openvoxserver-ca 3.0.0.pre.rc1

data/lib/puppetserver/ca/action/list.rb

@@ -0,0 +1,253 @@
+require 'json'
+require 'optparse'
+
+require 'puppetserver/ca/errors'
+require 'puppetserver/ca/certificate_authority'
+require 'puppetserver/ca/config/puppet'
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+
+module Puppetserver
+  module Ca
+    module Action
+      class List
+
+        include Puppetserver::Ca::Utils
+
+        SUMMARY = 'List certificates and CSRs'
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca list [--help]
+  puppetserver ca list [--config]
+  puppetserver ca list [--all]
+  puppetserver ca list --certname NAME[,NAME]
+
+Description:
+  List outstanding certificate requests. If --all is specified, signed and
+  revoked certificates will be listed as well.
+
+Options:
+      BANNER
+
+        BODY = JSON.dump({desired_state: 'signed'})
+        VALID_FORMAT = ['text', 'json']
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--config CONF', 'Custom path to Puppet\'s config file') do |conf|
+              parsed['config'] = conf
+            end
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--all', 'List all certificates') do |a|
+              parsed['all'] = true
+            end
+            opts.on('--format FORMAT', "Valid formats are: 'text' (default), 'json'") do |f|
+              parsed['format'] = f
+            end
+            opts.on('--certname NAME[,NAME]', Array, 'List the specified cert(s)') do |cert|
+              parsed['certname'] = cert
+            end
+          end
+        end
+
+        def run(input)
+          config = input['config']
+          certnames = input['certname'] || []
+          all = input['all']
+          output_format = input['format'] || "text"
+          missing = []
+
+          unless VALID_FORMAT.include?(output_format)
+            Errors.handle_with_usage(@logger, ["Unknown format flag '#{output_format}'. Valid formats are '#{VALID_FORMAT.join("', '")}'."])
+            return 1
+          end
+
+          if all && certnames.any?
+            Errors.handle_with_usage(@logger, ['Cannot combine use of --all and --certname.'])
+            return 1
+          end
+
+          if config
+            errors = FileSystem.validate_file_paths(config)
+            return 1 if Errors.handle_with_usage(@logger, errors)
+          end
+
+          puppet = Config::Puppet.parse(config, @logger)
+          return 1 if Errors.handle_with_usage(@logger, puppet.errors)
+
+          if certnames.any?
+            filter_names = lambda { |x| certnames.include?(x['name']) }
+          else
+            filter_names = lambda { |x| true }
+          end
+
+          if (all || certnames.any?)
+            found_certs = get_certs_or_csrs(puppet.settings)
+            if found_certs.nil?
+               # nil is different from no certs found
+               @logger.err('Error while getting certificates')
+               return 1
+            end
+            all_certs = found_certs.select { |cert| filter_names.call(cert) }
+            requested, signed, revoked = separate_certs(all_certs)
+            missing = certnames - all_certs.map { |cert| cert['name'] }
+            output_certs_by_state(all, output_format, requested, signed, revoked, missing)
+          else
+            all_csrs = get_certs_or_csrs(puppet.settings, "requested")
+            if all_csrs.nil?
+               # nil is different from no certs found
+               @logger.err('Error while getting certificate requests')
+               return 1
+            end
+            output_certs_by_state(all, output_format, all_csrs)
+          end
+
+          return missing.any? ? 1 : 0
+        end
+
+        def output_certs_by_state(all, output_format, requested, signed = [], revoked = [], missing = [])
+          if output_format == 'json'
+            output_certs_json_format(all, requested, signed, revoked, missing)
+          else
+            output_certs_text_format(requested, signed, revoked, missing)
+          end
+        end
+
+        def output_certs_json_format(all, requested, signed, revoked, missing)
+          grouped_cert = {}
+
+          if all
+            grouped_cert = { "requested" => requested,
+                             "signed" => signed,
+                             "revoked" => revoked }.to_json
+            @logger.inform(grouped_cert)
+          else
+            grouped_cert["requested"] = requested unless requested.empty?
+            grouped_cert["signed"] = signed unless signed.empty?
+            grouped_cert["revoked"] = revoked unless revoked.empty?
