puppetserver-ca 1.1.3 → 1.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/puppetserver/ca/action/clean.rb +13 -12
- data/lib/puppetserver/ca/action/generate.rb +34 -33
- data/lib/puppetserver/ca/action/import.rb +17 -15
- data/lib/puppetserver/ca/action/list.rb +11 -8
- data/lib/puppetserver/ca/action/revoke.rb +9 -9
- data/lib/puppetserver/ca/action/setup.rb +20 -18
- data/lib/puppetserver/ca/action/sign.rb +12 -10
- data/lib/puppetserver/ca/certificate_authority.rb +2 -2
- data/lib/puppetserver/ca/cli.rb +11 -2
- data/lib/puppetserver/ca/config/puppet.rb +25 -3
- data/lib/puppetserver/ca/config/puppetserver.rb +1 -0
- data/lib/puppetserver/ca/errors.rb +26 -0
- data/lib/puppetserver/ca/host.rb +1 -1
- data/lib/puppetserver/ca/local_certificate_authority.rb +2 -2
- data/lib/puppetserver/ca/utils/cli_parsing.rb +0 -15
- data/lib/puppetserver/ca/utils/file_system.rb +1 -1
- data/lib/puppetserver/ca/utils/http_client.rb +35 -9
- data/lib/puppetserver/ca/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 738624da584684a68fc407803548fb3d4b6855aa
|
|
4
|
+
data.tar.gz: cb3ff01a01b44468687668a39ca957d7496038a4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8ba3e5d5f070022ed1c2d88cc388b18de694782846a836490c3309cd7fe1fa85cfe60943ead8f422911920638ae84099d471b734bf39191e1ea8901d605aaa0d
|
|
7
|
+
data.tar.gz: e0ec48b8a594b342e47962addc05c0b08976aa06bc335a63c181dc1fd2dbab60cca1a5cd38ebd7b911c8713c2675ac6029fbd6fa9b9e2007939a42dc1841902a
|
|
@@ -1,10 +1,11 @@
|
|
|
1
|
-
require '
|
|
2
|
-
|
|
3
|
-
require 'puppetserver/ca/config/puppet'
|
|
1
|
+
require 'optparse'
|
|
2
|
+
|
|
4
3
|
require 'puppetserver/ca/action/revoke'
|
|
5
4
|
require 'puppetserver/ca/certificate_authority'
|
|
6
|
-
|
|
7
|
-
require '
|
|
5
|
+
require 'puppetserver/ca/config/puppet'
|
|
6
|
+
require 'puppetserver/ca/errors'
|
|
7
|
+
require 'puppetserver/ca/utils/cli_parsing'
|
|
8
|
+
require 'puppetserver/ca/utils/file_system'
|
|
8
9
|
|
|
9
10
|
module Puppetserver
|
|
10
11
|
module Ca
|
|
@@ -22,10 +23,10 @@ Usage:
|
|
|
22
23
|
puppetserver ca clean [--config] --certname NAME[,NAME]
|
|
23
24
|
|
|
24
25
|
Description:
|
|
25
|
-
Given one or more valid certnames, instructs the CA to revoke certificates
|
|
26
|
-
matching the given certnames if they exist, and then remove files pertaining
|
|
27
|
-
to them (keys, cert, and certificate request) over HTTPS using the local
|
|
28
|
-
agent's PKI
|
|
26
|
+
Given one or more valid certnames, instructs the CA to revoke certificates
|
|
27
|
+
matching the given certnames if they exist, and then remove files pertaining
|
|
28
|
+
to them (keys, cert, and certificate request) over HTTPS using the local
|
|
29
|
+
agent's PKI
|
|
29
30
|
|
|
30
31
|
Options:
|
|
31
32
|
BANNER
|
|
@@ -68,7 +69,7 @@ BANNER
|
|
|
68
69
|
errors << ' At least one certname is required to clean'
|
|
69
