openvoxserver-ca 3.0.0.pre.rc1

data/lib/puppetserver/ca/utils/http_client.rb

@@ -0,0 +1,232 @@
+require 'net/https'
+require 'openssl'
+require 'uri'
+
+require 'puppetserver/ca/errors'
+
+module Puppetserver
+  module Ca
+    module Utils
+      # Utilities for doing HTTPS against the CA that wraps Net::HTTP constructs
+      class HttpClient
+
+        attr_reader :store
+
+        # Not all connections require a client cert to be present.
+        # For example, when querying the status endpoint.
+        def initialize(logger, settings, with_client_cert: true)
+          @default_headers = make_headers(ENV['HOME'])
+          @logger = logger
+          @store = make_store(settings[:localcacert],
+                              settings[:certificate_revocation],
+                              settings[:hostcrl])
+
+          if with_client_cert
+            @cert = load_cert(settings[:hostcert])
+            @key = load_key(settings[:hostprivkey])
+          else
+            @cert = nil
+            @key = nil
+          end
+        end
+
+        def load_cert(path)
+          load_with_errors(path, 'hostcert') do |content|
+            OpenSSL::X509::Certificate.new(content)
+          end
+        end
+
+        def load_key(path)
+          load_with_errors(path, 'hostprivkey') do |content|
+            OpenSSL::PKey.read(content)
+          end
+        end
+
+        # Takes an instance URL (defined lower in the file), and creates a
+        # connection. The given block is passed our own Connection object.
+        # The Connection object should have HTTP verbs defined on it that take
+        # a body (and optional overrides). Returns whatever the block given returned.
+        def with_connection(url, &block)
+          request = ->(conn) { block.call(Connection.new(conn, url, @logger, @default_headers)) }
+
+          begin
+            Net::HTTP.start(url.host, url.port,
+                            use_ssl: true, cert_store: @store,
+                            cert: @cert, key: @key,
+                            &request)
+          rescue StandardError => e
+            raise ConnectionFailed.create(e,
+                    "Failed connecting to #{url.full_url}\n" +
+                    "  Root cause: #{e.message}")
+          end
+        end
+
+        private
+
+        def make_headers(home)
+          headers = {
+            'User-Agent'   => 'PuppetserverCaCli',
+            'Content-Type' => 'application/json',
+            'Accept'       => 'application/json'
+          }
+
+          token_path = "#{home}/.puppetlabs/token"
+          if File.exist?(token_path)
+            headers['X-Authentication'] = File.read(token_path)
+          end
+
+          headers
+        end
+
+        def load_with_errors(path, setting, &block)
+          begin
+            content = File.read(path)
+            block.call(content)
+          rescue Errno::ENOENT => e
+            raise FileNotFound.create(e,
+                    "Could not find '#{setting}' at '#{path}'")
+
+          rescue OpenSSL::OpenSSLError => e
+            raise InvalidX509Object.create(e,
+                    "Could not parse '#{setting}' at '#{path}'.\n" +
+                    "  OpenSSL returned: #{e.message}")
+          end
+        end
+
+        # Helper class that wraps a Net::HTTP connection, a HttpClient::URL
+        # and defines methods named after HTTP verbs that are called on the
+        # saved connection, returning a Result.
+        class Connection
+
+          def initialize(net_http_connection, url_struct, logger, default_headers)
+            @conn = net_http_connection
+            @url = url_struct
+            @logger = logger
+            @default_headers = default_headers
+          end
+
+          def get(url_overide = nil, header_overrides = {})
+            url = url_overide || @url
+            headers = @default_headers.merge(header_overrides)
+
+            @logger.debug("Making a GET request at #{url.full_url}")
+
+            request = Net::HTTP::Get.new(url.to_uri, headers)
+            result = @conn.request(request)
+            Result.new(result.code, result.body)
+
+          end
+
+          def put(body, url_override = nil, header_overrides = {})
+            url = url_override || @url
+            headers = @default_headers.merge(header_overrides)
+
+            @logger.debug("Making a PUT request at #{url.full_url}")
+
+            request = Net::HTTP::Put.new(url.to_uri, headers)
+            request.body = body
+            result = @conn.request(request)
+
+            Result.new(result.code, result.body)
+          end
+
+          def post(body, url_override = nil, header_overrides = {})
+            url = url_override || @url
+            headers = @default_headers.merge(header_overrides)
+
+            @logger.debug("Making a POST request at #{url.full_url}")
+
+            request = Net::HTTP::Post.new(url.to_uri, headers)
+            request.body = body
+            result = @conn.request(request)
+
+            Result.new(result.code, result.body)
+          end
+
+          def delete(url_override = nil, header_overrides = {})
+            url = url_override || @url
+            headers = @default_headers.merge(header_overrides)
+
+            @logger.debug("Making a DELETE request at #{url.full_url}")
+
+            result = @conn.request(Net::HTTP::Delete.new(url.to_uri, headers))
+
+            Result.new(result.code, result.body)
+          end
+        end
+
+        # Just provide the bits of Net::HTTPResponse we care about
+        Result = Struct.new(:code, :body)
+
+        # Like URI, but not... maybe of suspicious value
+        URL = Struct.new(:protocol, :host, :port,
+                         :endpoint, :version,
+                         :resource_type, :resource_name, :query) do
+                def full_url
+                  url = protocol + '://' + host + ':' + port + '/' +
+                        [endpoint, version, resource_type, resource_name].compact.join('/')
+
+                  url = url + "?" + URI.encode_www_form(query) unless query.nil? || query.empty?
+                  return url
+                end
+
+                def to_uri
+                  URI(full_url)
+                end
+              end
+
+        def make_store(bundle, crl_usage, crls = nil)
+          store = OpenSSL::X509::Store.new
+          store.purpose = OpenSSL::X509::PURPOSE_ANY
+          store.add_file(bundle)
+
+          if crl_usage != :ignore
+
+            flags = OpenSSL::X509::V_FLAG_CRL_CHECK
+            if crl_usage == :chain
+              flags |= OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+            end
+
+            store.flags = flags
+            delimiter = /-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m
+            File.read(crls).scan(delimiter).each do |crl|
+              store.add_crl(OpenSSL::X509::CRL.new(crl))
+            end
+          end
+
+          store
+        end
+
+        # Queries the simple status endpoint for the status of the CA service.
+        # Returns true if it receives back a response of "running", and false if
+        # no connection can be made, or a different response is received.
+        def self.check_server_online(settings, logger)
+          status_url = URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
+          begin
+            # Generating certs offline is necessary if the server cert has been destroyed
+            # or compromised. Since querying the status endpoint does not require a client cert, and
+            # we commonly won't have one, don't require one for creating the connection.
+            # Additionally, we want to ensure the server is stopped before migrating the CA dir to
+            # avoid issues with writing to the CA dir and moving it.
+            self.new(logger, settings, with_client_cert: false).with_connection(status_url) do |conn|
+              result = conn.get
+              if result.body == "running"
+                logger.err "Puppetserver service is running. Please stop it before attempting to run this command."
+                true
+              else
+                false
+              end
+            end
+          rescue Puppetserver::Ca::ConnectionFailed => e
+            if e.wrapped.is_a? Errno::ECONNREFUSED
+              return false
+            else
+              raise e
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/utils/inventory.rb

