puppetserver-ca 1.9.3 → 2.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +6 -6
- data/lib/puppetserver/ca/action/clean.rb +3 -3
- data/lib/puppetserver/ca/action/enable.rb +1 -1
- data/lib/puppetserver/ca/action/generate.rb +4 -4
- data/lib/puppetserver/ca/action/import.rb +15 -12
- data/lib/puppetserver/ca/action/list.rb +1 -1
- data/lib/puppetserver/ca/action/migrate.rb +9 -15
- data/lib/puppetserver/ca/action/revoke.rb +3 -3
- data/lib/puppetserver/ca/action/setup.rb +16 -13
- data/lib/puppetserver/ca/action/sign.rb +1 -1
- data/lib/puppetserver/ca/config/puppet.rb +52 -20
- data/lib/puppetserver/ca/host.rb +2 -2
- data/lib/puppetserver/ca/local_certificate_authority.rb +9 -9
- data/lib/puppetserver/ca/utils/config.rb +36 -0
- data/lib/puppetserver/ca/utils/file_system.rb +13 -0
- data/lib/puppetserver/ca/utils/http_client.rb +1 -1
- data/lib/puppetserver/ca/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 497bfffece8f53a956a7b1e668e9e822cd96e1e14ee9491c8e7cc88d9344a373
|
|
4
|
+
data.tar.gz: a77a2b34ef63e9952daf7b67f90ba895427584e02e859739a93092246775a5a6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 175e6787a090312bca7d48f042fba739e35b0eb41bde6059408ad1490788049906b5ccfa1c4408c1c391491c7ea73a98ba31b34062ec61eeb101aad20aaf749e
|
|
7
|
+
data.tar.gz: 1fd6b2216952dca8053b03d5f2b09db65e6b4b3529a6c025ebb86331901f56aa3f1a25bb2c7cda3bbd7da3592ecd691a1e3b169b6e2166b57802b48adb0c6101
|
data/README.md
CHANGED
|
@@ -61,7 +61,7 @@ puppetserver ca --help
|
|
|
61
61
|
```
|
|
62
62
|
|
|
63
63
|
This code in this project is licensed under the Apache Software License v2,
|
|
64
|
-
please see the included [License](https://github.com/puppetlabs/puppetserver-ca-cli/blob/
|
|
64
|
+
please see the included [License](https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/LICENSE.md)
|
|
65
65
|
for more details.
|
|
66
66
|
|
|
67
67
|
|
|
@@ -79,8 +79,8 @@ To test your changes on a VM:
|
|
|
79
79
|
1. Copy the gem to your VM: `scp puppetserver-ca-<version>.gem <your-vm>:.`
|
|
80
80
|
1. Install puppetserver (FOSS) by installing the relevant release package and then installing the puppetserver package. For example:
|
|
81
81
|
```
|
|
82
|
-
$ wget http://nightlies.puppet.com/yum/
|
|
83
|
-
$ rpm -i
|
|
82
|
+
$ wget http://nightlies.puppet.com/yum/puppet-nightly-release-el-7.noarch.rpm
|
|
83
|
+
$ rpm -i puppet-nightly-release-el-7.noarch.rpm
|
|
84
84
|
$ yum update
|
|
85
85
|
$ yum install -y puppetserver
|
|
86
86
|
```
|
|
@@ -92,7 +92,7 @@ To test your changes on a VM:
|
|
|
92
92
|
1. To confirm that installation was successful, run `puppetserver ca --help`
|
|
93
93
|
|
|
94
94
|
### Releasing
|
|
95
|
-
To release a new version, run the [release pipeline](https://jenkins-master-prod-1.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-
|
|
95
|
+
To release a new version, run the [release pipeline](https://jenkins-master-prod-1.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_main/), which will bump the version, tag, build, and release the gem.
|
|
96
96
|
|
|
97
97
|
|
|
98
98
|
## Contributing & Support
|
|
@@ -105,9 +105,9 @@ Freenode, or the Puppet Community Slack channel.
|
|
|
105
105
|
|
|
106
106
|
Contributions are welcome at https://github.com/puppetlabs/puppetserver-ca-cli/pulls.
|
|
107
107
|
Contributors should both be sure to read the
|
|
108
|
-
[contributing document](https://github.com/puppetlabs/puppetserver-ca-cli/blob/
|
|
108
|
+
[contributing document](https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/CONTRIBUTING.md)
|
|
109
109
|
and sign the [contributor license agreement](https://cla.puppet.com/).
|
|
110
110
|
|
|
111
111
|
Everyone interacting with the project’s codebase, issue tracker, etc is expected
|
|
112
112
|
to follow the
|
|
113
|
-
[code of conduct](https://github.com/puppetlabs/puppetserver-ca-cli/blob/
|
|
113
|
+
[code of conduct](https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/CODE_OF_CONDUCT.md).
