openvoxserver-ca 3.0.0.pre.rc1

data/lib/puppetserver/ca/action/revoke.rb

@@ -0,0 +1,108 @@
+require 'optparse'
+
+require 'puppetserver/ca/certificate_authority'
+require 'puppetserver/ca/config/puppet'
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Revoke
+
+        include Puppetserver::Ca::Utils
+
+        CERTNAME_BLOCKLIST = %w{--all --config}
+
+        SUMMARY = 'Revoke certificate(s)'
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca revoke [--help]
+  puppetserver ca revoke [--config] --certname NAME[,NAME]
+
+Description:
+  Given one or more valid certnames, instructs the CA to revoke them over
+  HTTPS using the local agent's PKI
+
+Options:
+BANNER
+
+        def self.parser(parsed = {})
+          parsed['certnames'] = []
+          OptionParser.new do |o|
+            o.banner = BANNER
+            o.on('--certname NAME[,NAME]', Array,
+                 'One or more comma separated certnames') do |certs|
+              parsed['certnames'] += certs
+            end
+            o.on('--config CONF', 'Custom path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+            o.on('--help', 'Displays this revoke specific help output') do |help|
+              parsed['help'] = true
+            end
+          end
+        end
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+
+          errors = CliParsing.parse_with_errors(parser, args)
+
+          results['certnames'].each do |certname|
+            if CERTNAME_BLOCKLIST.include?(certname)
+              errors << "    Cannot manage cert named `#{certname}` from " +
+                        "the CLI, if needed use the HTTP API directly"
+            end
+          end
+
+          if results['certnames'].empty?
+            errors << '  At least one certname is required to revoke'
+          end
+
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+
+          # if there is an exit_code then Cli will return it early, so we only
+          # return an exit_code if there's an error
+          exit_code = errors_were_handled ? 1 : nil
+
+          return results, exit_code
+        end
+
+        def run(args)
+          certnames = args['certnames']
+          config = args['config']
+
+          if config
+            errors = FileSystem.validate_file_paths(config)
+            return 1 if Errors.handle_with_usage(@logger, errors)
+          end
+
+          puppet = Config::Puppet.parse(config, @logger)
+          return 1 if Errors.handle_with_usage(@logger, puppet.errors)
+
+          result =  revoke_certs(certnames, puppet.settings)
+
+          case result
+          when :success
+            return 0
+          when :invalid
+            return 24
+          when :not_found, :error
+            return 1
+          end
+        end
+
+        def revoke_certs(certnames, settings)
+          ca = Puppetserver::Ca::CertificateAuthority.new(@logger, settings)
+          ca.revoke_certs(certnames)
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/action/setup.rb

@@ -0,0 +1,188 @@
+require 'optparse'
+
+require 'puppetserver/ca/config/puppet'
+require 'puppetserver/ca/errors'
+require 'puppetserver/ca/local_certificate_authority'
+require 'puppetserver/ca/utils/config'
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/signing_digest'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Setup
+        include Puppetserver::Ca::Utils
+
+        SUMMARY = "Setup a self-signed CA chain for Puppet Server"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca setup [--help]
+  puppetserver ca setup [--config PATH] [--subject-alt-names NAME[,NAME]]
+                           [--certname NAME] [--ca-name NAME] [--root-ca-name NAME]
+
+Description:
+  Setup a root and intermediate signing CA for Puppet Server
+  and store generated CA keys, certs, crls, and associated
+  server related files on disk.
+
+  The `--subject-alt-names` flag can be used to add SANs to the
+  certificate generated for the Puppet server. Multiple names can be
+  listed as a comma separated string. These can be either DNS names or
+  IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
+  Names with no prefix will be treated as DNS names.
+
+Options:
+BANNER
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(input)
+          # Validate config_path provided
+          config_path = input['config']
+          if config_path
+            errors = FileSystem.validate_file_paths(config_path)
+            return 1 if Errors.handle_with_usage(@logger, errors)
+          end
+
+          # Load, resolve, and validate puppet config settings
+          settings_overrides = {}
+          settings_overrides[:certname] = input['certname'] unless input['certname'].empty?
+          settings_overrides[:ca_name] = input['ca-name'] unless input['ca-name'].empty?
