RubyGems - puppetserver-ca - Versions diffs - 0.3.1 → 0.4.0 - Mend

puppetserver-ca 0.3.1 → 0.4.0

Files changed (34) hide show

checksums.yaml +4 -4
data/lib/puppetserver/ca/action/clean.rb +102 -0
data/lib/puppetserver/ca/action/create.rb +161 -0
data/lib/puppetserver/ca/action/generate.rb +313 -0
data/lib/puppetserver/ca/action/import.rb +132 -0
data/lib/puppetserver/ca/action/list.rb +132 -0
data/lib/puppetserver/ca/action/revoke.rb +101 -0
data/lib/puppetserver/ca/action/sign.rb +126 -0
data/lib/puppetserver/ca/certificate_authority.rb +224 -0
data/lib/puppetserver/ca/cli.rb +17 -16
data/lib/puppetserver/ca/config/puppet.rb +242 -0
data/lib/puppetserver/ca/config/puppetserver.rb +85 -0
data/lib/puppetserver/ca/utils/cli_parsing.rb +82 -0
data/lib/puppetserver/ca/utils/config.rb +13 -0
data/lib/puppetserver/ca/utils/file_system.rb +90 -0
data/lib/puppetserver/ca/utils/http_client.rb +129 -0
data/lib/puppetserver/ca/utils/signing_digest.rb +27 -0
data/lib/puppetserver/ca/version.rb +1 -1
metadata +17 -17
data/lib/puppetserver/ca/clean_action.rb +0 -157
data/lib/puppetserver/ca/config_utils.rb +0 -11
data/lib/puppetserver/ca/create_action.rb +0 -265
data/lib/puppetserver/ca/generate_action.rb +0 -227
data/lib/puppetserver/ca/import_action.rb +0 -153
data/lib/puppetserver/ca/list_action.rb +0 -153
data/lib/puppetserver/ca/puppet_config.rb +0 -197
data/lib/puppetserver/ca/puppetserver_config.rb +0 -83
data/lib/puppetserver/ca/revoke_action.rb +0 -136
data/lib/puppetserver/ca/sign_action.rb +0 -190
data/lib/puppetserver/ca/utils.rb +0 -80
data/lib/puppetserver/settings/ttl_setting.rb +0 -48
data/lib/puppetserver/utils/file_utilities.rb +0 -78
data/lib/puppetserver/utils/http_client.rb +0 -129
data/lib/puppetserver/utils/signing_digest.rb +0 -25

data/lib/puppetserver/ca/puppetserver_config.rb DELETED Viewed

@@ -1,83 +0,0 @@
-require 'hocon'
-require 'puppetserver/ca/config_utils'
-module Puppetserver
-  module Ca
-    # Provides an interface for querying Puppetserver settings w/o loading
-    # Puppetserver or any TK config service. Uses the ruby-hocon gem for parsing.
-    class PuppetserverConfig
-      include Puppetserver::Ca::ConfigUtils
-      def self.parse(config_path = nil)
-        instance = new(config_path)
-        instance.load
-        return instance
-      end
-      attr_reader :errors, :settings
-      def initialize(supplied_config_path = nil)
-        @using_default_location = !supplied_config_path
-        @config_path = supplied_config_path || "/etc/puppetlabs/puppetserver/conf.d/ca.conf"
-        @settings = nil
-        @errors = []
-      end
-      # Populate this config object with the CA-related settings
-      def load
-        if explicitly_given_config_file_or_default_config_exists?
-          begin
-            results = Hocon.load(@config_path)
-          rescue Hocon::ConfigError => e
-            errors << e.message
-          end
-        end
-        overrides = results || {}
-        @settings = supply_defaults(overrides).freeze
-      end
-      private
-      # Return the correct confdir. We check for being root on *nix,
-      # else the user path. We do not include a check for running
-      # as Adminstrator since non-development scenarios for Puppet Server
-      # on Windows are unsupported.
-      # Note that Puppet Server runs as the [pe-]puppet user but to
-      # start/stop it you must be root.
-      def user_specific_ca_dir
-        if running_as_root?
-          '/etc/puppetlabs/puppetserver/ca'
-        else
-          "#{ENV['HOME']}/.puppetlabs/etc/puppetserver/ca"
-        end
-      end
-      # Supply defaults for any CA settings not present in the config file
-      # @param [Hash] overrides setting names and values loaded from the config file,
-      #                         for overriding the defaults
-      # @return [Hash] CA-related settings
-      def supply_defaults(overrides = {})
-        ca_settings = overrides['certificate-authority'] || {}
-        settings = {}
-        cadir = settings[:cadir] = ca_settings.fetch('cadir', user_specific_ca_dir)
-        settings[:cacert] = ca_settings.fetch('cacert', "#{cadir}/ca_crt.pem")
-        settings[:cakey] = ca_settings.fetch('cakey', "#{cadir}/ca_key.pem")
-        settings[:cacrl] = ca_settings.fetch('cacrl', "#{cadir}/ca_crl.pem")
-        settings[:serial] = ca_settings.fetch('serial', "#{cadir}/serial")
-        settings[:cert_inventory] = ca_settings.fetch('cert-inventory', "#{cadir}/inventory.txt")
-        return settings
-      end
-      def explicitly_given_config_file_or_default_config_exists?
-        !@using_default_location || File.exist?(@config_path)
-      end
-    end
-  end
-end