|
|
@@ -14,7 +14,7 @@ module Puppetserver
|
|
|
14
14
|
|
|
15
15
|
include Puppetserver::Ca::Utils
|
|
16
16
|
|
|
17
|
-
|
|
17
|
+
CERTNAME_BLOCKLIST = %w{--all --config}
|
|
18
18
|
|
|
19
19
|
SUMMARY = 'Revoke cert(s) and remove related files from CA'
|
|
20
20
|
BANNER = <<-BANNER
|
|
@@ -59,7 +59,7 @@ BANNER
|
|
|
59
59
|
errors = CliParsing.parse_with_errors(parser, args)
|
|
60
60
|
|
|
61
61
|
results['certnames'].each do |certname|
|
|
62
|
-
if
|
|
62
|
+
if CERTNAME_BLOCKLIST.include?(certname)
|
|
63
63
|
errors << " Cannot manage cert named `#{certname}` from " +
|
|
64
64
|
"the CLI, if needed use the HTTP API directly"
|
|
65
65
|
end
|
|
@@ -85,7 +85,7 @@ BANNER
|
|
|
85
85
|
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
86
86
|
end
|
|
87
87
|
|
|
88
|
-
puppet = Config::Puppet.parse(config)
|
|
88
|
+
puppet = Config::Puppet.parse(config, @logger)
|
|
89
89
|
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
90
90
|
|
|
91
91
|
result = clean_certs(certnames, puppet.settings)
|
|
@@ -18,7 +18,7 @@ module Puppetserver
|
|
|
18
18
|
|
|
19
19
|
# Only allow printing ascii characters, excluding /
|
|
20
20
|
VALID_CERTNAME = /\A[ -.0-~]+\Z/
|
|
21
|
-
|
|
21
|
+
CERTNAME_BLOCKLIST = %w{--all --config}
|
|
22
22
|
|
|
23
23
|
SUMMARY = "Generate a new certificate signed by the CA"
|
|
24
24
|
BANNER = <<-BANNER
|
|
@@ -35,7 +35,7 @@ Description:
|
|
|
35
35
|
If the `--ca-client` flag is passed, the cert will be generated
|
|
36
36
|
offline, without using Puppet Server's signing code, and will add
|
|
37
37
|
a special extension authorizing it to talk to the CA API. This can
|
|
38
|
-
be used for regenerating the
|
|
38
|
+
be used for regenerating the server's host cert, or for manually
|
|
39
39
|
setting up other nodes to be CA clients. Do not distribute certs
|
|
40
40
|
generated this way to any node that you do not intend to have
|
|
41
41
|
administrative access to the CA (e.g. the ability to sign a cert).
|
|
@@ -91,7 +91,7 @@ BANNER
|
|
|
91
91
|
errors << ' At least one certname is required to generate'
|
|
92
92
|
else
|
|
93
93
|
results['certnames'].each do |certname|
|
|
94
|
-
if
|
|
94
|
+
if CERTNAME_BLOCKLIST.include?(certname)
|
|
95
95
|
errors << " Cannot manage cert named `#{certname}` from " +
|
|
96
96
|
"the CLI, if needed use the HTTP API directly"
|
|
97
97
|
end
|
|
@@ -126,7 +126,7 @@ BANNER
|
|
|
126
126
|
# Load, resolve, and validate puppet config settings
|
|
127
127
|
settings_overrides = {}
|
|
128
128
|
puppet = Config::Puppet.new(config_path)
|
|
129
|
-
puppet.load(settings_overrides)
|
|
129
|
+
puppet.load(cli_overrides: settings_overrides, logger: @logger)
|
|
130
130
|
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
131
131
|
|
|
132
132
|
# We don't want generate to respect the alt names setting, since it is usually
|
|
@@ -4,6 +4,7 @@ require 'puppetserver/ca/config/puppet'
|
|
|
4
4
|
require 'puppetserver/ca/errors'
|
|
5
5
|
require 'puppetserver/ca/local_certificate_authority'
|
|
6
6
|
require 'puppetserver/ca/utils/cli_parsing'
|
|
7
|
+
require 'puppetserver/ca/utils/config'
|
|
7
8
|
require 'puppetserver/ca/utils/file_system'
|
|
8
9
|
require 'puppetserver/ca/utils/signing_digest'
|
|
9
10
|
require 'puppetserver/ca/x509_loader'
|
|
@@ -14,7 +15,7 @@ module Puppetserver
|
|
|
14
15
|
class Import
|
|
15
16
|
include Puppetserver::Ca::Utils
|
|
16
17
|
|
|
17
|
-
SUMMARY = "Import an external CA chain and generate
|
|
18
|
+
SUMMARY = "Import an external CA chain and generate server PKI"
|
|
18
19
|
BANNER = <<-BANNER
|
|
19
20
|
Usage:
|
|
20
21
|
puppetserver ca import [--help]
|
|
@@ -55,7 +56,7 @@ BANNER
|
|
|
55
56
|
settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
|
|
56
57
|
|
|
57
58
|
puppet = Config::Puppet.new(config_path)
|
|
58
|
-
puppet.load(settings_overrides)
|
|
59
|
+
puppet.load(cli_overrides: settings_overrides, logger: @logger)
|
|
59
60
|
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
60
61
|
|
|
61
62
|
# Load most secure signing digest we can for cers/crl/csr signing.
|
|
@@ -72,7 +73,7 @@ BANNER
|
|
|
72
73
|
def import(loader, settings, signing_digest)
|
|
73
74
|
ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
|
|
74
75
|
ca.initialize_ssl_components(loader)
|
|
75
|
-
|
|
76
|
+
server_key, server_cert = ca.create_server_cert
|
|
76
77
|
return ca.errors if ca.errors.any?
