puppetserver-ca 0.0.1.pre.dev1 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 29470ef5b2d156af3ab35e6b08bba8cf04f9ace7
-  data.tar.gz: 9c194481163f5a9b5e9e7974b5929189141f2d1f
+  metadata.gz: 3ce9f1836cdf33c3a90c4ead5503c9e3bd77dd4c
+  data.tar.gz: 4c935b843c029cce7626c9b5ae5ec4d2e3d7a483
 SHA512:
-  metadata.gz: 4a685288d88e4a2388736cef346d9c7d7d24f23bf4b5befc968f296b44443faf652fbe47702f9d1a10c999bfad089164cffc7b7525b9dd5cb6cf54c7abbe30ae
-  data.tar.gz: '08f50143a3a5090ee5173fd27e0391d99eda1c56bfeff627804da40bb209a40f7bab095d479c8ef07791bd0a4ed2d00b48679a01c8dcaa8a1a8186ef84ec2b50'
+  metadata.gz: 136312e8f3183ba47e97d7e256c6887e22b044bc4b455cb0d7f7e635835b511a83e2a78d53c87b6c45f12c1b11ff149a82dd02346324fde2a75dcb656de4c688
+  data.tar.gz: 1bff6c715e519f6cc4fcb238059c318659b244a7fad493d8a4b446a7d204a9947464838adb76f213a80fbf7416088b49231dab4531013318c8703abf01b6b579

data/.travis.yml

@@ -1,5 +1,11 @@
 sudo: false
 language: ruby
+notifications:
+  email: false
 rvm:
-  - 2.3.4
+  - 2.3
+  - 2.4
+  - 2.5
 before_install: gem install bundler -v 1.16.1
+script:
+  - bundle exec rake spec

data/Gemfile

@@ -4,3 +4,6 @@ git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
 
 # Specify your gem's dependencies in puppetserver-ca.gemspec
 gemspec
+
+gem 'pry'
+gem 'pry-byebug'

data/exe/puppetserver-ca

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+# This requires everything in our Gemfile, so when functionally testing
+# our debugging tools are available without having to require them
+require 'bundler/setup'
+Bundler.require(:default)
+
+require 'puppetserver/ca/cli'
+
+exit Puppetserver::Ca::Cli.run(ARGV)

data/lib/puppetserver/ca/cli.rb

@@ -0,0 +1,105 @@
+require 'optparse'
+require 'puppetserver/ca/version'
+require 'puppetserver/ca/setup_action'
+require 'puppetserver/ca/logger'
+
+module Puppetserver
+  module Ca
+    class Cli
+      BANNER= <<-BANNER
+Usage: puppetserver ca <action> [options]
+
+Manage the Private Key Infrastructure for
+Puppet Server's built-in Certificate Authority
+BANNER
+
+      VALID_ACTIONS = {'setup' => SetupAction}
+
+      ACTION_LIST = "\nAvailable Actions:\n" +
+        VALID_ACTIONS.map do |action, cls|
+          "    #{action}\t#{cls::SUMMARY}"
+        end.join("\n")
+
+      ACTION_OPTIONS = "\nAction Options:\n" +
+        VALID_ACTIONS.map do |action, cls|
+          "  #{action}:\n" +
+          cls.parser.summarize.
+            select{|line| line =~ /^\s*--/ }.
+            reject{|line| line =~ /--help|--version/ }.join('')
+        end.join("\n")
+
+
+      def self.run(cli_args = ARGV, out = STDOUT, err = STDERR)
+        logger = Puppetserver::Ca::Logger.new(:info, out, err)
+        parser, general_options, unparsed = parse_general_inputs(cli_args)
+
+        if general_options['version']
+          logger.inform Puppetserver::Ca::VERSION
+          return 0
+        end
+
+        action_argument = unparsed.shift
+        action_class = VALID_ACTIONS[action_argument]
+
+        if general_options['help']
+          if action_class
+            logger.inform action_class.parser.help
+          else
+            logger.inform parser.help
+          end
+
+          return 0
+        end
+
+        if action_class
+          action = action_class.new(logger)
+          input, exit_code = action.parse(unparsed)
+
+          if exit_code
+            return exit_code
+          else
+            return action.run(input)
+          end
+        else
+          logger.warn "Unknown action: #{action_argument}"
+          logger.warn parser.help
+          return 1
+        end
+      end
+
+      def self.parse_general_inputs(inputs)
+        parsed = {}
+        general_parser = OptionParser.new do |opts|
+          opts.banner = BANNER
+          opts.separator ACTION_LIST
+          opts.separator "\nGeneral Options:"
+
+          opts.on('--help', 'Display this general help output') do |help|
+            parsed['help'] = true
+          end
+          opts.on('--version', 'Display the version') do |v|
+            parsed['version'] = true
+          end
+
+          opts.separator ACTION_OPTIONS
+          opts.separator "\nSee `puppetserver ca <action> --help` for detailed info"
+
+        end
+
+        unparsed, nonopts = [], []
+
+        begin
+          general_parser.order!(inputs) do |nonopt|
+            nonopts << nonopt
+          end
+        rescue OptionParser::InvalidOption => e
+          unparsed += e.args
+          unparsed << inputs.shift unless inputs.first =~ /^-{1,2}/
+          retry
+        end
+
+        return general_parser, parsed, nonopts + unparsed
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/logger.rb