70
|
end
|
|
70
71
|
|
|
71
|
-
errors_were_handled =
|
|
72
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
|
72
73
|
|
|
73
74
|
exit_code = errors_were_handled ? 1 : nil
|
|
74
75
|
|
|
@@ -81,11 +82,11 @@ BANNER
|
|
|
81
82
|
|
|
82
83
|
if config
|
|
83
84
|
errors = FileSystem.validate_file_paths(config)
|
|
84
|
-
return 1 if
|
|
85
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
85
86
|
end
|
|
86
87
|
|
|
87
88
|
puppet = Config::Puppet.parse(config)
|
|
88
|
-
return 1 if
|
|
89
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
89
90
|
|
|
90
91
|
result = clean_certs(certnames, puppet.settings)
|
|
91
92
|
case result
|
|
@@ -1,12 +1,13 @@
|
|
|
1
|
-
require 'puppetserver/ca/utils/cli_parsing'
|
|
2
|
-
require 'puppetserver/ca/host'
|
|
3
1
|
require 'puppetserver/ca/certificate_authority'
|
|
4
|
-
require 'puppetserver/ca/local_certificate_authority'
|
|
5
|
-
require 'puppetserver/ca/x509_loader'
|
|
6
2
|
require 'puppetserver/ca/config/puppet'
|
|
3
|
+
require 'puppetserver/ca/errors'
|
|
4
|
+
require 'puppetserver/ca/host'
|
|
5
|
+
require 'puppetserver/ca/local_certificate_authority'
|
|
6
|
+
require 'puppetserver/ca/utils/cli_parsing'
|
|
7
|
+
require 'puppetserver/ca/utils/config'
|
|
7
8
|
require 'puppetserver/ca/utils/file_system'
|
|
8
9
|
require 'puppetserver/ca/utils/signing_digest'
|
|
9
|
-
require 'puppetserver/ca/
|
|
10
|
+
require 'puppetserver/ca/x509_loader'
|
|
10
11
|
|
|
11
12
|
module Puppetserver
|
|
12
13
|
module Ca
|
|
@@ -28,25 +29,25 @@ Usage:
|
|
|
28
29
|
[--ca-client]
|
|
29
30
|
|
|
30
31
|
Description:
|
|
31
|
-
Generates a new certificate signed by the intermediate CA
|
|
32
|
-
and stores generated keys and certs on disk.
|
|
33
|
-
|
|
34
|
-
If the `--ca-client` flag is passed, the cert will be generated
|
|
35
|
-
offline, without using Puppet Server's signing code, and will add
|
|
36
|
-
a special extension authorizing it to talk to the CA API. This can
|
|
37
|
-
be used for regenerating the master's host cert, or for manually
|
|
38
|
-
setting up other nodes to be CA clients. Do not distribute certs
|
|
39
|
-
generated this way to any node that you do not intend to have
|
|
40
|
-
administrative access to the CA (e.g. the ability to sign a cert).
|
|
41
|
-
|
|
42
|
-
Since the `--ca-client` causes a cert to be generated offline, it
|
|
43
|
-
should ONLY be used when Puppet Server is NOT running, to avoid
|
|
44
|
-
conflicting with the actions of the CA service. This will be
|
|
45
|
-
mandatory in a future release.
|
|
46
|
-
|
|
47
|
-
To determine the target location, the default puppet.conf
|
|
48
|
-
is consulted for custom values. If using a custom puppet.conf
|
|
49
|
-
provide it with the --config flag
|
|
32
|
+
Generates a new certificate signed by the intermediate CA
|
|
33
|
+
and stores generated keys and certs on disk.
