puppetserver-ca 1.3.1 → 1.3.2
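--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7d21f7cdfd7425e4c88f7393fdd78534437eee25
+data.tar.gz: 80a876597aa720abd453663da272579f95361248
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 778cdc29b03bf61bde662da6c5f8796616c1aead0bb72e136a0e688d7dd7fec552dce878eb043f51252de650d86f8c10c76811125988302d67125dce67ce9fc0
+data.tar.gz: 96602ab1cf6da30af50fd1b50aaac4a96a936f35c60e7e2d6acec10a4e63fbb8888f586b28b517e291b524a1dea070b84425ff7d8e08fec2cecf5ce4b0dd2b54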
@@ -97,9 +97,10 @@ MSG
|
|
97
97
|
return signer.errors if signer.errors.any?
|
98
98
|
|
99
99
|
ca = LocalCertificateAuthority.new(signer.digest, settings)
|
100
|
-
infra_crl = ca.create_crl_for(ca.cert, ca.key)
|
101
100
|
return ca.errors if ca.errors.any?
|
102
101
|
|
102
|
+
infra_crl = ca.create_crl_for(ca.cert, ca.key)
|
103
|
+
|
103
104
|
# Drop the full leaf CRL from the chain
|
104
105
|
crl_chain = ca.crl_chain.drop(1)
|
105
106
|
# Add the new clean CRL, that will be populated with infra nodes only
|
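Review bot: Moving `infra_crl = ca.create_crl_for(ca.cert, ca.key)` below `return ca.errors if ca.errors.any?` is the right order, but nothing in the hunk records why, so the next edit can move it back; a one-line comment would pin it: `# ca.cert/ca.key may be nil when the loader reported errors; bail out before using them`. The nil case is inferred from the loader change elsewhere in this release (the signing cert is now looked up by key match and left nil on failure), not from this hunk itself. The enclosing method starts and ends outside the hunk.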
@@ -20,6 +20,7 @@ Usage:
|
|
20
20
|
puppetserver ca list [--help]
|
21
21
|
puppetserver ca list [--config]
|
22
22
|
puppetserver ca list [--all]
|
23
|
+
puppetserver ca list --certname NAME[,NAME]
|
23
24
|
|
24
25
|
Description:
|
25
26
|
List outstanding certificate requests. If --all is specified, signed and
|
@@ -46,11 +47,21 @@ Options:
|
|
46
47
|
opts.on('--all', 'List all certificates') do |a|
|
47
48
|
parsed['all'] = true
|
48
49
|
end
|
50
|
+
opts.on('--certname NAME[,NAME]', Array, 'List the specified cert(s)') do |cert|
|
51
|
+
parsed['certname'] = cert
|
52
|
+
end
|
49
53
|
end
|
50
54
|
end
|
51
55
|
|
52
56
|
def run(input)
|
53
57
|
config = input['config']
|
58
|
+
certnames = input['certname'] || []
|
59
|
+
all = input['all']
|
60
|
+
|
61
|
+
if all && certnames.any?
|
62
|
+
Errors.handle_with_usage(@logger, ['Cannot combine use of --all and --certname'])
|
63
|
+
return 1
|
64
|
+
end
|
54
65
|
|
55
66
|
if config
|
56
67
|
errors = FileSystem.validate_file_paths(config)
|
@@ -60,17 +71,25 @@ Options:
|
|
60
71
|
puppet = Config::Puppet.parse(config)
|
61
72
|
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
62
73
|
|
63
|
-
|
64
|
-
|
74
|
+
filter_names = certnames.any? \
|
75
|
+
? lambda { |x| certnames.include?(x['name']) }
|
76
|
+
: lambda { |x| true }
|
65
77
|
|
78
|
+
all_certs = get_all_certs(puppet.settings).select { |cert| filter_names.call(cert) }
|
66
79
|
requested, signed, revoked = separate_certs(all_certs)
|
67
|
-
|
80
|
+
missing = certnames - all_certs.map { |cert| cert['name'] }
|
81
|
+
|
82
|
+
(all || certnames.any?) \
|
83
|
+
? output_certs_by_state(requested, signed, revoked, missing)
|
84
|
+
: output_certs_by_state(requested)
|
68
85
|
|
69
|
-
return
|
86
|
+
return missing.any? \
|
87
|
+
? 1
|
88
|
+
: 0
|
70
89
|
end
|
71
90
|
|
72
|
-
def output_certs_by_state(requested, signed = [], revoked = [])
|
73
|
-
if revoked.empty? && signed.empty? && requested.empty?
|
91
|
+
def output_certs_by_state(requested, signed = [], revoked = [], missing = [])
|
92
|
+
if revoked.empty? && signed.empty? && requested.empty? && missing.empty?
|
74
93
|
@logger.inform "No certificates to list"
|
75
94
|
return
|
76
95
|
end
|
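Review bot: The backslash-continued ternaries at the end of `run` (`(all || certnames.any?) \ ? output_certs_by_state(...) : output_certs_by_state(requested)` and `return missing.any? \ ? 1 : 0`) split expressions across statements in a way that is easy to mis-edit; an `if`/`else` around the two output calls and a single line `return missing.any? ? 1 : 0` say the same thing. The fallback `lambda { |x| true }` leaves its parameter unused, so `lambda { |_cert| true }` (or folding the test into the `select` as `certnames.empty? || certnames.include?(cert['name'])`) makes that intent explicit. The non-zero exit when a requested name is absent is new behaviour and deserves a comment at the return, e.g. `# exit 1 when any --certname was not found on the CA`. `run` begins in the previous hunk, and `output_certs_by_state`, whose new `missing` parameter starts here, continues past this one.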
@@ -89,6 +108,13 @@ Options:
|
|
89
108
|
@logger.inform "Revoked Certificates:"
|
90
109
|
output_certs(revoked)
|
91
110
|
end
|
111
|
+
|
112
|
+
unless missing.empty?
|
113
|
+
@logger.inform "Missing Certificates:"
|
114
|
+
missing.each do |name|
|
115
|
+
@logger.inform " #{name}"
|
116
|
+
end
|
117
|
+
end
|
92
118
|
end
|
93
119
|
|
94
120
|
def output_certs(certs)
|
@@ -118,7 +144,7 @@ Options:
|
|
118
144
|
|
119
145
|
def get_all_certs(settings)
|
120
146
|
result = Puppetserver::Ca::CertificateAuthority.new(@logger, settings).get_certificate_statuses
|
121
|
-
JSON.parse(result.body)
|
147
|
+
result ? JSON.parse(result.body) : []
|
122
148
|
end
|
123
149
|
|
124
150
|
def parse(args)
|
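Review bot: `result ? JSON.parse(result.body) : []` makes a nil result from `get_certificate_statuses` indistinguishable from an empty CA: without `--certname` the caller then reports "No certificates to list" and exits 0, and with `--certname` every requested name lands in `missing`, so a failed lookup is reported as certificates that do not exist (the nil case presumably is a request failure — not visible here). If the client already logs that failure, the choice should at least be stated: `# nil means the status request failed (logged by the client); treat as no certs`; otherwise return nil and let `run` exit non-zero on it. `JSON.parse(result.body)` also assumes a successful response body, so if `result` exposes a status it is worth checking before parsing. `get_all_certs` is complete within the hunk; `parse` continues past it.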
@@ -64,10 +64,10 @@ module Puppetserver
|
|
64
64
|
|
65
65
|
def load_ssl_components(loader)
|
66
66
|
@cert_bundle = loader.certs
|
67
|
-
@cert = loader.certs.first
|
68
67
|
@key = loader.key
|
68
|
+
@cert = loader.cert
|
69
69
|
@crl_chain = loader.crls
|
70
|
-
@crl = loader.
|
70
|
+
@crl = loader.crl
|
71
71
|
end
|
72
72
|
|
73
73
|
def errors
|
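Review bot: `@cert = loader.cert` and `@crl = loader.crl` can both be nil now — the loader (presumably an `X509Loader`, whose change is elsewhere in this release) leaves them nil and pushes an error when no certificate matches the key or no CRL is issued by that certificate — and nothing in `load_ssl_components` tells a reader that `errors` must be consulted before using them. A comment on the two assignments would help: `# nil when the loader could not identify the signing cert or its CRL; check #errors first`. The previous `@cert = loader.certs.first` never yielded nil for a non-empty bundle, so call sites that only checked for a bundle may now need the errors check. `errors` starts past the hunk.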
@@ -5,7 +5,7 @@ module Puppetserver
|
|
5
5
|
# Load, validate, and store x509 objects needed by the Puppet Server CA.
|
6
6
|
class X509Loader
|
7
7
|
|
8
|
-
attr_reader :errors, :certs, :key, :crls
|
8
|
+
attr_reader :errors, :certs, :cert, :key, :crls, :crl
|
9
9
|
|
10
10
|
def initialize(bundle_path, key_path, chain_path)
|
11
11
|
@errors = []
|
@@ -13,23 +13,53 @@ module Puppetserver
|
|
13
13
|
@certs = load_certs(bundle_path)
|
14
14
|
@key = load_key(key_path)
|
15
15
|
@crls = load_crls(chain_path)
|
16
|
+
@cert = find_signing_cert
|
17
|
+
@crl = find_leaf_crl
|
16
18
|
|
17
19
|
validate(@certs, @key, @crls)
|
18
20
|
end
|
19
21
|
|
22
|
+
def find_signing_cert
|
23
|
+
return if @key.nil? || @certs.empty?
|
24
|
+
|
25
|
+
signing_cert = @certs.find do |cert|
|
26
|
+
cert.check_private_key(@key)
|
27
|
+
end
|
28
|
+
|
29
|
+
if signing_cert.nil?
|
30
|
+
@errors << "Could not find certificate matching private key"
|
31
|
+
end
|
32
|
+
|
33
|
+
signing_cert
|
34
|
+
end
|
35
|
+
|
36
|
+
def find_leaf_crl
|
37
|
+
return if @crls.empty? || @cert.nil?
|
38
|
+
|
39
|
+
leaf_crl = @crls.find do |crl|
|
40
|
+
crl.issuer == @cert.subject
|
41
|
+
end
|
42
|
+
|
43
|
+
if leaf_crl.nil?
|
44
|
+
@errors << 'Could not find CRL issued by CA certificate'
|
45
|
+
end
|
46
|
+
|
47
|
+
leaf_crl
|
48
|
+
end
|
49
|
+
|
20
50
|
# Only do as much validation as is possible, assume whoever tried to
|
21
51
|
# load the objects wrote errors about any invalid ones, but that bundle
|
22
52
|
# and chain may be empty arrays and pkey may be nil.
|
23
53
|
def validate(bundle, pkey, chain)
|
24
|
-
if
|
25
|
-
validate_crl_and_cert(
|
54
|
+
if !@crl.nil? && !@cert.nil?
|
55
|
+
validate_crl_and_cert(@crl, @cert)
|
26
56
|
end
|
27
57
|
|
28
|
-
if pkey &&
|
29
|
-
validate_cert_and_key(pkey,
|
58
|
+
if pkey && !@cert.nil?
|
59
|
+
validate_cert_and_key(pkey, @cert)
|
30
60
|
end
|
31
61
|
|
32
|
-
unless bundle.empty?
|
62
|
+
unless bundle.empty? || @cert.nil?
|
33
63
|
validate_full_chain(bundle, chain)
|
34
64
|
end
|
35
65
|
end
|
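Review bot: `find_leaf_crl` selects the CRL by `crl.issuer == @cert.subject`, which is a name comparison only: if two CRLs in the chain carry that issuer name (a stale copy next to the current one, for instance) `find` silently returns whichever comes first, and a CRL whose issuer DN matches but which was not signed by the CA is accepted as the leaf CRL. That is fine if `validate_crl_and_cert(@crl, @cert)` (body outside the hunk) checks the CRL signature against `@cert`'s public key; if it does not, add `crl.verify(@cert.public_key)` to the selection or to that validation. `find_signing_cert` and `find_leaf_crl` also append to `@errors` and appear to be public; unless they are meant to be called from outside `initialize`, they belong under `private` so a second call cannot duplicate the error entries. On style, `if !@crl.nil? && !@cert.nil?` and `if pkey && !@cert.nil?` in `validate` read more simply as `if @crl && @cert` and `if pkey && @cert`, and the two `find do ... end` blocks fit on one line with braces.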
@@ -112,7 +142,7 @@ module Puppetserver
|
|
112
142
|
# - If provided, no CAs within the chain of trust have been revoked
|
113
143
|
# However this does allow for:
|
114
144
|
# - Additional, ignored, certs and CRLs in the bundle/chain
|
115
|
-
# - certs and CRLs in any order
|
145
|
+
# - certs and CRLs in any order
|
116
146
|
def validate_full_chain(certs, crls)
|
117
147
|
store = OpenSSL::X509::Store.new
|
118
148
|
certs.each {|cert| store.add_cert(cert) }
|
@@ -121,7 +151,7 @@ module Puppetserver
|
|
121
151
|
crls.each {|crl| store.add_crl(crl) }
|
122
152
|
end
|
123
153
|
|
124
|
-
unless store.verify(
|
154
|
+
unless store.verify(@cert)
|
125
155
|
@errors << 'Leaf certificate could not be validated'
|
126
156
|
@errors << "Validating cert store returned: #{store.error} - #{store.error_string}"
|
127
157
|
end
|
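--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-version: 1.3.
+version: 1.3.2
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-
+date: 2019-07-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: facter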