puppetserver-ca 0.3.1 → 0.4.0

data/lib/puppetserver/ca/clean_action.rb

@@ -1,157 +0,0 @@
-require 'puppetserver/ca/utils'
-require 'puppetserver/utils/http_client'
-require 'puppetserver/utils/file_utilities'
-require 'puppetserver/ca/puppet_config'
-require 'puppetserver/ca/revoke_action'
-
-require 'optparse'
-require 'json'
-
-module Puppetserver
-  module Ca
-    class CleanAction
-
-      include Puppetserver::Utils
-
-      CERTNAME_BLACKLIST = %w{--all --config}
-
-      SUMMARY = 'Clean files from the CA for certificate(s)'
-      BANNER = <<-BANNER
-Usage:
-  puppetserver ca clean [--help|--version]
-  puppetserver ca clean [--config] --certname CERTNAME[,ADDLCERTNAME]
-
-Description:
-Given one or more valid certnames, instructs the CA to revoke certificates
-matching the given certnames if they exist, and then remove files pertaining
-to them (keys, cert, and certificate request) over HTTPS using the local
-agent's PKI
-
-Options:
-BANNER
-
-      def self.parser(parsed = {})
-        parsed['certnames'] = []
-        OptionParser.new do |o|
-          o.banner = BANNER
-          o.on('--certname foo,bar', Array,
-               'One or more comma separated certnames') do |certs|
-            parsed['certnames'] += certs
-          end
-          o.on('--config PUPPET.CONF', 'Custom path to puppet.conf') do |conf|
-            parsed['config'] = conf
-          end
-          o.on('--help', 'Displays this clean specific help output') do |help|
-            parsed['help'] = help
-          end
-        end
-      end
-
-      def initialize(logger)
-        @logger = logger
-      end
-
-      def parse(args)
-        results = {}
-        parser = self.class.parser(results)
-
-        errors = Utils.parse_with_errors(parser, args)
-
-        results['certnames'].each do |certname|
-          if CERTNAME_BLACKLIST.include?(certname)
-            errors << "    Cannot manage cert named `#{certname}` from " +
-                      "the CLI, if needed use the HTTP API directly"
-          end
-        end
-
-        if results['certnames'].empty?
-          errors << '  At least one certname is required to clean'
-        end
-
-        errors_were_handled = Utils.handle_errors(@logger, errors, parser.help)
-
-        exit_code = errors_were_handled ? 1 : nil
-
-        return results, exit_code
-      end
-
-      def run(args)
-        certnames = args['certnames']
-        config = args['config']
-
-        if config
-          errors = FileUtilities.validate_file_paths(config)
-          return 1 if Utils.handle_errors(@logger, errors)
-        end
-
-        puppet = PuppetConfig.parse(config)
-        return 1 if Utils.handle_errors(@logger, puppet.errors)
-
-        passed = clean_certs(certnames, puppet.settings)
-
-        return passed ? 0 : 1
-      end
-
-      def clean_certs(certnames, settings)
-        client = HttpClient.new(settings)
-
-        url = client.make_ca_url(settings[:ca_server],
-                                 settings[:ca_port],
-                                 'certificate_status')
-
-        results = client.with_connection(url) do |connection|
-          certnames.map do |certname|
-            url.resource_name = certname
-            revoke_result = connection.put(RevokeAction::REQUEST_BODY, url)
-            revoked = check_revocation(revoke_result, certname)
-
-            cleaned = nil
-            unless revoked == :error
-              clean_result = connection.delete(url)
-              cleaned = check_result(clean_result, certname)
-            end
-
-            cleaned == :success && [:success, :not_found].include?(revoked)
-          end
-        end
-
-        return results.all?
-      end
-
-      # possibly logs the action, always returns a status symbol 👑
-      def check_revocation(result, certname)
-        case result.code
-        when '200', '204'
-          @logger.inform "Revoked certificate for #{certname}"
-          return :success
-        when '404'
-          return :not_found
-        else
-          @logger.err 'Error:'
-          @logger.err "    Failed revoking certificate for #{certname}"
-          @logger.err "    Received code: #{result.code}, body: #{result.body}"
-          return :error
-        end
-      end
-
-      # logs the action and returns a status symbol 👑
-      def check_result(result, certname)
-        case result.code
-        when '200', '204'
-          @logger.inform "Cleaned files related to #{certname}"
-          return :success
-        when '404'
-          @logger.err 'Error:'
-          @logger.err "    Could not find files for #{certname}"
-          return :not_found
-        else
-          @logger.err 'Error:'
-          @logger.err "    When cleaning #{certname} received:"
-          @logger.err "      code: #{result.code}"
-          @logger.err "      body: #{result.body.to_s}" if result.body
-          return :error
-        end
-      end
-    end
-  end
-end

data/lib/puppetserver/ca/config_utils.rb

@@ -1,11 +0,0 @@
-module Puppetserver
-  module Ca
-    module ConfigUtils
-
-      def running_as_root?