|
|
34
|
+
|
|
35
|
+
If the `--ca-client` flag is passed, the cert will be generated
|
|
36
|
+
offline, without using Puppet Server's signing code, and will add
|
|
37
|
+
a special extension authorizing it to talk to the CA API. This can
|
|
38
|
+
be used for regenerating the master's host cert, or for manually
|
|
39
|
+
setting up other nodes to be CA clients. Do not distribute certs
|
|
40
|
+
generated this way to any node that you do not intend to have
|
|
41
|
+
administrative access to the CA (e.g. the ability to sign a cert).
|
|
42
|
+
|
|
43
|
+
Since the `--ca-client` causes a cert to be generated offline, it
|
|
44
|
+
should ONLY be used when Puppet Server is NOT running, to avoid
|
|
45
|
+
conflicting with the actions of the CA service. This will be
|
|
46
|
+
mandatory in a future release.
|
|
47
|
+
|
|
48
|
+
To determine the target location, the default puppet.conf
|
|
49
|
+
is consulted for custom values. If using a custom puppet.conf
|
|
50
|
+
provide it with the --config flag
|
|
50
51
|
|
|
51
52
|
Options:
|
|
52
53
|
BANNER
|
|
@@ -106,7 +107,7 @@ BANNER
|
|
|
106
107
|
end
|
|
107
108
|
end
|
|
108
109
|
|
|
109
|
-
errors_were_handled =
|
|
110
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
|
110
111
|
|
|
111
112
|
exit_code = errors_were_handled ? 1 : nil
|
|
112
113
|
|
|
@@ -120,14 +121,14 @@ BANNER
|
|
|
120
121
|
# Validate config_path provided
|
|
121
122
|
if config_path
|
|
122
123
|
errors = FileSystem.validate_file_paths(config_path)
|
|
123
|
-
return 1 if
|
|
124
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
124
125
|
end
|
|
125
126
|
|
|
126
127
|
# Load, resolve, and validate puppet config settings
|
|
127
128
|
settings_overrides = {}
|
|
128
129
|
puppet = Config::Puppet.new(config_path)
|
|
129
130
|
puppet.load(settings_overrides)
|
|
130
|
-
return 1 if
|
|
131
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
131
132
|
|
|
132
133
|
# We don't want generate to respect the alt names setting, since it is usually
|
|
133
134
|
# used to generate certs for other nodes
|
|
@@ -135,7 +136,7 @@ BANNER
|
|
|
135
136
|
|
|
136
137
|
# Load most secure signing digest we can for csr signing.
|
|
137
138
|
signer = SigningDigest.new
|
|
138
|
-
return 1 if
|
|
139
|
+
return 1 if Errors.handle_with_usage(@logger, signer.errors)
|
|
139
140
|
|
|
140
141
|
# Generate and save certs and associated keys
|
|
141
142
|
if input['ca-client']