|
|
77
78
|
|
|
78
79
|
FileSystem.ensure_dirs([settings[:ssldir],
|
|
@@ -88,25 +89,25 @@ BANNER
|
|
|
88
89
|
[settings[:cadir] + '/infra_crl.pem', loader.crls],
|
|
89
90
|
[settings[:localcacert], loader.certs],
|
|
90
91
|
[settings[:hostcrl], loader.crls],
|
|
91
|
-
[settings[:hostpubkey],
|
|
92
|
-
[settings[:hostcert],
|
|
93
|
-
[settings[:cert_inventory], ca.inventory_entry(
|
|
92
|
+
[settings[:hostpubkey], server_key.public_key],
|
|
93
|
+
[settings[:hostcert], server_cert],
|
|
94
|
+
[settings[:cert_inventory], ca.inventory_entry(server_cert)],
|
|
94
95
|
[settings[:capub], loader.key.public_key],
|
|
95
96
|
[settings[:cadir] + '/infra_inventory.txt', ''],
|
|
96
97
|
[settings[:cadir] + '/infra_serials', ''],
|
|
97
98
|
[settings[:serial], "002"],
|
|
98
|
-
[File.join(settings[:signeddir], "#{settings[:certname]}.pem"),
|
|
99
|
+
[File.join(settings[:signeddir], "#{settings[:certname]}.pem"), server_cert]
|
|
99
100
|
]
|
|
100
101
|
|
|
101
102
|
private_files = [
|
|
102
|
-
[settings[:hostprivkey],
|
|
103
|
+
[settings[:hostprivkey], server_key],
|
|
103
104
|
[settings[:cakey], loader.key],
|
|
104
105
|
]
|
|
105
106
|
|
|
106
107
|
files_to_check = public_files + private_files
|
|
107
|
-
# We don't want to error if
|
|
108
|
+
# We don't want to error if server's keys exist. Certain workflows
|
|
108
109
|
# allow the agent to have already be installed with keys and then
|
|
109
|
-
# upgraded to be a
|
|
110
|
+
# upgraded to be a server. The host class will honor keys, if both
|
|
110
111
|
# public and private exist, and error if only one exists - as is
|
|
111
112
|
# previous behavior.
|
|
112
113
|
files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
|
|
@@ -130,6 +131,8 @@ ERR
|
|
|
130
131
|
FileSystem.write_file(location, content, 0640)
|
|
131
132
|
end
|
|
132
133
|
|
|
134
|
+
Puppetserver::Ca::Utils::Config.symlink_to_old_cadir(settings[:cadir], settings[:confdir])
|
|
135
|
+
|
|
133
136
|
return []
|
|
134
137
|
end
|
|
135
138
|
|
|
@@ -178,11 +181,11 @@ ERR
|
|
|
178
181
|
parsed['crl-chain'] = chain
|
|
179
182
|
end
|
|
180
183
|
opts.on('--certname NAME',
|
|
181
|
-
'Common name to use for the
|
|
184
|
+
'Common name to use for the server cert') do |name|
|
|
182
185
|
parsed['certname'] = name
|
|
183
186
|
end
|
|
184
187
|
opts.on('--subject-alt-names NAME[,NAME]',
|
|
185
|
-
'Subject alternative names for the
|
|
188
|
+
'Subject alternative names for the server cert') do |sans|
|
|
186
189
|
parsed['subject-alt-names'] = sans
|
|
187
190
|
end
|
|
188
191
|
end
|
|
@@ -68,7 +68,7 @@ Options:
|
|
|
68
68
|
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
69
69
|
end
|
|
70
70
|
|
|
71
|
-
puppet = Config::Puppet.parse(config)
|
|
71
|
+
puppet = Config::Puppet.parse(config, @logger)
|
|
72
72
|
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
73
73
|
|
|
74
74
|
filter_names = certnames.any? \
|
|
@@ -1,24 +1,26 @@
|
|
|
1
1
|
require 'puppetserver/ca/utils/cli_parsing'
|
|
2
2
|
require 'puppetserver/ca/utils/file_system'
|
|
3
3
|
require 'puppetserver/ca/utils/http_client'
|
|
4
|
+
require 'puppetserver/ca/utils/config'
|
|
4
5
|
|
|
5
6
|
module Puppetserver
|
|
6
7
|
module Ca
|
|
7
8
|
module Action
|
|
8
9
|
class Migrate
|
|
9
10
|
include Puppetserver::Ca::Utils
|
|
10
|
-
PUPPETSERVER_CA_DIR =
|
|
11
|
+
PUPPETSERVER_CA_DIR = Puppetserver::Ca::Utils::Config.new_default_cadir
|
|
11
12
|
|
|
12
|
-
SUMMARY = "Migrate the existing CA directory to
|
|
13
|
+
SUMMARY = "Migrate the existing CA directory to #{PUPPETSERVER_CA_DIR}"
|
|
13
14
|
BANNER = <<-BANNER
|
|
14
15
|
Usage:
|
|
15
16
|
puppetserver ca migrate [--help]
|
|
16
17
|
puppetserver ca migrate [--config PATH]
|
|
17
18
|
|
|
18
19
|
Description:
|
|
19
|
-
Migrate an existing CA directory to
|
|
20
|
-
upgrading from Puppet Platform 6.x to Puppet 7.