+            grouped_cert["missing"] = missing unless missing.empty?
+
+            # If neither the '--all' flag or the '--certname' flag was passed in
+            # and the requested cert array is empty, we output a JSON object
+            # with an empty 'requested' key. Otherwise, we display
+            # any of the classes that are currently in grouped_cert
+            if grouped_cert.empty?
+              @logger.inform({ "requested" => requested }.to_json)
+            else
+              @logger.inform(grouped_cert.to_json)
+            end
+          end
+        end
+
+        def output_certs_text_format(requested, signed, revoked, missing)
+          if revoked.empty? && signed.empty? && requested.empty? && missing.empty?
+            @logger.inform "No certificates to list"
+            return
+          end
+
+          unless requested.empty?
+            @logger.inform "Requested Certificates:"
+            output_certs(requested)
+          end
+
+          unless signed.empty?
+            @logger.inform "Signed Certificates:"
+            output_certs(signed)
+          end
+
+          unless revoked.empty?
+            @logger.inform "Revoked Certificates:"
+            output_certs(revoked)
+          end
+
+          unless missing.empty?
+            @logger.inform "Missing Certificates:"
+            missing.each do |name|
+              @logger.inform "    #{name}"
+            end
+          end
+        end
+
+        def output_certs(certs)
+          cert_column_width = certs.map { |c| c['name'].size }.max
+
+          certs.each do |cert|
+            @logger.inform(format_cert(cert, cert_column_width))
+          end
+        end
+
+        def format_cert(cert, cert_column_width)
+          [
+            format_cert_and_sha(cert, cert_column_width),
+            format_alt_names(cert),
+            format_authorization_extensions(cert)
+          ].compact.join("\t")
+        end
+
+        def format_cert_and_sha(cert, cert_column_width)
+          justified_certname = cert['name'].ljust(cert_column_width + 6)
+          sha = cert['fingerprints']['SHA256']
+          "    #{justified_certname} (SHA256)  #{sha}"
+        end
+
+        def format_alt_names(cert)
+          # In newer versions of the CA api we return subject_alt_names
+          # in addition to dns_alt_names, this field includes DNS alt
+          # names but also IP alt names.
+          alt_names = cert['subject_alt_names'] || cert['dns_alt_names']
+          "alt names: #{alt_names}" unless alt_names.empty?
+        end
+
+        def format_authorization_extensions(cert)
+          auth_exts = cert['authorization_extensions']
+          return nil if auth_exts.nil? || auth_exts.empty?
+
+          values = auth_exts.map { |ext, value| "#{ext}: #{value}" }.join(', ')
+          "authorization extensions: [#{values}]"
+        end
+
+        def separate_certs(all_certs)
+          certs = all_certs.group_by { |v| v["state"]}
+          requested = certs.fetch("requested", [])
+          signed = certs.fetch("signed", [])
+          revoked = certs.fetch("revoked", [])
+          return requested, signed, revoked
+        end
+
+        def get_certs_or_csrs(settings, queried_state = nil)
+          query = queried_state ? { :state => queried_state } : {}
+          result = Puppetserver::Ca::CertificateAuthority.new(@logger, settings).get_certificate_statuses(query)
+
+          if result
+            return JSON.parse(result.body)
+          else
+            return nil
+          end
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+
+          errors = CliParsing.parse_with_errors(parser, args)
+
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+
+          if errors_were_handled
+            exit_code = 1
+          else
+            exit_code = nil
+          end
+          return results, exit_code
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/action/migrate.rb

@@ -0,0 +1,97 @@
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/http_client'
+require 'puppetserver/ca/utils/config'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Migrate
+        include Puppetserver::Ca::Utils
+        PUPPETSERVER_CA_DIR = Puppetserver::Ca::Utils::Config.new_default_cadir
+
+        SUMMARY = "Migrate the existing CA directory to #{PUPPETSERVER_CA_DIR}"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca migrate [--help]
+  puppetserver ca migrate [--config PATH]
+
+Description:
+  Migrate an existing CA directory to #{PUPPETSERVER_CA_DIR}. This is for
+  upgrading from Puppet Platform 6.x to Puppet 7. Uses the default puppet.conf
+  in your installation, or use a different config by supplying the `--config` flag.
