puppetserver-ca 0.6.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a64b08fb770d1dc3f6837b80a4115756a143484d
-  data.tar.gz: 9874789b46a28996379ec33f5f51b70946564c9b
+  metadata.gz: 1d0f3441468d38c6a0385a7c2ed7e3056e9e7407
+  data.tar.gz: 84e643ade9ca258be16166e16b1577dd454ec9f8
 SHA512:
-  metadata.gz: c729aa2b55a1b080f773ae31ef103296c4eb3ffac7b3aeba2f789f8df7cceebd2ed443dfc7af96c6f02aecac4922997fed1f4ea6baae999f2c372e581cbbc5d4
-  data.tar.gz: c64afc116c5e301fe58577bb83161baccf3e0a2ba20d580806f8696724e1568b7b0b0b9c42d4e5c6c09dedc004af9c8f1692316a1e080bb0df88229ab211ae59
+  metadata.gz: 6dd35a352ff2ca7aec331efd573781224471e03efcd451fd35d5c13416b6f2d2cceec34339d0ff9016840a77af321b9821d6fff1f2d6d42a568316786b8e19bd
+  data.tar.gz: 6e460d0db0cf328e17968950741eade841198ce165e306b5ca07e81343d1c29045b3baab88ce0be78c90c3a50c969fc4323c6e626f195814bd7fba6f08707e78

data/lib/puppetserver/ca/action/clean.rb

@@ -15,11 +15,11 @@ module Puppetserver
 
         CERTNAME_BLACKLIST = %w{--all --config}
 
-        SUMMARY = 'Clean files from the CA for certificate(s)'
+        SUMMARY = 'Revoke cert(s) and remove related files from CA'
         BANNER = <<-BANNER
 Usage:
   puppetserver ca clean [--help]
-  puppetserver ca clean [--config] --certname CERTNAME[,ADDLCERTNAME]
+  puppetserver ca clean [--config] --certname NAME[,NAME]
 
 Description:
 Given one or more valid certnames, instructs the CA to revoke certificates
@@ -34,11 +34,11 @@ BANNER
           parsed['certnames'] = []
           OptionParser.new do |o|
             o.banner = BANNER
-            o.on('--certname foo,bar', Array,
+            o.on('--certname NAME[,NAME]', Array,
                  'One or more comma separated certnames') do |certs|
               parsed['certnames'] += certs
             end
-            o.on('--config PUPPET.CONF', 'Custom path to puppet.conf') do |conf|
+            o.on('--config CONF', 'Custom path to puppet.conf') do |conf|
               parsed['config'] = conf
             end
             o.on('--help', 'Display this clean specific help output') do |help|

data/lib/puppetserver/ca/action/generate.rb

@@ -1,32 +1,31 @@
-require 'optparse'
-require 'puppetserver/ca/utils/file_system'
-require 'puppetserver/ca/local_certificate_authority'
 require 'puppetserver/ca/utils/cli_parsing'
-require 'puppetserver/ca/utils/signing_digest'
+require 'puppetserver/ca/host'
+require 'puppetserver/ca/certificate_authority'
 require 'puppetserver/ca/config/puppet'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/signing_digest'
 
 module Puppetserver
   module Ca
     module Action
       class Generate
+
         include Puppetserver::Ca::Utils
 
-        SUMMARY = "Generate a root and intermediate signing CA for Puppet Server"
+        # Only allow printing ascii characters, excluding /
+        VALID_CERTNAME = /\A[ -.0-~]+\Z/
+        CERTNAME_BLACKLIST = %w{--all --config}
+
+        SUMMARY = "Generate a new certificate signed by the CA"
         BANNER = <<-BANNER
 Usage:
   puppetserver ca generate [--help]
-  puppetserver ca generate [--config PATH] [--subject-alt-names ALTNAME1[,ALTNAME2...]]
-                           [--certname NAME] [--ca-name NAME]
+  puppetserver ca generate [--config PATH] [--certname NAME[,NAME]]
+                           [--subject-alt-names NAME[,NAME]]
 
 Description:
-Generate a root and intermediate signing CA for Puppet Server
-and store generated CA keys, certs, and crls on disk.
-
-The `--subject-alt-names` flag can be used to add SANs to the
-certificate generated for the Puppet master. Multiple names can be
-listed as a comma separated string. These can be either DNS names or
-IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
-Names with no prefix will be treated as DNS names.
+Generates a new certificate signed by the intermediate CA
+and stores generated keys and certs on disk.
 
