puppetserver-ca 1.1.3 → 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/puppetserver/ca/action/clean.rb +13 -12
- data/lib/puppetserver/ca/action/generate.rb +34 -33
- data/lib/puppetserver/ca/action/import.rb +17 -15
- data/lib/puppetserver/ca/action/list.rb +11 -8
- data/lib/puppetserver/ca/action/revoke.rb +9 -9
- data/lib/puppetserver/ca/action/setup.rb +20 -18
- data/lib/puppetserver/ca/action/sign.rb +12 -10
- data/lib/puppetserver/ca/certificate_authority.rb +2 -2
- data/lib/puppetserver/ca/cli.rb +11 -2
- data/lib/puppetserver/ca/config/puppet.rb +25 -3
- data/lib/puppetserver/ca/config/puppetserver.rb +1 -0
- data/lib/puppetserver/ca/errors.rb +26 -0
- data/lib/puppetserver/ca/host.rb +1 -1
- data/lib/puppetserver/ca/local_certificate_authority.rb +2 -2
- data/lib/puppetserver/ca/utils/cli_parsing.rb +0 -15
- data/lib/puppetserver/ca/utils/file_system.rb +1 -1
- data/lib/puppetserver/ca/utils/http_client.rb +35 -9
- data/lib/puppetserver/ca/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 738624da584684a68fc407803548fb3d4b6855aa
|
|
4
|
+
data.tar.gz: cb3ff01a01b44468687668a39ca957d7496038a4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8ba3e5d5f070022ed1c2d88cc388b18de694782846a836490c3309cd7fe1fa85cfe60943ead8f422911920638ae84099d471b734bf39191e1ea8901d605aaa0d
|
|
7
|
+
data.tar.gz: e0ec48b8a594b342e47962addc05c0b08976aa06bc335a63c181dc1fd2dbab60cca1a5cd38ebd7b911c8713c2675ac6029fbd6fa9b9e2007939a42dc1841902a
|
|
@@ -1,10 +1,11 @@
|
|
|
1
|
-
require '
|
|
2
|
-
|
|
3
|
-
require 'puppetserver/ca/config/puppet'
|
|
1
|
+
require 'optparse'
|
|
2
|
+
|
|
4
3
|
require 'puppetserver/ca/action/revoke'
|
|
5
4
|
require 'puppetserver/ca/certificate_authority'
|
|
6
|
-
|
|
7
|
-
require '
|
|
5
|
+
require 'puppetserver/ca/config/puppet'
|
|
6
|
+
require 'puppetserver/ca/errors'
|
|
7
|
+
require 'puppetserver/ca/utils/cli_parsing'
|
|
8
|
+
require 'puppetserver/ca/utils/file_system'
|
|
8
9
|
|
|
9
10
|
module Puppetserver
|
|
10
11
|
module Ca
|
|
@@ -22,10 +23,10 @@ Usage:
|
|
|
22
23
|
puppetserver ca clean [--config] --certname NAME[,NAME]
|
|
23
24
|
|
|
24
25
|
Description:
|
|
25
|
-
Given one or more valid certnames, instructs the CA to revoke certificates
|
|
26
|
-
matching the given certnames if they exist, and then remove files pertaining
|
|
27
|
-
to them (keys, cert, and certificate request) over HTTPS using the local
|
|
28
|
-
agent's PKI
|
|
26
|
+
Given one or more valid certnames, instructs the CA to revoke certificates
|
|
27
|
+
matching the given certnames if they exist, and then remove files pertaining
|
|
28
|
+
to them (keys, cert, and certificate request) over HTTPS using the local
|
|
29
|
+
agent's PKI
|
|
29
30
|
|
|
30
31
|
Options:
|
|
31
32
|
BANNER
|
|
@@ -68,7 +69,7 @@ BANNER
|
|
|
68
69
|
errors << ' At least one certname is required to clean'
|
|
69
70
|
end
|
|
70
71
|
|
|
71
|
-
errors_were_handled =
|
|
72
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
|
72
73
|
|
|
73
74
|
exit_code = errors_were_handled ? 1 : nil
|
|
74
75
|
|
|
@@ -81,11 +82,11 @@ BANNER
|
|
|
81
82
|
|
|
82
83
|
if config
|
|
83
84
|
errors = FileSystem.validate_file_paths(config)
|
|
84
|
-
return 1 if
|
|
85
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
85
86
|
end
|
|
86
87
|
|
|
87
88
|
puppet = Config::Puppet.parse(config)
|
|
88
|
-
return 1 if
|
|
89
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
89
90
|
|
|
90
91
|
result = clean_certs(certnames, puppet.settings)
|
|
91
92
|
case result
|
|
@@ -1,12 +1,13 @@
|
|
|
1
|
-
require 'puppetserver/ca/utils/cli_parsing'
|
|
2
|
-
require 'puppetserver/ca/host'
|
|
3
1
|
require 'puppetserver/ca/certificate_authority'
|
|
4
|
-
require 'puppetserver/ca/local_certificate_authority'
|
|
5
|
-
require 'puppetserver/ca/x509_loader'
|
|
6
2
|
require 'puppetserver/ca/config/puppet'
|
|
3
|
+
require 'puppetserver/ca/errors'
|
|
4
|
+
require 'puppetserver/ca/host'
|
|
5
|
+
require 'puppetserver/ca/local_certificate_authority'
|
|
6
|
+
require 'puppetserver/ca/utils/cli_parsing'
|
|
7
|
+
require 'puppetserver/ca/utils/config'
|
|
7
8
|
require 'puppetserver/ca/utils/file_system'
|
|
8
9
|
require 'puppetserver/ca/utils/signing_digest'
|
|
9
|
-
require 'puppetserver/ca/
|
|
10
|
+
require 'puppetserver/ca/x509_loader'
|
|
10
11
|
|
|
11
12
|
module Puppetserver
|
|
12
13
|
module Ca
|
|
@@ -28,25 +29,25 @@ Usage:
|
|
|
28
29
|
[--ca-client]
|
|
29
30
|
|
|
30
31
|
Description:
|
|
31
|
-
Generates a new certificate signed by the intermediate CA
|
|
32
|
-
and stores generated keys and certs on disk.
|
|
33
|
-
|
|
34
|
-
If the `--ca-client` flag is passed, the cert will be generated
|
|
35
|
-
offline, without using Puppet Server's signing code, and will add
|
|
36
|
-
a special extension authorizing it to talk to the CA API. This can
|
|
37
|
-
be used for regenerating the master's host cert, or for manually
|
|
38
|
-
setting up other nodes to be CA clients. Do not distribute certs
|
|
39
|
-
generated this way to any node that you do not intend to have
|
|
40
|
-
administrative access to the CA (e.g. the ability to sign a cert).
|
|
41
|
-
|
|
42
|
-
Since the `--ca-client` causes a cert to be generated offline, it
|
|
43
|
-
should ONLY be used when Puppet Server is NOT running, to avoid
|
|
44
|
-
conflicting with the actions of the CA service. This will be
|
|
45
|
-
mandatory in a future release.
|
|
46
|
-
|
|
47
|
-
To determine the target location, the default puppet.conf
|
|
48
|
-
is consulted for custom values. If using a custom puppet.conf
|
|
49
|
-
provide it with the --config flag
|
|
32
|
+
Generates a new certificate signed by the intermediate CA
|
|
33
|
+
and stores generated keys and certs on disk.
|
|
34
|
+
|
|
35
|
+
If the `--ca-client` flag is passed, the cert will be generated
|
|
36
|
+
offline, without using Puppet Server's signing code, and will add
|
|
37
|
+
a special extension authorizing it to talk to the CA API. This can
|
|
38
|
+
be used for regenerating the master's host cert, or for manually
|
|
39
|
+
setting up other nodes to be CA clients. Do not distribute certs
|
|
40
|
+
generated this way to any node that you do not intend to have
|
|
41
|
+
administrative access to the CA (e.g. the ability to sign a cert).
|
|
42
|
+
|
|
43
|
+
Since the `--ca-client` causes a cert to be generated offline, it
|
|
44
|
+
should ONLY be used when Puppet Server is NOT running, to avoid
|
|
45
|
+
conflicting with the actions of the CA service. This will be
|
|
46
|
+
mandatory in a future release.
|
|
47
|
+
|
|
48
|
+
To determine the target location, the default puppet.conf
|
|
49
|
+
is consulted for custom values. If using a custom puppet.conf
|
|
50
|
+
provide it with the --config flag
|
|
50
51
|
|
|
51
52
|
Options:
|
|
52
53
|
BANNER
|
|
@@ -106,7 +107,7 @@ BANNER
|
|
|
106
107
|
end
|
|
107
108
|
end
|
|
108
109
|
|
|
109
|
-
errors_were_handled =
|
|
110
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
|
110
111
|
|
|
111
112
|
exit_code = errors_were_handled ? 1 : nil
|
|
112
113
|
|
|
@@ -120,14 +121,14 @@ BANNER
|
|
|
120
121
|
# Validate config_path provided
|
|
121
122
|
if config_path
|
|
122
123
|
errors = FileSystem.validate_file_paths(config_path)
|
|
123
|
-
return 1 if
|
|
124
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
124
125
|
end
|
|
125
126
|
|
|
126
127
|
# Load, resolve, and validate puppet config settings
|
|
127
128
|
settings_overrides = {}
|
|
128
129
|
puppet = Config::Puppet.new(config_path)
|
|
129
130
|
puppet.load(settings_overrides)
|
|
130
|
-
return 1 if
|
|
131
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
131
132
|
|
|
132
133
|
# We don't want generate to respect the alt names setting, since it is usually
|
|
133
134
|
# used to generate certs for other nodes
|
|
@@ -135,7 +136,7 @@ BANNER
|
|
|
135
136
|
|
|
136
137
|
# Load most secure signing digest we can for csr signing.
|
|
137
138
|
signer = SigningDigest.new
|
|
138
|
-
return 1 if
|
|
139
|
+
return 1 if Errors.handle_with_usage(@logger, signer.errors)
|
|
139
140
|
|
|
140
141
|
# Generate and save certs and associated keys
|
|
141
142
|
if input['ca-client']
|
|
@@ -152,7 +153,7 @@ BANNER
|
|
|
152
153
|
# Returns true if it receives back a response of "running", and false if
|
|
153
154
|
# no connection can be made, or a different response is received.
|
|
154
155
|
def check_server_online(settings)
|
|
155
|
-
status_url = HttpClient::URL.new('https', settings[:
|
|
156
|
+
status_url = HttpClient::URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
|
|
156
157
|
begin
|
|
157
158
|
# Generating certs offline is necessary if the master cert has been destroyed
|
|
158
159
|
# or compromised. Since querying the status endpoint does not require a client cert, and
|
|
@@ -183,11 +184,11 @@ BANNER
|
|
|
183
184
|
settings[:publickeydir]])
|
|
184
185
|
|
|
185
186
|
ca = Puppetserver::Ca::LocalCertificateAuthority.new(digest, settings)
|
|
186
|
-
return false if
|
|
187
|
+
return false if Errors.handle_with_usage(@logger, ca.errors)
|
|
187
188
|
|
|
188
189
|
passed = certnames.map do |certname|
|
|
189
190
|
errors = check_for_existing_ssl_files(certname, settings)
|
|
190
|
-
next false if
|
|
191
|
+
next false if Errors.handle_with_usage(@logger, errors)
|
|
191
192
|
|
|
192
193
|
current_alt_names = process_alt_names(alt_names, certname)
|
|
193
194
|
|
|
@@ -221,7 +222,7 @@ BANNER
|
|
|
221
222
|
|
|
222
223
|
passed = certnames.map do |certname|
|
|
223
224
|
errors = check_for_existing_ssl_files(certname, settings)
|
|
224
|
-
next false if
|
|
225
|
+
next false if Errors.handle_with_usage(@logger, errors)
|
|
225
226
|
|
|
226
227
|
current_alt_names = process_alt_names(alt_names, certname)
|
|
227
228
|
|
|
@@ -273,7 +274,7 @@ BANNER
|
|
|
273
274
|
key: private_key,
|
|
274
275
|
cli_extensions: extensions,
|
|
275
276
|
csr_attributes_path: settings[:csr_attributes])
|
|
276
|
-
return if
|
|
277
|
+
return if Errors.handle_with_usage(@logger, host.errors)
|
|
277
278
|
|
|
278
279
|
return private_key, csr
|
|
279
280
|
end
|
|
@@ -1,10 +1,12 @@
|
|
|
1
1
|
require 'optparse'
|
|
2
|
-
|
|
3
|
-
require 'puppetserver/ca/x509_loader'
|
|
2
|
+
|
|
4
3
|
require 'puppetserver/ca/config/puppet'
|
|
4
|
+
require 'puppetserver/ca/errors'
|
|
5
5
|
require 'puppetserver/ca/local_certificate_authority'
|
|
6
6
|
require 'puppetserver/ca/utils/cli_parsing'
|
|
7
|
+
require 'puppetserver/ca/utils/file_system'
|
|
7
8
|
require 'puppetserver/ca/utils/signing_digest'
|
|
9
|
+
require 'puppetserver/ca/x509_loader'
|
|
8
10
|
|
|
9
11
|
module Puppetserver
|
|
10
12
|
module Ca
|
|
@@ -21,15 +23,15 @@ Usage:
|
|
|
21
23
|
--private-key PATH --cert-bundle PATH --crl-chain PATH
|
|
22
24
|
|
|
23
25
|
Description:
|
|
24
|
-
Given a private key, cert bundle, and a crl chain,
|
|
25
|
-
validate and import to the Puppet Server CA.
|
|
26
|
+
Given a private key, cert bundle, and a crl chain,
|
|
27
|
+
validate and import to the Puppet Server CA.
|
|
26
28
|
|
|
27
|
-
Note that the cert and crl provided for the leaf CA must not
|
|
28
|
-
have already issued or revoked any certificates.
|
|
29
|
+
Note that the cert and crl provided for the leaf CA must not
|
|
30
|
+
have already issued or revoked any certificates.
|
|
29
31
|
|
|
30
|
-
To determine the target location the default puppet.conf
|
|
31
|
-
is consulted for custom values. If using a custom puppet.conf
|
|
32
|
-
provide it with the --config flag
|
|
32
|
+
To determine the target location the default puppet.conf
|
|
33
|
+
is consulted for custom values. If using a custom puppet.conf
|
|
34
|
+
provide it with the --config flag
|
|
33
35
|
|
|
34
36
|
Options:
|
|
35
37
|
BANNER
|
|
@@ -47,10 +49,10 @@ BANNER
|
|
|
47
49
|
files = [bundle_path, key_path, chain_path, config_path].compact
|
|
48
50
|
|
|
49
51
|
errors = FileSystem.validate_file_paths(files)
|
|
50
|
-
return 1 if
|
|
52
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
51
53
|
|
|
52
54
|
loader = X509Loader.new(bundle_path, key_path, chain_path)
|
|
53
|
-
return 1 if
|
|
55
|
+
return 1 if Errors.handle_with_usage(@logger, loader.errors)
|
|
54
56
|
|
|
55
57
|
settings_overrides = {}
|
|
56
58
|
settings_overrides[:certname] = input['certname'] unless input['certname'].empty?
|
|
@@ -58,14 +60,14 @@ BANNER
|
|
|
58
60
|
|
|
59
61
|
puppet = Config::Puppet.new(config_path)
|
|
60
62
|
puppet.load(settings_overrides)
|
|
61
|
-
return 1 if
|
|
63
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
62
64
|
|
|
63
65
|
# Load most secure signing digest we can for cers/crl/csr signing.
|
|
64
66
|
signer = SigningDigest.new
|
|
65
|
-
return 1 if
|
|
67
|
+
return 1 if Errors.handle_with_usage(@logger, signer.errors)
|
|
66
68
|
|
|
67
69
|
errors = import(loader, puppet.settings, signer.digest)
|
|
68
|
-
return 1 if
|
|
70
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
69
71
|
|
|
70
72
|
@logger.inform "Import succeeded. Find your files in #{puppet.settings[:cadir]}"
|
|
71
73
|
return 0
|
|
@@ -152,7 +154,7 @@ ERR
|
|
|
152
154
|
errors << err
|
|
153
155
|
end
|
|
154
156
|
|
|
155
|
-
errors_were_handled =
|
|
157
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
|
156
158
|
|
|
157
159
|
exit_code = errors_were_handled ? 1 : nil
|
|
158
160
|
|
|
@@ -1,9 +1,11 @@
|
|
|
1
|
-
require '
|
|
2
|
-
require '
|
|
1
|
+
require 'json'
|
|
2
|
+
require 'optparse'
|
|
3
|
+
|
|
4
|
+
require 'puppetserver/ca/errors'
|
|
3
5
|
require 'puppetserver/ca/certificate_authority'
|
|
4
6
|
require 'puppetserver/ca/config/puppet'
|
|
5
|
-
require '
|
|
6
|
-
require '
|
|
7
|
+
require 'puppetserver/ca/utils/cli_parsing'
|
|
8
|
+
require 'puppetserver/ca/utils/file_system'
|
|
7
9
|
|
|
8
10
|
module Puppetserver
|
|
9
11
|
module Ca
|
|
@@ -20,7 +22,8 @@ Usage:
|
|
|
20
22
|
puppetserver ca list [--all]
|
|
21
23
|
|
|
22
24
|
Description:
|
|
23
|
-
List outstanding certificate requests. If --all is specified, signed and
|
|
25
|
+
List outstanding certificate requests. If --all is specified, signed and
|
|
26
|
+
revoked certificates will be listed as well.
|
|
24
27
|
|
|
25
28
|
Options:
|
|
26
29
|
BANNER
|
|
@@ -51,11 +54,11 @@ Options:
|
|
|
51
54
|
|
|
52
55
|
if config
|
|
53
56
|
errors = FileSystem.validate_file_paths(config)
|
|
54
|
-
return 1 if
|
|
57
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
55
58
|
end
|
|
56
59
|
|
|
57
60
|
puppet = Config::Puppet.parse(config)
|
|
58
|
-
return 1 if
|
|
61
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
59
62
|
|
|
60
63
|
all_certs = get_all_certs(puppet.settings)
|
|
61
64
|
return 1 if all_certs.nil?
|
|
@@ -124,7 +127,7 @@ Options:
|
|
|
124
127
|
|
|
125
128
|
errors = CliParsing.parse_with_errors(parser, args)
|
|
126
129
|
|
|
127
|
-
errors_were_handled =
|
|
130
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
|
128
131
|
|
|
129
132
|
exit_code = errors_were_handled ? 1 : nil
|
|
130
133
|
|
|
@@ -1,9 +1,9 @@
|
|
|
1
|
+
require 'optparse'
|
|
2
|
+
|
|
3
|
+
require 'puppetserver/ca/certificate_authority'
|
|
4
|
+
require 'puppetserver/ca/config/puppet'
|
|
1
5
|
require 'puppetserver/ca/utils/cli_parsing'
|
|
2
6
|
require 'puppetserver/ca/utils/file_system'
|
|
3
|
-
require 'puppetserver/ca/config/puppet'
|
|
4
|
-
require 'puppetserver/ca/certificate_authority'
|
|
5
|
-
|
|
6
|
-
require 'optparse'
|
|
7
7
|
|
|
8
8
|
module Puppetserver
|
|
9
9
|
module Ca
|
|
@@ -21,8 +21,8 @@ Usage:
|
|
|
21
21
|
puppetserver ca revoke [--config] --certname NAME[,NAME]
|
|
22
22
|
|
|
23
23
|
Description:
|
|
24
|
-
Given one or more valid certnames, instructs the CA to revoke them over
|
|
25
|
-
HTTPS using the local agent's PKI
|
|
24
|
+
Given one or more valid certnames, instructs the CA to revoke them over
|
|
25
|
+
HTTPS using the local agent's PKI
|
|
26
26
|
|
|
27
27
|
Options:
|
|
28
28
|
BANNER
|
|
@@ -65,7 +65,7 @@ BANNER
|
|
|
65
65
|
errors << ' At least one certname is required to revoke'
|
|
66
66
|
end
|
|
67
67
|
|
|
68
|
-
errors_were_handled =
|
|
68
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
|
69
69
|
|
|
70
70
|
# if there is an exit_code then Cli will return it early, so we only
|
|
71
71
|
# return an exit_code if there's an error
|
|
@@ -80,11 +80,11 @@ BANNER
|
|
|
80
80
|
|
|
81
81
|
if config
|
|
82
82
|
errors = FileSystem.validate_file_paths(config)
|
|
83
|
-
return 1 if
|
|
83
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
84
84
|
end
|
|
85
85
|
|
|
86
86
|
puppet = Config::Puppet.parse(config)
|
|
87
|
-
return 1 if
|
|
87
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
88
88
|
|
|
89
89
|
result = revoke_certs(certnames, puppet.settings)
|
|
90
90
|
|
|
@@ -1,9 +1,11 @@
|
|
|
1
1
|
require 'optparse'
|
|
2
|
-
|
|
2
|
+
|
|
3
|
+
require 'puppetserver/ca/config/puppet'
|
|
4
|
+
require 'puppetserver/ca/errors'
|
|
3
5
|
require 'puppetserver/ca/local_certificate_authority'
|
|
4
6
|
require 'puppetserver/ca/utils/cli_parsing'
|
|
7
|
+
require 'puppetserver/ca/utils/file_system'
|
|
5
8
|
require 'puppetserver/ca/utils/signing_digest'
|
|
6
|
-
require 'puppetserver/ca/config/puppet'
|
|
7
9
|
|
|
8
10
|
module Puppetserver
|
|
9
11
|
module Ca
|
|
@@ -19,19 +21,19 @@ Usage:
|
|
|
19
21
|
[--certname NAME] [--ca-name NAME]
|
|
20
22
|
|
|
21
23
|
Description:
|
|
22
|
-
Setup a root and intermediate signing CA for Puppet Server
|
|
23
|
-
and store generated CA keys, certs, crls, and associated
|
|
24
|
-
master related files on disk.
|
|
24
|
+
Setup a root and intermediate signing CA for Puppet Server
|
|
25
|
+
and store generated CA keys, certs, crls, and associated
|
|
26
|
+
master related files on disk.
|
|
25
27
|
|
|
26
|
-
The `--subject-alt-names` flag can be used to add SANs to the
|
|
27
|
-
certificate generated for the Puppet master. Multiple names can be
|
|
28
|
-
listed as a comma separated string. These can be either DNS names or
|
|
29
|
-
IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
|
|
30
|
-
Names with no prefix will be treated as DNS names.
|
|
28
|
+
The `--subject-alt-names` flag can be used to add SANs to the
|
|
29
|
+
certificate generated for the Puppet master. Multiple names can be
|
|
30
|
+
listed as a comma separated string. These can be either DNS names or
|
|
31
|
+
IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
|
|
32
|
+
Names with no prefix will be treated as DNS names.
|
|
31
33
|
|
|
32
|
-
To determine the target location, the default puppet.conf
|
|
33
|
-
is consulted for custom values. If using a custom puppet.conf
|
|
34
|
-
provide it with the --config flag
|
|
34
|
+
To determine the target location, the default puppet.conf
|
|
35
|
+
is consulted for custom values. If using a custom puppet.conf
|
|
36
|
+
provide it with the --config flag
|
|
35
37
|
|
|
36
38
|
Options:
|
|
37
39
|
BANNER
|
|
@@ -45,7 +47,7 @@ BANNER
|
|
|
45
47
|
config_path = input['config']
|
|
46
48
|
if config_path
|
|
47
49
|
errors = FileSystem.validate_file_paths(config_path)
|
|
48
|
-
return 1 if
|
|
50
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
49
51
|
end
|
|
50
52
|
|
|
51
53
|
# Load, resolve, and validate puppet config settings
|
|
@@ -58,16 +60,16 @@ BANNER
|
|
|
58
60
|
|
|
59
61
|
puppet = Config::Puppet.new(config_path)
|
|
60
62
|
puppet.load(settings_overrides)
|
|
61
|
-
return 1 if
|
|
63
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
62
64
|
|
|
63
65
|
# Load most secure signing digest we can for cers/crl/csr signing.
|
|
64
66
|
signer = SigningDigest.new
|
|
65
|
-
return 1 if
|
|
67
|
+
return 1 if Errors.handle_with_usage(@logger, signer.errors)
|
|
66
68
|
|
|
67
69
|
# Generate root and intermediate ca and put all the certificates, crls,
|
|
68
70
|
# and keys where they should go.
|
|
69
71
|
errors = generate_pki(puppet.settings, signer.digest)
|
|
70
|
-
return 1 if
|
|
72
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
71
73
|
|
|
72
74
|
@logger.inform "Generation succeeded. Find your files in #{puppet.settings[:cadir]}"
|
|
73
75
|
return 0
|
|
@@ -144,7 +146,7 @@ ERR
|
|
|
144
146
|
results = {}
|
|
145
147
|
parser = self.class.parser(results)
|
|
146
148
|
errors = CliParsing.parse_with_errors(parser, cli_args)
|
|
147
|
-
errors_were_handled =
|
|
149
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
|
148
150
|
exit_code = errors_were_handled ? 1 : nil
|
|
149
151
|
return results, exit_code
|
|
150
152
|
end
|
|
@@ -1,11 +1,12 @@
|
|
|
1
|
+
require 'net/https'
|
|
2
|
+
require 'openssl'
|
|
3
|
+
require 'optparse'
|
|
4
|
+
|
|
5
|
+
require 'puppetserver/ca/certificate_authority'
|
|
6
|
+
require 'puppetserver/ca/config/puppet'
|
|
7
|
+
require 'puppetserver/ca/errors'
|
|
1
8
|
require 'puppetserver/ca/utils/cli_parsing'
|
|
2
9
|
require 'puppetserver/ca/utils/file_system'
|
|
3
|
-
require 'puppetserver/ca/config/puppet'
|
|
4
|
-
require 'puppetserver/ca/certificate_authority'
|
|
5
|
-
|
|
6
|
-
require 'optparse'
|
|
7
|
-
require 'openssl'
|
|
8
|
-
require 'net/https'
|
|
9
10
|
|
|
10
11
|
module Puppetserver
|
|
11
12
|
module Ca
|
|
@@ -22,7 +23,8 @@ Usage:
|
|
|
22
23
|
puppetserver ca sign --all
|
|
23
24
|
|
|
24
25
|
Description:
|
|
25
|
-
Given a comma-separated list of valid certnames, instructs the CA to sign
|
|
26
|
+
Given a comma-separated list of valid certnames, instructs the CA to sign
|
|
27
|
+
each cert.
|
|
26
28
|
|
|
27
29
|
Options:
|
|
28
30
|
BANNER
|
|
@@ -54,11 +56,11 @@ Options:
|
|
|
54
56
|
|
|
55
57
|
if config
|
|
56
58
|
errors = FileSystem.validate_file_paths(config)
|
|
57
|
-
return 1 if
|
|
59
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
58
60
|
end
|
|
59
61
|
|
|
60
62
|
puppet = Config::Puppet.parse(config)
|
|
61
|
-
return 1 if
|
|
63
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
62
64
|
|
|
63
65
|
ca = Puppetserver::Ca::CertificateAuthority.new(@logger, puppet.settings)
|
|
64
66
|
|
|
@@ -113,7 +115,7 @@ Options:
|
|
|
113
115
|
errors << err
|
|
114
116
|
end
|
|
115
117
|
|
|
116
|
-
errors_were_handled =
|
|
118
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
|
117
119
|
|
|
118
120
|
exit_code = errors_were_handled ? 1 : nil
|
|
119
121
|
|
data/lib/puppetserver/ca/cli.rb
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
require 'optparse'
|
|
2
|
+
|
|
2
3
|
require 'puppetserver/ca/action/clean'
|
|
3
4
|
require 'puppetserver/ca/action/generate'
|
|
4
5
|
require 'puppetserver/ca/action/import'
|
|
@@ -6,9 +7,10 @@ require 'puppetserver/ca/action/list'
|
|
|
6
7
|
require 'puppetserver/ca/action/revoke'
|
|
7
8
|
require 'puppetserver/ca/action/setup'
|
|
8
9
|
require 'puppetserver/ca/action/sign'
|
|
10
|
+
require 'puppetserver/ca/errors'
|
|
9
11
|
require 'puppetserver/ca/logger'
|
|
10
|
-
require 'puppetserver/ca/version'
|
|
11
12
|
require 'puppetserver/ca/utils/cli_parsing'
|
|
13
|
+
require 'puppetserver/ca/version'
|
|
12
14
|
|
|
13
15
|
|
|
14
16
|
module Puppetserver
|
|
@@ -86,7 +88,14 @@ BANNER
|
|
|
86
88
|
if exit_code
|
|
87
89
|
return exit_code
|
|
88
90
|
else
|
|
89
|
-
|
|
91
|
+
begin
|
|
92
|
+
return action.run(input)
|
|
93
|
+
rescue Puppetserver::Ca::Error => e
|
|
94
|
+
logger.err "Fatal error when running action '#{action_argument}'"
|
|
95
|
+
logger.err " Error: " + e.message
|
|
96
|
+
|
|
97
|
+
return 1
|
|
98
|
+
end
|
|
90
99
|
end
|
|
91
100
|
else
|
|
92
101
|
logger.warn "Unknown action: #{action_argument}"
|
|
@@ -1,6 +1,7 @@
|
|
|
1
|
-
require 'puppetserver/ca/utils/config'
|
|
2
|
-
require 'securerandom'
|
|
3
1
|
require 'facter'
|
|
2
|
+
require 'securerandom'
|
|
3
|
+
|
|
4
|
+
require 'puppetserver/ca/utils/config'
|
|
4
5
|
|
|
5
6
|
module Puppetserver
|
|
6
7
|
module Ca
|
|
@@ -66,8 +67,9 @@ module Puppetserver
|
|
|
66
67
|
results ||= {}
|
|
67
68
|
results[:main] ||= {}
|
|
68
69
|
results[:master] ||= {}
|
|
70
|
+
results[:agent] ||= {}
|
|
69
71
|
|
|
70
|
-
overrides = results[:main].merge(results[:master])
|
|
72
|
+
overrides = results[:agent].merge(results[:main]).merge(results[:master])
|
|
71
73
|
overrides.merge!(cli_overrides)
|
|
72
74
|
|
|
73
75
|
@settings = resolve_settings(overrides).freeze
|
|
@@ -132,6 +134,7 @@ module Puppetserver
|
|
|
132
134
|
:ca_ttl => '15y',
|
|
133
135
|
:certificate_revocation => 'true',
|
|
134
136
|
:signeddir => '$cadir/signed',
|
|
137
|
+
:server_list => '',
|
|
135
138
|
}
|
|
136
139
|
|
|
137
140
|
# This loops through the base defaults and gives each setting a
|
|
@@ -161,6 +164,11 @@ module Puppetserver
|
|
|
161
164
|
settings[:certificate_revocation] = parse_crl_usage(settings[:certificate_revocation])
|
|
162
165
|
settings[:subject_alt_names] = Puppetserver::Ca::Utils::Config.munge_alt_names(settings[:subject_alt_names])
|
|
163
166
|
settings[:keylength] = settings[:keylength].to_i
|
|
167
|
+
settings[:server_list] = settings[:server_list].
|
|
168
|
+
split(/\s*,\s*/).
|
|
169
|
+
map {|entry| entry.split(":") }
|
|
170
|
+
|
|
171
|
+
update_for_server_list!(settings)
|
|
164
172
|
|
|
165
173
|
settings.each do |key, value|
|
|
166
174
|
next unless value.is_a? String
|
|
@@ -239,6 +247,20 @@ module Puppetserver
|
|
|
239
247
|
:ignore
|
|
240
248
|
end
|
|
241
249
|
end
|
|
250
|
+
|
|
251
|
+
def update_for_server_list!(settings)
|
|
252
|
+
if settings.dig(:server_list, 0, 0) &&
|
|
253
|
+
settings[:ca_server] == '$server'
|
|
254
|
+
|
|
255
|
+
settings[:ca_server] = settings.dig(:server_list, 0, 0)
|
|
256
|
+
end
|
|
257
|
+
|
|
258
|
+
if settings.dig(:server_list, 0, 1) &&
|
|
259
|
+
settings[:ca_port] == '$masterport'
|
|
260
|
+
|
|
261
|
+
settings[:ca_port] = settings.dig(:server_list, 0, 1)
|
|
262
|
+
end
|
|
263
|
+
end
|
|
242
264
|
end
|
|
243
265
|
end
|
|
244
266
|
end
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
module Puppetserver
|
|
2
|
+
module Ca
|
|
3
|
+
class Error < StandardError; end
|
|
4
|
+
class FileNotFound < Error; end
|
|
5
|
+
class InvalidX509Object < Error; end
|
|
6
|
+
class ConnectionFailed < Error; end
|
|
7
|
+
|
|
8
|
+
module Errors
|
|
9
|
+
def self.handle_with_usage(log, errors, usage = nil)
|
|
10
|
+
unless errors.empty?
|
|
11
|
+
log.err 'Error:'
|
|
12
|
+
errors.each {|e| log.err e }
|
|
13
|
+
|
|
14
|
+
if usage
|
|
15
|
+
log.err ''
|
|
16
|
+
log.err usage
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
return true
|
|
20
|
+
else
|
|
21
|
+
return false
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
end
|
|
26
|
+
end
|
data/lib/puppetserver/ca/host.rb
CHANGED
|
@@ -50,21 +50,6 @@ module Puppetserver
|
|
|
50
50
|
errors
|
|
51
51
|
end
|
|
52
52
|
|
|
53
|
-
def self.handle_errors(log, errors, usage = nil)
|
|
54
|
-
unless errors.empty?
|
|
55
|
-
log.err 'Error:'
|
|
56
|
-
errors.each {|e| log.err e }
|
|
57
|
-
|
|
58
|
-
if usage
|
|
59
|
-
log.err ''
|
|
60
|
-
log.err usage
|
|
61
|
-
end
|
|
62
|
-
|
|
63
|
-
return true
|
|
64
|
-
else
|
|
65
|
-
return false
|
|
66
|
-
end
|
|
67
|
-
end
|
|
68
53
|
|
|
69
54
|
private
|
|
70
55
|
|
|
@@ -1,5 +1,7 @@
|
|
|
1
|
-
require 'openssl'
|
|
2
1
|
require 'net/https'
|
|
2
|
+
require 'openssl'
|
|
3
|
+
|
|
4
|
+
require 'puppetserver/ca/errors'
|
|
3
5
|
|
|
4
6
|
module Puppetserver
|
|
5
7
|
module Ca
|
|
@@ -31,12 +33,16 @@ module Puppetserver
|
|
|
31
33
|
end
|
|
32
34
|
end
|
|
33
35
|
|
|
34
|
-
def load_cert(
|
|
35
|
-
|
|
36
|
+
def load_cert(path)
|
|
37
|
+
load_with_errors(path, 'hostcert') do |content|
|
|
38
|
+
OpenSSL::X509::Certificate.new(content)
|
|
39
|
+
end
|
|
36
40
|
end
|
|
37
41
|
|
|
38
|
-
def load_key(
|
|
39
|
-
|
|
42
|
+
def load_key(path)
|
|
43
|
+
load_with_errors(path, 'hostprivkey') do |content|
|
|
44
|
+
OpenSSL::PKey.read(content)
|
|
45
|
+
end
|
|
40
46
|
end
|
|
41
47
|
|
|
42
48
|
# Takes an instance URL (defined lower in the file), and creates a
|
|
@@ -46,13 +52,33 @@ module Puppetserver
|
|
|
46
52
|
def with_connection(url, &block)
|
|
47
53
|
request = ->(conn) { block.call(Connection.new(conn, url)) }
|
|
48
54
|
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
55
|
+
begin
|
|
56
|
+
Net::HTTP.start(url.host, url.port,
|
|
57
|
+
use_ssl: true, cert_store: @store,
|
|
58
|
+
cert: @cert, key: @key,
|
|
59
|
+
&request)
|
|
60
|
+
rescue StandardError => e
|
|
61
|
+
raise ConnectionFailed.new(
|
|
62
|
+
"Failed connecting to #{url.full_url}\n" +
|
|
63
|
+
" Root cause: #{e.message}")
|
|
64
|
+
end
|
|
53
65
|
end
|
|
54
66
|
|
|
55
67
|
private
|
|
68
|
+
|
|
69
|
+
def load_with_errors(path, setting, &block)
|
|
70
|
+
begin
|
|
71
|
+
content = File.read(path)
|
|
72
|
+
block.call(content)
|
|
73
|
+
rescue Errno::ENOENT
|
|
74
|
+
raise FileNotFound.new("Could not find '#{setting}' at '#{path}'")
|
|
75
|
+
rescue OpenSSL::OpenSSLError => e
|
|
76
|
+
raise InvalidX509Object.new(
|
|
77
|
+
"Could not parse '#{setting}' at '#{path}'.\n" +
|
|
78
|
+
" OpenSSL returned: #{e.message}")
|
|
79
|
+
end
|
|
80
|
+
end
|
|
81
|
+
|
|
56
82
|
# Helper class that wraps a Net::HTTP connection, a HttpClient::URL
|
|
57
83
|
# and defines methods named after HTTP verbs that are called on the
|
|
58
84
|
# saved connection, returning a Result.
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: puppetserver-ca
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Puppet, Inc.
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-11
|
|
11
|
+
date: 2018-12-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: facter
|
|
@@ -103,6 +103,7 @@ files:
|
|
|
103
103
|
- lib/puppetserver/ca/cli.rb
|
|
104
104
|
- lib/puppetserver/ca/config/puppet.rb
|
|
105
105
|
- lib/puppetserver/ca/config/puppetserver.rb
|
|
106
|
+
- lib/puppetserver/ca/errors.rb
|
|
106
107
|
- lib/puppetserver/ca/host.rb
|
|
107
108
|
- lib/puppetserver/ca/local_certificate_authority.rb
|
|
108
109
|
- lib/puppetserver/ca/logger.rb
|