foreman_x509 0.0.1

data/Rakefile

@@ -0,0 +1,47 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'ForemanX509'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path('test/dummy/Rakefile', __dir__)
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test
+
+begin
+  require 'rubocop/rake_task'
+  RuboCop::RakeTask.new
+rescue LoadError
+  puts 'Rubocop not loaded.'
+end
+
+task :default do
+  Rake::Task['rubocop'].execute
+end

data/app/controllers/foreman_x509/api/v2/base_controller.rb

@@ -0,0 +1,12 @@
+module ForemanX509
+  module Api
+    module V2
+      class BaseController < ::Api::V2::BaseController
+        resource_description do
+          api_version '2'
+          api_base_url '/foreman_x509/api'
+        end
+      end
+    end
+  end
+end

data/app/controllers/foreman_x509/api/v2/certificates_controller.rb

@@ -0,0 +1,59 @@
+module ForemanX509
+  module Api
+    module V2
+      class CertificatesController < BaseController
+        resource_description do
+          resource_id 'certificates'
+          api_version 'v2'
+          api_base_url '/foreman_x509/api'
+        end
+
+        before_action :find_resource, only: [:show, :destroy]
+
+        api :GET, '/certificates', N_('List certificates')
+        param_group :search_and_pagination, ::Api::V2::BaseController
+        add_scoped_search_description_for(Certificate)
+        def index
+          @certificates = resource_scope_for_index
+        end
+
+        def create
+        end
+
+        def show
+        end
+
+        def update
+        end
+
+        api :GET, '/certificates/:id/chain', N_('Download the PEM format chain')
+        param :id, Integer, desc: N_('Id of the certificate')
+        def chain
+          send_data @certificate.issuer.bundle.map(&:to_pem).join('\n'), filename: "#{@certificate.name}_ca.pem"
+        end
+
+        api :GET, '/certificates/:id/certificate', N_('Download the PEM format certificate')
+        param :id, Integer, desc: N_('Id of the certificate')
+        def certificate
+          send_data @certificate.certificate.to_pem, filename: "#{@certificate.name}_cert.pem"
+        end
+
+        api :GET, '/certificate/:id/key', N_('Download the PEM format key')
+        param :id, Integer, desc: N_('Id of the key')
+        def key
+          send_data @certificate.key.to_pem, filename: "#{@certificate.name}_key.pem"
+        end
+
+        api :DELETE, '/certificates/:id', N_('Destroy a certificate')
+        param :id, Integer, desc: N_('Id of the certificate')
+        def destroy
+          process_response @certificate.destroy
+        end
+
+        def resource_class
+          ForemanX509::Certificate
+        end
+      end
+    end
+  end
+end

data/app/controllers/foreman_x509/api/v2/generations_controller.rb

@@ -0,0 +1,58 @@
+module ForemanX509
+  module Api
+    module V2
+      class GenerationsController < BaseController
+        before_action :find_owner
+        before_action :find_generation, except: [:index, :create]
+
+        api :GET, '/certificates/:owner_id/generations', N_('List certificate generations')
+        param :certificate_id, Integer, desc: N_('ID of the owning certificate')
+        param_group :search_and_pagination, ::Api::V2::BaseController
+        def index
+          @generations = resource_scope_for_index
+        end
+
+        api :GET, '/certificates/:owner_id/generations/:id', N_('Get generation details')
+        param :certificate_id, Integer, desc: N_('ID of the owning certificate')
+        param :id, Integer, desc: N_('ID of the generation')
+        def show
+        end
+
+        api :GET, '/certificates/:owner_id/generations/:id/certificate', N_('Download the generation certificate')
+        param :certificate_id, Integer, desc: N_('ID of the owning certificate')
+        param :id, Integer, desc: N_('ID of the generation')
+        def certificate
+        end
+
+        api :GET, '/certificates/:owner_id/generations/:id/key', N_('Download the generation key')
+        param :certificate_id, Integer, desc: N_('ID of the owning certificate')
+        param :id, Integer, desc: N_('ID of the generation')
+        def key
+          send_data @generation.key.to_pem, filename: "#{@generation.owner.name}-#{@generation.id}_key.pem"
+        end
+
+        api :POST, '/certificates/:owner_id/generations/:id', N_('Activate certificate generation')
+        param :certificate_id, Integer, desc: N_('ID of the owning certificate')
+        param :id, Integer, desc: N_('ID of the generation')
+        def activate
+          @generation.activate!
+        end
+
+        api :DELETE, '/certificates/:owner_id/generations/:id', N_('Delete certificate generation')
+        def destroy
+          @generation.destroy
+        end
+
+        private
+
+        def find_owner
+          @owner ||= ForemanX509::Certificate.find(params[:owner_id])
+        end
+
+        def find_generation
+          @generation ||= find_certificate.generations.find_by(id: params[:id])
+        end
+      end
+    end
+  end
+end

