puppetserver-ca 0.3.1 → 0.4.0

data/lib/puppetserver/ca/config/puppetserver.rb

@@ -0,0 +1,85 @@
+require 'hocon'
+require 'puppetserver/ca/utils/config'
+
+module Puppetserver
+  module Ca
+    module Config
+      # Provides an interface for querying Puppetserver settings w/o loading
+      # Puppetserver or any TK config service. Uses the ruby-hocon gem for parsing.
+      class PuppetServer
+
+        include Puppetserver::Ca::Utils::Config
+
+        def self.parse(config_path = nil)
+          instance = new(config_path)
+          instance.load
+
+          return instance
+        end
+
+        attr_reader :errors, :settings
+
+        def initialize(supplied_config_path = nil)
+          @using_default_location = !supplied_config_path
+          @config_path = supplied_config_path || "/etc/puppetlabs/puppetserver/conf.d/ca.conf"
+
+          @settings = nil
+          @errors = []
+        end
+
+        # Populate this config object with the CA-related settings
+        def load
+          if explicitly_given_config_file_or_default_config_exists?
+            begin
+              results = Hocon.load(@config_path)
+            rescue Hocon::ConfigError => e
+              errors << e.message
+            end
+          end
+
+          overrides = results || {}
+          @settings = supply_defaults(overrides).freeze
+        end
+
+        private
+
+        # Return the correct confdir. We check for being root on *nix,
+        # else the user path. We do not include a check for running
+        # as Adminstrator since non-development scenarios for Puppet Server
+        # on Windows are unsupported.
+        # Note that Puppet Server runs as the [pe-]puppet user but to
+        # start/stop it you must be root.
+        def user_specific_ca_dir
+          if running_as_root?
+            '/etc/puppetlabs/puppetserver/ca'
+          else
+            "#{ENV['HOME']}/.puppetlabs/etc/puppetserver/ca"
+          end
+        end
+
+        # Supply defaults for any CA settings not present in the config file
+        # @param [Hash] overrides setting names and values loaded from the config file,
+        #                         for overriding the defaults
+        # @return [Hash] CA-related settings
+        def supply_defaults(overrides = {})
+          ca_settings = overrides['certificate-authority'] || {}
+          settings = {}
+
+          cadir = settings[:cadir] = ca_settings.fetch('cadir', user_specific_ca_dir)
+
+          settings[:cacert] = ca_settings.fetch('cacert', "#{cadir}/ca_crt.pem")
+          settings[:cakey] = ca_settings.fetch('cakey', "#{cadir}/ca_key.pem")
+          settings[:cacrl] = ca_settings.fetch('cacrl', "#{cadir}/ca_crl.pem")
+          settings[:serial] = ca_settings.fetch('serial', "#{cadir}/serial")
+          settings[:cert_inventory] = ca_settings.fetch('cert-inventory', "#{cadir}/inventory.txt")
+
+          return settings
+        end
+
+        def explicitly_given_config_file_or_default_config_exists?
+          !@using_default_location || File.exist?(@config_path)
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/utils/cli_parsing.rb

@@ -0,0 +1,82 @@
+module Puppetserver
+  module Ca
+    module Utils
+      module CliParsing
+        def self.parse_without_raising(parser, args)
+          all, not_flags, malformed_flags, unknown_flags = [], [], [], []
+
+          begin
+            # OptionParser calls this block when it finds a value that doesn't
+            # start with one or two dashes and doesn't follow a flag that
+            # consumes a value.
+            parser.order!(args) do |not_flag|
+              not_flags << not_flag
+              all << not_flag
+            end
+          rescue OptionParser::MissingArgument => e
+            malformed_flags += e.args
+            all += e.args
+
+            retry
+          rescue OptionParser::ParseError => e
+            flag = e.args.first
+            unknown_flags << flag
+            all << flag
+
+            if does_not_contain_argument(flag) &&
+                args.first &&
+                next_arg_is_not_another_flag(args.first)
+
+              value = args.shift
+              unknown_flags << value
+              all << value
+            end
+
+            retry
+          end
+
+          return all, not_flags, malformed_flags, unknown_flags
+        end
+
+        def self.parse_with_errors(parser, args)
+          errors = []
+
+          _, non_flags, malformed_flags, unknown_flags = parse_without_raising(parser, args)
+
+          malformed_flags.each {|f| errors << "    Missing argument to flag `#{f}`" }
+          unknown_flags.each   {|f| errors << "    Unknown flag or argument `#{f}`" }
+          non_flags.each       {|f| errors << "    Unknown input `#{f}`" }
+
+          errors
+        end
+
+        def self.handle_errors(log, errors, usage = nil)
+          unless errors.empty?
+            log.err 'Error:'
+            errors.each {|e| log.err e }
+
+            if usage
+              log.err ''
+              log.err usage
+            end
+
+            return true
+          else
+            return false
+          end
+        end
+
+      private
+
+        # eg. --flag=argument-to-flag
+        def self.does_not_contain_argument(flag)
+          !flag.include?('=')
+        end
+
+        def self.next_arg_is_not_another_flag(maybe_an_arg)
+          !maybe_an_arg.start_with?('-')
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/utils/config.rb

