openvoxserver-ca 3.0.0.pre.rc1

data/lib/puppetserver/ca/local_certificate_authority.rb

@@ -0,0 +1,304 @@
+require 'openssl'
+
+require 'puppetserver/ca/host'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/x509_loader'
+
+module Puppetserver
+  module Ca
+    class LocalCertificateAuthority
+
+      # Make the certificate valid as of yesterday, because so many people's
+      # clocks are out of sync.  This gives one more day of validity than people
+      # might expect, but is better than making every person who has a messed up
+      # clock fail, and better than having every cert we generate expire a day
+      # before the user expected it to when they asked for "one year".
+      CERT_VALID_FROM = (Time.now - (60*60*24)).freeze
+
+      SSL_SERVER_CERT = "serverAuth"
+      SSL_CLIENT_CERT = "clientAuth"
+
+      CLI_AUTH_EXT_OID = "1.3.6.1.4.1.34380.1.3.39"
+
+      SERVER_EXTENSIONS = [
+        ["basicConstraints", "CA:FALSE", true],
+        ["nsComment", "Puppet Server Internal Certificate", false],
+        ["authorityKeyIdentifier", "keyid:always", false],
+        ["extendedKeyUsage", "#{SSL_SERVER_CERT}, #{SSL_CLIENT_CERT}", true],
+        ["keyUsage", "keyEncipherment, digitalSignature", true],
+        ["subjectKeyIdentifier", "hash", false]
+      ].freeze
+
+      CA_EXTENSIONS = [
+        ["basicConstraints", "CA:TRUE", true],
+        ["keyUsage", "keyCertSign, cRLSign", true],
+        ["subjectKeyIdentifier", "hash", false],
+        ["nsComment", "Puppet Server Internal Certificate", false],
+        ["authorityKeyIdentifier", "keyid:always", false]
+      ].freeze
+
+      attr_reader :cert, :cert_bundle, :key, :crl, :crl_chain
+
+      def initialize(digest, settings)
+        @digest = digest
+        @host = Host.new(digest)
+        @settings = settings
+        @errors = []
+
+        if ssl_assets_exist?
+          loader = Puppetserver::Ca::X509Loader.new(@settings[:cacert], @settings[:cakey], @settings[:cacrl])
+          if loader.errors.empty?
+            load_ssl_components(loader)
+          else
+            @errors += loader.errors
+            @errors << "CA not initialized. Please set up your CA before attempting to generate certs offline."
+          end
+        end
+      end
+
+      def ssl_assets_exist?
+        File.exist?(@settings[:cacert]) &&
+          File.exist?(@settings[:cakey]) &&
+          File.exist?(@settings[:cacrl])
+      end
+
+      def load_ssl_components(loader)
+        @cert_bundle = loader.certs
+        @key = loader.key
+        @cert = loader.cert
+        @crl_chain = loader.crls
+        @crl = loader.crl
+      end
+
+      # Initialize SSL state
+      #
+      # This method is similar to {#load_ssl_components}, but has extra
+      # logic for initializing components that may not be present when
+      # the CA is set up for the first time. For example, SSL components
+      # provided by an external CA will often not include a pre-generated
+      # leaf CRL.
+      #
+      # @note Check {#errors} after calling this method for issues that
+      #   may have occurred during initialization.
+      #
+      # @param loader [Puppetserver::Ca::X509Loader]
+      # @return [void]
+      def initialize_ssl_components(loader)
+        @cert_bundle = loader.certs
+        @key = loader.key
+        @cert = loader.cert
+
+        if loader.crl.nil?
+          loader.crl = create_crl_for(@cert, @key)
+
+          loader.validate_full_chain(@cert_bundle, loader.crls)
+          @errors += loader.errors
+        end
+
+        @crl_chain = loader.crls
+        @crl = loader.crl
+      end
+
+      def errors
+        @errors += @host.errors
+      end
+
+      def valid_until
+        Time.now + @settings[:ca_ttl]
+      end
+
+      def extension_factory_for(ca, cert = nil)
+        ef = OpenSSL::X509::ExtensionFactory.new
+        ef.issuer_certificate  = ca
+        ef.subject_certificate = cert if cert
+
+        ef
+      end
+
+      def inventory_entry(cert)
+        "0x%04x %s %s %s" % [cert.serial, format_time(cert.not_before),
+                             format_time(cert.not_after), cert.subject]
+      end
+
+      def next_serial(serial_file)
+        if File.exist?(serial_file)
+          File.read(serial_file).to_i(16)
+        else
+          1
+        end
+      end
+
+      def format_time(time)
+        time.strftime('%Y-%m-%dT%H:%M:%S%Z')
+      end
+
+      def create_server_cert
+        server_cert = nil
+        server_key = @host.create_private_key(@settings[:keylength],
+                                              @settings[:hostprivkey],
+                                              @settings[:hostpubkey])
+        if server_key
+          server_csr = @host.create_csr(name: @settings[:certname], key: server_key)
+          if @settings[:subject_alt_names].empty?
+            alt_names = "DNS:puppet, DNS:#{@settings[:certname]}"
+          else
