puppetserver-ca 0.3.1 → 0.4.0

data/lib/puppetserver/ca/certificate_authority.rb

@@ -0,0 +1,224 @@
+require 'puppetserver/ca/utils/http_client'
+
+require 'json'
+
+module Puppetserver
+  module Ca
+    class CertificateAuthority
+
+      include Puppetserver::Ca::Utils
+
+      REVOKE_BODY = JSON.dump({ desired_state: 'revoked' })
+      SIGN_BODY =   JSON.dump({ desired_state: 'signed' })
+
+      def initialize(logger, settings)
+        @logger = logger
+        @client = HttpClient.new(settings)
+        @ca_server = settings[:ca_server]
+        @ca_port = settings[:ca_port]
+      end
+
+      # Returns a URI-like wrapper around CA specific urls
+      def make_ca_url(resource_type = nil, certname = nil)
+        HttpClient::URL.new('https', @ca_server, @ca_port, 'puppet-ca', 'v1', resource_type, certname)
+      end
+
+      def sign_certs(certnames)
+        put(certnames,
+            resource_type: 'certificate_status',
+            body: SIGN_BODY,
+            type: :sign)
+      end
+
+      def revoke_certs(certnames)
+        put(certnames,
+            resource_type: 'certificate_status',
+            body: REVOKE_BODY,
+            type: :revoke)
+      end
+
+      def submit_certificate_request(certname, csr)
+        put([certname],
+            resource_type: 'certificate_request',
+            body: csr.to_pem,
+            headers: {'Content-Type' => 'text/plain'},
+            type: :submit)
+      end
+
+      # Make an HTTP PUT request to CA
+      # @param resource_type [String] the resource type of url
+      # @param certnames [Array] array of certnames
+      # @param body [JSON/String] body of the put request
+      # @param type [Symbol] type of error processing to perform on result
+      # @return [Boolean] whether all requests were successful
+      def put(certnames, resource_type:, body:, type:, headers: {})
+        url = make_ca_url(resource_type)
+        results = @client.with_connection(url) do |connection|
+          certnames.map do |certname|
+            url.resource_name = certname
+            result = connection.put(body, url, headers)
+            process_results(type, certname, result)
+          end
+        end
+
+        results.all?
+      end
+
+      # logs the action and returns true/false for success
+      def process_results(type, certname, result)
+        case type
+        when :sign
+          case result.code
+          when '204'
+            @logger.inform "Successfully signed certificate request for #{certname}"
+            return true
+          when '404'
+            @logger.err 'Error:'
+            @logger.err "    Could not find certificate request for #{certname}"
+            return false
+          else
+            @logger.err 'Error:'
+            @logger.err "    When attempting to sign certificate request '#{certname}', received"
+            @logger.err "      code: #{result.code}"
+            @logger.err "      body: #{result.body.to_s}" if result.body
+            return false
+          end
+        when :revoke
+          case result.code
+          when '200', '204'
+            @logger.inform "Revoked certificate for #{certname}"
+            return true
+          when '404'
+            @logger.err 'Error:'
+            @logger.err "    Could not find certificate for #{certname}"
+            return false
+          else
+            @logger.err 'Error:'
+            @logger.err "    When attempting to revoke certificate '#{certname}', received:"
+            @logger.err "      code: #{result.code}"
+            @logger.err "      body: #{result.body.to_s}" if result.body
+            return false
+          end
+        when :submit
+          case result.code
+          when '200', '204'
+            @logger.inform "Successfully submitted certificate request for #{certname}"
+            return true
+          else
+            @logger.err 'Error:'
+            @logger.err "    When attempting to submit certificate request for '#{certname}', received:"
+            @logger.err "      code: #{result.code}"
+            @logger.err "      body: #{result.body.to_s}" if result.body
+            return false
+          end
+        end
+      end
+
+      # Make an HTTP request to CA to clean the named certificates
+      # @param certnames [Array] the name of the certificate(s) to have cleaned
+      # @return [Boolean] whether all certificate cleaning and revocation was successful
+      def clean_certs(certnames)
+        url = make_ca_url('certificate_status')
+
+        results = @client.with_connection(url) do |connection|
+          certnames.map do |certname|
+            url.resource_name = certname
+            revoke_result = connection.put(REVOKE_BODY, url)
+            revoked = check_revocation(certname, revoke_result)
+
+            cleaned = nil
+            unless revoked == :error
+              clean_result = connection.delete(url)
+              cleaned = check_clean(certname, clean_result)
+            end
+
+            cleaned == :success && [:success, :not_found].include?(revoked)
+          end
+        end
+
+        return results.all?
+      end
+
+      # possibly logs the action, always returns a status symbol 👑
+      def check_revocation(certname, result)
+        case result.code
+        when '200', '204'
+          @logger.inform "Revoked certificate for #{certname}"
+          return :success
+        when '404'
+          return :not_found
+        else
+          @logger.err 'Error:'
+          @logger.err "    When attempting to revoke certificate '#{certname}', received:"
+          @logger.err "      code: #{result.code}"
+          @logger.err "      body: #{result.body.to_s}" if result.body
+          return :error
+        end
+      end
+
+      # logs the action and returns a status symbol 👑
+      def check_clean(certname, result)
+        case result.code
+        when '200', '204'
+          @logger.inform "Cleaned files related to #{certname}"
+          return :success
+        when '404'
+          @logger.err 'Error:'
+          @logger.err "    Could not find files to clean for #{certname}"
+          return :not_found
+        else
+          @logger.err 'Error:'
+          @logger.err "    When attempting to clean certificate '#{certname}', received:"
+          @logger.err "      code: #{result.code}"
+          @logger.err "      body: #{result.body.to_s}" if result.body
+          return :error
+        end
+      end
+
+      # Returns nil for errors, else the result of the GET request
+      def get_certificate_statuses
+        result = get('certificate_statuses', 'any_key')
+
+        unless result.code == '200'
+          @logger.err 'Error:'
+          @logger.err "    code: #{result.code}"
+          @logger.err "    body: #{result.body}" if result.body
+          return nil
+        end
+
+        result
+      end
+
+      # Returns nil for errors, else the result of the GET request
+      def get_certificate(certname)
+        result = get('certificate', certname)
+
+        case result.code
+        when '200'
+          return result
+        when '404'
+          @logger.err 'Error:'
+          @logger.err "    Signed certificate #{certname} could not be found on the CA"
+          return nil
+        else
+          @logger.err 'Error:'
+          @logger.err "    When attempting to download certificate '#{certname}', received:"
+          @logger.err "      code: #{result.code}"
+          @logger.err "      body: #{result.body.to_s}" if result.body
+          return nil
+        end
+      end
+
+      # Make an HTTP GET request to CA
+      # @param resource_type [String] the resource type of url
+      # @param resource_name [String] the resource name of url
+      # @return [Struct] an instance of the Result struct with :code, :body
+      def get(resource_type, resource_name)
+        url = make_ca_url(resource_type, resource_name)
+        @client.with_connection(url) do |connection|
+          connection.get(url)
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/cli.rb