|
|
@@ -152,7 +153,7 @@ BANNER
|
|
|
152
153
|
# Returns true if it receives back a response of "running", and false if
|
|
153
154
|
# no connection can be made, or a different response is received.
|
|
154
155
|
def check_server_online(settings)
|
|
155
|
-
status_url = HttpClient::URL.new('https', settings[:
|
|
156
|
+
status_url = HttpClient::URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
|
|
156
157
|
begin
|
|
157
158
|
# Generating certs offline is necessary if the master cert has been destroyed
|
|
158
159
|
# or compromised. Since querying the status endpoint does not require a client cert, and
|
|
@@ -183,11 +184,11 @@ BANNER
|
|
|
183
184
|
settings[:publickeydir]])
|
|
184
185
|
|
|
185
186
|
ca = Puppetserver::Ca::LocalCertificateAuthority.new(digest, settings)
|
|
186
|
-
return false if
|
|
187
|
+
return false if Errors.handle_with_usage(@logger, ca.errors)
|
|
187
188
|
|
|
188
189
|
passed = certnames.map do |certname|
|
|
189
190
|
errors = check_for_existing_ssl_files(certname, settings)
|
|
190
|
-
next false if
|
|
191
|
+
next false if Errors.handle_with_usage(@logger, errors)
|
|
191
192
|
|
|
192
193
|
current_alt_names = process_alt_names(alt_names, certname)
|
|
193
194
|
|
|
@@ -221,7 +222,7 @@ BANNER
|
|
|
221
222
|
|
|
222
223
|
passed = certnames.map do |certname|
|
|
223
224
|
errors = check_for_existing_ssl_files(certname, settings)
|
|
224
|
-
next false if
|
|
225
|
+
next false if Errors.handle_with_usage(@logger, errors)
|
|
225
226
|
|
|
226
227
|
current_alt_names = process_alt_names(alt_names, certname)
|
|
227
228
|
|
|
@@ -273,7 +274,7 @@ BANNER
|
|
|
273
274
|
key: private_key,
|
|
274
275
|
cli_extensions: extensions,
|
|
275
276
|
csr_attributes_path: settings[:csr_attributes])
|
|
276
|
-
return if
|
|
277
|
+
return if Errors.handle_with_usage(@logger, host.errors)
|
|
277
278
|
|
|
278
279
|
return private_key, csr
|
|
279
280
|
end
|
|
@@ -1,10 +1,12 @@
|
|
|
1
1
|
require 'optparse'
|
|
2
|
-
|
|
3
|
-
require 'puppetserver/ca/x509_loader'
|
|
2
|
+
|
|
4
3
|
require 'puppetserver/ca/config/puppet'
|
|
4
|
+
require 'puppetserver/ca/errors'
|
|
5
5
|
require 'puppetserver/ca/local_certificate_authority'
|
|
6
6
|
require 'puppetserver/ca/utils/cli_parsing'
|
|
7
|
+
require 'puppetserver/ca/utils/file_system'
|
|
7
8
|
require 'puppetserver/ca/utils/signing_digest'
|
|
9
|
+
require 'puppetserver/ca/x509_loader'
|
|
8
10
|
|
|
9
11
|
module Puppetserver
|
|
10
12
|
module Ca
|
|
@@ -21,15 +23,15 @@ Usage:
|
|
|
21
23
|
--private-key PATH --cert-bundle PATH --crl-chain PATH
|
|
22
24
|
|
|
23
25
|
Description:
|
|
24
|
-
Given a private key, cert bundle, and a crl chain,
|
|
25
|
-
validate and import to the Puppet Server CA.
|
|
26
|
+
Given a private key, cert bundle, and a crl chain,
|
|
27
|
+
validate and import to the Puppet Server CA.
|
|
26
28
|
|
|
27
|
-
Note that the cert and crl provided for the leaf CA must not
|
|
28
|
-
have already issued or revoked any certificates.
|
|
29
|
+
Note that the cert and crl provided for the leaf CA must not
|
|
30
|
+
have already issued or revoked any certificates.
|
|
29
31
|
|
|
30
|
-
To determine the target location the default puppet.conf
|
|
31
|
-
is consulted for custom values. If using a custom puppet.conf
|
|
32
|
-
provide it with the --config flag
|
|
32
|
+
To determine the target location the default puppet.conf
|
|
33
|
+
is consulted for custom values. If using a custom puppet.conf
|
|
34
|
+
provide it with the --config flag
|
|
33
35
|
|
|
34
36
|
Options:
|
|
35
37
|
BANNER
|
|
@@ -47,10 +49,10 @@ BANNER
|
|
|
47
49
|
files = [bundle_path, key_path, chain_path, config_path].compact
|
|
48
50
|
|
|
49
51
|
errors = FileSystem.validate_file_paths(files)
|
|
50
|
-
return 1 if
|
|
52
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
51
53
|
|
|
52
54
|
loader = X509Loader.new(bundle_path, key_path, chain_path)
|
|
53
|
-
return 1 if
|
|
55
|
+
return 1 if Errors.handle_with_usage(@logger, loader.errors)
|
|
54
56
|
|
|
55
57
|
settings_overrides = {}
|
|
56
58
|
settings_overrides[:certname] = input['certname'] unless input['certname'].empty?
