puppetserver-ca 0.2.0 → 0.3.0

data/lib/puppetserver/ca/generate_action.rb

@@ -0,0 +1,227 @@
+require 'optparse'
+require 'openssl'
+require 'puppetserver/utils/file_utilities'
+require 'puppetserver/ca/host'
+require 'puppetserver/utils/signing_digest'
+
+module Puppetserver
+  module Ca
+    class GenerateAction
+      include Puppetserver::Utils
+
+      CA_EXTENSIONS = [
+        ["basicConstraints", "CA:TRUE", true],
+        ["keyUsage", "keyCertSign, cRLSign", true],
+        ["subjectKeyIdentifier", "hash", false],
+        ["authorityKeyIdentifier", "keyid:always", false]
+      ].freeze
+
+      # Make the certificate valid as of yesterday, because so many people's
+      # clocks are out of sync.  This gives one more day of validity than people
+      # might expect, but is better than making every person who has a messed up
+      # clock fail, and better than having every cert we generate expire a day
+      # before the user expected it to when they asked for "one year".
+      CERT_VALID_FROM = (Time.now - (60*60*24)).freeze
+
+      SUMMARY = "Generate a root and intermediate signing CA for Puppet Server"
+      BANNER = <<-BANNER
+Usage:
+  puppetserver ca generate [--help]
+  puppetserver ca generate [--config PATH]
+
+Description:
+Generate a root and intermediate signing CA for Puppet Server
+and store generated CA keys, certs, and crls on disk.
+
+To determine the target location, the default puppet.conf
+is consulted for custom values. If using a custom puppet.conf
+provide it with the --config flag
+
+Options:
+BANNER
+
+      def initialize(logger)
+        @logger = logger
+      end
+
+      def run(input)
+        # Validate config_path provided
+        config_path = input['config']
+        if config_path
+          errors = FileUtilities.validate_file_paths(config_path)
+          return 1 if Utils.handle_errors(@logger, errors)
+        end
+
+        # Load, resolve, and validate puppet config settings
+        puppet = PuppetConfig.parse(config_path)
+        return 1 if Utils.handle_errors(@logger, puppet.errors)
+
+        # Load most secure signing digest we can for cers/crl/csr signing.
+        signer = SigningDigest.new
+        return 1 if Utils.handle_errors(@logger, signer.errors)
+
+        # Generate root and intermediate ca and put all the certificates, crls,
+        # and keys where they should go.
+        generate_root_and_intermediate_ca(puppet.settings, signer.digest)
+
+        # Puppet's internal CA expects these file to exist.
+        FileUtilities.ensure_file(puppet.settings[:serial], "001", 0640)
+        FileUtilities.ensure_file(puppet.settings[:cert_inventory], "", 0640)
+
+        @logger.inform "Generation succeeded. Find your files in #{puppet.settings[:cadir]}"
+        return 0
+      end
+
+      def generate_root_and_intermediate_ca(settings, signing_digest)
+        valid_until = Time.now + settings[:ca_ttl]
+        host = Puppetserver::Ca::Host.new(signing_digest)
+
+        root_key = host.create_private_key(settings[:keylength])
+        root_cert = self_signed_ca(root_key, settings[:root_ca_name], valid_until, signing_digest)
+        root_crl = create_crl_for(root_cert, root_key, valid_until, signing_digest)
+
+        int_key = host.create_private_key(settings[:keylength])
+        int_csr = host.create_csr(settings[:ca_name], int_key)
+        int_cert = sign_intermediate(root_key, root_cert, int_csr, valid_until, signing_digest)
+        int_crl = create_crl_for(int_cert, int_key, valid_until, signing_digest)
+
+        FileUtilities.ensure_dir(settings[:cadir])
+
+        file_properties = [
+          [settings[:cacert], [int_cert, root_cert]],
+          [settings[:cakey], int_key],
+          [settings[:rootkey], root_key],
+          [settings[:cacrl], [int_crl, root_crl]]
+        ]
+
+        file_properties.each do |location, content|
+          @logger.warn "#{location} exists, overwriting" if File.exist?(location)
+          FileUtilities.write_file(location, content, 0640)
+        end
+      end
+
+      def self_signed_ca(key, name, valid_until, signing_digest)
+        cert = OpenSSL::X509::Certificate.new
+
+        cert.public_key = key.public_key
+        cert.subject = OpenSSL::X509::Name.new([["CN", name]])
+        cert.issuer = cert.subject
+        cert.version = 2
+        cert.serial = 1
+
+        cert.not_before = CERT_VALID_FROM
+        cert.not_after  = valid_until
+
+        ef = extension_factory_for(cert, cert)
+        CA_EXTENSIONS.each do |ext|
+          extension = ef.create_extension(*ext)
+          cert.add_extension(extension)
+        end
+
+        cert.sign(key, signing_digest)
+
+        cert
+      end
+
+      def extension_factory_for(ca, cert = nil)
+        ef = OpenSSL::X509::ExtensionFactory.new
+        ef.issuer_certificate  = ca
+        ef.subject_certificate = cert if cert
+
+        ef
+      end
+
+      def create_crl_for(ca_cert, ca_key, valid_until, signing_digest)
+        crl = OpenSSL::X509::CRL.new
+        crl.version = 1
+        crl.issuer = ca_cert.subject
+
+        ef = extension_factory_for(ca_cert)
+        crl.add_extension(
+          ef.create_extension(["authorityKeyIdentifier", "keyid:always", false]))
+        crl.add_extension(
+          OpenSSL::X509::Extension.new("crlNumber", OpenSSL::ASN1::Integer(0)))
+
+        crl.last_update = CERT_VALID_FROM
+        crl.next_update = valid_until
+        crl.sign(ca_key, signing_digest)
+
+        crl
+      end
+
+      def sign_intermediate(ca_key, ca_cert, csr, valid_until, signing_digest)
+        cert = OpenSSL::X509::Certificate.new
+
+        cert.public_key = csr.public_key
+        cert.subject = csr.subject
+        cert.issuer = ca_cert.subject
+        cert.version = 2
+        cert.serial = 2
+
+        cert.not_before = CERT_VALID_FROM
+        cert.not_after = valid_until
+
+        ef = extension_factory_for(ca_cert, cert)
+        CA_EXTENSIONS.each do |ext|
+          extension = ef.create_extension(*ext)
+          cert.add_extension(extension)
+        end
+        cert.sign(ca_key, signing_digest)
+
+        cert
+      end
+
+      def parse(cli_args)
+        parser, inputs, unparsed = parse_inputs(cli_args)
+
+        if !unparsed.empty?
+          @logger.err 'Error:'
+          @logger.err 'Unknown arguments or flags:'
+          unparsed.each do |arg|
+            @logger.err "    #{arg}"
+          end
+
+          @logger.err ''
+          @logger.err parser.help
+
+          exit_code = 1
+        else
+          exit_code = nil
+        end
+
+        return inputs, exit_code
+      end
+
+      def parse_inputs(inputs)
+        parsed = {}
+        unparsed = []
+
+        parser = self.class.parser(parsed)
+
+        begin
+          parser.order!(inputs) do |nonopt|
+            unparsed << nonopt
+          end
+        rescue OptionParser::ParseError => e
+          unparsed += e.args
+          unparsed << inputs.shift unless inputs.first =~ /^-{1,2}/
+          retry
+        end
+
+        return parser, parsed, unparsed
+      end
+
+      def self.parser(parsed = {})
+        OptionParser.new do |opts|
+          opts.banner = BANNER
+          opts.on('--help', 'Display this generate specific help output') do |help|
+            parsed['help'] = true
+          end
+          opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+            parsed['config'] = conf
+          end
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/host.rb