@@ -0,0 +1,13 @@
+module Puppetserver
+  module Ca
+    module Utils
+      module Config
+
+        def running_as_root?
+          !Gem.win_platform? && Process::UID.eid == 0
+        end
+
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/utils/file_system.rb

@@ -0,0 +1,90 @@
+require 'fileutils'
+require 'etc'
+
+module Puppetserver
+  module Ca
+    module Utils
+      class FileSystem
+
+        def self.instance
+          @instance ||= new
+        end
+
+        def self.write_file(*args)
+          instance.write_file(*args)
+        end
+
+        def self.ensure_dir(setting)
+          instance.ensure_dir(setting)
+        end
+
+        def self.ensure_file(location, content, mode)
+          if !File.exist?(location)
+            instance.write_file(location, content, mode)
+          end
+        end
+
+        def self.validate_file_paths(one_or_more_paths)
+          errors = []
+          Array(one_or_more_paths).each do |path|
+            if !File.exist?(path) || !File.readable?(path)
+              errors << "Could not read file '#{path}'"
+            end
+          end
+
+          errors
+        end
+
+        def self.check_for_existing_files(one_or_more_paths)
+          errors = []
+          Array(one_or_more_paths).each do |path|
+            if File.exist?(path)
+              errors << "Existing file at '#{path}'"
+            end
+          end
+          errors
+        end
+
+        def initialize
+          @user, @group = find_user_and_group
+        end
+
+        def find_user_and_group
+          if !running_as_root?
+            return Process.euid, Process.egid
+          else
+            if pe_puppet_exists?
+              return 'pe-puppet', 'pe-puppet'
+            else
+              return 'puppet', 'puppet'
+            end
+          end
+        end
+
+        def running_as_root?
+          !Gem.win_platform? && Process.euid == 0
+        end
+
+        def pe_puppet_exists?
+          !!(Etc.getpwnam('pe-puppet') rescue nil)
+        end
+
+        def write_file(path, one_or_more_objects, mode)
+          File.open(path, 'w', mode) do |f|
+            Array(one_or_more_objects).each do |object|
+              f.puts object.to_s
+            end
+          end
+          FileUtils.chown(@user, @group, path)
+        end
+
+        def ensure_dir(setting)
+          if !File.exist?(setting)
+            FileUtils.mkdir_p(setting, mode: 0750)
+            FileUtils.chown(@user, @group, setting)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/utils/http_client.rb

@@ -0,0 +1,129 @@
+require 'openssl'
+require 'net/https'
+
+module Puppetserver
+  module Ca
+    module Utils
+      # Utilities for doing HTTPS against the CA that wraps Net::HTTP constructs
+      class HttpClient
+
+        DEFAULT_HEADERS = {
+          'User-Agent'   => 'PuppetserverCaCli',
+          'Content-Type' => 'application/json',
+          'Accept'       => 'application/json'
+        }
+
+        attr_reader :store
+
+        def initialize(settings)
+          @store = make_store(settings[:localcacert],
+                              settings[:certificate_revocation],
+                              settings[:hostcrl])
+          @cert = load_cert(settings[:hostcert])
+          @key = load_key(settings[:hostprivkey])
+        end
+
+        def load_cert(cert_path)
+          OpenSSL::X509::Certificate.new(File.read(cert_path))
+        end
+
+        def load_key(key_path)
+          OpenSSL::PKey.read(File.read(key_path))
+        end
+
+        # Takes an instance URL (defined lower in the file), and creates a
+        # connection. The given block is passed our own Connection object.
+        # The Connection object should have HTTP verbs defined on it that take
+        # a body (and optional overrides). Returns whatever the block given returned.
+        def with_connection(url, &block)
+          request = ->(conn) { block.call(Connection.new(conn, url)) }
+
+          Net::HTTP.start(url.host, url.port,
+                          use_ssl: true, cert_store: @store,
+                          cert: @cert, key: @key,
+                          &request)
+        end
+
+        private
+        # Helper class that wraps a Net::HTTP connection, a HttpClient::URL
+        # and defines methods named after HTTP verbs that are called on the
+        # saved connection, returning a Result.
+        class Connection
+          def initialize(net_http_connection, url_struct)
+            @conn = net_http_connection
+            @url = url_struct
+          end
+
+          def get(url_overide = nil, headers = {})
+            url = url_overide || @url
+            headers = DEFAULT_HEADERS.merge(headers)
+
+            request = Net::HTTP::Get.new(url.to_uri, headers)
+            result = @conn.request(request)
+
+            Result.new(result.code, result.body)
+          end
+
+          def put(body, url_override = nil, headers = {})
+            url = url_override || @url
+            headers = DEFAULT_HEADERS.merge(headers)
+
+            request = Net::HTTP::Put.new(url.to_uri, headers)
+            request.body = body
+            result = @conn.request(request)
+
+            Result.new(result.code, result.body)
+          end
+
+          def delete(url_override = nil, headers = {})
+            url = url_override || @url
+            headers = DEFAULT_HEADERS.merge(headers)
+
+            result = @conn.request(Net::HTTP::Delete.new(url.to_uri, headers))
+
+            Result.new(result.code, result.body)
+          end
+        end
+
+        # Just provide the bits of Net::HTTPResponse we care about
+        Result = Struct.new(:code, :body)
+
+        # Like URI, but not... maybe of suspicious value
+        URL = Struct.new(:protocol, :host, :port,
+                         :endpoint, :version,
+                         :resource_type, :resource_name) do
+                def full_url
+                  protocol + '://' + host + ':' + port + '/' +
+                  [endpoint, version, resource_type, resource_name].join('/')
+                end
+
+                def to_uri
+                  URI(full_url)
+                end
+              end
+
+        def make_store(bundle, crl_usage, crls = nil)
+          store = OpenSSL::X509::Store.new
+          store.purpose = OpenSSL::X509::PURPOSE_ANY
+          store.add_file(bundle)
+
+          if crl_usage != :ignore
+
+            flags = OpenSSL::X509::V_FLAG_CRL_CHECK
+            if crl_usage == :chain
+              flags |= OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+            end
+
+            store.flags = flags
+            delimiter = /-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m
+            File.read(crls).scan(delimiter).each do |crl|
+              store.add_crl(OpenSSL::X509::CRL.new(crl))
+            end
+          end
+
+          store
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/utils/signing_digest.rb

