puppetserver-ca 1.2.1 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.travis.yml +2 -1
- data/lib/puppetserver/ca/action/clean.rb +1 -1
- data/lib/puppetserver/ca/action/enable.rb +142 -0
- data/lib/puppetserver/ca/action/generate.rb +1 -5
- data/lib/puppetserver/ca/action/import.rb +1 -5
- data/lib/puppetserver/ca/action/list.rb +1 -1
- data/lib/puppetserver/ca/action/setup.rb +1 -5
- data/lib/puppetserver/ca/action/sign.rb +1 -1
- data/lib/puppetserver/ca/cli.rb +2 -0
- data/lib/puppetserver/ca/local_certificate_authority.rb +6 -4
- data/lib/puppetserver/ca/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 868261be07fde8ea3c45c865fe605f378543c754
|
4
|
+
data.tar.gz: a8e814826e1bffaa95372f8ff32e199a44ad71c6
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: a5bff259ba4ab4ead91759dbb5413273a3241127b4f48b2bb953e1554340edbfa6feb19fc8e861bec558fe7e25e2c0b9732644e63da05695c51892b70cb6c16e
|
7
|
+
data.tar.gz: 4d0b7fbcc5854b2e217b8242393dfc9cb104b9bbe0e4ad8c7e8802d7fd5c32b95675a82b53d3a47469ceb460f8cf9b93b01395aee170a6384e134af889518427
|
data/.travis.yml
CHANGED
@@ -42,7 +42,7 @@ BANNER
|
|
42
42
|
o.on('--config CONF', 'Custom path to puppet.conf') do |conf|
|
43
43
|
parsed['config'] = conf
|
44
44
|
end
|
45
|
-
o.on('--help', 'Display this
|
45
|
+
o.on('--help', 'Display this command-specific help output') do |help|
|
46
46
|
parsed['help'] = true
|
47
47
|
end
|
48
48
|
end
|
@@ -0,0 +1,142 @@
|
|
1
|
+
require 'optparse'
|
2
|
+
|
3
|
+
require 'puppetserver/ca/config/puppet'
|
4
|
+
require 'puppetserver/ca/errors'
|
5
|
+
require 'puppetserver/ca/local_certificate_authority'
|
6
|
+
require 'puppetserver/ca/utils/cli_parsing'
|
7
|
+
require 'puppetserver/ca/utils/file_system'
|
8
|
+
require 'puppetserver/ca/utils/signing_digest'
|
9
|
+
|
10
|
+
module Puppetserver
|
11
|
+
module Ca
|
12
|
+
module Action
|
13
|
+
class Enable
|
14
|
+
include Puppetserver::Ca::Utils
|
15
|
+
|
16
|
+
SUMMARY = "Setup infrastructure CRL based on a node inventory."
|
17
|
+
BANNER = <<-BANNER
|
18
|
+
Usage:
|
19
|
+
puppetserver ca enable [--help]
|
20
|
+
puppetserver ca enable [--infracrl]
|
21
|
+
|
22
|
+
Description:
|
23
|
+
Performs actions necessary to enable certain CA modes.
|
24
|
+
|
25
|
+
--infracrl
|
26
|
+
Creates auxiliary files necessary to use the infrastructure-only CRL.
|
27
|
+
Assumes the existence of an `infra_inventory.txt` file in the CA
|
28
|
+
directory listing the certnames of the infrastructure nodes in the
|
29
|
+
Puppet installation. Generates the `infra_serials` file and the empty
|
30
|
+
CRL to be populated with revoked infrastructure nodes.
|
31
|
+
|
32
|
+
Options:
|
33
|
+
BANNER
|
34
|
+
|
35
|
+
def initialize(logger)
|
36
|
+
@logger = logger
|
37
|
+
end
|
38
|
+
|
39
|
+
def run(input)
|
40
|
+
# Validate config_path provided
|
41
|
+
config_path = input['config']
|
42
|
+
if config_path
|
43
|
+
errors = FileSystem.validate_file_paths(config_path)
|
44
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
45
|
+
end
|
46
|
+
|
47
|
+
puppet = Config::Puppet.new(config_path)
|
48
|
+
puppet.load
|
49
|
+
settings = puppet.settings
|
50
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
51
|
+
|
52
|
+
if input['infracrl']
|
53
|
+
errors = enable_infra_crl(settings)
|
54
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
55
|
+
end
|
56
|
+
|
57
|
+
return 0
|
58
|
+
end
|
59
|
+
|
60
|
+
def enable_infra_crl(settings)
|
61
|
+
inventory_file = File.join(settings[:cadir], 'infra_inventory.txt')
|
62
|
+
if !File.exist?(inventory_file)
|
63
|
+
error = <<-ERR
|
64
|
+
Please create an inventory file at '#{inventory_file}' with the certnames of your
|
65
|
+
infrastructure nodes before proceeding with infra CRL setup!"
|
66
|
+
ERR
|
67
|
+
return [error]
|
68
|
+
end
|
69
|
+
|
70
|
+
serial_file = File.join(settings[:cadir], 'infra_serials')
|
71
|
+
infra_crl = File.join(settings[:cadir], 'infra_crl.pem')
|
72
|
+
|
73
|
+
file_errors = check_for_existing_infra_files([serial_file, infra_crl])
|
74
|
+
return file_errors if !file_errors.empty?
|
75
|
+
|
76
|
+
FileSystem.write_file(serial_file, '', 0644)
|
77
|
+
|
78
|
+
errors = create_infra_crl_chain(settings)
|
79
|
+
return errors if !errors.empty?
|
80
|
+
|
81
|
+
@logger.inform "Infra CRL files created."
|
82
|
+
return []
|
83
|
+
end
|
84
|
+
|
85
|
+
def check_for_existing_infra_files(files)
|
86
|
+
file_errors = FileSystem.check_for_existing_files(files)
|
87
|
+
if !file_errors.empty?
|
88
|
+
notice = <<-MSG
|
89
|
+
If you would really like to reinitialize your infrastructure CRL, please delete
|
90
|
+
the existing files and run this command again.
|
91
|
+
MSG
|
92
|
+
file_errors << notice
|
93
|
+
end
|
94
|
+
return file_errors
|
95
|
+
end
|
96
|
+
|
97
|
+
def create_infra_crl_chain(settings)
|
98
|
+
# Load most secure signing digest we can for cers/crl/csr signing.
|
99
|
+
signer = SigningDigest.new
|
100
|
+
return signer.errors if signer.errors.any?
|
101
|
+
|
102
|
+
ca = LocalCertificateAuthority.new(signer.digest, settings)
|
103
|
+
infra_crl = ca.create_crl_for(ca.cert, ca.key)
|
104
|
+
return ca.errors if ca.errors.any?
|
105
|
+
|
106
|
+
# Drop the full leaf CRL from the chain
|
107
|
+
crl_chain = ca.crl_chain.drop(1)
|
108
|
+
# Add the new clean CRL, that will be populated with infra nodes only
|
109
|
+
# as they are revoked
|
110
|
+
crl_chain.unshift(infra_crl)
|
111
|
+
FileSystem.write_file(File.join(settings[:cadir], 'infra_crl.pem'), crl_chain, 0644)
|
112
|
+
|
113
|
+
[]
|
114
|
+
end
|
115
|
+
|
116
|
+
def parse(cli_args)
|
117
|
+
results = {}
|
118
|
+
parser = self.class.parser(results)
|
119
|
+
errors = CliParsing.parse_with_errors(parser, cli_args)
|
120
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
121
|
+
exit_code = errors_were_handled ? 1 : nil
|
122
|
+
return results, exit_code
|
123
|
+
end
|
124
|
+
|
125
|
+
def self.parser(parsed = {})
|
126
|
+
OptionParser.new do |opts|
|
127
|
+
opts.banner = BANNER
|
128
|
+
opts.on('--help', 'Display this command-specific help output') do |help|
|
129
|
+
parsed['help'] = true
|
130
|
+
end
|
131
|
+
opts.on('--config CONF', 'Path to puppet.conf') do |conf|
|
132
|
+
parsed['config'] = conf
|
133
|
+
end
|
134
|
+
opts.on('--infracrl', "Create auxiliary files for the infrastructure-only CRL.") do |infracrl|
|
135
|
+
parsed['infracrl'] = true
|
136
|
+
end
|
137
|
+
end
|
138
|
+
end
|
139
|
+
end
|
140
|
+
end
|
141
|
+
end
|
142
|
+
end
|
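Review bot: In `enable_infra_crl` the empty `infra_serials` file is written (`FileSystem.write_file(serial_file, '', 0644)`) before `create_infra_crl_chain` runs, so a failure in signing-digest lookup or CA loading leaves `infra_serials` on disk and the next attempt is rejected by `check_for_existing_infra_files` until the operator deletes it by hand. Writing the CRL first and the serial file only after the error check keeps a failed run from leaving partial state: `errors = create_infra_crl_chain(settings)` / `return errors unless errors.empty?` / `FileSystem.write_file(serial_file, '', 0644)`. The inventory-missing heredoc also ends with a stray `"` after `infra CRL setup!` that will be printed literally. Separately, `run` returns 0 without any output when `--infracrl` is not given, so a bare `puppetserver ca enable` silently does nothing; emitting the usage text or an informational message there would be clearer. The `infra_crl.pem` path is also built in both `enable_infra_crl` and `create_infra_crl_chain`; passing the path into the latter avoids the two drifting apart.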
@@ -45,10 +45,6 @@ Description:
|
|
45
45
|
conflicting with the actions of the CA service. This will be
|
46
46
|
mandatory in a future release.
|
47
47
|
|
48
|
-
To determine the target location, the default puppet.conf
|
49
|
-
is consulted for custom values. If using a custom puppet.conf
|
50
|
-
provide it with the --config flag
|
51
|
-
|
52
48
|
Options:
|
53
49
|
BANNER
|
54
50
|
def initialize(logger)
|
@@ -64,7 +60,7 @@ BANNER
|
|
64
60
|
'One or more comma separated certnames') do |certs|
|
65
61
|
parsed['certnames'] += certs
|
66
62
|
end
|
67
|
-
opts.on('--help', 'Display this
|
63
|
+
opts.on('--help', 'Display this command-specific help output') do |help|
|
68
64
|
parsed['help'] = true
|
69
65
|
end
|
70
66
|
opts.on('--config CONF', 'Path to puppet.conf') do |conf|
|
@@ -29,10 +29,6 @@ Description:
|
|
29
29
|
Note that the cert and crl provided for the leaf CA must not
|
30
30
|
have already issued or revoked any certificates.
|
31
31
|
|
32
|
-
To determine the target location the default puppet.conf
|
33
|
-
is consulted for custom values. If using a custom puppet.conf
|
34
|
-
provide it with the --config flag
|
35
|
-
|
36
32
|
Options:
|
37
33
|
BANNER
|
38
34
|
|
@@ -166,7 +162,7 @@ ERR
|
|
166
162
|
parsed['subject-alt-names'] = ''
|
167
163
|
OptionParser.new do |opts|
|
168
164
|
opts.banner = BANNER
|
169
|
-
opts.on('--help', 'Display this
|
165
|
+
opts.on('--help', 'Display this command-specific help output') do |help|
|
170
166
|
parsed['help'] = true
|
171
167
|
end
|
172
168
|
opts.on('--config CONF', 'Path to puppet.conf') do |conf|
|
@@ -40,7 +40,7 @@ Options:
|
|
40
40
|
opts.on('--config CONF', 'Custom path to Puppet\'s config file') do |conf|
|
41
41
|
parsed['config'] = conf
|
42
42
|
end
|
43
|
-
opts.on('--help', 'Display this command
|
43
|
+
opts.on('--help', 'Display this command-specific help output') do |help|
|
44
44
|
parsed['help'] = true
|
45
45
|
end
|
46
46
|
opts.on('--all', 'List all certificates') do |a|
|
@@ -31,10 +31,6 @@ Description:
|
|
31
31
|
IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
|
32
32
|
Names with no prefix will be treated as DNS names.
|
33
33
|
|
34
|
-
To determine the target location, the default puppet.conf
|
35
|
-
is consulted for custom values. If using a custom puppet.conf
|
36
|
-
provide it with the --config flag
|
37
|
-
|
38
34
|
Options:
|
39
35
|
BANNER
|
40
36
|
|
@@ -157,7 +153,7 @@ ERR
|
|
157
153
|
parsed['certname'] = ''
|
158
154
|
OptionParser.new do |opts|
|
159
155
|
opts.banner = BANNER
|
160
|
-
opts.on('--help', 'Display this
|
156
|
+
opts.on('--help', 'Display this command-specific help output') do |help|
|
161
157
|
parsed['help'] = true
|
162
158
|
end
|
163
159
|
opts.on('--config CONF', 'Path to puppet.conf') do |conf|
|
@@ -38,7 +38,7 @@ Options:
|
|
38
38
|
opts.on('--config CONF', 'Custom path to Puppet\'s config file') do |conf|
|
39
39
|
parsed['config'] = conf
|
40
40
|
end
|
41
|
-
opts.on('--help', 'Display this command
|
41
|
+
opts.on('--help', 'Display this command-specific help output') do |help|
|
42
42
|
parsed['help'] = true
|
43
43
|
end
|
44
44
|
opts.on('--all', 'Operate on all certnames') do |a|
|
data/lib/puppetserver/ca/cli.rb
CHANGED
@@ -3,6 +3,7 @@ require 'optparse'
|
|
3
3
|
require 'puppetserver/ca/action/clean'
|
4
4
|
require 'puppetserver/ca/action/generate'
|
5
5
|
require 'puppetserver/ca/action/import'
|
6
|
+
require 'puppetserver/ca/action/enable'
|
6
7
|
require 'puppetserver/ca/action/list'
|
7
8
|
require 'puppetserver/ca/action/revoke'
|
8
9
|
require 'puppetserver/ca/action/setup'
|
@@ -26,6 +27,7 @@ BANNER
|
|
26
27
|
INIT_ACTIONS = {
|
27
28
|
'import' => Action::Import,
|
28
29
|
'setup' => Action::Setup,
|
30
|
+
'enable' => Action::Enable,
|
29
31
|
}
|
30
32
|
|
31
33
|
MAINT_ACTIONS = {
|
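Review bot: The new `require 'puppetserver/ca/action/enable'` is placed after `import`, breaking the alphabetical order the surrounding requires follow (clean, generate, import, list, revoke, setup); moving it between `clean` and `generate` keeps the list sorted. The `'enable' => Action::Enable` entry in `INIT_ACTIONS` is likewise appended after `setup`; if the hash order is what the usage text iterates over, that is the order users will see, so placing `'enable'` before `'import'` is worth considering.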
@@ -37,7 +37,7 @@ module Puppetserver
|
|
37
37
|
["authorityKeyIdentifier", "keyid:always", false]
|
38
38
|
].freeze
|
39
39
|
|
40
|
-
attr_reader :cert, :key, :crl
|
40
|
+
attr_reader :cert, :cert_bundle, :key, :crl, :crl_chain
|
41
41
|
|
42
42
|
def initialize(digest, settings)
|
43
43
|
@digest = digest
|
@@ -63,9 +63,11 @@ module Puppetserver
|
|
63
63
|
end
|
64
64
|
|
65
65
|
def load_ssl_components(loader)
|
66
|
-
|
67
|
-
|
68
|
-
|
66
|
+
@cert_bundle = loader.certs
|
67
|
+
@cert = loader.certs.first
|
68
|
+
@key = loader.key
|
69
|
+
@crl_chain = loader.crls
|
70
|
+
@crl = loader.crls.first
|
69
71
|
end
|
70
72
|
|
71
73
|
def errors
|
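Review bot: `load_ssl_components` now calls `loader.certs` and `loader.crls` twice each (`@cert_bundle = loader.certs` then `@cert = loader.certs.first`, likewise for the CRLs); reading from the already-stored values, `@cert = @cert_bundle.first` and `@crl = @crl_chain.first`, makes the first-element relationship explicit and avoids re-invoking the loader if those accessors do any work. The new `cert_bundle` and `crl_chain` readers hand out the loader's arrays directly, so a caller that mutates them in place would alter the CA's own view of its chain; `enable.rb` happens to use the non-mutating `drop(1)`, but duplicating or freezing the arrays here would make that guarantee explicit. If `loader.certs` or `loader.crls` is empty, `.first` yields `nil` without an error at this point; presumably the loader's errors are surfaced through `errors`, whose definition begins at the end of the hunk, but that is worth confirming.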
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: puppetserver-ca
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Puppet, Inc.
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2019-01-16 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: facter
|
@@ -93,6 +93,7 @@ files:
|
|
93
93
|
- exe/puppetserver-ca
|
94
94
|
- lib/puppetserver/ca.rb
|
95
95
|
- lib/puppetserver/ca/action/clean.rb
|
96
|
+
- lib/puppetserver/ca/action/enable.rb
|
96
97
|
- lib/puppetserver/ca/action/generate.rb
|
97
98
|
- lib/puppetserver/ca/action/import.rb
|
98
99
|
- lib/puppetserver/ca/action/list.rb
|