puppetserver-ca 0.3.1 → 0.4.0

data/lib/puppetserver/ca/action/import.rb

@@ -0,0 +1,132 @@
+require 'optparse'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/x509_loader'
+require 'puppetserver/ca/config/puppet'
+require 'puppetserver/ca/utils/cli_parsing'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Import
+        include Puppetserver::Ca::Utils
+
+        SUMMARY = "Import the CA's key, certs, and crls"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca import [--help]
+  puppetserver ca import [--config PATH]
+      --private-key PATH --cert-bundle PATH --crl-chain PATH
+
+Description:
+Given a private key, cert bundle, and a crl chain,
+validate and import to the Puppet Server CA.
+
+To determine the target location the default puppet.conf
+is consulted for custom values. If using a custom puppet.conf
+provide it with the --config flag
+
+Options:
+BANNER
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(input)
+          bundle_path = input['cert-bundle']
+          key_path = input['private-key']
+          chain_path = input['crl-chain']
+          config_path = input['config']
+
+          files = [bundle_path, key_path, chain_path, config_path].compact
+
+          errors = FileSystem.validate_file_paths(files)
+          return 1 if CliParsing.handle_errors(@logger, errors)
+
+          loader = X509Loader.new(bundle_path, key_path, chain_path)
+          return 1 if CliParsing.handle_errors(@logger, loader.errors)
+
+          puppet = Config::Puppet.parse(config_path)
+          return 1 if CliParsing.handle_errors(@logger, puppet.errors)
+
+          target_locations = [puppet.settings[:cacert],
+                              puppet.settings[:cakey],
+                              puppet.settings[:cacrl],
+                              puppet.settings[:serial],
+                              puppet.settings[:cert_inventory]]
+          errors = FileSystem.check_for_existing_files(target_locations)
+          if !errors.empty?
+            instructions = <<-ERR
+If you would really like to replace your CA, please delete the existing files first.
+Note that any certificates that were issued by this CA will become invalid if you
+replace it!
+ERR
+            errors << instructions
+            CliParsing.handle_errors(@logger, errors)
+            return 1
+          end
+
+          FileSystem.ensure_dir(puppet.settings[:cadir])
+
+          FileSystem.write_file(puppet.settings[:cacert], loader.certs, 0640)
+
+          FileSystem.write_file(puppet.settings[:cakey], loader.key, 0640)
+
+          FileSystem.write_file(puppet.settings[:cacrl], loader.crls, 0640)
+
+          # Puppet's internal CA expects these file to exist.
+          FileSystem.ensure_file(puppet.settings[:serial], "0x0001", 0640)
+          FileSystem.ensure_file(puppet.settings[:cert_inventory], "", 0640)
+
+          @logger.inform "Import succeeded. Find your files in #{puppet.settings[:cadir]}"
+          return 0
+        end
+
+        def check_flag_usage(results)
+          if results['cert-bundle'].nil? || results['private-key'].nil? || results['crl-chain'].nil?
+            '    Missing required argument' + "\n" +
+            '    --cert-bundle, --private-key, --crl-chain are required'
+          end
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+
+          errors = CliParsing.parse_with_errors(parser, args)
+
+          if err = check_flag_usage(results)
+            errors << err
+          end
+
+          errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
+
+          exit_code = errors_were_handled ? 1 : nil
+
+          return results, exit_code
+        end
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this import specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+            opts.on('--private-key KEY', 'Path to PEM encoded key') do |key|
+              parsed['private-key'] = key
+            end
+            opts.on('--cert-bundle BUNDLE', 'Path to PEM encoded bundle') do |bundle|
+              parsed['cert-bundle'] = bundle
+            end
+            opts.on('--crl-chain CHAIN', 'Path to PEM encoded chain') do |chain|
+              parsed['crl-chain'] = chain
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/action/list.rb