data/lib/puppetserver/ca/revoke_action.rb DELETED Viewed

@@ -1,136 +0,0 @@
-require 'puppetserver/ca/utils'
-require 'puppetserver/utils/http_client'
-require 'puppetserver/utils/file_utilities'
-require 'puppetserver/ca/puppet_config'
-require 'optparse'
-require 'json'
-module Puppetserver
-  module Ca
-    class RevokeAction
-      include Puppetserver::Utils
-      REQUEST_BODY = JSON.dump({ desired_state: 'revoked' })
-      CERTNAME_BLACKLIST = %w{--all --config}
-      SUMMARY = 'Revoke a given certificate'
-      BANNER = <<-BANNER
-Usage:
-  puppetserver ca revoke [--help|--version]
-  puppetserver ca revoke [--config] --certname CERTNAME[,ADDLCERTNAME]
-Description:
-Given one or more valid certnames, instructs the CA to revoke them over
-HTTPS using the local agent's PKI
-Options:
-BANNER
-      def self.parser(parsed = {})
-        parsed['certnames'] = []
-        OptionParser.new do |o|
-          o.banner = BANNER
-          o.on('--certname foo,bar', Array,
-               'One or more comma separated certnames') do |certs|
-            parsed['certnames'] += certs
-          end
-          o.on('--config PUPPET.CONF', 'Custom path to puppet.conf') do |conf|
-            parsed['config'] = conf
-          end
-          o.on('--help', 'Displays this revoke specific help output') do |help|
-            parsed['help'] = help
-          end
-        end
-      end
-      def initialize(logger)
-        @logger = logger
-      end
-      def parse(args)
-        results = {}
-        parser = self.class.parser(results)
-        errors = Utils.parse_with_errors(parser, args)
-        results['certnames'].each do |certname|
-          if CERTNAME_BLACKLIST.include?(certname)
-            errors << "    Cannot manage cert named `#{certname}` from " +
-                      "the CLI, if needed use the HTTP API directly"
-          end
-        end
-        if results['certnames'].empty?
-          errors << '  At least one certname is required to revoke'
-        end
-        errors_were_handled = Utils.handle_errors(@logger, errors, parser.help)
-        # if there is an exit_code then Cli will return it early, so we only
-        # return an exit_code if there's an error
-        exit_code = errors_were_handled ? 1 : nil
-        return results, exit_code
-      end
-      def run(args)
-        certnames = args['certnames']
-        config = args['config']
-        if config
-          errors = FileUtilities.validate_file_paths(config)
-          return 1 if Utils.handle_errors(@logger, errors)
-        end
-        puppet = PuppetConfig.parse(config)
-        return 1 if Utils.handle_errors(@logger, puppet.errors)
-        passed = revoke_certs(certnames, puppet.settings)
-        return passed ? 0 : 1
-      end
-      def revoke_certs(certnames, settings)
-        client = HttpClient.new(settings)
-        url = client.make_ca_url(settings[:ca_server],
-                                 settings[:ca_port],
-                                 'certificate_status')
-        # results will be a list of trues & falses based on the success
-        # of revocations
-        results = client.with_connection(url) do |connection|
-          certnames.map do |certname|
-            url.resource_name = certname
-            result = connection.put(REQUEST_BODY, url)
-            check_result(result, certname)
-          end
-        end
-        return results.all?
-      end
-      # logs the action and returns a boolean for success/failure
-      def check_result(result, certname)
-        case result.code
-        when '200', '204'
-          @logger.inform "Revoked certificate for #{certname}"
-          return true
-        when '404'
-          @logger.err 'Error:'
-          @logger.err "    Could not find certificate for #{certname}"
-          return false
-        else
-          @logger.err 'Error:'
-          @logger.err "    When revoking #{certname} received:"
-          @logger.err "      code: #{result.code}"
-          @logger.err "      body: #{result.body.to_s}" if result.body
-          return false
-        end
-      end
-    end
-  end
-end