|
|
21
|
-
|
|
20
|
+
Migrate an existing CA directory to #{PUPPETSERVER_CA_DIR}. This is for
|
|
21
|
+
upgrading from Puppet Platform 6.x to Puppet 7. Uses the default puppet.conf
|
|
22
|
+
in your installation, or use a different config by supplying the `--config` flag.
|
|
23
|
+
|
|
22
24
|
Options:
|
|
23
25
|
BANNER
|
|
24
26
|
|
|
@@ -29,7 +31,7 @@ BANNER
|
|
|
29
31
|
def run(input)
|
|
30
32
|
config_path = input['config']
|
|
31
33
|
puppet = Config::Puppet.new(config_path)
|
|
32
|
-
puppet.load
|
|
34
|
+
puppet.load(logger: @logger, ca_dir_warn: false)
|
|
33
35
|
return 1 if HttpClient.check_server_online(puppet.settings, @logger)
|
|
34
36
|
|
|
35
37
|
errors = FileSystem.check_for_existing_files(PUPPETSERVER_CA_DIR)
|
|
@@ -65,15 +67,7 @@ SUCCESS_MESSAGE
|
|
|
65
67
|
|
|
66
68
|
def migrate(old_cadir, new_cadir=PUPPETSERVER_CA_DIR)
|
|
67
69
|
FileUtils.mv(old_cadir, new_cadir)
|
|
68
|
-
|
|
69
|
-
# Ensure the symlink has the same ownership as the actual cadir.
|
|
70
|
-
# This requires using `FileUtils.chown` rather than `File.chown`, as
|
|
71
|
-
# the latter will update the ownership of the target rather than the
|
|
72
|
-
# link itself.
|
|
73
|
-
# Symlink permissions are ignored in favor of the target's permissions,
|
|
74
|
-
# so we don't have to change those.
|
|
75
|
-
cadir = File.stat(new_cadir)
|
|
76
|
-
FileUtils.chown(cadir.uid, cadir.gid, old_cadir)
|
|
70
|
+
FileSystem.forcibly_symlink(new_cadir, old_cadir)
|
|
77
71
|
end
|
|
78
72
|
|
|
79
73
|
def parse(args)
|
|
@@ -12,7 +12,7 @@ module Puppetserver
|
|
|
12
12
|
|
|
13
13
|
include Puppetserver::Ca::Utils
|
|
14
14
|
|
|
15
|
-
|
|
15
|
+
CERTNAME_BLOCKLIST = %w{--all --config}
|
|
16
16
|
|
|
17
17
|
SUMMARY = 'Revoke certificate(s)'
|
|
18
18
|
BANNER = <<-BANNER
|
|
@@ -55,7 +55,7 @@ BANNER
|
|
|
55
55
|
errors = CliParsing.parse_with_errors(parser, args)
|
|
56
56
|
|
|
57
57
|
results['certnames'].each do |certname|
|
|
58
|
-
if
|
|
58
|
+
if CERTNAME_BLOCKLIST.include?(certname)
|
|
59
59
|
errors << " Cannot manage cert named `#{certname}` from " +
|
|
60
60
|
"the CLI, if needed use the HTTP API directly"
|
|
61
61
|
end
|
|
@@ -83,7 +83,7 @@ BANNER
|
|
|
83
83
|
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
84
84
|
end
|
|
85
85
|
|
|
86
|
-
puppet = Config::Puppet.parse(config)
|
|
86
|
+
puppet = Config::Puppet.parse(config, @logger)
|
|
87
87
|
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
88
88
|
|
|
89
89
|
result = revoke_certs(certnames, puppet.settings)
|
|
@@ -3,6 +3,7 @@ require 'optparse'
|
|
|
3
3
|
require 'puppetserver/ca/config/puppet'
|
|
4
4
|
require 'puppetserver/ca/errors'
|
|
5
5
|
require 'puppetserver/ca/local_certificate_authority'
|
|
6
|
+
require 'puppetserver/ca/utils/config'
|
|
6
7
|
require 'puppetserver/ca/utils/cli_parsing'
|
|
7
8
|
require 'puppetserver/ca/utils/file_system'
|
|
8
9
|
require 'puppetserver/ca/utils/signing_digest'
|
|
@@ -23,10 +24,10 @@ Usage:
|
|
|
23
24
|
Description:
|
|
24
25
|
Setup a root and intermediate signing CA for Puppet Server
|
|
25
26
|
and store generated CA keys, certs, crls, and associated
|
|
26
|
-
|
|
27
|
+
server related files on disk.
|
|
27
28
|
|
|
28
29
|
The `--subject-alt-names` flag can be used to add SANs to the
|
|
29
|
-
certificate generated for the Puppet
|
|
30
|
+
certificate generated for the Puppet server. Multiple names can be
|
|
30
31
|
listed as a comma separated string. These can be either DNS names or
|
|
31
32
|
IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
|
|
32
33
|
Names with no prefix will be treated as DNS names.