-        !Gem.win_platform? && Process::UID.eid == 0
-      end
-
-    end
-  end
-end

data/lib/puppetserver/ca/create_action.rb

@@ -1,265 +0,0 @@
-require 'puppetserver/ca/utils'
-require 'puppetserver/ca/host'
-require 'puppetserver/ca/puppet_config'
-require 'puppetserver/utils/file_utilities'
-require 'puppetserver/utils/http_client'
-require 'puppetserver/utils/signing_digest'
-require 'json'
-
-module Puppetserver
-  module Ca
-    class CreateAction
-
-      include Puppetserver::Utils
-
-      # Only allow printing ascii characters, excluding /
-      VALID_CERTNAME = /\A[ -.0-~]+\Z/
-      CERTNAME_BLACKLIST = %w{--all --config}
-
-      SUMMARY = "Create a new certificate signed by the CA"
-      BANNER = <<-BANNER
-Usage:
-  puppetserver ca create [--help]
-  puppetserver ca create [--config] --certname CERTNAME[,ADDLCERTNAME]
-
-Description:
-Creates a new certificate signed by the intermediate CA
-and stores generated keys and certs on disk.
-
-To determine the target location, the default puppet.conf
-is consulted for custom values. If using a custom puppet.conf
-provide it with the --config flag
-
-Options:
-BANNER
-      def initialize(logger)
-        @logger = logger
-      end
-
-      def self.parser(parsed = {})
-        parsed['certnames'] = []
-        OptionParser.new do |opts|
-          opts.banner = BANNER
-          opts.on('--certname FOO,BAR', Array,
-               'One or more comma separated certnames') do |certs|
-            parsed['certnames'] += certs
-          end
-          opts.on('--help', 'Display this create specific help output') do |help|
-            parsed['help'] = true
-          end
-          opts.on('--config CONF', 'Path to puppet.conf') do |conf|
-            parsed['config'] = conf
-          end
-        end
-      end
-
-      def parse(args)
-        results = {}
-        parser = self.class.parser(results)
-
-        errors = Utils.parse_with_errors(parser, args)
-
-        if results['certnames'].empty?
-          errors << '    At least one certname is required to create'
-        else
-          results['certnames'].each do |certname|
-            if CERTNAME_BLACKLIST.include?(certname)
-              errors << "    Cannot manage cert named `#{certname}` from " +
-                        "the CLI, if needed use the HTTP API directly"
-            end
-
-            if certname.match(/\p{Upper}/)
-              errors << "    Certificate names must be lower case"
-            end
-
-            unless certname =~ VALID_CERTNAME
-              errors << "  Certname #{certname} must not contain unprintable or non-ASCII characters"
-            end
-          end
-        end
-
-        errors_were_handled = Utils.handle_errors(@logger, errors, parser.help)
-
-        exit_code = errors_were_handled ? 1 : nil
-
-        return results, exit_code
-      end
-
-      def run(input)
-        certnames = input['certnames']
-        config_path = input['config']
-
-        # Validate config_path provided
-        if config_path
-          errors = FileUtilities.validate_file_paths(config_path)
-          return 1 if Utils.handle_errors(@logger, errors)
-        end
-
-        # Load, resolve, and validate puppet config settings
-        puppet = PuppetConfig.parse(config_path)
-        return 1 if Utils.handle_errors(@logger, puppet.errors)
-
-        # Load most secure signing digest we can for csr signing.
-        signer = SigningDigest.new
-        return 1 if Utils.handle_errors(@logger, signer.errors)
-
-        # Make sure we have all the directories where we will be writing files
-        FileUtilities.ensure_dir(puppet.settings[:certdir])
-        FileUtilities.ensure_dir(puppet.settings[:privatekeydir])
-        FileUtilities.ensure_dir(puppet.settings[:publickeydir])
-
-        # Generate and save certs and associated keys
-        all_passed = generate_certs(certnames, puppet.settings, signer.digest)
-        return all_passed ? 0 : 1
-      end
-
-      # Create csrs and keys, then submit them to CA, request for the CA to sign
-      # them, download the signed certificates from the CA, and finally save
-      # the signed certs and associated keys. Returns true if all certs were
-      # successfully created and saved.