data/lib/puppetserver/ca/sign_action.rb DELETED Viewed

@@ -1,190 +0,0 @@
-require 'puppetserver/ca/utils'
-require 'puppetserver/utils/http_client'
-require 'puppetserver/utils/file_utilities'
-require 'puppetserver/ca/puppet_config'
-require 'optparse'
-require 'openssl'
-require 'net/https'
-require 'json'
-module Puppetserver
-  module Ca
-    class SignAction
-      include Puppetserver::Utils
-      SUMMARY = 'Sign a given certificate'
-      BANNER = <<-BANNER
-Usage:
-  puppetserver ca sign [--help|--version]
-  puppetserver ca sign [--config] --certname CERTNAME[,CERTNAME]
-  puppetserver ca sign  --all
-Description:
-Given a comma-separated list of valid certnames, instructs the CA to sign each cert.
-Options:
-      BANNER
-      BODY = JSON.dump({desired_state: 'signed'})
-      def self.parser(parsed = {})
-        OptionParser.new do |opts|
-          opts.banner = BANNER
-          opts.on('--certname x,y,z', Array, 'the name(s) of the cert(s) to be signed') do |cert|
-            parsed['certname'] = cert
-          end
-          opts.on('--config PUPPET.CONF', 'Custom path to Puppet\'s config file') do |conf|
-            parsed['config'] = conf
-          end
-          opts.on('--help', 'Display this command specific help output') do |help|
-            parsed['help'] = true
-          end
-          opts.on('--version', 'Output the version') do |v|
-            parsed['version'] = true
-          end
-          opts.on('--all', 'Operate on all certnames') do |a|
-            parsed['all'] = true
-          end
-        end
-      end
-      def initialize(logger)
-        @logger = logger
-      end
-      def run(input)
-        config = input['config']
-        if config
-          errors = FileUtilities.validate_file_paths(config)
-          return 1 if Utils.handle_errors(@logger, errors)
-        end
-        puppet = PuppetConfig.parse(config)
-        return 1 if Utils.handle_errors(@logger, puppet.errors)
-        if input['all']
-          requested_certnames = get_all_pending_certs(puppet.settings)
-          if requested_certnames.nil?
-            return 1
-          end
-        else
-          requested_certnames = input['certname']
-        end
-        success = sign_requested_certs(requested_certnames, puppet.settings)
-        return success ? 0 : 1
-      end
-      def http_client(settings)
-        @client ||= HttpClient.new(settings)
-      end
-      def get_certificate_statuses(settings)
-        client = http_client(settings)
-        url = client.make_ca_url(settings[:ca_server],
-                                 settings[:ca_port],
-                                 'certificate_statuses',
-                                 'any_key')
-        client.with_connection(url) do |connection|
-          connection.get(url)
-        end
-      end
-      def sign_certs(certnames,settings)
-        results = {}
-        client = http_client(settings)
-        url = client.make_ca_url(settings[:ca_server],
-                                 settings[:ca_port],
-                                 'certificate_status')
-        client.with_connection(url) do |connection|
-          certnames.each do |certname|
-            url.resource_name = certname
-            results[certname] = connection.put(BODY, url)
-          end
-        end
-        return results
-      end
-      def get_all_certs(settings)
-        result = get_certificate_statuses(settings)
-        unless result.code == 200
-            @logger.err 'Error:'
-            @logger.err "    #{result.inspect}"
-            return nil
-        end
-        return result
-      end
-      def select_pending_certs(get_result)
-        requested_certnames = JSON.parse(get_result).select{|e| e["state"] == "requested"}.map{|e| e["name"]}
-        if requested_certnames.empty?
-          @logger.err 'Error:'
-          @logger.err "    No waiting certificate requests to sign"
-          return nil
-        end
-        return requested_certnames
-      end
-      def get_all_pending_certs(settings)
-        result = get_all_certs(settings)
-        if result
-          select_pending_certs(result.body)
-        end
-      end
-      def sign_requested_certs(certnames,settings)
-        success = true
-        results = sign_certs(certnames, settings)
-        results.each do |certname, result|
-          case result.code
-          when '204'
-            @logger.inform "Signed certificate for #{certname}"
-          when '404'
-            @logger.err 'Error:'
-            @logger.err "    Could not find certificate for #{certname}"
-            success = false
-          else
-            @logger.err 'Error:'
-            @logger.err "    When download requested for #{result.inspect}"
-            @logger.err "    code: #{result.code}"
-            @logger.err "    body: #{result.body.to_s}" if result.body
-            success = false
-          end
-        end
-        return success
-      end
-      def check_flag_usage(results)
-        if results['certname'] && results['all']
-          '--all and --certname cannot be used together'
-        elsif !results['certname'] && !results['all']
-          'No arguments given'
-        elsif results['certname'] && results['certname'].include?('--all')
-          'Cannot use --all with --certname. If you actually have a certificate request ' +
-                          'for a certifcate named --all, you need to use the HTTP API.'
-        end
-      end
-      def parse(args)
-        results = {}
-        parser = self.class.parser(results)
-        errors = Utils.parse_with_errors(parser, args)
-        if check_flag_usage(results)
-          errors << check_flag_usage(results)
-        end
-        errors_were_handled = Utils.handle_errors(@logger, errors, parser.help)
-        exit_code = errors_were_handled ? 1 : nil
-        return results, exit_code
-      end
-    end
-  end
-end

