puppetserver-ca 0.3.1 → 0.4.0

data/lib/puppetserver/ca/import_action.rb

@@ -1,153 +0,0 @@
-require 'optparse'
-require 'puppetserver/utils/file_utilities'
-require 'puppetserver/ca/x509_loader'
-require 'puppetserver/ca/puppet_config'
-
-module Puppetserver
-  module Ca
-    class ImportAction
-
-      SUMMARY = "Import the CA's key, certs, and crls"
-      BANNER = <<-BANNER
-Usage:
-  puppetserver ca import [--help]
-  puppetserver ca import [--config PATH]
-      --private-key PATH --cert-bundle PATH --crl-chain PATH
-
-Description:
-Given a private key, cert bundle, and a crl chain,
-validate and import to the Puppet Server CA.
-
-To determine the target location the default puppet.conf
-is consulted for custom values. If using a custom puppet.conf
-provide it with the --config flag
-
-Options:
-BANNER
-
-      def initialize(logger)
-        @logger = logger
-      end
-
-      def run(input)
-        bundle_path = input['cert-bundle']
-        key_path = input['private-key']
-        chain_path = input['crl-chain']
-        config_path = input['config']
-
-        files = [bundle_path, key_path, chain_path, config_path].compact
-
-        errors = Puppetserver::Utils::FileUtilities.validate_file_paths(files)
-        return 1 if log_possible_errors(errors)
-
-        loader = X509Loader.new(bundle_path, key_path, chain_path)
-        return 1 if log_possible_errors(loader.errors)
-
-        puppet = PuppetConfig.parse(config_path)
-        return 1 if log_possible_errors(puppet.errors)
-
-        Puppetserver::Utils::FileUtilities.ensure_dir(puppet.settings[:cadir])
-
-        Puppetserver::Utils::FileUtilities.write_file(puppet.settings[:cacert], loader.certs, 0640)
-
-        Puppetserver::Utils::FileUtilities.write_file(puppet.settings[:cakey], loader.key, 0640)
-
-        Puppetserver::Utils::FileUtilities.write_file(puppet.settings[:cacrl], loader.crls, 0640)
-
-        # Puppet's internal CA expects these file to exist.
-        Puppetserver::Utils::FileUtilities.ensure_file(puppet.settings[:serial], "001", 0640)
-        Puppetserver::Utils::FileUtilities.ensure_file(puppet.settings[:cert_inventory], "", 0640)
-
-        @logger.inform "Import succeeded. Find your files in #{puppet.settings[:cadir]}"
-        return 0
-      end
-
-      def log_possible_errors(maybe_errors)
-        errors = Array(maybe_errors).compact
-        unless errors.empty?
-          @logger.err "Error:"
-          errors.each do |message|
-            @logger.err "    #{message}"
-          end
-          return true
-        end
-      end
-
-      def parse(cli_args)
-        parser, inputs, unparsed = parse_inputs(cli_args)
-
-        if !unparsed.empty?
-          @logger.err 'Error:'
-          @logger.err 'Unknown arguments or flags:'
-          unparsed.each do |arg|
-            @logger.err "    #{arg}"
-          end
-
-          @logger.err ''
-          @logger.err parser.help
-
-          exit_code = 1
-        else
-          exit_code = validate_inputs(inputs, parser.help)
-        end
-
-        return inputs, exit_code
-      end
-
-      def validate_inputs(input, usage)
-        exit_code = nil
-
-        if input.values_at('cert-bundle', 'private-key', 'crl-chain').any?(&:nil?)