 To determine the target location, the default puppet.conf
 is consulted for custom values. If using a custom puppet.conf
@@ -34,14 +33,69 @@ provide it with the --config flag
 
 Options:
 BANNER
-
         def initialize(logger)
           @logger = logger
         end
 
+        def self.parser(parsed = {})
+          parsed['certnames'] = []
+          parsed['subject-alt-names'] = ''
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--certname NAME[,NAME]', Array,
+                 'One or more comma separated certnames') do |certs|
+              parsed['certnames'] += certs
+            end
+            opts.on('--help', 'Display this generate specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+            opts.on('--subject-alt-names NAME[,NAME]',
+                    'Subject alternative names for the generated cert') do |sans|
+              parsed['subject-alt-names'] = sans
+            end
+          end
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+
+          errors = CliParsing.parse_with_errors(parser, args)
+
+          if results['certnames'].empty?
+            errors << '    At least one certname is required to generate'
+          else
+            results['certnames'].each do |certname|
+              if CERTNAME_BLACKLIST.include?(certname)
+                errors << "    Cannot manage cert named `#{certname}` from " +
+                          "the CLI, if needed use the HTTP API directly"
+              end
+
+              if certname.match(/\p{Upper}/)
+                errors << "    Certificate names must be lower case"
+              end
+
+              unless certname =~ VALID_CERTNAME
+                errors << "  Certname #{certname} must not contain unprintable or non-ASCII characters"
+              end
+            end
+          end
+
+          errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
+
+          exit_code = errors_were_handled ? 1 : nil
+
+          return results, exit_code
+        end
+
         def run(input)
-          # Validate config_path provided
+          certnames = input['certnames']
           config_path = input['config']
+
+          # Validate config_path provided
           if config_path
             errors = FileSystem.validate_file_paths(config_path)
             return 1 if CliParsing.handle_errors(@logger, errors)
@@ -49,130 +103,81 @@ BANNER
 
           # Load, resolve, and validate puppet config settings
           settings_overrides = {}
-          settings_overrides[:certname] = input['certname'] unless input['certname'].empty?
-          settings_overrides[:ca_name] = input['ca-name'] unless input['ca-name'].empty?
           # Since puppet expects the key to be called 'dns_alt_names', we need to use that here
           # to ensure that the overriding works correctly.
           settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
-
           puppet = Config::Puppet.new(config_path)
           puppet.load(settings_overrides)
           return 1 if CliParsing.handle_errors(@logger, puppet.errors)
 
-          # Load most secure signing digest we can for cers/crl/csr signing.
+          # Load most secure signing digest we can for csr signing.
           signer = SigningDigest.new
           return 1 if CliParsing.handle_errors(@logger, signer.errors)
 
-          # Generate root and intermediate ca and put all the certificates, crls,
-          # and keys where they should go.
-          errors = generate_pki(puppet.settings, signer.digest)
-          return 1 if CliParsing.handle_errors(@logger, errors)
-
-          @logger.inform "Generation succeeded. Find your files in #{puppet.settings[:cadir]}"
-          return 0
+          # Generate and save certs and associated keys
+          all_passed = generate_certs(certnames, puppet.settings, signer.digest)
+          return all_passed ? 0 : 1
         end
 