@@ -0,0 +1,41 @@
+module Puppetserver
+  module Ca
+    class Logger
+      LEVELS = {error: 1, warning: 2, info: 3, debug: 4}
+
+      def initialize(level = :info, out = STDOUT, err = STDERR)
+        @level = LEVELS[level]
+        if @level.nil?
+          raise ArgumentError, "Unknown log level #{level}"
+        end
+
+        @out = out
+        @err = err
+      end
+
+      def debug(text)
+        if @level >= LEVELS[:debug]
+          @out.puts(text)
+        end
+      end
+
+      def inform(text)
+        if @level >= LEVELS[:info]
+          @out.puts(text)
+        end
+      end
+
+      def warn(text)
+        if @level >= LEVELS[:warning]
+          @err.puts(text)
+        end
+      end
+
+      def err(text)
+        if @level >= LEVELS[:error]
+          @err.puts(text)
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/puppet_config.rb

@@ -0,0 +1,134 @@
+
+module Puppetserver
+  module Ca
+    # Provides an interface for asking for Puppet[ Server] settings w/o loading
+    # either Puppet or Puppet Server. Includes a simple ini parser that will
+    # ignore Puppet's more complicated conventions.
+    class PuppetConfig
+
+      def self.parse(config_path = nil)
+        instance = new(config_path)
+        instance.load
+
+        return instance
+      end
+
+      attr_reader :errors, :settings
+
+      def initialize(supplied_config_path = nil)
+        @using_default_location = !supplied_config_path
+        @config_path = supplied_config_path || user_specific_conf_file
+
+        @settings = nil
+        @errors = []
+      end
+
+      # Return the correct confdir. We check for being root on *nix,
+      # else the user path. We do not include a check for running
+      # as Adminstrator since non-development scenarios for Puppet Server
+      # on Windows are unsupported.
+      # Note that Puppet Server runs as the [pe-]puppet user but to
+      # start/stop it you must be root.
+      def user_specific_conf_dir
+        if running_as_root?
+          '/etc/puppetlabs/puppet'
+        else
+          "#{ENV['HOME']}/.puppetlabs/etc/puppet"
+        end
+      end
+
+      def user_specific_conf_file
+        user_specific_conf_dir + '/puppet.conf'
+      end
+
+      def load
+        if explicitly_given_config_file_or_default_config_exists?
+          results = parse_text(File.read(@config_path))
+        end
+
+        results ||= {}
+        results[:main] ||= {}
+        results[:master] ||= {}
+
+        overrides = results[:main].merge(results[:master])
+
+        @settings = resolve_settings(overrides).freeze
+      end
+
+      # Resolve the cacert, cakey, and cacrl settings from default values,
+      # with any overrides for the specific settings or their dependent
+      # settings (ssldir, cadir) taken into account.
+      def resolve_settings(overrides = {})
+        unresolved_setting = /\$[a-z_]+/
+
+        # Returning the key for unknown keys (rather than nil) is required to
+        # keep unknown settings in the string for later verification.
+        substitutions = Hash.new {|h, k| k }
+        settings = {}
+
+        confdir = user_specific_conf_dir
+        settings[:confdir] = substitutions['$confdir'] = confdir
+
+        ssldir = overrides.fetch(:ssldir, '$confdir/ssl')
+        settings[:ssldir] = substitutions['$ssldir'] = ssldir.sub('$confdir', confdir)
+
+        cadir = overrides.fetch(:cadir, '$ssldir/ca')
+        settings[:cadir] = substitutions['$cadir'] = cadir.sub(unresolved_setting, substitutions)
+
+        settings[:cacert] = overrides.fetch(:cacert, '$cadir/ca_crt.pem')
+        settings[:cakey] = overrides.fetch(:cakey, '$cadir/ca_key.pem')
+        settings[:cacrl] = overrides.fetch(:cacrl, '$cadir/ca_crl.pem')
+        settings[:serial] = overrides.fetch(:serial, '$cadir/serial')
+        settings[:cert_inventory] = overrides.fetch(:cert_inventory, '$cadir/inventory.txt')
+
+        settings.each_pair do |key, value|
+          settings[key] = value.sub(unresolved_setting, substitutions)
+
+          if match = settings[key].match(unresolved_setting)
+            @errors << "Could not parse #{match[0]} in #{value}, " +
+                       'valid settings to be interpolated are ' +
+                       '$ssldir or $cadir'
+          end
+        end
+
+        return settings
+      end
+
+      # Parse an inifile formatted String. Only captures \word character
+      # class keys/section names but nearly any character values (excluding
+      # leading whitespace) up to one of whitespace, opening curly brace, or
+      # hash sign (Our concern being to capture filesystem path values).
+      # Put values without a section into :main.
+      #
+      # Return Hash of Symbol section names with Symbol setting keys and
+      # String values.
+      def parse_text(text)
+        res = {}
+        current_section = :main
+        text.each_line do |line|
+          case line
+          when /^\s*\[(\w+)\].*/
+            current_section = $1.to_sym
+          when /^\s*(\w+)\s*=\s*([^\s{#]+).*$/
+            # Using a Hash with a default key breaks RSpec expectations.
+            res[current_section] ||= {}
+            res[current_section][$1.to_sym] = $2
+          end
+        end
+
+        res
+      end
+
+
+     private
+
+      def explicitly_given_config_file_or_default_config_exists?
+        !@using_default_location || File.exist?(@config_path)
+      end
+
+      def running_as_root?
+        !Gem.win_platform? && Process::UID.eid == 0
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/setup_action.rb