-      def generate_certs(certnames, settings, digest)
-        passed = certnames.map do |certname|
-          key, csr = generate_key_csr(certname, settings, digest)
-          return false unless submit_certificate_request(certname, csr.to_s, settings)
-          return false unless sign_cert(certname, settings)
-          if download_cert(certname, settings)
-            save_keys(key, certname, settings)
-            true
-          else
-            false
-          end
-        end
-        passed.all?
-      end
-
-      def generate_key_csr(certname, settings, digest)
-        host = Puppetserver::Ca::Host.new(digest)
-        private_key = host.create_private_key(settings[:keylength])
-        csr = host.create_csr(certname, private_key)
-
-        return private_key, csr
-      end
-
-      def http_client(settings)
-        @client ||= HttpClient.new(settings)
-      end
-
-      # Make an HTTP request to submit certificate requests to CA
-      # @param certname [String] the name of the certificate to fetch
-      # @param csr [String] string version of a OpenSSL::X509::Request
-      # @param settings [Hash] a hash of config settings
-      # @return [Boolean] success of all csrs being submitted to CA
-      def submit_certificate_request(certname, csr, settings)
-        client = http_client(settings)
-        url = client.make_ca_url(settings[:ca_server],
-                       settings[:ca_port],
-                       'certificate_request',
-                       certname)
-
-        client.with_connection(url) do |connection|
-          result = connection.put(csr, url)
-          check_submit_result(result, certname)
-        end
-      end
-
-      def check_submit_result(result, certname)
-        case result.code
-        when '200', '204'
-          @logger.inform "Successfully submitted certificate request for #{certname}"
-          return true
-        else
-          @logger.err 'Error:'
-          @logger.err "    When certificate request submitted for #{certname}:"
-          @logger.err "      code: #{result.code}"
-          @logger.err "      body: #{result.body.to_s}" if result.body
-          return false
-        end
-      end
-
-      # Make an HTTP request to CA to sign the named certificates
-      # @param certname [String] the name of the certificate to have signed
-      # @param settings [Hash] a hash of config settings
-      # @return [Boolean] the success of certificates being signed
-      def sign_cert(certname, settings)
-        client = http_client(settings)
-
-        url = client.make_ca_url(settings[:ca_server],
-                       settings[:ca_port],
-                       'certificate_status',
-                       certname)
-
-        client.with_connection(url) do |connection|
-          body = JSON.dump({desired_state: 'signed'})
-          result = connection.put(body, url)
-          check_sign_result(result, certname)
-        end
-      end
-
-      def check_sign_result(result, certname)
-        case result.code
-        when '204'
-          @logger.inform "Successfully signed certificate request for #{certname}"
-          return true
-        else
-          @logger.err 'Error:'
-          @logger.err "    When signing request submitted for #{certname}:"
-          @logger.err "      code: #{result.code}"
-          @logger.err "      body: #{result.body.to_s}" if result.body
-          return false
-        end
-      end
-
-      # Make an HTTP request to fetch the named certificates from CA
-      # @param certname [String] the name of the certificate to fetch
-      # @param settings [Hash] a hash of config settings
-      # @return [Boolean] the success of certificate being downloaded
-      def download_cert(certname, settings)
-        client = http_client(settings)
-        url = client.make_ca_url(settings[:ca_server],
-                       settings[:ca_port],
-                       'certificate',
-                       certname)
-        client.with_connection(url) do |connection|
-          result = connection.get(url)
-          if downloaded = check_download_result(result, certname)
