puppetserver-ca 0.4.0 → 0.4.1

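--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
- metadata.gz: 98b359182e9c882ea8a66b4315b873f9d87185de
- data.tar.gz: 3de8823031139ae413aa7a151dc6bbd0c10176b0
+ metadata.gz: 7cdc97b5346544e3f5eaa1b6e8258e7f8ad6356d
+ data.tar.gz: fa5cafd9e26a01d03a0f9ffd73169b4ea98c77f0
 SHA512:
- metadata.gz: 327b9b653764428a428f9531dcec525fde0dd67913be851fef86f25a9993d041624dd6f70cec1357687af50f22cd77f690ee1f7bc570bd79a255f53105e81b4a
- data.tar.gz: baa44b1f602863f5323911446b1896ec9145eeb4360c1fcaa85fb0c63ad173b5acd59b81f5fd6d1fcd183161526154f4d9599ece1c3a0b7b5241d3b6fb372e82
+ metadata.gz: 96260c55c8b9a1499ce112e20300801306ab9e7ce7ebdaf2a8a0cff5cffb9f692e5b266dccdf1a2df14bb3ff4f6a57dc2b4bb17dc93ce9a2f092b57e6f61a002
+ data.tar.gz: b9ffc226ca976e0359530d89a5c449f1ec089c9e75b560aa0dbb5b5db133900ebbd657d14a96884d55f9d098b963f207f57f5249c3df257e7715ad14ba55e4c2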
@@ -44,8 +44,8 @@ module Puppetserver
44
44
  BANNER = <<-BANNER
45
45
  Usage:
46
46
  puppetserver ca generate [--help]
47
- puppetserver ca generate [--config PATH]
48
- puppetserver ca generate [--subject-alt-names ALTNAME1[,ALTNAME2...]]
47
+ puppetserver ca generate [--config PATH] [--subject-alt-names ALTNAME1[,ALTNAME2...]]
48
+ [--certname NAME] [--ca-name NAME]
49
49
 
50
50
  Description:
51
51
  Generate a root and intermediate signing CA for Puppet Server
@@ -77,31 +77,34 @@ BANNER
77
77
  end
78
78
 
79
79
  # Load, resolve, and validate puppet config settings
80
- puppet = Config::Puppet.parse(config_path)
80
+ settings_overrides = {}
81
+ settings_overrides[:certname] = input['certname'] unless input['certname'].empty?
82
+ settings_overrides[:ca_name] = input['ca_name'] unless input['ca_name'].empty?
83
+ # Since puppet expects the key to be called 'dns_alt_names', we need to use that here
84
+ # to ensure that the overriding works correctly.
85
+ settings_overrides[:dns_alt_names] = input['subject_alt_names'] unless input['subject_alt_names'].empty?
86
+
87
+ puppet = Config::Puppet.new(config_path)
88
+ puppet.load(settings_overrides)
81
89
  return 1 if CliParsing.handle_errors(@logger, puppet.errors)
82
90
 
83
91
  # Load most secure signing digest we can for cers/crl/csr signing.
84
92
  signer = SigningDigest.new
85
93
  return 1 if CliParsing.handle_errors(@logger, signer.errors)
86
94
 
87
- if input['subject_alt_names'].empty?
88
- subject_alt_names = munge_alt_names(puppet.settings[:subject_alt_names])
89
- else
90
- subject_alt_names = munge_alt_names(input['subject_alt_names'])
91
- end
92
-
93
95
  # Generate root and intermediate ca and put all the certificates, crls,
94
96
  # and keys where they should go.
95
- errors = generate_pki(puppet.settings, signer.digest, subject_alt_names)
97
+ errors = generate_pki(puppet.settings, signer.digest)
96
98
  return 1 if CliParsing.handle_errors(@logger, errors)
97
99
 
98
100
  @logger.inform "Generation succeeded. Find your files in #{puppet.settings[:cadir]}"
99
101
  return 0
100
102
  end
101
103
 
102
- def generate_pki(settings, signing_digest, subject_alt_names = '')
104
+ def generate_pki(settings, signing_digest)
103
105
  valid_until = Time.now + settings[:ca_ttl]
104
106
  host = Puppetserver::Ca::Host.new(signing_digest)
107
+ subject_alt_names = munge_alt_names(settings[:subject_alt_names])
105
108
 
106
109
  root_key = host.create_private_key(settings[:keylength])
107
110
  root_cert = self_signed_ca(root_key, settings[:root_ca_name], valid_until, signing_digest)
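Review bot: The command-line value is stored under `settings_overrides[:dns_alt_names]`, but `generate_pki` reads it back as `settings[:subject_alt_names]`; the new comment says Puppet expects the `dns_alt_names` key, so this only works if `resolve_settings` (not visible here) maps one name onto the other, and nothing in the hunk says so. A comment at the read site such as `# resolve_settings exposes puppet's dns_alt_names under :subject_alt_names` or a spec that passes `--subject-alt-names` and asserts the names reach the master cert would pin that contract. Note also that `generate_pki` lost its third parameter `subject_alt_names = ''`, so any caller outside this file that still passes three arguments will raise ArgumentError. The generate action body starts before this hunk and `generate_pki` continues past it.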
@@ -115,12 +118,14 @@ BANNER
115
118
  master_key = host.create_private_key(settings[:keylength])
116
119
  master_csr = host.create_csr(settings[:certname], master_key)
117
120
  master_cert = sign_master_cert(int_key, int_cert, master_csr,
118
- valid_until, signing_digest, subject_alt_names)
121
+ valid_until, signing_digest,
122
+ subject_alt_names)
119
123
 
120
124
  FileSystem.ensure_dir(settings[:cadir])
121
125
  FileSystem.ensure_dir(settings[:certdir])
122
126
  FileSystem.ensure_dir(settings[:privatekeydir])
123
127
  FileSystem.ensure_dir(settings[:publickeydir])
128
+ FileSystem.ensure_dir(settings[:signeddir])
124
129
 
125
130
  public_files = [
126
131
  [settings[:cacert], [int_cert, root_cert]],
@@ -131,7 +136,8 @@ BANNER
131
136
  [settings[:hostpubkey], master_key.public_key],
132
137
  [settings[:capub], int_key.public_key],
133
138
  [settings[:cert_inventory], inventory_entry(master_cert)],
134
- [settings[:serial], "0x0002"],
139
+ [settings[:serial], "002"],
140
+ [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), master_cert],
135
141
  ]
136
142
 
137
143
  private_files = [
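Review bot: `settings[:certname]` can now come straight from `--certname` and is interpolated into a file name in `File.join(settings[:signeddir], "#{settings[:certname]}.pem")`, so a value containing a path separator or `..` would write the signed certificate outside `signeddir`. Since the same value is also the certificate's common name, a single check in the `--certname` option handler that rejects separators and empty strings, e.g. `raise ArgumentError, "certname must not contain path separators" if name.include?(File::SEPARATOR)`, is cheaper than validating at every use. Separately, the serial literal changed from `"0x0002"` to `"002"` with no explanation; a one-line comment stating the format Puppet's CA reads from `settings[:serial]` would stop the next maintainer from reverting it. `generate_pki` begins before this hunk and continues past it.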
@@ -293,6 +299,8 @@ ERR
293
299
 
294
300
  def self.parser(parsed = {})
295
301
  parsed['subject_alt_names'] = ''
302
+ parsed['ca_name'] = ''
303
+ parsed['certname'] = ''
296
304
  OptionParser.new do |opts|
297
305
  opts.banner = BANNER
298
306
  opts.on('--help', 'Display this generate specific help output') do |help|
@@ -302,9 +310,17 @@ ERR
302
310
  parsed['config'] = conf
303
311
  end
304
312
  opts.on('--subject-alt-names NAME1[,NAME2]',
305
- 'Subject alternative names for the CA signing cert') do |sans|
313
+ 'Subject alternative names for the master cert') do |sans|
306
314
  parsed['subject_alt_names'] = sans
307
315
  end
316
+ opts.on('--ca-name NAME',
317
+ 'Common name to use for the CA signing cert') do |name|
318
+ parsed['ca_name'] = name
319
+ end
320
+ opts.on('--certname NAME',
321
+ 'Common name to use for the master cert') do |name|
322
+ parsed['certname'] = name
323
+ end
308
324
  end
309
325
  end
310
326
  end
@@ -14,7 +14,7 @@ module Puppetserver
14
14
  BANNER = <<-BANNER
15
15
  Usage:
16
16
  puppetserver ca import [--help]
17
- puppetserver ca import [--config PATH]
17
+ puppetserver ca import [--config PATH] [--certname NAME]
18
18
  --private-key PATH --cert-bundle PATH --crl-chain PATH
19
19
 
20
20
  Description:
@@ -46,7 +46,10 @@ BANNER
46
46
  loader = X509Loader.new(bundle_path, key_path, chain_path)
47
47
  return 1 if CliParsing.handle_errors(@logger, loader.errors)
48
48
 
49
- puppet = Config::Puppet.parse(config_path)
49
+ settings_overrides = {}
50
+ settings_overrides[:certname] = input['certname'] unless input['certname'].empty?
51
+ puppet = Config::Puppet.new(config_path)
52
+ puppet.load(settings_overrides)
50
53
  return 1 if CliParsing.handle_errors(@logger, puppet.errors)
51
54
 
52
55
  target_locations = [puppet.settings[:cacert],
@@ -75,7 +78,7 @@ ERR
75
78
  FileSystem.write_file(puppet.settings[:cacrl], loader.crls, 0640)
76
79
 
77
80
  # Puppet's internal CA expects these file to exist.
78
- FileSystem.ensure_file(puppet.settings[:serial], "0x0001", 0640)
81
+ FileSystem.ensure_file(puppet.settings[:serial], "001", 0640)
79
82
  FileSystem.ensure_file(puppet.settings[:cert_inventory], "", 0640)
80
83
 
81
84
  @logger.inform "Import succeeded. Find your files in #{puppet.settings[:cadir]}"
@@ -124,6 +127,10 @@ ERR
124
127
  opts.on('--crl-chain CHAIN', 'Path to PEM encoded chain') do |chain|
125
128
  parsed['crl-chain'] = chain
126
129
  end
130
+ opts.on('--certname NAME',
131
+ 'Common name to use for the master cert') do |name|
132
+ parsed['certname'] = name
133
+ end
127
134
  end
128
135
  end
129
136
  end
@@ -24,7 +24,7 @@ module Puppetserver
24
24
 
25
25
  include Puppetserver::Ca::Utils::Config
26
26
 
27
- def self.parse(config_path = nil)
27
+ def self.parse(config_path)
28
28
  instance = new(config_path)
29
29
  instance.load
30
30
 
@@ -60,7 +60,7 @@ module Puppetserver
60
60
  user_specific_conf_dir + '/puppet.conf'
61
61
  end
62
62
 
63
- def load
63
+ def load(cli_overrides = {})
64
64
  if explicitly_given_config_file_or_default_config_exists?
65
65
  results = parse_text(File.read(@config_path))
66
66
  end
@@ -70,6 +70,7 @@ module Puppetserver
70
70
  results[:master] ||= {}
71
71
 
72
72
  overrides = results[:main].merge(results[:master])
73
+ overrides.merge!(cli_overrides)
73
74
 
74
75
  @settings = resolve_settings(overrides).freeze
75
76
  end
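Review bot: The new `cli_overrides` parameter of `load` is undocumented, and its two invariants are only implied by the code: `overrides.merge!(cli_overrides)` runs after `results[:main].merge(results[:master])`, so command-line values win over both puppet.conf sections, and the keys must be symbols matching the setting names the callers use (`:certname`, `:ca_name`, `:dns_alt_names`). A comment such as `# @param cli_overrides [Hash{Symbol=>String}] settings given on the command line; merged last so they take precedence over puppet.conf` above `def load(cli_overrides = {})` would make both explicit. The companion `self.parse(config_path)` in the previous hunk still calls `instance.load` with no arguments, so overrides are reachable only through `new` + `load`; forwarding them with `def self.parse(config_path, cli_overrides = {})` and `instance.load(cli_overrides)` would keep a single entry point. `load` begins before this hunk.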
@@ -133,6 +134,7 @@ module Puppetserver
133
134
  :publickeydir => '$ssldir/public_keys',
134
135
  :ca_ttl => '15y',
135
136
  :certificate_revocation => 'true',
137
+ :signeddir => '$cadir/signed',
136
138
  }
137
139
 
138
140
  # This loops through the base defaults and gives each setting a
@@ -1,5 +1,5 @@
1
1
  module Puppetserver
2
2
  module Ca
3
- VERSION = "0.4.0"
3
+ VERSION = "0.4.1"
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puppetserver-ca
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.0
4
+ version: 0.4.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Puppet, Inc.
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2018-08-22 00:00:00.000000000 Z
11
+ date: 2018-08-24 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: facter