data/lib/puppetserver/ca/utils.rb DELETED Viewed

@@ -1,80 +0,0 @@
-module Puppetserver
-  module Ca
-    module Utils
-      def self.parse_without_raising(parser, args)
-        all, not_flags, malformed_flags, unknown_flags = [], [], [], []
-        begin
-          # OptionParser calls this block when it finds a value that doesn't
-          # start with one or two dashes and doesn't follow a flag that
-          # consumes a value.
-          parser.order!(args) do |not_flag|
-            not_flags << not_flag
-            all << not_flag
-          end
-        rescue OptionParser::MissingArgument => e
-          malformed_flags += e.args
-          all += e.args
-          retry
-        rescue OptionParser::ParseError => e
-          flag = e.args.first
-          unknown_flags << flag
-          all << flag
-          if does_not_contain_argument(flag) &&
-              args.first &&
-              next_arg_is_not_another_flag(args.first)
-            value = args.shift
-            unknown_flags << value
-            all << value
-          end
-          retry
-        end
-        return all, not_flags, malformed_flags, unknown_flags
-      end
-      def self.parse_with_errors(parser, args)
-        errors = []
-        _, non_flags, malformed_flags, unknown_flags = parse_without_raising(parser, args)
-        malformed_flags.each {|f| errors << "    Missing argument to flag `#{f}`" }
-        unknown_flags.each   {|f| errors << "    Unknown flag or argument `#{f}`" }
-        non_flags.each       {|f| errors << "    Unknown input `#{f}`" }
-        errors
-      end
-      def self.handle_errors(log, errors, usage = nil)
-        unless errors.empty?
-          log.err 'Error:'
-          errors.each {|e| log.err e }
-          if usage
-            log.err ''
-            log.err usage
-          end
-          return true
-        else
-          return false
-        end
-      end
-    private
-      # eg. --flag=argument-to-flag
-      def self.does_not_contain_argument(flag)
-        !flag.include?('=')
-      end
-      def self.next_arg_is_not_another_flag(maybe_an_arg)
-        !maybe_an_arg.start_with?('-')
-      end
-    end
-  end
-end