-          @logger.err 'Error:'
-          @logger.err 'Missing required argument'
-          @logger.err '    --cert-bundle, --private-key, --crl-chain are required'
-          @logger.err ''
-          @logger.err usage
-          exit_code = 1
-        end
-
-        exit_code
-      end
-
-      def parse_inputs(inputs)
-        parsed = {}
-        unparsed = []
-
-        parser = self.class.parser(parsed)
-
-        begin
-          parser.order!(inputs) do |nonopt|
-            unparsed << nonopt
-          end
-        rescue OptionParser::ParseError => e
-          unparsed += e.args
-          unparsed << inputs.shift unless inputs.first =~ /^-{1,2}/
-          retry
-        end
-
-        return parser, parsed, unparsed
-      end
-
-      def self.parser(parsed = {})
-        OptionParser.new do |opts|
-          opts.banner = BANNER
-          opts.on('--help', 'Display this import specific help output') do |help|
-            parsed['help'] = true
-          end
-          opts.on('--config CONF', 'Path to puppet.conf') do |conf|
-            parsed['config'] = conf
-          end
-          opts.on('--private-key KEY', 'Path to PEM encoded key') do |key|
-            parsed['private-key'] = key
-          end
-          opts.on('--cert-bundle BUNDLE', 'Path to PEM encoded bundle') do |bundle|
-            parsed['cert-bundle'] = bundle
-          end
-          opts.on('--crl-chain CHAIN', 'Path to PEM encoded chain') do |chain|
-            parsed['crl-chain'] = chain
-          end
-        end
-      end
-    end
-  end
-end

data/lib/puppetserver/ca/list_action.rb

@@ -1,153 +0,0 @@
-require 'puppetserver/ca/utils'
-require 'puppetserver/utils/http_client'
-require 'puppetserver/utils/file_utilities'
-require 'puppetserver/ca/puppet_config'
-require 'optparse'
-require 'json'
-
-module Puppetserver
-  module Ca
-    class ListAction
-
-      include Puppetserver::Utils
-
-      SUMMARY = 'List all certificate requests'
-      BANNER = <<-BANNER
-Usage:
-  puppetserver ca list [--help]
-  puppetserver ca list [--config]
-  puppetserver ca list [--all]
-
-Description:
-List outstanding certificate requests. If --all is specified, signed and revoked certificates will be listed as well.
-
-Options:
-      BANNER
-
-      BODY = JSON.dump({desired_state: 'signed'})
-
-      def initialize(logger)
-        @logger = logger
-      end
-
-      def self.parser(parsed = {})
-        OptionParser.new do |opts|
-          opts.banner = BANNER
-          opts.on('--config CONF', 'Custom path to Puppet\'s config file') do |conf|
-            parsed['config'] = conf
-          end
-          opts.on('--help', 'Display this command specific help output') do |help|
-            parsed['help'] = true
-          end
-          opts.on('--all', 'List all certificates') do |a|
-            parsed['all'] = true
-          end
-        end
-      end
-
-      def run(input)
-        config = input['config']
-
-        if config
-          errors = FileUtilities.validate_file_paths(config)
-          return 1 if Utils.handle_errors(@logger, errors)
-        end
-
-        puppet = PuppetConfig.parse(config)
-        return 1 if Utils.handle_errors(@logger, puppet.errors)
-
-        all_certs = get_all_certs(puppet.settings)
-        return 1 if all_certs.nil?
-
-        requested, signed, revoked = separate_certs(all_certs)
-        input['all'] ? output_certs_by_state(requested, signed, revoked) : output_certs_by_state(requested)
-
-        return 0
-      end
-
-      def output_certs_by_state(requested, signed = [], revoked = [])
-        if revoked.empty? && signed.empty? && requested.empty?
-          @logger.inform "No certificates to list"
-          return
-        end
-
-        unless requested.empty?
-          @logger.inform "Requested Certificates:"
-          output_certs(requested)
-        end
-
-        unless signed.empty?
-          @logger.inform "Signed Certificates:"
-          output_certs(signed)
-        end
-
-        unless revoked.empty?
