puppetserver-ca 0.3.1 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e4ce165ce36009a209f855a3be43baf46d9f3149
-  data.tar.gz: 1dff6f4475def4e3dcbd069e48bfcd1d9f7401b0
+  metadata.gz: 98b359182e9c882ea8a66b4315b873f9d87185de
+  data.tar.gz: 3de8823031139ae413aa7a151dc6bbd0c10176b0
 SHA512:
-  metadata.gz: c667523644d19b2d835507b473c8a8e33c5ac397faa43ad272283289c5fb228ebb35f32bd62fb31ce93842a6065b6aae7f579685e1addcfb07257771eb3d2bff
-  data.tar.gz: 8e37ef678e3fef24eb89b7e6ca51662323e3014f656582d54a05751f2de440e8bc8304b970bef3fac250538e567de5cee7abfbc2e7effaebfa1e0dcd86918165
+  metadata.gz: 327b9b653764428a428f9531dcec525fde0dd67913be851fef86f25a9993d041624dd6f70cec1357687af50f22cd77f690ee1f7bc570bd79a255f53105e81b4a
+  data.tar.gz: baa44b1f602863f5323911446b1896ec9145eeb4360c1fcaa85fb0c63ad173b5acd59b81f5fd6d1fcd183161526154f4d9599ece1c3a0b7b5241d3b6fb372e82

data/lib/puppetserver/ca/action/clean.rb

@@ -0,0 +1,102 @@
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/config/puppet'
+require 'puppetserver/ca/action/revoke'
+require 'puppetserver/ca/certificate_authority'
+
+require 'optparse'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Clean
+
+        include Puppetserver::Ca::Utils
+
+        CERTNAME_BLACKLIST = %w{--all --config}
+
+        SUMMARY = 'Clean files from the CA for certificate(s)'
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca clean [--help]
+  puppetserver ca clean [--config] --certname CERTNAME[,ADDLCERTNAME]
+
+Description:
+Given one or more valid certnames, instructs the CA to revoke certificates
+matching the given certnames if they exist, and then remove files pertaining
+to them (keys, cert, and certificate request) over HTTPS using the local
+agent's PKI
+
+Options:
+BANNER
+
+        def self.parser(parsed = {})
+          parsed['certnames'] = []
+          OptionParser.new do |o|
+            o.banner = BANNER
+            o.on('--certname foo,bar', Array,
+                 'One or more comma separated certnames') do |certs|
+              parsed['certnames'] += certs
+            end
+            o.on('--config PUPPET.CONF', 'Custom path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+            o.on('--help', 'Display this clean specific help output') do |help|
+              parsed['help'] = true
+            end
+          end
+        end
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+
+          errors = CliParsing.parse_with_errors(parser, args)
+
+          results['certnames'].each do |certname|
+            if CERTNAME_BLACKLIST.include?(certname)
+              errors << "    Cannot manage cert named `#{certname}` from " +
+                        "the CLI, if needed use the HTTP API directly"
+            end
+          end
+
+          if results['certnames'].empty?
+            errors << '  At least one certname is required to clean'
+          end
+
+          errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
+
+          exit_code = errors_were_handled ? 1 : nil
+
+          return results, exit_code
+        end
+
+        def run(args)
+          certnames = args['certnames']
+          config = args['config']
+
+          if config
+            errors = FileSystem.validate_file_paths(config)
+            return 1 if CliParsing.handle_errors(@logger, errors)
+          end
+
+          puppet = Config::Puppet.parse(config)
+          return 1 if CliParsing.handle_errors(@logger, puppet.errors)
+
+          passed = clean_certs(certnames, puppet.settings)
+
+          return passed ? 0 : 1
+        end
+
+        def clean_certs(certnames, settings)
+          ca = Puppetserver::Ca::CertificateAuthority.new(@logger, settings)
+          ca.clean_certs(certnames)
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/action/create.rb

@@ -0,0 +1,161 @@
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/host'
+require 'puppetserver/ca/certificate_authority'
+require 'puppetserver/ca/config/puppet'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/signing_digest'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Create
+
+        include Puppetserver::Ca::Utils
+
+        # Only allow printing ascii characters, excluding /
+        VALID_CERTNAME = /\A[ -.0-~]+\Z/
+        CERTNAME_BLACKLIST = %w{--all --config}
+
+        SUMMARY = "Create a new certificate signed by the CA"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca create [--help]
+  puppetserver ca create [--config] --certname CERTNAME[,ADDLCERTNAME]
+
+Description:
+Creates a new certificate signed by the intermediate CA
+and stores generated keys and certs on disk.