|
|
@@ -58,14 +60,14 @@ BANNER
|
|
|
58
60
|
|
|
59
61
|
puppet = Config::Puppet.new(config_path)
|
|
60
62
|
puppet.load(settings_overrides)
|
|
61
|
-
return 1 if
|
|
63
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
62
64
|
|
|
63
65
|
# Load most secure signing digest we can for cers/crl/csr signing.
|
|
64
66
|
signer = SigningDigest.new
|
|
65
|
-
return 1 if
|
|
67
|
+
return 1 if Errors.handle_with_usage(@logger, signer.errors)
|
|
66
68
|
|
|
67
69
|
errors = import(loader, puppet.settings, signer.digest)
|
|
68
|
-
return 1 if
|
|
70
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
69
71
|
|
|
70
72
|
@logger.inform "Import succeeded. Find your files in #{puppet.settings[:cadir]}"
|
|
71
73
|
return 0
|
|
@@ -152,7 +154,7 @@ ERR
|
|
|
152
154
|
errors << err
|
|
153
155
|
end
|
|
154
156
|
|
|
155
|
-
errors_were_handled =
|
|
157
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
|
156
158
|
|
|
157
159
|
exit_code = errors_were_handled ? 1 : nil
|
|
158
160
|
|
|
@@ -1,9 +1,11 @@
|
|
|
1
|
-
require '
|
|
2
|
-
require '
|
|
1
|
+
require 'json'
|
|
2
|
+
require 'optparse'
|
|
3
|
+
|
|
4
|
+
require 'puppetserver/ca/errors'
|
|
3
5
|
require 'puppetserver/ca/certificate_authority'
|
|
4
6
|
require 'puppetserver/ca/config/puppet'
|
|
5
|
-
require '
|
|
6
|
-
require '
|
|
7
|
+
require 'puppetserver/ca/utils/cli_parsing'
|
|
8
|
+
require 'puppetserver/ca/utils/file_system'
|
|
7
9
|
|
|
8
10
|
module Puppetserver
|
|
9
11
|
module Ca
|
|
@@ -20,7 +22,8 @@ Usage:
|
|
|
20
22
|
puppetserver ca list [--all]
|
|
21
23
|
|
|
22
24
|
Description:
|
|
23
|
-
List outstanding certificate requests. If --all is specified, signed and
|
|
25
|
+
List outstanding certificate requests. If --all is specified, signed and
|
|
26
|
+
revoked certificates will be listed as well.
|
|
24
27
|
|
|
25
28
|
Options:
|
|
26
29
|
BANNER
|
|
@@ -51,11 +54,11 @@ Options:
|
|
|
51
54
|
|
|
52
55
|
if config
|
|
53
56
|
errors = FileSystem.validate_file_paths(config)
|
|
54
|
-
return 1 if
|
|
57
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
55
58
|
end
|
|
56
59
|
|
|
57
60
|
puppet = Config::Puppet.parse(config)
|
|
58
|
-
return 1 if
|
|
61
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
59
62
|
|
|
60
63
|
all_certs = get_all_certs(puppet.settings)
|
|
61
64
|
return 1 if all_certs.nil?