+            alt_names = @settings[:subject_alt_names]
+          end
+
+          server_cert = sign_authorized_cert(server_csr, alt_names)
+        end
+
+        return server_key, server_cert
+      end
+
+      def sign_authorized_cert(csr, alt_names = '')
+        cert = OpenSSL::X509::Certificate.new
+        cert.public_key = csr.public_key
+        cert.subject = csr.subject
+        cert.issuer = @cert.subject
+        cert.version = 2
+        cert.serial = next_serial(@settings[:serial])
+        cert.not_before = CERT_VALID_FROM
+        cert.not_after = valid_until
+
+        return unless add_custom_extensions(cert)
+
+        ef = extension_factory_for(@cert, cert)
+        add_authorized_extensions(cert, ef)
+
+        if !alt_names.empty?
+          add_subject_alt_names_extension(alt_names, cert, ef)
+        end
+
+        cert.sign(@key, @digest)
+
+        cert
+      end
+
+      def add_authorized_extensions(cert, ef)
+        SERVER_EXTENSIONS.each do |ext|
+          extension = ef.create_extension(*ext)
+          cert.add_extension(extension)
+        end
+
+        # Status API access for the CA CLI
+        cli_auth_ext = OpenSSL::X509::Extension.new(CLI_AUTH_EXT_OID, OpenSSL::ASN1::UTF8String.new("true").to_der, false)
+        cert.add_extension(cli_auth_ext)
+      end
+
+      def add_subject_alt_names_extension(alt_names, cert, ef)
+        alt_names_ext = ef.create_extension("subjectAltName", alt_names, false)
+        cert.add_extension(alt_names_ext)
+      end
+
+      # This takes all the extension requests from csr_attributes.yaml and
+      # adds those to the cert
+      def add_custom_extensions(cert)
+        extension_requests = @host.get_extension_requests(@settings[:csr_attributes])
+
+        if extension_requests
+          extensions = @host.validated_extensions(extension_requests)
+          extensions.each do |ext|
+            cert.add_extension(ext)
+          end
+        end
+
+        @host.errors.empty?
+      end
+
+      def create_root_cert
+        root_key = @host.create_private_key(@settings[:keylength])
+        root_cert = self_signed_ca(root_key)
+        root_crl = create_crl_for(root_cert, root_key)
+
+        return root_key, root_cert, root_crl
+      end
+
+      def self_signed_ca(key)
+        cert = OpenSSL::X509::Certificate.new
+
+        cert.public_key = key.public_key
+        cert.subject = OpenSSL::X509::Name.new([["CN", @settings[:root_ca_name]]])
+        cert.issuer = cert.subject
+        cert.version = 2
+        cert.serial = 1
+
+        cert.not_before = CERT_VALID_FROM
+        cert.not_after  = valid_until
+
+        ef = extension_factory_for(cert, cert)
+        CA_EXTENSIONS.each do |ext|
+          extension = ef.create_extension(*ext)
+          cert.add_extension(extension)
+        end
+
+        cert.sign(key, @digest)
+
+        cert
+      end
+
+      def create_crl_for(cert, key)
+        crl = OpenSSL::X509::CRL.new
+        crl.version = 1
+        crl.issuer = cert.subject
+
+        ef = extension_factory_for(cert)
+        crl.add_extension(
+          ef.create_extension(["authorityKeyIdentifier", "keyid:always", false]))
+        crl.add_extension(
+          OpenSSL::X509::Extension.new("crlNumber", OpenSSL::ASN1::Integer(0)))
+
+        crl.last_update = CERT_VALID_FROM
+        crl.next_update = valid_until
+        crl.sign(key, @digest)
+
+        # FIXME: Workaround a bug in jruby-openssl. Without this, #to_pem return an invalid CRL:
+        # ----BEGIN X509 CRL-----
+        # MAA=
+        # -----END X509 CRL-----
+        # See:
+        # https://github.com/jruby/jruby-openssl/issues/163
+        # https://github.com/jruby/jruby-openssl/pull/333
+        crl = OpenSSL::X509::CRL.new(crl.to_der)
+
+        crl
+      end
+
+      def create_intermediate_cert(root_key, root_cert)
+        @key = @host.create_private_key(@settings[:keylength])
+        int_csr = @host.create_csr(name: @settings[:ca_name], key: @key)
+        @cert = sign_intermediate(root_key, root_cert, int_csr)
+        @crl = create_crl_for(@cert, @key)
+
+        return nil
+      end
+
+      def sign_intermediate(ca_key, ca_cert, csr)
+        cert = OpenSSL::X509::Certificate.new
+
+        cert.public_key = csr.public_key
+        cert.subject = csr.subject
+        cert.issuer = ca_cert.subject
+        cert.version = 2
+        cert.serial = 2
+
+        cert.not_before = CERT_VALID_FROM
+        cert.not_after = valid_until
+
+        ef = extension_factory_for(ca_cert, cert)
+        CA_EXTENSIONS.each do |ext|
+          extension = ef.create_extension(*ext)
+          cert.add_extension(extension)
+        end
+
+        cert.sign(ca_key, @digest)
+
+        cert
+      end
+
+      def update_serial_file(serial)
+        Puppetserver::Ca::Utils::FileSystem.write_file(@settings[:serial], serial.to_s(16), 0644)
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/logger.rb