+
+Options:
+BANNER
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(input)
+          config_path = input['config']
+          puppet = Config::Puppet.new(config_path)
+          puppet.load(logger: @logger, ca_dir_warn: false)
+          return 1 if HttpClient.check_server_online(puppet.settings, @logger)
+
+          errors = FileSystem.check_for_existing_files(PUPPETSERVER_CA_DIR)
+          if !errors.empty?
+            instructions = <<-ERR
+Migration will not overwrite the directory at #{PUPPETSERVER_CA_DIR}. Have you already
+run this migration tool? Is this a puppet 7 installation? It is likely that you have
+already successfully run the migration or do not need to run it.
+ERR
+            errors << instructions
+            Errors.handle_with_usage(@logger, errors)
+            return 1
+          end
+
+          current_cadir = puppet.settings[:cadir]
+          if FileSystem.check_for_existing_files(current_cadir).empty?
+            error_message = <<-ERR
+No CA dir found at #{current_cadir}. Please check the configured cadir setting in your
+puppet.conf file and verify its contents.
+ERR
+            Errors.handle_with_usage(@logger, [error_message])
+            return 1
+          end
+
+          migrate(current_cadir)
+
+          @logger.inform <<-SUCCESS_MESSAGE
+CA dir successfully migrated to #{PUPPETSERVER_CA_DIR}. Symlink placed at #{current_cadir}
+for backwards compatibility. The puppetserver can be safely restarted now.
+SUCCESS_MESSAGE
+          return 0
+        end
+
+        def migrate(old_cadir, new_cadir=PUPPETSERVER_CA_DIR)
+          FileUtils.mv(old_cadir, new_cadir)
+          FileSystem.forcibly_symlink(new_cadir, old_cadir)
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+          errors = CliParsing.parse_with_errors(parser, args)
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+          exit_code = errors_were_handled ? 1 : nil
+          return results, exit_code
+        end
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/action/prune.rb

@@ -0,0 +1,289 @@
+require 'optparse'
+require 'openssl'
+require 'set'
+require 'puppetserver/ca/errors'
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/config'
+require 'puppetserver/ca/x509_loader'
+require 'puppetserver/ca/config/puppet'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Prune
+        include Puppetserver::Ca::Utils
+
+        SUMMARY = "Prune the local CRL on disk to remove certificate entries"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca prune [--help]
+  puppetserver ca prune [--config]
+  puppetserver ca prune [--config] [--remove-duplicates]
+  puppetserver ca prune [--config] [--remove-expired]
+  puppetserver ca prune [--config] [--remove-entries] [--serial NUMBER[,NUMBER]] [--certname NAME[,NAME]]
+
+Description:
+  Prune the list of revoked certificates. If no options are provided or
+  --remove-duplicates is specified, prune CRL of any duplicate entries.
+  If --remove-expired is specified, remove expired entries from CRL.
+  If --remove-entries is specified, remove matching entries provided by
+  --serial and/or --certname values. This command will only prune the CRL
+  issued by Puppet's CA cert.
+
+Options:
+BANNER
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(inputs)
+          config_path = inputs['config']
+          remove_duplicates = inputs['remove-duplicates']
+          remove_expired = inputs['remove-expired']
+          remove_entries = inputs['remove-entries']
+          serialnumbers = inputs['serial']
+          certnames = inputs['certname']
+          exit_code = 0
+
+          # Validate the config path.
+          if config_path
+            errors = FileSystem.validate_file_paths(config_path)
+            return 1 if Errors.handle_with_usage(@logger, errors)
+          end
+
+          # Validate puppet config setting.
+          puppet = Config::Puppet.new(config_path)
+          puppet.load(logger: @logger)
+          return 1 if Errors.handle_with_usage(@logger, puppet.errors)
+
+          # Validate arguments
+          if (remove_entries && (!serialnumbers && !certnames))
+            return 1 if Errors.handle_with_usage(@logger,["--remove-entries option require --serial or --certname values"])
+          end
+
+          # Validate that we are offline
+          return 1 if HttpClient.check_server_online(puppet.settings, @logger)
+
+          # Getting the CRL(s)
+          loader = X509Loader.new(puppet.settings[:cacert], puppet.settings[:cakey], puppet.settings[:cacrl])
+          inventory_file = puppet.settings[:cert_inventory]
+          cadir = puppet.settings[:cadir]
+
+          verified_crls = loader.crls.select { |crl| crl.verify(loader.key) }
+          number_of_removed_duplicates = 0
+          number_of_removed_crl_entries = 0
+
+          if verified_crls.length == 1
+            puppet_crl = verified_crls.first
+            @logger.inform("Total number of certificates found in Puppet's CRL is: #{puppet_crl.revoked.length}.")