data/app/controllers/foreman_x509/api/v2/issuers_controller.rb

@@ -0,0 +1,41 @@
+module ForemanX509
+  module Api
+    module V2
+      class IssuersController < BaseController
+        resource_description do
+          resource_id 'issuer'
+          api_version 'v2'
+          api_base_url '/foreman_x509/api'
+        end
+
+        before_action :find_resource, only: [:show, :destroy]
+
+        api :GET, '/issuers', N_('List issuers')
+        param_group :search_and_pagination, ::Api::V2::BaseController
+        add_scoped_search_description_for(ForemanX509::Issuer)
+        def index
+          @issuers = resource_scope_for_index
+        end
+
+        def create
+        end
+
+        def show
+        end
+
+        def update
+        end
+
+        api :DELETE, '/issuer/:id', N_('Destroy an issuer')
+        param :id, Integer, desc: N_('Id of the issuer')
+        def destroy
+          process_response @issuer.destroy
+        end
+
+        def resource_class
+          ForemanX509::Issuer
+        end
+      end
+    end
+  end
+end

data/app/controllers/foreman_x509/api/v2/requests_controller.rb

@@ -0,0 +1,32 @@
+module ForemanX509
+  module Api
+    module V2
+      class RequestsController < BaseController
+        resource_description do
+          resource_id 'requests'
+          api_version 'v2'
+          api_base_url '/foreman_x509/api'
+        end
+
+        before_action :find_resource, only: [:show, :download]
+
+        def index
+          @requests = resource_scope_for_index
+        end
+
+        def show
+          respond_to do |format|
+            format.der { send_data @request.to_der, filename: "#{@request.name}_req.der" }
+            format.pem { send_data @request.to_pem, filename: "#{@request.name}_req.pem" }
+            format.json
+          end
+        end
+
+        def resource_class
+          ForemanX509::Request
+        end
+        
+      end
+    end
+  end
+end

