foreman_x509 0.0.1

data/app/models/foreman_x509/generation.rb

@@ -0,0 +1,61 @@
+module ForemanX509
+  class Generation < ::ApplicationRecord
+    belongs_to :owner, class_name: 'ForemanX509::Certificate', inverse_of: :generations
+    has_one :issuer, through: :owner, class_name: 'ForemanX509::Issuer'
+
+    has_one :request, class_name: 'ForemanX509::Request', inverse_of: :generation
+    
+    serialize :certificate, ForemanX509::Serializer::Certificate
+    serialize :key, ForemanX509::Serializer::Key
+
+    delegate :not_before, :not_after, to: :certificate, allow_nil: true
+
+    before_validation :activate_automatically, if: :will_save_change_to_certificate?
+    before_save :deactivate_previous_generation, if: :active?
+    after_save :delete_associated_request, if: :certificate?
+
+    scoped_search relation: :owner, on: :name, complete_value: true, rename: :owner
+
+    validates :active, presence: true, if: :active?
+    validates :active, uniqueness: { scope: :owner_id }, if: :active?
+    validate :validate_certificate_key_pairing, unless: -> { certificate.blank? or key.blank? }
+
+    def status
+      return 'pending' if certificate.nil?
+
+      return 'expired' if expired?
+
+      return 'active' if active?
+
+      'inactive'
+    end
+
+    def activate!
+      update!(active: true)
+    end
+
+    def expired?
+      return false unless certificate?
+      
+      not (certificate.not_before..certificate.not_after).include? Time.now
+    end
+
+    private
+
+    def validate_certificate_key_pairing
+      certificate.check_private_key(key)
+    end
+
+    def deactivate_previous_generation
+      owner.generations.where(active: true).update_all(active: false) unless owner.nil?
+    end
+
+    def delete_associated_request
+      request.destroy unless request.nil?
+    end
+
+    def activate_automatically
+      self[:active] = true # if Setting[:certs_activate_new_generation_automatically]
+    end
+  end
+end

data/app/models/foreman_x509/issuer.rb

@@ -0,0 +1,87 @@
+module ForemanX509
+  class Issuer < ::ApplicationRecord
+    include ForemanX509::Subject
+    include ForemanX509::Extensions
+    include ForemanX509::Digest
+    
+    belongs_to :certificate, class_name: 'ForemanX509::Certificate'
+    accepts_nested_attributes_for :certificate
+
+    has_many :certificates, class_name: 'ForemanX509::Certificate', inverse_of: :issuer
+
+    serialize :serial, ForemanX509::Serializer::BigNumber
+    serialize :certificate_revocation_list, ForemanX509::Serializer::CertificateRevocationList
+
+    delegate :name, :description, :configuration, to: :certificate
+
+    validate :validate_authority_section, unless: -> { configuration.blank? }
+
+    scoped_search relation: :certificate, on: :name, complete_value: true
+
+    def external?
+      configuration.nil?
+    end
+
+    def self_signing?
+      certificate.issuer == self
+    end
+
+    def serial!
+      next_serial = serial || SecureRandom.hex(16)
+      update_attribute(:serial, next_serial + 1) unless new_record?
+      next_serial
+    end
+
+    def start_date
+      start_date = configuration.get_value(authority_section, 'default_startdate')
+      start_date = Time.parse(start_date) unless start_date.nil?
+      start_date || Time.now
+    end
+
+    def end_date
+      end_date = configuration.get_value(authority_section, 'default_enddate')
+      if end_date.nil?
+        duration = configuration.get_value(authority_section, 'default_days')
+        start_date + (duration.nil? ? 3650.days : duration.to_i.days) # TODO: make Setting[:default_certificate_days]
+      else
+        Time.parse(end_date)
+      end
+    end
+
+    def certificate_extensions(requested_extensions, section = nil)
+      section ||= default_certificate_extensions_section
+      case copy_extensions
+      when 'copy'
+        requested_extensions.merge(extensions_from_section(section))
+      when 'copyall'
+        extensions_from_section(section).merge(requested_extensions)
+      else # 'none'
+        extensions_from_section(section)
+      end
+    end
+
+    def bundle
+      return [ certificate.certificate ] if certificate.issuer.nil? or certificate.issuer == self
+
+      [ certificate.certificate ] + certificate.issuer.bundle
+    end
+
+    private
+
+    def default_certificate_extensions_section
+      configuration.get_value(authority_section, 'x509_extensions')
+    end
+
+    def copy_extensions
+      configuration.get_value(authority_section, 'copy_extensions') || 'none'
+    end
+
+    def authority_section
+      configuration.get_value('ca', 'default_ca')
+    end
+
+    def validate_authority_section
+      errors.add(:configuration, "missing 'default_ca' from 'ca' section") if authority_section.nil?
+    end
+  end
+end

