RubyGems - puppetserver-ca - Versions diffs - 0.3.1 → 0.4.0 - Mend

puppetserver-ca 0.3.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

checksums.yaml +4 -4
data/lib/puppetserver/ca/action/clean.rb +102 -0
data/lib/puppetserver/ca/action/create.rb +161 -0
data/lib/puppetserver/ca/action/generate.rb +313 -0
data/lib/puppetserver/ca/action/import.rb +132 -0
data/lib/puppetserver/ca/action/list.rb +132 -0
data/lib/puppetserver/ca/action/revoke.rb +101 -0
data/lib/puppetserver/ca/action/sign.rb +126 -0
data/lib/puppetserver/ca/certificate_authority.rb +224 -0
data/lib/puppetserver/ca/cli.rb +17 -16
data/lib/puppetserver/ca/config/puppet.rb +242 -0
data/lib/puppetserver/ca/config/puppetserver.rb +85 -0
data/lib/puppetserver/ca/utils/cli_parsing.rb +82 -0
data/lib/puppetserver/ca/utils/config.rb +13 -0
data/lib/puppetserver/ca/utils/file_system.rb +90 -0
data/lib/puppetserver/ca/utils/http_client.rb +129 -0
data/lib/puppetserver/ca/utils/signing_digest.rb +27 -0
data/lib/puppetserver/ca/version.rb +1 -1
metadata +17 -17
data/lib/puppetserver/ca/clean_action.rb +0 -157
data/lib/puppetserver/ca/config_utils.rb +0 -11
data/lib/puppetserver/ca/create_action.rb +0 -265
data/lib/puppetserver/ca/generate_action.rb +0 -227
data/lib/puppetserver/ca/import_action.rb +0 -153
data/lib/puppetserver/ca/list_action.rb +0 -153
data/lib/puppetserver/ca/puppet_config.rb +0 -197
data/lib/puppetserver/ca/puppetserver_config.rb +0 -83
data/lib/puppetserver/ca/revoke_action.rb +0 -136
data/lib/puppetserver/ca/sign_action.rb +0 -190
data/lib/puppetserver/ca/utils.rb +0 -80
data/lib/puppetserver/settings/ttl_setting.rb +0 -48
data/lib/puppetserver/utils/file_utilities.rb +0 -78
data/lib/puppetserver/utils/http_client.rb +0 -129
data/lib/puppetserver/utils/signing_digest.rb +0 -25

data/lib/puppetserver/ca/puppetserver_config.rb DELETED Viewed

@@ -1,83 +0,0 @@
-require 'hocon'
-require 'puppetserver/ca/config_utils'
-module Puppetserver
-  module Ca
-    # Provides an interface for querying Puppetserver settings w/o loading
-    # Puppetserver or any TK config service. Uses the ruby-hocon gem for parsing.
-    class PuppetserverConfig
-      include Puppetserver::Ca::ConfigUtils
-      def self.parse(config_path = nil)
-        instance = new(config_path)
-        instance.load
-        return instance
-      end
-      attr_reader :errors, :settings
-      def initialize(supplied_config_path = nil)
-        @using_default_location = !supplied_config_path
-        @config_path = supplied_config_path || "/etc/puppetlabs/puppetserver/conf.d/ca.conf"
-        @settings = nil
-        @errors = []
-      end
-      # Populate this config object with the CA-related settings
-      def load
-        if explicitly_given_config_file_or_default_config_exists?
-          begin
-            results = Hocon.load(@config_path)
-          rescue Hocon::ConfigError => e
-            errors << e.message
-          end
-        end
-        overrides = results || {}
-        @settings = supply_defaults(overrides).freeze
-      end
-      private
-      # Return the correct confdir. We check for being root on *nix,
-      # else the user path. We do not include a check for running
-      # as Adminstrator since non-development scenarios for Puppet Server
-      # on Windows are unsupported.
-      # Note that Puppet Server runs as the [pe-]puppet user but to
-      # start/stop it you must be root.
-      def user_specific_ca_dir
-        if running_as_root?
-          '/etc/puppetlabs/puppetserver/ca'
-        else
-          "#{ENV['HOME']}/.puppetlabs/etc/puppetserver/ca"
-        end
-      end
-      # Supply defaults for any CA settings not present in the config file
-      # @param [Hash] overrides setting names and values loaded from the config file,
-      #                         for overriding the defaults
-      # @return [Hash] CA-related settings
-      def supply_defaults(overrides = {})
-        ca_settings = overrides['certificate-authority'] || {}
-        settings = {}
-        cadir = settings[:cadir] = ca_settings.fetch('cadir', user_specific_ca_dir)
-        settings[:cacert] = ca_settings.fetch('cacert', "#{cadir}/ca_crt.pem")
-        settings[:cakey] = ca_settings.fetch('cakey', "#{cadir}/ca_key.pem")
-        settings[:cacrl] = ca_settings.fetch('cacrl', "#{cadir}/ca_crl.pem")
-        settings[:serial] = ca_settings.fetch('serial', "#{cadir}/serial")
-        settings[:cert_inventory] = ca_settings.fetch('cert-inventory', "#{cadir}/inventory.txt")
-        return settings
-      end
-      def explicitly_given_config_file_or_default_config_exists?
-        !@using_default_location || File.exist?(@config_path)
-      end
-    end
-  end
-end

