puppetserver-ca 0.2.0 → 0.3.0

data/lib/puppetserver/ca/utils.rb

@@ -0,0 +1,80 @@
+module Puppetserver
+  module Ca
+    module Utils
+      def self.parse_without_raising(parser, args)
+        all, not_flags, malformed_flags, unknown_flags = [], [], [], []
+
+        begin
+          # OptionParser calls this block when it finds a value that doesn't
+          # start with one or two dashes and doesn't follow a flag that
+          # consumes a value.
+          parser.order!(args) do |not_flag|
+            not_flags << not_flag
+            all << not_flag
+          end
+        rescue OptionParser::MissingArgument => e
+          malformed_flags += e.args
+          all += e.args
+
+          retry
+        rescue OptionParser::ParseError => e
+          flag = e.args.first
+          unknown_flags << flag
+          all << flag
+
+          if does_not_contain_argument(flag) &&
+              args.first &&
+              next_arg_is_not_another_flag(args.first)
+
+            value = args.shift
+            unknown_flags << value
+            all << value
+          end
+
+          retry
+        end
+
+        return all, not_flags, malformed_flags, unknown_flags
+      end
+
+      def self.parse_with_errors(parser, args)
+        errors = []
+
+        _, non_flags, malformed_flags, unknown_flags = parse_without_raising(parser, args)
+
+        malformed_flags.each {|f| errors << "    Missing argument to flag `#{f}`" }
+        unknown_flags.each   {|f| errors << "    Unknown flag or argument `#{f}`" }
+        non_flags.each       {|f| errors << "    Unknown input `#{f}`" }
+
+        errors
+      end
+
+      def self.handle_errors(log, errors, usage = nil)
+        unless errors.empty?
+          log.err 'Error:'
+          errors.each {|e| log.err e }
+
+          if usage
+            log.err ''
+            log.err usage
+          end
+
+          return true
+        else
+          return false
+        end
+      end
+
+    private
+
+      # eg. --flag=argument-to-flag
+      def self.does_not_contain_argument(flag)
+        !flag.include?('=')
+      end
+
+      def self.next_arg_is_not_another_flag(maybe_an_arg)
+        !maybe_an_arg.start_with?('-')
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "0.2.0"
+    VERSION = "0.3.0"
   end
 end

data/lib/puppetserver/settings/ttl_setting.rb

@@ -0,0 +1,48 @@
+# A setting that represents a span of time to live, and evaluates to Numeric
+# seconds to live where 0 means shortest possible time to live, a positive numeric value means time
+# to live in seconds, and the symbolic entry 'unlimited' is an infinite amount of time.
+#
+module Puppetserver
+  module Settings
+    class TTLSetting
+      # How we convert from various units to seconds.
+      UNITMAP = {
+        # 365 days isn't technically a year, but is sufficient for most purposes
+        "y" => 365 * 24 * 60 * 60,
+        "d" => 24 * 60 * 60,
+        "h" => 60 * 60,
+        "m" => 60,
+        "s" => 1
+      }
+
+      # A regex describing valid formats with groups for capturing the value and units
+      FORMAT = /^(\d+)(y|d|h|m|s)?$/
+
+      attr_reader :errors, :munged_value
+
+      def initialize(name, setting_value)
+        @errors = []
+        @munged_value = munge(setting_value, name)
+      end
+
+      # Convert the value to Numeric, parsing numeric string with units if necessary.
+      def munge(value, name)
+        case
+        when value.is_a?(Numeric)
+          if value < 0
+            @errors << "Invalid negative 'time to live' #{value.inspect} - did you mean 'unlimited'?"
+          end
+          value
+
+        when value == 'unlimited'
+          Float::INFINITY
+
+        when (value.is_a?(String) and value =~ FORMAT)
+          $1.to_i * UNITMAP[$2 || 's']
+        else
+          @errors <<  "Invalid 'time to live' format '#{value.inspect}' for parameter: #{name}"
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/utils/file_utilities.rb

