openvoxserver-ca 3.0.0.pre.rc1

data/lib/puppetserver/ca/config/puppet.rb

@@ -0,0 +1,309 @@
+require 'facter'
+require 'securerandom'
+
+require 'puppetserver/ca/utils/config'
+
+module Puppetserver
+  module Ca
+    module Config
+      # Provides an interface for asking for Puppet settings w/o loading
+      # Puppet. Includes a simple ini parser that will ignore Puppet's
+      # more complicated conventions.
+      class Puppet
+        # How we convert from various units to seconds.
+        TTL_UNITMAP = {
+          # 365 days isn't technically a year, but is sufficient for most purposes
+          "y" => 365 * 24 * 60 * 60,
+          "d" => 24 * 60 * 60,
+          "h" => 60 * 60,
+          "m" => 60,
+          "s" => 1
+        }
+
+        # A regex describing valid formats with groups for capturing the value and units
+        TTL_FORMAT = /^(\d+)(y|d|h|m|s)?$/
+
+        def self.parse(config_path, logger)
+          instance = new(config_path)
+          instance.load(logger: logger)
+
+          return instance
+        end
+
+        attr_reader :errors, :settings
+
+        def initialize(supplied_config_path = nil)
+          @using_default_location = !supplied_config_path
+          @config_path = supplied_config_path || user_specific_puppet_config
+
+          @settings = nil
+          @errors = []
+        end
+
+        # Return the correct confdir. We check for being root on *nix,
+        # else the user path. We do not include a check for running
+        # as Adminstrator since non-development scenarios for Puppet Server
+        # on Windows are unsupported.
+        # Note that Puppet Server runs as the [pe-]puppet user but to
+        # start/stop it you must be root.
+        def user_specific_puppet_confdir
+          @user_specific_puppet_confdir ||= Puppetserver::Ca::Utils::Config.puppet_confdir
+        end
+
+        def user_specific_puppet_config
+          user_specific_puppet_confdir + '/puppet.conf'
+        end
+
+        def load(cli_overrides: {}, logger:, ca_dir_warn: true)
+          if explicitly_given_config_file_or_default_config_exists?
+            results = parse_text(File.read(@config_path))
+          end
+
+          results ||= {}
+          results[:main] ||= {}
+          # The [master] config section is deprecated
+          # We now favor [server], but support both for backwards compatibility
+          results[:master] ||= {}
+          results[:server] ||= {}
+          results[:agent] ||= {}
+
+          overrides = results[:agent].merge(results[:main]).merge(results[:master]).merge(results[:server])
+          overrides.merge!(cli_overrides)
+          if overrides[:masterport]
+            overrides[:serverport] ||= overrides.delete(:masterport)
+          end
+
+          @settings = resolve_settings(overrides, logger, ca_dir_warn: ca_dir_warn).freeze
+        end
+
+        def default_certname
+          hostname = Facter.value(:hostname)
+          domain = Facter.value(:domain)
+          if domain and domain != ''
+            fqdn = [hostname, domain].join('.')
+          else
+            fqdn = hostname
+          end
+          fqdn.chomp('.')
+        end
+
+        # Resolve settings from default values, with any overrides for the
+        # specific settings or their dependent settings (ssldir, cadir) taken into account.
+        def resolve_settings(overrides = {}, logger, ca_dir_warn: true)
+          unresolved_setting = /\$[a-z_]+/
+
+          # Returning the key for unknown keys (rather than nil) is required to
+          # keep unknown settings in the string for later verification.
+          substitutions = Hash.new {|h, k| k }
+          settings = {}
+
+          # Order for base settings here matters!