-            save_file(result.body, certname, settings[:certdir], "Certificate")
-            @logger.inform "Successfully downloaded and saved certificate #{certname} to #{settings[:certdir]}/#{certname}.pem"
-          end
-          downloaded
-        end
-      end
-
-      def check_download_result(result, certname)
-        case result.code
-        when '200'
-          return true
-        when '404'
-          @logger.err 'Error:'
-          @logger.err "    Signed certificate #{certname} could not be found on the CA"
-          return false
-        else
-          @logger.err 'Error:'
-          @logger.err "    When download requested for certificate #{certname}:"
-          @logger.err "      code: #{result.code}"
-          @logger.err "      body: #{result.body.to_s}" if result.body
-          return false
-        end
-      end
-
-      def save_keys(key, certname, settings)
-        public_key = key.public_key
-        save_file(key, certname, settings[:privatekeydir], "Private key")
-        save_file(public_key, certname, settings[:publickeydir], "Public key")
-        @logger.inform "Successfully saved private key for #{certname} to #{settings[:privatekeydir]}/#{certname}.pem"
-        @logger.inform "Successfully saved public key for #{certname} to #{settings[:publickeydir]}/#{certname}.pem"
-      end
-
-
-      def save_file(content, certname, dir, type)
-        location = File.join(dir, "#{certname}.pem")
-        @logger.warn "#{type} #{certname}.pem already exists, overwriting" if File.exist?(location)
-        FileUtilities.write_file(location, content, 0640)
-      end
-    end
-  end
-end

data/lib/puppetserver/ca/generate_action.rb

@@ -1,227 +0,0 @@
-require 'optparse'
-require 'openssl'
-require 'puppetserver/utils/file_utilities'
-require 'puppetserver/ca/host'
-require 'puppetserver/utils/signing_digest'
-
-module Puppetserver
-  module Ca
-    class GenerateAction
-      include Puppetserver::Utils
-
-      CA_EXTENSIONS = [
-        ["basicConstraints", "CA:TRUE", true],
-        ["keyUsage", "keyCertSign, cRLSign", true],
-        ["subjectKeyIdentifier", "hash", false],
-        ["authorityKeyIdentifier", "keyid:always", false]
-      ].freeze
-
-      # Make the certificate valid as of yesterday, because so many people's
-      # clocks are out of sync.  This gives one more day of validity than people
-      # might expect, but is better than making every person who has a messed up
-      # clock fail, and better than having every cert we generate expire a day
-      # before the user expected it to when they asked for "one year".
-      CERT_VALID_FROM = (Time.now - (60*60*24)).freeze
-
-      SUMMARY = "Generate a root and intermediate signing CA for Puppet Server"
-      BANNER = <<-BANNER
-Usage:
-  puppetserver ca generate [--help]
-  puppetserver ca generate [--config PATH]
-
-Description:
-Generate a root and intermediate signing CA for Puppet Server
-and store generated CA keys, certs, and crls on disk.
-
-To determine the target location, the default puppet.conf
-is consulted for custom values. If using a custom puppet.conf
-provide it with the --config flag
-
-Options:
-BANNER
-
-      def initialize(logger)
-        @logger = logger
-      end
-
-      def run(input)
-        # Validate config_path provided
-        config_path = input['config']
-        if config_path
-          errors = FileUtilities.validate_file_paths(config_path)
-          return 1 if Utils.handle_errors(@logger, errors)
-        end
-
-        # Load, resolve, and validate puppet config settings
-        puppet = PuppetConfig.parse(config_path)
-        return 1 if Utils.handle_errors(@logger, puppet.errors)
-
-        # Load most secure signing digest we can for cers/crl/csr signing.
-        signer = SigningDigest.new
-        return 1 if Utils.handle_errors(@logger, signer.errors)
-
-        # Generate root and intermediate ca and put all the certificates, crls,
-        # and keys where they should go.
-        generate_root_and_intermediate_ca(puppet.settings, signer.digest)
-
-        # Puppet's internal CA expects these file to exist.
