fingerpuppet 0.0.1

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2013 Puppet Labs, info@puppetlabs.com  
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,56 @@
+Usage : fingerpuppet <commandstring>
+
+        Steps for using the API:
+            1:) fingerpuppet --init --certname my.cert.name --server my.server.name
+                    Builds the config file
+                    Generates the certificate and CSR
+                    Submits the CSR to the Puppetmaster
+
+            2:) On puppetmaster: puppet cert sign my.cert.name
+
+            3:) restapi.rb --install
+                    Downloads the signed certificate and installs it
+
+            4:) ...
+
+            5:) Profit!
+
+        Your Puppetmaster must be configured to allow requests other than certificate requests.
+        See http://docs.puppetlabs.com/guides/rest_auth_conf.html for more information.
+
+        The certname can be specified with --certname or with optional CERTNAME argument to many options.
+
+        You may want to use the '-dcn' options to print the cURL equivalent command.
+
+    -d, --debug                      runs in debug mode
+    -h, --help                       Displays this help
+    -c, --curl                       Use commandline curl rather than Net::HTTP.
+    -n, --nop                        No-Op mode. Don't perform action, just output debugging data. Implies --debug.
+
+        --server SERVER              The server address of your Puppetmaster.
+        --certname CERTNAME          The certname you wish to use when connecting to your Puppetmaster
+        --file FILENAME              The file to send to the Puppetmaster.
+        --output FILENAME            The file to save any output to.
+        --state STATE                The desired state you want to set.
+
+        --init                       Initialize application. Generate config file, certificate and submit CSR. Requires --certname and --server.
+        --install                    Download and install signed certificate.
+
+        --catalog                    Download the catalog compiled for your app's certname. Quite often just the default Node.
+        --delete [CERTNAME]          Remove certificate and facts about a node from Puppetmaster.
+        --facts [CERTNAME]           Retrieve the facts known about a given certname.
+        --insert [CERTNAME]          Send facts for a given certname to the Puppetmaster. Requires --file.
+        --node [CERTNAME]            Retrieve the node information (including facts) known about a given certname.
+        --search QUERY               Retrieve the nodes matching a comma separated query string (e.g. kernel=Linux,virtual=vmware)
+
+        --certificate [CERTNAME]     Retrieve the certificate for a given certname or 'ca'.
+        --cert_status [CERTNAME]     Retrieve the certificate status for a given certname. Set the status by using --state.
+        --cert_revocation_list       Retrieve and display the certifiacte revocation list from the master.
+        --sign [CERTNAME]            Instruct the Puppetmaster to sign a certificate. Requires significate privileges in auth.conf.
+
+        --file_metadata PATH         Retrieve the metadata for a file.
+        --getfile PATH               Download a file from the Puppetmaster. Save to --file or output on stdout.
+
+        --resource RESOURCE          Returns a list of resources (e.g. user) or information about a resource (e.g. 'user/elvis')
+        --report [CERTNAME]          Sends a YAML report to the Puppetmaster. Requires --file or --state.
+        --status                     Check to make sure the Puppetmaster is alive and well.

data/bin/fingerpuppet

@@ -0,0 +1,216 @@
+#!/usr/bin/env ruby
+
+require 'optparse'
+require 'fingerpuppet/restapi.rb'
+
+options = {}
+optparse = OptionParser.new { |opts|
+    opts.banner = "Usage : restapi.rb <commandstring>
+
+        Steps for using the API:
+            1:) fingerpuppet --init --certname my.cert.name --server my.server.name
+                    Builds the config file
+                    Generates the certificate and CSR
+                    Submits the CSR to the Puppetmaster
+
+            2:) On puppetmaster: puppet cert sign my.cert.name
+
+            3:) restapi.rb --install
+                    Downloads the signed certificate and installs it
+
+            4:) ...
+
+            5:) Profit!
+
+        Your Puppetmaster must be configured to allow requests other than certificate requests.
+        See http://docs.puppetlabs.com/guides/rest_auth_conf.html for more information.
+
+        The certname can be specified with --certname or with optional CERTNAME argument to many options.
+
+        You may want to use the '-dcn' options to print the cURL equivalent command.