data/app/controllers/foreman_x509/certificates_controller.rb

@@ -0,0 +1,82 @@
+module ForemanX509
+  class CertificatesController < ::ApplicationController
+    before_action :upload_certificate_file, only: [:create, :update]
+    before_action :upload_key_file, only: [:create, :update]
+    before_action :upload_configuration_file, only: [:create, :update]
+    before_action :find_resource, except: [:index, :new, :create]
+
+    def index
+      @certificates = resource_base_search_and_page
+    end
+
+    def new
+      @certificate = Certificate.new
+    end
+  
+    def create
+      @certificate = Certificate.new(certificate_params)
+      if @certificate.save
+        process_success object: @certificate
+      else
+        process_error object: @certificate
+      end
+    end
+  
+    def show
+    end
+  
+    def update
+      if @certificate.update(certificate_params)
+        process_success object: @certificate
+      else
+        process_error object: @certificate
+      end
+    end
+
+    def chain
+      send_date @certificate.issuer.bundle.map(&:to_pem).join('\n'), filename: "#{@certificate.name}_ca.pem"
+    end
+  
+    def certificate
+      send_data @certificate.certificate.to_pem, filename: "#{@certificate.name}_cert.pem"
+    end
+  
+    def key
+      send_data @certificate.key.to_pem, filename: "#{@certificate.name}_key.pem"
+    end
+  
+    def destroy
+      if @certificate.destroy
+        process_success object: @certificate
+      else
+        process_error object: @certificate
+      end
+    end
+
+    def resource_class
+      ForemanX509::Certificate
+    end
+  
+    private
+
+    def upload_configuration_file
+      return if (configuration = params.dig(:certificate, :configuration_file)).nil?
+      params[:certificate][:configuration] = configuration.read if configuration.respond_to?(:read)
+    end
+  
+    def upload_certificate_file
+      return if (certificate = params.dig(:certificate, :generation_attributes, :certificate_file)).nil?
+      params[:certificate][:generation_attributes][:certificate] = certificate.read if certificate.respond_to?(:read)
+    end
+  
+    def upload_key_file
+      return if (key = params.dig(:certificate, :generation_attributes, :key_file)).nil?
+      params[:certificate][:generation_attributes][:key] = key.read if key.respond_to?(:read)
+    end
+
+    def certificate_params
+      params.require(:certificate).permit(:name, :description, :issuer_id, :configuration, generation_attributes: [:certificate, :key])
+    end
+
+  end
+end

data/app/controllers/foreman_x509/generations_controller.rb

@@ -0,0 +1,71 @@
+module ForemanX509
+  class GenerationsController < ::ApplicationController
+
+    before_action :find_owner
+    before_action :find_generation, except: [:new, :create]
+    before_action :upload_certificate_file, only: [:create, :update]
+
+    def new
+      @generation = ForemanX509::Generation.new(owner: @owner)
+    end
+
+    def create
+      @generation = ForemanX509::Builder.create(@owner) if generation_params.empty?
+      @generation = @owner.generations.create(generation_params) unless generation_params.empty?
+      if @generation
+        process_success object: @generation, success_redirect: certificate_path(@owner)
+      else
+        process_error object: @generation, redirect: certificate_path(@owner)
+      end
+    end
+
+    def update
+      if @generation.update(generation_params)
+        process_success object: @generation, success_redirect: certificate_path(@owner)
+      else
+        process_error object: @generation, redirect: request_path(@generation.request)
+      end
+    end
+
+    def activate
+      @generation.activate!
+      
+      redirect_to certificate_path(@owner)
+    end
+
+    def certificate
+      send_data @generation.certificate.to_pem, filename: "#{@generation.owner.name}-#{@generation.id}_cert.pem"
+    end
+
+    def key
+      send_data @generation.key.to_pem, filename: "#{@generation.owner.name}-#{@generation.id}_key.pem"
+    end
+
+    def destroy
+      if @generation.destroy
+        process_success object: @generation, success_redirect: certificate_path(@owner)
+      else
+        process_error object: @generation, redirect: certificate_path(@owner)
+      end
+    end
+
+    private
+
+    def find_owner
+      @owner ||= ForemanX509::Certificate.friendly.find(params[:owner_id])
+    end
+
+    def find_generation
+      @generation ||= ForemanX509::Generation.find_by(owner: find_owner, id: params[:id])
+    end
+
+    def upload_certificate_file
+      return if (certificate = params.dig(:generation, :certificate_file)).nil?
+      params[:generation][:certificate] = certificate.read if certificate.respond_to?(:read)
+    end
+
+    def generation_params
+      params.require(:generation).permit(:certificate, :active)
+    end
+  end
+end