@@ -0,0 +1,132 @@
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/certificate_authority'
+require 'puppetserver/ca/config/puppet'
+require 'optparse'
+require 'json'
+
+module Puppetserver
+  module Ca
+    module Action
+      class List
+
+        include Puppetserver::Ca::Utils
+
+        SUMMARY = 'List all certificate requests'
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca list [--help]
+  puppetserver ca list [--config]
+  puppetserver ca list [--all]
+
+Description:
+List outstanding certificate requests. If --all is specified, signed and revoked certificates will be listed as well.
+
+Options:
+      BANNER
+
+        BODY = JSON.dump({desired_state: 'signed'})
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--config CONF', 'Custom path to Puppet\'s config file') do |conf|
+              parsed['config'] = conf
+            end
+            opts.on('--help', 'Display this command specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--all', 'List all certificates') do |a|
+              parsed['all'] = true
+            end
+          end
+        end
+
+        def run(input)
+          config = input['config']
+
+          if config
+            errors = FileSystem.validate_file_paths(config)
+            return 1 if CliParsing.handle_errors(@logger, errors)
+          end
+
+          puppet = Config::Puppet.parse(config)
+          return 1 if CliParsing.handle_errors(@logger, puppet.errors)
+
+          all_certs = get_all_certs(puppet.settings)
+          return 1 if all_certs.nil?
+
+          requested, signed, revoked = separate_certs(all_certs)
+          input['all'] ? output_certs_by_state(requested, signed, revoked) : output_certs_by_state(requested)
+
+          return 0
+        end
+
+        def output_certs_by_state(requested, signed = [], revoked = [])
+          if revoked.empty? && signed.empty? && requested.empty?
+            @logger.inform "No certificates to list"
+            return
+          end
+
+          unless requested.empty?
+            @logger.inform "Requested Certificates:"
+            output_certs(requested)
+          end
+
+          unless signed.empty?
+            @logger.inform "Signed Certificates:"
+            output_certs(signed)
+          end
+
+          unless revoked.empty?
+            @logger.inform "Revoked Certificates:"
+            output_certs(revoked)
+          end
+        end
+
+        def output_certs(certs)
+          padded = 0
+          certs.each do |cert|
+            cert_size = cert["name"].size
+            padded = cert_size if cert_size > padded
+          end
+
+          certs.each do |cert|
+            @logger.inform "    #{cert["name"]}".ljust(padded + 6) + " (SHA256) " + " #{cert["fingerprints"]["SHA256"]}" +
+                               (cert["dns_alt_names"].empty? ? "" : "\talt names: #{cert["dns_alt_names"]}")
+            end
+        end
+
+        def separate_certs(all_certs)
+          certs = all_certs.group_by { |v| v["state"]}
+          requested = certs.fetch("requested", [])
+          signed = certs.fetch("signed", [])
+          revoked = certs.fetch("revoked", [])
+          return requested, signed, revoked
+        end
+
+        def get_all_certs(settings)
+          result = Puppetserver::Ca::CertificateAuthority.new(@logger, settings).get_certificate_statuses
+          JSON.parse(result.body)
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+
+          errors = CliParsing.parse_with_errors(parser, args)
+
+          errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
+
+          exit_code = errors_were_handled ? 1 : nil
+
+          return results, exit_code
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/action/revoke.rb

@@ -0,0 +1,101 @@
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/config/puppet'
+require 'puppetserver/ca/certificate_authority'
+
+require 'optparse'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Revoke
+
+        include Puppetserver::Ca::Utils
+
+        CERTNAME_BLACKLIST = %w{--all --config}
+
+        SUMMARY = 'Revoke a given certificate'
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca revoke [--help]
+  puppetserver ca revoke [--config] --certname CERTNAME[,ADDLCERTNAME]
+
+Description:
+Given one or more valid certnames, instructs the CA to revoke them over
+HTTPS using the local agent's PKI
+
+Options:
+BANNER
+
+        def self.parser(parsed = {})
+          parsed['certnames'] = []
+          OptionParser.new do |o|
+            o.banner = BANNER
+            o.on('--certname foo,bar', Array,
+                 'One or more comma separated certnames') do |certs|
+              parsed['certnames'] += certs
+            end
+            o.on('--config PUPPET.CONF', 'Custom path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+            o.on('--help', 'Displays this revoke specific help output') do |help|
+              parsed['help'] = true
+            end
+          end
+        end
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+
+          errors = CliParsing.parse_with_errors(parser, args)
+
+          results['certnames'].each do |certname|
+            if CERTNAME_BLACKLIST.include?(certname)
+              errors << "    Cannot manage cert named `#{certname}` from " +
+                        "the CLI, if needed use the HTTP API directly"
+            end
+          end
+
+          if results['certnames'].empty?
+            errors << '  At least one certname is required to revoke'
+          end
+
+          errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
+
+          # if there is an exit_code then Cli will return it early, so we only
+          # return an exit_code if there's an error
+          exit_code = errors_were_handled ? 1 : nil
+
+          return results, exit_code
+        end
+
+        def run(args)
+          certnames = args['certnames']
+          config = args['config']
+
+          if config
+            errors = FileSystem.validate_file_paths(config)
+            return 1 if CliParsing.handle_errors(@logger, errors)
+          end
+
+          puppet = Config::Puppet.parse(config)
+          return 1 if CliParsing.handle_errors(@logger, puppet.errors)
+
+          passed = revoke_certs(certnames, puppet.settings)
+
+          return passed ? 0 : 1
+        end
+
+        def revoke_certs(certnames, settings)
+          ca = Puppetserver::Ca::CertificateAuthority.new(@logger, settings)
+          ca.revoke_certs(certnames)
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/action/sign.rb