@@ -0,0 +1,211 @@
+require 'etc'
+require 'fileutils'
+require 'optparse'
+require 'puppetserver/ca/x509_loader'
+require 'puppetserver/ca/puppet_config'
+
+module Puppetserver
+  module Ca
+    class SetupAction
+
+      SUMMARY = "Set up the CA's key, certs, and crls"
+      BANNER = <<-BANNER
+Usage:
+  puppetserver ca setup [--help|--version]
+  puppetserver ca setup [--config PATH]
+      --private-key PATH --cert-bundle PATH --crl-chain PATH
+
+Description:
+Given a private key, cert bundle, and a crl chain,
+validate and import to the Puppet Server CA.
+
+To determine the target location the default puppet.conf
+is consulted for custom values. If using a custom puppet.conf
+provide it with the --config flag
+
+Options:
+BANNER
+
+      def initialize(logger)
+        @logger = logger
+      end
+
+      def run(input)
+        bundle_path = input['cert-bundle']
+        key_path = input['private-key']
+        chain_path = input['crl-chain']
+        config_path = input['config']
+
+        files = [bundle_path, key_path, chain_path, config_path].compact
+
+        errors = validate_file_paths(files)
+        return 1 if log_possible_errors(errors)
+
+        loader = X509Loader.new(bundle_path, key_path, chain_path)
+        return 1 if log_possible_errors(loader.errors)
+
+        puppet = PuppetConfig.parse(config_path)
+        return 1 if log_possible_errors(puppet.errors)
+
+        user, group = find_user_and_group
+
+        if !File.exist?(puppet.settings[:cadir])
+          FileUtils.mkdir_p(puppet.settings[:cadir], mode: 0750)
+          FileUtils.chown(user, group, puppet.settings[:cadir])
+        end
+
+        write_file(puppet.settings[:cacert], loader.certs, user, group, 0640)
+
+        write_file(puppet.settings[:cakey], loader.key, user, group, 0640)
+
+        write_file(puppet.settings[:cacrl], loader.crls, user, group, 0640)
+
+        if !File.exist?(puppet.settings[:serial])
+          write_file(puppet.settings[:serial], "001", user, group, 0640)
+        end
+
+        if !File.exist?(puppet.settings[:cert_inventory])
+          write_file(puppet.settings[:cert_inventory],
+                     "", user, group, 0640)
+        end
+
+        return 0
+      end
+
+      def find_user_and_group
+        if !running_as_root?
+          return Process.euid, Process.egid
+        else
+          if pe_puppet_exists?
+            return 'pe-puppet', 'pe-puppet'
+          else
+            return 'puppet', 'puppet'
+          end
+        end
+      end
+
+      def running_as_root?
+        !Gem.win_platform? && Process.euid == 0
+      end
+
+      def pe_puppet_exists?
+        !!(Etc.getpwnam('pe-puppet') rescue nil)
+      end
+
+      def write_file(path, one_or_more_objects, user, group, mode)
+        if File.exist?(path)
+          @logger.warn("#{path} exists, overwriting")
+        end
+
+        File.open(path, 'w', mode) do |f|
+          Array(one_or_more_objects).each do |object|
+            f.puts object.to_s
+          end
+        end
+