+          # These need to be evaluated before we can construct their dependent
+          # defaults below
+          base_defaults = [
+            [:confdir, user_specific_puppet_confdir],
+            [:ssldir,'$confdir/ssl'],
+            [:certdir, '$ssldir/certs'],
+            [:certname, default_certname],
+            [:server, 'puppet'],
+            [:serverport, '8140'],
+            [:privatekeydir, '$ssldir/private_keys'],
+            [:publickeydir, '$ssldir/public_keys'],
+          ]
+
+          dependent_defaults = {
+            :ca_name => 'Puppet CA: $certname',
+            :root_ca_name => "Puppet Root CA: #{SecureRandom.hex(7)}",
+            :keylength => 4096,
+            :cacert => '$cadir/ca_crt.pem',
+            :cakey => '$cadir/ca_key.pem',
+            :capub => '$cadir/ca_pub.pem',
+            :csr_attributes => '$confdir/csr_attributes.yaml',
+            :rootkey => '$cadir/root_key.pem',
+            :cacrl => '$cadir/ca_crl.pem',
+            :serial => '$cadir/serial',
+            :cert_inventory => '$cadir/inventory.txt',
+            :ca_server => '$server',
+            :ca_port => '$serverport',
+            :localcacert => '$certdir/ca.pem',
+            :hostcrl => '$ssldir/crl.pem',
+            :hostcert => '$certdir/$certname.pem',
+            :hostprivkey => '$privatekeydir/$certname.pem',
+            :hostpubkey => '$publickeydir/$certname.pem',
+            :ca_ttl => '15y',
+            :certificate_revocation => 'true',
+            :signeddir => '$cadir/signed',
+            :server_list => '',
+          }
+
+          # This loops through the base defaults and gives each setting a
+          # default if the value isn't specified in the config file. Default
+          # values given may depend upon the value of a previous base setting,
+          # thus the creation of the substitution hash.
+          base_defaults.each do |setting_name, default_value|
+            substitution_name = '$' + setting_name.to_s
+            setting_value = overrides.fetch(setting_name, default_value)
+            subbed_value = setting_value.sub(unresolved_setting, substitutions)
+            settings[setting_name] = substitutions[substitution_name] = subbed_value
+          end
+
+          cadir = find_cadir(overrides.fetch(:cadir, false),
+                             settings[:confdir],
+                             settings[:ssldir],
+                             logger,
+                             ca_dir_warn)
+          settings[:cadir] = substitutions['$cadir'] = cadir
+
+
+          dependent_defaults.each do |setting_name, default_value|
+            setting_value = overrides.fetch(setting_name, default_value)
+            settings[setting_name] = setting_value
+          end
+
+          # If subject-alt-names are provided, we need to add the certname in addition
+          overrides[:dns_alt_names] << ',$certname' if overrides[:dns_alt_names]
+
+          # rename dns_alt_names to subject_alt_names now that we support IP alt names
+          settings[:subject_alt_names] = overrides.fetch(:dns_alt_names, "")
+
+          # Some special cases where we need to manipulate config settings:
+          settings[:ca_ttl] = munge_ttl_setting(settings[:ca_ttl])
+          settings[:certificate_revocation] = parse_crl_usage(settings[:certificate_revocation])
+          settings[:subject_alt_names] = Puppetserver::Ca::Utils::Config.munge_alt_names(settings[:subject_alt_names])
+          settings[:keylength] = settings[:keylength].to_i
+          settings[:server_list] = settings[:server_list].
+                                     split(/\s*,\s*/).
+                                     map {|entry| entry.split(":") }
+
+          update_for_server_list!(settings)
+
+          settings.each do |key, value|
+            next unless value.is_a? String
+            settings[key] = value.gsub(unresolved_setting, substitutions)
+            if match = settings[key].match(unresolved_setting)
+              @errors << "Could not parse #{match[0]} in #{value}, " +
+                         'valid settings to be interpolated are ' +
+                         '$ssldir, $certdir, $cadir, $certname, $server, or $masterport'
+            end
+          end
+
+          return settings
+        end
+
+        # Parse an inifile formatted String. Only captures \word character
+        # class keys/section names but nearly any character values (excluding
+        # leading whitespace) up to one of whitespace, opening curly brace, or
+        # hash sign (Our concern being to capture filesystem path values).
