chef-ssl-client 0.0.6

data/README.rdoc

@@ -0,0 +1,6 @@
+=NAME
+
+"chef-ssl" Client
+
+
+

data/Rakefile

@@ -0,0 +1,8 @@
+require "bundler/gem_tasks"
+require 'rspec/core/rake_task'
+
+desc 'Default: run specs.'
+task :default => :spec
+
+desc "Run specs"
+RSpec::Core::RakeTask.new

data/bin/chef-ssl

@@ -0,0 +1,7 @@
+require "rubygems"
+require "commander/import"
+require "chef-ssl/client"
+
+HighLine.colorize_strings
+
+load File.expand_path('../lib/chef-ssl/command.rb', File.dirname(__FILE__))

data/lib/chef-ssl/client/issued_certificate.rb

@@ -0,0 +1,69 @@
+module ChefSSL
+  class Client
+    class CertSaveFailed < StandardError; end
+
+    class IssuedCertificate
+
+      DATABAG = "certificates"
+
+      def initialize(req, cert, ca=nil)
+        @ca = ca
+        @req = req
+        @cert = cert
+      end
+
+      def to_pem
+        @cert.to_pem
+      end
+
+      def sha1_fingerprint
+        @cert.sha1_fingerprint
+      end
+
+      def subject
+        @cert.subject.to_s
+      end
+
+      def issuer
+        @cert.issuer.to_s
+      end
+
+      def not_after
+        @cert.not_after
+      end
+
+      def save!
+        begin
+          Spice.create_data_bag(DATABAG)
+        rescue Spice::Error::Conflict
+          nil
+        end
+
+        data = {
+          :name => DATABAG,
+          :id => @req.id,
+          :dn => @req.subject,
+          :ca => @req.ca,
+          :csr => @req.to_pem,
+          :key => @req.key,
+          :type => @req.type,
+          :date => Time.now.to_s,
+          :host => @req.host,
+          :certificate => @cert.to_pem
+        }
+        unless @ca.nil?
+          data[:cacert] = @ca.certificate.to_pem
+        end
+
+        begin
+          ret = Spice.create_data_bag_item(DATABAG, data)
+        rescue Spice::Error::Conflict
+          raise CertSaveFailed.new("Conflict - certificate data bag exists for #{@req.subject}, id #{@req.id}")
+        rescue Spice::Error::ClientError => e
+          raise CertSaveFailed.new(e.message)
+        end
+      end
+
+    end
+  end
+end

data/lib/chef-ssl/client/request.rb

@@ -0,0 +1,42 @@
+module ChefSSL
+  class Client
+    class Request
+
+      attr_reader :host, :csr, :type, :ca, :id, :name, :key, :days
+
+      def initialize(host, data, csr=nil)
+        @host = host
+        @csr = csr || EaSSL::SigningRequest.new.load(data['csr'])
+        @type = data['type']
+        @ca = data['ca']
+        @id = data['id']
+        @name = data['name']
+        @key = data['key']
+        @days = data['days'] || (365 * 5)
+      end
+
+      def subject
+        @csr.subject.to_s
+      end
+
+      def to_pem
+        @csr.to_pem
+      end
+
+      def issue_certificate(cert_text)
+        cert = EaSSL::Certificate.new({}).load(cert_text)
+        IssuedCertificate.new(self, cert)
+      end
+
+      def self.create(key, type, options)
+        name = EaSSL::CertificateName.new(options)
+        csr  = EaSSL::SigningRequest.new(:name => name, :key => key)
+
+        data = {
+          :type => type
+        }
+        self.new('localhost', data, csr)
+      end
+    end
+  end
+end