@@ -0,0 +1,26 @@
+require 'openssl'
+
+module Puppetserver
+  module Ca
+    class Host
+
+      def initialize(digest)
+        @digest = digest
+      end
+
+      def create_private_key(keylength)
+        OpenSSL::PKey::RSA.new(keylength)
+      end
+
+      def create_csr(name, key)
+        csr = OpenSSL::X509::Request.new
+        csr.public_key = key.public_key
+        csr.subject = OpenSSL::X509::Name.new([["CN", name]])
+        csr.version = 2
+        csr.sign(key, @digest)
+
+        csr
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/import_action.rb

@@ -1,6 +1,5 @@
-require 'etc'
-require 'fileutils'
 require 'optparse'
+require 'puppetserver/utils/file_utilities'
 require 'puppetserver/ca/x509_loader'
 require 'puppetserver/ca/puppet_config'
 
@@ -11,7 +10,7 @@ module Puppetserver
       SUMMARY = "Import the CA's key, certs, and crls"
       BANNER = <<-BANNER
 Usage:
-  puppetserver ca import [--help|--version]
+  puppetserver ca import [--help]
   puppetserver ca import [--config PATH]
       --private-key PATH --cert-bundle PATH --crl-chain PATH
 
@@ -38,7 +37,7 @@ BANNER
 
         files = [bundle_path, key_path, chain_path, config_path].compact
 
-        errors = validate_file_paths(files)
+        errors = Puppetserver::Utils::FileUtilities.validate_file_paths(files)
         return 1 if log_possible_errors(errors)
 
         loader = X509Loader.new(bundle_path, key_path, chain_path)
@@ -47,65 +46,22 @@ BANNER
         puppet = PuppetConfig.parse(config_path)
         return 1 if log_possible_errors(puppet.errors)
 
-        user, group = find_user_and_group
+        Puppetserver::Utils::FileUtilities.ensure_dir(puppet.settings[:cadir])
 
-        if !File.exist?(puppet.settings[:cadir])
-          FileUtils.mkdir_p(puppet.settings[:cadir], mode: 0750)
-          FileUtils.chown(user, group, puppet.settings[:cadir])
-        end
-
-        write_file(puppet.settings[:cacert], loader.certs, user, group, 0640)
+        Puppetserver::Utils::FileUtilities.write_file(puppet.settings[:cacert], loader.certs, 0640)
 
-        write_file(puppet.settings[:cakey], loader.key, user, group, 0640)
+        Puppetserver::Utils::FileUtilities.write_file(puppet.settings[:cakey], loader.key, 0640)
 
-        write_file(puppet.settings[:cacrl], loader.crls, user, group, 0640)
+        Puppetserver::Utils::FileUtilities.write_file(puppet.settings[:cacrl], loader.crls, 0640)
 
-        if !File.exist?(puppet.settings[:serial])
-          write_file(puppet.settings[:serial], "001", user, group, 0640)
-        end
-
-        if !File.exist?(puppet.settings[:cert_inventory])
-          write_file(puppet.settings[:cert_inventory],
-                     "", user, group, 0640)
-        end
+        # Puppet's internal CA expects these file to exist.
+        Puppetserver::Utils::FileUtilities.ensure_file(puppet.settings[:serial], "001", 0640)
+        Puppetserver::Utils::FileUtilities.ensure_file(puppet.settings[:cert_inventory], "", 0640)
 
+        @logger.inform "Import succeeded. Find your files in #{puppet.settings[:cadir]}"
         return 0
       end
 
-      def find_user_and_group
-        if !running_as_root?
-          return Process.euid, Process.egid
-        else
-          if pe_puppet_exists?
-            return 'pe-puppet', 'pe-puppet'
-          else
-            return 'puppet', 'puppet'
-          end
-        end
-      end
-
-      def running_as_root?
-        !Gem.win_platform? && Process.euid == 0
-      end
-
-      def pe_puppet_exists?
-        !!(Etc.getpwnam('pe-puppet') rescue nil)
-      end
-
-      def write_file(path, one_or_more_objects, user, group, mode)
-        if File.exist?(path)
-          @logger.warn("#{path} exists, overwriting")
-        end
-
-        File.open(path, 'w', mode) do |f|
-          Array(one_or_more_objects).each do |object|
-            f.puts object.to_s
-          end
-        end
-
-        FileUtils.chown(user, group, path)
-      end
-
       def log_possible_errors(maybe_errors)
         errors = Array(maybe_errors).compact
         unless errors.empty?
@@ -178,9 +134,6 @@ BANNER
           opts.on('--help', 'Display this import specific help output') do |help|
             parsed['help'] = true
           end
-          opts.on('--version', 'Output the version') do |v|
-            parsed['version'] = true
-          end
           opts.on('--config CONF', 'Path to puppet.conf') do |conf|
             parsed['config'] = conf
           end
@@ -195,17 +148,6 @@ BANNER
           end
         end
       end
-
-      def validate_file_paths(one_or_more_paths)
-        errors = []
-        Array(one_or_more_paths).each do |path|
-          if !File.exist?(path) || !File.readable?(path)
-            errors << "Could not read file '#{path}'"
-          end
-        end
-
-        errors
-      end
     end
   end
 end

