foreman_cfssl 0.0.1

data/README.md

@@ -0,0 +1,105 @@
+## foreman_cfssl
+
+A Foreman plugin that uses CFSSL to generate certificates, plus a little management. It adds a "Certificates" sub-item to "Infrastructure" menu.
+
+### Warning
+
+This plugin stores private keys in clear text in database, so think twice before using a certificate generated by it, or importing existing certificates signed by other certificate authorities. However when importing a certificate you can leave the private key field blank or upload an encrypted version.
+
+If you do want to put valuable certificate keys into the system, consider:
+
+* Secure the CFSSL role in Foreman
+* Secure the database Foreman connects
+* Be aware about Rails/Foreman vulnerabilities
+
+### Prerequisites
+
+[CFSSL](https://github.com/cloudflare/cfssl) binary is used for generating/inspecting certificates. The executable `cfssl` must be on $PATH.
+
+### Installation
+
+See [Foreman plugin installation](https://theforeman.org/plugins/#2.3AdvancedInstallationfromGems).
+
+The plugin needs a "certs" table, which can be created by running:
+
+```
+foreman-rake db:migrate
+```
+
+or by running [the SQL](https://github.com/qingbo/foreman_cfssl/blob/master/db/certs.sql).
+
+### Configuration and Usage
+
+#### ini file
+
+Example:
+
+`/etc/foreman/plugins/foreman_cfssl.yaml`:
+
+```
+:foreman_cfssl:
+  :ca: /etc/foreman/plugins/foreman_cfssl/ca.pem
+  :ca_key: /etc/foreman/plugins/foreman_cfssl/ca-key.pem
+  :config: /etc/foreman/plugins/foreman_cfssl/config.json
+  :csr_template: /etc/foreman/plugins/foreman_cfssl/csr-template.json
+  :private_key_import: false
+```
+
+#### CFSSL config
+
+More documentation can be found on CFSSL project page, but here are the two JSON files referenced mentioned above:
+
+`/etc/foreman/plugins/foreman_cfssl/config.json`:
+
+```
+{
+    "signing": {
+        "default": {
+            "expiry": "43800h"
+        },
+        "profiles": {
+            "server": {
+                "expiry": "43800h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "server auth"
+                ]
+            },
+            "client": {
+                "expiry": "43800h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "client auth"
+                ]
+            }
+        }
+    }
+}
+```
+
+On certificate generation page, user can select a profile, fill in "common name" and SAN list. Inputs are merged into the CSR template below and fed into cfssl command.
+
+`/etc/foreman/plugins/foreman_cfssl/csr-template.json`:
+
+```
+{
+    "key": {
+        "algo": "rsa",
+        "size": 2048
+    },
+    "names": [
+        {
+            "C": "US",
+            "ST": "MA",
+            "L": "Newton",
+            "OU": "My Corp"
+        }
+    ]
+}
+```
+
+#### Foreman role
+
+A single role "CFSSL" controls all permissions.

data/Rakefile

@@ -0,0 +1,47 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'ForemanCfssl'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path('../test/dummy/Rakefile', __FILE__)
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test
+
+begin
+  require 'rubocop/rake_task'
+  RuboCop::RakeTask.new
+rescue => _
+  puts 'Rubocop not loaded.'
+end
+
+task :default do
+  Rake::Task['rubocop'].execute
+end

data/app/controllers/foreman_cfssl/certs_controller.rb

@@ -0,0 +1,121 @@
+module ForemanCfssl
+  require 'date'
+  require 'open3'
+  require 'json'
+  class CertsController < ApplicationController
+    def index
+      order = params[:order] || 'not_after DESC'
+      @certs = Cert.all.paginate(:page => params[:page]).order(order)
+    end
+
+    def import
+      @cert = Cert.new
+      @allow_key_import = ['allow', 'true'].include?(SETTINGS[:foreman_cfssl][:private_key_import])
+    end
+
+    def import_save
+      @cert = Cert.new(params[:foreman_cfssl_cert].permit(:owner_email, :pem, :key))
+
+      allow_key_import = ['allow', 'true'].include?(SETTINGS[:foreman_cfssl][:private_key_import])
+      if @cert.key.include?('PRIVATE') && !allow_key_import
+        @cert.errors.add(:key, "Don't upload an unencrypted private key. Consider encrypting it.")
+        render 'import' and return
+      end
+
+      @cert.user = User.current
+      @cert.imported_at = Time.now
+
+      self.expand_pem
+
+      if @cert.save
+        flash[:notice] = "Successfully imported certificate"
+        redirect_to @cert
+      else
+        render 'import'
+      end
+    end
+
+    def new
+      @cert = Cert.new
+
+      # profiles for select
+      config_path = SETTINGS[:foreman_cfssl][:config]
+      config = JSON.parse(File.read(config_path))
+      @profiles = config['signing']['profiles'].keys
+
+      # CA information
+      ca_pem = File.read(SETTINGS[:foreman_cfssl][:ca])
+      @ca_info = JSON.pretty_generate(extract_cert_info(ca_pem))
+    end
+
+    def create
+      # Added several attr_accessors in model to ease form processing
+      @cert = Cert.new(params[:foreman_cfssl_cert].permit(:owner_email, :common_name, :profile, :hosts))
+
+      # Read ini configurations
+      configs = SETTINGS[:foreman_cfssl]
+      ca = configs[:ca]
+      ca_key = configs[:ca_key]
+      ca_config = configs[:config]
+      csr_template = configs[:csr_template]
+
+      # fill in details to create certificate signing request config
+      csr = JSON.parse(File.read(csr_template))
+      csr['CN'] = @cert.common_name
+      csr['hosts'] = @cert.hosts.strip.split(%r{\s+})
+
+      # generate certificates
+      stdin, stdout, stderr = Open3.popen3("cfssl gencert -config=#{ca_config} -ca=#{ca} -ca-key=#{ca_key} -profile=#{@cert.profile} -")
+      stdin.puts JSON.dump(csr)
+      stdin.close
+
+      result = JSON.parse(stdout.gets(sep=nil))
+      @cert.pem = result['cert']
+      @cert.key = result['key']
+      @cert.user = User.current
+
+      self.expand_pem
+
+      if @cert.save
+        flash[:notice] = "Successfully issued certificate for #{@cert.common_name}"
+        redirect_to @cert
+      else
+        render 'new'
+      end
+    end
+
+    def show
+      @cert = Cert.find(params[:id])
+    end
+
+    def destroy
+      @cert = Cert.find(params[:id])
+      @cert.destroy
+
+      flash[:notice] = "Certificate deleted"
+      redirect_to certs_path
+    end
+
+    def expand_pem
+      cert_info = self.extract_cert_info(@cert.pem)
+
+      @cert.subject = JSON.dump(cert_info['subject'])
+      @cert.issuer = JSON.dump(cert_info['issuer'])
+      @cert.serial_number = cert_info['serial_number']
+      @cert.sans = cert_info.has_key?('sans') ? JSON.dump(cert_info['sans']) : '[]'
+      @cert.not_before = DateTime.parse(cert_info['not_before'])
+      @cert.not_after = DateTime.parse(cert_info['not_after'])
+      @cert.sigalg = cert_info['sigalg']
+      @cert.authority_key_id = cert_info['authority_key_id']
+      @cert.subject_key_id = cert_info['subject_key_id']
+    end
+
+    def extract_cert_info(pem)
+      stdin, stdout, stderr = Open3.popen3('cfssl certinfo -cert=-')
+      stdin.puts pem
+      stdin.close
+
+      return JSON.parse(stdout.gets(sep=nil))
+    end
+  end
+end

data/app/models/concerns/foreman_cfssl/cert.rb

@@ -0,0 +1,31 @@
+module ForemanCfssl
+  class Cert < ActiveRecord::Base
+    belongs_to :user
+    # quick hack to ease form submission
+    attr_accessor :common_name, :hosts
+
+    def subject_info
+      JSON.parse(subject)
+    end
+
+    def issuer_info
+      JSON.parse(issuer)
+    end
+
+    def sans_info
+      JSON.parse(sans)
+    end
+
+    def source_type
+      imported_at ? "imported" : "issued"
+    end
+
+    def expired?
+      not_after < Time.now
+    end
+
+    def expiring?
+      not_after < Time.now + 30.days && ! expired?
+    end
+  end
+end

data/app/views/dashboard/_foreman_cfssl_widget.html.erb

@@ -0,0 +1,2 @@
+<h4 class="header ca">Certificates</h4>
+<%= _('Widget content') %>

data/app/views/foreman_cfssl/certs/import.html.erb

@@ -0,0 +1,13 @@
+<% title "Certificates - Import" %>
+
+<% title_actions link_to("Back", index_path, class: "btn btn-default") %>
+
+<%= form_for(@cert, url: {controller: 'foreman_cfssl/certs', action: 'import_save'}) do |f| %>
+<%= text_f f, :owner_email, :help_inline => "Who own's this certificate? For reference only." %>
+<%= textarea_f f, :pem, {rows: 20, help_inline: "Certificate signed by CA"} %>
+<%= textarea_f f, :key, {rows: 20, help_inline:
+@private_key_import ? "It's recommended to upload an encrypted version of the private key."
+                    : "Private key upload is disallowed. Leave it blank or upload an encrypted one."} %>
+
+<div><%= f.submit 'Import', class: 'btn btn-primary' %></div>
+<% end %>

data/app/views/foreman_cfssl/certs/index.html.erb

@@ -0,0 +1,44 @@
+<% title "Certificates" %>
+
+<% title_actions new_link('Issue'),
+link_to("Import", import_path, class: "btn btn-primary") %>
+
+<table class="<%= table_css_classes 'table-fixed' %>">
+  <thead>
+    <tr>
+      <th>User</th>
+      <th>Source</th>
+      <th>Owner</th>
+      <th>Common Name</th>
+      <th>SANs</th>
+      <th>Issuer</th>
+      <th><%= sort :not_after, :as => "Invalid After" %></th>
+      <th>Actions</th>
+    </tr>
+  </thead>
+  <tbody>
+    <% @certs.each do |cert| %>
+      <tr style="
+       <% if cert.expired? %>text-decoration: line-through;<% end %>
+       <% if cert.expiring? %>background-color: #c33; color: #fff;<% end %>
+      ">
+        <td><%= cert.user.name %></td>
+        <td><%= cert.source_type %></td>
+        <td><%= cert.owner_email %></td>
+        <td><%= cert.subject_info['common_name'] %></td>
+        <td>
+          <ul>
+            <% cert.sans_info.each do |san| %>
+            <li><%= san %></li>
+            <% end %>
+          </ul>
+        </td>
+        <td><%= cert.issuer_info['common_name'] %></td>
+        <td><%= cert.not_after %></td>
+        <td><%= link_to 'show', cert %></td>
+      </tr>
+    <% end %>
+  </tbody>
+</table>
+
+<%= will_paginate_with_info @certs %>

data/app/views/foreman_cfssl/certs/new.html.erb

@@ -0,0 +1,16 @@
+<% title "Certificates - Issue New" %>
+
+<% title_actions link_to("Back", index_path, class: "btn btn-default") %>
+
+<%= form_for(@cert, url: {controller: 'foreman_cfssl/certs', action: 'create'}) do |f| %>
+
+<%= text_f f, :owner_email, :help_inline => "Who own's this certificate? For reference only. Not used in generation." %>
+<%= text_f f, :common_name, :help_inline => "Name of the subject"  %>
+<%= select_f f, :profile, @profiles, :to_s, :to_s, :help_inline => "A profile configured in CFSSL" %>
+<%= textarea_f f, :hosts, {rows: 5, help_inline: "List of domain names the subject will be serving"} %>
+
+<p>Signing CA:</p>
+<pre><%= @ca_info %></pre>
+
+<div><%= f.submit 'Issue Certificate', class: 'btn btn-primary' %></div>
+<% end %>

data/app/views/foreman_cfssl/certs/show.html.erb

@@ -0,0 +1,73 @@
+<% title "Certificates - Details" %>
+
+<% title_actions link_to("Back", index_path, class: "btn btn-default"),
+link_to("Delete", @cert, method: 'delete',
+data: {confirm: '!!! Do you want to delete this from database?'}, class: "btn btn-danger")
+ %>
+
+<table class="<%= table_css_classes 'table-fixed' %>">
+  <thead>
+    <tr>
+      <th width="100px">Field</th>
+      <th>Value</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>User</td>
+      <td><%= @cert.user.name %></td>
+    </tr>
+    <tr>
+      <td>Owner</td>
+      <td><%= @cert.owner_email %></td>
+    </tr>
+    <tr>
+      <td>Profile</td>
+      <td><%= @cert.profile %></td>
+    </tr>
+    <tr>
+      <td>Subject</td>
+      <td><pre><%= JSON.pretty_generate(JSON.parse(@cert.subject)) %></pre></td>
+    </tr>
+    <tr>
+      <td>Issuer</td>
+      <td><pre><%= JSON.pretty_generate(JSON.parse(@cert.issuer)) %></pre></td>
+    </tr>
+    <tr>
+      <td>Serial number</td>
+      <td><%= @cert.serial_number %></td>
+    </tr>
+    <tr>
+      <td>SANs</td>
+      <td><pre><%= JSON.pretty_generate(JSON.parse(@cert.sans)) %></pre></td>
+    </tr>
+    <tr>
+      <td>Valid not before</td>
+      <td><%= @cert.not_before %></td>
+    </tr>
+    <tr>
+      <td>Valid not after</td>
+      <td><%= @cert.not_after %></td>
+    </tr>
+    <tr>
+      <td>SigAlg</td>
+      <td><%= @cert.sigalg %></td>
+    </tr>
+    <tr>
+      <td>CA key ID</td>
+      <td><%= @cert.authority_key_id %></td>
+    </tr>
+    <tr>
+      <td>Key ID</td>
+      <td><%= @cert.subject_key_id %></td>
+    </tr>
+    <tr>
+      <td>Certificate</td>
+      <td><pre><%= @cert.pem %></pre></td>
+    </tr>
+    <tr>
+      <td>Key</td>
+      <td><pre><%= @cert.key %></pre></td>
+    </tr>
+  </tbody>
+</table>