data/lib/chef-ssl/client/signing_authority.rb

@@ -0,0 +1,83 @@
+module ChefSSL
+  class Client
+    class SigningAuthority
+
+      def self.load(options)
+        ca = EaSSL::CertificateAuthority.load(
+          :ca_path => options[:path],
+          :ca_password => options[:password]
+          )
+        self.new(ca)
+      end
+
+      def initialize(ca)
+        @ca = ca
+      end
+
+      def dn
+        @ca.certificate.subject.to_s
+      end
+
+      def sign(req)
+        cert = @ca.create_certificate(req.csr, req.type, req.days)
+        IssuedCertificate.new(req, cert, @ca)
+      end
+
+      def self.create(name, path, passphrase)
+        config = {
+          :ca_dir => path,
+          :password => passphrase,
+          :ca_rsa_key_length => 1024,
+          :ca_cert_days => 3650,
+          :name => name
+        }
+        config[:serial_file] = File.join(config[:ca_dir], 'serial.txt')
+        config[:keypair_file] = File.join(config[:ca_dir], 'cakey.pem')
+        config[:cert_file] = File.join(config[:ca_dir], 'cacert.pem')
+
+        Dir.mkdir config[:ca_dir]
+        Dir.mkdir File.join(config[:ca_dir], 'private'), 0700
+        Dir.mkdir File.join(config[:ca_dir], 'newcerts')
+        Dir.mkdir File.join(config[:ca_dir], 'crl')
+
+        File.open config[:serial_file], 'w' do |f| f << '1' end
+
+        keypair = OpenSSL::PKey::RSA.new config[:ca_rsa_key_length]
+
+        cert = OpenSSL::X509::Certificate.new
+        cert.subject = cert.issuer = config[:name]
+        cert.not_before = Time.now
+        cert.not_after = Time.now + config[:ca_cert_days] * 24 * 60 * 60
+        cert.public_key = keypair.public_key
+        cert.serial = 0x0
+        cert.version = 2 # X509v3
+
+        ef = OpenSSL::X509::ExtensionFactory.new
+        ef.subject_certificate = cert
+        ef.issuer_certificate = cert
+        cert.extensions = [
+          ef.create_extension("basicConstraints", "CA:TRUE", true),
+          ef.create_extension("nsComment", "Ruby/OpenSSL/chef-ssl Generated Certificate"),
+          ef.create_extension("subjectKeyIdentifier", "hash"),
+          ef.create_extension("keyUsage", "cRLSign,keyCertSign", true),
+        ]
+        cert.add_extension ef.create_extension("authorityKeyIdentifier",
+          "keyid:always,issuer:always")
+        cert.sign keypair, OpenSSL::Digest::SHA1.new
+
+        keypair_export = keypair.export OpenSSL::Cipher::DES.new(:EDE3, :CBC),
+        config[:password]
+
+        File.open config[:keypair_file], "w", 0400 do |fp|
+          fp << keypair_export
+        end
+
+        File.open config[:cert_file], "w", 0644 do |f|
+          f << cert.to_pem
+        end
+      end
+    end
+  end
+end
+
+

data/lib/chef-ssl/client/version.rb

@@ -0,0 +1,5 @@
+module ChefSSL
+  class Client
+    VERSION = '0.0.6'
+  end
+end

data/lib/chef-ssl/client.rb

@@ -0,0 +1,64 @@
+require 'spice'
+require 'eassl'
+require 'json'
+require 'openssl'
+require 'digest/sha2'
+require 'active_support/hash_with_indifferent_access'
+require 'chef/config'
+require 'chef/node'
+
+require 'chef-ssl/client/version'
+require 'chef-ssl/client/request'
+require 'chef-ssl/client/signing_authority'
+require 'chef-ssl/client/issued_certificate'
+
+module ChefSSL
+  class Client
+
+    def initialize
+      path = File.expand_path('knife.rb', '~/.chef')
+      Chef::Config.from_file(path)
+      Spice.reset
+      Spice.setup do |s|
+        s.server_url = Chef::Config.chef_server_url
+        s.client_name = Chef::Config.node_name
+        s.client_key = Spice.read_key_file(File.expand_path(Chef::Config.client_key))
+      end
+    end
+
+    def self.load_authority(options)
+      SigningAuthority.load(
+        :path => options[:path],
+        :password => options[:password]
+      )
+    end
+
+    def ca_search(ca=nil)
+      if ca
+        nodes = Spice.nodes("csr_outbox_*_ca:#{ca}")
+      else
+        nodes = Spice.nodes("csr_outbox_*")
+      end
+      nodes.each do |node|
+        node.normal['csr_outbox'].each do |id, data|
+          next if data['csr'].nil? # XXX warn, raise?
+          yield Request.new(node.name, data)
+        end
+      end
+    end
+
+    def common_name_search(name)
+      name_sha = Digest::SHA256.new << name
+      cert_id = name_sha.to_s
+      nodes = Spice.nodes("csr_outbox_*_id:#{cert_id}")
+      nodes.each do |node|
+        node.normal['csr_outbox'].each do |id, data|
+          next unless data['id'] == cert_id
+          next if data['csr'].nil? # XXX warn, raise?
+          yield Request.new(node.name, data)
+        end
+      end
+    end
+
+  end
+end