+
+"
+ 
+    options[:show]=false
+    opts.on("-d", "--debug", "runs in debug mode") do
+        options[:debug] = true
+        #restAPI.debug
+    end
+
+    opts.on("-h", "--help", "Displays this help") do
+        puts opts
+        exit
+    end
+
+    opts.on("-c", "--curl", "Use commandline curl rather than Net::HTTP.") do
+        options[:curl] = true
+    end
+
+    opts.on("-n", "--nop", "No-Op mode. Don't perform action, just output debugging data. Implies --debug.") do
+        options[:nop] = true
+        options[:debug] = true
+    end
+
+    opts.separator('')
+
+    opts.on("--server SERVER", "The server address of your Puppetmaster.") do |server|
+        options[:server] = server
+    end
+
+    opts.on("--certname CERTNAME", "The certname you wish to use when connecting to your Puppetmaster") do |certname|
+        options[:certname] = certname
+    end
+
+    opts.on("--file FILENAME", "The file to send to the Puppetmaster.") do |filename|
+        options[:filename] = filename
+    end
+
+    opts.on("--output FILENAME", "The file to save any output to.") do |filename|
+        options[:output] = filename
+    end
+
+    opts.on("--state STATE", "The desired state you want to set.") do |state|
+        options[:state] = state
+    end
+
+    opts.separator('')
+
+    opts.on("--init", "Initialize application. Generate config file, certificate and submit CSR. Requires --certname and --server.") do
+        options[:action] = 'init'
+    end
+
+    opts.on("--install", "Download and install signed certificate.") do
+        options[:action] = 'install'
+    end
+
+    opts.separator('')
+
+    opts.on("--catalog", "Download the catalog compiled for your app's certname. Quite often just the default Node.") do
+        options[:action] = 'catalog'
+    end
+
+    opts.on("--delete [CERTNAME]", "Remove certificate and facts about a node from Puppetmaster.") do |certname|
+        options[:action] = 'delete'
+        options[:certname] ||= certname
+    end
+
+    opts.on("--facts [CERTNAME]", "Retrieve the facts known about a given certname.") do |certname|
+        options[:action] = 'facts'
+        options[:certname] ||= certname
+    end
+
+    opts.on("--insert [CERTNAME]", "Send facts for a given certname to the Puppetmaster. Requires --file.") do |certname|
+        options[:action] = 'insert'
+        options[:certname] ||= certname
+    end
+
+    opts.on("--node [CERTNAME]", "Retrieve the node information (including facts) known about a given certname.") do |certname|
+        options[:action] = 'node'
+        options[:certname] ||= certname
+    end
+
+    opts.on("--search QUERY", Array, "Retrieve the nodes matching a comma separated query string (e.g. kernel=Linux,virtual=vmware)") do |query|
+        options[:action] = 'search'
+        options[:query]  = query
+    end
+
+    opts.separator('')
+
+    opts.on("--certificate [CERTNAME]", "Retrieve the certificate for a given certname or 'ca'.") do |certname|
+        options[:action] = 'certificate'
+        options[:certname] ||= certname
+    end
+
+    opts.on("--cert_status [CERTNAME]", "Retrieve the certificate status for a given certname. Set the status by using --state.") do |certname|
+        options[:action] = 'certificate_status'
+        options[:certname] ||= certname
+    end
+
+    opts.on("--cert_revocation_list", "Retrieve and display the certifiacte revocation list from the master.") do
+        options[:action] = 'certificate_revocation_list'
+    end
+
+    opts.on("--sign [CERTNAME]", "Instruct the Puppetmaster to sign a certificate. Requires significate privileges in auth.conf.") do |certname|
+        options[:action] = 'sign'
+        options[:certname] ||= certname
+    end
+
+    opts.separator('')
+
+    opts.on("--file_metadata PATH", "Retrieve the metadata for a file.") do |path|
+        options[:action] = 'file_metadata'
+        options[:argument] = path
+    end
+
+    opts.on("--getfile PATH", "Download a file from the Puppetmaster. Save to --file or output on stdout.") do |path|
+        options[:action] = 'getfile'
+        options[:argument] = path
+    end
+
+    opts.separator('')
+
+    opts.on("--resource RESOURCE", "Returns a list of resources (e.g. user) or information about a resource (e.g. 'user/elvis')") do |resource|
+        options[:action] = 'resource'
+        options[:argument] = resource
+    end
+
+    opts.on("--report [CERTNAME]", "Sends a YAML report to the Puppetmaster. Requires --file or --state.") do |certname|
+        options[:action] = 'report'
+        options[:certname] ||= certname
+    end
+
+    opts.on("--status", "Check to make sure the Puppetmaster is alive and well.") do
+        options[:action] = 'status'
+    end
+}
+
+begin
+    optparse.parse!