@@ -0,0 +1,78 @@
+require 'fileutils'
+require 'etc'
+
+module Puppetserver
+  module Utils
+    class FileUtilities
+
+      def self.instance
+        @instance ||= new
+      end
+
+      def self.write_file(*args)
+        instance.write_file(*args)
+      end
+
+      def self.ensure_dir(setting)
+        instance.ensure_dir(setting)
+      end
+
+      def self.ensure_file(location, content, mode)
+        if !File.exist?(location)
+          instance.write_file(location, content, mode)
+        end
+      end
+
+      def self.validate_file_paths(one_or_more_paths)
+        errors = []
+        Array(one_or_more_paths).each do |path|
+          if !File.exist?(path) || !File.readable?(path)
+            errors << "Could not read file '#{path}'"
+          end
+        end
+
+        errors
+      end
+
+      def initialize
+        @user, @group = find_user_and_group
+      end
+
+      def find_user_and_group
+        if !running_as_root?
+          return Process.euid, Process.egid
+        else
+          if pe_puppet_exists?
+            return 'pe-puppet', 'pe-puppet'
+          else
+            return 'puppet', 'puppet'
+          end
+        end
+      end
+
+      def running_as_root?
+        !Gem.win_platform? && Process.euid == 0
+      end
+
+      def pe_puppet_exists?
+        !!(Etc.getpwnam('pe-puppet') rescue nil)
+      end
+
+      def write_file(path, one_or_more_objects, mode)
+        File.open(path, 'w', mode) do |f|
+          Array(one_or_more_objects).each do |object|
+            f.puts object.to_s
+          end
+        end
+        FileUtils.chown(@user, @group, path)
+      end
+
+      def ensure_dir(setting)
+        if !File.exist?(setting)
+          FileUtils.mkdir_p(setting, mode: 0750)
+          FileUtils.chown(@user, @group, setting)
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/utils/http_client.rb

@@ -0,0 +1,116 @@
+require 'openssl'
+require 'net/https'
+
+module Puppetserver
+  module Utils
+    # Utilities for doing HTTPS against the CA that wraps Net::HTTP constructs
+    class HttpClient
+
+      HEADERS = {
+        'User-Agent'   => 'PuppetserverCaCli',
+        'Content-Type' => 'application/json',
+        'Accept'       => 'application/json'
+      }
+
+      attr_reader :store
+
+      def initialize(localcacert, crl_usage, hostcrl)
+        @store = make_store(localcacert, crl_usage, hostcrl)
+      end
+
+      # Returns a URI-like wrapper around CA specific urls
+      def make_ca_url(host, port, resource_type = nil, certname = nil)
+        URL.new('https', host, port, 'puppet-ca', 'v1', resource_type, certname)
+      end
+
+      # Takes an instance URL (defined lower in the file), and creates a
+      # connection. The given block is passed our own Connection object.
+      # The Connection object should have HTTP verbs defined on it that take
+      # a body (and optional overrides). Returns whatever the block given returned.
+      def with_connection(url, &block)
+        request = ->(conn) { block.call(Connection.new(conn, url)) }
+
+        Net::HTTP.start(url.host, url.port,
+                        use_ssl: true, cert_store: @store,
+                        &request)
+      end
+
+      private
+      # Helper class that wraps a Net::HTTP connection, a HttpClient::URL
+      # and defines methods named after HTTP verbs that are called on the
+      # saved connection, returning a Result.
+      class Connection
+        def initialize(net_http_connection, url_struct)
+          @conn = net_http_connection
+          @url = url_struct
+        end
+
+        def get(url_overide = nil)
+          url = url_overide || @url
+
+          request = Net::HTTP::Get.new(url.to_uri, HEADERS)
+          result = @conn.request(request)
+
+          Result.new(result.code, result.body)
+        end
+
+        def put(body, url_override = nil)
+          url = url_override || @url
+
+          request = Net::HTTP::Put.new(url.to_uri, HEADERS)
+          request.body = body
+          result = @conn.request(request)
+
+          Result.new(result.code, result.body)
+        end
+
+        def delete(url_override = nil)
+          url = url_override || @url
+
+          result = @conn.request(Net::HTTP::Delete.new(url.to_uri, HEADERS))
+
+          Result.new(result.code, result.body)
+        end
+      end
+
+      # Just provide the bits of Net::HTTPResponse we care about
+      Result = Struct.new(:code, :body)
+
+      # Like URI, but not... maybe of suspicious value
+      URL = Struct.new(:protocol, :host, :port,
+                       :endpoint, :version,
+                       :resource_type, :resource_name) do
+              def full_url
+                protocol + '://' + host + ':' + port + '/' +
+                [endpoint, version, resource_type, resource_name].join('/')
+              end
+
+              def to_uri
+                URI(full_url)
+              end
+            end
+
+      def make_store(bundle, crl_usage, crls = nil)
+        store = OpenSSL::X509::Store.new
+        store.purpose = OpenSSL::X509::PURPOSE_ANY
+        store.add_file(bundle)
+
+        if crl_usage != :ignore
+
+          flags = OpenSSL::X509::V_FLAG_CRL_CHECK
+          if crl_usage == :chain
+            flags |= OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+          end
+
+          store.flags = flags
+          delimiter = /-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m
+          File.read(crls).scan(delimiter).each do |crl|
+            store.add_crl(OpenSSL::X509::CRL.new(crl))
+          end
+        end
+
+        store
+      end
+    end
+  end
+end