+
+            if remove_entries
+              if serialnumbers
+                number_of_removed_crl_entries += prune_using_serial(puppet_crl, loader.key, serialnumbers)
+              end
+              if certnames
+                number_of_removed_crl_entries += prune_using_certname(puppet_crl, loader.key, inventory_file, cadir, certnames)
+              end
+            end
+
+            if remove_expired
+              number_of_removed_crl_entries += prune_expired(puppet_crl, loader.key, inventory_file, cadir)
+            end
+
+            if (remove_duplicates || (!remove_entries && !remove_expired))
+               number_of_removed_duplicates += prune_CRL(puppet_crl)
+            end
+
+
+            if (number_of_removed_duplicates > 0 || number_of_removed_crl_entries > 0)
+              update_pruned_CRL(puppet_crl, loader.key)
+              FileSystem.write_file(puppet.settings[:cacrl], loader.crls, 0644)
+              @logger.inform("Removed #{number_of_removed_duplicates} duplicated certs from Puppet's CRL.") if number_of_removed_duplicates > 0
+              @logger.inform("Removed #{number_of_removed_crl_entries} certs from Puppet's CRL.") if number_of_removed_crl_entries > 0
+            else
+              @logger.inform("No matching revocations found in the CRL for pruning")
+            end
+          else
+            @logger.err("Could not identify Puppet's CRL. Aborting prune action.")
+            exit_code = 1
+          end
+          return exit_code
+        end
+
+        def prune_CRL(crl)
+          number_of_removed_duplicates = 0
+
+          existed_serial_number = Set.new()
+          revoked_list = crl.revoked
+          @logger.debug("Pruning duplicate entries in CRL for issuer " \
+            "#{crl.issuer.to_s(OpenSSL::X509::Name::RFC2253)}") if @logger.debug?
+
+          revoked_list.delete_if do |revoked|
+            if existed_serial_number.add?(revoked.serial)
+              false
+            else
+              number_of_removed_duplicates += 1
+              @logger.debug("Removing duplicate of #{revoked.serial}, " \
+                "revoked on #{revoked.time}\n") if @logger.debug?
+              true
+            end
+          end
+          crl.revoked=(revoked_list)
+
+          return number_of_removed_duplicates
+        end
+
+        def update_pruned_CRL(crl, pkey)
+          # Updating extensions in-place does not work with some ruby versions / implementation. Copy & recreate them.
+          extensions = crl.extensions
+          crl.extensions = []
+
+          ef = OpenSSL::X509::ExtensionFactory.new
+          ef.crl = crl
+
+          extensions.each do |ext|
+            if ext.oid == "crlNumber"
+              if RUBY_ENGINE == "jruby"
+                # Creating a crlNumber extension without an ExtensionFactory produce incorrect result on jruby
+                crl.add_extension(ef.create_extension("crlNumber", ext.value.next))
+              else
+                # Creating a crlNumber extension with an ExtensionFactory rais on exception on MRI
+                crl.add_extension(OpenSSL::X509::Extension.new("crlNumber", ext.value.next))
+              end
+            else
+              crl.add_extension(ext)
+            end
+          end
+
+          crl.sign(pkey, OpenSSL::Digest::SHA256.new)
+        end
+
+        def prune_using_serial(crl, key, serialnumbers)
+          removed_serials = []
+          revoked_list = crl.revoked
+          @logger.debug("Removing entries in CRL for issuer " \
+            "#{crl.issuer.to_s(OpenSSL::X509::Name::RFC2253)}") if @logger.debug?