data/app/controllers/foreman_x509/issuers_controller.rb

@@ -0,0 +1,49 @@
+module ForemanX509
+  class IssuersController < ::ApplicationController
+
+    before_action :find_resource, only: [:show, :destroy]
+
+    def index
+      @issuers = resource_base_search_and_page
+    end
+
+    def new
+      @issuer = Issuer.new
+    end
+
+    def create
+      if @issuer.create(issuer_params)
+        process_success object: @issuer
+      else
+        process_error object: @issuer
+      end
+    end
+
+    def show
+    end
+
+    def bundle
+      send_data @issuer.bundle.map(&:to_pem).join('\n'), filename: "#{@issuer.name}_bundle.pem"
+    end
+
+    def destroy
+      if @issuer.destroy
+        process_success object: @issuer
+      else
+        process_error object: @issuer
+      end
+    end
+
+    def resource_class
+      ForemanX509::Issuer
+    end
+
+    private
+
+    def issuer_params_for_create
+      params.require(:issuer).permit(:certificate_id, :serial, :crl_number, :certificate_revocation_list,
+                                     certificate_attributes: [:name, :issuer_id, :description, :configuration, generation_attributes: [:certificate, :key]])
+    end
+
+  end
+end

data/app/controllers/foreman_x509/requests_controller.rb

@@ -0,0 +1,17 @@
+module ForemanX509
+  class RequestsController < ::ApplicationController
+    before_action :find_resource
+
+    def show
+      respond_to do |format|
+        format.der { send_data @request.to_der, filename: "#{@request.name}_req.der" }
+        format.pem { send_data @request.to_pem, filename: "#{@request.name}_req.pem" }
+        format.html
+      end
+    end
+
+    def resource_class
+      ForemanX509::Request
+    end
+  end
+end

data/app/helpers/foreman_x509/certificates_helper.rb

@@ -0,0 +1,49 @@
+module ForemanX509
+  module CertificatesHelper
+    def certificate_details
+      if @certificate.certificate.present?
+        @certificate.certificate.to_text
+      else
+        @certificate.subject.to_s(OpenSSL::X509::Name::MULTILINE)
+      end
+    end
+
+    def issuer_link(certificate)
+      return if certificate.issuer.nil?
+      link_to certificate.issuer.name, issuer_path(certificate.issuer)
+    end
+
+    def certificate_download_links
+      links = []
+
+      links << link_to(_('Download Certificate'), certificate_certificate_path(@certificate),
+                       class: 'btn btn-default',
+                       title: _('Download the PEM format certificate')) unless @certificate.certificate.nil?
+
+      links << link_to(_('Sign Request'), request_path(@certificate.request),
+                       class: 'btn btn-default',
+                       title: _('Upload the signed certificate')) unless @certificate.request.nil?
+
+      links << link_to(_('Download Key'), key_certificate_path(@certificate),
+                       class: 'btn btn-default',
+                       title: _('Download the PEM format private key')) unless @certificate.key.nil?
+
+      links
+    end
+
+    def generation_actions(generation)
+      buttons = []
+
+      params = [generation.owner, generation]
+
+      buttons << link_to(_('Activate'), generation_path(*params, generation: { active: true }), method: :put) if generation.status == 'inactive'
+      buttons << link_to(_('Download Certificate'), certificate_generation_path(*params)) unless generation.status == 'pending'
+      buttons << link_to(_('Upload Certificate'), request_path(generation.request)) if generation.status == 'pending'
+      buttons << link_to(_('Download Request'), request_path(generation.request, format: :pem)) if generation.status == 'pending'
+      buttons << link_to(_('Download Key'), key_generation_path(*params)) unless generation.key.nil?
+      buttons << link_to(_('Delete'), generation_path(*params), method: :delete, data: { confirm: _("Are you sure?") }) unless generation.active?
+
+      action_buttons(buttons)
+    end
+  end
+end

data/app/models/concerns/foreman_x509/digest.rb

@@ -0,0 +1,11 @@
+module ForemanX509
+  module Digest
+    extend ActiveSupport::Concern
+
+    def digest
+      algorithm = configuration.get_value(authority_section, 'default_md') if respond_to?(:authority_section)
+      algorithm ||= configuration.get_value('req', 'default_md')
+      OpenSSL::Digest.new(algorithm || 'sha256') # TODO: make Setting[:default_digest_algorithm]
+    end
+  end
+end