@@ -0,0 +1,84 @@
+require 'time'
+
+module Puppetserver
+  module Ca
+    module Utils
+      module Inventory
+
+        # Note that the inventory file may have multiple entries for the same certname,
+        # so it should only provide the latest cert for the given certname.
+        def self.parse_inventory_file(path, logger)
+          unless File.exist?(path)
+            logger.err("Could not find inventory at #{path}")
+            return [{}, true]
+          end
+          inventory = {}
+          errored = false
+          File.readlines(path).each do |line|
+            # Shouldn't be any blank lines, but skip them if there are
+            next if line.strip.empty?
+            
+            items = line.strip.split
+            if items.count != 4
+              logger.err("Invalid entry found in inventory.txt: #{line}")
+              errored = true
+              next
+            end
+            unless items[0].match(/^(?:0x)?[A-Fa-f0-9]+$/)
+              logger.err("Invalid serial found in inventory.txt line: #{line}")
+              errored = true
+              next
+            end
+            serial = items[0].hex
+            not_before = nil
+            not_after = nil
+            begin
+              not_before = Time.parse(items[1])
+            rescue ArgumentError
+              logger.err("Invalid not_before time found in inventory.txt line: #{line}")
+              errored = true
+              next
+            end
+            begin
+              not_after = Time.parse(items[2])
+            rescue ArgumentError
+              logger.err("Invalid not_after time found in inventory.txt line: #{line}")
+              errored = true
+              next
+            end
+            unless items[3].start_with?('/CN=')
+              logger.err("Invalid certname found in inventory.txt line: #{line}")
+              errored = true
+              next
+            end
+            certname = items[3][4..-1]
+
+            if !inventory.keys.include?(certname) 
+              inventory[certname] = {
+                :serial => serial,
+                :old_serials => [],
+                :not_before => not_before,
+                :not_after => not_after,
+              }
+            else
+              if not_after >= inventory[certname][:not_after]
+                # This is a newer cert than the one we currently have recorded,
+                # so save the previous serial in :old_serials
+                inventory[certname][:old_serials] << inventory[certname][:serial]
+                inventory[certname][:serial] = serial
+                inventory[certname][:not_before] = not_before
+                inventory[certname][:not_after] = not_after
+              else
+                # This somehow is an older cert (shouldn't really be possible as we just append
+                # to the file with each new cert and we are reading it order)
+                inventory[certname][:old_serials] << serial
+              end
+            end
+          end
+          [inventory, errored]
+        end
+      end
+    end
+  end
+end
+

data/lib/puppetserver/ca/utils/signing_digest.rb

@@ -0,0 +1,27 @@
+module Puppetserver
+  module Ca
+    module Utils
+      class SigningDigest
+
+        attr_reader :errors, :digest
+
+        def initialize
+          @errors = []
+          if OpenSSL::Digest.const_defined?('SHA256')
+            @digest = OpenSSL::Digest::SHA256.new
+          elsif OpenSSL::Digest.const_defined?('SHA1')
+            @digest = OpenSSL::Digest::SHA1.new
+          elsif OpenSSL::Digest.const_defined?('SHA512')
+            @digest = OpenSSL::Digest::SHA512.new
+          elsif OpenSSL::Digest.const_defined?('SHA384')
+            @digest = OpenSSL::Digest::SHA384.new
+          elsif OpenSSL::Digest.const_defined?('SHA224')
+            @digest = OpenSSL::Digest::SHA224.new
+          else
+            @errors << "Error: No FIPS 140-2 compliant digest algorithm in OpenSSL::Digest"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/version.rb

@@ -0,0 +1,5 @@
+module Puppetserver
+  module Ca
+    VERSION = "3.0.0-rc1"
+  end
+end

data/lib/puppetserver/ca/x509_loader.rb

@@ -0,0 +1,170 @@
+require 'openssl'
+
+module Puppetserver
+  module Ca
+    # Load, validate, and store x509 objects needed by the Puppet Server CA.
+    class X509Loader
+
+      attr_reader :errors, :certs, :cert, :key, :crls, :crl
+
+      def initialize(bundle_path, key_path, chain_path)
+        @errors = []
+
+        @certs = load_certs(bundle_path)
+        @key = load_key(key_path)
+        @crls = load_crls(chain_path)
+        @cert = find_signing_cert
+        @crl = find_leaf_crl
+
+        validate(@certs, @key, @crls)
+      end
+
+      def find_signing_cert
+        return if @key.nil? || @certs.empty?
+
+        signing_cert = @certs.find do |cert|
+          cert.check_private_key(@key)
+        end
+
+        if signing_cert.nil?
+          @errors << "Could not find certificate matching private key"
+        end
+
+        signing_cert
+      end
+
+      # Find a CRL in the chain issued by the signing cert
+      #
+      # @return [OpenSSL::X509::CRL] If a CRL is found.
+      # @return [nil] If no CRL is found.
+      def find_leaf_crl
+        return if @crls.empty? || @cert.nil?
+
+        leaf_crl = @crls.find do |crl|
+          crl.issuer == @cert.subject
+        end
+
+        leaf_crl
+      end
+
+      # Only do as much validation as is possible, assume whoever tried to
+      # load the objects wrote errors about any invalid ones, but that bundle
+      # and chain may be empty arrays and pkey may be nil.
+      def validate(bundle, pkey, chain)
+        if !@crl.nil? && !@cert.nil?
+          validate_crl_and_cert(@crl, @cert)
+        end
+
+        if pkey && !@cert.nil?
+          validate_cert_and_key(pkey, @cert)
+        end
+
+        unless bundle.empty? || @cert.nil? || @crl.nil?
+          validate_full_chain(bundle, chain)
+        end
+      end
+
+      def load_certs(bundle_path)
+        certs, errs = [], []
+
+        bundle_string = File.read(bundle_path)
+        cert_strings = bundle_string.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
+        cert_strings.each do |cert_string|
+          begin
+            certs << OpenSSL::X509::Certificate.new(cert_string)
+          rescue OpenSSL::X509::CertificateError
+            errs << "Could not parse entry:\n#{cert_string}"
+          end
+        end
+
+        if certs.empty?
+          errs << "Could not detect any certs within #{bundle_path}"
+        end
+
+        unless errs.empty?
+          @errors << "Could not parse #{bundle_path}"
+          @errors += errs
+        end
+
+        return certs
+      end
+
+      def load_key(key_path)
+        begin
+          OpenSSL::PKey.read(File.read(key_path))
+        rescue ArgumentError, OpenSSL::PKey::PKeyError => e
+          @errors << "Could not parse #{key_path}"
+
+          return nil
+        end
+      end
+
+      def load_crls(chain_path)
+        errs, crls = [], []
+
+        chain_string = File.read(chain_path)
+        crl_strings = chain_string.scan(/-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m)
+        crl_strings.map do |crl_string|
+          begin
+            crls << OpenSSL::X509::CRL.new(crl_string)
+          rescue OpenSSL::X509::CRLError
+            errs << "Could not parse entry:\n#{crl_string}"
+          end
+        end
+
+        if crls.empty?
+          errs << "Could not detect any crls within #{chain_path}"
+        end
+
+        unless errs.empty?
+          @errors << "Could not parse #{chain_path}"
+          @errors += errs
+        end
+
+        return crls
+      end
+
+      # Replace the CRL for the signing cert of this loader
+      #
+      # @param new_crl [OpenSSL::X509::CRL]
+      # @return [void]
+      def crl=(new_crl)
+        @crl = new_crl
+        @crls = [new_crl] + @crls.reject {|c| c.issuer == new_crl.issuer }
+      end
+
+      def validate_cert_and_key(key, cert)
+        unless cert.check_private_key(key)
+          @errors << 'Private key and certificate do not match'
+        end
+      end
+
+      def validate_crl_and_cert(crl, cert)
+        unless crl.issuer == cert.subject
+          @errors << 'Leaf CRL was not issued by leaf certificate'
+        end
+      end
+
+      # By creating an X509::Store and validating the leaf cert with it we:
+      #   - Ensure a full chain of trust (root to leaf) is within the bundle
+      #   - If provided, there are CRLs for the CAs
+      #   - If provided, no CAs within the chain of trust have been revoked
+      # However this does allow for:
+      #   - Additional, ignored, certs and CRLs in the bundle/chain
+      #   - certs and CRLs in any order
+      def validate_full_chain(certs, crls)
+        store = OpenSSL::X509::Store.new
+        certs.each {|cert| store.add_cert(cert) }
+        if !crls.empty?
+          store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+          crls.each {|crl| store.add_crl(crl) }
+        end
+
+        unless store.verify(@cert)
+          @errors << 'Leaf certificate could not be validated'
+          @errors << "Validating cert store returned: #{store.error} - #{store.error_string}"
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca.rb