-        def generate_pki(settings, signing_digest)
-          ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
-
-          root_key, root_cert, root_crl = ca.create_root_cert
-          int_key, int_cert, int_crl = ca.create_intermediate_cert(root_key, root_cert)
-          master_key, master_cert = ca.create_master_cert(int_key, int_cert)
-          return ca.errors if ca.errors.any?
-
+        # Generate csrs and keys, then submit them to CA, request for the CA to sign
+        # them, download the signed certificates from the CA, and finally save
+        # the signed certs and associated keys. Returns true if all certs were
+        # successfully created and saved.
+        def generate_certs(certnames, settings, digest)
+          # Make sure we have all the directories where we will be writing files
           FileSystem.ensure_dirs([settings[:ssldir],
-                                  settings[:cadir],
                                   settings[:certdir],
                                   settings[:privatekeydir],
-                                  settings[:publickeydir],
-                                  settings[:signeddir]])
-
-          public_files = [
-            [settings[:cacert], [int_cert, root_cert]],
-            [settings[:cacrl], [int_crl, root_crl]],
-            [settings[:cadir] + '/infra_crl.pem', [int_crl, root_crl]],
-            [settings[:hostcert], master_cert],
-            [settings[:localcacert], [int_cert, root_cert]],
-            [settings[:hostcrl], [int_crl, root_crl]],
-            [settings[:hostpubkey], master_key.public_key],
-            [settings[:capub], int_key.public_key],
-            [settings[:cert_inventory], ca.inventory_entry(master_cert)],
-            [settings[:cadir] + '/infra_inventory.txt', ''],
-            [settings[:cadir] + '/infra_serials', ''],
-            [settings[:serial], "002"],
-            [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), master_cert],
-          ]
-
-          private_files = [
-            [settings[:hostprivkey], master_key],
-            [settings[:rootkey], root_key],
-            [settings[:cakey], int_key],
-          ]
-
-          files_to_check = public_files + private_files
-          # We don't want to error if master's keys exist. Certain workflows
-          # allow the agent to have already be installed with keys and then
-          # upgraded to be a master. The host class will honor keys, if both
-          # public and private exist, and error if only one exists - as is
-          # previous behavior.
-          files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
-          errors = FileSystem.check_for_existing_files(files_to_check)
-
-          if !errors.empty?
-            instructions = <<-ERR
-If you would really like to replace your CA, please delete the existing files first.
-Note that any certificates that were issued by this CA will become invalid if you
-replace it!
-ERR
-            errors << instructions
-            return errors
-          end
-
-          public_files.each do |location, content|
-            FileSystem.write_file(location, content, 0644)
+                                  settings[:publickeydir]])
+
+          ca = Puppetserver::Ca::CertificateAuthority.new(@logger, settings)
+
+          passed = certnames.map do |certname|
+            key, csr = generate_key_csr(certname, settings, digest)
+            return false unless csr
+            return false unless ca.submit_certificate_request(certname, csr)
+            return false unless ca.sign_certs([certname])
+            if result = ca.get_certificate(certname)
+              save_file(result.body, certname, settings[:certdir], "Certificate")
+              save_keys(certname, settings, key)
+              true
+            else
+              false
+            end
           end
+          passed.all?
+        end
 
-          private_files.each do |location, content|
-            FileSystem.write_file(location, content, 0640)
+        def generate_key_csr(certname, settings, digest)
+          host = Puppetserver::Ca::Host.new(digest)
+          private_key = host.create_private_key(settings[:keylength])
+          extensions = []
+          if !settings[:subject_alt_names].empty?
+            ef = OpenSSL::X509::ExtensionFactory.new
+            extensions << ef.create_extension("subjectAltName",
+                                              settings[:subject_alt_names],
+                                              false)
           end
+          csr = host.create_csr(name: certname,
+                                key: private_key,
+                                cli_extensions: extensions,
+                                csr_attributes_path: settings[:csr_attributes])
+          return if CliParsing.handle_errors(@logger, host.errors)
 
-          return []
+          return private_key, csr
         end
 
-        def parse(cli_args)
-          results = {}
-          parser = self.class.parser(results)
-          errors = CliParsing.parse_with_errors(parser, cli_args)
-          errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
-          exit_code = errors_were_handled ? 1 : nil
-          return results, exit_code
+        def save_keys(certname, settings, key)
+          public_key = key.public_key
+          save_file(key, certname, settings[:privatekeydir], "Private key")
+          save_file(public_key, certname, settings[:publickeydir], "Public key")
         end
 
-        def self.parser(parsed = {})
-          parsed['subject-alt-names'] = ''
-          parsed['ca-name'] = ''
-          parsed['certname'] = ''
-          OptionParser.new do |opts|
-            opts.banner = BANNER
-            opts.on('--help', 'Display this generate specific help output') do |help|
-              parsed['help'] = true
-            end
-            opts.on('--config CONF', 'Path to puppet.conf') do |conf|
-              parsed['config'] = conf
-            end
-            opts.on('--subject-alt-names NAME1[,NAME2]',
-                    'Subject alternative names for the master cert') do |sans|
-              parsed['subject-alt-names'] = sans
-            end
-            opts.on('--ca-name NAME',
-                    'Common name to use for the CA signing cert') do |name|
-              parsed['ca-name'] = name
-            end
-            opts.on('--certname NAME',
-                    'Common name to use for the master cert') do |name|
-              parsed['certname'] = name
-            end
-          end
+        def save_file(content, certname, dir, type)
+          location = File.join(dir, "#{certname}.pem")
+          @logger.warn "#{type} #{certname}.pem already exists, overwriting" if File.exist?(location)
+          FileSystem.write_file(location, content, 0640)
+          @logger.inform "Successfully saved #{type.downcase} for #{certname} to #{location}"
         end
       end
     end

data/lib/puppetserver/ca/action/import.rb

@@ -12,12 +12,12 @@ module Puppetserver
       class Import
         include Puppetserver::Ca::Utils
 
-        SUMMARY = "Import the CA's key, certs, and crls"
+        SUMMARY = "Import an external CA chain and generate master PKI"
         BANNER = <<-BANNER
 Usage:
   puppetserver ca import [--help]
   puppetserver ca import [--config PATH] [--certname NAME]
-                         [--subject-alt-names ALTNAME1[,ALTNAME2...]]
+                         [--subject-alt-names NAME[,NAME]]
       --private-key PATH --cert-bundle PATH --crl-chain PATH
 
 Description:
@@ -181,7 +181,7 @@ ERR
                     'Common name to use for the master cert') do |name|
               parsed['certname'] = name
             end
-            opts.on('--subject-alt-names NAME1[,NAME2]',
+            opts.on('--subject-alt-names NAME[,NAME]',
                     'Subject alternative names for the master cert') do |sans|
               parsed['subject-alt-names'] = sans
             end

data/lib/puppetserver/ca/action/list.rb

@@ -12,7 +12,7 @@ module Puppetserver
 
         include Puppetserver::Ca::Utils
 
-        SUMMARY = 'List all certificate requests'
+        SUMMARY = 'List certificates and CSRs'
         BANNER = <<-BANNER
 Usage:
   puppetserver ca list [--help]

data/lib/puppetserver/ca/action/revoke.rb

@@ -14,11 +14,11 @@ module Puppetserver
 
         CERTNAME_BLACKLIST = %w{--all --config}
 
-        SUMMARY = 'Revoke a given certificate'
+        SUMMARY = 'Revoke certificate(s)'
         BANNER = <<-BANNER
 Usage:
   puppetserver ca revoke [--help]
-  puppetserver ca revoke [--config] --certname CERTNAME[,ADDLCERTNAME]
+  puppetserver ca revoke [--config] --certname NAME[,NAME]
 
 Description:
 Given one or more valid certnames, instructs the CA to revoke them over
@@ -31,11 +31,11 @@ BANNER
           parsed['certnames'] = []
           OptionParser.new do |o|
             o.banner = BANNER
-            o.on('--certname foo,bar', Array,
+            o.on('--certname NAME[,NAME]', Array,
                  'One or more comma separated certnames') do |certs|
               parsed['certnames'] += certs
             end
-            o.on('--config PUPPET.CONF', 'Custom path to puppet.conf') do |conf|
+            o.on('--config CONF', 'Custom path to puppet.conf') do |conf|
               parsed['config'] = conf
             end
             o.on('--help', 'Displays this revoke specific help output') do |help|

data/lib/puppetserver/ca/action/setup.rb

@@ -0,0 +1,181 @@
+require 'optparse'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/local_certificate_authority'
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/signing_digest'
+require 'puppetserver/ca/config/puppet'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Setup
+        include Puppetserver::Ca::Utils
+
+        SUMMARY = "Setup a self-signed CA chain for Puppet Server"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca setup [--help]
+  puppetserver ca setup [--config PATH] [--subject-alt-names NAME[,NAME]]
+                           [--certname NAME] [--ca-name NAME]
+
+Description:
+Setup a root and intermediate signing CA for Puppet Server
+and store generated CA keys, certs, crls, and associated
+master related files on disk.
+
+The `--subject-alt-names` flag can be used to add SANs to the
+certificate generated for the Puppet master. Multiple names can be
+listed as a comma separated string. These can be either DNS names or
+IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
+Names with no prefix will be treated as DNS names.
+
+To determine the target location, the default puppet.conf
+is consulted for custom values. If using a custom puppet.conf
+provide it with the --config flag
+
+Options:
+BANNER
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(input)
+          # Validate config_path provided
+          config_path = input['config']
+          if config_path
+            errors = FileSystem.validate_file_paths(config_path)
+            return 1 if CliParsing.handle_errors(@logger, errors)
+          end
+
+          # Load, resolve, and validate puppet config settings
+          settings_overrides = {}
+          settings_overrides[:certname] = input['certname'] unless input['certname'].empty?
+          settings_overrides[:ca_name] = input['ca-name'] unless input['ca-name'].empty?
+          # Since puppet expects the key to be called 'dns_alt_names', we need to use that here
+          # to ensure that the overriding works correctly.
+          settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
+
+          puppet = Config::Puppet.new(config_path)
+          puppet.load(settings_overrides)
+          return 1 if CliParsing.handle_errors(@logger, puppet.errors)
+
+          # Load most secure signing digest we can for cers/crl/csr signing.
+          signer = SigningDigest.new
+          return 1 if CliParsing.handle_errors(@logger, signer.errors)
+
+          # Generate root and intermediate ca and put all the certificates, crls,
+          # and keys where they should go.
+          errors = generate_pki(puppet.settings, signer.digest)
+          return 1 if CliParsing.handle_errors(@logger, errors)
+
+          @logger.inform "Generation succeeded. Find your files in #{puppet.settings[:cadir]}"
+          return 0
+        end
+
+        def generate_pki(settings, signing_digest)
+          ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
+
+          root_key, root_cert, root_crl = ca.create_root_cert
+          int_key, int_cert, int_crl = ca.create_intermediate_cert(root_key, root_cert)
+          master_key, master_cert = ca.create_master_cert(int_key, int_cert)
+          return ca.errors if ca.errors.any?
+
+          FileSystem.ensure_dirs([settings[:ssldir],
+                                  settings[:cadir],
+                                  settings[:certdir],
+                                  settings[:privatekeydir],
+                                  settings[:publickeydir],
+                                  settings[:signeddir]])
+
+          public_files = [
+            [settings[:cacert], [int_cert, root_cert]],
+            [settings[:cacrl], [int_crl, root_crl]],
+            [settings[:cadir] + '/infra_crl.pem', [int_crl, root_crl]],
+            [settings[:hostcert], master_cert],
+            [settings[:localcacert], [int_cert, root_cert]],
+            [settings[:hostcrl], [int_crl, root_crl]],
+            [settings[:hostpubkey], master_key.public_key],
+            [settings[:capub], int_key.public_key],
+            [settings[:cert_inventory], ca.inventory_entry(master_cert)],
+            [settings[:cadir] + '/infra_inventory.txt', ''],
+            [settings[:cadir] + '/infra_serials', ''],
+            [settings[:serial], "002"],
+            [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), master_cert],
+          ]
+
+          private_files = [
+            [settings[:hostprivkey], master_key],
+            [settings[:rootkey], root_key],
+            [settings[:cakey], int_key],
+          ]
+
+          files_to_check = public_files + private_files
+          # We don't want to error if master's keys exist. Certain workflows
+          # allow the agent to have already be installed with keys and then
+          # upgraded to be a master. The host class will honor keys, if both
+          # public and private exist, and error if only one exists - as is
+          # previous behavior.
+          files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
+          errors = FileSystem.check_for_existing_files(files_to_check)
+
+          if !errors.empty?
+            instructions = <<-ERR
+If you would really like to replace your CA, please delete the existing files first.
+Note that any certificates that were issued by this CA will become invalid if you
+replace it!
+ERR
+            errors << instructions
+            return errors
+          end
+
+          public_files.each do |location, content|
+            FileSystem.write_file(location, content, 0644)
+          end
+
+          private_files.each do |location, content|
+            FileSystem.write_file(location, content, 0640)
+          end
+
+          return []
+        end
+
+        def parse(cli_args)
+          results = {}
+          parser = self.class.parser(results)
+          errors = CliParsing.parse_with_errors(parser, cli_args)
+          errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
+          exit_code = errors_were_handled ? 1 : nil
+          return results, exit_code
+        end
+
+        def self.parser(parsed = {})
+          parsed['subject-alt-names'] = ''
+          parsed['ca-name'] = ''
+          parsed['certname'] = ''
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this setup specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+            opts.on('--subject-alt-names NAME[,NAME]',
+                    'Subject alternative names for the master cert') do |sans|
+              parsed['subject-alt-names'] = sans
+            end
+            opts.on('--ca-name NAME',
+                    'Common name to use for the CA signing cert') do |name|
+              parsed['ca-name'] = name
+            end
+            opts.on('--certname NAME',
+                    'Common name to use for the master cert') do |name|
+              parsed['certname'] = name
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/action/sign.rb

@@ -14,11 +14,11 @@ module Puppetserver
 
         include Puppetserver::Ca::Utils
 
-        SUMMARY = 'Sign a given certificate'
+        SUMMARY = 'Sign certificate request(s)'
         BANNER = <<-BANNER
 Usage:
   puppetserver ca sign [--help]
-  puppetserver ca sign [--config] --certname CERTNAME[,CERTNAME]
+  puppetserver ca sign [--config] --certname NAME[,NAME]
   puppetserver ca sign  --all
 
 Description:
@@ -30,10 +30,10 @@ Options:
         def self.parser(parsed = {})
           OptionParser.new do |opts|
             opts.banner = BANNER
-            opts.on('--certname x,y,z', Array, 'the name(s) of the cert(s) to be signed') do |cert|
+            opts.on('--certname NAME[,NAME]', Array, 'the name(s) of the cert(s) to be signed') do |cert|
               parsed['certname'] = cert
             end
-            opts.on('--config PUPPET.CONF', 'Custom path to Puppet\'s config file') do |conf|
+            opts.on('--config CONF', 'Custom path to Puppet\'s config file') do |conf|
               parsed['config'] = conf
             end
             opts.on('--help', 'Display this command specific help output') do |help|

data/lib/puppetserver/ca/cli.rb

@@ -1,13 +1,13 @@
 require 'optparse'
-require 'puppetserver/ca/version'
-require 'puppetserver/ca/logger'
 require 'puppetserver/ca/action/clean'
-require 'puppetserver/ca/action/create'
-require 'puppetserver/ca/action/import'
 require 'puppetserver/ca/action/generate'
-require 'puppetserver/ca/action/revoke'
+require 'puppetserver/ca/action/import'
 require 'puppetserver/ca/action/list'
+require 'puppetserver/ca/action/revoke'
+require 'puppetserver/ca/action/setup'
 require 'puppetserver/ca/action/sign'
+require 'puppetserver/ca/logger'
+require 'puppetserver/ca/version'
 require 'puppetserver/ca/utils/cli_parsing'
 
 
@@ -21,18 +21,28 @@ Manage the Private Key Infrastructure for
 Puppet Server's built-in Certificate Authority
 BANNER
 
-      VALID_ACTIONS = {
+      INIT_ACTIONS = {
+        'import'   => Action::Import,
+        'setup'    => Action::Setup,
+      }
+
+      MAINT_ACTIONS = {
         'clean'    => Action::Clean,
-        'create'   => Action::Create,
         'generate' => Action::Generate,
-        'import'   => Action::Import,
         'list'     => Action::List,
         'revoke'   => Action::Revoke,
         'sign'     => Action::Sign
       }
 
-      ACTION_LIST = "\nAvailable Actions:\n" +
-        VALID_ACTIONS.map do |action, cls|
+      VALID_ACTIONS = INIT_ACTIONS.merge(MAINT_ACTIONS).sort.to_h
+
+      ACTION_LIST = "\nAvailable Actions:\n\n" +
+        "  Certificate Actions (requires a running Puppet Server):\n\n" +
+        MAINT_ACTIONS.map do |action, cls|
+          "    #{action}\t#{cls::SUMMARY}"
+        end.join("\n") + "\n\n" +
+        "  Initialization Actions (requires Puppet Server to be stopped):\n\n" +
+        INIT_ACTIONS.map do |action, cls|
           "    #{action}\t#{cls::SUMMARY}"
         end.join("\n")
 

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "0.6.0"
+    VERSION = "0.7.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-09-11 00:00:00.000000000 Z
+date: 2018-09-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -93,11 +93,11 @@ files:
 - exe/puppetserver-ca
 - lib/puppetserver/ca.rb
 - lib/puppetserver/ca/action/clean.rb
-- lib/puppetserver/ca/action/create.rb
 - lib/puppetserver/ca/action/generate.rb
 - lib/puppetserver/ca/action/import.rb
 - lib/puppetserver/ca/action/list.rb
 - lib/puppetserver/ca/action/revoke.rb
+- lib/puppetserver/ca/action/setup.rb
 - lib/puppetserver/ca/action/sign.rb
 - lib/puppetserver/ca/certificate_authority.rb
 - lib/puppetserver/ca/cli.rb

data/lib/puppetserver/ca/action/create.rb

@@ -1,185 +0,0 @@
-require 'puppetserver/ca/utils/cli_parsing'
-require 'puppetserver/ca/host'
-require 'puppetserver/ca/certificate_authority'
-require 'puppetserver/ca/config/puppet'
-require 'puppetserver/ca/utils/file_system'
-require 'puppetserver/ca/utils/signing_digest'
-
-module Puppetserver
-  module Ca
-    module Action
-      class Create
-
-        include Puppetserver::Ca::Utils
-
-        # Only allow printing ascii characters, excluding /
-        VALID_CERTNAME = /\A[ -.0-~]+\Z/
-        CERTNAME_BLACKLIST = %w{--all --config}
-
-        SUMMARY = "Create a new certificate signed by the CA"
-        BANNER = <<-BANNER
-Usage:
-  puppetserver ca create [--help]
-  puppetserver ca create [--config PATH] [--certname CERTNAME[,ADDLCERTNAME]]
-                         [--subject-alt-names ALTNAME1[,ALTNAME2...]]
-
-Description:
-Creates a new certificate signed by the intermediate CA
-and stores generated keys and certs on disk.
-
-To determine the target location, the default puppet.conf
-is consulted for custom values. If using a custom puppet.conf
-provide it with the --config flag
-
-Options:
-BANNER
-        def initialize(logger)
-          @logger = logger
-        end
-
-        def self.parser(parsed = {})
-          parsed['certnames'] = []
-          parsed['subject-alt-names'] = ''
-          OptionParser.new do |opts|
-            opts.banner = BANNER
-            opts.on('--certname FOO,BAR', Array,
-                 'One or more comma separated certnames') do |certs|
-              parsed['certnames'] += certs
-            end
-            opts.on('--help', 'Display this create specific help output') do |help|
-              parsed['help'] = true
-            end
-            opts.on('--config CONF', 'Path to puppet.conf') do |conf|
-              parsed['config'] = conf
-            end
-            opts.on('--subject-alt-names NAME1[,NAME2]',
-                    'Subject alternative names for the generated cert') do |sans|
-              parsed['subject-alt-names'] = sans
-            end
-          end
-        end
-
-        def parse(args)
-          results = {}
-          parser = self.class.parser(results)
-
-          errors = CliParsing.parse_with_errors(parser, args)
-
-          if results['certnames'].empty?
-            errors << '    At least one certname is required to create'
-          else
-            results['certnames'].each do |certname|
-              if CERTNAME_BLACKLIST.include?(certname)
-                errors << "    Cannot manage cert named `#{certname}` from " +
-                          "the CLI, if needed use the HTTP API directly"
-              end
-
-              if certname.match(/\p{Upper}/)
-                errors << "    Certificate names must be lower case"
-              end
-
-              unless certname =~ VALID_CERTNAME
-                errors << "  Certname #{certname} must not contain unprintable or non-ASCII characters"
-              end
-            end
-          end
-
-          errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)
-
-          exit_code = errors_were_handled ? 1 : nil
-
-          return results, exit_code
-        end
-
-        def run(input)
-          certnames = input['certnames']
-          config_path = input['config']
-
-          # Validate config_path provided
-          if config_path
-            errors = FileSystem.validate_file_paths(config_path)
-            return 1 if CliParsing.handle_errors(@logger, errors)
-          end
-
-          # Load, resolve, and validate puppet config settings
-          settings_overrides = {}
-          # Since puppet expects the key to be called 'dns_alt_names', we need to use that here
-          # to ensure that the overriding works correctly.
-          settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
-          puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
-          return 1 if CliParsing.handle_errors(@logger, puppet.errors)
-
-          # Load most secure signing digest we can for csr signing.
-          signer = SigningDigest.new
-          return 1 if CliParsing.handle_errors(@logger, signer.errors)
-
-          # Generate and save certs and associated keys
-          all_passed = generate_certs(certnames, puppet.settings, signer.digest)
-          return all_passed ? 0 : 1
-        end
-
-        # Create csrs and keys, then submit them to CA, request for the CA to sign
-        # them, download the signed certificates from the CA, and finally save
-        # the signed certs and associated keys. Returns true if all certs were
-        # successfully created and saved.
-        def generate_certs(certnames, settings, digest)
-          # Make sure we have all the directories where we will be writing files
-          FileSystem.ensure_dirs([settings[:ssldir],
-                                  settings[:certdir],
-                                  settings[:privatekeydir],
-                                  settings[:publickeydir]])
-
-          ca = Puppetserver::Ca::CertificateAuthority.new(@logger, settings)
-
-          passed = certnames.map do |certname|
-            key, csr = generate_key_csr(certname, settings, digest)
-            return false unless csr
-            return false unless ca.submit_certificate_request(certname, csr)
-            return false unless ca.sign_certs([certname])
-            if result = ca.get_certificate(certname)
-              save_file(result.body, certname, settings[:certdir], "Certificate")
-              save_keys(certname, settings, key)
-              true
-            else
-              false
-            end
-          end
-          passed.all?
-        end
-
-        def generate_key_csr(certname, settings, digest)
-          host = Puppetserver::Ca::Host.new(digest)
-          private_key = host.create_private_key(settings[:keylength])
-          extensions = []
-          if !settings[:subject_alt_names].empty?
-            ef = OpenSSL::X509::ExtensionFactory.new
-            extensions << ef.create_extension("subjectAltName",
-                                              settings[:subject_alt_names],
-                                              false)
-          end
-          csr = host.create_csr(name: certname,
-                                key: private_key,
-                                cli_extensions: extensions,
-                                csr_attributes_path: settings[:csr_attributes])
-          return if CliParsing.handle_errors(@logger, host.errors)
-
-          return private_key, csr
-        end
-
-        def save_keys(certname, settings, key)
-          public_key = key.public_key
-          save_file(key, certname, settings[:privatekeydir], "Private key")
-          save_file(public_key, certname, settings[:publickeydir], "Public key")
-        end
-
-        def save_file(content, certname, dir, type)
-          location = File.join(dir, "#{certname}.pem")
-          @logger.warn "#{type} #{certname}.pem already exists, overwriting" if File.exist?(location)
-          FileSystem.write_file(location, content, 0640)
-          @logger.inform "Successfully saved #{type.downcase} for #{certname} to #{location}"
-        end
-      end
-    end
-  end
-end