data/app/models/concerns/foreman_x509/extensions.rb

@@ -0,0 +1,20 @@
+module ForemanX509
+  module Extensions
+    extend ActiveSupport::Concern
+
+    EXTENSION_ENTRY_FORMAT = /\A(?<critical>critical,)?\s*(?:@(?<section>[a-zA-Z_]+)|(?<value>[^@].*))\Z/.freeze
+
+    def extensions_from_section(section)
+      return {} if section.nil?
+
+      configuration[section].transform_values do |value|
+        data = EXTENSION_ENTRY_FORMAT.match(value)
+        data[:critical].to_s + (data[:value] || extension_value_from_section(data[:section])).to_s
+      end
+    end
+
+    def extension_value_from_section(section)
+      configuration[section].entries.map { |entry| entry.join(':') }.join(',')
+    end
+  end
+end

data/app/models/concerns/foreman_x509/subject.rb

@@ -0,0 +1,23 @@
+module ForemanX509
+  module Subject
+    extend ActiveSupport::Concern
+
+    def subject
+      @subject ||= subject_from_certificate
+      @subject ||= subject_from_configuration
+    end
+
+    def subject_from_certificate
+      certificate.subject unless certificate.nil?
+    end
+
+    def subject_from_configuration
+      return if configuration.blank?
+
+      section = configuration.get_value('req', 'distinguished_name')
+
+      OpenSSL::X509::Name.new(configuration[section].to_a) unless section.nil?
+    end
+
+  end
+end

data/app/models/foreman_x509/certificate.rb

@@ -0,0 +1,75 @@
+module ForemanX509
+  class Certificate < ::ApplicationRecord
+    include ForemanX509::Subject
+    include ForemanX509::Extensions
+    include ForemanX509::Digest
+    extend FriendlyId
+    friendly_id :name
+
+    belongs_to :issuer, class_name: 'ForemanX509::Issuer', inverse_of: :certificates
+
+    has_many :generations, class_name: 'ForemanX509::Generation', foreign_key: :owner_id, inverse_of: :owner
+    has_one :generation, -> { where(foreman_x509_generations: { active: true }) }, class_name: 'ForemanX509::Generation', foreign_key: :owner_id
+    accepts_nested_attributes_for :generation
+
+    delegate :certificate, :key, to: :generation, allow_nil: true
+
+    has_one :request, class_name: 'ForemanX509::Request', inverse_of: :certificate
+    
+    serialize :configuration, ForemanX509::Serializer::Configuration
+
+    validates :name, format: { with: /\A[a-z][a-z0-9.-]*(?<!-)\z/, message: _("Invalid name format!") }
+    validates :certificate, presence: true, if: -> { configuration.nil? }
+    validate :configuration_has_required_fields, unless: -> { configuration.nil? }
+
+    after_save :ensure_active_generation, if: -> { generations.empty? }
+
+    scoped_search on: :name, complete_value: true
+
+    def can_self_sign?
+      return false if configuration.nil?
+
+      section = configuration.get_value('req', 'x509_extensions')
+      configuration[section].present?
+    end
+
+    def active?
+      return false if certificate.nil?
+
+      (not_before..not_after).include? Time.now
+    end
+
+    def not_before
+      certificate.not_before unless certificate.nil?
+    end
+
+    def not_after
+      certificate.not_after unless certificate.nil?
+    end
+
+    def requested_extensions
+      extensions_from_section(configuration.get_value('req', 'req_extensions'))
+    end
+
+    def certificate_extensions_section
+      configuration.get_value('req', 'x509_extensions')
+    end
+
+    def key_bits
+      return 4096 if configuration.get_value('req', 'default_bits').nil?
+      configuration.get_value('req', 'default_bits').to_i
+    end
+
+    private
+
+    def configuration_has_required_fields
+      errors.add("Configuration missing distinguished name definition") if subject_from_configuration.nil?
+    end
+
+    def ensure_active_generation
+      return if configuration.blank?
+
+      ForemanX509::Builder.create(self)
+    end
+  end
+end