|
|
@@ -55,7 +56,7 @@ BANNER
|
|
|
55
56
|
settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
|
|
56
57
|
|
|
57
58
|
puppet = Config::Puppet.new(config_path)
|
|
58
|
-
puppet.load(settings_overrides)
|
|
59
|
+
puppet.load(cli_overrides: settings_overrides, logger: @logger)
|
|
59
60
|
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
60
61
|
|
|
61
62
|
# Load most secure signing digest we can for cers/crl/csr signing.
|
|
@@ -76,7 +77,7 @@ BANNER
|
|
|
76
77
|
|
|
77
78
|
root_key, root_cert, root_crl = ca.create_root_cert
|
|
78
79
|
ca.create_intermediate_cert(root_key, root_cert)
|
|
79
|
-
|
|
80
|
+
server_key, server_cert = ca.create_server_cert
|
|
80
81
|
return ca.errors if ca.errors.any?
|
|
81
82
|
|
|
82
83
|
FileSystem.ensure_dirs([settings[:ssldir],
|
|
@@ -90,28 +91,28 @@ BANNER
|
|
|
90
91
|
[settings[:cacert], [ca.cert, root_cert]],
|
|
91
92
|
[settings[:cacrl], [ca.crl, root_crl]],
|
|
92
93
|
[settings[:cadir] + '/infra_crl.pem', [ca.crl, root_crl]],
|
|
93
|
-
[settings[:hostcert],
|
|
94
|
+
[settings[:hostcert], server_cert],
|
|
94
95
|
[settings[:localcacert], [ca.cert, root_cert]],
|
|
95
96
|
[settings[:hostcrl], [ca.crl, root_crl]],
|
|
96
|
-
[settings[:hostpubkey],
|
|
97
|
+
[settings[:hostpubkey], server_key.public_key],
|
|
97
98
|
[settings[:capub], ca.key.public_key],
|
|
98
|
-
[settings[:cert_inventory], ca.inventory_entry(
|
|
99
|
+
[settings[:cert_inventory], ca.inventory_entry(server_cert)],
|
|
99
100
|
[settings[:cadir] + '/infra_inventory.txt', ''],
|
|
100
101
|
[settings[:cadir] + '/infra_serials', ''],
|
|
101
102
|
[settings[:serial], "002"],
|
|
102
|
-
[File.join(settings[:signeddir], "#{settings[:certname]}.pem"),
|
|
103
|
+
[File.join(settings[:signeddir], "#{settings[:certname]}.pem"), server_cert],
|
|
103
104
|
]
|
|
104
105
|
|
|
105
106
|
private_files = [
|
|
106
|
-
[settings[:hostprivkey],
|
|
107
|
+
[settings[:hostprivkey], server_key],
|
|
107
108
|
[settings[:rootkey], root_key],
|
|
108
109
|
[settings[:cakey], ca.key],
|
|
109
110
|
]
|
|
110
111
|
|
|
111
112
|
files_to_check = public_files + private_files
|
|
112
|
-
# We don't want to error if
|
|
113
|
+
# We don't want to error if server's keys exist. Certain workflows
|
|
113
114
|
# allow the agent to have already be installed with keys and then
|
|
114
|
-
# upgraded to be a
|
|
115
|
+
# upgraded to be a server. The host class will honor keys, if both
|
|
115
116
|
# public and private exist, and error if only one exists - as is
|
|
116
117
|
# previous behavior.
|
|
117
118
|
files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
|
|
@@ -135,6 +136,8 @@ ERR
|
|
|
135
136
|
FileSystem.write_file(location, content, 0640)
|
|
136
137
|
end
|
|
137
138
|
|
|
139
|
+
Puppetserver::Ca::Utils::Config.symlink_to_old_cadir(settings[:cadir], settings[:confdir])
|
|
140
|
+
|
|
138
141
|
return []
|
|
139
142
|
end
|
|
140
143
|
|
|
@@ -160,7 +163,7 @@ ERR
|
|
|
160
163
|
parsed['config'] = conf
|
|
161
164
|
end
|
|
162
165
|
opts.on('--subject-alt-names NAME[,NAME]',
|
|
163
|
-
'Subject alternative names for the
|
|
166
|
+
'Subject alternative names for the server cert') do |sans|
|
|
164
167
|
parsed['subject-alt-names'] = sans
|
|
165
168
|
end
|
|
166
169
|
opts.on('--ca-name NAME',
|
|
@@ -168,7 +171,7 @@ ERR
|
|
|
168
171
|
parsed['ca-name'] = name
|
|
169
172
|
end
|
|
170
173
|
opts.on('--certname NAME',
|
|
171
|
-
'Common name to use for the
|
|
174
|
+
'Common name to use for the server cert') do |name|
|
|
172
175
|
parsed['certname'] = name
|
|
173
176
|
end
|
|
174
177
|
end
|
|
@@ -62,7 +62,7 @@ Options:
|
|
|
62
62
|
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
63
63
|
end
|
|
64
64
|
|
|
65
|
-
puppet = Config::Puppet.parse(config)
|
|
65
|
+
puppet = Config::Puppet.parse(config, @logger)
|
|
66
66
|
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
67
67
|
|
|
68
68
|
ca = Puppetserver::Ca::CertificateAuthority.new(@logger, puppet.settings)
|
|
@@ -23,9 +23,9 @@ module Puppetserver
|
|
|
23
23
|
# A regex describing valid formats with groups for capturing the value and units
|
|
24
24
|
TTL_FORMAT = /^(\d+)(y|d|h|m|s)?$/
|
|
25
25
|
|
|
26
|
-
def self.parse(config_path)
|
|
26
|
+
def self.parse(config_path, logger)
|
|
27
27
|
instance = new(config_path)
|
|
28
|
-
instance.load
|
|
28
|
+
instance.load(logger: logger)
|
|
29
29
|
|
|
30
30
|
return instance
|
|
31
31
|
end
|
|
@@ -34,7 +34,7 @@ module Puppetserver
|
|
|
34
34
|
|
|
35
35
|
def initialize(supplied_config_path = nil)
|
|
36
36
|
@using_default_location = !supplied_config_path
|
|
37
|
-
@config_path = supplied_config_path ||
|
|
37
|
+
@config_path = supplied_config_path || user_specific_puppet_config
|
|
38
38
|
|
|
39
39
|
@settings = nil
|
|
40
40
|
@errors = []