data/app/models/foreman_x509/request.rb

@@ -0,0 +1,40 @@
+module ForemanX509
+  class Request < ::ApplicationRecord
+    belongs_to :certificate, class_name: 'ForemanX509::Certificate'
+    belongs_to :generation, class_name: 'ForemanX509::Generation'
+
+    serialize :request, ForemanX509::Serializer::Request
+
+    validates :certificate, presence: true
+    validates :generation, presence: true
+
+    delegate :name, to: :certificate
+    delegate :to_pem, :to_der, to: :request
+
+    before_save :create_request, unless: :request?
+
+    private
+
+    def create_request
+      request = OpenSSL::X509::Request.new
+
+      request.public_key = generation.key.public_key
+      request.version = 0
+      request.subject = certificate.subject
+
+      request.add_attribute OpenSSL::X509::Attribute.new('extReq', OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(request_extensions)]))
+
+      self.request = request.sign(generation.key, certificate.digest)
+    end
+
+    def request_extensions
+      certificate.requested_extensions.map do |key, value|
+        extension_factory.create_extension(key, value)
+      end
+    end
+
+    def extension_factory
+      @extension_factory ||= OpenSSL::X509::ExtensionFactory.new(nil, nil, request)
+    end
+  end
+end

data/app/services/foreman_x509/builder.rb

@@ -0,0 +1,86 @@
+module ForemanX509
+  class Builder
+    def self.create(subject)
+      new(subject).create
+    end
+
+    attr_reader :subject, :issuer, :request, :generation
+    attr_accessor :activate
+
+    def initialize(subject, **options)
+      @subject = subject
+      @issuer = subject.issuer
+      @issuer ||= Issuer.new(certificate: subject) if subject.can_self_sign?
+
+      @activate = options.fetch(:activate, true)
+    end
+
+    def create
+      @generation = subject.generations.create(key: key)
+
+      if issuer
+        build_certificate
+
+        generation.update(certificate: certificate, active: activate)
+      else
+        @request = Request.create(certificate: @subject, generation: @generation)
+      end
+
+      generation
+    end
+
+    private
+
+    def key
+      @key ||= (subject.key || OpenSSL::PKey::RSA.new(subject.key_bits))
+    end
+
+    def certificate
+      @certificate ||= OpenSSL::X509::Certificate.new
+    end
+
+    def self_signing?
+      issuer.certificate == subject
+    end
+
+    def build_certificate
+      return if issuer.external?
+
+      certificate.subject = subject.subject
+      certificate.public_key = key.public_key
+      certificate.version = 2
+
+      certificate.issuer = issuer.subject
+      certificate.serial = issuer.serial!
+      certificate.not_before = issuer.start_date
+      certificate.not_after = issuer.end_date
+      
+      certificate_extensions do |extension|
+        certificate.add_extension extension
+      end
+      
+      certificate.sign(signing_key, issuer.digest)
+    end
+
+    def certificate_extensions
+      issuer.certificate_extensions(subject.requested_extensions, subject.certificate_extensions_section).each do |key, value|
+        extension = extension_factory.create_extension(key, value)
+        yield extension if block_given?
+      end
+    end
+
+    def extension_factory
+      @extension_factory ||= OpenSSL::X509::ExtensionFactory.new(signing_certificate, certificate, nil)
+    end
+
+    def signing_certificate
+      return certificate if self_signing?
+      issuer.certificate.certificate
+    end
+
+    def signing_key
+      return key if self_signing?
+      issuer.certificate.key
+    end
+  end
+end

data/app/services/foreman_x509/serializer/big_number.rb

@@ -0,0 +1,13 @@
+module ForemanX509
+  module Serializer
+    class BigNumber
+      def self.dump(object)
+        object.to_s(16) unless object.nil?
+      end
+
+      def self.load(data)
+        OpenSSL::BN.new(data, 16) unless data.blank?
+      end
+    end
+  end
+end

