From 689ff5e4aabadc38fa7ff6a5df09e56517816d72 Mon Sep 17 00:00:00 2001
From: Aaron Turner
Date: Wed, 20 Aug 2014 14:25:58 -0700
Subject: [PATCH 1/5] Include the ssh cert serial in the URL so that users can have multiple certs available in S3 at the same time (still will only have one active/loaded cert in ssh-agent)
---
 scripts/sign_key | 4 ++--
 ssh_ca/__init__.py | 2 +-
 ssh_ca/s3.py | 7 ++++---
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/scripts/sign_key b/scripts/sign_key
index 08bae13..6dc2683 100755
--- a/scripts/sign_key
+++ b/scripts/sign_key
@@ -180,13 +180,13 @@ if __name__ == '__main__':
 principal = ['ec2-user', 'ubuntu']
 # Sign the key
- cert_contents = ca.sign_public_user_key(
+ ( cert_contents, serial ) = ca.sign_public_user_key(
 public_path, username, starts_in, expires_in,
 reason, principal)
 print
 print 'Public key signed, certificate available for download here:'
- print ca.upload_public_key_cert(username, cert_contents, url_expires)
+ print ca.upload_public_key_cert(username, serial, cert_contents, url_expires)
 if delete_public_key:
 os.remove(public_path)
diff --git a/ssh_ca/__init__.py b/ssh_ca/__init__.py
index 3d315bc..fb743b3 100755
--- a/ssh_ca/__init__.py
+++ b/ssh_ca/__init__.py
@@ -115,7 +115,7 @@ def sign_public_user_key(self, public_key_filename, username, starts_in,
 serial, starts_in, expires_in, username, self.ca_key, reason, principals)
- return self.get_cert_contents(public_key_filename)
+ return [ self.get_cert_contents(public_key_filename), serial ]
 def get_cert_contents(self, public_key_filename):
 if public_key_filename.endswith('.pub'):
diff --git a/ssh_ca/s3.py b/ssh_ca/s3.py
index 9167f38..45b3e60 100755
--- a/ssh_ca/s3.py
+++ b/ssh_ca/s3.py
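Review bot: The new `return [ self.get_cert_contents(public_key_filename), serial ]` in sign_public_user_key hands back a mutable list for what is a fixed pair; a tuple, `return self.get_cert_contents(public_key_filename), serial`, matches how scripts/sign_key unpacks it and signals that the shape is fixed. The change also alters the method's return type for every caller, not only the script touched here, so the method's docstring (outside this hunk) should state that it now returns (cert_contents, serial). The enclosing method starts outside the hunk.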
@@ -60,12 +60,13 @@ def upload_public_key(self, username, key_contents):
 k = self.ssh_bucket.new_key('keys/%s' % (username,))
 k.set_contents_from_string(key_contents, replace=True)
- def upload_public_key_cert(self, username, cert_contents, expires=7200):
- k = self.ssh_bucket.new_key('certs/%s-cert.pub' % (username,))
+ def upload_public_key_cert(self, username, serial, cert_contents,
+ expires=7200):
+ k = self.ssh_bucket.new_key('certs/%s-%s-cert.pub' % (username, serial))
 k.set_contents_from_string(
 cert_contents,
 headers={'Content-Type': 'text/plain'},
- replace=True,
+ replace=False,
 )
 return k.generate_url(expires)
From 73153fa7dccc67fc1b3b3fc5dc125b0eb33aa0ed Mon Sep 17 00:00:00 2001
From: Aaron Turner
Date: Wed, 20 Aug 2014 14:25:58 -0700
Subject: [PATCH 2/5] Include the ssh cert serial in the URL so that users can have multiple certs available in S3 at the same time (still will only have one active/loaded cert in ssh-agent)
---
 scripts/sign_key | 4 ++--
 ssh_ca/__init__.py | 2 +-
 ssh_ca/s3.py | 7 ++++---
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/scripts/sign_key b/scripts/sign_key
index 08bae13..6dc2683 100755
--- a/scripts/sign_key
+++ b/scripts/sign_key
@@ -180,13 +180,13 @@ if __name__ == '__main__':
 principal = ['ec2-user', 'ubuntu']
 # Sign the key
- cert_contents = ca.sign_public_user_key(
+ ( cert_contents, serial ) = ca.sign_public_user_key(
 public_path, username, starts_in, expires_in,
 reason, principal)
 print
 print 'Public key signed, certificate available for download here:'
- print ca.upload_public_key_cert(username, cert_contents, url_expires)
+ print ca.upload_public_key_cert(username, serial, cert_contents, url_expires)
 if delete_public_key:
 os.remove(public_path)
diff --git a/ssh_ca/__init__.py b/ssh_ca/__init__.py
index 3d315bc..fb743b3 100755
--- a/ssh_ca/__init__.py
+++ b/ssh_ca/__init__.py
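Review bot: With `replace=False`, boto 2's set_contents_from_string looks the key up first and, as far as I recall, simply returns without uploading and without raising when it already exists, yet the method still falls through to `return k.generate_url(expires)`, so on a serial collision the operator is handed a URL to an older certificate than the one just signed. If the intent is never to overwrite, check explicitly and fail loudly before the upload, e.g. `if self.ssh_bucket.get_key(k.name) is not None: raise ValueError('certificate already exists: %s' % k.name)`. Note that PATCH 5/5 in this series flips the flag back to `replace=True`, so the check only matters if non-overwrite is the behaviour you actually want.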
@@ -115,7 +115,7 @@ def sign_public_user_key(self, public_key_filename, username, starts_in,
 serial, starts_in, expires_in, username, self.ca_key, reason, principals)
- return self.get_cert_contents(public_key_filename)
+ return [ self.get_cert_contents(public_key_filename), serial ]
 def get_cert_contents(self, public_key_filename):
 if public_key_filename.endswith('.pub'):
diff --git a/ssh_ca/s3.py b/ssh_ca/s3.py
index 9167f38..45b3e60 100755
--- a/ssh_ca/s3.py
+++ b/ssh_ca/s3.py
@@ -60,12 +60,13 @@ def upload_public_key(self, username, key_contents):
 k = self.ssh_bucket.new_key('keys/%s' % (username,))
 k.set_contents_from_string(key_contents, replace=True)
- def upload_public_key_cert(self, username, cert_contents, expires=7200):
- k = self.ssh_bucket.new_key('certs/%s-cert.pub' % (username,))
+ def upload_public_key_cert(self, username, serial, cert_contents,
+ expires=7200):
+ k = self.ssh_bucket.new_key('certs/%s-%s-cert.pub' % (username, serial))
 k.set_contents_from_string(
 cert_contents,
 headers={'Content-Type': 'text/plain'},
- replace=True,
+ replace=False,
 )
 return k.generate_url(expires)
From 0c0c5bb360248d1e44dfab5cd86689979fc784c7 Mon Sep 17 00:00:00 2001
From: Aaron Turner
Date: Wed, 20 Aug 2014 14:31:02 -0700
Subject: [PATCH 3/5] fix pep8
---
 scripts/sign_key | 4 ++--
 ssh_ca/__init__.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/sign_key b/scripts/sign_key
index 6dc2683..a4ebf70 100755
--- a/scripts/sign_key
+++ b/scripts/sign_key
@@ -180,8 +180,8 @@ if __name__ == '__main__':
 principal = ['ec2-user', 'ubuntu']
 # Sign the key
- ( cert_contents, serial ) = ca.sign_public_user_key(
- public_path, username, starts_in, expires_in,
+ (cert_contents, serial) = ca.sign_public_user_key(
+ public_path, username, starts_in, expires_in,
 reason, principal)
 print
diff --git a/ssh_ca/__init__.py b/ssh_ca/__init__.py
index fb743b3..17a7d11 100755
--- a/ssh_ca/__init__.py
+++ b/ssh_ca/__init__.py
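Review bot: This s3.py hunk in PATCH 2/5 is a byte-for-byte repeat of the one in PATCH 1/5 (same `index 9167f38..45b3e60`, same subject and timestamp, and the sign_key and __init__.py hunks repeat `08bae13..6dc2683` and `3d315bc..fb743b3` as well), so its pre-image is the state PATCH 1/5 has already rewritten and `git am` will most likely stop on it with "does not apply". Drop the duplicate commit from the series rather than resolving it by hand, so the history does not record the same change twice under two hashes.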
@@ -115,7 +115,7 @@ def sign_public_user_key(self, public_key_filename, username, starts_in,
 serial, starts_in, expires_in, username, self.ca_key, reason, principals)
- return [ self.get_cert_contents(public_key_filename), serial ]
+ return [self.get_cert_contents(public_key_filename), serial]
 def get_cert_contents(self, public_key_filename):
 if public_key_filename.endswith('.pub'):
From 501ae8cef891034bf3e53ecf7cebe9a444f342dc Mon Sep 17 00:00:00 2001
From: Aaron Turner
Date: Wed, 20 Aug 2014 15:54:20 -0700
Subject: [PATCH 4/5] switch to using the envirtonment instead of serial fix last pep8 error
---
 scripts/sign_key | 5 +++--
 ssh_ca/__init__.py | 2 +-
 ssh_ca/s3.py | 6 +++---
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/scripts/sign_key b/scripts/sign_key
index a4ebf70..81a7d51 100755
--- a/scripts/sign_key
+++ b/scripts/sign_key
@@ -180,13 +180,14 @@ if __name__ == '__main__':
 principal = ['ec2-user', 'ubuntu']
 # Sign the key
- (cert_contents, serial) = ca.sign_public_user_key(
+ cert_contents = ca.sign_public_user_key(
 public_path, username, starts_in, expires_in,
 reason, principal)
 print
 print 'Public key signed, certificate available for download here:'
- print ca.upload_public_key_cert(username, serial, cert_contents, url_expires)
+ print ca.upload_public_key_cert(username, environment, cert_contents,
+ url_expires)
 if delete_public_key:
 os.remove(public_path)
diff --git a/ssh_ca/__init__.py b/ssh_ca/__init__.py
index 17a7d11..3d315bc 100755
--- a/ssh_ca/__init__.py
+++ b/ssh_ca/__init__.py
@@ -115,7 +115,7 @@ def sign_public_user_key(self, public_key_filename, username, starts_in,
 serial, starts_in, expires_in, username, self.ca_key, reason, principals)
- return [self.get_cert_contents(public_key_filename), serial]
+ return self.get_cert_contents(public_key_filename)
 def get_cert_contents(self, public_key_filename):
 if public_key_filename.endswith('.pub'):
diff --git a/ssh_ca/s3.py b/ssh_ca/s3.py
index 45b3e60..82caa81 100755
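Review bot: After this sign_key hunk the serial is no longer available to the script (the unpacking is reverted to `cert_contents = ca.sign_public_user_key(`), so the only thing the operator sees is a download URL; the serial is exactly what an OpenSSH KRL needs to revoke one certificate without revoking the user's key. If the CA does not already record the serial somewhere else, which cannot be seen from this hunk, consider keeping the pair return and printing it, e.g. `print 'Certificate serial: %s' % serial`, or logging it inside sign_public_user_key where it is generated. `environment` is not defined within the hunk; I assume it is parsed earlier in the `__main__` block, which starts outside the hunk.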
--- a/ssh_ca/s3.py
+++ b/ssh_ca/s3.py
@@ -60,9 +60,9 @@ def upload_public_key(self, username, key_contents):
 k = self.ssh_bucket.new_key('keys/%s' % (username,))
 k.set_contents_from_string(key_contents, replace=True)
- def upload_public_key_cert(self, username, serial, cert_contents,
- expires=7200):
- k = self.ssh_bucket.new_key('certs/%s-%s-cert.pub' % (username, serial))
+ def upload_public_key_cert(self, username, env, cert_contents,
+ expires=7200):
+ k = self.ssh_bucket.new_key('certs/%s-%s-cert.pub' % (username, env))
 k.set_contents_from_string(
 cert_contents,
 headers={'Content-Type': 'text/plain'},
From 46cca6d804618615fba2f0fed228880cdb1a50dd Mon Sep 17 00:00:00 2001
From: Aaron Turner
Date: Thu, 21 Aug 2014 10:30:01 -0700
Subject: [PATCH 5/5] need to be able to replace user public key certs
---
 ssh_ca/s3.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssh_ca/s3.py b/ssh_ca/s3.py
index 82caa81..1e9ed03 100755
--- a/ssh_ca/s3.py
+++ b/ssh_ca/s3.py
@@ -66,7 +66,7 @@ def upload_public_key_cert(self, username, env, cert_contents,
 k.set_contents_from_string(
 cert_contents,
 headers={'Content-Type': 'text/plain'},
- replace=False,
+ replace=True,
 )
 return k.generate_url(expires)
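Review bot: The object key `'certs/%s-%s-cert.pub' % (username, env)` joins two caller-supplied strings with `-`, so the pairs (`alice-prod`, `x`) and (`alice`, `prod-x`) map to the same key; once overwriting is allowed later in this series, one user's certificate can silently replace another's and the presigned URL returned by this method points at the wrong file. Whether usernames or environment names can contain `-` is not visible here; if they can, either validate both against a strict pattern before building the key or use a separator that cannot appear in either, e.g. `'certs/%s/%s-cert.pub' % (username, env)`, which also keeps a per-user listing prefix. The enclosing method ends outside the hunk.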
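Review bot: With `replace=True` every signing for the same (username, env) silently overwrites the previous certificate object, so the record of what was issued before — serial, principals, validity window — is gone unless the bucket has versioning enabled or the CA logs issuance elsewhere, neither of which is visible here; that record is what you need to build a KRL during an incident. If the overwrite is intended, say so at the call site, e.g. `# Re-signing overwrites the previous cert for this user/env; earlier issuances are only recoverable if the bucket is versioned`, and confirm that an issuance log exists or turn on bucket versioning. The enclosing method starts outside the hunk.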