@@ -0,0 +1,49 @@
+module Puppetserver
+  module Ca
+    class Logger
+      LEVELS = {error: 1, warning: 2, info: 3, debug: 4}
+
+      def initialize(level = :info, out = STDOUT, err = STDERR)
+        @level = LEVELS[level]
+        if @level.nil?
+          raise ArgumentError, "Unknown log level #{level}"
+        end
+
+        @out = out
+        @err = err
+      end
+
+      def level
+        @level
+      end
+
+      def debug?
+        return @level >= LEVELS[:debug]
+      end
+
+      def debug(text)
+        if debug?
+          @out.puts(text)
+        end
+      end
+
+      def inform(text)
+        if @level >= LEVELS[:info]
+          @out.puts(text)
+        end
+      end
+
+      def warn(text)
+        if @level >= LEVELS[:warning]
+          @err.puts(text)
+        end
+      end
+
+      def err(text)
+        if @level >= LEVELS[:error]
+          @err.puts(text)
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/stub.rb

@@ -0,0 +1,17 @@
+require 'fileutils'
+
+module Puppetserver
+  module Ca
+    module Stub
+      KEY_PATH    = '/etc/puppetlabs/puppet/ssl/ca/ca_key.pem'
+      BUNDLE_PATH = '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem'
+      CRL_PATH    = '/etc/puppetlabs/puppet/ssl/ca/ca_crl.pem'
+
+      def self.import(key, bundle, crl)
+        FileUtils.copy(File.absolute_path(key), KEY_PATH)
+        FileUtils.copy(File.absolute_path(bundle), BUNDLE_PATH)
+        FileUtils.copy(File.absolute_path(crl), CRL_PATH)
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/utils/cli_parsing.rb

@@ -0,0 +1,67 @@
+module Puppetserver
+  module Ca
+    module Utils
+      module CliParsing
+        def self.parse_without_raising(parser, args)
+          all, not_flags, malformed_flags, unknown_flags = [], [], [], []
+
+          begin
+            # OptionParser calls this block when it finds a value that doesn't
+            # start with one or two dashes and doesn't follow a flag that
+            # consumes a value.
+            parser.order!(args) do |not_flag|
+              not_flags << not_flag
+              all << not_flag
+            end
+          rescue OptionParser::MissingArgument => e
+            malformed_flags += e.args
+            all += e.args
+
+            retry
+          rescue OptionParser::ParseError => e
+            flag = e.args.first
+            unknown_flags << flag
+            all << flag
+
+            if does_not_contain_argument(flag) &&
+                args.first &&
+                next_arg_is_not_another_flag(args.first)
+
+              value = args.shift
+              unknown_flags << value
+              all << value
+            end
+
+            retry
+          end
+
+          return all, not_flags, malformed_flags, unknown_flags
+        end
+
+        def self.parse_with_errors(parser, args)
+          errors = []
+
+          _, non_flags, malformed_flags, unknown_flags = parse_without_raising(parser, args)
+
+          malformed_flags.each {|f| errors << "    Missing argument to flag `#{f}`" }
+          unknown_flags.each   {|f| errors << "    Unknown flag or argument `#{f}`" }
+          non_flags.each       {|f| errors << "    Unknown input `#{f}`" }
+
+          errors
+        end
+
+
+      private
+
+        # eg. --flag=argument-to-flag
+        def self.does_not_contain_argument(flag)
+          !flag.include?('=')
+        end
+
+        def self.next_arg_is_not_another_flag(maybe_an_arg)
+          !maybe_an_arg.start_with?('-')
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/utils/config.rb