+        #
+        # ca_root and root_ca_name values may include whitespace
+        #
+        # Put values without a section into :main.
+        #
+        # Return Hash of Symbol section names with Symbol setting keys and
+        # String values.
+        def parse_text(text)
+          res = {}
+          current_section = :main
+          text.each_line do |line|
+            case line
+            when /^\s*\[(\w+)\].*/
+              current_section = $1.to_sym
+            when /^\s*(\w+)\s*=\s*(.+?)\s*(?=[{#]|$)/
+              # Using a Hash with a default key breaks RSpec expectations.
+              res[current_section] ||= {}
+              res[current_section][$1.to_sym] =
+                if [:ca_name, :root_ca_name].include?($1.to_sym)
+                  $2
+                else
+                  $2.split(' ')[0]
+                end
+            end
+          end
+
+          res
+        end
+
+       private
+
+
+        def find_cadir(configured_cadir, confdir, ssldir, logger, ca_dir_warn)
+          warning = 'The cadir is currently configured to be inside the ' +
+            '%{ssldir} directory. This config setting and the directory ' +
+            'location will not be used in a future version of puppet. ' +
+            'Please run the puppetserver ca tool to migrate out from the ' +
+            'puppet confdir to the /etc/puppetlabs/puppetserver/ca directory. ' +
+            'Use `puppetserver ca migrate --help` for more info.'
+
+          if configured_cadir
+            if ca_dir_warn && configured_cadir.start_with?(ssldir)
+              logger.warn(warning % {ssldir: ssldir})
+            end
+            configured_cadir
+
+          else
+            old_cadir = Puppetserver::Ca::Utils::Config.old_default_cadir(confdir)
+            new_cadir = Puppetserver::Ca::Utils::Config.new_default_cadir(confdir)
+            if File.exist?(old_cadir) && !File.symlink?(old_cadir)
+              logger.warn(warning % {ssldir: ssldir}) if ca_dir_warn
+              old_cadir
+            else
+              new_cadir
+            end
+          end
+        end
+
+        def explicitly_given_config_file_or_default_config_exists?
+          !@using_default_location || File.exist?(@config_path)
+        end
+
+        def run(command)
+          %x( #{command} )
+        end
+
+        # Convert the value to Numeric, parsing numeric string with units if necessary.
+        def munge_ttl_setting(ca_ttl_setting)
+          case
+          when ca_ttl_setting.is_a?(Numeric)
+            if ca_ttl_setting < 0
+              @errors << "Invalid negative 'time to live' #{ca_ttl_setting.inspect} - did you mean 'unlimited'?"
+            end
+            ca_ttl_setting
+
+          when ca_ttl_setting == 'unlimited'
+            Float::INFINITY
+
+          when (ca_ttl_setting.is_a?(String) and ca_ttl_setting =~ TTL_FORMAT)
+            $1.to_i * TTL_UNITMAP[$2 || 's']
+          else
+            @errors <<  "Invalid 'time to live' format '#{ca_ttl_setting.inspect}' for parameter: :ca_ttl"
+          end
+        end
+
+        def parse_crl_usage(setting)
+          case setting.to_s
+          when 'true', 'chain'
+            :chain
+          when 'leaf'
+            :leaf
+          when 'false'
+            :ignore
+          end
+        end
+
+        def update_for_server_list!(settings)
+          if settings.dig(:server_list, 0, 0) &&
+              settings[:ca_server] == '$server'
+
+            settings[:ca_server] = settings.dig(:server_list, 0, 0)
+          end
+
+          if settings.dig(:server_list, 0, 1) &&
+              settings[:ca_port] == '$serverport'
+
+            settings[:ca_port] = settings.dig(:server_list, 0, 1)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/config/puppetserver.rb

@@ -0,0 +1,84 @@
+require 'hocon'
+
+require 'puppetserver/ca/utils/config'
+
+module Puppetserver
+  module Ca
+    module Config
+      # Provides an interface for querying Puppetserver settings w/o loading
+      # Puppetserver or any TK config service. Uses the ruby-hocon gem for parsing.