data/lib/puppetserver/ca/list_action.rb

@@ -0,0 +1,155 @@
+require 'puppetserver/ca/utils'
+require 'puppetserver/utils/http_client'
+require 'puppetserver/utils/file_utilities'
+require 'puppetserver/ca/puppet_config'
+require 'optparse'
+require 'json'
+
+module Puppetserver
+  module Ca
+    class ListAction
+
+      include Puppetserver::Utils
+
+      SUMMARY = 'List all certificate requests'
+      BANNER = <<-BANNER
+Usage:
+  puppetserver ca list [--help]
+  puppetserver ca list [--config]
+  puppetserver ca list [--all]
+
+Description:
+List outstanding certificate requests. If --all is specified, signed and revoked certificates will be listed as well.
+
+Options:
+      BANNER
+
+      BODY = JSON.dump({desired_state: 'signed'})
+
+      def initialize(logger)
+        @logger = logger
+      end
+
+      def self.parser(parsed = {})
+        OptionParser.new do |opts|
+          opts.banner = BANNER
+          opts.on('--config CONF', 'Custom path to Puppet\'s config file') do |conf|
+            parsed['config'] = conf
+          end
+          opts.on('--help', 'Display this command specific help output') do |help|
+            parsed['help'] = true
+          end
+          opts.on('--all', 'List all certificates') do |a|
+            parsed['all'] = true
+          end
+        end
+      end
+
+      def run(input)
+        config = input['config']
+
+        if config
+          errors = FileUtilities.validate_file_paths(config)
+          return 1 if Utils.handle_errors(@logger, errors)
+        end
+
+        puppet = PuppetConfig.parse(config)
+        return 1 if Utils.handle_errors(@logger, puppet.errors)
+
+        all_certs = get_all_certs(puppet.settings)
+        return 1 if all_certs.nil?
+
+        requested, signed, revoked = separate_certs(all_certs)
+        input['all'] ? output_certs_by_state(requested, signed, revoked) : output_certs_by_state(requested)
+
+        return 0
+      end
+
+      def output_certs_by_state(requested, signed = [], revoked = [])
+        if revoked.empty? && signed.empty? && requested.empty?
+          @logger.inform "No certificates to list"
+          return
+        end
+
+        unless requested.empty?
+          @logger.inform "Requested Certificates:"
+          output_certs(requested)
+        end
+
+        unless signed.empty?
+          @logger.inform "Signed Certificates:"
+          output_certs(signed)
+        end
+
+        unless revoked.empty?
+          @logger.inform "Revoked Certificates:"
+          output_certs(revoked)
+        end
+      end
+
+      def output_certs(certs)
+        padded = 0
+        certs.each do |cert|
+          cert_size = cert["name"].size
+          padded = cert_size if cert_size > padded
+        end
+
+        certs.each do |cert|
+          @logger.inform "    #{cert["name"]}".ljust(padded + 6) + " (SHA256) " + " #{cert["fingerprints"]["SHA256"]}" +
+                             (cert["dns_alt_names"].empty? ? "" : "\talt names: #{cert["dns_alt_names"]}")
+          end
+      end
+
+      def http_client(settings)
+        @client ||= HttpClient.new(settings[:localcacert],
+                                   settings[:certificate_revocation],
+                                   settings[:hostcrl])
+      end
+
+      def get_certificate_statuses(settings)
+        client = http_client(settings)
+        url = client.make_ca_url(settings[:ca_server],
+                                 settings[:ca_port],
+                                 'certificate_statuses',
+                                 'any_key')
+        client.with_connection(url) do |connection|
+          connection.get(url)
+        end
+      end
+
+      def separate_certs(all_certs)
+        certs = all_certs.group_by { |v| v["state"]}
+        requested = certs.fetch("requested", [])
+        signed = certs.fetch("signed", [])
+        revoked = certs.fetch("revoked", [])
+        return requested, signed, revoked
+      end
+
+      def get_all_certs(settings)
+        result = get_certificate_statuses(settings)
+
+        unless result.code == '200'
+          @logger.err 'Error:'
+          @logger.err "    code: #{result.code}"
+          @logger.err "    body: #{result.body}" if result.body
+          return nil
+        end
+
+        JSON.parse(result.body)
+      end
+
+      def parse(args)
+        results = {}
+        parser = self.class.parser(results)
+
+        errors = Utils.parse_with_errors(parser, args)
+
+        errors_were_handled = Utils.handle_errors(@logger, errors, parser.help)
+
+        exit_code = errors_were_handled ? 1 : nil
+
+        return results, exit_code
+      end
+    end
+  end
+end