data/lib/chef-ssl/command.rb

@@ -0,0 +1,260 @@
+program :name, "chef-ssl"
+program :version, ChefSSL::Client::VERSION
+program :description, "Chef-automated SSL certificate signing tool"
+program :help_formatter, :compact
+
+default_command :help
+
+command :issue do |c|
+  c.syntax = "chef-ssl issue [options]"
+  c.description = "Issue an ad hoc certificate"
+  c.example "Issue cert for www.venda.com",
+            "chef-ssl issue --ca-path ./myCA --dn /CN=foo --type server"
+
+  c.option "--ca-path=STRING", String, "the path to the new CA"
+  c.option "--dn=STRING", String, "the distinguished name for the new certificate"
+  c.option "--type=STRING", String, "the type of certificate, client or server"
+
+  c.action do |args, options|
+    raise "CA path is required" unless options.ca_path
+    raise "DN is required" unless options.dn
+    raise "type is required" unless options.type
+
+    begin
+      dn = OpenSSL::X509::Name.parse(options.dn)
+    rescue NoMethodError
+      raise "--dn is required and must be a distinguished name"
+    rescue TypeError
+      raise "--dn is required and must be a distinguished name"
+    rescue OpenSSL::X509::NameError => e
+      raise "--dn must specify a valid DN: #{e.message}"
+    end
+
+    unless options.type == 'server' || options.type == 'client'
+      raise "type must be server or client"
+    end
+
+    authority = ChefSSL::Client.load_authority(
+      :password => ask("Enter CA passphrase:  ") { |q| q.echo = false },
+      :path => options.ca_path
+    )
+
+    key = EaSSL::Key.new
+
+    h = dn.to_a.reduce({}) { |h, elem| h[elem[0]] = elem[1]; h }
+    name = {
+      :city => h['L'],
+      :state => h['ST'],
+      :country => h['C'],
+      :department => h['OU'],
+      :common_name => h['CN'],
+      :organization => h['O'],
+      :email => h['emailAddress']
+    }
+
+    req = ChefSSL::Client::Request.create(key, options.type, name)
+    cert = authority.sign(req)
+
+    puts "#{'Key:'.cyan}"
+    puts HighLine.color(key.private_key.to_s, :bright_black)
+    puts
+    puts "#{'Certificate:'.cyan} SHA1 Fingerprint=#{cert.sha1_fingerprint}"
+    puts HighLine.color(cert.to_pem, :bright_black)
+  end
+end
+
+command :makeca do |c|
+  c.syntax = "chef-ssl makeca [options]"
+  c.description = "Creates a new CA"
+  c.example "Upload cert for CSR www.venda.com",
+            "chef-ssl makeca --ca-name '/CN=My New CA' --ca-path ./newCA"
+
+  c.option "--ca-path=STRING", String, "the path to the new CA"
+  c.option "--ca-name=STRING", String, "the distinguished name of the new CA"
+
+  c.action do |args, options|
+    begin
+      name = OpenSSL::X509::Name.parse(options.ca_name)
+    rescue NoMethodError
+      raise "--ca-name is required and must be a distinguished name"
+    rescue TypeError
+      raise "--ca-name is required and must be a distinguished name"
+    rescue OpenSSL::X509::NameError => e
+      raise "--ca-name must specify a valid DN: #{e.message}"
+    end
+
+    raise "CA path is required" unless options.ca_path
+    raise "CA path must not already exist" if Dir.glob(options.ca_path).length > 0
+
+    puts "#{'New CA DN'.cyan}: #{name.to_s}"
+    puts
+
+    passphrase = ask("Enter new CA passphrase:  ") { |q| q.echo = false }
+    passphrase2 = ask("Re-enter new CA passphrase:  ") { |q| q.echo = false }
+    raise "passphrases do not match" unless passphrase == passphrase2
+
+    print "\n#{'Creating new CA'.cyan}: "
+    ChefSSL::Client::SigningAuthority.create(name, options.ca_path, passphrase)
+    puts "done"
+  end
+end
+
+command :search do |c|
+  c.syntax = "chef-ssl search [options]"
+  c.description = "Searches for outstanding CSRs"
+  c.example "Search for all CSRs awaiting signing by CA bob",
+            "chef-ssl search --ca-name bob"
+
+  c.option "--ca-name=STRING", String, "a name of a CA to limit the search by"
+
+  c.action do |args, options|
+    client = ChefSSL::Client.new
+
+    puts "#{'Search CA'.cyan}: #{options.ca_name}" if options.ca_name
+
+    client.ca_search(options.ca_name) do |req|
+      puts
+      puts "#{'     Node Hostname'.cyan}: #{req.host}"
+      puts "#{'  Certificate Type'.cyan}: #{req.type.bold}"
+      puts "#{'    Certificate DN'.cyan}: #{req.subject.bold}"
+      puts "#{'      Requested CA'.cyan}: #{req.ca.bold}"
