puppetserver-ca 0.4.0 → 0.4.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 98b359182e9c882ea8a66b4315b873f9d87185de
4
- data.tar.gz: 3de8823031139ae413aa7a151dc6bbd0c10176b0
3
+ metadata.gz: 7cdc97b5346544e3f5eaa1b6e8258e7f8ad6356d
4
+ data.tar.gz: fa5cafd9e26a01d03a0f9ffd73169b4ea98c77f0
5
5
  SHA512:
6
- metadata.gz: 327b9b653764428a428f9531dcec525fde0dd67913be851fef86f25a9993d041624dd6f70cec1357687af50f22cd77f690ee1f7bc570bd79a255f53105e81b4a
7
- data.tar.gz: baa44b1f602863f5323911446b1896ec9145eeb4360c1fcaa85fb0c63ad173b5acd59b81f5fd6d1fcd183161526154f4d9599ece1c3a0b7b5241d3b6fb372e82
6
+ metadata.gz: 96260c55c8b9a1499ce112e20300801306ab9e7ce7ebdaf2a8a0cff5cffb9f692e5b266dccdf1a2df14bb3ff4f6a57dc2b4bb17dc93ce9a2f092b57e6f61a002
7
+ data.tar.gz: b9ffc226ca976e0359530d89a5c449f1ec089c9e75b560aa0dbb5b5db133900ebbd657d14a96884d55f9d098b963f207f57f5249c3df257e7715ad14ba55e4c2
@@ -44,8 +44,8 @@ module Puppetserver
44
44
  BANNER = <<-BANNER
45
45
  Usage:
46
46
  puppetserver ca generate [--help]
47
- puppetserver ca generate [--config PATH]
48
- puppetserver ca generate [--subject-alt-names ALTNAME1[,ALTNAME2...]]
47
+ puppetserver ca generate [--config PATH] [--subject-alt-names ALTNAME1[,ALTNAME2...]]
48
+ [--certname NAME] [--ca-name NAME]
49
49
 
50
50
  Description:
51
51
  Generate a root and intermediate signing CA for Puppet Server
@@ -77,31 +77,34 @@ BANNER
77
77
  end
78
78
 
79
79
  # Load, resolve, and validate puppet config settings
80
- puppet = Config::Puppet.parse(config_path)
80
+ settings_overrides = {}
81
+ settings_overrides[:certname] = input['certname'] unless input['certname'].empty?
82
+ settings_overrides[:ca_name] = input['ca_name'] unless input['ca_name'].empty?
83
+ # Since puppet expects the key to be called 'dns_alt_names', we need to use that here
84
+ # to ensure that the overriding works correctly.
85
+ settings_overrides[:dns_alt_names] = input['subject_alt_names'] unless input['subject_alt_names'].empty?
86
+
87
+ puppet = Config::Puppet.new(config_path)
88
+ puppet.load(settings_overrides)
81
89
  return 1 if CliParsing.handle_errors(@logger, puppet.errors)
82
90
 
83
91
  # Load most secure signing digest we can for cers/crl/csr signing.
84
92
  signer = SigningDigest.new
85
93
  return 1 if CliParsing.handle_errors(@logger, signer.errors)
86
94
 
87
- if input['subject_alt_names'].empty?
88
- subject_alt_names = munge_alt_names(puppet.settings[:subject_alt_names])
89
- else
90
- subject_alt_names = munge_alt_names(input['subject_alt_names'])
91
- end
92
-
93
95
  # Generate root and intermediate ca and put all the certificates, crls,
94
96
  # and keys where they should go.
95
- errors = generate_pki(puppet.settings, signer.digest, subject_alt_names)
97
+ errors = generate_pki(puppet.settings, signer.digest)
96
98
  return 1 if CliParsing.handle_errors(@logger, errors)
97
99
 
98
100
  @logger.inform "Generation succeeded. Find your files in #{puppet.settings[:cadir]}"
99
101
  return 0
100
102
  end
101
103
 
102
- def generate_pki(settings, signing_digest, subject_alt_names = '')
104
+ def generate_pki(settings, signing_digest)
103
105
  valid_until = Time.now + settings[:ca_ttl]
104
106
  host = Puppetserver::Ca::Host.new(signing_digest)
107
+ subject_alt_names = munge_alt_names(settings[:subject_alt_names])
105
108
 
106
109
  root_key = host.create_private_key(settings[:keylength])
107
110
  root_cert = self_signed_ca(root_key, settings[:root_ca_name], valid_until, signing_digest)
@@ -115,12 +118,14 @@ BANNER
115
118
  master_key = host.create_private_key(settings[:keylength])
116
119
  master_csr = host.create_csr(settings[:certname], master_key)
117
120
  master_cert = sign_master_cert(int_key, int_cert, master_csr,
118
- valid_until, signing_digest, subject_alt_names)
121
+ valid_until, signing_digest,
122
+ subject_alt_names)
119
123
 
120
124
  FileSystem.ensure_dir(settings[:cadir])
121
125
  FileSystem.ensure_dir(settings[:certdir])
122
126
  FileSystem.ensure_dir(settings[:privatekeydir])
123
127
  FileSystem.ensure_dir(settings[:publickeydir])
128
+ FileSystem.ensure_dir(settings[:signeddir])
124
129
 
125
130
  public_files = [
126
131
  [settings[:cacert], [int_cert, root_cert]],
@@ -131,7 +136,8 @@ BANNER
131
136
  [settings[:hostpubkey], master_key.public_key],
132
137
  [settings[:capub], int_key.public_key],
133
138
  [settings[:cert_inventory], inventory_entry(master_cert)],
134
- [settings[:serial], "0x0002"],
139
+ [settings[:serial], "002"],
140
+ [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), master_cert],
135
141
  ]
136
142
 
137
143
  private_files = [
@@ -293,6 +299,8 @@ ERR
293
299
 
294
300
  def self.parser(parsed = {})
295
301
  parsed['subject_alt_names'] = ''
302
+ parsed['ca_name'] = ''
303
+ parsed['certname'] = ''
296
304
  OptionParser.new do |opts|
297
305
  opts.banner = BANNER
298
306
  opts.on('--help', 'Display this generate specific help output') do |help|
@@ -302,9 +310,17 @@ ERR
302
310
  parsed['config'] = conf
303
311
  end
304
312
  opts.on('--subject-alt-names NAME1[,NAME2]',
305
- 'Subject alternative names for the CA signing cert') do |sans|
313
+ 'Subject alternative names for the master cert') do |sans|
306
314
  parsed['subject_alt_names'] = sans
307
315
  end
316
+ opts.on('--ca-name NAME',
317
+ 'Common name to use for the CA signing cert') do |name|
318
+ parsed['ca_name'] = name
319
+ end
320
+ opts.on('--certname NAME',
321
+ 'Common name to use for the master cert') do |name|
322
+ parsed['certname'] = name
323
+ end
308
324
  end
309
325
  end
310
326
  end
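Review bot: The value given to the new `--certname` option is used unvalidated as a file name in the `[File.join(settings[:signeddir], "#{settings[:certname]}.pem"), master_cert]` entry of `public_files`, so a certname containing a path separator or `..` would place the master certificate outside `signeddir`. The override is taken straight from `input['certname']` in the run hunk and nothing in the visible hunks restricts its characters; Puppet presumably applies its own certname rules elsewhere, but this tool performs the write itself. A guard before the overrides hash is built, along the lines of `return 1 if CliParsing.handle_errors(@logger, ["Invalid --certname: #{input['certname']}"]) if input['certname'].match?(%r{[/\\]|\A\.\.?\z})`, would keep the write inside the directory (the exact error-reporting call depends on what `CliParsing.handle_errors` accepts, which is outside the hunk). The enclosing run method begins before the `@@ -77,31 +77,34 @@` hunk.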
@@ -14,7 +14,7 @@ module Puppetserver
14
14
  BANNER = <<-BANNER
15
15
  Usage:
16
16
  puppetserver ca import [--help]
17
- puppetserver ca import [--config PATH]
17
+ puppetserver ca import [--config PATH] [--certname NAME]
18
18
  --private-key PATH --cert-bundle PATH --crl-chain PATH
19
19
 
20
20
  Description:
@@ -46,7 +46,10 @@ BANNER
46
46
  loader = X509Loader.new(bundle_path, key_path, chain_path)
47
47
  return 1 if CliParsing.handle_errors(@logger, loader.errors)
48
48
 
49
- puppet = Config::Puppet.parse(config_path)
49
+ settings_overrides = {}
50
+ settings_overrides[:certname] = input['certname'] unless input['certname'].empty?
51
+ puppet = Config::Puppet.new(config_path)
52
+ puppet.load(settings_overrides)
50
53
  return 1 if CliParsing.handle_errors(@logger, puppet.errors)
51
54
 
52
55
  target_locations = [puppet.settings[:cacert],
@@ -75,7 +78,7 @@ ERR
75
78
  FileSystem.write_file(puppet.settings[:cacrl], loader.crls, 0640)
76
79
 
77
80
  # Puppet's internal CA expects these file to exist.
78
- FileSystem.ensure_file(puppet.settings[:serial], "0x0001", 0640)
81
+ FileSystem.ensure_file(puppet.settings[:serial], "001", 0640)
79
82
  FileSystem.ensure_file(puppet.settings[:cert_inventory], "", 0640)
80
83
 
81
84
  @logger.inform "Import succeeded. Find your files in #{puppet.settings[:cadir]}"
@@ -124,6 +127,10 @@ ERR
124
127
  opts.on('--crl-chain CHAIN', 'Path to PEM encoded chain') do |chain|
125
128
  parsed['crl-chain'] = chain
126
129
  end
130
+ opts.on('--certname NAME',
131
+ 'Common name to use for the master cert') do |name|
132
+ parsed['certname'] = name
133
+ end
127
134
  end
128
135
  end
129
136
  end
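Review bot: The serial file content changes from `"0x0001"` to `"001"` with no comment saying which format the consumer expects, and the same change to `"002"` is made in the generate action's `public_files` entry. The surrounding comment only says Puppet's internal CA expects the file to exist, so a reader cannot tell whether the prefix was dropped because the reading side parses a bare hex string or a decimal one; presumably the former, since the previous `0x0001` form was hex. I would extend the comment to `# Puppet's internal CA expects these files to exist; the serial is written as a bare hex string (no 0x prefix) to match what reads settings[:serial].` and name the reading side once confirmed. The enclosing run method starts before this hunk.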
@@ -24,7 +24,7 @@ module Puppetserver
24
24
 
25
25
  include Puppetserver::Ca::Utils::Config
26
26
 
27
- def self.parse(config_path = nil)
27
+ def self.parse(config_path)
28
28
  instance = new(config_path)
29
29
  instance.load
30
30
 
@@ -60,7 +60,7 @@ module Puppetserver
60
60
  user_specific_conf_dir + '/puppet.conf'
61
61
  end
62
62
 
63
- def load
63
+ def load(cli_overrides = {})
64
64
  if explicitly_given_config_file_or_default_config_exists?
65
65
  results = parse_text(File.read(@config_path))
66
66
  end
@@ -70,6 +70,7 @@ module Puppetserver
70
70
  results[:master] ||= {}
71
71
 
72
72
  overrides = results[:main].merge(results[:master])
73
+ overrides.merge!(cli_overrides)
73
74
 
74
75
  @settings = resolve_settings(overrides).freeze
75
76
  end
@@ -133,6 +134,7 @@ module Puppetserver
133
134
  :publickeydir => '$ssldir/public_keys',
134
135
  :ca_ttl => '15y',
135
136
  :certificate_revocation => 'true',
137
+ :signeddir => '$cadir/signed',
136
138
  }
137
139
 
138
140
  # This loops through the base defaults and gives each setting a
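Review bot: `Config::Puppet.parse` cannot pass CLI overrides, because it still calls `instance.load` with no arguments while `load` now takes `cli_overrides`, so every action needing overrides must use the two-step `new`/`load` seen in the generate and import hunks. Forwarding the hash, `def self.parse(config_path, cli_overrides = {})` with `instance.load(cli_overrides)`, would keep one entry point; dropping the `config_path` default at the same time also breaks any caller that invoked `parse` without arguments. The merge order in `load` (`[main]`, then `[master]`, then CLI) is the intended precedence but is undocumented; a `# @param cli_overrides [Hash{Symbol => Object}] settings from the command line; take precedence over puppet.conf` line above `def load` would state it. The merge also relies on the CLI hash using the same symbol keys as `results[:main]`/`results[:master]`, which cannot be confirmed from the hunk.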
@@ -1,5 +1,5 @@
1
1
  module Puppetserver
2
2
  module Ca
3
- VERSION = "0.4.0"
3
+ VERSION = "0.4.1"
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puppetserver-ca
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.0
4
+ version: 0.4.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Puppet, Inc.
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2018-08-22 00:00:00.000000000 Z
11
+ date: 2018-08-24 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: facter