data/app/services/foreman_x509/serializer/certificate.rb

@@ -0,0 +1,15 @@
+module ForemanX509
+  module Serializer
+    class Certificate
+      def self.dump(object)
+        object = OpenSSL::X509::Certificate.new(object) if object.is_a? String
+        
+        object.to_pem unless object.blank?
+      end
+
+      def self.load(data)
+        OpenSSL::X509::Certificate.new(data) unless data.blank?
+      end
+    end
+  end
+end

data/app/services/foreman_x509/serializer/certificate_revocation_list.rb

@@ -0,0 +1,14 @@
+module ForemanX509
+  module Serializer
+    class CertificateRevocationList
+
+      def self.dump(object)
+        object.to_s unless object.blank?
+      end
+
+      def self.load(data)
+        OpenSSL::X509::CRL.new(data) unless data.blank?
+      end
+    end
+  end
+end

data/app/services/foreman_x509/serializer/configuration.rb

@@ -0,0 +1,13 @@
+module ForemanX509
+  module Serializer
+    class Configuration
+      def self.dump(object)
+        object.to_s unless object.blank?
+      end
+
+      def self.load(data)
+        OpenSSL::Config.parse(data) unless data.blank?
+      end
+    end
+  end
+end

data/app/services/foreman_x509/serializer/key.rb

@@ -0,0 +1,13 @@
+module ForemanX509
+  module Serializer
+    class Key
+      def self.dump(object)
+        object.to_s unless object.blank?
+      end
+
+      def self.load(data)
+        OpenSSL::PKey.read(data) unless data.blank?
+      end
+    end
+  end
+end

data/app/services/foreman_x509/serializer/request.rb

@@ -0,0 +1,13 @@
+module ForemanX509
+  module Serializer
+    class Request
+      def self.dump(object)        
+        object.to_pem unless object.blank?
+      end
+
+      def self.load(data)
+        OpenSSL::X509::Request.new(data) unless data.blank?
+      end
+    end
+  end
+end

data/app/views/foreman_x509/api/v2/certificates/base.json.rabl

@@ -0,0 +1,3 @@
+object @certificate
+
+attributes :id, :name

data/app/views/foreman_x509/api/v2/certificates/index.json.rabl

@@ -0,0 +1,3 @@
+collection @certificates
+
+extends 'foreman_x509/api/v2/certificates/base'

data/app/views/foreman_x509/api/v2/certificates/show.json.rabl

@@ -0,0 +1,9 @@
+object @certificate
+
+extends 'foreman_x509/api/v2/certificates/base'
+
+attributes :description
+
+child :issuer do
+  extends 'foreman_x509/api/v2/issuers/base'
+end

data/app/views/foreman_x509/api/v2/generations/base.json.rabl

@@ -0,0 +1,11 @@
+object @generation
+
+attribute :id
+
+node(:certificate_link) do |generation|
+  certificate_api_certificate_generation_url(generation.owner, generation) if generation.certificate?
+end
+
+node(:key_link) do |generation|
+  key_api_certificate_generation_url(generation.owner, generation) if generation.key?
+end

data/app/views/foreman_x509/api/v2/generations/show.json.rabl

@@ -0,0 +1,7 @@
+object @generation
+
+extends 'foreman_x509/api/v2/generations/base'
+
+child :owner do
+  extends 'foreman_x509/api/v2/certificates/base'
+end

data/app/views/foreman_x509/api/v2/issuers/base.json.rabl

@@ -0,0 +1,3 @@
+object @issuer
+
+attributes :id, :name

data/app/views/foreman_x509/api/v2/issuers/index.json.rabl

@@ -0,0 +1,3 @@
+collection @issuers
+
+extends 'foreman_x509/api/v2/issuers/base'

data/app/views/foreman_x509/api/v2/requests/show.json.rabl

@@ -0,0 +1,16 @@
+object @request
+
+attribute :id
+
+node :link do |request|
+  download_api_request_url(request)
+end
+
+child :certificate do
+  extends 'foreman_x509/api/v2/certificates/base'
+end
+
+child :generation do
+  extends 'foreman_x509/api/v2/generations/base'
+end
+