-          @logger.inform "Revoked Certificates:"
-          output_certs(revoked)
-        end
-      end
-
-      def output_certs(certs)
-        padded = 0
-        certs.each do |cert|
-          cert_size = cert["name"].size
-          padded = cert_size if cert_size > padded
-        end
-
-        certs.each do |cert|
-          @logger.inform "    #{cert["name"]}".ljust(padded + 6) + " (SHA256) " + " #{cert["fingerprints"]["SHA256"]}" +
-                             (cert["dns_alt_names"].empty? ? "" : "\talt names: #{cert["dns_alt_names"]}")
-          end
-      end
-
-      def http_client(settings)
-        @client ||= HttpClient.new(settings)
-      end
-
-      def get_certificate_statuses(settings)
-        client = http_client(settings)
-        url = client.make_ca_url(settings[:ca_server],
-                                 settings[:ca_port],
-                                 'certificate_statuses',
-                                 'any_key')
-        client.with_connection(url) do |connection|
-          connection.get(url)
-        end
-      end
-
-      def separate_certs(all_certs)
-        certs = all_certs.group_by { |v| v["state"]}
-        requested = certs.fetch("requested", [])
-        signed = certs.fetch("signed", [])
-        revoked = certs.fetch("revoked", [])
-        return requested, signed, revoked
-      end
-
-      def get_all_certs(settings)
-        result = get_certificate_statuses(settings)
-
-        unless result.code == '200'
-          @logger.err 'Error:'
-          @logger.err "    code: #{result.code}"
-          @logger.err "    body: #{result.body}" if result.body
-          return nil
-        end
-
-        JSON.parse(result.body)
-      end
-
-      def parse(args)
-        results = {}
-        parser = self.class.parser(results)
-
-        errors = Utils.parse_with_errors(parser, args)
-
-        errors_were_handled = Utils.handle_errors(@logger, errors, parser.help)
-
-        exit_code = errors_were_handled ? 1 : nil
-
-        return results, exit_code
-      end
-    end
-  end
-end

data/lib/puppetserver/ca/puppet_config.rb

@@ -1,197 +0,0 @@
-require 'puppetserver/ca/config_utils'
-require 'puppetserver/settings/ttl_setting'
-require 'securerandom'
-require 'facter'
-
-module Puppetserver
-  module Ca
-    # Provides an interface for asking for Puppet settings w/o loading
-    # Puppet. Includes a simple ini parser that will ignore Puppet's
-    # more complicated conventions.
-    class PuppetConfig
-
-      include Puppetserver::Ca::ConfigUtils
-
-      def self.parse(config_path = nil)
-        instance = new(config_path)
-        instance.load
-
-        return instance
-      end
-
-      attr_reader :errors, :settings
-
-      def initialize(supplied_config_path = nil)
-        @using_default_location = !supplied_config_path
-        @config_path = supplied_config_path || user_specific_conf_file
-
-        @settings = nil
-        @errors = []
-      end
-
-      # Return the correct confdir. We check for being root on *nix,
-      # else the user path. We do not include a check for running
-      # as Adminstrator since non-development scenarios for Puppet Server
-      # on Windows are unsupported.
-      # Note that Puppet Server runs as the [pe-]puppet user but to
-      # start/stop it you must be root.
-      def user_specific_conf_dir
-        if running_as_root?
-          '/etc/puppetlabs/puppet'
-        else
-          "#{ENV['HOME']}/.puppetlabs/etc/puppet"
-        end
-      end
-
-      def user_specific_conf_file
-        user_specific_conf_dir + '/puppet.conf'
-      end
-
-      def load
-        if explicitly_given_config_file_or_default_config_exists?
-          results = parse_text(File.read(@config_path))
-        end
-
-        @certname = default_certname
-
-        results ||= {}
-        results[:main] ||= {}
-        results[:master] ||= {}
-
-        overrides = results[:main].merge(results[:master])
-
-        @settings = resolve_settings(overrides).freeze
-      end
-
-      def default_certname
-        hostname = Facter.value(:hostname)
-        domain = Facter.value(:domain)
-        if domain and domain != ''
-          fqdn = [hostname, domain].join('.')
-        else
-          fqdn = hostname
-        end
-        fqdn.chomp('.')
-      end
-
-      # Resolve settings from default values, with any overrides for the
-      # specific settings or their dependent settings (ssldir, cadir) taken into account.
-      def resolve_settings(overrides = {})
-        unresolved_setting = /\$[a-z_]+/
-
-        # Returning the key for unknown keys (rather than nil) is required to
-        # keep unknown settings in the string for later verification.
