puppetserver-ca 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f41aeb772961d07711e18252a727800b7962e11a
-  data.tar.gz: ebc595c85433ec3a4c14d2660e0e92237bee3690
+  metadata.gz: 652bd1357434ad6509c6c08678b57373a4bd6ef1
+  data.tar.gz: 0ad23edeca68b2813ff5d3b1683882f911e7a4c8
 SHA512:
-  metadata.gz: 315814ed7b351eea57fc5620bd08e8e406d6c489a24cc4e0e2e6048844d2ed2ef85260a6fc5c1de8f923f999708aaf0679388b3a23af865f04538f14f6a617e2
-  data.tar.gz: b482951edd70310b07d1aa2a8f988a34bc3a08d3a5ddf75e10799a2b86ad09e0dfd8eee0b683ee0fd665eb90e795c0c422517371dedb68124c49d6544283bec6
+  metadata.gz: 7445af71aaa5aeed30c9e69ac679cd88bffd60a126e9f0766196a69edb353b8473312dec8b34cb767a87f58837af307005fc11e13d368538404a8ab464415970
+  data.tar.gz: 3a3e1ca91518f68c6a6aedb682357c34d9ddf845f482586d9bc21f342c0a36f9f59f577401c73cfcf9ae12d1dd44a952b5c30c28c84f7fd1032f2ac4e0e8db6f

data/lib/puppetserver/ca/clean_action.rb

@@ -0,0 +1,159 @@
+require 'puppetserver/ca/utils'
+require 'puppetserver/utils/http_client'
+require 'puppetserver/utils/file_utilities'
+require 'puppetserver/ca/puppet_config'
+require 'puppetserver/ca/revoke_action'
+
+require 'optparse'
+require 'json'
+
+module Puppetserver
+  module Ca
+    class CleanAction
+
+      include Puppetserver::Utils
+
+      CERTNAME_BLACKLIST = %w{--all --config}
+
+      SUMMARY = 'Clean files from the CA for certificate(s)'
+      BANNER = <<-BANNER
+Usage:
+  puppetserver ca clean [--help|--version]
+  puppetserver ca clean [--config] --certname CERTNAME[,ADDLCERTNAME]
+
+Description:
+Given one or more valid certnames, instructs the CA to revoke certificates
+matching the given certnames if they exist, and then remove files pertaining
+to them (keys, cert, and certificate request) over HTTPS using the local
+agent's PKI
+
+Options:
+BANNER
+
+      def self.parser(parsed = {})
+        parsed['certnames'] = []
+        OptionParser.new do |o|
+          o.banner = BANNER
+          o.on('--certname foo,bar', Array,
+               'One or more comma separated certnames') do |certs|
+            parsed['certnames'] += certs
+          end
+          o.on('--config PUPPET.CONF', 'Custom path to puppet.conf') do |conf|
+            parsed['config'] = conf
+          end
+          o.on('--help', 'Displays this clean specific help output') do |help|
+            parsed['help'] = help
+          end
+        end
+      end
+
+      def initialize(logger)
+        @logger = logger
+      end
+
+      def parse(args)
+        results = {}
+        parser = self.class.parser(results)
+
+        errors = Utils.parse_with_errors(parser, args)
+
+        results['certnames'].each do |certname|
+          if CERTNAME_BLACKLIST.include?(certname)
+            errors << "    Cannot manage cert named `#{certname}` from " +
+                      "the CLI, if needed use the HTTP API directly"
+          end
+        end
+
+        if results['certnames'].empty?
+          errors << '  At least one certname is required to clean'
+        end
+
+        errors_were_handled = Utils.handle_errors(@logger, errors, parser.help)
+
+        exit_code = errors_were_handled ? 1 : nil
+
+        return results, exit_code
+      end
+
+      def run(args)
+        certnames = args['certnames']
+        config = args['config']
+
+        if config
+          errors = FileUtilities.validate_file_paths(config)
+          return 1 if Utils.handle_errors(@logger, errors)
+        end
+
+        puppet = PuppetConfig.parse(config)
+        return 1 if Utils.handle_errors(@logger, puppet.errors)
+
+        passed = clean_certs(certnames, puppet.settings)
+
+        return passed ? 0 : 1
+      end
+
+      def clean_certs(certnames, settings)
+        client = HttpClient.new(settings[:localcacert],
+                                settings[:certificate_revocation],
+                                settings[:hostcrl])
+
+        url = client.make_ca_url(settings[:ca_server],
+                                 settings[:ca_port],
+                                 'certificate_status')
+
+        results = client.with_connection(url) do |connection|
+          certnames.map do |certname|
+            url.resource_name = certname
+            revoke_result = connection.put(RevokeAction::REQUEST_BODY, url)
+            revoked = check_revocation(revoke_result, certname)
+
+            cleaned = nil
+            unless revoked == :error
+              clean_result = connection.delete(url)
+              cleaned = check_result(clean_result, certname)
+            end
+
+            cleaned == :success && [:success, :not_found].include?(revoked)
+          end
+        end
+
+        return results.all?
+      end
+
+      # possibly logs the action, always returns a status symbol 👑
+      def check_revocation(result, certname)
+        case result.code
+        when '200', '204'
+          @logger.inform "Revoked certificate for #{certname}"
+          return :success
+        when '404'
+          return :not_found
+        else
+          @logger.err 'Error:'
+          @logger.err "    Failed revoking certificate for #{certname}"
+          @logger.err "    Received code: #{result.code}, body: #{result.body}"
+          return :error
+        end
+      end
+
+      # logs the action and returns a status symbol 👑
+      def check_result(result, certname)
+        case result.code
+        when '200', '204'
+          @logger.inform "Cleaned files related to #{certname}"
+          return :success
+        when '404'
+          @logger.err 'Error:'
+          @logger.err "    Could not find files for #{certname}"
+          return :not_found
+        else
+          @logger.err 'Error:'
+          @logger.err "    When cleaning #{certname} received:"
+          @logger.err "      code: #{result.code}"
+          @logger.err "      body: #{result.body.to_s}" if result.body
+          return :error
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/cli.rb