+          settings_overrides[:root_ca_name] = input['root-ca-name'] unless input['root-ca-name'].empty?
+          # Since puppet expects the key to be called 'dns_alt_names', we need to use that here
+          # to ensure that the overriding works correctly.
+          settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
+
+          puppet = Config::Puppet.new(config_path)
+          puppet.load(cli_overrides: settings_overrides, logger: @logger)
+          return 1 if Errors.handle_with_usage(@logger, puppet.errors)
+
+          # Load most secure signing digest we can for cers/crl/csr signing.
+          signer = SigningDigest.new
+          return 1 if Errors.handle_with_usage(@logger, signer.errors)
+
+          # Generate root and intermediate ca and put all the certificates, crls,
+          # and keys where they should go.
+          errors = generate_pki(puppet.settings, signer.digest)
+          return 1 if Errors.handle_with_usage(@logger, errors)
+
+          @logger.inform "Generation succeeded. Find your files in #{puppet.settings[:cadir]}"
+          return 0
+        end
+
+        def generate_pki(settings, signing_digest)
+          ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
+
+          root_key, root_cert, root_crl = ca.create_root_cert
+          ca.create_intermediate_cert(root_key, root_cert)
+          server_key, server_cert = ca.create_server_cert
+          return ca.errors if ca.errors.any?
+
+          FileSystem.ensure_dirs([settings[:ssldir],
+                                  settings[:cadir],
+                                  settings[:certdir],
+                                  settings[:privatekeydir],
+                                  settings[:publickeydir],
+                                  settings[:signeddir]])
+
+          public_files = [
+            [settings[:cacert], [ca.cert, root_cert]],
+            [settings[:cacrl], [ca.crl, root_crl]],
+            [settings[:cadir] + '/infra_crl.pem', [ca.crl, root_crl]],
+            [settings[:hostcert], server_cert],
+            [settings[:localcacert], [ca.cert, root_cert]],
+            [settings[:hostcrl], [ca.crl, root_crl]],
+            [settings[:hostpubkey], server_key.public_key],
+            [settings[:capub], ca.key.public_key],
+            [settings[:cert_inventory], ca.inventory_entry(server_cert)],
+            [settings[:cadir] + '/infra_inventory.txt', ''],
+            [settings[:cadir] + '/infra_serials', ''],
+            [settings[:serial], "002"],
+            [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), server_cert],
+          ]
+
+          private_files = [
+            [settings[:hostprivkey], server_key],
+            [settings[:rootkey], root_key],
+            [settings[:cakey], ca.key],
+          ]
+
+          files_to_check = public_files + private_files
+          # We don't want to error if server's keys exist. Certain workflows
+          # allow the agent to have already be installed with keys and then
+          # upgraded to be a server. The host class will honor keys, if both
+          # public and private exist, and error if only one exists - as is
+          # previous behavior.
+          files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
+          errors = FileSystem.check_for_existing_files(files_to_check)
+
+          if !errors.empty?
+            instructions = <<-ERR
+If you would really like to replace your CA, please delete the existing files first.
+Note that any certificates that were issued by this CA will become invalid if you
+replace it!