+          serialnumbers.each do |serial|
+            if serial.match(/^(?:0[xX])?[A-Fa-f0-9]+$/)
+              revoked_list.delete_if do |revoked|
+                if revoked.serial == OpenSSL::BN.new(serial.hex)
+                  removed_serials.push(serial)
+                  true
+                end
+              end
+            end
+          end
+          crl.revoked = (revoked_list)
+          @logger.debug("Removed these CRL entries : #{removed_serials}") if @logger.debug?
+          return removed_serials.length
+        end
+
+        def prune_using_certname(crl, key, inventory_file, cadir, certnames)
+          serialnumbers = []
+          @logger.debug("Checking inventory file #{inventory_file} for matching cert names") if @logger.debug?
+          errors = FileSystem.validate_file_paths(inventory_file)
+          if errors.empty?
+            File.open(inventory_file).each_line do |line|
+              certnames.each do |certname|
+                if line.match(/\/CN=#{certname}$/) && line.split.length == 4
+                  serialnumbers.push(line.split.first)
+                  certnames.delete(certname)
+                end
+              end
+            end
+          else
+            @logger.warn "Reading inventory file at #{inventory_file} failed with error #{errors}"
+          end
+          if certnames
+            @logger.debug("Checking CA dir #{cadir} for matching cert names")
+            certnames.each do |certname|
+              cert_file = "#{cadir}/signed/#{certname}.pem"
+              if File.file?(cert_file)
+                raw = File.read(cert_file)
+                certificate = OpenSSL::X509::Certificate.new(raw)
+                serial = certificate.serial
+                serialnumbers.push(serial.to_s(16))
+              end
+            end
+            prune_using_serial(crl, key, serialnumbers)
+          end
+        end
+
+        def prune_expired (crl, key, inventory_file, cadir)
+          serialnumbers = []
+          signed_dir = "#{cadir}/signed"
+          @logger.debug("Checking inventory file #{inventory_file} for expired entries") if @logger.debug?
+          errors = FileSystem.validate_file_paths(inventory_file)
+          if errors.empty?
+            File.open(inventory_file).each_line do |line|
+              if line.match(/\/CN=.*$/) && line.split.length == 4
+                not_after = line.split[2]
+                begin
+                  not_after = Time.parse(line.split[2])
+                  serialnumbers.push(line.split.first) if not_after < Time.now
+                rescue ArgumentError
+                  @logger.warn "Invalid not_after time found in inventory.txt file at #{line}"
+                  next
+                end
+              end
+            end
+          else
+            @logger.warn "Reading inventory file at #{inventory_file} failed with error #{errors}"
+          end
+          @logger.debug("Checking CA dir #{cadir} for expired certs")
+          Dir.foreach(signed_dir) do |filename|
+            if File.extname(filename) == '.pem'
+              raw = File.read("#{signed_dir}/#{filename}")
+              certificate = OpenSSL::X509::Certificate.new(raw)
+              serialnumbers.push(certificate.serial.to_s(16)) if certificate.not_after < Time.now
+            end
+          end
+          prune_using_serial(crl, key, serialnumbers)
+        end
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to the puppet.conf file on disk') do |conf|
+              parsed['config'] = conf
+            end
+            opts.on('--remove-duplicates', 'Remove duplicate entries from CRL(default)') do |remove_duplicates|
+              parsed['remove-duplicates'] = true
+            end
+            opts.on('--remove-expired', 'Remove expired  entries from CRL') do |remove_expired|
+              parsed['remove-expired'] = true
+            end
+            opts.on('--remove-entries', 'Remove entries from CRL') do |remove_entries|
+              parsed['remove-entries'] = true
+            end
+            opts.on('--serial NUMBER[,NUMBER]', Array, 'Serial numbers(s) in HEX to be removed from CRL') do |serialnumbers|
+              parsed['serial'] = serialnumbers
+            end
+            opts.on('--certname NAME[,NAME]', Array, 'Name(s) of the cert(s) to be removed from CRL') do |certnames|
+              parsed['certname'] = certnames
+            end
+          end
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+          errors = CliParsing.parse_with_errors(parser, args)
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+
+          if errors_were_handled
+            exit_code = 1
+          else
+            exit_code = nil
+          end
+          return results, exit_code
+        end
+      end
+    end
+  end
+end