+
+    restAPI = Fingerpuppet::RestAPI.new( options )
+    # if certname isn't specified, let's default to our certname, except for init
+    if options[:action] != 'init'
+        options[:certname] ||= restAPI.certname
+    end
+
+    case options[:action]
+        when 'init'
+            restAPI.init(options[:certname], options[:server])
+        when 'install'
+            restAPI.install
+        when 'catalog'
+            restAPI.catalog
+        when 'status'
+            restAPI.status
+        when 'facts'
+            restAPI.facts(options[:certname])
+        when 'node'
+            restAPI.node(options[:certname])
+        when 'search'
+            restAPI.search(options[:query])
+        when 'insert'
+            restAPI.insert(options[:certname], options[:filename])
+        when 'delete'
+            restAPI.delete(options[:certname])
+        when 'file_metadata'
+            restAPI.file_metadata(options[:argument])           
+        when 'getfile'
+            restAPI.getfile(options[:argument])
+        when 'certificate'
+            restAPI.certificate(options[:certname])
+        when 'sign'
+            restAPI.sign(options[:certname])
+        when 'certificate_status'
+            restAPI.certificate_status(options[:certname], options[:state])
+        when 'certificate_revocation_list'
+            restAPI.certificate_revocation_list
+        when 'resource'
+            restAPI.resource(options[:argument])
+        when 'report'
+            restAPI.report(options[:certname], options[:filename], options[:state])
+        else
+            puts 'Use -h/--help for usage documentation.'
+    end     
+rescue Exception => e
+    puts e
+end

data/lib/fingerpuppet/restapi.rb

@@ -0,0 +1,331 @@
+require 'yaml'
+require "net/https"
+
+module Fingerpuppet
+  class RestAPI
+      attr_accessor :server, :certname
+  
+      def initialize( options={} )
+          @debug = options[:debug]
+          @curl = options[:curl]
+          @nop = options[:nop]
+          @output = options[:output]
+          @configdir = File.expand_path('~/.fingerpuppet')
+  
+          begin
+              config = YAML.load_file("#{@configdir}/config.yaml")
+              @server   = config['server']
+              @certname = config['certname']
+          rescue Exception => e
+              puts 'Initializing API...'
+          end
+      end
+  
+      # a helper that allows one to use either commandline curl or Net::HTTP
+      # this is useful mostly with -dcn to just print out the curl commandline
+      # you would use to accomplish what you're trying to do
+      def command( opts={} )
+          # this allows a global @output var, but to also override that per call
+          opts[:output] ||= @output
+  
+          if @curl
+              curl(opts)
+          else
+              data = rest(opts)
+  
+              if opts[:output]
+                  save(opts[:output], data)
+              else
+                  # When using the API, you will probably want to consume this data rather than just printing it.