@@ -1,14 +1,15 @@
 require 'optparse'
 require 'puppetserver/ca/version'
 require 'puppetserver/ca/logger'
-require 'puppetserver/ca/clean_action'
-require 'puppetserver/ca/import_action'
-require 'puppetserver/ca/generate_action'
-require 'puppetserver/ca/revoke_action'
-require 'puppetserver/ca/list_action'
-require 'puppetserver/ca/sign_action'
-require 'puppetserver/ca/utils'
-require 'puppetserver/ca/create_action'
+require 'puppetserver/ca/action/clean'
+require 'puppetserver/ca/action/create'
+require 'puppetserver/ca/action/import'
+require 'puppetserver/ca/action/generate'
+require 'puppetserver/ca/action/revoke'
+require 'puppetserver/ca/action/list'
+require 'puppetserver/ca/action/sign'
+require 'puppetserver/ca/utils/cli_parsing'
+
 
 module Puppetserver
   module Ca
@@ -21,13 +22,13 @@ Puppet Server's built-in Certificate Authority
 BANNER
 
       VALID_ACTIONS = {
-        'clean'    => CleanAction,
-        'create'   => CreateAction,
-        'generate' => GenerateAction,
-        'import'   => ImportAction,
-        'list'     => ListAction,
-        'revoke'   => RevokeAction,
-        'sign'     => SignAction
+        'clean'    => Action::Clean,
+        'create'   => Action::Create,
+        'generate' => Action::Generate,
+        'import'   => Action::Import,
+        'list'     => Action::List,
+        'revoke'   => Action::Revoke,
+        'sign'     => Action::Sign
       }
 