data/lib/puppetserver/ca/revoke_action.rb DELETED Viewed

@@ -1,136 +0,0 @@
-require 'puppetserver/ca/utils'
-require 'puppetserver/utils/http_client'
-require 'puppetserver/utils/file_utilities'
-require 'puppetserver/ca/puppet_config'
-require 'optparse'
-require 'json'
-module Puppetserver
-  module Ca
-    class RevokeAction
-      include Puppetserver::Utils
-      REQUEST_BODY = JSON.dump({ desired_state: 'revoked' })
-      CERTNAME_BLACKLIST = %w{--all --config}
-      SUMMARY = 'Revoke a given certificate'
-      BANNER = <<-BANNER
-Usage:
-  puppetserver ca revoke [--help|--version]
-  puppetserver ca revoke [--config] --certname CERTNAME[,ADDLCERTNAME]
-Description:
-Given one or more valid certnames, instructs the CA to revoke them over
-HTTPS using the local agent's PKI
-Options:
-BANNER
-      def self.parser(parsed = {})
-        parsed['certnames'] = []
-        OptionParser.new do |o|
-          o.banner = BANNER
-          o.on('--certname foo,bar', Array,
-               'One or more comma separated certnames') do |certs|
-            parsed['certnames'] += certs
-          end
-          o.on('--config PUPPET.CONF', 'Custom path to puppet.conf') do |conf|
-            parsed['config'] = conf
-          end
-          o.on('--help', 'Displays this revoke specific help output') do |help|
-            parsed['help'] = help
-          end
-        end
-      end
-      def initialize(logger)
-        @logger = logger
-      end
-      def parse(args)
-        results = {}
-        parser = self.class.parser(results)
-        errors = Utils.parse_with_errors(parser, args)
-        results['certnames'].each do |certname|
-          if CERTNAME_BLACKLIST.include?(certname)
-            errors << "    Cannot manage cert named `#{certname}` from " +
-                      "the CLI, if needed use the HTTP API directly"
-          end
-        end
-        if results['certnames'].empty?
-          errors << '  At least one certname is required to revoke'
-        end
-        errors_were_handled = Utils.handle_errors(@logger, errors, parser.help)
-        # if there is an exit_code then Cli will return it early, so we only
-        # return an exit_code if there's an error
-        exit_code = errors_were_handled ? 1 : nil
-        return results, exit_code
-      end
-      def run(args)
-        certnames = args['certnames']
-        config = args['config']
-        if config
-          errors = FileUtilities.validate_file_paths(config)
-          return 1 if Utils.handle_errors(@logger, errors)
-        end
-        puppet = PuppetConfig.parse(config)
-        return 1 if Utils.handle_errors(@logger, puppet.errors)
-        passed = revoke_certs(certnames, puppet.settings)
-        return passed ? 0 : 1
-      end
-      def revoke_certs(certnames, settings)
-        client = HttpClient.new(settings)
-        url = client.make_ca_url(settings[:ca_server],
-                                 settings[:ca_port],
-                                 'certificate_status')
-        # results will be a list of trues & falses based on the success
-        # of revocations
-        results = client.with_connection(url) do |connection|
-          certnames.map do |certname|
-            url.resource_name = certname
-            result = connection.put(REQUEST_BODY, url)
-            check_result(result, certname)
-          end
-        end
-        return results.all?
-      end
-      # logs the action and returns a boolean for success/failure
-      def check_result(result, certname)
-        case result.code
-        when '200', '204'
-          @logger.inform "Revoked certificate for #{certname}"
-          return true
-        when '404'
-          @logger.err 'Error:'
-          @logger.err "    Could not find certificate for #{certname}"
-          return false
-        else
-          @logger.err 'Error:'
-          @logger.err "    When revoking #{certname} received:"
-          @logger.err "      code: #{result.code}"
-          @logger.err "      body: #{result.body.to_s}" if result.body
-          return false
-        end
-      end
-    end
-  end
-end