+ERR
+            errors << instructions
+            return errors
+          end
+
+          public_files.each do |location, content|
+            FileSystem.write_file(location, content, 0644)
+          end
+
+          private_files.each do |location, content|
+            FileSystem.write_file(location, content, 0640)
+          end
+
+          Puppetserver::Ca::Utils::Config.symlink_to_old_cadir(settings[:cadir], settings[:confdir])
+
+          return []
+        end
+
+        def parse(cli_args)
+          results = {}
+          parser = self.class.parser(results)
+          errors = CliParsing.parse_with_errors(parser, cli_args)
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+          exit_code = errors_were_handled ? 1 : nil
+          return results, exit_code
+        end
+
+        def self.parser(parsed = {})
+          parsed['subject-alt-names'] = ''
+          parsed['ca-name'] = ''
+          parsed['root-ca-name'] = ''
+          parsed['certname'] = ''
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+            opts.on('--subject-alt-names NAME[,NAME]',
+                    'Subject alternative names for the server cert') do |sans|
+              parsed['subject-alt-names'] = sans
+            end
+            opts.on('--ca-name NAME',
+                    'Common name to use for the CA signing cert') do |name|
+              parsed['ca-name'] = name
+            end
+            opts.on('--root-ca-name NAME',
+                    'Common name to use for the self-signed Root CA cert') do |name|
+              parsed['root-ca-name'] = name
+            end
+            opts.on('--certname NAME',
+                    'Common name to use for the server cert') do |name|
+              parsed['certname'] = name
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/action/sign.rb

@@ -0,0 +1,146 @@
+require 'net/https'
+require 'openssl'
+require 'optparse'
+
+require 'puppetserver/ca/certificate_authority'
+require 'puppetserver/ca/config/puppet'
+require 'puppetserver/ca/errors'
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Sign
+
+        include Puppetserver::Ca::Utils
+
+        SUMMARY = 'Sign certificate request(s)'
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca sign [--help]
+  puppetserver ca sign [--config] --certname NAME[,NAME]
+  puppetserver ca sign  --all
+
+Description:
+  Given a comma-separated list of valid certnames, instructs the CA to sign
+  each cert.
+
+Options:
+      BANNER
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--ttl TTL', 'The time-to-live for each cert signed') do |ttl|
+              parsed['ttl'] = ttl
+            end
+            opts.on('--certname NAME[,NAME]', Array, 'the name(s) of the cert(s) to be signed') do |cert|
+              parsed['certname'] = cert
+            end
+            opts.on('--config CONF', 'Custom path to Puppet\'s config file') do |conf|
+              parsed['config'] = conf
+            end
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--all', 'Operate on all certnames') do |a|
+              parsed['all'] = true
+            end
+          end
+        end
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(input)
+          config = input['config']
+
+          if config
+            errors = FileSystem.validate_file_paths(config)
+            return 1 if Errors.handle_with_usage(@logger, errors)
+          end
+
+          puppet = Config::Puppet.parse(config, @logger)
+          return 1 if Errors.handle_with_usage(@logger, puppet.errors)
+
+          ca = Puppetserver::Ca::CertificateAuthority.new(@logger, puppet.settings)
+          bulk_sign = ca.server_has_bulk_signing_endpoints
+
+          # Bulk sign endpoints don't allow setting TTL, so
+          # use single signing endpoint if TTL is specified.
+          success = false
+          if input['ttl'] || !bulk_sign
+            if input['all']
+              requested_certnames = get_all_pending_certs(ca)
+              return 1 if requested_certnames.nil?
+              return 24 if requested_certnames.empty?
+            else
+              requested_certnames = input['certname']
+            end
+
+            success = ca.sign_certs(requested_certnames, input['ttl'])
+            return success ? 0 : 1
+          else
+            result = input['all'] ? ca.sign_all : ca.sign_bulk(input['certname'])
+            case result
+            when :success
+              return 0
+            when :no_requests
+              return 24
+            else
+              return 1
+            end
+          end
+        end
+
+        def get_all_pending_certs(ca)
+          if result = ca.get_certificate_statuses
+            select_pending_certs(result.body)
+          end
+        end
+
+        def select_pending_certs(get_result)
+          requested_certnames = JSON.parse(get_result).select{|e| e["state"] == "requested"}.map{|e| e["name"]}
+
+          if requested_certnames.empty?
+            @logger.err 'Error:'
+            @logger.err "    No waiting certificate requests to sign"
+            return requested_certnames
+          end
+
+          return requested_certnames
+        end
+
+        def check_flag_usage(results)
+          if results['certname'] && results['all']
+            '--all and --certname cannot be used together'
+          elsif !results['certname'] && !results['all']
+            'No arguments given'
+          elsif results['certname'] && results['certname'].include?('--all')
+            'Cannot use --all with --certname. If you actually have a certificate request ' +
+                            'for a certifcate named --all, you need to use the HTTP API.'
+          end
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+
+          errors = CliParsing.parse_with_errors(parser, args)
+
+          if err = check_flag_usage(results)
+            errors << err
+          end
+
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+
+          exit_code = errors_were_handled ? 1 : nil
+
+          return results, exit_code
+        end
+      end
+    end
+  end
+end