       ACTION_LIST = "\nAvailable Actions:\n" +
@@ -103,7 +104,7 @@ BANNER
 
         end
 
-        all,_,_,_ = Utils.parse_without_raising(general_parser, inputs)
+        all,_,_,_ = Utils::CliParsing.parse_without_raising(general_parser, inputs)
 
         return general_parser, parsed, all
       end

data/lib/puppetserver/ca/config/puppet.rb

@@ -0,0 +1,242 @@
+require 'puppetserver/ca/utils/config'
+require 'securerandom'
+require 'facter'
+
+module Puppetserver
+  module Ca
+    module Config
+      # Provides an interface for asking for Puppet settings w/o loading
+      # Puppet. Includes a simple ini parser that will ignore Puppet's
+      # more complicated conventions.
+      class Puppet
+        # How we convert from various units to seconds.
+        TTL_UNITMAP = {
+          # 365 days isn't technically a year, but is sufficient for most purposes
+          "y" => 365 * 24 * 60 * 60,
+          "d" => 24 * 60 * 60,
+          "h" => 60 * 60,
+          "m" => 60,
+          "s" => 1
+        }
+
+        # A regex describing valid formats with groups for capturing the value and units
+        TTL_FORMAT = /^(\d+)(y|d|h|m|s)?$/
+
+        include Puppetserver::Ca::Utils::Config
+
+        def self.parse(config_path = nil)
+          instance = new(config_path)
+          instance.load
+
+          return instance
+        end
+
+        attr_reader :errors, :settings
+
+        def initialize(supplied_config_path = nil)
+          @using_default_location = !supplied_config_path
+          @config_path = supplied_config_path || user_specific_conf_file
+
+          @settings = nil
+          @errors = []
+        end
+
+        # Return the correct confdir. We check for being root on *nix,
+        # else the user path. We do not include a check for running
+        # as Adminstrator since non-development scenarios for Puppet Server
+        # on Windows are unsupported.
+        # Note that Puppet Server runs as the [pe-]puppet user but to
+        # start/stop it you must be root.
+        def user_specific_conf_dir
+          @user_specific_conf_dir ||=
+            if running_as_root?
+              '/etc/puppetlabs/puppet'
+            else
+              "#{ENV['HOME']}/.puppetlabs/etc/puppet"
+            end
+        end
+
+        def user_specific_conf_file
+          user_specific_conf_dir + '/puppet.conf'
+        end
+
+        def load
+          if explicitly_given_config_file_or_default_config_exists?
+            results = parse_text(File.read(@config_path))
+          end
+
+          results ||= {}
+          results[:main] ||= {}
+          results[:master] ||= {}
+
+          overrides = results[:main].merge(results[:master])
+
+          @settings = resolve_settings(overrides).freeze
+        end
+
+        def default_certname
+          @certname ||=
+            hostname = Facter.value(:hostname)
+            domain = Facter.value(:domain)
+            if domain and domain != ''
+              fqdn = [hostname, domain].join('.')
+            else
+              fqdn = hostname
+            end
+            fqdn.chomp('.')
+        end
+
+        # Resolve settings from default values, with any overrides for the
+        # specific settings or their dependent settings (ssldir, cadir) taken into account.
+        def resolve_settings(overrides = {})
+          unresolved_setting = /\$[a-z_]+/
+
+          # Returning the key for unknown keys (rather than nil) is required to
+          # keep unknown settings in the string for later verification.
+          substitutions = Hash.new {|h, k| k }
+          settings = {}
+
+          # Order for base settings here matters!
+          # These need to be evaluated before we can construct their dependent
+          # defaults below
+          base_defaults = [
+            [:confdir, user_specific_conf_dir],
+            [:ssldir,'$confdir/ssl'],
+            [:cadir, '$ssldir/ca'],
+            [:certdir, '$ssldir/certs'],
+            [:certname, default_certname],
+            [:server, '$certname'],
+            [:masterport, '8140'],
+            [:privatekeydir, '$ssldir/private_keys'],
+            [:publickeydir, '$ssldir/public_keys'],
+          ]
+
+          dependent_defaults = {
+            :ca_name => 'Puppet CA: $certname',
+            :root_ca_name => "Puppet Root CA: #{SecureRandom.hex(7)}",
+            :keylength => 4096,
+            :cacert => '$cadir/ca_crt.pem',
+            :cakey => '$cadir/ca_key.pem',
+            :capub => '$cadir/ca_pub.pem',
+            :rootkey => '$cadir/root_key.pem',
+            :cacrl => '$cadir/ca_crl.pem',
+            :serial => '$cadir/serial',