@@ -1,7 +1,14 @@
 require 'optparse'
 require 'puppetserver/ca/version'
-require 'puppetserver/ca/import_action'
 require 'puppetserver/ca/logger'
+require 'puppetserver/ca/clean_action'
+require 'puppetserver/ca/import_action'
+require 'puppetserver/ca/generate_action'
+require 'puppetserver/ca/revoke_action'
+require 'puppetserver/ca/list_action'
+require 'puppetserver/ca/sign_action'
+require 'puppetserver/ca/utils'
+require 'puppetserver/ca/create_action'
 
 module Puppetserver
   module Ca
@@ -13,7 +20,15 @@ Manage the Private Key Infrastructure for
 Puppet Server's built-in Certificate Authority
 BANNER
 
-      VALID_ACTIONS = {'import' => ImportAction}
+      VALID_ACTIONS = {
+        'clean'    => CleanAction,
+        'create'   => CreateAction,
+        'generate' => GenerateAction,
+        'import'   => ImportAction,
+        'list'     => ListAction,
+        'revoke'   => RevokeAction,
+        'sign'     => SignAction
+      }
 
       ACTION_LIST = "\nAvailable Actions:\n" +
         VALID_ACTIONS.map do |action, cls|
@@ -22,10 +37,12 @@ BANNER
 
       ACTION_OPTIONS = "\nAction Options:\n" +
         VALID_ACTIONS.map do |action, cls|
-          "  #{action}:\n" +
-          cls.parser.summarize.
-            select{|line| line =~ /^\s*--/ }.
-            reject{|line| line =~ /--help|--version/ }.join('')
+          action_summary = cls.parser.summarize.
+                             select{|line| line =~ /^\s*--/ }.
+                             reject{|line| line =~ /--help|--version/ }
+          summary = action_summary.empty? ? '      N/A' : action_summary.join('')
+
+          "  #{action}:\n" + summary
         end.join("\n")
 
 
@@ -86,19 +103,9 @@ BANNER
 
         end
 
-        unparsed, nonopts = [], []
-
-        begin
-          general_parser.order!(inputs) do |nonopt|
-            nonopts << nonopt
-          end
-        rescue OptionParser::InvalidOption => e
-          unparsed += e.args
-          unparsed << inputs.shift unless inputs.first =~ /^-{1,2}/
-          retry
-        end
+        all,_,_,_ = Utils.parse_without_raising(general_parser, inputs)
 
-        return general_parser, parsed, nonopts + unparsed
+        return general_parser, parsed, all
       end
     end
   end

data/lib/puppetserver/ca/create_action.rb

@@ -0,0 +1,267 @@
+require 'puppetserver/ca/utils'
+require 'puppetserver/ca/host'
+require 'puppetserver/ca/puppet_config'
+require 'puppetserver/utils/file_utilities'
+require 'puppetserver/utils/http_client'
+require 'puppetserver/utils/signing_digest'
+require 'json'
+
+module Puppetserver
+  module Ca
+    class CreateAction
+
+      include Puppetserver::Utils
+
+      # Only allow printing ascii characters, excluding /
+      VALID_CERTNAME = /\A[ -.0-~]+\Z/
+      CERTNAME_BLACKLIST = %w{--all --config}
+
+      SUMMARY = "Create a new certificate signed by the CA"
+      BANNER = <<-BANNER
+Usage:
+  puppetserver ca create [--help]
+  puppetserver ca create [--config] --certname CERTNAME[,ADDLCERTNAME]
+
+Description:
+Creates a new certificate signed by the intermediate CA
+and stores generated keys and certs on disk.
+
+To determine the target location, the default puppet.conf
+is consulted for custom values. If using a custom puppet.conf
+provide it with the --config flag
+
+Options:
+BANNER
+      def initialize(logger)
+        @logger = logger
+      end
+
+      def self.parser(parsed = {})
+        parsed['certnames'] = []
+        OptionParser.new do |opts|
+          opts.banner = BANNER
+          opts.on('--certname FOO,BAR', Array,
+               'One or more comma separated certnames') do |certs|
+            parsed['certnames'] += certs
+          end
+          opts.on('--help', 'Display this create specific help output') do |help|
+            parsed['help'] = true
+          end
+          opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+            parsed['config'] = conf
+          end
+        end
+      end
+
+      def parse(args)
+        results = {}
+        parser = self.class.parser(results)
+
+        errors = Utils.parse_with_errors(parser, args)
+
+        if results['certnames'].empty?
+          errors << '    At least one certname is required to create'
+        else
+          results['certnames'].each do |certname|
+            if CERTNAME_BLACKLIST.include?(certname)
+              errors << "    Cannot manage cert named `#{certname}` from " +
+                        "the CLI, if needed use the HTTP API directly"
+            end
+
+            if certname.match(/\p{Upper}/)
+              errors << "    Certificate names must be lower case"
+            end
+
+            unless certname =~ VALID_CERTNAME
+              errors << "  Certname #{certname} must not contain unprintable or non-ASCII characters"
+            end
+          end
+        end
+
+        errors_were_handled = Utils.handle_errors(@logger, errors, parser.help)
+
+        exit_code = errors_were_handled ? 1 : nil
+
+        return results, exit_code
+      end
+
+      def run(input)
+        certnames = input['certnames']
+        config_path = input['config']
+
+        # Validate config_path provided
+        if config_path
+          errors = FileUtilities.validate_file_paths(config_path)
+          return 1 if Utils.handle_errors(@logger, errors)
+        end
+
+        # Load, resolve, and validate puppet config settings
+        puppet = PuppetConfig.parse(config_path)
+        return 1 if Utils.handle_errors(@logger, puppet.errors)
+
+        # Load most secure signing digest we can for csr signing.
+        signer = SigningDigest.new
+        return 1 if Utils.handle_errors(@logger, signer.errors)
+
+        # Make sure we have all the directories where we will be writing files
+        FileUtilities.ensure_dir(puppet.settings[:certdir])
+        FileUtilities.ensure_dir(puppet.settings[:privatekeydir])
+        FileUtilities.ensure_dir(puppet.settings[:publickeydir])
+
+        # Generate and save certs and associated keys
+        all_passed = generate_certs(certnames, puppet.settings, signer.digest)
+        return all_passed ? 0 : 1
+      end
+
+      # Create csrs and keys, then submit them to CA, request for the CA to sign
+      # them, download the signed certificates from the CA, and finally save
+      # the signed certs and associated keys. Returns true if all certs were
+      # successfully created and saved.
+      def generate_certs(certnames, settings, digest)
+        passed = certnames.map do |certname|
+          key, csr = generate_key_csr(certname, settings, digest)
+          return false unless submit_certificate_request(certname, csr.to_s, settings)
+          return false unless sign_cert(certname, settings)
+          if download_cert(certname, settings)
+            save_keys(key, certname, settings)
+            true
+          else
+            false
+          end
+        end
+        passed.all?
+      end
+
+      def generate_key_csr(certname, settings, digest)
+        host = Puppetserver::Ca::Host.new(digest)
+        private_key = host.create_private_key(settings[:keylength])
+        csr = host.create_csr(certname, private_key)
+
+        return private_key, csr
+      end
+
+      def http_client(settings)
+        @client ||= HttpClient.new(settings[:localcacert],
+                                         settings[:certificate_revocation],
+                                         settings[:hostcrl])
+      end
+
+      # Make an HTTP request to submit certificate requests to CA
+      # @param certname [String] the name of the certificate to fetch
+      # @param csr [String] string version of a OpenSSL::X509::Request
+      # @param settings [Hash] a hash of config settings
+      # @return [Boolean] success of all csrs being submitted to CA
+      def submit_certificate_request(certname, csr, settings)
+        client = http_client(settings)
+        url = client.make_ca_url(settings[:ca_server],
+                       settings[:ca_port],
+                       'certificate_request',
+                       certname)
+
+        client.with_connection(url) do |connection|
+          result = connection.put(csr, url)
+          check_submit_result(result, certname)
+        end
+      end
+
+      def check_submit_result(result, certname)
+        case result.code
+        when '200', '204'
+          @logger.inform "Successfully submitted certificate request for #{certname}"
+          return true
+        else
+          @logger.err 'Error:'
+          @logger.err "    When certificate request submitted for #{certname}:"
+          @logger.err "      code: #{result.code}"
+          @logger.err "      body: #{result.body.to_s}" if result.body
+          return false
+        end
+      end
+
+      # Make an HTTP request to CA to sign the named certificates
+      # @param certname [String] the name of the certificate to have signed
+      # @param settings [Hash] a hash of config settings
+      # @return [Boolean] the success of certificates being signed
+      def sign_cert(certname, settings)
+        client = http_client(settings)
+
+        url = client.make_ca_url(settings[:ca_server],
+                       settings[:ca_port],
+                       'certificate_status',
+                       certname)
+
+        client.with_connection(url) do |connection|
+          body = JSON.dump({desired_state: 'signed'})
+          result = connection.put(body, url)
+          check_sign_result(result, certname)
+        end
+      end
+
+      def check_sign_result(result, certname)
+        case result.code
+        when '204'
+          @logger.inform "Successfully signed certificate request for #{certname}"
+          return true
+        else
+          @logger.err 'Error:'
+          @logger.err "    When signing request submitted for #{certname}:"
+          @logger.err "      code: #{result.code}"
+          @logger.err "      body: #{result.body.to_s}" if result.body
+          return false
+        end
+      end
+
+      # Make an HTTP request to fetch the named certificates from CA
+      # @param certname [String] the name of the certificate to fetch
+      # @param settings [Hash] a hash of config settings
+      # @return [Boolean] the success of certificate being downloaded
+      def download_cert(certname, settings)
+        client = http_client(settings)
+        url = client.make_ca_url(settings[:ca_server],
+                       settings[:ca_port],
+                       'certificate',
+                       certname)
+        client.with_connection(url) do |connection|
+          result = connection.get(url)
+          if downloaded = check_download_result(result, certname)
+            save_file(result.body, certname, settings[:certdir], "Certificate")
+            @logger.inform "Successfully downloaded and saved certificate #{certname} to #{settings[:certdir]}/#{certname}.pem"
+          end
+          downloaded
+        end
+      end
+
+      def check_download_result(result, certname)
+        case result.code
+        when '200'
+          return true
+        when '404'
+          @logger.err 'Error:'
+          @logger.err "    Signed certificate #{certname} could not be found on the CA"
+          return false
+        else
+          @logger.err 'Error:'
+          @logger.err "    When download requested for certificate #{certname}:"
+          @logger.err "      code: #{result.code}"
+          @logger.err "      body: #{result.body.to_s}" if result.body
+          return false
+        end
+      end
+
+      def save_keys(key, certname, settings)
+        public_key = key.public_key
+        save_file(key, certname, settings[:privatekeydir], "Private key")
+        save_file(public_key, certname, settings[:publickeydir], "Public key")
+        @logger.inform "Successfully saved private key for #{certname} to #{settings[:privatekeydir]}/#{certname}.pem"
+        @logger.inform "Successfully saved public key for #{certname} to #{settings[:publickeydir]}/#{certname}.pem"
+      end
+
+
+      def save_file(content, certname, dir, type)
+        location = File.join(dir, "#{certname}.pem")
+        @logger.warn "#{type} #{certname}.pem already exists, overwriting" if File.exist?(location)
+        FileUtilities.write_file(location, content, 0640)
+      end
+    end
+  end
+end