|
|
@@ -46,20 +46,15 @@ module Puppetserver
|
|
|
46
46
|
# on Windows are unsupported.
|
|
47
47
|
# Note that Puppet Server runs as the [pe-]puppet user but to
|
|
48
48
|
# start/stop it you must be root.
|
|
49
|
-
def
|
|
50
|
-
@
|
|
51
|
-
if Puppetserver::Ca::Utils::Config.running_as_root?
|
|
52
|
-
'/etc/puppetlabs/puppet'
|
|
53
|
-
else
|
|
54
|
-
"#{ENV['HOME']}/.puppetlabs/etc/puppet"
|
|
55
|
-
end
|
|
49
|
+
def user_specific_puppet_confdir
|
|
50
|
+
@user_specific_puppet_confdir ||= Puppetserver::Ca::Utils::Config.puppet_confdir
|
|
56
51
|
end
|
|
57
52
|
|
|
58
|
-
def
|
|
59
|
-
|
|
53
|
+
def user_specific_puppet_config
|
|
54
|
+
user_specific_puppet_confdir + '/puppet.conf'
|
|
60
55
|
end
|
|
61
56
|
|
|
62
|
-
def load(cli_overrides
|
|
57
|
+
def load(cli_overrides: {}, logger:, ca_dir_warn: true)
|
|
63
58
|
if explicitly_given_config_file_or_default_config_exists?
|
|
64
59
|
results = parse_text(File.read(@config_path))
|
|
65
60
|
end
|
|
@@ -74,8 +69,11 @@ module Puppetserver
|
|
|
74
69
|
|
|
75
70
|
overrides = results[:agent].merge(results[:main]).merge(results[:master]).merge(results[:server])
|
|
76
71
|
overrides.merge!(cli_overrides)
|
|
72
|
+
if overrides[:masterport]
|
|
73
|
+
overrides[:serverport] ||= overrides.delete(:masterport)
|
|
74
|
+
end
|
|
77
75
|
|
|
78
|
-
@settings = resolve_settings(overrides).freeze
|
|
76
|
+
@settings = resolve_settings(overrides, logger, ca_dir_warn: ca_dir_warn).freeze
|
|
79
77
|
end
|
|
80
78
|
|
|
81
79
|
def default_certname
|
|
@@ -91,7 +89,7 @@ module Puppetserver
|
|
|
91
89
|
|
|
92
90
|
# Resolve settings from default values, with any overrides for the
|
|
93
91
|
# specific settings or their dependent settings (ssldir, cadir) taken into account.
|
|
94
|
-
def resolve_settings(overrides = {})
|
|
92
|
+
def resolve_settings(overrides = {}, logger, ca_dir_warn: true)
|
|
95
93
|
unresolved_setting = /\$[a-z_]+/
|
|
96
94
|
|
|
97
95
|
# Returning the key for unknown keys (rather than nil) is required to
|
|
@@ -103,13 +101,12 @@ module Puppetserver
|
|
|
103
101
|
# These need to be evaluated before we can construct their dependent
|
|
104
102
|
# defaults below
|
|
105
103
|
base_defaults = [
|
|
106
|
-
[:confdir,
|
|
104
|
+
[:confdir, user_specific_puppet_confdir],
|
|
107
105
|
[:ssldir,'$confdir/ssl'],
|
|
108
|
-
[:cadir, '$ssldir/ca'],
|
|
109
106
|
[:certdir, '$ssldir/certs'],
|
|
110
107
|
[:certname, default_certname],
|
|
111
108
|
[:server, 'puppet'],
|
|
112
|
-
[:
|
|
109
|
+
[:serverport, '8140'],
|
|
113
110
|
[:privatekeydir, '$ssldir/private_keys'],
|
|
114
111
|
[:publickeydir, '$ssldir/public_keys'],
|
|
115
112
|
]
|
|
@@ -127,7 +124,7 @@ module Puppetserver
|
|
|
127
124
|
:serial => '$cadir/serial',
|
|
128
125
|
:cert_inventory => '$cadir/inventory.txt',
|
|
129
126
|
:ca_server => '$server',
|
|
130
|
-
:ca_port => '$
|
|
127
|
+
:ca_port => '$serverport',
|
|
131
128
|
:localcacert => '$certdir/ca.pem',
|
|
132
129
|
:hostcrl => '$ssldir/crl.pem',
|
|
133
130
|
:hostcert => '$certdir/$certname.pem',
|
|
@@ -150,6 +147,14 @@ module Puppetserver
|
|
|
150
147
|
settings[setting_name] = substitutions[substitution_name] = subbed_value
|
|
151
148
|
end
|
|
152
149
|
|
|
150
|
+
cadir = find_cadir(overrides.fetch(:cadir, false),
|
|
151
|
+
settings[:confdir],
|
|
152
|
+
settings[:ssldir],
|
|
153
|
+
logger,
|
|
154
|
+
ca_dir_warn)
|
|
155
|
+
settings[:cadir] = substitutions['$cadir'] = cadir
|
|
156
|
+
|
|
157
|
+
|
|
153
158
|
dependent_defaults.each do |setting_name, default_value|
|
|
154
159
|
setting_value = overrides.fetch(setting_name, default_value)
|
|
155
160
|
settings[setting_name] = setting_value
|
|
@@ -212,6 +217,33 @@ module Puppetserver
|
|
|
212
217
|
|
|
213
218
|
private
|
|
214
219
|
|
|
220
|
+
|
|
221
|
+
def find_cadir(configured_cadir, confdir, ssldir, logger, ca_dir_warn)
|
|
222
|
+
warning = 'The cadir is currently configured to be inside the ' +
|
|
223
|
+
'%{ssldir} directory. This config setting and the directory ' +
|
|
224
|
+
'location will not be used in a future version of puppet. ' +
|
|
225
|
+
'Please run the puppetserver ca tool to migrate out from the ' +
|
|
226
|
+
'puppet confdir to the /etc/puppetlabs/puppetserver/ca directory. ' +
|
|
227
|
+
'Use `puppetserver ca migrate --help` for more info.'