data/app/views/foreman_x509/certificates/_form.html.erb

@@ -0,0 +1,12 @@
+<%= form_for @certificate do |f| %>
+  <%= base_errors_for @certificate %>
+  <%= text_f f, :name %>
+  <%= textarea_f f, :description %>
+  <%= selectable_f f, :issuer_id, ForemanX509::Issuer.all.collect { |c| [c.name, c.id] }, { include_blank: true }, { label: _('Issuer'), required: false } %>
+  <%= field(f, :configuration) do %>
+    <%= f.text_area :configuration, rows: 10, class: "form-control" %>
+    <%= f.file_field :configuration_file %>
+  <% end %>
+
+  <%= submit_or_cancel f, false, { cancel_path: (@certificate.new_record? ? certificates_path : certificate_path(@certificate)) } %>
+<% end %>

data/app/views/foreman_x509/certificates/_generations.html.erb

@@ -0,0 +1,32 @@
+<table class="<%= table_css_classes 'table-condensed table-fixed' %>">
+  <thead>
+    <tr>
+      <th class="col-md-1"><%= _('Id') %></th>
+      <th class="col-md-2"><%= _('Not Before') %></th>
+      <th class="col-md-2"><%= _('Not After') %></th>
+      <th class="col-md-1"><%= _('Status') %></th>
+      <th class="col-md-1"><%= _('Actions') %></th>
+    </tr>
+  </thead>
+  <tbody>
+    <% @certificate.generations.each do |generation| %>
+      <tr>
+        <td>
+          <%= generation.id %>
+        </td>
+        <td>
+          <%= generation.not_before.httpdate unless generation.not_before.nil? %>
+        </td>
+        <td>
+          <%= generation.not_after.httpdate unless generation.not_after.nil? %>
+        </td>
+        <td>
+          <%= generation.status %>
+        </td>
+        <td>
+          <%= generation_actions(generation) %>
+        </td>
+      </tr>
+    <% end %>
+  </tbody>
+</table>

data/app/views/foreman_x509/certificates/index.html.erb

@@ -0,0 +1,34 @@
+<% title _("Certificates") %>
+
+<% title_actions link_to(_("Create Certificate"), hash_for_new_certificate_path, class: 'btn btn-default') %>
+
+<table class="<%= table_css_classes 'table-condensed table-fixed' %>">
+  <thead>
+    <tr>
+      <th class="col-md-2"><%= sort :name, as: _('Name') %></th>
+      <th class="col-md-3"><%= _('Issuer') %></th>
+      <th class="col-md-1"><%= _('Not Before') %></th>
+      <th class="col-md-1"><%= _('Not After') %></th>
+    </tr>
+  </thead>
+  <tbody>
+    <% @certificates.each do |certificate| %>
+      <tr>
+        <td>
+          <%= link_to certificate.name, certificate_path(certificate) %>
+        </td>
+        <td>
+          <%= issuer_link certificate %>
+        </td>
+        <td>
+          <%= certificate.not_before.httpdate unless certificate.not_before.nil? %>
+        </td>
+        <td>
+          <%= certificate.not_after.httpdate unless certificate.not_after.nil? %>
+        </td>
+      </tr>
+    <% end %>
+  </tbody>
+</table>
+
+<%= will_paginate_with_info @certificates %>

data/app/views/foreman_x509/certificates/new.html.erb

@@ -0,0 +1,3 @@
+<% title _('Create Certificate') %>
+
+<%= render partial: 'form' %>

data/app/views/foreman_x509/certificates/show.html.erb

@@ -0,0 +1,31 @@
+<% title @certificate.name %>
+
+<%
+items = [{ caption: _('Certificates'), url: certificates_path },
+         { caption: @certificate.name }]
+
+breadcrumbs(resource_url: api_certificates_path, 
+            name_field: 'name',
+            switcher_item_url: certificate_path(':name'),
+            items: items)
+%>
+
+<% title_actions certificate_download_links %>
+
+<ul id="host-show-tabs" class="nav nav-tabs">
+  <li class="active"><a href="#primary" data-toggle="tab"><%= _("Details") %></a></li>
+  <li><a href="#configuration" data-toggle="tab"><%= _("Configuration") %></a></li>
+  <li><a href="#generations" data-toggle="tab"><%= _("Generations") %></a></li>
+</ul>
+
+<div class="tab-content">
+  <div class="tab-pane active" id="primary">
+    <pre><%= certificate_details %></pre>
+  </div>
+  <div class="tab-pane" id="configuration">
+    <pre><%= @certificate.configuration.to_s %></pre>
+  </div>
+  <div class="tab-pane" id="generations">
+    <%= render partial: "generations" %>
+  </div>
+</div>

data/app/views/foreman_x509/generations/edit.html.erb

@@ -0,0 +1,8 @@
+<pre><%= @generation.request.to_pem %></pre>
+<%= form_for @generation, url: certificate_generation_path(certificate_id: @owner, id: @generation) do |f| %>
+  <%= field(f, :certificate) do %>
+    <%= f.text_area :certificate, rows: 10, class: "form-control" %>
+    <%= f.file_field :certificate_file %>
+  <% end %>
+  <%= submit_or_cancel f, false, { cancel_path: certificate_path(@owner) } %>
+<% end %>

data/app/views/foreman_x509/issuers/index.html.erb

@@ -0,0 +1,24 @@
+<% title _("Issuers") %>
+
+<table class="<%= table_css_classes 'table-condensed table-fixed' %>">
+  <thead>
+    <tr>
+      <th><%= sort :name, as: _('Name') %></th>
+      <th class="col-md-1"><%= _('Certificates') %></th>
+    </tr>
+  </thead>
+  <tbody>
+    <% @issuers.each do |issuer| %>
+      <tr>
+        <td>
+          <%= link_to issuer.name, issuer_path(issuer) %>
+        </td>
+        <td>
+          <%= issuer.certificates.count %>
+        </td>
+      </tr>
+    <% end %>
+  </tbody>
+</table>
+
+<%= will_paginate_with_info @issuers %>

data/app/views/foreman_x509/issuers/show.html.erb

@@ -0,0 +1,52 @@
+<% title @issuer.name %>
+
+<%
+items = [{ caption: _('Issuers'), url: issuers_path },
+         { caption: @issuer.name }]
+
+breadcrumbs(resource_url: api_issuers_path, 
+            name_field: 'name',
+            switcher_item_url: issuer_path(':id'),
+            items: items)
+%>
+
+<ul id="host-show-tabs" class="nav nav-tabs">
+  <li class="active"><a href="#primary" data-toggle="tab"><%= _("Details") %></a></li>
+  <li><a href="#configuration" data-toggle="tab"><%= _("Configuration") %></a></li>
+  <li><a href="#certificates" data-toggle="tab"><%= _("Certificates") %></a></li>
+</ul>
+
+<div class="tab-content">
+  <div class="tab-pane active" id="primary">
+    <pre><%= @issuer.certificate.certificate.to_text %></pre>
+  </div>
+  <div class="tab-pane" id="configuration">
+    <pre><%= @issuer.configuration.to_s %></pre>
+  </div>
+  <div class="tab-pane" id="certificates">
+    <table class="<%= table_css_classes 'table-condensed table-fixed' %>">
+      <thead>
+        <tr>
+          <th class="col-md-2"><%= sort :name, as: _('Name') %></th>
+          <th class="col-md-1"><%= _('Not Before') %></th>
+          <th class="col-md-1"><%= _('Not After') %></th>
+        </tr>
+      </thead>
+      <tbody>
+        <% @issuer.certificates.each do |certificate| %>
+          <tr>
+            <td>
+              <%= link_to certificate.name, certificate_path(certificate) %>
+            </td>
+            <td>
+              <%= certificate.not_before.httpdate unless certificate.not_before.nil? %>
+            </td>
+            <td>
+              <%= certificate.not_after.httpdate unless certificate.not_after.nil? %>
+            </td>
+          </tr>
+        <% end %>
+      </tbody>
+    </table>
+  </div>
+</div>

data/app/views/foreman_x509/requests/show.html.erb

@@ -0,0 +1,15 @@
+<%= form_for @request.generation, url: generation_path(@request.certificate, @request.generation) do |f| %>
+  <div class="clearfix">
+    <div class="form-group">
+      <label class="col-md-2 control-label">Request</label>
+      <div class="col-md-5">
+        <pre><%= @request.to_pem %></pre>
+      </div>
+    </div>
+  </div>
+  <%= field(f, :certificate, size: "col-md-5") do %>
+    <%= f.text_area :certificate, rows: 10, class: "form-control" %>
+    <%= f.file_field :certificate_file %>
+  <% end %>
+  <%= submit_or_cancel f, false, { cancel_path: certificate_path(@request.certificate) } %>
+<% end %>