data/lib/puppetserver/ca/sign_action.rb DELETED Viewed

@@ -1,190 +0,0 @@
-require 'puppetserver/ca/utils'
-require 'puppetserver/utils/http_client'
-require 'puppetserver/utils/file_utilities'
-require 'puppetserver/ca/puppet_config'
-require 'optparse'
-require 'openssl'
-require 'net/https'
-require 'json'
-module Puppetserver
-  module Ca
-    class SignAction
-      include Puppetserver::Utils
-      SUMMARY = 'Sign a given certificate'
-      BANNER = <<-BANNER
-Usage:
-  puppetserver ca sign [--help|--version]
-  puppetserver ca sign [--config] --certname CERTNAME[,CERTNAME]
-  puppetserver ca sign  --all
-Description:
-Given a comma-separated list of valid certnames, instructs the CA to sign each cert.
-Options:
-      BANNER
-      BODY = JSON.dump({desired_state: 'signed'})
-      def self.parser(parsed = {})
-        OptionParser.new do |opts|
-          opts.banner = BANNER
-          opts.on('--certname x,y,z', Array, 'the name(s) of the cert(s) to be signed') do |cert|
-            parsed['certname'] = cert
-          end
-          opts.on('--config PUPPET.CONF', 'Custom path to Puppet\'s config file') do |conf|
-            parsed['config'] = conf
-          end
-          opts.on('--help', 'Display this command specific help output') do |help|
-            parsed['help'] = true
-          end
-          opts.on('--version', 'Output the version') do |v|
-            parsed['version'] = true
-          end
-          opts.on('--all', 'Operate on all certnames') do |a|
-            parsed['all'] = true
-          end
-        end
-      end
-      def initialize(logger)
-        @logger = logger
-      end
-      def run(input)
-        config = input['config']
-        if config
-          errors = FileUtilities.validate_file_paths(config)
-          return 1 if Utils.handle_errors(@logger, errors)
-        end
-        puppet = PuppetConfig.parse(config)
-        return 1 if Utils.handle_errors(@logger, puppet.errors)
-        if input['all']
-          requested_certnames = get_all_pending_certs(puppet.settings)
-          if requested_certnames.nil?
-            return 1
-          end
-        else
-          requested_certnames = input['certname']
-        end
-        success = sign_requested_certs(requested_certnames, puppet.settings)
-        return success ? 0 : 1
-      end
-      def http_client(settings)
-        @client ||= HttpClient.new(settings)
-      end
-      def get_certificate_statuses(settings)
-        client = http_client(settings)
-        url = client.make_ca_url(settings[:ca_server],
-                                 settings[:ca_port],
-                                 'certificate_statuses',
-                                 'any_key')
-        client.with_connection(url) do |connection|
-          connection.get(url)
-        end
-      end
-      def sign_certs(certnames,settings)
-        results = {}
-        client = http_client(settings)
-        url = client.make_ca_url(settings[:ca_server],
-                                 settings[:ca_port],
-                                 'certificate_status')
-        client.with_connection(url) do |connection|
-          certnames.each do |certname|
-            url.resource_name = certname
-            results[certname] = connection.put(BODY, url)
-          end
-        end
-        return results
-      end
-      def get_all_certs(settings)
-        result = get_certificate_statuses(settings)
-        unless result.code == 200
-            @logger.err 'Error:'
-            @logger.err "    #{result.inspect}"
-            return nil
-        end
-        return result
-      end
-      def select_pending_certs(get_result)
-        requested_certnames = JSON.parse(get_result).select{|e| e["state"] == "requested"}.map{|e| e["name"]}
-        if requested_certnames.empty?
-          @logger.err 'Error:'
-          @logger.err "    No waiting certificate requests to sign"
-          return nil
-        end
-        return requested_certnames
-      end
-      def get_all_pending_certs(settings)
-        result = get_all_certs(settings)
-        if result
-          select_pending_certs(result.body)
-        end
-      end
-      def sign_requested_certs(certnames,settings)
-        success = true
-        results = sign_certs(certnames, settings)
-        results.each do |certname, result|
-          case result.code
-          when '204'
-            @logger.inform "Signed certificate for #{certname}"
-          when '404'
-            @logger.err 'Error:'
-            @logger.err "    Could not find certificate for #{certname}"
-            success = false
-          else
-            @logger.err 'Error:'
-            @logger.err "    When download requested for #{result.inspect}"
-            @logger.err "    code: #{result.code}"
-            @logger.err "    body: #{result.body.to_s}" if result.body
-            success = false
-          end
-        end
-        return success
-      end
-      def check_flag_usage(results)
-        if results['certname'] && results['all']
-          '--all and --certname cannot be used together'
-        elsif !results['certname'] && !results['all']
-          'No arguments given'
-        elsif results['certname'] && results['certname'].include?('--all')
-          'Cannot use --all with --certname. If you actually have a certificate request ' +
-                          'for a certifcate named --all, you need to use the HTTP API.'
-        end
-      end
-      def parse(args)
-        results = {}
-        parser = self.class.parser(results)
-        errors = Utils.parse_with_errors(parser, args)
-        if check_flag_usage(results)
-          errors << check_flag_usage(results)
-        end
-        errors_were_handled = Utils.handle_errors(@logger, errors, parser.help)
-        exit_code = errors_were_handled ? 1 : nil
-        return results, exit_code
-      end
-    end
-  end
-end

data/lib/puppetserver/ca/utils.rb DELETED Viewed

@@ -1,80 +0,0 @@
-module Puppetserver
-  module Ca
-    module Utils
-      def self.parse_without_raising(parser, args)
-        all, not_flags, malformed_flags, unknown_flags = [], [], [], []
-        begin
-          # OptionParser calls this block when it finds a value that doesn't
-          # start with one or two dashes and doesn't follow a flag that
-          # consumes a value.
-          parser.order!(args) do |not_flag|
-            not_flags << not_flag
-            all << not_flag
-          end
-        rescue OptionParser::MissingArgument => e
-          malformed_flags += e.args
-          all += e.args
-          retry
-        rescue OptionParser::ParseError => e
-          flag = e.args.first
-          unknown_flags << flag
-          all << flag
-          if does_not_contain_argument(flag) &&
-              args.first &&
-              next_arg_is_not_another_flag(args.first)
-            value = args.shift
-            unknown_flags << value
-            all << value
-          end
-          retry
-        end
-        return all, not_flags, malformed_flags, unknown_flags
-      end
-      def self.parse_with_errors(parser, args)
-        errors = []
-        _, non_flags, malformed_flags, unknown_flags = parse_without_raising(parser, args)
-        malformed_flags.each {|f| errors << "    Missing argument to flag `#{f}`" }
-        unknown_flags.each   {|f| errors << "    Unknown flag or argument `#{f}`" }
-        non_flags.each       {|f| errors << "    Unknown input `#{f}`" }
-        errors
-      end
-      def self.handle_errors(log, errors, usage = nil)
-        unless errors.empty?
-          log.err 'Error:'
-          errors.each {|e| log.err e }
-          if usage
-            log.err ''
-            log.err usage
-          end
-          return true
-        else
-          return false
-        end
-      end
-    private
-      # eg. --flag=argument-to-flag
-      def self.does_not_contain_argument(flag)
-        !flag.include?('=')
-      end
-      def self.next_arg_is_not_another_flag(maybe_an_arg)
-        !maybe_an_arg.start_with?('-')
-      end
-    end
-  end
-end