@@ -0,0 +1,27 @@
+module Puppetserver
+  module Ca
+    module Utils
+      class SigningDigest
+
+        attr_reader :errors, :digest
+
+        def initialize
+          @errors = []
+          if OpenSSL::Digest.const_defined?('SHA256')
+            @digest = OpenSSL::Digest::SHA256.new
+          elsif OpenSSL::Digest.const_defined?('SHA1')
+            @digest = OpenSSL::Digest::SHA1.new
+          elsif OpenSSL::Digest.const_defined?('SHA512')
+            @digest = OpenSSL::Digest::SHA512.new
+          elsif OpenSSL::Digest.const_defined?('SHA384')
+            @digest = OpenSSL::Digest::SHA384.new
+          elsif OpenSSL::Digest.const_defined?('SHA224')
+            @digest = OpenSSL::Digest::SHA224.new
+          else
+            @errors << "Error: No FIPS 140-2 compliant digest algorithm in OpenSSL::Digest"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "0.3.1"
+    VERSION = "0.4.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-08-15 00:00:00.000000000 Z
+date: 2018-08-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -93,27 +93,27 @@ files:
 - bin/setup
 - exe/puppetserver-ca
 - lib/puppetserver/ca.rb
-- lib/puppetserver/ca/clean_action.rb
+- lib/puppetserver/ca/action/clean.rb
+- lib/puppetserver/ca/action/create.rb
+- lib/puppetserver/ca/action/generate.rb
+- lib/puppetserver/ca/action/import.rb
+- lib/puppetserver/ca/action/list.rb
+- lib/puppetserver/ca/action/revoke.rb
+- lib/puppetserver/ca/action/sign.rb
+- lib/puppetserver/ca/certificate_authority.rb
 - lib/puppetserver/ca/cli.rb
-- lib/puppetserver/ca/config_utils.rb
-- lib/puppetserver/ca/create_action.rb
-- lib/puppetserver/ca/generate_action.rb
+- lib/puppetserver/ca/config/puppet.rb
+- lib/puppetserver/ca/config/puppetserver.rb
 - lib/puppetserver/ca/host.rb
-- lib/puppetserver/ca/import_action.rb
-- lib/puppetserver/ca/list_action.rb
 - lib/puppetserver/ca/logger.rb
-- lib/puppetserver/ca/puppet_config.rb
-- lib/puppetserver/ca/puppetserver_config.rb
-- lib/puppetserver/ca/revoke_action.rb
-- lib/puppetserver/ca/sign_action.rb
 - lib/puppetserver/ca/stub.rb
-- lib/puppetserver/ca/utils.rb
+- lib/puppetserver/ca/utils/cli_parsing.rb
+- lib/puppetserver/ca/utils/config.rb
+- lib/puppetserver/ca/utils/file_system.rb
+- lib/puppetserver/ca/utils/http_client.rb
+- lib/puppetserver/ca/utils/signing_digest.rb
 - lib/puppetserver/ca/version.rb
 - lib/puppetserver/ca/x509_loader.rb
-- lib/puppetserver/settings/ttl_setting.rb
-- lib/puppetserver/utils/file_utilities.rb
-- lib/puppetserver/utils/http_client.rb
-- lib/puppetserver/utils/signing_digest.rb
 - puppetserver-ca.gemspec
 homepage: https://github.com/puppetlabs/puppetserver-ca-cli/
 licenses: