puppetserver-ca 1.1.3 → 1.2.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 0a642b5be01fd4809412f6c70928f1764a8ed294
4
- data.tar.gz: edb6b327dc31c877cc69fce0cd9382e73082409d
3
+ metadata.gz: 738624da584684a68fc407803548fb3d4b6855aa
4
+ data.tar.gz: cb3ff01a01b44468687668a39ca957d7496038a4
5
5
  SHA512:
6
- metadata.gz: 6a05b9d88d88098766164e3fc834343461de20d81858a65523e8ad53f179c7f56a4d5b5a43ecdae63e59d1d8ba959ff9ea007e58f4ca1d559d758b2786f4db21
7
- data.tar.gz: 803bacaad5099f629adeb64cdb86ea711e4a14235714836f9fccd6746fae9d84e66252d51d907d4e15378a5dc6271772b1bc7289e0ce3c996ad9d061cfe9f9cc
6
+ metadata.gz: 8ba3e5d5f070022ed1c2d88cc388b18de694782846a836490c3309cd7fe1fa85cfe60943ead8f422911920638ae84099d471b734bf39191e1ea8901d605aaa0d
7
+ data.tar.gz: e0ec48b8a594b342e47962addc05c0b08976aa06bc335a63c181dc1fd2dbab60cca1a5cd38ebd7b911c8713c2675ac6029fbd6fa9b9e2007939a42dc1841902a
@@ -1,10 +1,11 @@
1
- require 'puppetserver/ca/utils/cli_parsing'
2
- require 'puppetserver/ca/utils/file_system'
3
- require 'puppetserver/ca/config/puppet'
1
+ require 'optparse'
2
+
4
3
  require 'puppetserver/ca/action/revoke'
5
4
  require 'puppetserver/ca/certificate_authority'
6
-
7
- require 'optparse'
5
+ require 'puppetserver/ca/config/puppet'
6
+ require 'puppetserver/ca/errors'
7
+ require 'puppetserver/ca/utils/cli_parsing'
8
+ require 'puppetserver/ca/utils/file_system'
8
9
 
9
10
  module Puppetserver
10
11
  module Ca
@@ -22,10 +23,10 @@ Usage:
22
23
  puppetserver ca clean [--config] --certname NAME[,NAME]
23
24
 
24
25
  Description:
25
- Given one or more valid certnames, instructs the CA to revoke certificates
26
- matching the given certnames if they exist, and then remove files pertaining
27
- to them (keys, cert, and certificate request) over HTTPS using the local
28
- agent's PKI
26
+ Given one or more valid certnames, instructs the CA to revoke certificates
27
+ matching the given certnames if they exist, and then remove files pertaining
28
+ to them (keys, cert, and certificate request) over HTTPS using the local
29
+ agent's PKI
29
30
 
30
31
  Options:
31
32
  BANNER
@@ -68,7 +69,7 @@ BANNER
68
69
  errors << ' At least one certname is required to clean'
69
70
  end
70
71
 
71
- errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
72
+ errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
72
73
 
73
74
  exit_code = errors_were_handled ? 1 : nil
74
75
 
@@ -81,11 +82,11 @@ BANNER
81
82
 
82
83
  if config
83
84
  errors = FileSystem.validate_file_paths(config)
84
- return 1 if CliParsing.handle_errors(@logger, errors)
85
+ return 1 if Errors.handle_with_usage(@logger, errors)
85
86
  end
86
87
 
87
88
  puppet = Config::Puppet.parse(config)
88
- return 1 if CliParsing.handle_errors(@logger, puppet.errors)
89
+ return 1 if Errors.handle_with_usage(@logger, puppet.errors)
89
90
 
90
91
  result = clean_certs(certnames, puppet.settings)
91
92
  case result
@@ -1,12 +1,13 @@
1
- require 'puppetserver/ca/utils/cli_parsing'
2
- require 'puppetserver/ca/host'
3
1
  require 'puppetserver/ca/certificate_authority'
4
- require 'puppetserver/ca/local_certificate_authority'
5
- require 'puppetserver/ca/x509_loader'
6
2
  require 'puppetserver/ca/config/puppet'
3
+ require 'puppetserver/ca/errors'
4
+ require 'puppetserver/ca/host'
5
+ require 'puppetserver/ca/local_certificate_authority'
6
+ require 'puppetserver/ca/utils/cli_parsing'
7
+ require 'puppetserver/ca/utils/config'
7
8
  require 'puppetserver/ca/utils/file_system'
8
9
  require 'puppetserver/ca/utils/signing_digest'
9
- require 'puppetserver/ca/utils/config'
10
+ require 'puppetserver/ca/x509_loader'
10
11
 
11
12
  module Puppetserver
12
13
  module Ca
@@ -28,25 +29,25 @@ Usage:
28
29
  [--ca-client]
29
30
 
30
31
  Description:
31
- Generates a new certificate signed by the intermediate CA
32
- and stores generated keys and certs on disk.
33
-
34
- If the `--ca-client` flag is passed, the cert will be generated
35
- offline, without using Puppet Server's signing code, and will add
36
- a special extension authorizing it to talk to the CA API. This can
37
- be used for regenerating the master's host cert, or for manually
38
- setting up other nodes to be CA clients. Do not distribute certs
39
- generated this way to any node that you do not intend to have
40
- administrative access to the CA (e.g. the ability to sign a cert).
41
-
42
- Since the `--ca-client` causes a cert to be generated offline, it
43
- should ONLY be used when Puppet Server is NOT running, to avoid
44
- conflicting with the actions of the CA service. This will be
45
- mandatory in a future release.
46
-
47
- To determine the target location, the default puppet.conf
48
- is consulted for custom values. If using a custom puppet.conf
49
- provide it with the --config flag
32
+ Generates a new certificate signed by the intermediate CA
33
+ and stores generated keys and certs on disk.
34
+
35
+ If the `--ca-client` flag is passed, the cert will be generated
36
+ offline, without using Puppet Server's signing code, and will add
37
+ a special extension authorizing it to talk to the CA API. This can
38
+ be used for regenerating the master's host cert, or for manually
39
+ setting up other nodes to be CA clients. Do not distribute certs
40
+ generated this way to any node that you do not intend to have
41
+ administrative access to the CA (e.g. the ability to sign a cert).
42
+
43
+ Since the `--ca-client` causes a cert to be generated offline, it
44
+ should ONLY be used when Puppet Server is NOT running, to avoid
45
+ conflicting with the actions of the CA service. This will be
46
+ mandatory in a future release.
47
+
48
+ To determine the target location, the default puppet.conf
49
+ is consulted for custom values. If using a custom puppet.conf
50
+ provide it with the --config flag
50
51
 
51
52
  Options:
52
53
  BANNER
@@ -106,7 +107,7 @@ BANNER
106
107
  end
107
108
  end
108
109
 
109
- errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
110
+ errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
110
111
 
111
112
  exit_code = errors_were_handled ? 1 : nil
112
113
 
@@ -120,14 +121,14 @@ BANNER
120
121
  # Validate config_path provided
121
122
  if config_path
122
123
  errors = FileSystem.validate_file_paths(config_path)
123
- return 1 if CliParsing.handle_errors(@logger, errors)
124
+ return 1 if Errors.handle_with_usage(@logger, errors)
124
125
  end
125
126
 
126
127
  # Load, resolve, and validate puppet config settings
127
128
  settings_overrides = {}
128
129
  puppet = Config::Puppet.new(config_path)
129
130
  puppet.load(settings_overrides)
130
- return 1 if CliParsing.handle_errors(@logger, puppet.errors)
131
+ return 1 if Errors.handle_with_usage(@logger, puppet.errors)
131
132
 
132
133
  # We don't want generate to respect the alt names setting, since it is usually
133
134
  # used to generate certs for other nodes
@@ -135,7 +136,7 @@ BANNER
135
136
 
136
137
  # Load most secure signing digest we can for csr signing.
137
138
  signer = SigningDigest.new
138
- return 1 if CliParsing.handle_errors(@logger, signer.errors)
139
+ return 1 if Errors.handle_with_usage(@logger, signer.errors)
139
140
 
140
141
  # Generate and save certs and associated keys
141
142
  if input['ca-client']
@@ -152,7 +153,7 @@ BANNER
152
153
  # Returns true if it receives back a response of "running", and false if
153
154
  # no connection can be made, or a different response is received.
154
155
  def check_server_online(settings)
155
- status_url = HttpClient::URL.new('https', settings[:server], settings[:masterport], 'status', 'v1', 'simple', 'ca')
156
+ status_url = HttpClient::URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
156
157
  begin
157
158
  # Generating certs offline is necessary if the master cert has been destroyed
158
159
  # or compromised. Since querying the status endpoint does not require a client cert, and
@@ -183,11 +184,11 @@ BANNER
183
184
  settings[:publickeydir]])
184
185
 
185
186
  ca = Puppetserver::Ca::LocalCertificateAuthority.new(digest, settings)
186
- return false if CliParsing.handle_errors(@logger, ca.errors)
187
+ return false if Errors.handle_with_usage(@logger, ca.errors)
187
188
 
188
189
  passed = certnames.map do |certname|
189
190
  errors = check_for_existing_ssl_files(certname, settings)
190
- next false if CliParsing.handle_errors(@logger, errors)
191
+ next false if Errors.handle_with_usage(@logger, errors)
191
192
 
192
193
  current_alt_names = process_alt_names(alt_names, certname)
193
194
 
@@ -221,7 +222,7 @@ BANNER
221
222
 
222
223
  passed = certnames.map do |certname|
223
224
  errors = check_for_existing_ssl_files(certname, settings)
224
- next false if CliParsing.handle_errors(@logger, errors)
225
+ next false if Errors.handle_with_usage(@logger, errors)
225
226
 
226
227
  current_alt_names = process_alt_names(alt_names, certname)
227
228
 
@@ -273,7 +274,7 @@ BANNER
273
274
  key: private_key,
274
275
  cli_extensions: extensions,
275
276
  csr_attributes_path: settings[:csr_attributes])
276
- return if CliParsing.handle_errors(@logger, host.errors)
277
+ return if Errors.handle_with_usage(@logger, host.errors)
277
278
 
278
279
  return private_key, csr
279
280
  end
@@ -1,10 +1,12 @@
1
1
  require 'optparse'
2
- require 'puppetserver/ca/utils/file_system'
3
- require 'puppetserver/ca/x509_loader'
2
+
4
3
  require 'puppetserver/ca/config/puppet'
4
+ require 'puppetserver/ca/errors'
5
5
  require 'puppetserver/ca/local_certificate_authority'
6
6
  require 'puppetserver/ca/utils/cli_parsing'
7
+ require 'puppetserver/ca/utils/file_system'
7
8
  require 'puppetserver/ca/utils/signing_digest'
9
+ require 'puppetserver/ca/x509_loader'
8
10
 
9
11
  module Puppetserver
10
12
  module Ca
@@ -21,15 +23,15 @@ Usage:
21
23
  --private-key PATH --cert-bundle PATH --crl-chain PATH
22
24
 
23
25
  Description:
24
- Given a private key, cert bundle, and a crl chain,
25
- validate and import to the Puppet Server CA.
26
+ Given a private key, cert bundle, and a crl chain,
27
+ validate and import to the Puppet Server CA.
26
28
 
27
- Note that the cert and crl provided for the leaf CA must not
28
- have already issued or revoked any certificates.
29
+ Note that the cert and crl provided for the leaf CA must not
30
+ have already issued or revoked any certificates.
29
31
 
30
- To determine the target location the default puppet.conf
31
- is consulted for custom values. If using a custom puppet.conf
32
- provide it with the --config flag
32
+ To determine the target location the default puppet.conf
33
+ is consulted for custom values. If using a custom puppet.conf
34
+ provide it with the --config flag
33
35
 
34
36
  Options:
35
37
  BANNER
@@ -47,10 +49,10 @@ BANNER
47
49
  files = [bundle_path, key_path, chain_path, config_path].compact
48
50
 
49
51
  errors = FileSystem.validate_file_paths(files)
50
- return 1 if CliParsing.handle_errors(@logger, errors)
52
+ return 1 if Errors.handle_with_usage(@logger, errors)
51
53
 
52
54
  loader = X509Loader.new(bundle_path, key_path, chain_path)
53
- return 1 if CliParsing.handle_errors(@logger, loader.errors)
55
+ return 1 if Errors.handle_with_usage(@logger, loader.errors)
54
56
 
55
57
  settings_overrides = {}
56
58
  settings_overrides[:certname] = input['certname'] unless input['certname'].empty?
@@ -58,14 +60,14 @@ BANNER
58
60
 
59
61
  puppet = Config::Puppet.new(config_path)
60
62
  puppet.load(settings_overrides)
61
- return 1 if CliParsing.handle_errors(@logger, puppet.errors)
63
+ return 1 if Errors.handle_with_usage(@logger, puppet.errors)
62
64
 
63
65
  # Load most secure signing digest we can for cers/crl/csr signing.
64
66
  signer = SigningDigest.new
65
- return 1 if CliParsing.handle_errors(@logger, signer.errors)
67
+ return 1 if Errors.handle_with_usage(@logger, signer.errors)
66
68
 
67
69
  errors = import(loader, puppet.settings, signer.digest)
68
- return 1 if CliParsing.handle_errors(@logger, errors)
70
+ return 1 if Errors.handle_with_usage(@logger, errors)
69
71
 
70
72
  @logger.inform "Import succeeded. Find your files in #{puppet.settings[:cadir]}"
71
73
  return 0
@@ -152,7 +154,7 @@ ERR
152
154
  errors << err
153
155
  end
154
156
 
155
- errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
157
+ errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
156
158
 
157
159
  exit_code = errors_were_handled ? 1 : nil
158
160
 
@@ -1,9 +1,11 @@
1
- require 'puppetserver/ca/utils/cli_parsing'
2
- require 'puppetserver/ca/utils/file_system'
1
+ require 'json'
2
+ require 'optparse'
3
+
4
+ require 'puppetserver/ca/errors'
3
5
  require 'puppetserver/ca/certificate_authority'
4
6
  require 'puppetserver/ca/config/puppet'
5
- require 'optparse'
6
- require 'json'
7
+ require 'puppetserver/ca/utils/cli_parsing'
8
+ require 'puppetserver/ca/utils/file_system'
7
9
 
8
10
  module Puppetserver
9
11
  module Ca
@@ -20,7 +22,8 @@ Usage:
20
22
  puppetserver ca list [--all]
21
23
 
22
24
  Description:
23
- List outstanding certificate requests. If --all is specified, signed and revoked certificates will be listed as well.
25
+ List outstanding certificate requests. If --all is specified, signed and
26
+ revoked certificates will be listed as well.
24
27
 
25
28
  Options:
26
29
  BANNER
@@ -51,11 +54,11 @@ Options:
51
54
 
52
55
  if config
53
56
  errors = FileSystem.validate_file_paths(config)
54
- return 1 if CliParsing.handle_errors(@logger, errors)
57
+ return 1 if Errors.handle_with_usage(@logger, errors)
55
58
  end
56
59
 
57
60
  puppet = Config::Puppet.parse(config)
58
- return 1 if CliParsing.handle_errors(@logger, puppet.errors)
61
+ return 1 if Errors.handle_with_usage(@logger, puppet.errors)
59
62
 
60
63
  all_certs = get_all_certs(puppet.settings)
61
64
  return 1 if all_certs.nil?
@@ -124,7 +127,7 @@ Options:
124
127
 
125
128
  errors = CliParsing.parse_with_errors(parser, args)
126
129
 
127
- errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
130
+ errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
128
131
 
129
132
  exit_code = errors_were_handled ? 1 : nil
130
133
 
@@ -1,9 +1,9 @@
1
+ require 'optparse'
2
+
3
+ require 'puppetserver/ca/certificate_authority'
4
+ require 'puppetserver/ca/config/puppet'
1
5
  require 'puppetserver/ca/utils/cli_parsing'
2
6
  require 'puppetserver/ca/utils/file_system'
3
- require 'puppetserver/ca/config/puppet'
4
- require 'puppetserver/ca/certificate_authority'
5
-
6
- require 'optparse'
7
7
 
8
8
  module Puppetserver
9
9
  module Ca
@@ -21,8 +21,8 @@ Usage:
21
21
  puppetserver ca revoke [--config] --certname NAME[,NAME]
22
22
 
23
23
  Description:
24
- Given one or more valid certnames, instructs the CA to revoke them over
25
- HTTPS using the local agent's PKI
24
+ Given one or more valid certnames, instructs the CA to revoke them over
25
+ HTTPS using the local agent's PKI
26
26
 
27
27
  Options:
28
28
  BANNER
@@ -65,7 +65,7 @@ BANNER
65
65
  errors << ' At least one certname is required to revoke'
66
66
  end
67
67
 
68
- errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
68
+ errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
69
69
 
70
70
  # if there is an exit_code then Cli will return it early, so we only
71
71
  # return an exit_code if there's an error
@@ -80,11 +80,11 @@ BANNER
80
80
 
81
81
  if config
82
82
  errors = FileSystem.validate_file_paths(config)
83
- return 1 if CliParsing.handle_errors(@logger, errors)
83
+ return 1 if Errors.handle_with_usage(@logger, errors)
84
84
  end
85
85
 
86
86
  puppet = Config::Puppet.parse(config)
87
- return 1 if CliParsing.handle_errors(@logger, puppet.errors)
87
+ return 1 if Errors.handle_with_usage(@logger, puppet.errors)
88
88
 
89
89
  result = revoke_certs(certnames, puppet.settings)
90
90
 
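Review bot: The three changed lines in this file now call `Errors.handle_with_usage`, but the require block at the top of the section adds no `require 'puppetserver/ca/errors'`, unlike every other action file in this change; the constant appears to resolve only because `puppetserver/ca/certificate_authority` pulls in `utils/http_client`, which now requires `errors` itself. Add `require 'puppetserver/ca/errors'` after the `config/puppet` require so the file states its own dependency rather than relying on load order elsewhere. The `parse` and `run` methods that contain these calls start and end outside the hunks.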
@@ -1,9 +1,11 @@
1
1
  require 'optparse'
2
- require 'puppetserver/ca/utils/file_system'
2
+
3
+ require 'puppetserver/ca/config/puppet'
4
+ require 'puppetserver/ca/errors'
3
5
  require 'puppetserver/ca/local_certificate_authority'
4
6
  require 'puppetserver/ca/utils/cli_parsing'
7
+ require 'puppetserver/ca/utils/file_system'
5
8
  require 'puppetserver/ca/utils/signing_digest'
6
- require 'puppetserver/ca/config/puppet'
7
9
 
8
10
  module Puppetserver
9
11
  module Ca
@@ -19,19 +21,19 @@ Usage:
19
21
  [--certname NAME] [--ca-name NAME]
20
22
 
21
23
  Description:
22
- Setup a root and intermediate signing CA for Puppet Server
23
- and store generated CA keys, certs, crls, and associated
24
- master related files on disk.
24
+ Setup a root and intermediate signing CA for Puppet Server
25
+ and store generated CA keys, certs, crls, and associated
26
+ master related files on disk.
25
27
 
26
- The `--subject-alt-names` flag can be used to add SANs to the
27
- certificate generated for the Puppet master. Multiple names can be
28
- listed as a comma separated string. These can be either DNS names or
29
- IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
30
- Names with no prefix will be treated as DNS names.
28
+ The `--subject-alt-names` flag can be used to add SANs to the
29
+ certificate generated for the Puppet master. Multiple names can be
30
+ listed as a comma separated string. These can be either DNS names or
31
+ IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
32
+ Names with no prefix will be treated as DNS names.
31
33
 
32
- To determine the target location, the default puppet.conf
33
- is consulted for custom values. If using a custom puppet.conf
34
- provide it with the --config flag
34
+ To determine the target location, the default puppet.conf
35
+ is consulted for custom values. If using a custom puppet.conf
36
+ provide it with the --config flag
35
37
 
36
38
  Options:
37
39
  BANNER
@@ -45,7 +47,7 @@ BANNER
45
47
  config_path = input['config']
46
48
  if config_path
47
49
  errors = FileSystem.validate_file_paths(config_path)
48
- return 1 if CliParsing.handle_errors(@logger, errors)
50
+ return 1 if Errors.handle_with_usage(@logger, errors)
49
51
  end
50
52
 
51
53
  # Load, resolve, and validate puppet config settings
@@ -58,16 +60,16 @@ BANNER
58
60
 
59
61
  puppet = Config::Puppet.new(config_path)
60
62
  puppet.load(settings_overrides)
61
- return 1 if CliParsing.handle_errors(@logger, puppet.errors)
63
+ return 1 if Errors.handle_with_usage(@logger, puppet.errors)
62
64
 
63
65
  # Load most secure signing digest we can for cers/crl/csr signing.
64
66
  signer = SigningDigest.new
65
- return 1 if CliParsing.handle_errors(@logger, signer.errors)
67
+ return 1 if Errors.handle_with_usage(@logger, signer.errors)
66
68
 
67
69
  # Generate root and intermediate ca and put all the certificates, crls,
68
70
  # and keys where they should go.
69
71
  errors = generate_pki(puppet.settings, signer.digest)
70
- return 1 if CliParsing.handle_errors(@logger, errors)
72
+ return 1 if Errors.handle_with_usage(@logger, errors)
71
73
 
72
74
  @logger.inform "Generation succeeded. Find your files in #{puppet.settings[:cadir]}"
73
75
  return 0
@@ -144,7 +146,7 @@ ERR
144
146
  results = {}
145
147
  parser = self.class.parser(results)
146
148
  errors = CliParsing.parse_with_errors(parser, cli_args)
147
- errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
149
+ errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
148
150
  exit_code = errors_were_handled ? 1 : nil
149
151
  return results, exit_code
150
152
  end
@@ -1,11 +1,12 @@
1
+ require 'net/https'
2
+ require 'openssl'
3
+ require 'optparse'
4
+
5
+ require 'puppetserver/ca/certificate_authority'
6
+ require 'puppetserver/ca/config/puppet'
7
+ require 'puppetserver/ca/errors'
1
8
  require 'puppetserver/ca/utils/cli_parsing'
2
9
  require 'puppetserver/ca/utils/file_system'
3
- require 'puppetserver/ca/config/puppet'
4
- require 'puppetserver/ca/certificate_authority'
5
-
6
- require 'optparse'
7
- require 'openssl'
8
- require 'net/https'
9
10
 
10
11
  module Puppetserver
11
12
  module Ca
@@ -22,7 +23,8 @@ Usage:
22
23
  puppetserver ca sign --all
23
24
 
24
25
  Description:
25
- Given a comma-separated list of valid certnames, instructs the CA to sign each cert.
26
+ Given a comma-separated list of valid certnames, instructs the CA to sign
27
+ each cert.
26
28
 
27
29
  Options:
28
30
  BANNER
@@ -54,11 +56,11 @@ Options:
54
56
 
55
57
  if config
56
58
  errors = FileSystem.validate_file_paths(config)
57
- return 1 if CliParsing.handle_errors(@logger, errors)
59
+ return 1 if Errors.handle_with_usage(@logger, errors)
58
60
  end
59
61
 
60
62
  puppet = Config::Puppet.parse(config)
61
- return 1 if CliParsing.handle_errors(@logger, puppet.errors)
63
+ return 1 if Errors.handle_with_usage(@logger, puppet.errors)
62
64
 
63
65
  ca = Puppetserver::Ca::CertificateAuthority.new(@logger, puppet.settings)
64
66
 
@@ -113,7 +115,7 @@ Options:
113
115
  errors << err
114
116
  end
115
117
 
116
- errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
118
+ errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
117
119
 
118
120
  exit_code = errors_were_handled ? 1 : nil
119
121
 
@@ -1,7 +1,7 @@
1
- require 'puppetserver/ca/utils/http_client'
2
-
3
1
  require 'json'
4
2
 
3
+ require 'puppetserver/ca/utils/http_client'
4
+
5
5
  module Puppetserver
6
6
  module Ca
7
7
  class CertificateAuthority
@@ -1,4 +1,5 @@
1
1
  require 'optparse'
2
+
2
3
  require 'puppetserver/ca/action/clean'
3
4
  require 'puppetserver/ca/action/generate'
4
5
  require 'puppetserver/ca/action/import'
@@ -6,9 +7,10 @@ require 'puppetserver/ca/action/list'
6
7
  require 'puppetserver/ca/action/revoke'
7
8
  require 'puppetserver/ca/action/setup'
8
9
  require 'puppetserver/ca/action/sign'
10
+ require 'puppetserver/ca/errors'
9
11
  require 'puppetserver/ca/logger'
10
- require 'puppetserver/ca/version'
11
12
  require 'puppetserver/ca/utils/cli_parsing'
13
+ require 'puppetserver/ca/version'
12
14
 
13
15
 
14
16
  module Puppetserver
@@ -86,7 +88,14 @@ BANNER
86
88
  if exit_code
87
89
  return exit_code
88
90
  else
89
- return action.run(input)
91
+ begin
92
+ return action.run(input)
93
+ rescue Puppetserver::Ca::Error => e
94
+ logger.err "Fatal error when running action '#{action_argument}'"
95
+ logger.err " Error: " + e.message
96
+
97
+ return 1
98
+ end
90
99
  end
91
100
  else
92
101
  logger.warn "Unknown action: #{action_argument}"
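Review bot: The new `logger.err " Error: " + e.message` line builds its message with `+` while the neighbouring `logger.err "Fatal error when running action '#{action_argument}'"` and the `logger.warn` below use interpolation; `logger.err " Error: #{e.message}"` keeps the file consistent. A short comment above `rescue Puppetserver::Ca::Error => e` saying that only the library's own error hierarchy is turned into exit code 1, and that any other exception is treated as a bug and keeps its backtrace, would make the deliberately narrow rescue read as intended, if that is the intent. The enclosing method starts and ends outside the hunk.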
@@ -1,6 +1,7 @@
1
- require 'puppetserver/ca/utils/config'
2
- require 'securerandom'
3
1
  require 'facter'
2
+ require 'securerandom'
3
+
4
+ require 'puppetserver/ca/utils/config'
4
5
 
5
6
  module Puppetserver
6
7
  module Ca
@@ -66,8 +67,9 @@ module Puppetserver
66
67
  results ||= {}
67
68
  results[:main] ||= {}
68
69
  results[:master] ||= {}
70
+ results[:agent] ||= {}
69
71
 
70
- overrides = results[:main].merge(results[:master])
72
+ overrides = results[:agent].merge(results[:main]).merge(results[:master])
71
73
  overrides.merge!(cli_overrides)
72
74
 
73
75
  @settings = resolve_settings(overrides).freeze
@@ -132,6 +134,7 @@ module Puppetserver
132
134
  :ca_ttl => '15y',
133
135
  :certificate_revocation => 'true',
134
136
  :signeddir => '$cadir/signed',
137
+ :server_list => '',
135
138
  }
136
139
 
137
140
  # This loops through the base defaults and gives each setting a
@@ -161,6 +164,11 @@ module Puppetserver
161
164
  settings[:certificate_revocation] = parse_crl_usage(settings[:certificate_revocation])
162
165
  settings[:subject_alt_names] = Puppetserver::Ca::Utils::Config.munge_alt_names(settings[:subject_alt_names])
163
166
  settings[:keylength] = settings[:keylength].to_i
167
+ settings[:server_list] = settings[:server_list].
168
+ split(/\s*,\s*/).
169
+ map {|entry| entry.split(":") }
170
+
171
+ update_for_server_list!(settings)
164
172
 
165
173
  settings.each do |key, value|
166
174
  next unless value.is_a? String
@@ -239,6 +247,20 @@ module Puppetserver
239
247
  :ignore
240
248
  end
241
249
  end
250
+
251
+ def update_for_server_list!(settings)
252
+ if settings.dig(:server_list, 0, 0) &&
253
+ settings[:ca_server] == '$server'
254
+
255
+ settings[:ca_server] = settings.dig(:server_list, 0, 0)
256
+ end
257
+
258
+ if settings.dig(:server_list, 0, 1) &&
259
+ settings[:ca_port] == '$masterport'
260
+
261
+ settings[:ca_port] = settings.dig(:server_list, 0, 1)
262
+ end
263
+ end
242
264
  end
243
265
  end
244
266
  end
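Review bot: In `update_for_server_list!` the two conditions are independent, so when `ca_server` was set explicitly but `ca_port` still holds its `$masterport` default, the port of the first `server_list` entry is applied to a host it does not belong to. Unless that coupling is intended, only take the port when the server was also taken from `server_list`, as below. The parsing added in the earlier hunk (`split(/\s*,\s*/)` then `split(":")`) also leaves no room for bracketed IPv6 hosts, which may or may not matter for this tool; the `resolve_settings` method that hunk modifies starts and ends outside the hunk.
```ruby
def update_for_server_list!(settings)
  first_server, first_port = settings.dig(:server_list, 0)
  return unless first_server && settings[:ca_server] == '$server'

  settings[:ca_server] = first_server
  settings[:ca_port] = first_port if first_port && settings[:ca_port] == '$masterport'
end
```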
@@ -1,4 +1,5 @@
1
1
  require 'hocon'
2
+
2
3
  require 'puppetserver/ca/utils/config'
3
4
 
4
5
  module Puppetserver
@@ -0,0 +1,26 @@
1
+ module Puppetserver
2
+ module Ca
3
+ class Error < StandardError; end
4
+ class FileNotFound < Error; end
5
+ class InvalidX509Object < Error; end
6
+ class ConnectionFailed < Error; end
7
+
8
+ module Errors
9
+ def self.handle_with_usage(log, errors, usage = nil)
10
+ unless errors.empty?
11
+ log.err 'Error:'
12
+ errors.each {|e| log.err e }
13
+
14
+ if usage
15
+ log.err ''
16
+ log.err usage
17
+ end
18
+
19
+ return true
20
+ else
21
+ return false
22
+ end
23
+ end
24
+ end
25
+ end
26
+ end
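Review bot: `handle_with_usage` has no documentation and uses an `unless … else` with explicit `return`s, which the Ruby style guide discourages; a guard clause says the same thing in fewer lines. A YARD header describing the contract — every entry of `errors` (and `usage`, when given) goes through `log.err`, and the boolean says whether anything was reported — lets the many `return 1 if Errors.handle_with_usage(...)` call sites be read without opening this file. A one-line comment on the `Error` hierarchy noting that `cli.rb` converts exactly these errors into exit code 1 would also help.
```ruby
# Logs each entry of +errors+ (and +usage+, when given) through +log.err+
# and reports whether anything was logged, so callers can `return 1 if ...`.
#
# @param log [#err] logger that receives the messages
# @param errors [Array<String>] messages to report; empty means nothing to do
# @param usage [String, nil] help text appended after the errors
# @return [Boolean] true when at least one error was reported
def self.handle_with_usage(log, errors, usage = nil)
  return false if errors.empty?

  log.err 'Error:'
  errors.each { |e| log.err e }
  if usage
    log.err ''
    log.err usage
  end
  true
end
```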
@@ -1,5 +1,5 @@
1
- require 'openssl'
2
1
  require 'fileutils'
2
+ require 'openssl'
3
3
  require 'yaml'
4
4
 
5
5
  module Puppetserver
@@ -1,9 +1,9 @@
1
+ require 'openssl'
2
+
1
3
  require 'puppetserver/ca/host'
2
4
  require 'puppetserver/ca/utils/file_system'
3
5
  require 'puppetserver/ca/x509_loader'
4
6
 
5
- require 'openssl'
6
-
7
7
  module Puppetserver
8
8
  module Ca
9
9
  class LocalCertificateAuthority
@@ -50,21 +50,6 @@ module Puppetserver
50
50
  errors
51
51
  end
52
52
 
53
- def self.handle_errors(log, errors, usage = nil)
54
- unless errors.empty?
55
- log.err 'Error:'
56
- errors.each {|e| log.err e }
57
-
58
- if usage
59
- log.err ''
60
- log.err usage
61
- end
62
-
63
- return true
64
- else
65
- return false
66
- end
67
- end
68
53
 
69
54
  private
70
55
 
@@ -1,5 +1,5 @@
1
- require 'fileutils'
2
1
  require 'etc'
2
+ require 'fileutils'
3
3
 
4
4
  module Puppetserver
5
5
  module Ca
@@ -1,5 +1,7 @@
1
- require 'openssl'
2
1
  require 'net/https'
2
+ require 'openssl'
3
+
4
+ require 'puppetserver/ca/errors'
3
5
 
4
6
  module Puppetserver
5
7
  module Ca
@@ -31,12 +33,16 @@ module Puppetserver
31
33
  end
32
34
  end
33
35
 
34
- def load_cert(cert_path)
35
- OpenSSL::X509::Certificate.new(File.read(cert_path))
36
+ def load_cert(path)
37
+ load_with_errors(path, 'hostcert') do |content|
38
+ OpenSSL::X509::Certificate.new(content)
39
+ end
36
40
  end
37
41
 
38
- def load_key(key_path)
39
- OpenSSL::PKey.read(File.read(key_path))
42
+ def load_key(path)
43
+ load_with_errors(path, 'hostprivkey') do |content|
44
+ OpenSSL::PKey.read(content)
45
+ end
40
46
  end
41
47
 
42
48
  # Takes an instance URL (defined lower in the file), and creates a
@@ -46,13 +52,33 @@ module Puppetserver
46
52
  def with_connection(url, &block)
47
53
  request = ->(conn) { block.call(Connection.new(conn, url)) }
48
54
 
49
- Net::HTTP.start(url.host, url.port,
50
- use_ssl: true, cert_store: @store,
51
- cert: @cert, key: @key,
52
- &request)
55
+ begin
56
+ Net::HTTP.start(url.host, url.port,
57
+ use_ssl: true, cert_store: @store,
58
+ cert: @cert, key: @key,
59
+ &request)
60
+ rescue StandardError => e
61
+ raise ConnectionFailed.new(
62
+ "Failed connecting to #{url.full_url}\n" +
63
+ " Root cause: #{e.message}")
64
+ end
53
65
  end
54
66
 
55
67
  private
68
+
69
+ def load_with_errors(path, setting, &block)
70
+ begin
71
+ content = File.read(path)
72
+ block.call(content)
73
+ rescue Errno::ENOENT
74
+ raise FileNotFound.new("Could not find '#{setting}' at '#{path}'")
75
+ rescue OpenSSL::OpenSSLError => e
76
+ raise InvalidX509Object.new(
77
+ "Could not parse '#{setting}' at '#{path}'.\n" +
78
+ " OpenSSL returned: #{e.message}")
79
+ end
80
+ end
81
+
56
82
  # Helper class that wraps a Net::HTTP connection, a HttpClient::URL
57
83
  # and defines methods named after HTTP verbs that are called on the
58
84
  # saved connection, returning a Result.
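Review bot: The `rescue StandardError => e` in `with_connection` also catches whatever the caller's block raises, because `request` runs inside `Net::HTTP.start`; a parsing failure in the block, or a `Puppetserver::Ca::Error` raised there, would be reported as `Failed connecting to …`, which misleads the user about what went wrong. Narrow it to what connection setup actually produces, e.g. `rescue SocketError, SystemCallError, Timeout::Error, OpenSSL::SSL::SSLError => e`, so TLS verification failures still surface as `ConnectionFailed` while errors from the block keep their own class. In `load_with_errors`, a permission error on the key file (`Errno::EACCES`) is not `Errno::ENOENT` and will propagate unwrapped; consider whether it should be reported too, with a message that does not call the file "not found". The `begin … end` spanning the whole body of `load_with_errors` can be dropped in favour of a method-level `rescue`.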
@@ -1,5 +1,5 @@
1
1
  module Puppetserver
2
2
  module Ca
3
- VERSION = "1.1.3"
3
+ VERSION = "1.2.0"
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puppetserver-ca
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.3
4
+ version: 1.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Puppet, Inc.
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-11-16 00:00:00.000000000 Z
11
+ date: 2018-12-11 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: facter
@@ -103,6 +103,7 @@ files:
103
103
  - lib/puppetserver/ca/cli.rb
104
104
  - lib/puppetserver/ca/config/puppet.rb
105
105
  - lib/puppetserver/ca/config/puppetserver.rb
106
+ - lib/puppetserver/ca/errors.rb
106
107
  - lib/puppetserver/ca/host.rb
107
108
  - lib/puppetserver/ca/local_certificate_authority.rb
108
109
  - lib/puppetserver/ca/logger.rb