|
|
@@ -124,7 +127,7 @@ Options:
|
|
|
124
127
|
|
|
125
128
|
errors = CliParsing.parse_with_errors(parser, args)
|
|
126
129
|
|
|
127
|
-
errors_were_handled =
|
|
130
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
|
128
131
|
|
|
129
132
|
exit_code = errors_were_handled ? 1 : nil
|
|
130
133
|
|
|
@@ -1,9 +1,9 @@
|
|
|
1
|
+
require 'optparse'
|
|
2
|
+
|
|
3
|
+
require 'puppetserver/ca/certificate_authority'
|
|
4
|
+
require 'puppetserver/ca/config/puppet'
|
|
1
5
|
require 'puppetserver/ca/utils/cli_parsing'
|
|
2
6
|
require 'puppetserver/ca/utils/file_system'
|
|
3
|
-
require 'puppetserver/ca/config/puppet'
|
|
4
|
-
require 'puppetserver/ca/certificate_authority'
|
|
5
|
-
|
|
6
|
-
require 'optparse'
|
|
7
7
|
|
|
8
8
|
module Puppetserver
|
|
9
9
|
module Ca
|
|
@@ -21,8 +21,8 @@ Usage:
|
|
|
21
21
|
puppetserver ca revoke [--config] --certname NAME[,NAME]
|
|
22
22
|
|
|
23
23
|
Description:
|
|
24
|
-
Given one or more valid certnames, instructs the CA to revoke them over
|
|
25
|
-
HTTPS using the local agent's PKI
|
|
24
|
+
Given one or more valid certnames, instructs the CA to revoke them over
|
|
25
|
+
HTTPS using the local agent's PKI
|
|
26
26
|
|
|
27
27
|
Options:
|
|
28
28
|
BANNER
|
|
@@ -65,7 +65,7 @@ BANNER
|
|
|
65
65
|
errors << ' At least one certname is required to revoke'
|
|
66
66
|
end
|
|
67
67
|
|
|
68
|
-
errors_were_handled =
|
|
68
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
|
69
69
|
|
|
70
70
|
# if there is an exit_code then Cli will return it early, so we only
|
|
71
71
|
# return an exit_code if there's an error
|
|
@@ -80,11 +80,11 @@ BANNER
|
|
|
80
80
|
|
|
81
81
|
if config
|
|
82
82
|
errors = FileSystem.validate_file_paths(config)
|
|
83
|
-
return 1 if
|
|
83
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
84
84
|
end
|
|
85
85
|
|
|
86
86
|
puppet = Config::Puppet.parse(config)
|
|
87
|
-
return 1 if
|
|
87
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
88
88
|
|
|
89
89
|
result = revoke_certs(certnames, puppet.settings)
|
|
90
90
|
|
|
@@ -1,9 +1,11 @@
|
|
|
1
1
|
require 'optparse'
|
|
2
|
-
|
|
2
|
+
|
|
3
|
+
require 'puppetserver/ca/config/puppet'
|
|
4
|
+
require 'puppetserver/ca/errors'
|
|
3
5
|
require 'puppetserver/ca/local_certificate_authority'
|
|
4
6
|
require 'puppetserver/ca/utils/cli_parsing'
|
|
7
|
+
require 'puppetserver/ca/utils/file_system'
|
|
5
8
|
require 'puppetserver/ca/utils/signing_digest'
|
|
6
|
-
require 'puppetserver/ca/config/puppet'
|
|
7
9
|
|
|
8
10
|
module Puppetserver
|
|
9
11
|
module Ca
|
|
@@ -19,19 +21,19 @@ Usage:
|
|
|
19
21
|
[--certname NAME] [--ca-name NAME]
|
|
20
22
|
|
|
21
23
|
Description:
|
|
22
|
-
Setup a root and intermediate signing CA for Puppet Server
|
|
23
|
-
and store generated CA keys, certs, crls, and associated
|
|
24
|
-
master related files on disk.
|
|
24
|
+
Setup a root and intermediate signing CA for Puppet Server
|
|
25
|
+
and store generated CA keys, certs, crls, and associated
|
|
26
|
+
master related files on disk.
|
|
25
27
|
|
|
26
|
-
The `--subject-alt-names` flag can be used to add SANs to the
|
|
27
|
-
certificate generated for the Puppet master. Multiple names can be
|
|
28
|
-
listed as a comma separated string. These can be either DNS names or
|
|
29
|
-
IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
|
|
30
|
-
Names with no prefix will be treated as DNS names.