data/lib/puppetserver/utils/signing_digest.rb

@@ -0,0 +1,25 @@
+module Puppetserver
+  module Utils
+    class SigningDigest
+
+      attr_reader :errors, :digest
+
+      def initialize
+        @errors = []
+        if OpenSSL::Digest.const_defined?('SHA256')
+          @digest = OpenSSL::Digest::SHA256.new
+        elsif OpenSSL::Digest.const_defined?('SHA1')
+          @digest = OpenSSL::Digest::SHA1.new
+        elsif OpenSSL::Digest.const_defined?('SHA512')
+          @digest = OpenSSL::Digest::SHA512.new
+        elsif OpenSSL::Digest.const_defined?('SHA384')
+          @digest = OpenSSL::Digest::SHA384.new
+        elsif OpenSSL::Digest.const_defined?('SHA224')
+          @digest = OpenSSL::Digest::SHA224.new
+        else
+          @errors << "Error: No FIPS 140-2 compliant digest algorithm in OpenSSL::Digest"
+        end
+      end
+    end
+  end
+end

data/puppetserver-ca.gemspec

@@ -20,6 +20,8 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
+  spec.add_runtime_dependency "facter", [">= 2.0.1", "< 4"]
+
   spec.add_development_dependency "bundler", "~> 1.16"
   spec.add_development_dependency "rake", "~> 10.0"
   spec.add_development_dependency "rspec", "~> 3.0"

metadata

@@ -1,15 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-07-27 00:00:00.000000000 Z
+date: 2018-08-14 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: facter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -73,15 +93,27 @@ files:
 - bin/setup
 - exe/puppetserver-ca
 - lib/puppetserver/ca.rb
+- lib/puppetserver/ca/clean_action.rb
 - lib/puppetserver/ca/cli.rb
 - lib/puppetserver/ca/config_utils.rb
+- lib/puppetserver/ca/create_action.rb
+- lib/puppetserver/ca/generate_action.rb
+- lib/puppetserver/ca/host.rb
 - lib/puppetserver/ca/import_action.rb
+- lib/puppetserver/ca/list_action.rb
 - lib/puppetserver/ca/logger.rb
 - lib/puppetserver/ca/puppet_config.rb
 - lib/puppetserver/ca/puppetserver_config.rb
+- lib/puppetserver/ca/revoke_action.rb
+- lib/puppetserver/ca/sign_action.rb
 - lib/puppetserver/ca/stub.rb
+- lib/puppetserver/ca/utils.rb
 - lib/puppetserver/ca/version.rb
 - lib/puppetserver/ca/x509_loader.rb
+- lib/puppetserver/settings/ttl_setting.rb
+- lib/puppetserver/utils/file_utilities.rb
+- lib/puppetserver/utils/http_client.rb
+- lib/puppetserver/utils/signing_digest.rb
 - puppetserver-ca.gemspec
 homepage: https://github.com/puppetlabs/puppetserver-ca-cli/
 licenses: