puppetserver-ca 2.3.0 → 2.3.4
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7c543d4837c103bf83f5d7defd975a7e86c89d2e3e6fd289d621a6c771f263a4
|
|
4
|
+
data.tar.gz: 82ada6a011efb5500a8906ca3fe26287f43e3ff08836e25b66cf571e32d9102c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3a97af8c8ad5c9b0b34fbb4bff4bfe8dba2763f497676db2106ba49de5fbfe8483b4eee122990742753b5db65327c1a9bf1c3aa03194e3d603b9310534d16051
|
|
7
|
+
data.tar.gz: 20654749dcc0e200cf2a0f97237fcb6a342b61c31a96b45c0b7e82dd2ff2acbcac41286d844e99fb1d74783e23733862549a9cff4bc2e8469b4eecc9e3156a1b
|
|
@@ -62,6 +62,7 @@ Options:
|
|
|
62
62
|
certnames = input['certname'] || []
|
|
63
63
|
all = input['all']
|
|
64
64
|
output_format = input['format'] || "text"
|
|
65
|
+
missing = []
|
|
65
66
|
|
|
66
67
|
unless VALID_FORMAT.include?(output_format)
|
|
67
68
|
Errors.handle_with_usage(@logger, ["Unknown format flag '#{output_format}'. Valid formats are '#{VALID_FORMAT.join("', '")}'."])
|
|
@@ -87,14 +88,14 @@ Options:
|
|
|
87
88
|
filter_names = lambda { |x| true }
|
|
88
89
|
end
|
|
89
90
|
|
|
90
|
-
all_certs = get_all_certs(puppet.settings).select { |cert| filter_names.call(cert) }
|
|
91
|
-
requested, signed, revoked = separate_certs(all_certs)
|
|
92
|
-
missing = certnames - all_certs.map { |cert| cert['name'] }
|
|
93
|
-
|
|
94
91
|
if (all || certnames.any?)
|
|
92
|
+
all_certs = get_certs_or_csrs(puppet.settings).select { |cert| filter_names.call(cert) }
|
|
93
|
+
requested, signed, revoked = separate_certs(all_certs)
|
|
94
|
+
missing = certnames - all_certs.map { |cert| cert['name'] }
|
|
95
95
|
output_certs_by_state(all, output_format, requested, signed, revoked, missing)
|
|
96
96
|
else
|
|
97
|
-
|
|
97
|
+
all_csrs = get_certs_or_csrs(puppet.settings, "requested")
|
|
98
|
+
output_certs_by_state(all, output_format, all_csrs)
|
|
98
99
|
end
|
|
99
100
|
|
|
100
101
|
return missing.any? ? 1 : 0
|
|
@@ -209,8 +210,9 @@ Options:
|
|
|
209
210
|
return requested, signed, revoked
|
|
210
211
|
end
|
|
211
212
|
|
|
212
|
-
def
|
|
213
|
-
|
|
213
|
+
def get_certs_or_csrs(settings, queried_state = nil)
|
|
214
|
+
query = queried_state ? { :state => queried_state } : {}
|
|
215
|
+
result = Puppetserver::Ca::CertificateAuthority.new(@logger, settings).get_certificate_statuses(query)
|
|
214
216
|
|
|
215
217
|
if result
|
|
216
218
|
return JSON.parse(result.body)
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
require 'optparse'
|
|
2
2
|
require 'openssl'
|
|
3
|
+
require 'set'
|
|
3
4
|
require 'puppetserver/ca/errors'
|
|
4
5
|
require 'puppetserver/ca/utils/cli_parsing'
|
|
5
6
|
require 'puppetserver/ca/utils/file_system'
|
|
@@ -31,6 +32,7 @@ BANNER
|
|
|
31
32
|
|
|
32
33
|
def run(inputs)
|
|
33
34
|
config_path = inputs['config']
|
|
35
|
+
exit_code = 0
|
|
34
36
|
|
|
35
37
|
# Validate the config path.
|
|
36
38
|
if config_path
|
|
@@ -49,40 +51,59 @@ BANNER
|
|
|
49
51
|
# Getting the CRL(s)
|
|
50
52
|
loader = X509Loader.new(puppet.settings[:cacert], puppet.settings[:cakey], puppet.settings[:cacrl])
|
|
51
53
|
|
|
52
|
-
|
|
53
|
-
prune_CRLs(puppet_crl)
|
|
54
|
-
update_pruned_CRL(puppet_crl, loader.key)
|
|
55
|
-
FileSystem.write_file(puppet.settings[:cacrl], loader.crls, 0644)
|
|
54
|
+
verified_crls = loader.crls.select { |crl| crl.verify(loader.key) }
|
|
56
55
|
|
|
57
|
-
|
|
58
|
-
|
|
56
|
+
if verified_crls.length == 1
|
|
57
|
+
puppet_crl = verified_crls.first
|
|
58
|
+
@logger.inform("Total number of certificates found in Puppet's CRL is: #{puppet_crl.revoked.length}.")
|
|
59
|
+
number_of_removed_duplicates = prune_CRL(puppet_crl)
|
|
60
|
+
|
|
61
|
+
if number_of_removed_duplicates > 0
|
|
62
|
+
update_pruned_CRL(puppet_crl, loader.key)
|
|
63
|
+
FileSystem.write_file(puppet.settings[:cacrl], loader.crls, 0644)
|
|
64
|
+
@logger.inform("Removed #{number_of_removed_duplicates} duplicated certs from Puppet's CRL.")
|
|
65
|
+
else
|
|
66
|
+
@logger.inform("No duplicate revocations found in the CRL.")
|
|
67
|
+
end
|
|
68
|
+
else
|
|
69
|
+
@logger.err("Could not identify Puppet's CRL. Aborting prune action.")
|
|
70
|
+
exit_code = 1
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
return exit_code
|
|
59
74
|
end
|
|
60
75
|
|
|
61
|
-
def
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
+
def prune_CRL(crl)
|
|
77
|
+
number_of_removed_duplicates = 0
|
|
78
|
+
|
|
79
|
+
existed_serial_number = Set.new()
|
|
80
|
+
revoked_list = crl.revoked
|
|
81
|
+
@logger.debug("Pruning duplicate entries in CRL for issuer " \
|
|
82
|
+
"#{crl.issuer.to_s(OpenSSL::X509::Name::RFC2253)}") if @logger.debug?
|
|
83
|
+
|
|
84
|
+
revoked_list.delete_if do |revoked|
|
|
85
|
+
if existed_serial_number.add?(revoked.serial)
|
|
86
|
+
false
|
|
87
|
+
else
|
|
88
|
+
number_of_removed_duplicates += 1
|
|
89
|
+
@logger.debug("Removing duplicate of #{revoked.serial}, " \
|
|
90
|
+
"revoked on #{revoked.time}\n") if @logger.debug?
|
|
91
|
+
true
|
|
76
92
|
end
|
|
77
|
-
crl.revoked=(revoked_list)
|
|
78
93
|
end
|
|
94
|
+
crl.revoked=(revoked_list)
|
|
95
|
+
|
|
96
|
+
return number_of_removed_duplicates
|
|
79
97
|
end
|
|
80
98
|
|
|
81
|
-
def update_pruned_CRL(
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
99
|
+
def update_pruned_CRL(crl, pkey)
|
|
100
|
+
number_ext, other_ext = crl.extensions.partition{ |ext| ext.oid == "crlNumber" }
|
|
101
|
+
number_ext.each do |crl_number|
|
|
102
|
+
updated_crl_number = OpenSSL::BN.new(crl_number.value) + OpenSSL::BN.new(1)
|
|
103
|
+
crl_number.value=(OpenSSL::ASN1::Integer(updated_crl_number))
|
|
85
104
|
end
|
|
105
|
+
crl.extensions=(number_ext + other_ext)
|
|
106
|
+
crl.sign(pkey, OpenSSL::Digest::SHA256.new)
|
|
86
107
|
end
|
|
87
108
|
|
|
88
109
|
def self.parser(parsed = {})
|
|
@@ -41,8 +41,8 @@ module Puppetserver
|
|
|
41
41
|
end
|
|
42
42
|
|
|
43
43
|
# Returns a URI-like wrapper around CA specific urls
|
|
44
|
-
def make_ca_url(resource_type = nil, certname = nil)
|
|
45
|
-
HttpClient::URL.new('https', @ca_server, @ca_port, 'puppet-ca', 'v1', resource_type, certname)
|
|
44
|
+
def make_ca_url(resource_type = nil, certname = nil, query = {})
|
|
45
|
+
HttpClient::URL.new('https', @ca_server, @ca_port, 'puppet-ca', 'v1', resource_type, certname, query)
|
|
46
46
|
end
|
|
47
47
|
|
|
48
48
|
def process_ttl_input(ttl)
|
|
@@ -141,7 +141,7 @@ module Puppetserver
|
|
|
141
141
|
when :revoke
|
|
142
142
|
case result.code
|
|
143
143
|
when '200', '204'
|
|
144
|
-
@logger.inform "
|
|
144
|
+
@logger.inform "Certificate for #{certname} has been revoked"
|
|
145
145
|
return :success
|
|
146
146
|
when '404'
|
|
147
147
|
@logger.err 'Error:'
|
|
@@ -215,7 +215,7 @@ module Puppetserver
|
|
|
215
215
|
def check_revocation(certname, result)
|
|
216
216
|
case result.code
|
|
217
217
|
when '200', '204'
|
|
218
|
-
@logger.inform "
|
|
218
|
+
@logger.inform "Certificate for #{certname} has been revoked"
|
|
219
219
|
return :success
|
|
220
220
|
when '409'
|
|
221
221
|
return :invalid
|
|
@@ -250,8 +250,8 @@ module Puppetserver
|
|
|
250
250
|
end
|
|
251
251
|
|
|
252
252
|
# Returns nil for errors, else the result of the GET request
|
|
253
|
-
def get_certificate_statuses
|
|
254
|
-
result = get('certificate_statuses', 'any_key')
|
|
253
|
+
def get_certificate_statuses(query = {})
|
|
254
|
+
result = get('certificate_statuses', 'any_key', query)
|
|
255
255
|
|
|
256
256
|
unless result.code == '200'
|
|
257
257
|
@logger.err 'Error:'
|
|
@@ -287,8 +287,8 @@ module Puppetserver
|
|
|
287
287
|
# @param resource_type [String] the resource type of url
|
|
288
288
|
# @param resource_name [String] the resource name of url
|
|
289
289
|
# @return [Struct] an instance of the Result struct with :code, :body
|
|
290
|
-
def get(resource_type, resource_name)
|
|
291
|
-
url = make_ca_url(resource_type, resource_name)
|
|
290
|
+
def get(resource_type, resource_name, query = {})
|
|
291
|
+
url = make_ca_url(resource_type, resource_name, query)
|
|
292
292
|
@client.with_connection(url) do |connection|
|
|
293
293
|
connection.get(url)
|
|
294
294
|
end
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
require 'net/https'
|
|
2
2
|
require 'openssl'
|
|
3
|
+
require 'uri'
|
|
3
4
|
|
|
4
5
|
require 'puppetserver/ca/errors'
|
|
5
6
|
|
|
@@ -114,7 +115,6 @@ module Puppetserver
|
|
|
114
115
|
request.body = body
|
|
115
116
|
result = @conn.request(request)
|
|
116
117
|
|
|
117
|
-
|
|
118
118
|
Result.new(result.code, result.body)
|
|
119
119
|
end
|
|
120
120
|
|
|
@@ -136,10 +136,13 @@ module Puppetserver
|
|
|
136
136
|
# Like URI, but not... maybe of suspicious value
|
|
137
137
|
URL = Struct.new(:protocol, :host, :port,
|
|
138
138
|
:endpoint, :version,
|
|
139
|
-
:resource_type, :resource_name) do
|
|
139
|
+
:resource_type, :resource_name, :query) do
|
|
140
140
|
def full_url
|
|
141
|
-
protocol + '://' + host + ':' + port + '/' +
|
|
142
|
-
|
|
141
|
+
url = protocol + '://' + host + ':' + port + '/' +
|
|
142
|
+
[endpoint, version, resource_type, resource_name].join('/')
|
|
143
|
+
|
|
144
|
+
url = url + "?" + URI.encode_www_form(query) unless query.nil? || query.empty?
|
|
145
|
+
return url
|
|
143
146
|
end
|
|
144
147
|
|
|
145
148
|
def to_uri
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: puppetserver-ca
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.3.
|
|
4
|
+
version: 2.3.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Puppet, Inc.
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-08-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: facter
|