+
+To determine the target location, the default puppet.conf
+is consulted for custom values. If using a custom puppet.conf
+provide it with the --config flag
+
+Options:
+BANNER
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def self.parser(parsed = {})
+          parsed['certnames'] = []
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--certname FOO,BAR', Array,
+                 'One or more comma separated certnames') do |certs|
+              parsed['certnames'] += certs
+            end
+            opts.on('--help', 'Display this create specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+          end
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+
+          errors = CliParsing.parse_with_errors(parser, args)
+
+          if results['certnames'].empty?
+            errors << '    At least one certname is required to create'
+          else
+            results['certnames'].each do |certname|
+              if CERTNAME_BLACKLIST.include?(certname)
+                errors << "    Cannot manage cert named `#{certname}` from " +
+                          "the CLI, if needed use the HTTP API directly"
+              end
+
+              if certname.match(/\p{Upper}/)
+                errors << "    Certificate names must be lower case"
+              end
+
+              unless certname =~ VALID_CERTNAME
+                errors << "  Certname #{certname} must not contain unprintable or non-ASCII characters"
+              end
+            end
+          end
+
+          errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
+
+          exit_code = errors_were_handled ? 1 : nil
+
+          return results, exit_code
+        end
+
+        def run(input)
+          certnames = input['certnames']
+          config_path = input['config']
+
+          # Validate config_path provided
+          if config_path
+            errors = FileSystem.validate_file_paths(config_path)
+            return 1 if CliParsing.handle_errors(@logger, errors)
+          end
+
+          # Load, resolve, and validate puppet config settings
+          puppet = Config::Puppet.parse(config_path)
+          return 1 if CliParsing.handle_errors(@logger, puppet.errors)
+
+          # Load most secure signing digest we can for csr signing.
+          signer = SigningDigest.new
+          return 1 if CliParsing.handle_errors(@logger, signer.errors)
+
+          # Make sure we have all the directories where we will be writing files
+          FileSystem.ensure_dir(puppet.settings[:certdir])
+          FileSystem.ensure_dir(puppet.settings[:privatekeydir])
+          FileSystem.ensure_dir(puppet.settings[:publickeydir])
+
+          # Generate and save certs and associated keys
+          all_passed = generate_certs(certnames, puppet.settings, signer.digest)
+          return all_passed ? 0 : 1
+        end
+
+        # Create csrs and keys, then submit them to CA, request for the CA to sign
+        # them, download the signed certificates from the CA, and finally save
+        # the signed certs and associated keys. Returns true if all certs were
+        # successfully created and saved.
+        def generate_certs(certnames, settings, digest)
+          ca = Puppetserver::Ca::CertificateAuthority.new(@logger, settings)
+
+          passed = certnames.map do |certname|
+            key, csr = generate_key_csr(certname, settings, digest)
+            return false unless ca.submit_certificate_request(certname, csr)
+            return false unless ca.sign_certs([certname])
+            if result = ca.get_certificate(certname)
+              save_file(result.body, certname, settings[:certdir], "Certificate")
+              save_keys(certname, settings, key)
+              true
+            else
+              false
+            end
+          end
+          passed.all?
+        end
+
+        def generate_key_csr(certname, settings, digest)
+          host = Puppetserver::Ca::Host.new(digest)
+          private_key = host.create_private_key(settings[:keylength])
+          csr = host.create_csr(certname, private_key)
+
+          return private_key, csr
+        end
+
+        def save_keys(certname, settings, key)
+          public_key = key.public_key
+          save_file(key, certname, settings[:privatekeydir], "Private key")
+          save_file(public_key, certname, settings[:publickeydir], "Public key")
+        end
+
+        def save_file(content, certname, dir, type)
+          location = File.join(dir, "#{certname}.pem")
+          @logger.warn "#{type} #{certname}.pem already exists, overwriting" if File.exist?(location)
+          FileSystem.write_file(location, content, 0640)
+          @logger.inform "Successfully saved #{type.downcase} for #{certname} to #{location}"
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/action/generate.rb

@@ -0,0 +1,313 @@
+require 'optparse'
+require 'openssl'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/host'
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/signing_digest'
+require 'puppetserver/ca/config/puppet'
+require 'facter'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Generate
+        include Puppetserver::Ca::Utils
+
+        CA_EXTENSIONS = [
+          ["basicConstraints", "CA:TRUE", true],
+          ["keyUsage", "keyCertSign, cRLSign", true],
+          ["subjectKeyIdentifier", "hash", false],
+          ["nsComment", "Puppet Server Internal Certificate", false],
+          ["authorityKeyIdentifier", "keyid:always", false]
+        ].freeze
+
+        SSL_SERVER_CERT = "1.3.6.1.5.5.7.3.1"
+        SSL_CLIENT_CERT = "1.3.6.1.5.5.7.3.2"
+
+        MASTER_EXTENSIONS = [
+          ["basicConstraints", "CA:FALSE", true],
+          ["nsComment", "Puppet Server Internal Certificate", false],
+          ["authorityKeyIdentifier", "keyid:always", false],
+          ["extendedKeyUsage", "#{SSL_SERVER_CERT}, #{SSL_CLIENT_CERT}", true],
+          ["keyUsage", "keyEncipherment, digitalSignature", true],
+          ["subjectKeyIdentifier", "hash", false]
+        ].freeze
+
+        # Make the certificate valid as of yesterday, because so many people's
+        # clocks are out of sync.  This gives one more day of validity than people
+        # might expect, but is better than making every person who has a messed up
+        # clock fail, and better than having every cert we generate expire a day
+        # before the user expected it to when they asked for "one year".
+        CERT_VALID_FROM = (Time.now - (60*60*24)).freeze
+
+        SUMMARY = "Generate a root and intermediate signing CA for Puppet Server"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca generate [--help]
+  puppetserver ca generate [--config PATH]
+  puppetserver ca generate [--subject-alt-names ALTNAME1[,ALTNAME2...]]
+
+Description:
+Generate a root and intermediate signing CA for Puppet Server
+and store generated CA keys, certs, and crls on disk.
+
+The `--subject-alt-names` flag can be used to add SANs to the
+certificate generated for the Puppet master. Multiple names can be
+listed as a comma separated string. These can be either DNS names or
+IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
+Names with no prefix will be treated as DNS names.
+
+To determine the target location, the default puppet.conf
+is consulted for custom values. If using a custom puppet.conf
+provide it with the --config flag
+
+Options:
+BANNER
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(input)
+          # Validate config_path provided
+          config_path = input['config']
+          if config_path
+            errors = FileSystem.validate_file_paths(config_path)
+            return 1 if CliParsing.handle_errors(@logger, errors)
+          end
+
+          # Load, resolve, and validate puppet config settings
+          puppet = Config::Puppet.parse(config_path)
+          return 1 if CliParsing.handle_errors(@logger, puppet.errors)
+
+          # Load most secure signing digest we can for cers/crl/csr signing.
+          signer = SigningDigest.new
+          return 1 if CliParsing.handle_errors(@logger, signer.errors)
+
+          if input['subject_alt_names'].empty?
+            subject_alt_names = munge_alt_names(puppet.settings[:subject_alt_names])
+          else
+            subject_alt_names = munge_alt_names(input['subject_alt_names'])
+          end
+
+          # Generate root and intermediate ca and put all the certificates, crls,
+          # and keys where they should go.
+          errors = generate_pki(puppet.settings, signer.digest, subject_alt_names)
+          return 1 if CliParsing.handle_errors(@logger, errors)
+
+          @logger.inform "Generation succeeded. Find your files in #{puppet.settings[:cadir]}"
+          return 0
+        end
+
+        def generate_pki(settings, signing_digest, subject_alt_names = '')
+          valid_until = Time.now + settings[:ca_ttl]
+          host = Puppetserver::Ca::Host.new(signing_digest)
+
+          root_key = host.create_private_key(settings[:keylength])
+          root_cert = self_signed_ca(root_key, settings[:root_ca_name], valid_until, signing_digest)
+          root_crl = create_crl_for(root_cert, root_key, valid_until, signing_digest)
+
+          int_key = host.create_private_key(settings[:keylength])
+          int_csr = host.create_csr(settings[:ca_name], int_key)
+          int_cert = sign_intermediate(root_key, root_cert, int_csr, valid_until, signing_digest)
+          int_crl = create_crl_for(int_cert, int_key, valid_until, signing_digest)
+
+          master_key = host.create_private_key(settings[:keylength])
+          master_csr = host.create_csr(settings[:certname], master_key)
+          master_cert = sign_master_cert(int_key, int_cert, master_csr,
+                                       valid_until, signing_digest, subject_alt_names)
+
+          FileSystem.ensure_dir(settings[:cadir])
+          FileSystem.ensure_dir(settings[:certdir])
+          FileSystem.ensure_dir(settings[:privatekeydir])
+          FileSystem.ensure_dir(settings[:publickeydir])
+
+          public_files = [
+            [settings[:cacert], [int_cert, root_cert]],
+            [settings[:cacrl], [int_crl, root_crl]],
+            [settings[:hostcert], master_cert],
+            [settings[:localcacert], [int_cert, root_cert]],
+            [settings[:localcacrl], [int_crl, root_crl]],
+            [settings[:hostpubkey], master_key.public_key],
+            [settings[:capub], int_key.public_key],
+            [settings[:cert_inventory], inventory_entry(master_cert)],
+            [settings[:serial], "0x0002"],
+          ]
+
+          private_files = [
+            [settings[:hostprivkey], master_key],
+            [settings[:rootkey], root_key],
+            [settings[:cakey], int_key],
+          ]
+
+          errors = FileSystem.check_for_existing_files(public_files.map(&:first))
+          errors += FileSystem.check_for_existing_files(private_files.map(&:first))
+
+          if !errors.empty?
+            instructions = <<-ERR
+If you would really like to replace your CA, please delete the existing files first.
+Note that any certificates that were issued by this CA will become invalid if you
+replace it!
+ERR
+            errors << instructions
+            return errors
+          end
+
+          public_files.each do |location, content|
+            FileSystem.write_file(location, content, 0644)
+          end
+
+          private_files.each do |location, content|
+            FileSystem.write_file(location, content, 0640)
+          end
+
+          return []
+        end
+
+        def self_signed_ca(key, name, valid_until, signing_digest)
+          cert = OpenSSL::X509::Certificate.new
+
+          cert.public_key = key.public_key
+          cert.subject = OpenSSL::X509::Name.new([["CN", name]])
+          cert.issuer = cert.subject
+          cert.version = 2
+          cert.serial = 1
+
+          cert.not_before = CERT_VALID_FROM
+          cert.not_after  = valid_until
+
+          ef = extension_factory_for(cert, cert)
+          CA_EXTENSIONS.each do |ext|
+            extension = ef.create_extension(*ext)
+            cert.add_extension(extension)
+          end
+
+          cert.sign(key, signing_digest)
+
+          cert
+        end
+
+        def inventory_entry(cert)
+          "0x%04x %s %s %s" % [cert.serial, format_time(cert.not_before),
+                               format_time(cert.not_after), cert.subject]
+        end
+
+        def format_time(time)
+          time.strftime('%Y-%m-%dT%H:%M:%S%Z')
+        end
+
+        def extension_factory_for(ca, cert = nil)
+          ef = OpenSSL::X509::ExtensionFactory.new
+          ef.issuer_certificate  = ca
+          ef.subject_certificate = cert if cert
+
+          ef
+        end
+
+        def create_crl_for(ca_cert, ca_key, valid_until, signing_digest)
+          crl = OpenSSL::X509::CRL.new
+          crl.version = 1
+          crl.issuer = ca_cert.subject
+
+          ef = extension_factory_for(ca_cert)
+          crl.add_extension(
+            ef.create_extension(["authorityKeyIdentifier", "keyid:always", false]))
+          crl.add_extension(
+            OpenSSL::X509::Extension.new("crlNumber", OpenSSL::ASN1::Integer(0)))
+
+          crl.last_update = CERT_VALID_FROM
+          crl.next_update = valid_until
+          crl.sign(ca_key, signing_digest)
+
+          crl
+        end
+
+        def sign_intermediate(ca_key, ca_cert, csr, valid_until, signing_digest)
+          cert = OpenSSL::X509::Certificate.new
+
+          cert.public_key = csr.public_key
+          cert.subject = csr.subject
+          cert.issuer = ca_cert.subject
+          cert.version = 2
+          cert.serial = 2
+
+          cert.not_before = CERT_VALID_FROM
+          cert.not_after = valid_until
+
+          ef = extension_factory_for(ca_cert, cert)
+          CA_EXTENSIONS.each do |ext|
+            extension = ef.create_extension(*ext)
+            cert.add_extension(extension)
+          end
+
+          cert.sign(ca_key, signing_digest)
+
+          cert
+        end
+
+        def sign_master_cert(int_key, int_cert, csr, valid_until, signing_digest, subject_alt_names)
+          cert = OpenSSL::X509::Certificate.new
+          cert.public_key = csr.public_key
+          cert.subject = csr.subject
+          cert.issuer = int_cert.subject
+          cert.version = 2
+          cert.serial = 1
+          cert.not_before = CERT_VALID_FROM
+          cert.not_after = valid_until
+
+          ef = extension_factory_for(int_cert, cert)
+          MASTER_EXTENSIONS.each do |ext|
+            extension = ef.create_extension(*ext)
+            cert.add_extension(extension)
+          end
+
+          if !subject_alt_names.empty?
+            alt_names_ext = ef.create_extension("subjectAltName", subject_alt_names, false)
+            cert.add_extension(alt_names_ext)
+          end
+
+          cert.sign(int_key, signing_digest)
+          cert
+        end
+
+        def munge_alt_names(names)
+          raw_names = names.split(/\s*,\s*/).map(&:strip)
+          munged_names = raw_names.map do |name|
+            # Prepend the DNS tag if no tag was specified
+            if !name.start_with?("IP:") && !name.start_with?("DNS:")
+              "DNS:#{name}"
+            else
+              name
+            end
+          end.sort.uniq.join(", ")
+        end
+
+        def parse(cli_args)
+          results = {}
+          parser = self.class.parser(results)
+          errors = CliParsing.parse_with_errors(parser, cli_args)
+          errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
+          exit_code = errors_were_handled ? 1 : nil
+          return results, exit_code
+        end
+
+        def self.parser(parsed = {})
+          parsed['subject_alt_names'] = ''
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this generate specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+            opts.on('--subject-alt-names NAME1[,NAME2]',
+                    'Subject alternative names for the CA signing cert') do |sans|
+              parsed['subject_alt_names'] = sans
+            end
+          end
+        end
+      end
+    end
+  end
+end