+      puts "#{'Requested Validity'.cyan}: #{req.days.to_s.bold} days"
+      puts
+      puts HighLine.color(req.to_pem, :bright_black)
+    end
+  end
+end
+
+command :sign do |c|
+  c.syntax = "chef-ssl sign [options]"
+  c.description = "Search for the given CSR by name and provide a signed certificate"
+  c.example "Provide signed cert for CSR www.venda.com",
+            "chef-ssl --name www.venda.com"
+
+  c.option "--name=STRING", String, "common name of the CSR to search for"
+
+  c.action do |args, options|
+
+    raise "--name is required" unless options.name
+
+    client = ChefSSL::Client.new
+
+    puts "#{'Search name'.cyan}: #{options.name}"
+
+    client.common_name_search(options.name) do |req|
+      puts
+      puts "#{'     Node Hostname'.cyan}: #{req.host}"
+      puts "#{'  Certificate Type'.cyan}: #{req.type.bold}"
+      puts "#{'    Certificate DN'.cyan}: #{req.subject.bold}"
+      puts "#{'      Requested CA'.cyan}: #{req.ca.bold}"
+      puts "#{'Requested Validity'.cyan}: #{req.days.to_s.bold} days"
+      puts
+      puts HighLine.color(req.to_pem, :bright_black)
+
+      cert = nil
+
+      HighLine.new.choose do |menu|
+        menu.layout = :one_line
+        menu.prompt = "Sign this? "
+
+        menu.choice :yes do
+          cert_text = ask("Paste cert text") do |q|
+            q.gather = ""
+          end
+          cert = req.issue_certificate(cert_text.join("\n"))
+        end
+        menu.choice :no do
+          nil
+        end
+      end
+
+      if cert
+        puts "#{' Signed:'.cyan} SHA1 Fingerprint=#{cert.sha1_fingerprint}"
+        puts "#{'Subject:'.cyan} #{cert.subject}"
+        puts "#{' Issuer:'.cyan} #{cert.issuer}"
+        puts HighLine.color(cert.to_pem, :bright_black)
+
+        unless cert.subject == req.subject
+          puts "#{'WARNING:'.red.bold} #{'Issued certificate DN does not match request DN!'.bold}"
+        end
+
+        HighLine.new.choose do |menu|
+          menu.layout = :one_line
+          menu.prompt = "Save certificate? "
+
+          menu.choice :yes do
+            begin
+              cert.save!
+              puts "Saved OK"
+            rescue ChefSSL::Client::CertSaveFailed => e
+              puts "Error saving: #{e.message}"
+            end
+          end
+          menu.choice :no do
+            nil
+          end
+        end
+      end
+    end
+  end
+end
+
+command :autosign do |c|
+  c.syntax = "chef-ssl autosign [options]"
+  c.description = "Search for CSRs and sign them with the given CA"
+  c.example "Sign with 'CA'",
+            "chef-ssl --ca-path CA --ca-name autoCA"
+
+  c.option "--ca-path=STRING", String, "the path to the signing CA"
+  c.option "--ca-name=STRING", String, "the name of the signing CA"
+
+  c.action do |args, options|
+
+    raise "--ca-path is required" unless options.ca_path
+    raise "--ca-name is required" unless options.ca_name
+
+    authority = ChefSSL::Client.load_authority(
+      :password => ask("Enter CA passphrase:  ") { |q| q.echo = false },
+      :path => options.ca_path
+    )
+
+    client = ChefSSL::Client.new
+
+    puts "#{'Search CA'.cyan}: #{options.ca_name}"
+
+    client.ca_search(options.ca_name) do |req|
+      puts
+      puts "#{'     Node Hostname'.cyan}: #{req.host}"
+      puts "#{'  Certificate Type'.cyan}: #{req.type.bold}"
+      puts "#{'    Certificate DN'.cyan}: #{req.subject.bold}"
+      puts "#{'      Requested CA'.cyan}: #{req.ca.bold}"
+      puts "#{'Requested Validity'.cyan}: #{req.days.to_s.bold} days"
+      puts
+      puts HighLine.color(req.to_pem, :bright_black)
+
+      HighLine.new.choose do |menu|
+        menu.layout = :one_line
+        menu.prompt = "#{'Sign with'.cyan}: #{HighLine.color(authority.dn, :bold)}\nSign this? "
+
+        menu.choice :yes do
+          cert = authority.sign(req)
+          puts
+          puts "#{'Signed:'.cyan} SHA1 Fingerprint=#{cert.sha1_fingerprint}"
+          puts HighLine.color(cert.to_pem, :bright_black)
+          begin
+            cert.save!
+            puts "Saved OK"
+          rescue ChefSSL::Client::CertSaveFailed => e
+            puts "Error saving: #{e.message}"
+          end
+        end
+
+        menu.choice :no do
+          nil
+        end
+      end
+    end
+
+    puts "All CSRs processed."
+  end
+end