@@ -0,0 +1,61 @@
+require 'puppetserver/ca/utils/file_system'
+
+module Puppetserver
+  module Ca
+    module Utils
+      module Config
+
+        def self.running_as_root?
+          !Gem.win_platform? && Process::UID.eid == 0
+        end
+
+        def self.munge_alt_names(names)
+          raw_names = names.split(/\s*,\s*/).map(&:strip)
+          munged_names = raw_names.map do |name|
+            # Prepend the DNS tag if no tag was specified
+            if !name.start_with?("IP:") && !name.start_with?("DNS:")
+              "DNS:#{name}"
+            else
+              name
+            end
+          end.sort.uniq.join(", ")
+        end
+
+        def self.puppet_confdir
+          if running_as_root?
+            '/etc/puppetlabs/puppet'
+          else
+            "#{ENV['HOME']}/.puppetlabs/etc/puppet"
+          end
+        end
+
+        def self.puppetserver_confdir(puppet_confdir)
+          File.join(File.dirname(puppet_confdir), 'puppetserver')
+        end
+
+        def self.default_ssldir(confdir = puppet_confdir)
+          File.join(confdir, 'ssl')
+        end
+
+        def self.old_default_cadir(confdir = puppet_confdir)
+          File.join(confdir, 'ssl', 'ca')
+        end
+
+        def self.new_default_cadir(confdir = puppet_confdir)
+          File.join(puppetserver_confdir(confdir), 'ca')
+        end
+
+        def self.symlink_to_old_cadir(current_cadir, puppet_confdir)
+          old_cadir = old_default_cadir(puppet_confdir)
+          new_cadir = new_default_cadir(puppet_confdir)
+          return if current_cadir != new_cadir
+          # This is only run on setup/import, so there should be no files in the
+          # old cadir, so it should be safe to forcibly remove it (which we need
+          # to do in order to create a symlink).
+          Puppetserver::Ca::Utils::FileSystem.forcibly_symlink(new_cadir, old_cadir)
+        end
+
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/utils/file_system.rb

@@ -0,0 +1,109 @@
+require 'etc'
+require 'fileutils'
+
+module Puppetserver
+  module Ca
+    module Utils
+      class FileSystem
+
+        DIR_MODES = {
+          :ssldir => 0771,
+          :cadir => 0755,
+          :certdir => 0755,
+          :privatekeydir => 0750,
+          :publickeydir => 0755,
+          :signeddir => 0755
+        }
+
+        def self.instance
+          @instance ||= new
+        end
+
+        def self.write_file(*args)
+          instance.write_file(*args)
+        end
+
+        def self.ensure_dirs(one_or_more_dirs)
+          Array(one_or_more_dirs).each do |directory|
+            instance.ensure_dir(directory)
+          end
+        end
+
+        def self.validate_file_paths(one_or_more_paths)
+          errors = []
+          Array(one_or_more_paths).each do |path|
+            if !File.exist?(path) || !File.readable?(path)
+              errors << "Could not read file '#{path}'"
+            end
+          end
+
+          errors
+        end
+
+        def self.check_for_existing_files(one_or_more_paths)
+          errors = []
+          Array(one_or_more_paths).each do |path|
+            if File.exist?(path)
+              errors << "Existing file at '#{path}'"
+            end
+          end
+          errors
+        end
+
+        def self.forcibly_symlink(source, link_target)
+          FileUtils.remove_dir(link_target, true)
+          FileUtils.symlink(source, link_target)
+          # Ensure the symlink has the same ownership as the source.
+          # This requires using `FileUtils.chown` rather than `File.chown`, as
+          # the latter will update the ownership of the source rather than the
+          # link itself.
+          # Symlink permissions are ignored in favor of the source's permissions,
+          # so we don't have to change those.
+          source_info = File.stat(source)
+          FileUtils.chown(source_info.uid, source_info.gid, link_target)
+        end
+
+        def initialize
+          @user, @group = find_user_and_group
+        end
+
+        def find_user_and_group
+          if !running_as_root?
+            return Process.euid, Process.egid
+          else
+            if pe_puppet_exists?
+              return 'pe-puppet', 'pe-puppet'
+            else
+              return 'puppet', 'puppet'
+            end
+          end
+        end
+
+        def running_as_root?
+          !Gem.win_platform? && Process.euid == 0
+        end
+
+        def pe_puppet_exists?
+          !!(Etc.getpwnam('pe-puppet') rescue nil)
+        end
+
+        def write_file(path, one_or_more_objects, mode)
+          File.open(path, 'w', mode) do |f|
+            Array(one_or_more_objects).each do |object|
+              f.puts object.to_s
+            end
+          end
+          FileUtils.chown(@user, @group, path)
+        end
+
+        # Warning: directory mode should be specified in DIR_MODES above
+        def ensure_dir(directory)
+          if !File.exist?(directory)
+            FileUtils.mkdir_p(directory, mode: DIR_MODES[directory])
+            FileUtils.chown(@user, @group, directory)
+          end
+        end
+      end
+    end
+  end
+end