@@ -0,0 +1,126 @@
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/config/puppet'
+require 'puppetserver/ca/certificate_authority'
+
+require 'optparse'
+require 'openssl'
+require 'net/https'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Sign
+
+        include Puppetserver::Ca::Utils
+
+        SUMMARY = 'Sign a given certificate'
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca sign [--help]
+  puppetserver ca sign [--config] --certname CERTNAME[,CERTNAME]
+  puppetserver ca sign  --all
+
+Description:
+Given a comma-separated list of valid certnames, instructs the CA to sign each cert.
+
+Options:
+      BANNER
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--certname x,y,z', Array, 'the name(s) of the cert(s) to be signed') do |cert|
+              parsed['certname'] = cert
+            end
+            opts.on('--config PUPPET.CONF', 'Custom path to Puppet\'s config file') do |conf|
+              parsed['config'] = conf
+            end
+            opts.on('--help', 'Display this command specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--all', 'Operate on all certnames') do |a|
+              parsed['all'] = true
+            end
+          end
+        end
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(input)
+          config = input['config']
+
+          if config
+            errors = FileSystem.validate_file_paths(config)
+            return 1 if CliParsing.handle_errors(@logger, errors)
+          end
+
+          puppet = Config::Puppet.parse(config)
+          return 1 if CliParsing.handle_errors(@logger, puppet.errors)
+
+          ca = Puppetserver::Ca::CertificateAuthority.new(@logger, puppet.settings)
+
+          if input['all']
+            requested_certnames = get_all_pending_certs(ca)
+            if requested_certnames.nil?
+              return 1
+            end
+          else
+            requested_certnames = input['certname']
+          end
+
+          success = ca.sign_certs(requested_certnames)
+          return success ? 0 : 1
+        end
+
+        def get_all_pending_certs(ca)
+          if result = ca.get_certificate_statuses
+            select_pending_certs(result.body)
+          end
+        end
+
+        def select_pending_certs(get_result)
+          requested_certnames = JSON.parse(get_result).select{|e| e["state"] == "requested"}.map{|e| e["name"]}
+
+          if requested_certnames.empty?
+            @logger.err 'Error:'
+            @logger.err "    No waiting certificate requests to sign"
+            return nil
+          end
+
+          return requested_certnames
+        end
+
+        def check_flag_usage(results)
+          if results['certname'] && results['all']
+            '--all and --certname cannot be used together'
+          elsif !results['certname'] && !results['all']
+            'No arguments given'
+          elsif results['certname'] && results['certname'].include?('--all')
+            'Cannot use --all with --certname. If you actually have a certificate request ' +
+                            'for a certifcate named --all, you need to use the HTTP API.'
+          end
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+
+          errors = CliParsing.parse_with_errors(parser, args)
+
+          if err = check_flag_usage(results)
+            errors << err
+          end
+
+          errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
+
+          exit_code = errors_were_handled ? 1 : nil
+
+          return results, exit_code
+        end
+      end
+    end
+  end
+end