+      class PuppetServer
+
+        def self.parse(config_path = nil)
+          instance = new(config_path)
+          instance.load
+
+          return instance
+        end
+
+        attr_reader :errors, :settings
+
+        def initialize(supplied_config_path = nil)
+          @using_default_location = !supplied_config_path
+          @config_path = supplied_config_path || "/etc/puppetlabs/puppetserver/conf.d/ca.conf"
+
+          @settings = nil
+          @errors = []
+        end
+
+        # Populate this config object with the CA-related settings
+        def load
+          if explicitly_given_config_file_or_default_config_exists?
+            begin
+              results = Hocon.load(@config_path)
+            rescue Hocon::ConfigError => e
+              errors << e.message
+            end
+          end
+
+          overrides = results || {}
+          @settings = supply_defaults(overrides).freeze
+        end
+
+        private
+
+        # Return the correct confdir. We check for being root on *nix,
+        # else the user path. We do not include a check for running
+        # as Adminstrator since non-development scenarios for Puppet Server
+        # on Windows are unsupported.
+        # Note that Puppet Server runs as the [pe-]puppet user but to
+        # start/stop it you must be root.
+        def user_specific_ca_dir
+          if Puppetserver::Ca::Utils::Config.running_as_root?
+            '/etc/puppetlabs/puppetserver/ca'
+          else
+            "#{ENV['HOME']}/.puppetlabs/etc/puppetserver/ca"
+          end
+        end
+
+        # Supply defaults for any CA settings not present in the config file
+        # @param [Hash] overrides setting names and values loaded from the config file,
+        #                         for overriding the defaults
+        # @return [Hash] CA-related settings
+        def supply_defaults(overrides = {})
+          ca_settings = overrides['certificate-authority'] || {}
+          settings = {}
+
+          cadir = settings[:cadir] = ca_settings.fetch('cadir', user_specific_ca_dir)
+
+          settings[:cacert] = ca_settings.fetch('cacert', "#{cadir}/ca_crt.pem")
+          settings[:cakey] = ca_settings.fetch('cakey', "#{cadir}/ca_key.pem")
+          settings[:cacrl] = ca_settings.fetch('cacrl', "#{cadir}/ca_crl.pem")
+          settings[:serial] = ca_settings.fetch('serial', "#{cadir}/serial")
+          settings[:cert_inventory] = ca_settings.fetch('cert-inventory', "#{cadir}/inventory.txt")
+
+          return settings
+        end
+
+        def explicitly_given_config_file_or_default_config_exists?
+          !@using_default_location || File.exist?(@config_path)
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/errors.rb

@@ -0,0 +1,40 @@
+module Puppetserver
+  module Ca
+    class Error < StandardError
+      def self.create(ex, msg)
+        created = new(msg)
+        created.wrap(ex)
+
+        created
+      end
+
+      attr_reader :wrapped
+
+      def wrap(ex)
+        @wrapped = ex
+      end
+    end
+
+    class FileNotFound < Error; end
+    class InvalidX509Object < Error; end
+    class ConnectionFailed < Error; end
+
+    module Errors
+      def self.handle_with_usage(log, errors, usage = nil)
+        unless errors.empty?
+          log.err 'Error:'
+          errors.each {|e| log.err e }
+
+          if usage
+            log.err ''
+            log.err usage
+          end
+
+          return true
+        else
+          return false
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/host.rb

@@ -0,0 +1,176 @@
+require 'fileutils'
+require 'openssl'
+require 'yaml'
+
+module Puppetserver
+  module Ca
+    class Host
+      # Exclude OIDs that may conflict with how Puppet creates CSRs.
