puppetserver-ca 1.3.1 → 1.3.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 620bfa6c11518623fbd5070910a6c119d7597f3d
4
- data.tar.gz: e68bb09956a5248ee1644a719a04f46c23bfaabe
3
+ metadata.gz: 7d21f7cdfd7425e4c88f7393fdd78534437eee25
4
+ data.tar.gz: 80a876597aa720abd453663da272579f95361248
5
5
  SHA512:
6
- metadata.gz: 4b4b9ac60fccc7b4229f8763602cdef31dd0fc031caadc822901ef15980a167e54cd7c1b434d2b6766be38bf191220e6e835a321124a5277fe79c3799e47df63
7
- data.tar.gz: 05c098c24279c5418a5a84f62b81084694167be9d1313eec2314b5410a2f0a36914af84cfc164146c643fa86131f561e6845fceec58c20e81b9204c225a544d9
6
+ metadata.gz: 778cdc29b03bf61bde662da6c5f8796616c1aead0bb72e136a0e688d7dd7fec552dce878eb043f51252de650d86f8c10c76811125988302d67125dce67ce9fc0
7
+ data.tar.gz: 96602ab1cf6da30af50fd1b50aaac4a96a936f35c60e7e2d6acec10a4e63fbb8888f586b28b517e291b524a1dea070b84425ff7d8e08fec2cecf5ce4b0dd2b54
@@ -97,9 +97,10 @@ MSG
97
97
  return signer.errors if signer.errors.any?
98
98
 
99
99
  ca = LocalCertificateAuthority.new(signer.digest, settings)
100
- infra_crl = ca.create_crl_for(ca.cert, ca.key)
101
100
  return ca.errors if ca.errors.any?
102
101
 
102
+ infra_crl = ca.create_crl_for(ca.cert, ca.key)
103
+
103
104
  # Drop the full leaf CRL from the chain
104
105
  crl_chain = ca.crl_chain.drop(1)
105
106
  # Add the new clean CRL, that will be populated with infra nodes only
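Review bot: `crl_chain = ca.crl_chain.drop(1)` still assumes the leaf CRL is the first element of the chain, while the X509Loader changes in this same release locate the leaf CRL by issuer and drop the "leaf cert is first" ordering note from validate_full_chain, so for a chain that is not leaf-first the full leaf CRL would presumably stay in the chain and the new `infra_crl` be added beside it rather than replacing it. If LocalCertificateAuthority exposes the loader's `crl` the way it exposes `cert` and `crl_chain`, the drop can be made order-independent: `crl_chain = ca.crl_chain.reject { |crl| crl.equal?(ca.crl) }`. Moving the `infra_crl` creation below the `ca.errors` check is the right order, since `ca.cert` is nil when the loader could not match the key. The enclosing method starts before and ends after this hunk.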
@@ -20,6 +20,7 @@ Usage:
20
20
  puppetserver ca list [--help]
21
21
  puppetserver ca list [--config]
22
22
  puppetserver ca list [--all]
23
+ puppetserver ca list --certname NAME[,NAME]
23
24
 
24
25
  Description:
25
26
  List outstanding certificate requests. If --all is specified, signed and
@@ -46,11 +47,21 @@ Options:
46
47
  opts.on('--all', 'List all certificates') do |a|
47
48
  parsed['all'] = true
48
49
  end
50
+ opts.on('--certname NAME[,NAME]', Array, 'List the specified cert(s)') do |cert|
51
+ parsed['certname'] = cert
52
+ end
49
53
  end
50
54
  end
51
55
 
52
56
  def run(input)
53
57
  config = input['config']
58
+ certnames = input['certname'] || []
59
+ all = input['all']
60
+
61
+ if all && certnames.any?
62
+ Errors.handle_with_usage(@logger, ['Cannot combine use of --all and --certname'])
63
+ return 1
64
+ end
54
65
 
55
66
  if config
56
67
  errors = FileSystem.validate_file_paths(config)
@@ -60,17 +71,25 @@ Options:
60
71
  puppet = Config::Puppet.parse(config)
61
72
  return 1 if Errors.handle_with_usage(@logger, puppet.errors)
62
73
 
63
- all_certs = get_all_certs(puppet.settings)
64
- return 1 if all_certs.nil?
74
+ filter_names = certnames.any? \
75
+ ? lambda { |x| certnames.include?(x['name']) }
76
+ : lambda { |x| true }
65
77
 
78
+ all_certs = get_all_certs(puppet.settings).select { |cert| filter_names.call(cert) }
66
79
  requested, signed, revoked = separate_certs(all_certs)
67
- input['all'] ? output_certs_by_state(requested, signed, revoked) : output_certs_by_state(requested)
80
+ missing = certnames - all_certs.map { |cert| cert['name'] }
81
+
82
+ (all || certnames.any?) \
83
+ ? output_certs_by_state(requested, signed, revoked, missing)
84
+ : output_certs_by_state(requested)
68
85
 
69
- return 0
86
+ return missing.any? \
87
+ ? 1
88
+ : 0
70
89
  end
71
90
 
72
- def output_certs_by_state(requested, signed = [], revoked = [])
73
- if revoked.empty? && signed.empty? && requested.empty?
91
+ def output_certs_by_state(requested, signed = [], revoked = [], missing = [])
92
+ if revoked.empty? && signed.empty? && requested.empty? && missing.empty?
74
93
  @logger.inform "No certificates to list"
75
94
  return
76
95
  end
@@ -89,6 +108,13 @@ Options:
89
108
  @logger.inform "Revoked Certificates:"
90
109
  output_certs(revoked)
91
110
  end
111
+
112
+ unless missing.empty?
113
+ @logger.inform "Missing Certificates:"
114
+ missing.each do |name|
115
+ @logger.inform " #{name}"
116
+ end
117
+ end
92
118
  end
93
119
 
94
120
  def output_certs(certs)
@@ -118,7 +144,7 @@ Options:
118
144
 
119
145
  def get_all_certs(settings)
120
146
  result = Puppetserver::Ca::CertificateAuthority.new(@logger, settings).get_certificate_statuses
121
- JSON.parse(result.body) if result
147
+ result ? JSON.parse(result.body) : []
122
148
  end
123
149
 
124
150
  def parse(args)
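Review bot: A failed status request is now reported as success: in the `@@ -118` hunk `get_all_certs` returns `[]` instead of `nil` when `result` is falsy (presumably a request that did not complete), and in the `@@ -60` hunk `run` drops the `return 1 if all_certs.nil?` guard, so the empty array flows into `separate_certs` and the command either prints "No certificates to list" and exits 0, or with `--certname` reports every requested name as missing, whenever the CA could not be queried. Keeping the nil return in `get_all_certs` and re-adding the guard before the filter preserves the error exit: `all_certs = get_all_certs(puppet.settings)` / `return 1 if all_certs.nil?` / `all_certs = all_certs.select { |cert| filter_names.call(cert) }`. Minor: the pass-through filter `lambda { |x| true }` ignores its argument, which reads cleaner as `->(_) { true }`. `run` begins in the `@@ -46` hunk and its body continues past the end of the `@@ -60` hunk.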
@@ -64,10 +64,10 @@ module Puppetserver
64
64
 
65
65
  def load_ssl_components(loader)
66
66
  @cert_bundle = loader.certs
67
- @cert = loader.certs.first
68
67
  @key = loader.key
68
+ @cert = loader.cert
69
69
  @crl_chain = loader.crls
70
- @crl = loader.crls.first
70
+ @crl = loader.crl
71
71
  end
72
72
 
73
73
  def errors
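Review bot: `@cert` and `@crl` can now be nil even when `@cert_bundle` and `@crl_chain` are non-empty, because `loader.cert` and `loader.crl` are nil when no bundle certificate matches the key or no CRL is issued by that certificate (the loader records an error instead), whereas `loader.certs.first` and `loader.crls.first` were nil only for an empty bundle or chain. A comment on `load_ssl_components` would keep that contract visible to callers: `# @cert and @crl are nil when the loader could not match the key or issuer; check #errors before using them`. Whether `errors` forwards the loader's errors is outside this hunk; if it does not, a caller that only tests `crl_chain` or `cert_bundle` for emptiness would go on to use a nil `cert`.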
@@ -1,5 +1,5 @@
1
1
  module Puppetserver
2
2
  module Ca
3
- VERSION = "1.3.1"
3
+ VERSION = "1.3.2"
4
4
  end
5
5
  end
@@ -5,7 +5,7 @@ module Puppetserver
5
5
  # Load, validate, and store x509 objects needed by the Puppet Server CA.
6
6
  class X509Loader
7
7
 
8
- attr_reader :errors, :certs, :key, :crls
8
+ attr_reader :errors, :certs, :cert, :key, :crls, :crl
9
9
 
10
10
  def initialize(bundle_path, key_path, chain_path)
11
11
  @errors = []
@@ -13,23 +13,53 @@ module Puppetserver
13
13
  @certs = load_certs(bundle_path)
14
14
  @key = load_key(key_path)
15
15
  @crls = load_crls(chain_path)
16
+ @cert = find_signing_cert
17
+ @crl = find_leaf_crl
16
18
 
17
19
  validate(@certs, @key, @crls)
18
20
  end
19
21
 
22
+ def find_signing_cert
23
+ return if @key.nil? || @certs.empty?
24
+
25
+ signing_cert = @certs.find do |cert|
26
+ cert.check_private_key(@key)
27
+ end
28
+
29
+ if signing_cert.nil?
30
+ @errors << "Could not find certificate matching private key"
31
+ end
32
+
33
+ signing_cert
34
+ end
35
+
36
+ def find_leaf_crl
37
+ return if @crls.empty? || @cert.nil?
38
+
39
+ leaf_crl = @crls.find do |crl|
40
+ crl.issuer == @cert.subject
41
+ end
42
+
43
+ if leaf_crl.nil?
44
+ @errors << 'Could not find CRL issued by CA certificate'
45
+ end
46
+
47
+ leaf_crl
48
+ end
49
+
20
50
  # Only do as much validation as is possible, assume whoever tried to
21
51
  # load the objects wrote errors about any invalid ones, but that bundle
22
52
  # and chain may be empty arrays and pkey may be nil.
23
53
  def validate(bundle, pkey, chain)
24
- if !chain.empty? && !bundle.empty?
25
- validate_crl_and_cert(chain.first, bundle.first)
54
+ if !@crl.nil? && !@cert.nil?
55
+ validate_crl_and_cert(@crl, @cert)
26
56
  end
27
57
 
28
- if pkey && !bundle.empty?
29
- validate_cert_and_key(pkey, bundle.first)
58
+ if pkey && !@cert.nil?
59
+ validate_cert_and_key(pkey, @cert)
30
60
  end
31
61
 
32
- unless bundle.empty?
62
+ unless bundle.empty? || @cert.nil?
33
63
  validate_full_chain(bundle, chain)
34
64
  end
35
65
  end
@@ -112,7 +142,7 @@ module Puppetserver
112
142
  # - If provided, no CAs within the chain of trust have been revoked
113
143
  # However this does allow for:
114
144
  # - Additional, ignored, certs and CRLs in the bundle/chain
115
- # - certs and CRLs in any order (as long as the leaf cert is first)
145
+ # - certs and CRLs in any order
116
146
  def validate_full_chain(certs, crls)
117
147
  store = OpenSSL::X509::Store.new
118
148
  certs.each {|cert| store.add_cert(cert) }
@@ -121,7 +151,7 @@ module Puppetserver
121
151
  crls.each {|crl| store.add_crl(crl) }
122
152
  end
123
153
 
124
- unless store.verify(certs.first)
154
+ unless store.verify(@cert)
125
155
  @errors << 'Leaf certificate could not be validated'
126
156
  @errors << "Validating cert store returned: #{store.error} - #{store.error_string}"
127
157
  end
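Review bot: `find_leaf_crl` in the `@@ -13,23 +13,53` hunk selects the leaf CRL by issuer DN alone, so when the chain holds two CRLs with the same issuer name — for example a stale CRL left beside the current one after the CA certificate was re-issued — the first one wins regardless of which key signed it, and `validate` then works with that pick. Tightening the predicate to the CRL that actually verifies under the selected certificate makes the choice unambiguous: `crl.issuer == @cert.subject && crl.verify(@cert.public_key)`. `find_signing_cert` and `find_leaf_crl` are order-dependent (the second reads `@cert` set by the first) and append to `@errors`, yet no `private` marker is visible in the hunk, so marking them `private` or noting the required ordering in a comment would stop them being called out of sequence. `validate` still takes `bundle, pkey, chain` while now reading `@crl` and `@cert` directly, which mixes the two styles; passing the selected objects in as parameters, or reading `@certs`/`@key`/`@crls` throughout, would be consistent.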
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puppetserver-ca
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.1
4
+ version: 1.3.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Puppet, Inc.
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-03-08 00:00:00.000000000 Z
11
+ date: 2019-07-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: facter