puppetserver-ca 1.4.0 → 1.5.0
- checksums.yaml +4 -4
- data/CODEOWNERS +4 -0
- data/lib/puppetserver/ca/action/generate.rb +24 -10
- data/lib/puppetserver/ca/action/sign.rb +4 -1
- data/lib/puppetserver/ca/certificate_authority.rb +44 -5
- data/lib/puppetserver/ca/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6675ef6328d11ddc9d47becb63063089f1eab59d
|
4
|
+
data.tar.gz: f8f0e62f01297a56d238ffc7d074b6ed1300a448
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ce20b8b249b03b73eeeaed698723df472191269626e37ce232ddf6e5a199fbcc19e29787929efa70e4400dc7a14c38fc0ad1c62f0de1febee3845d36899b49da
|
7
|
+
data.tar.gz: 37b285c14dff8b48fab045dd699771917ac12e0b3663c61ec42d94ff6773644a7311af02d792ed17241be9b180f4ff041e2d61d04bf9cf7f034eaeefa0d12fa7
|
data/CODEOWNERS
ADDED
@@ -75,6 +75,9 @@ BANNER
|
|
75
75
|
'Causes the cert to be generated offline.') do |ca_client|
|
76
76
|
parsed['ca-client'] = true
|
77
77
|
end
|
78
|
+
opts.on('--ttl TTL', 'The time-to-live for each cert generated and signed') do |ttl|
|
79
|
+
parsed['ttl'] = ttl
|
80
|
+
end
|
78
81
|
end
|
79
82
|
end
|
80
83
|
|
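Review bot: The help text of the new `--ttl` option says nothing about the accepted format, although the value is later matched against `^(\d+)(s|m|h|d|y)?$` in `CertificateAuthority#process_ttl_input`, so users only learn the syntax from the error message. State it in the description, e.g. `opts.on('--ttl TTL', 'The time-to-live for each cert generated and signed, e.g. 90d (units: s, m, h, d, y)')`; the same applies to the `--ttl` option added to the sign parser in the hunk at `@@ -32,6 +32,9 @@ Options:`. What a bare number without a unit means is not stated on the page either — `process_ttl_input` forwards it to the CA unchanged — so the help text should say so once that is confirmed.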
@@ -140,7 +143,7 @@ BANNER
|
|
140
143
|
return 1 if check_server_online(puppet.settings)
|
141
144
|
all_passed = generate_authorized_certs(certnames, alt_names, puppet.settings, signer.digest)
|
142
145
|
else
|
143
|
-
all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest)
|
146
|
+
all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest, input['ttl'])
|
144
147
|
end
|
145
148
|
return all_passed ? 0 : 1
|
146
149
|
end
|
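Review bot: `input['ttl']` is handed to `generate_certs` unvalidated here; the only check is `process_ttl_input` inside `sign_certs`, which in this flow runs per certificate after `submit_csr` has already written the key and submitted the CSR (see `next false unless submit_csr(...)` followed by `next acquire_signed_cert(...)` in the later hunk). A malformed `--ttl` therefore fails each cert only after leaving a key on disk and a pending CSR on the CA, and prints the error once per certname. Parsing the value once in `run` before `check_server_online` and returning 1 on failure would fail fast with nothing created; the regex and unit table now live in `CertificateAuthority`, so that routine would need to be reachable from here or moved to a shared helper. `run` starts outside this hunk.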
@@ -209,8 +212,10 @@ BANNER
|
|
209
212
|
# Generate csrs and keys, then submit them to CA, request for the CA to sign
|
210
213
|
# them, download the signed certificates from the CA, and finally save
|
211
214
|
# the signed certs and associated keys. Returns true if all certs were
|
212
|
-
# successfully created and saved.
|
213
|
-
|
215
|
+
# successfully created and saved. Takes a ttl to use if certificates
|
216
|
+
# are signed by this CLI, not autosigned by the CA. if ttl is nil, uses
|
217
|
+
# the CA's settings.
|
218
|
+
def generate_certs(certnames, alt_names, settings, digest, ttl)
|
214
219
|
# Make sure we have all the directories where we will be writing files
|
215
220
|
FileSystem.ensure_dirs([settings[:ssldir],
|
216
221
|
settings[:certdir],
|
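Review bot: `generate_certs` gains a required positional `ttl` while `sign_certs` in the later hunk gives it a default of `nil`; `def generate_certs(certnames, alt_names, settings, digest, ttl = nil)` keeps the two signatures consistent and leaves any other caller working, and the comment's "if ttl is nil, uses the CA's settings" already describes that as the intended default. The comment could also say what form `ttl` takes — the raw CLI string, which this method never interprets and only passes on to `acquire_signed_cert` — so readers do not expect an integer. `generate_certs`' body continues outside the hunk.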
@@ -228,17 +233,26 @@ BANNER
|
|
228
233
|
next false unless submit_csr(certname, ca, settings, digest, current_alt_names)
|
229
234
|
|
230
235
|
# Check if the CA autosigned the cert
|
231
|
-
|
232
|
-
@logger.inform "Certificate for #{certname} was autosigned."
|
233
|
-
true
|
234
|
-
else
|
235
|
-
next false unless ca.sign_certs([certname])
|
236
|
-
download_cert(ca, certname, settings)
|
237
|
-
end
|
236
|
+
next acquire_signed_cert(ca, certname, settings, ttl)
|
238
237
|
end
|
239
238
|
passed.all?
|
240
239
|
end
|
241
240
|
|
241
|
+
# Try to download a signed certificate; sign the cert with the given ttl if it needs
|
242
|
+
# signing before download.
|
243
|
+
def acquire_signed_cert(ca, certname, settings, ttl)
|
244
|
+
if download_cert(ca, certname, settings)
|
245
|
+
@logger.inform "Certificate for #{certname} was autosigned."
|
246
|
+
if ttl
|
247
|
+
@logger.warn "ttl was specified, but the CA autosigned the CSR. Unable to specify #{ttl} for #{certname}"
|
248
|
+
end
|
249
|
+
true
|
250
|
+
else
|
251
|
+
false unless ca.sign_certs([certname], ttl)
|
252
|
+
download_cert(ca, certname, settings)
|
253
|
+
end
|
254
|
+
end
|
255
|
+
|
242
256
|
def submit_csr(certname, ca, settings, digest, alt_names)
|
243
257
|
key, csr = generate_key_csr(certname, settings, digest, alt_names)
|
244
258
|
return false unless csr
|
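Review bot: `false unless ca.sign_certs([certname], ttl)` in `acquire_signed_cert` is a bare expression whose value is discarded, so the method falls through to `download_cert` even when signing failed or `sign_certs` returned false because the ttl was rejected. The removed block code worked because `next false` left the block; inside a method it has to be `return false unless ca.sign_certs([certname], ttl)`. As written, a signing failure is only ever surfaced through the outcome of the second download attempt.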
@@ -32,6 +32,9 @@ Options:
|
|
32
32
|
def self.parser(parsed = {})
|
33
33
|
OptionParser.new do |opts|
|
34
34
|
opts.banner = BANNER
|
35
|
+
opts.on('--ttl TTL', 'The time-to-live for each cert signed') do |ttl|
|
36
|
+
parsed['ttl'] = ttl
|
37
|
+
end
|
35
38
|
opts.on('--certname NAME[,NAME]', Array, 'the name(s) of the cert(s) to be signed') do |cert|
|
36
39
|
parsed['certname'] = cert
|
37
40
|
end
|
@@ -72,7 +75,7 @@ Options:
|
|
72
75
|
requested_certnames = input['certname']
|
73
76
|
end
|
74
77
|
|
75
|
-
success = ca.sign_certs(requested_certnames)
|
78
|
+
success = ca.sign_certs(requested_certnames, input['ttl'])
|
76
79
|
return success ? 0 : 1
|
77
80
|
end
|
78
81
|
|
@@ -8,6 +8,16 @@ module Puppetserver
|
|
8
8
|
|
9
9
|
include Puppetserver::Ca::Utils
|
10
10
|
|
11
|
+
# Taken from puppet/lib/settings/duration_settings.rb
|
12
|
+
UNITMAP = {
|
13
|
+
# 365 days isn't technically a year, but is sufficient for most purposes
|
14
|
+
"y" => 365 * 24 * 60 * 60,
|
15
|
+
"d" => 24 * 60 * 60,
|
16
|
+
"h" => 60 * 60,
|
17
|
+
"m" => 60,
|
18
|
+
"s" => 1
|
19
|
+
}
|
20
|
+
|
11
21
|
REVOKE_BODY = JSON.dump({ desired_state: 'revoked' })
|
12
22
|
SIGN_BODY = JSON.dump({ desired_state: 'signed' })
|
13
23
|
|
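Review bot: `UNITMAP` is a mutable Hash constant; closing it with `}.freeze` prevents accidental modification at runtime, the usual treatment of lookup-table constants. The values are seconds per unit suffix, which the comment above the table could state explicitly (`# seconds per ttl unit suffix; taken from puppet/lib/settings/duration_settings.rb`), since `process_ttl_input` in the next hunk multiplies by them to build `cert_ttl`.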
@@ -35,11 +45,40 @@ module Puppetserver
|
|
35
45
|
HttpClient::URL.new('https', @ca_server, @ca_port, 'puppet-ca', 'v1', resource_type, certname)
|
36
46
|
end
|
37
47
|
|
38
|
-
def
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
48
|
+
def process_ttl_input(ttl)
|
49
|
+
match = /^(\d+)(s|m|h|d|y)?$/.match(ttl)
|
50
|
+
if match
|
51
|
+
if match[2]
|
52
|
+
match[1].to_i * UNITMAP[match[2]].to_i
|
53
|
+
else
|
54
|
+
ttl
|
55
|
+
end
|
56
|
+
else
|
57
|
+
@logger.err "Error:"
|
58
|
+
@logger.err " '#{ttl}' is an invalid ttl value"
|
59
|
+
@logger.err "Value should match regex \"^(\d+)(s|m|h|d|y)?$\""
|
60
|
+
nil
|
61
|
+
end
|
62
|
+
end
|
63
|
+
|
64
|
+
def sign_certs(certnames, ttl=nil)
|
65
|
+
results = []
|
66
|
+
if ttl
|
67
|
+
lifetime = process_ttl_input(ttl)
|
68
|
+
return false if lifetime.nil?
|
69
|
+
body = JSON.dump({ desired_state: 'signed',
|
70
|
+
cert_ttl: lifetime})
|
71
|
+
results = put(certnames,
|
72
|
+
resource_type: 'certificate_status',
|
73
|
+
body: body,
|
74
|
+
type: :sign)
|
75
|
+
else
|
76
|
+
results = put(certnames,
|
77
|
+
resource_type: 'certificate_status',
|
78
|
+
body: SIGN_BODY,
|
79
|
+
type: :sign)
|
80
|
+
end
|
81
|
+
|
43
82
|
|
44
83
|
results.all? { |result| result == :success }
|
45
84
|
end
|
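Review bot: `process_ttl_input` anchors its pattern with `^`/`$`, which in Ruby match at line boundaries rather than string ends, so a value whose first line is valid matches and the remainder is silently ignored; `\A(\d+)(s|m|h|d|y)?\z` validates the whole string. When no unit suffix is present the method returns the original string instead of a number, so `cert_ttl` is serialised as a JSON string in that branch and as an integer otherwise — returning `match[1].to_i` keeps the type consistent. The hint `@logger.err "Value should match regex \"^(\d+)(s|m|h|d|y)?$\""` is a double-quoted literal, so `\d` is emitted as plain `d` and the user sees `^(d+)…`; single-quote the string or write `\\d`. In `sign_certs` the two `put` calls differ only in `body`, so choosing the body first and issuing a single `put` would remove the duplication.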
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: puppetserver-ca
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.5.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Puppet, Inc.
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2019-
|
11
|
+
date: 2019-12-02 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: facter
|
@@ -83,6 +83,7 @@ files:
|
|
83
83
|
- ".gitignore"
|
84
84
|
- ".rspec"
|
85
85
|
- ".travis.yml"
|
86
|
+
- CODEOWNERS
|
86
87
|
- CODE_OF_CONDUCT.md
|
87
88
|
- CONTRIBUTING.md
|
88
89
|
- Gemfile
|