|
|
228
|
+
|
|
229
|
+
if configured_cadir
|
|
230
|
+
if ca_dir_warn && configured_cadir.start_with?(ssldir)
|
|
231
|
+
logger.warn(warning % {ssldir: ssldir})
|
|
232
|
+
end
|
|
233
|
+
configured_cadir
|
|
234
|
+
|
|
235
|
+
else
|
|
236
|
+
old_cadir = Puppetserver::Ca::Utils::Config.old_default_cadir(confdir)
|
|
237
|
+
new_cadir = Puppetserver::Ca::Utils::Config.new_default_cadir(confdir)
|
|
238
|
+
if File.exist?(old_cadir) && !File.symlink?(old_cadir)
|
|
239
|
+
logger.warn(warning % {ssldir: ssldir}) if ca_dir_warn
|
|
240
|
+
old_cadir
|
|
241
|
+
else
|
|
242
|
+
new_cadir
|
|
243
|
+
end
|
|
244
|
+
end
|
|
245
|
+
end
|
|
246
|
+
|
|
215
247
|
def explicitly_given_config_file_or_default_config_exists?
|
|
216
248
|
!@using_default_location || File.exist?(@config_path)
|
|
217
249
|
end
|
|
@@ -258,7 +290,7 @@ module Puppetserver
|
|
|
258
290
|
end
|
|
259
291
|
|
|
260
292
|
if settings.dig(:server_list, 0, 1) &&
|
|
261
|
-
settings[:ca_port] == '$
|
|
293
|
+
settings[:ca_port] == '$serverport'
|
|
262
294
|
|
|
263
295
|
settings[:ca_port] = settings.dig(:server_list, 0, 1)
|
|
264
296
|
end
|
data/lib/puppetserver/ca/host.rb
CHANGED
|
@@ -58,10 +58,10 @@ module Puppetserver
|
|
|
58
58
|
@errors = []
|
|
59
59
|
end
|
|
60
60
|
|
|
61
|
-
# If both the private and public keys exist for a
|
|
61
|
+
# If both the private and public keys exist for a server then we want
|
|
62
62
|
# to honor them here, if only one key exists we want to surface an error,
|
|
63
63
|
# and if neither exist we generate a new key. This logic is necessary for
|
|
64
|
-
# proper bootstrapping for certain
|
|
64
|
+
# proper bootstrapping for certain server workflows.
|
|
65
65
|
def create_private_key(keylength, private_path = '', public_path = '')
|
|
66
66
|
if File.exists?(private_path) && File.exists?(public_path)
|
|
67
67
|
return OpenSSL::PKey.read(File.read(private_path))
|
|
@@ -20,7 +20,7 @@ module Puppetserver
|
|
|
20
20
|
|
|
21
21
|
CLI_AUTH_EXT_OID = "1.3.6.1.4.1.34380.1.3.39"
|
|
22
22
|
|
|
23
|
-
|
|
23
|
+
SERVER_EXTENSIONS = [
|
|
24
24
|
["basicConstraints", "CA:FALSE", true],
|
|
25
25
|
["nsComment", "Puppet Server Internal Certificate", false],
|
|
26
26
|
["authorityKeyIdentifier", "keyid:always", false],
|
|
@@ -132,23 +132,23 @@ module Puppetserver
|
|
|
132
132
|
time.strftime('%Y-%m-%dT%H:%M:%S%Z')
|
|
133
133
|
end
|
|
134
134
|
|
|
135
|
-
def
|
|
136
|
-
|
|
137
|
-
|
|
135
|
+
def create_server_cert
|
|
136
|
+
server_cert = nil
|
|
137
|
+
server_key = @host.create_private_key(@settings[:keylength],
|
|
138
138
|
@settings[:hostprivkey],
|
|
139
139
|
@settings[:hostpubkey])
|
|
140
|
-
if
|
|
141
|
-
|
|
140
|
+
if server_key
|
|
141
|
+
server_csr = @host.create_csr(name: @settings[:certname], key: server_key)
|
|
142
142
|
if @settings[:subject_alt_names].empty?