+                  # You might use YAML::load(data) or JSON::parse(data) depending on what's being returned
+                  puts data
+              end
+          end
+      end
+  
+      def save(path, data)
+          file = File.new(path, 'w')
+          file.syswrite(data)
+          file.close
+      end
+  
+      def rest( opts={} )
+          opts[:type] ||= 'yaml'
+          uri = "/production/#{opts[:action]}/#{opts[:argument]}"
+  
+          http = Net::HTTP.new(@server, 8140)
+          http.use_ssl = true
+  
+          unless opts[:noauth]
+              http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+  
+              store = OpenSSL::X509::Store.new
+              store.add_cert(OpenSSL::X509::Certificate.new(File.read("#{@configdir}/ca_crt.pem")))
+              http.cert_store = store
+  
+              http.key = OpenSSL::PKey::RSA.new(File.read("#{@configdir}/#{@certname}.key"))
+              http.cert = OpenSSL::X509::Certificate.new(File.read("#{@configdir}/#{@certname}.pem"))
+          end
+  
+          case opts[:method]
+              when 'PUT'
+                  request = Net::HTTP::Put.new(uri)
+                  request["Content-Type"] = "text/#{opts[:type]}"
+  
+                  if opts[:file]
+                      # set the body to the binary contents of :file
+                      file = File.open(opts[:file], 'rb')
+                      request.body = file.read
+                  else
+                      # set the body to the string value of :data
+                      request.body = opts[:data]
+                  end
+  
+              when 'DELETE'
+                  request = Net::HTTP::Delete.new(uri)
+              when 'HEAD'
+                  request = Net::HTTP::Head.new(uri)
+              else
+                  # default to a GET request
+                  request = Net::HTTP::Get.new(uri)
+          end
+  
+          request["Accept"] = opts[:type]
+  
+          if @debug
+              puts '------ HTTP Request ------'
+              puts request.to_yaml
+              puts '--------------------------'
+          end
+  
+          return @nop ? '' : http.request(request).body
+      end
+  
+      #def command(action, argument='', method='GET', type='yaml', output=false, file=false, data=false)
+      def curl( opts={} )
+          opts[:type] ||= 'yaml'
+  
+          if opts[:noauth]
+              auth = '-k '
+          else
+              auth = "--cert #{@configdir}/#{@certname}.pem --key #{@configdir}/#{@certname}.key --cacert #{@configdir}/ca_crt.pem"
+          end
+  
+          output = opts[:output] ? "-o #{opts[:output]}" : ''
+          header = "-H 'Accept: #{opts[:type]}'"
+          
+          case opts[:method]
+              when 'PUT'
+                  methodstr = '-X PUT'
+                  header = "-H 'Content-Type: text/#{opts[:type]}'"
+  
+                  if opts[:file]
+                      filestr   = "--data-binary @#{opts[:file]}"
+                  end
+  
+                  if opts[:data]
+                      datastr   = "--data '#{opts[:data]}'"
+                  end
+  
+              when 'DELETE'
+                  methodstr = '-X DELETE'
+              when 'HEAD'
+                  methodstr = '-I'
+              else
+                  # default to a GET request
+                  methodstr = ''
+          end
+  
+          uri = "https://#{@server}:8140/production/#{opts[:action]}/#{opts[:argument]}"
+          cmd = "curl #{auth} #{methodstr} #{output} #{filestr} #{datastr} #{header} \"#{uri}\"" #quoted uri for fact ampersands
+          if @debug
+              puts cmd
+          else
+              if not system(cmd)
+                  raise StandardError, 'cURL execution failed.'
+              end
+              puts # newline after curl output
+          end
+      end
+  
+      def init(certname, server)
+          if certname == nil || server == nil
+              puts "Must set server and certname to initialize API"
+              exit
+          end
+  
+          @certname = certname
+          @server = server
+  
+          if File::directory?( @configdir )
+              require 'fileutils'
+              FileUtils.rm_rf( @configdir )
+          end
+  
+          Dir.mkdir( @configdir )
+          configfile = File.new("#{@configdir}/config.yaml", 'w')
+              configfile.syswrite("version: 0.1\n")
+              configfile.syswrite("certname: #{@certname}\n")
+              configfile.syswrite("server: #{@server}\n")
+          configfile.close
+  
+          begin
+              if not system("openssl genrsa -out #{@configdir}/#{@certname}.key 1024")
+                  raise StandardError, 'Certificate generation failed.'
+              end
+  
+              if not system("openssl req -new -key #{@configdir}/#{@certname}.key -subj '/CN=#{@certname}' -out #{@configdir}/#{@certname}.csr")
+                  raise StandardError, 'CSR generation failed.'
+              end
+  
+              self.command( { :action => 'certificate_request',
+                              :argument => @certname,
+                              :file => "#{@configdir}/#{@certname}.csr",
+                              :type => 'plain',
+                              :method => 'PUT',
+                              :noauth => true } )
+  
+              puts "CSR submitted. Now go sign it on the server and rerun this with --install."
+          rescue Exception => e
+              puts "Failure: #{e.message}"
+          end
+      end
+  
+      def install
+          begin
+              self.command( { :action => 'certificate',
+                              :argument => @certname,
+                              :output => "#{@configdir}/#{@certname}.pem",
+                              :type => 's',
+                              :noauth => true } )
+  
+              self.command( { :action => 'certificate',
+                              :argument => 'ca',
+                              :output => "#{@configdir}/ca_crt.pem",
+                              :type => 's',
+                              :noauth => true } )
+  
+              puts "Certificate installed. API ready for use."