+            :cert_inventory => '$cadir/inventory.txt',
+            :ca_server => '$server',
+            :ca_port => '$masterport',
+            :localcacert => '$certdir/ca.pem',
+            :localcacrl => '$ssldir/crl.pem',
+            :hostcert => '$certdir/$certname.pem',
+            :hostcrl => '$ssldir/crl.pem',
+            :hostprivkey => '$privatekeydir/$certname.pem',
+            :hostpubkey => '$publickeydir/$certname.pem',
+            :publickeydir => '$ssldir/public_keys',
+            :ca_ttl => '15y',
+            :certificate_revocation => 'true',
+          }
+
+          # This loops through the base defaults and gives each setting a
+          # default if the value isn't specified in the config file. Default
+          # values given may depend upon the value of a previous base setting,
+          # thus the creation of the substitution hash.
+          base_defaults.each do |setting_name, default_value|
+            substitution_name = '$' + setting_name.to_s
+            setting_value = overrides.fetch(setting_name, default_value)
+            subbed_value = setting_value.sub(unresolved_setting, substitutions)
+            settings[setting_name] = substitutions[substitution_name] = subbed_value
+          end
+
+          dependent_defaults.each do |setting_name, default_value|
+            setting_value = overrides.fetch(setting_name, default_value)
+            settings[setting_name] = setting_value
+          end
+
+          # Some special cases where we need to manipulate config settings:
+          settings[:ca_ttl] = munge_ttl_setting(settings[:ca_ttl])
+          settings[:certificate_revocation] = parse_crl_usage(settings[:certificate_revocation])
+
+          # rename dns_alt_names to subject_alt_names now that we support IP alt names
+          settings[:subject_alt_names] = overrides.fetch(:dns_alt_names, "puppet,$certname")
+
+          settings.each do |key, value|
+            next unless value.is_a? String
+            settings[key] = value.gsub(unresolved_setting, substitutions)
+            if match = settings[key].match(unresolved_setting)
+              @errors << "Could not parse #{match[0]} in #{value}, " +
+                         'valid settings to be interpolated are ' +
+                         '$ssldir, $certdir, $cadir, $certname, $server, or $masterport'
+            end
+          end
+
+          return settings
+        end
+
+        # Parse an inifile formatted String. Only captures \word character
+        # class keys/section names but nearly any character values (excluding
+        # leading whitespace) up to one of whitespace, opening curly brace, or
+        # hash sign (Our concern being to capture filesystem path values).
+        # Put values without a section into :main.
+        #
+        # Return Hash of Symbol section names with Symbol setting keys and
+        # String values.
+        def parse_text(text)
+          res = {}
+          current_section = :main
+          text.each_line do |line|
+            case line
+            when /^\s*\[(\w+)\].*/
+              current_section = $1.to_sym
+            when /^\s*(\w+)\s*=\s*([^\s{#]+).*$/
+              # Using a Hash with a default key breaks RSpec expectations.
+              res[current_section] ||= {}
+              res[current_section][$1.to_sym] = $2
+            end
+          end
+
+          res
+        end
+
+       private
+
+        def explicitly_given_config_file_or_default_config_exists?
+          !@using_default_location || File.exist?(@config_path)
+        end
+
+        def run(command)
+          %x( #{command} )
+        end
+
+        # Convert the value to Numeric, parsing numeric string with units if necessary.
+        def munge_ttl_setting(ca_ttl_setting)
+          case
+          when ca_ttl_setting.is_a?(Numeric)
+            if ca_ttl_setting < 0
+              @errors << "Invalid negative 'time to live' #{ca_ttl_setting.inspect} - did you mean 'unlimited'?"
+            end
+            ca_ttl_setting
+
+          when ca_ttl_setting == 'unlimited'
+            Float::INFINITY
+
+          when (ca_ttl_setting.is_a?(String) and ca_ttl_setting =~ TTL_FORMAT)
+            $1.to_i * TTL_UNITMAP[$2 || 's']
+          else
+            @errors <<  "Invalid 'time to live' format '#{ca_ttl_setting.inspect}' for parameter: :ca_ttl"
+          end
+        end
+
+
+        def parse_crl_usage(setting)
+          case setting.to_s
+          when 'true', 'chain'
+            :chain
+          when 'leaf'
+            :leaf
+          when 'false'
+            :ignore
+          end
+        end
+      end
+    end
+  end
+end