.0)
+    rubyzip (2.3.2)
     terminal-table (1.8.0)
       unicode-display_width (~> 1.1, >= 1.1.1)
     thor (0.20.3)
-    unicode-display_width (1.6.0)
+    unicode-display_width (1.8.0)
 
 PLATFORMS
   ruby
@@ -71,4 +80,4 @@ DEPENDENCIES
   rake (~> 10.0)
 
 BUNDLED WITH
-   2.0.1
+   2.3.13
diff --git a/lib/cfnvpn.rb b/lib/cfnvpn.rb
@@ -9,6 +9,7 @@
 require 'cfnvpn/routes'
 require 'cfnvpn/share'
 require 'cfnvpn/embedded'
+require 'cfnvpn/renew_certificate'
 
 module CfnVpn
   class Cli < Thor
@@ -21,6 +22,9 @@ def __print_version
 
     register CfnVpn::Init, 'init', 'init [name]', 'Create a AWS Client VPN'
     tasks["init"].options = CfnVpn::Init.class_options
+
+    register CfnVpn::RenewCertificate, 'renew', 'renew [name]', 'Create a AWS Client VPN'
+    tasks["renew"].options = CfnVpn::RenewCertificate.class_options
 
     register CfnVpn::Modify, 'modify', 'modify [name]', 'Modify your AWS Client VPN'
     tasks["modify"].options = CfnVpn::Modify.class_options

diff --git a/lib/cfnvpn/certificates.rb b/lib/cfnvpn/certificates.rb
@@ -48,6 +48,65 @@ def generate_ca(server_cn,client_cn)
       end
     end
 
+    def renew(server_cn,client_cn,expiry=nil)
+      opts = ""
+      unless expiry.nil?
+        opts += "--days=#{expiry}"
+      end
+
+      if @easyrsa_local
+        ENV["EASYRSA_REQ_CN"] = server_cn
+        ENV["EASYRSA_PKI"] = @pki_dir
+        system("tar xzfv #{@cert_dir}/ca.tar.gz --directory #{@build_dir}")
+        system("easyrsa #{opts} renew server nopass")
+        system("easyrsa #{opts} renew #{client_cn} nopass")
+        FileUtils.cp(["#{@pki_dir}/ca.crt", "#{@pki_dir}/issued/server.crt", "#{@pki_dir}/private/server.key", "#{@pki_dir}/issued/#{client_cn}.crt", "#{@pki_dir}/private/#{client_cn}.key"], @cert_dir)
+        system("tar czfv #{@cert_dir}/ca.tar.gz -C #{@build_dir} pki/")
+      else
+        @docker_cmd << "-e EASYRSA_REQ_CN=#{server_cn}"
+        @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+        @docker_cmd << "-e EASYRSA_OPTS=\"#{opts}\""
+        @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+        @docker_cmd << @easyrsa_image
+        @docker_cmd << "sh -c 'renew'"
+        CfnVpn::Log.logger.debug `#{@docker_cmd.join(' ')}`
+      end
+    end
+
+    def rebuild(server_cn,client_cn,expiry=nil)
+      timestamp = Time.now.getutc.to_i
+      opts = ""
+      unless expiry.nil?
+        opts += "--days=#{expiry}"
+      end
+
+      if @easyrsa_local
+        ENV["EASYRSA_REQ_CN"] = server_cn
+        ENV["EASYRSA_PKI"] = @pki_dir
+        system("tar xzfv #{@cert_dir}/ca.tar.gz --directory #{@build_dir}")
+
+        FileUtils.mv("#{@pki_dir}/reqs/server.req", "#{@pki_dir}/reqs/server.req.bak-#{timestamp}")
+        FileUtils.mv("#{@pki_dir}/issued/server.crt", "#{@pki_dir}/issued/server.req.bak-#{timestamp}")
+        FileUtils.mv("#{@pki_dir}/private/server.key", "#{@pki_dir}/private/server.req.bak-#{timestamp}")
+        FileUtils.mv("#{@pki_dir}/reqs/#{client_cn}.req", "#{@pki_dir}/reqs/#{client_cn}.req.bak-#{timestamp}")
+        FileUtils.mv("#{@pki_dir}/issued/#{client_cn}.crt", "#{@pki_dir}/issued/#{client_cn}.req.bak-#{timestamp}")
+        FileUtils.mv("#{@pki_dir}/private/#{client_cn}.key", "#{@pki_dir}/private/#{client_cn}.req.bak-#{timestamp}")
+
+        system("easyrsa #{opts} build-server-full server nopass")
+        system("easyrsa #{opts} build-client-full #{client_cn} nopass")
+        FileUtils.cp(["#{@pki_dir}/ca.crt", "#{@pki_dir}/issued/server.crt", "#{@pki_dir}/private/server.key", "#{@pki_dir}/issued/#{client_cn}.crt", "#{@pki_dir}/private/#{client_cn}.key"], @cert_dir)
+        system("tar czfv #{@cert_dir}/ca.tar.gz -C #{@build_dir} pki/")
+      else
+        @docker_cmd << "-e EASYRSA_REQ_CN=#{server_cn}"
+        @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+        @docker_cmd << "-e EASYRSA_OPTS=\"#{opts}\""
+        @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+        @docker_cmd << @easyrsa_image
+        @docker_cmd << "sh -c 'rebuild'"
+        CfnVpn::Log.logger.debug `#{@docker_cmd.join(' ')}`
+      end
+    end
+
     def generate_client(client_cn)
       if @easyrsa_local
         ENV["EASYRSA_PKI"] = @pki_dir