-        FileUtilities.ensure_file(puppet.settings[:serial], "001", 0640)
-        FileUtilities.ensure_file(puppet.settings[:cert_inventory], "", 0640)
-
-        @logger.inform "Generation succeeded. Find your files in #{puppet.settings[:cadir]}"
-        return 0
-      end
-
-      def generate_root_and_intermediate_ca(settings, signing_digest)
-        valid_until = Time.now + settings[:ca_ttl]
-        host = Puppetserver::Ca::Host.new(signing_digest)
-
-        root_key = host.create_private_key(settings[:keylength])
-        root_cert = self_signed_ca(root_key, settings[:root_ca_name], valid_until, signing_digest)
-        root_crl = create_crl_for(root_cert, root_key, valid_until, signing_digest)
-
-        int_key = host.create_private_key(settings[:keylength])
-        int_csr = host.create_csr(settings[:ca_name], int_key)
-        int_cert = sign_intermediate(root_key, root_cert, int_csr, valid_until, signing_digest)
-        int_crl = create_crl_for(int_cert, int_key, valid_until, signing_digest)
-
-        FileUtilities.ensure_dir(settings[:cadir])
-
-        file_properties = [
-          [settings[:cacert], [int_cert, root_cert]],
-          [settings[:cakey], int_key],
-          [settings[:rootkey], root_key],
-          [settings[:cacrl], [int_crl, root_crl]]
-        ]
-
-        file_properties.each do |location, content|
-          @logger.warn "#{location} exists, overwriting" if File.exist?(location)
-          FileUtilities.write_file(location, content, 0640)
-        end
-      end
-
-      def self_signed_ca(key, name, valid_until, signing_digest)
-        cert = OpenSSL::X509::Certificate.new
-
-        cert.public_key = key.public_key
-        cert.subject = OpenSSL::X509::Name.new([["CN", name]])
-        cert.issuer = cert.subject
-        cert.version = 2
-        cert.serial = 1
-
-        cert.not_before = CERT_VALID_FROM
-        cert.not_after  = valid_until
-
-        ef = extension_factory_for(cert, cert)
-        CA_EXTENSIONS.each do |ext|
-          extension = ef.create_extension(*ext)
-          cert.add_extension(extension)
-        end
-
-        cert.sign(key, signing_digest)
-
-        cert
-      end
-
-      def extension_factory_for(ca, cert = nil)
-        ef = OpenSSL::X509::ExtensionFactory.new
-        ef.issuer_certificate  = ca
-        ef.subject_certificate = cert if cert
-
-        ef
-      end
-
-      def create_crl_for(ca_cert, ca_key, valid_until, signing_digest)
-        crl = OpenSSL::X509::CRL.new
-        crl.version = 1
-        crl.issuer = ca_cert.subject
-
-        ef = extension_factory_for(ca_cert)
-        crl.add_extension(
-          ef.create_extension(["authorityKeyIdentifier", "keyid:always", false]))
-        crl.add_extension(
-          OpenSSL::X509::Extension.new("crlNumber", OpenSSL::ASN1::Integer(0)))
-
-        crl.last_update = CERT_VALID_FROM
-        crl.next_update = valid_until
-        crl.sign(ca_key, signing_digest)
-
-        crl
-      end
-
-      def sign_intermediate(ca_key, ca_cert, csr, valid_until, signing_digest)
-        cert = OpenSSL::X509::Certificate.new
-
-        cert.public_key = csr.public_key
-        cert.subject = csr.subject
-        cert.issuer = ca_cert.subject
-        cert.version = 2
-        cert.serial = 2
-
-        cert.not_before = CERT_VALID_FROM
-        cert.not_after = valid_until
-
-        ef = extension_factory_for(ca_cert, cert)
-        CA_EXTENSIONS.each do |ext|
-          extension = ef.create_extension(*ext)
-          cert.add_extension(extension)
-        end
-        cert.sign(ca_key, signing_digest)
-
-        cert
-      end
-
-      def parse(cli_args)
-        parser, inputs, unparsed = parse_inputs(cli_args)
-
-        if !unparsed.empty?
-          @logger.err 'Error:'
-          @logger.err 'Unknown arguments or flags:'
-          unparsed.each do |arg|
-            @logger.err "    #{arg}"
-          end
-
-          @logger.err ''
-          @logger.err parser.help
-
-          exit_code = 1
-        else
-          exit_code = nil
-        end
-
-        return inputs, exit_code
-      end
-
-      def parse_inputs(inputs)
-        parsed = {}
-        unparsed = []
-
-        parser = self.class.parser(parsed)
-
-        begin
-          parser.order!(inputs) do |nonopt|
-            unparsed << nonopt
-          end
-        rescue OptionParser::ParseError => e
-          unparsed += e.args
-          unparsed << inputs.shift unless inputs.first =~ /^-{1,2}/
-          retry
-        end
-
-        return parser, parsed, unparsed
-      end
-
-      def self.parser(parsed = {})
-        OptionParser.new do |opts|
-          opts.banner = BANNER
-          opts.on('--help', 'Display this generate specific help output') do |help|
-            parsed['help'] = true
-          end
-          opts.on('--config CONF', 'Path to puppet.conf') do |conf|
-            parsed['config'] = conf
-          end
-        end
-      end
-    end
-  end
-end