+          rescue Exception => e
+              puts "Failure: #{e.message}"
+          end
+      end
+  
+      def catalog
+          self.command( { :action => 'catalog', 
+                          :argument => @certname } )
+      end
+  
+      def status
+          self.command( { :action => 'status', 
+                          :argument => 'no_key' } )
+      end
+  
+      def facts(node)
+          self.command( { :action => 'facts', 
+                          :argument => node } )
+      end
+  
+      def search(query)
+          query.map!{ |item| "facts.#{item}"}
+          self.command( { :action => 'facts_search', 
+                          :argument => "search?#{query.join('&')}" } )
+      end
+  
+      def node(node)
+          self.command( { :action => 'node', 
+                          :argument => node } )
+      end
+  
+      def insert(node, path)
+          self.command( { :action => 'facts', 
+                          :argument => node, 
+                          :method => 'PUT', 
+                          :file => path } )
+      end
+  
+      def file_metadata(path)
+          self.command( { :action => 'file_content',
+                          :argument => path,
+                          :type => 'yaml' } )
+      end
+  
+      def getfile(path)
+          self.command( { :action => 'file_content',
+                          :argument => path,
+                          :type => 'raw' } )
+      end
+  
+      def delete(node)
+          self.certificate_status(node, 'revoked')
+          self.command( { :action => 'certificate_status', 
+                          :argument => node, 
+                          :method => 'DELETE', 
+                          :type => 'pson' } )
+      end
+  
+      def certificate(node)
+          self.command( { :action => 'certificate', 
+                          :argument => node, 
+                          :type => 's' } )
+      end
+  
+      def sign(node)
+          self.command( { :action => 'certificate_status', 
+                          :argument => node, 
+                          :method => 'PUT', 
+                          :type => 'pson',
+                          :noauth => true, 
+                          :data => "{\"desired_state\":\"signed\"}" } )
+      end
+  
+      def certificate_revocation_list
+          self.command( { :action => 'certificate_revocation_list', 
+                          :argument => 'ca', 
+                          :type => 's' } )
+      end
+  
+      def certificate_status(node, state=nil)
+          if node == nil
+              self.command( { :action => 'certificate_statuses', 
+                              :action => 'no_key', 
+                              :type => 'pson' } )
+          elsif state == nil
+              self.command( { :action => 'certificate_status', 
+                              :argument => node, 
+                              :type => 'pson' } )
+          else
+              self.command( { :action => 'certificate_status', 
+                              :argument => node, 
+                              :method => 'PUT', 
+                              :type => 'pson', 
+                              :data => "{\"desired_state\":\"#{state}\"}" } )
+          end
+      end
+  
+      def resource(resource)
+          self.command( { :action => 'resource', 
+                          :argument => resource } )
+      end
+  
+      def report(node, file, data=nil)
+          if data
+              self.command( { :action => 'report', 
+                              :argument => node, 
+                              :method => 'PUT', 
+                              :data => data } )
+          else
+              self.command( { :action => 'report', 
+                              :argument => node, 
+                              :method => 'PUT', 
+                              :file => file } )
+          end
+      end
+  
+      def debug
+          puts "@configdir: #{@configdir}"
+          puts "   @server: #{@server}"
+          puts " @certname: #{@certname}"
+      end
+  end
+end

metadata

@@ -0,0 +1,65 @@
+--- !ruby/object:Gem::Specification 
+name: fingerpuppet
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- Ben Ford
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2013-03-28 00:00:00 -07:00
+default_executable: 
+dependencies: []
+
+description: "  A simple library and tool to interact with Puppet's REST API without needing Puppet itself installed.\n"
+email: binford2k@gmail.com
+executables: 
+- fingerpuppet
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- README.md
+- LICENSE
+- bin/fingerpuppet
+- lib/fingerpuppet/restapi.rb
+has_rdoc: true
+homepage: http://github.com/binford2k/fingerpuppet
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.6
+signing_key: 
+specification_version: 3
+summary: A simple library and tool to interact with Puppet's REST API without needing Puppet itself installed.
+test_files: []
+