+        FileUtils.chown(user, group, path)
+      end
+
+      def log_possible_errors(maybe_errors)
+        errors = Array(maybe_errors).compact
+        unless errors.empty?
+          @logger.err "Error:"
+          errors.each do |message|
+            @logger.err "    #{message}"
+          end
+          return true
+        end
+      end
+
+      def parse(cli_args)
+        parser, inputs, unparsed = parse_inputs(cli_args)
+
+        if !unparsed.empty?
+          @logger.err 'Error:'
+          @logger.err 'Unknown arguments or flags:'
+          unparsed.each do |arg|
+            @logger.err "    #{arg}"
+          end
+
+          @logger.err ''
+          @logger.err parser.help
+
+          exit_code = 1
+        else
+          exit_code = validate_inputs(inputs, parser.help)
+        end
+
+        return inputs, exit_code
+      end
+
+      def validate_inputs(input, usage)
+        exit_code = nil
+
+        if input.values_at('cert-bundle', 'private-key', 'crl-chain').any?(&:nil?)
+          @logger.err 'Error:'
+          @logger.err 'Missing required argument'
+          @logger.err '    --cert-bundle, --private-key, --crl-chain are required'
+          @logger.err ''
+          @logger.err usage
+          exit_code = 1
+        end
+
+        exit_code
+      end
+
+      def parse_inputs(inputs)
+        parsed = {}
+        unparsed = []
+
+        parser = self.class.parser(parsed)
+
+        begin
+          parser.order!(inputs) do |nonopt|
+            unparsed << nonopt
+          end
+        rescue OptionParser::ParseError => e
+          unparsed += e.args
+          unparsed << inputs.shift unless inputs.first =~ /^-{1,2}/
+          retry
+        end
+
+        return parser, parsed, unparsed
+      end
+
+      def self.parser(parsed = {})
+        OptionParser.new do |opts|
+          opts.banner = BANNER
+          opts.on('--help', 'Display this setup specific help output') do |help|
+            parsed['help'] = true
+          end
+          opts.on('--version', 'Output the version') do |v|
+            parsed['version'] = true
+          end
+          opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+            parsed['config'] = conf
+          end
+          opts.on('--private-key KEY', 'Path to PEM encoded key') do |key|
+            parsed['private-key'] = key
+          end
+          opts.on('--cert-bundle BUNDLE', 'Path to PEM encoded bundle') do |bundle|
+            parsed['cert-bundle'] = bundle
+          end
+          opts.on('--crl-chain CHAIN', 'Path to PEM encoded chain') do |chain|
+            parsed['crl-chain'] = chain
+          end
+        end
+      end
+
+      def validate_file_paths(one_or_more_paths)
+        errors = []
+        Array(one_or_more_paths).each do |path|
+          if !File.exist?(path) || !File.readable?(path)
+            errors << "Could not read file '#{path}'"
+          end
+        end
+
+        errors
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "0.0.1-dev1"
+    VERSION = "0.1.0"
   end
 end

data/lib/puppetserver/ca/x509_loader.rb

@@ -0,0 +1,131 @@
+require 'openssl'
+
+module Puppetserver
+  module Ca
+    # Load, validate, and store x509 objects needed by the Puppet Server CA.
+    class X509Loader
+
+      attr_reader :errors, :certs, :key, :crls
+
+      def initialize(bundle_path, key_path, chain_path)
+        @errors = []
+
+        @certs = load_certs(bundle_path)
+        @key = load_key(key_path)
+        @crls = load_crls(chain_path)
+
+        validate(@certs, @key, @crls)
+      end
+
+      # Only do as much validation as is possible, assume whoever tried to
+      # load the objects wrote errors about any invalid ones, but that bundle
+      # and chain may be empty arrays and pkey may be nil.
+      def validate(bundle, pkey, chain)
+        if !chain.empty? && !bundle.empty?
+          validate_crl_and_cert(chain.first, bundle.first)
+        end
+
+        if pkey && !bundle.empty?
+          validate_cert_and_key(pkey, bundle.first)
+        end
+
+        unless bundle.empty?
+          validate_full_chain(bundle, chain)
+        end
+      end
+
+      def load_certs(bundle_path)
+        certs, errs = [], []
+
+        bundle_string = File.read(bundle_path)
+        cert_strings = bundle_string.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
+        cert_strings.each do |cert_string|
+          begin
+            certs << OpenSSL::X509::Certificate.new(cert_string)
+          rescue OpenSSL::X509::CertificateError
+            errs << "Could not parse entry:\n#{cert_string}"
+          end
+        end
+
+        if certs.empty?
+          errs << "Could not detect any certs within #{bundle_path}"
+        end
+
+        unless errs.empty?
+          @errors << "Could not parse #{bundle_path}"
+          @errors += errs
+        end
+
+        return certs
+      end
+
+      def load_key(key_path)
+        begin
+          OpenSSL::PKey.read(File.read(key_path))
+        rescue ArgumentError, OpenSSL::PKey::PKeyError => e
+          @errors << "Could not parse #{key_path}"
+
+          return nil
+        end
+      end
+
+      def load_crls(chain_path)
+        errs, crls = [], []
+
+        chain_string = File.read(chain_path)
+        crl_strings = chain_string.scan(/-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m)
+        crl_strings.map do |crl_string|
+          begin
+            crls << OpenSSL::X509::CRL.new(crl_string)
+          rescue OpenSSL::X509::CRLError
+            errs << "Could not parse entry:\n#{crl_string}"
+          end
+        end
+
+        if crls.empty?
+          errs << "Could not detect any crls within #{chain_path}"
+        end
+
+        unless errs.empty?
+          @errors << "Could not parse #{chain_path}"
+          @errors += errs
+        end
+
+        return crls
+      end
+
+      def validate_cert_and_key(key, cert)
+        unless cert.check_private_key(key)
+          @errors << 'Private key and certificate do not match'
+        end
+      end
+
+      def validate_crl_and_cert(crl, cert)
+        unless crl.issuer == cert.subject
+          @errors << 'Leaf CRL was not issued by leaf certificate'
+        end
+      end
+
+      # By creating an X509::Store and validating the leaf cert with it we:
+      #   - Ensure a full chain of trust (root to leaf) is within the bundle
+      #   - If provided, there are CRLs for the CAs
+      #   - If provided, no CAs within the chain of trust have been revoked
+      # However this does allow for:
+      #   - Additional, ignored, certs and CRLs in the bundle/chain
+      #   - certs and CRLs in any order (as long as the leaf cert is first)
+      def validate_full_chain(certs, crls)
+        store = OpenSSL::X509::Store.new
+        certs.each {|cert| store.add_cert(cert) }
+        if !crls.empty?
+          store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+          crls.each {|crl| store.add_crl(crl) }
+        end
+
+        unless store.verify(certs.first)
+          @errors << 'Leaf certificate could not be validated'
+          @errors << "Validating cert store returned: #{store.error} - #{store.error_string}"
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 0.0.1.pre.dev1
+  version: 0.1.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-06-05 00:00:00.000000000 Z
+date: 2018-07-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -55,7 +55,8 @@ dependencies:
 description: 
 email:
 - release@puppet.com
-executables: []
+executables:
+- puppetserver-ca
 extensions: []
 extra_rdoc_files: []
 files:
@@ -70,9 +71,15 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- exe/puppetserver-ca
 - lib/puppetserver/ca.rb
+- lib/puppetserver/ca/cli.rb
+- lib/puppetserver/ca/logger.rb
+- lib/puppetserver/ca/puppet_config.rb
+- lib/puppetserver/ca/setup_action.rb
 - lib/puppetserver/ca/stub.rb
 - lib/puppetserver/ca/version.rb
+- lib/puppetserver/ca/x509_loader.rb
 - puppetserver-ca.gemspec
 homepage: https://github.com/puppetlabs/puppetserver-ca-cli/
 licenses:
@@ -89,12 +96,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: A simple CLI tool for interacting with Puppet Server's Certificate Authority