puppetserver-ca 1.2.1 → 1.3.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 68f6a3c820f9dd32b2df38855a1e03249cb89ba0
4
- data.tar.gz: b885a1ad3e176010f2e36a63f6940b0bab7501ad
3
+ metadata.gz: 868261be07fde8ea3c45c865fe605f378543c754
4
+ data.tar.gz: a8e814826e1bffaa95372f8ff32e199a44ad71c6
5
5
  SHA512:
6
- metadata.gz: 809c1ce65101f0c3f9aa908540070c59114aae9551170875177c87518e4e43111ebcaa3f8f29b0e400a2dd8e0d5ce996fbf01e35766b395d2c6443086a36ffdd
7
- data.tar.gz: f2975078313f77c519c45eb03ccc70272efdad3f859863c97e07a3a800e37ae2fd2e086ad534367eb86b3b86f39272d1428754457150fdf8b8174dd8cb1a5025
6
+ metadata.gz: a5bff259ba4ab4ead91759dbb5413273a3241127b4f48b2bb953e1554340edbfa6feb19fc8e861bec558fe7e25e2c0b9732644e63da05695c51892b70cb6c16e
7
+ data.tar.gz: 4d0b7fbcc5854b2e217b8242393dfc9cb104b9bbe0e4ad8c7e8802d7fd5c32b95675a82b53d3a47469ceb460f8cf9b93b01395aee170a6384e134af889518427
@@ -6,6 +6,7 @@ rvm:
6
6
  - 2.3
7
7
  - 2.4
8
8
  - 2.5
9
- before_install: gem install bundler -v 1.16.1
9
+ before_install:
10
+ gem install bundler -v 1.16.1 && (gem uninstall -v '>= 2' -i $(rvm gemdir)@global -ax bundler || true)
10
11
  script:
11
12
  - bundle exec rake spec
@@ -42,7 +42,7 @@ BANNER
42
42
  o.on('--config CONF', 'Custom path to puppet.conf') do |conf|
43
43
  parsed['config'] = conf
44
44
  end
45
- o.on('--help', 'Display this clean specific help output') do |help|
45
+ o.on('--help', 'Display this command-specific help output') do |help|
46
46
  parsed['help'] = true
47
47
  end
48
48
  end
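--- /dev/null
+++ b/lib/puppetserver/ca/action/enable.rb
@@ -0,0 +1,142 @@
+require 'optparse'
+
+require 'puppetserver/ca/config/puppet'
+require 'puppetserver/ca/errors'
+require 'puppetserver/ca/local_certificate_authority'
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/signing_digest'
+
+module Puppetserver
+module Ca
+module Action
+class Enable
+include Puppetserver::Ca::Utils
+
+SUMMARY = "Setup infrastructure CRL based on a node inventory."
+BANNER = <<-BANNER
+Usage:
+puppetserver ca enable [--help]
+puppetserver ca enable [--infracrl]
+
+Description:
+Performs actions necessary to enable certain CA modes.
+
+--infracrl
+Creates auxiliary files necessary to use the infrastructure-only CRL.
+Assumes the existence of an `infra_inventory.txt` file in the CA
+directory listing the certnames of the infrastructure nodes in the
+Puppet installation. Generates the `infra_serials` file and the empty
+CRL to be populated with revoked infrastructure nodes.
+
+Options:
+BANNER
+
+def initialize(logger)
+@logger = logger
+end
+
+def run(input)
+# Validate config_path provided
+config_path = input['config']
+if config_path
+errors = FileSystem.validate_file_paths(config_path)
+return 1 if Errors.handle_with_usage(@logger, errors)
+end
+
+puppet = Config::Puppet.new(config_path)
+puppet.load
+settings = puppet.settings
+return 1 if Errors.handle_with_usage(@logger, puppet.errors)
+
+if input['infracrl']
+errors = enable_infra_crl(settings)
+return 1 if Errors.handle_with_usage(@logger, errors)
+end
+
+return 0
+end
+
+def enable_infra_crl(settings)
+inventory_file = File.join(settings[:cadir], 'infra_inventory.txt')
+if !File.exist?(inventory_file)
+error = <<-ERR
+Please create an inventory file at '#{inventory_file}' with the certnames of your
+infrastructure nodes before proceeding with infra CRL setup!"
+ERR
+return [error]
+end
+
+serial_file = File.join(settings[:cadir], 'infra_serials')
+infra_crl = File.join(settings[:cadir], 'infra_crl.pem')
+
+file_errors = check_for_existing_infra_files([serial_file, infra_crl])
+return file_errors if !file_errors.empty?
+
+FileSystem.write_file(serial_file, '', 0644)
+
+errors = create_infra_crl_chain(settings)
+return errors if !errors.empty?
+
+@logger.inform "Infra CRL files created."
+return []
+end
+
+def check_for_existing_infra_files(files)
+file_errors = FileSystem.check_for_existing_files(files)
+if !file_errors.empty?
+notice = <<-MSG
+If you would really like to reinitialize your infrastructure CRL, please delete
+the existing files and run this command again.
+MSG
+file_errors << notice
+end
+return file_errors
+end
+
+def create_infra_crl_chain(settings)
+# Load most secure signing digest we can for cers/crl/csr signing.
+signer = SigningDigest.new
+return signer.errors if signer.errors.any?
+
+ca = LocalCertificateAuthority.new(signer.digest, settings)
+infra_crl = ca.create_crl_for(ca.cert, ca.key)
+return ca.errors if ca.errors.any?
+
+# Drop the full leaf CRL from the chain
+crl_chain = ca.crl_chain.drop(1)
+# Add the new clean CRL, that will be populated with infra nodes only
+# as they are revoked
+crl_chain.unshift(infra_crl)
+FileSystem.write_file(File.join(settings[:cadir], 'infra_crl.pem'), crl_chain, 0644)
+
+[]
+end
+
+def parse(cli_args)
+results = {}
+parser = self.class.parser(results)
+errors = CliParsing.parse_with_errors(parser, cli_args)
+errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+exit_code = errors_were_handled ? 1 : nil
+return results, exit_code
+end
+
+def self.parser(parsed = {})
+OptionParser.new do |opts|
+opts.banner = BANNER
+opts.on('--help', 'Display this command-specific help output') do |help|
+parsed['help'] = true
+end
+opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+parsed['config'] = conf
+end
+opts.on('--infracrl', "Create auxiliary files for the infrastructure-only CRL.") do |infracrl|
+parsed['infracrl'] = true
+end
+end
+end
+end
+end
+end
+end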
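Review bot: The error heredoc in enable_infra_crl ends its second line with a stray double quote (`infrastructure nodes before proceeding with infra CRL setup!"`), which a heredoc emits literally, so the operator-facing message ends in a lone `"`; the line should read `infrastructure nodes before proceeding with infra CRL setup!`. Further down, enable_infra_crl writes the empty infra_serials file before calling create_infra_crl_chain, so if SigningDigest or LocalCertificateAuthority reports errors the serial file is left on disk and the next run is refused by check_for_existing_infra_files until it is deleted by hand; moving `FileSystem.write_file(serial_file, '', 0644)` to after the `return errors if !errors.empty?` check keeps the two artifacts consistent. create_infra_crl_chain also recomputes the infra_crl.pem path instead of reusing the `infra_crl` local its caller already built, and it silently depends on ca.crl_chain being ordered leaf-first; a comment such as `# ca.crl_chain is leaf-first: replace this CA's own full CRL with the empty infra CRL and keep the issuers' CRLs` would make that invariant explicit for the next maintainer.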
@@ -45,10 +45,6 @@ Description:
45
45
  conflicting with the actions of the CA service. This will be
46
46
  mandatory in a future release.
47
47
 
48
- To determine the target location, the default puppet.conf
49
- is consulted for custom values. If using a custom puppet.conf
50
- provide it with the --config flag
51
-
52
48
  Options:
53
49
  BANNER
54
50
  def initialize(logger)
@@ -64,7 +60,7 @@ BANNER
64
60
  'One or more comma separated certnames') do |certs|
65
61
  parsed['certnames'] += certs
66
62
  end
67
- opts.on('--help', 'Display this generate specific help output') do |help|
63
+ opts.on('--help', 'Display this command-specific help output') do |help|
68
64
  parsed['help'] = true
69
65
  end
70
66
  opts.on('--config CONF', 'Path to puppet.conf') do |conf|
@@ -29,10 +29,6 @@ Description:
29
29
  Note that the cert and crl provided for the leaf CA must not
30
30
  have already issued or revoked any certificates.
31
31
 
32
- To determine the target location the default puppet.conf
33
- is consulted for custom values. If using a custom puppet.conf
34
- provide it with the --config flag
35
-
36
32
  Options:
37
33
  BANNER
38
34
 
@@ -166,7 +162,7 @@ ERR
166
162
  parsed['subject-alt-names'] = ''
167
163
  OptionParser.new do |opts|
168
164
  opts.banner = BANNER
169
- opts.on('--help', 'Display this import specific help output') do |help|
165
+ opts.on('--help', 'Display this command-specific help output') do |help|
170
166
  parsed['help'] = true
171
167
  end
172
168
  opts.on('--config CONF', 'Path to puppet.conf') do |conf|
@@ -40,7 +40,7 @@ Options:
40
40
  opts.on('--config CONF', 'Custom path to Puppet\'s config file') do |conf|
41
41
  parsed['config'] = conf
42
42
  end
43
- opts.on('--help', 'Display this command specific help output') do |help|
43
+ opts.on('--help', 'Display this command-specific help output') do |help|
44
44
  parsed['help'] = true
45
45
  end
46
46
  opts.on('--all', 'List all certificates') do |a|
@@ -31,10 +31,6 @@ Description:
31
31
  IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
32
32
  Names with no prefix will be treated as DNS names.
33
33
 
34
- To determine the target location, the default puppet.conf
35
- is consulted for custom values. If using a custom puppet.conf
36
- provide it with the --config flag
37
-
38
34
  Options:
39
35
  BANNER
40
36
 
@@ -157,7 +153,7 @@ ERR
157
153
  parsed['certname'] = ''
158
154
  OptionParser.new do |opts|
159
155
  opts.banner = BANNER
160
- opts.on('--help', 'Display this setup specific help output') do |help|
156
+ opts.on('--help', 'Display this command-specific help output') do |help|
161
157
  parsed['help'] = true
162
158
  end
163
159
  opts.on('--config CONF', 'Path to puppet.conf') do |conf|
@@ -38,7 +38,7 @@ Options:
38
38
  opts.on('--config CONF', 'Custom path to Puppet\'s config file') do |conf|
39
39
  parsed['config'] = conf
40
40
  end
41
- opts.on('--help', 'Display this command specific help output') do |help|
41
+ opts.on('--help', 'Display this command-specific help output') do |help|
42
42
  parsed['help'] = true
43
43
  end
44
44
  opts.on('--all', 'Operate on all certnames') do |a|
@@ -3,6 +3,7 @@ require 'optparse'
3
3
  require 'puppetserver/ca/action/clean'
4
4
  require 'puppetserver/ca/action/generate'
5
5
  require 'puppetserver/ca/action/import'
6
+ require 'puppetserver/ca/action/enable'
6
7
  require 'puppetserver/ca/action/list'
7
8
  require 'puppetserver/ca/action/revoke'
8
9
  require 'puppetserver/ca/action/setup'
@@ -26,6 +27,7 @@ BANNER
26
27
  INIT_ACTIONS = {
27
28
  'import' => Action::Import,
28
29
  'setup' => Action::Setup,
30
+ 'enable' => Action::Enable,
29
31
  }
30
32
 
31
33
  MAINT_ACTIONS = {
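--- a/lib/puppetserver/ca/local_certificate_authority.rb
+++ b/lib/puppetserver/ca/local_certificate_authority.rb
@@ -37,7 +37,7 @@ module Puppetserver
 ["authorityKeyIdentifier", "keyid:always", false]
 ].freeze
 
-attr_reader :cert, :key, :crl
+attr_reader :cert, :cert_bundle, :key, :crl, :crl_chain
 
 def initialize(digest, settings)
 @digest = digest
@@ -63,9 +63,11 @@ module Puppetserver
 end
 
 def load_ssl_components(loader)
-@cert = loader.certs.first
-@key = loader.key
-@crl = loader.crls.first
+@cert_bundle = loader.certs
+@cert = loader.certs.first
+@key = loader.key
+@crl_chain = loader.crls
+@crl = loader.crls.first
 end
 
 def errors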
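Review bot: The new cert_bundle and crl_chain readers hand out the loader's arrays with no statement of their ordering; the adjacent `@cert = loader.certs.first` and `@crl = loader.crls.first` lines imply that element 0 is this CA's own cert and CRL, and Enable#create_infra_crl_chain relies on exactly that when it calls `crl_chain.drop(1)`. A comment above the attr_reader line, `# cert_bundle and crl_chain are leaf-first: element 0 is this CA's own cert / CRL, followed by its issuers`, would pin that contract for future callers. Because the readers return the very Array objects stored in @cert_bundle and @crl_chain, a caller that mutates the result in place (an `unshift` or `<<` on the reader rather than on a copy) would silently alter the CA's loaded state; if that is not intended, returning `.dup` from the readers or freezing the arrays in load_ssl_components is a cheap guard. The class body continues outside both hunks.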
@@ -1,5 +1,5 @@
1
1
  module Puppetserver
2
2
  module Ca
3
- VERSION = "1.2.1"
3
+ VERSION = "1.3.0"
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puppetserver-ca
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.2.1
4
+ version: 1.3.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Puppet, Inc.
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-12-14 00:00:00.000000000 Z
11
+ date: 2019-01-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: facter
@@ -93,6 +93,7 @@ files:
93
93
  - exe/puppetserver-ca
94
94
  - lib/puppetserver/ca.rb
95
95
  - lib/puppetserver/ca/action/clean.rb
96
+ - lib/puppetserver/ca/action/enable.rb
96
97
  - lib/puppetserver/ca/action/generate.rb
97
98
  - lib/puppetserver/ca/action/import.rb
98
99
  - lib/puppetserver/ca/action/list.rb