-        substitutions = Hash.new {|h, k| k }
-        settings = {}
-
-        confdir = user_specific_conf_dir
-        settings[:confdir] = substitutions['$confdir'] = confdir
-
-        ssldir = overrides.fetch(:ssldir, '$confdir/ssl')
-        settings[:ssldir] = substitutions['$ssldir'] = ssldir.sub('$confdir', confdir)
-
-        certdir = overrides.fetch(:certdir, '$ssldir/certs')
-        settings[:certdir] = substitutions['$certdir'] = certdir.sub(unresolved_setting, substitutions)
-
-        cadir = overrides.fetch(:cadir, '$ssldir/ca')
-        settings[:cadir] = substitutions['$cadir'] = cadir.sub(unresolved_setting, substitutions)
-
-        settings[:certname] = substitutions['$certname'] = overrides.fetch(:certname, @certname)
-
-        server = overrides.fetch(:server, '$certname')
-        settings[:server] = substitutions['$server'] = server.sub(unresolved_setting, substitutions)
-
-        privatekeydir = overrides.fetch(:privatekeydir, '$ssldir/private_keys')
-        settings[:privatekeydir] = substitutions['$privatekeydir'] = privatekeydir.sub(unresolved_setting, substitutions)
-
-        settings[:masterport] = substitutions['$masterport'] = overrides.fetch(:masterport, '8140')
-
-        settings[:ca_name] =  overrides.fetch(:ca_name, 'Puppet CA: $certname')
-        settings[:root_ca_name] = overrides.fetch(:root_ca_name, "Puppet Root CA: #{SecureRandom.hex(7)}")
-
-        unmunged_ca_ttl =  overrides.fetch(:ca_ttl, '15y')
-        ttl_setting = Puppetserver::Settings::TTLSetting.new(:ca_ttl, unmunged_ca_ttl)
-        if ttl_setting.errors
-          ttl_setting.errors.each { |error| @errors << error }
-        end
-
-        settings[:ca_ttl] =         ttl_setting.munged_value
-        settings[:keylength] =      overrides.fetch(:keylength, 4096)
-        settings[:cacert] =         overrides.fetch(:cacert, '$cadir/ca_crt.pem')
-        settings[:cakey] =          overrides.fetch(:cakey, '$cadir/ca_key.pem')
-        settings[:rootkey] =        overrides.fetch(:rootkey, '$cadir/root_key.pem')
-        settings[:cacrl] =          overrides.fetch(:cacrl, '$cadir/ca_crl.pem')
-        settings[:serial] =         overrides.fetch(:serial, '$cadir/serial')
-        settings[:cert_inventory] = overrides.fetch(:cert_inventory, '$cadir/inventory.txt')
-        settings[:ca_server] =      overrides.fetch(:ca_server, '$server')
-        settings[:ca_port] =        overrides.fetch(:ca_port, '$masterport')
-        settings[:localcacert] =    overrides.fetch(:localcacert, '$certdir/ca.pem')
-        settings[:hostcert] =       overrides.fetch(:hostcert, '$certdir/$certname.pem')
-        settings[:hostcrl] =        overrides.fetch(:hostcrl, '$ssldir/crl.pem')
-        settings[:hostprivkey] =    overrides.fetch(:hostprivkey, '$privatekeydir/$certname.pem')
-        settings[:publickeydir] =   overrides.fetch(:publickeydir, '$ssldir/public_keys')
-        settings[:certificate_revocation] = parse_crl_usage(overrides.fetch(:certificate_revocation, 'true'))
-
-        settings.each_pair do |key, value|
-          next unless value.is_a? String
-
-          settings[key] = value.gsub(unresolved_setting, substitutions)
-
-          if match = settings[key].match(unresolved_setting)
-            @errors << "Could not parse #{match[0]} in #{value}, " +
-                       'valid settings to be interpolated are ' +
-                       '$ssldir, $cadir, or $certname'
-          end
-        end
-
-        return settings
-      end
-
-      # Parse an inifile formatted String. Only captures \word character
-      # class keys/section names but nearly any character values (excluding
-      # leading whitespace) up to one of whitespace, opening curly brace, or
-      # hash sign (Our concern being to capture filesystem path values).
-      # Put values without a section into :main.
-      #
-      # Return Hash of Symbol section names with Symbol setting keys and
-      # String values.
-      def parse_text(text)
-        res = {}
-        current_section = :main
-        text.each_line do |line|
-          case line
-          when /^\s*\[(\w+)\].*/
-            current_section = $1.to_sym
-          when /^\s*(\w+)\s*=\s*([^\s{#]+).*$/
-            # Using a Hash with a default key breaks RSpec expectations.
-            res[current_section] ||= {}
-            res[current_section][$1.to_sym] = $2
-          end
-        end
-
-        res
-      end
-
-     private
-
-      def explicitly_given_config_file_or_default_config_exists?
-        !@using_default_location || File.exist?(@config_path)
-      end
-
-      def run(command)
-        %x( #{command} )
-      end
-
-      def parse_crl_usage(setting)
-        case setting.to_s
-        when 'true', 'chain'
-          :chain
-        when 'leaf'
-          :leaf
-        when 'false'
-          :ignore
-        end
-      end
-    end
-  end
-end