|
|
143
143
|
alt_names = "DNS:puppet, DNS:#{@settings[:certname]}"
|
|
144
144
|
else
|
|
145
145
|
alt_names = @settings[:subject_alt_names]
|
|
146
146
|
end
|
|
147
147
|
|
|
148
|
-
|
|
148
|
+
server_cert = sign_authorized_cert(server_csr, alt_names)
|
|
149
149
|
end
|
|
150
150
|
|
|
151
|
-
return
|
|
151
|
+
return server_key, server_cert
|
|
152
152
|
end
|
|
153
153
|
|
|
154
154
|
def sign_authorized_cert(csr, alt_names = '')
|
|
@@ -176,7 +176,7 @@ module Puppetserver
|
|
|
176
176
|
end
|
|
177
177
|
|
|
178
178
|
def add_authorized_extensions(cert, ef)
|
|
179
|
-
|
|
179
|
+
SERVER_EXTENSIONS.each do |ext|
|
|
180
180
|
extension = ef.create_extension(*ext)
|
|
181
181
|
cert.add_extension(extension)
|
|
182
182
|
end
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
require 'puppetserver/ca/utils/file_system'
|
|
2
|
+
|
|
1
3
|
module Puppetserver
|
|
2
4
|
module Ca
|
|
3
5
|
module Utils
|
|
@@ -19,6 +21,40 @@ module Puppetserver
|
|
|
19
21
|
end.sort.uniq.join(", ")
|
|
20
22
|
end
|
|
21
23
|
|
|
24
|
+
def self.puppet_confdir
|
|
25
|
+
if running_as_root?
|
|
26
|
+
'/etc/puppetlabs/puppet'
|
|
27
|
+
else
|
|
28
|
+
"#{ENV['HOME']}/.puppetlabs/etc/puppet"
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
def self.puppetserver_confdir(puppet_confdir)
|
|
33
|
+
File.join(File.dirname(puppet_confdir), 'puppetserver')
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def self.default_ssldir(confdir = puppet_confdir)
|
|
37
|
+
File.join(confdir, 'ssl')
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def self.old_default_cadir(confdir = puppet_confdir)
|
|
41
|
+
File.join(confdir, 'ssl', 'ca')
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
def self.new_default_cadir(confdir = puppet_confdir)
|
|
45
|
+
File.join(puppetserver_confdir(confdir), 'ca')
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
def self.symlink_to_old_cadir(current_cadir, puppet_confdir)
|
|
49
|
+
old_cadir = old_default_cadir(puppet_confdir)
|
|
50
|
+
new_cadir = new_default_cadir(puppet_confdir)
|
|
51
|
+
return if current_cadir != new_cadir
|
|
52
|
+
# This is only run on setup/import, so there should be no files in the
|
|
53
|
+
# old cadir, so it should be safe to forcibly remove it (which we need
|
|
54
|
+
# to do in order to create a symlink).
|
|
55
|
+
Puppetserver::Ca::Utils::FileSystem.forcibly_symlink(new_cadir, old_cadir)
|
|
56
|
+
end
|
|
57
|
+
|
|
22
58
|
end
|
|
23
59
|
end
|
|
24
60
|
end
|
|
@@ -50,6 +50,19 @@ module Puppetserver
|
|
|
50
50
|
errors
|
|
51
51
|
end
|
|
52
52
|
|
|
53
|
+
def self.forcibly_symlink(source, link_target)
|
|
54
|
+
FileUtils.remove_dir(link_target, true)
|
|
55
|
+
FileUtils.symlink(source, link_target)
|
|
56
|
+
# Ensure the symlink has the same ownership as the source.
|
|
57
|
+
# This requires using `FileUtils.chown` rather than `File.chown`, as
|
|
58
|
+
# the latter will update the ownership of the source rather than the
|
|
59
|
+
# link itself.
|
|
60
|
+
# Symlink permissions are ignored in favor of the source's permissions,
|
|
61
|
+
# so we don't have to change those.
|
|
62
|
+
source_info = File.stat(source)
|
|
63
|
+
FileUtils.chown(source_info.uid, source_info.gid, link_target)
|
|
64
|
+
end
|
|
65
|
+
|
|
53
66
|
def initialize
|
|
54
67
|
@user, @group = find_user_and_group
|
|
55
68
|
end
|
|
@@ -166,7 +166,7 @@ module Puppetserver
|
|
|
166
166
|
def self.check_server_online(settings, logger)
|
|
167
167
|
status_url = URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
|
|
168
168
|
begin
|
|
169
|
-
# Generating certs offline is necessary if the
|
|
169
|
+
# Generating certs offline is necessary if the server cert has been destroyed
|
|
170
170
|
# or compromised. Since querying the status endpoint does not require a client cert, and
|
|
171
171
|
# we commonly won't have one, don't require one for creating the connection.
|
|
172
172
|
# Additionally, we want to ensure the server is stopped before migrating the CA dir to
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: puppetserver-ca
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 2.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Puppet, Inc.
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-04-21 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: facter
|