metadata

@@ -0,0 +1,177 @@
+--- !ruby/object:Gem::Specification
+name: chef-ssl-client
+version: !ruby/object:Gem::Version
+  version: 0.0.6
+  prerelease: 
+platform: ruby
+authors:
+- Venda
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-07-23 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: chef
+  requirement: &2163253520 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.10.0
+  type: :runtime
+  prerelease: false
+  version_requirements: *2163253520
+- !ruby/object:Gem::Dependency
+  name: spice
+  requirement: &2163252940 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.0.3
+  type: :runtime
+  prerelease: false
+  version_requirements: *2163252940
+- !ruby/object:Gem::Dependency
+  name: eassl2
+  requirement: &2163252120 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: *2163252120
+- !ruby/object:Gem::Dependency
+  name: highline
+  requirement: &2163251220 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.6.0
+  type: :runtime
+  prerelease: false
+  version_requirements: *2163251220
+- !ruby/object:Gem::Dependency
+  name: commander
+  requirement: &2163250360 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 4.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: *2163250360
+- !ruby/object:Gem::Dependency
+  name: multi_json
+  requirement: &2163249800 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: *2163249800
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: &2163249120 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: *2163249120
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &2163248560 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.10.0
+  type: :development
+  prerelease: false
+  version_requirements: *2163248560
+- !ruby/object:Gem::Dependency
+  name: flexmock
+  requirement: &2163247960 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.9.0
+  type: :development
+  prerelease: false
+  version_requirements: *2163247960
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: &2163247420 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2163247420
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: &2163246840 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2163246840
+description: A command-line client the ssl cookbook's signing requirements
+email: auto-ssl@venda.com
+executables:
+- chef-ssl
+extensions: []
+extra_rdoc_files:
+- README.rdoc
+files:
+- README.rdoc
+- Rakefile
+- bin/chef-ssl
+- lib/chef-ssl/client/issued_certificate.rb
+- lib/chef-ssl/client/request.rb
+- lib/chef-ssl/client/signing_authority.rb
+- lib/chef-ssl/client/version.rb
+- lib/chef-ssl/client.rb
+- lib/chef-ssl/command.rb
+homepage: http://docs.uk.venda.com/vendadocs/TeamAwesome/Project☃/pki
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.6
+signing_key: 
+specification_version: 3
+summary: A command-line client the ssl cookbook's signing requirements
+test_files: []
+has_rdoc: true