@@ -0,0 +1,7 @@
+require "puppetserver/ca/version"
+require "puppetserver/ca/stub"
+
+module Puppetserver
+  module Ca
+  end
+end

data/openvoxserver-ca.gemspec

@@ -0,0 +1,31 @@
+
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "puppetserver/ca/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "openvoxserver-ca"
+  spec.version       = Puppetserver::Ca::VERSION
+  spec.authors       = ["OpenVox Project"]
+  spec.email         = ["openvox@voxpupuli.org"]
+  spec.license       = "Apache-2.0"
+
+  spec.summary       = %q{A simple CLI tool for interacting with OpenVox Server's Certificate Authority}
+  spec.homepage      = "https://github.com/OpenVoxProject/openvoxserver-ca/"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency "openfact", [">= 5.0.0", "< 6"]
+
+  spec.add_development_dependency "bundler", ">= 1.16"
+  spec.add_development_dependency "rake", ">= 12.3.3"
+  spec.add_development_dependency "rspec", "~> 3.0"
+
+  # openvoxserver 7 uses jruby 9.3 which is compatible with MRI ruby 2.6
+  spec.required_ruby_version = '>= 2.6.0'
+end

data/tasks/spec.rake

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+begin
+  require 'rspec/core/rake_task'
+
+  desc 'Run rspec test in sequential order'
+  RSpec::Core::RakeTask.new(:spec)
+
+  desc 'Run rspec test in random order'
+  RSpec::Core::RakeTask.new(:spec_random) do |t|
+    t.rspec_opts = '--order random'
+  end
+rescue LoadError
+  puts 'Could not load rspec'
+end

data/tasks/vox.rake

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+namespace :vox do
+  desc 'Update the version in preparation for a release'
+  task 'version:bump:full', [:version] do |_, args|
+    abort 'You must provide a tag.' if args[:version].nil? || args[:version].empty?
+    version = args[:version]
+    abort "#{version} does not appear to be a valid version string in x.y.z format" unless Gem::Version.correct?(version)
+
+    # Update lib/facter/version.rb and openvox.gemspec
+    puts "Setting version to #{version}"
+
+    data = File.read('lib/puppetserver/ca/version.rb')
+    new_data = data.sub(/VERSION = "\d+\.\d+\.\d+(\.rc\d+)?"/, %(VERSION = "#{version}"))
+    warn 'Failed to update version in lib/facter/version.rb' if data == new_data
+
+    File.write('lib/puppetserver/ca/version.rb', new_data)
+  end
+end