+      #
+      # We only have nominal support for Microsoft extension requests, but since we
+      # ultimately respect that field when looking for extension requests in a CSR
+      # we need to prevent that field from being written to directly.
+      PRIVATE_CSR_ATTRIBUTES = [
+        'extReq',   '1.2.840.113549.1.9.14',
+        'msExtReq', '1.3.6.1.4.1.311.2.1.14',
+      ]
+
+      PRIVATE_EXTENSIONS = [
+        'subjectAltName', '2.5.29.17',
+      ]
+
+      # A mapping of Puppet extension short names to their OIDs. These appear in
+      # csr_attributes.yaml.
+      PUPPET_SHORT_NAMES =
+      {'pp_uuid' =>             "1.3.6.1.4.1.34380.1.1.1",
+       'pp_instance_id' =>      "1.3.6.1.4.1.34380.1.1.2",
+       'pp_image_name' =>       "1.3.6.1.4.1.34380.1.1.3",
+       'pp_preshared_key'=>    "1.3.6.1.4.1.34380.1.1.4",
+       'pp_cost_center' =>      "1.3.6.1.4.1.34380.1.1.5",
+       'pp_product' =>          "1.3.6.1.4.1.34380.1.1.6",
+       'pp_project' =>          "1.3.6.1.4.1.34380.1.1.7",
+       'pp_application' =>      "1.3.6.1.4.1.34380.1.1.8",
+       'pp_service'=>          "1.3.6.1.4.1.34380.1.1.9",
+       'pp_employee' =>         "1.3.6.1.4.1.34380.1.1.10",
+       'pp_created_by' =>       "1.3.6.1.4.1.34380.1.1.11",
+       'pp_environment' =>      "1.3.6.1.4.1.34380.1.1.12",
+       'pp_role' =>             "1.3.6.1.4.1.34380.1.1.13",
+       'pp_software_version' => "1.3.6.1.4.1.34380.1.1.14",
+       'pp_department' =>       "1.3.6.1.4.1.34380.1.1.15",
+       'pp_cluster' =>          "1.3.6.1.4.1.34380.1.1.16",
+       'pp_provisioner' =>      "1.3.6.1.4.1.34380.1.1.17",
+       'pp_region' =>           "1.3.6.1.4.1.34380.1.1.18",
+       'pp_datacenter' =>       "1.3.6.1.4.1.34380.1.1.19",
+       'pp_zone' =>             "1.3.6.1.4.1.34380.1.1.20",
+       'pp_network' =>          "1.3.6.1.4.1.34380.1.1.21",
+       'pp_securitypolicy' =>   "1.3.6.1.4.1.34380.1.1.22",
+       'pp_cloudplatform' =>    "1.3.6.1.4.1.34380.1.1.23",
+       'pp_apptier' =>          "1.3.6.1.4.1.34380.1.1.24",
+       'pp_hostname' =>         "1.3.6.1.4.1.34380.1.1.25",
+       'pp_owner' =>            "1.3.6.1.4.1.34380.1.1.26",
+       'pp_authorization' =>    "1.3.6.1.4.1.34380.1.3.1",
+       'pp_auth_role' =>        "1.3.6.1.4.1.34380.1.3.13"}
+
+      attr_reader :errors
+
+      def initialize(digest)
+        @digest = digest
+        @errors = []
+      end
+
+      # If both the private and public keys exist for a server then we want
+      # to honor them here, if only one key exists we want to surface an error,
+      # and if neither exist we generate a new key. This logic is necessary for
+      # proper bootstrapping for certain server workflows.
+      def create_private_key(keylength, private_path = '', public_path = '')
+        if File.exist?(private_path) && File.exist?(public_path)
+          return OpenSSL::PKey.read(File.read(private_path))
+        elsif !File.exist?(private_path) && !File.exist?(public_path)
+          return OpenSSL::PKey::RSA.new(keylength)
+        elsif !File.exist?(private_path) && File.exist?(public_path)
+          @errors << "Missing private key to match public key at #{public_path}"
+          return nil
+        elsif File.exist?(private_path) && !File.exist?(public_path)
+          @errors << "Missing public key to match private key at #{private_path}"
+          return nil
+        end
+      end
+
+      def create_csr(name:, key:, cli_extensions: [], csr_attributes_path: '')
+        csr = OpenSSL::X509::Request.new
+        csr.public_key = key.public_key
+        csr.subject = OpenSSL::X509::Name.new([["CN", name]])
+
+        custom_attributes = get_custom_attributes(csr_attributes_path)
+        extension_requests = get_extension_requests(csr_attributes_path)
+
+        add_csr_attributes(csr, custom_attributes)
+        add_csr_extensions(csr, extension_requests, cli_extensions)
+
+        csr.sign(key, @digest) if @errors.empty?
+
+        csr
+      end
+
+      def extension_attribute(extensions)
+        seq = OpenSSL::ASN1::Sequence(extensions)
+        ext_req = OpenSSL::ASN1::Set([seq])
+        OpenSSL::X509::Attribute.new("extReq", ext_req)
+      end
+
+      def get_custom_attributes(attributes_path)
+        if csr_attributes = load_csr_attributes(attributes_path)
+          csr_attributes['custom_attributes']
+        end
+      end
+
+      def get_extension_requests(attributes_path)
+        if csr_attributes = load_csr_attributes(attributes_path)
+          csr_attributes['extension_requests']
+        end
+      end
+
+      # This loads all the custom_attributes and extension requests
+      # from the csr_attributes.yaml
+      def load_csr_attributes(attributes_path)
+        @custom_csr_attributes ||=
+        if File.exist?(attributes_path)
+          yaml = YAML.load_file(attributes_path)
+          if !yaml.is_a?(Hash)
+            @errors << "Invalid CSR attributes, expected instance of Hash, received instance of #{yaml.class}"
+            return
+          end
+          yaml
+        end
+      end
+
+      def add_csr_attributes(csr, csr_attributes)
+        if csr_attributes
+          csr_attributes.each do |oid, value|
+            begin
+              if PRIVATE_CSR_ATTRIBUTES.include? oid
+                @errors << "Cannot specify CSR attribute #{oid}: conflicts with internally used CSR attribute"
+              end
+              oid = PUPPET_SHORT_NAMES[oid] || oid
+              encoded = OpenSSL::ASN1::PrintableString.new(value.to_s)
+              attr_set = OpenSSL::ASN1::Set.new([encoded])
+
+              csr.add_attribute(OpenSSL::X509::Attribute.new(oid, attr_set))
+            rescue OpenSSL::X509::AttributeError => e
+              @errors << "Cannot create CSR with attribute #{oid}: #{e.message}"
+            end
+          end
+        end
+      end
+
+      def add_csr_extensions(csr, extension_requests, cli_extensions)
+        if extension_requests || cli_extensions.any?
+          extensions =
+            if extension_requests
+              validated_extensions(extension_requests) + cli_extensions
+            else
+              cli_extensions
+            end
+          csr.add_attribute(extension_attribute(extensions))
+        end
+      end
+
+      def validated_extensions(extension_requests)
+        extensions = []
+        extension_requests.each do |oid, value|
+          begin
+            if PRIVATE_EXTENSIONS.include? oid
+              @errors << "Cannot specify CSR extension request #{oid}: conflicts with internally used extension request"
+            end
+            oid = PUPPET_SHORT_NAMES[oid] || oid
+            ext = OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(value.to_s).to_der, false)
+            extensions << ext
+          rescue OpenSSL::X509::ExtensionError => e
+            @errors << "Cannot create CSR with extension request #{oid}: #{e.message}"
+          end
+        end
+        extensions
+      end
+    end
+  end
+end