|
|
28
|
+
The `--subject-alt-names` flag can be used to add SANs to the
|
|
29
|
+
certificate generated for the Puppet master. Multiple names can be
|
|
30
|
+
listed as a comma separated string. These can be either DNS names or
|
|
31
|
+
IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
|
|
32
|
+
Names with no prefix will be treated as DNS names.
|
|
31
33
|
|
|
32
|
-
To determine the target location, the default puppet.conf
|
|
33
|
-
is consulted for custom values. If using a custom puppet.conf
|
|
34
|
-
provide it with the --config flag
|
|
34
|
+
To determine the target location, the default puppet.conf
|
|
35
|
+
is consulted for custom values. If using a custom puppet.conf
|
|
36
|
+
provide it with the --config flag
|
|
35
37
|
|
|
36
38
|
Options:
|
|
37
39
|
BANNER
|
|
@@ -45,7 +47,7 @@ BANNER
|
|
|
45
47
|
config_path = input['config']
|
|
46
48
|
if config_path
|
|
47
49
|
errors = FileSystem.validate_file_paths(config_path)
|
|
48
|
-
return 1 if
|
|
50
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
49
51
|
end
|
|
50
52
|
|
|
51
53
|
# Load, resolve, and validate puppet config settings
|
|
@@ -58,16 +60,16 @@ BANNER
|
|
|
58
60
|
|
|
59
61
|
puppet = Config::Puppet.new(config_path)
|
|
60
62
|
puppet.load(settings_overrides)
|
|
61
|
-
return 1 if
|
|
63
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
62
64
|
|
|
63
65
|
# Load most secure signing digest we can for cers/crl/csr signing.
|
|
64
66
|
signer = SigningDigest.new
|
|
65
|
-
return 1 if
|
|
67
|
+
return 1 if Errors.handle_with_usage(@logger, signer.errors)
|
|
66
68
|
|
|
67
69
|
# Generate root and intermediate ca and put all the certificates, crls,
|
|
68
70
|
# and keys where they should go.
|
|
69
71
|
errors = generate_pki(puppet.settings, signer.digest)
|
|
70
|
-
return 1 if
|
|
72
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
71
73
|
|
|
72
74
|
@logger.inform "Generation succeeded. Find your files in #{puppet.settings[:cadir]}"
|
|
73
75
|
return 0
|
|
@@ -144,7 +146,7 @@ ERR
|
|
|
144
146
|
results = {}
|
|
145
147
|
parser = self.class.parser(results)
|
|
146
148
|
errors = CliParsing.parse_with_errors(parser, cli_args)
|
|
147
|
-
errors_were_handled =
|
|
149
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
|
148
150
|
exit_code = errors_were_handled ? 1 : nil
|
|
149
151
|
return results, exit_code
|
|
150
152
|
end
|
|
@@ -1,11 +1,12 @@
|
|
|
1
|
+
require 'net/https'
|
|
2
|
+
require 'openssl'
|
|
3
|
+
require 'optparse'
|
|
4
|
+
|
|
5
|
+
require 'puppetserver/ca/certificate_authority'
|
|
6
|
+
require 'puppetserver/ca/config/puppet'
|
|
7
|
+
require 'puppetserver/ca/errors'
|
|
1
8
|
require 'puppetserver/ca/utils/cli_parsing'
|
|
2
9
|
require 'puppetserver/ca/utils/file_system'
|
|
3
|
-
require 'puppetserver/ca/config/puppet'
|
|
4
|
-
require 'puppetserver/ca/certificate_authority'
|
|
5
|
-
|
|
6
|
-
require 'optparse'
|
|
7
|
-
require 'openssl'
|
|
8
|
-
require 'net/https'
|
|
9
10
|
|
|
10
11
|
module Puppetserver
|
|
11
12
|
module Ca
|
|
@@ -22,7 +23,8 @@ Usage:
|
|
|
22
23
|
puppetserver ca sign --all
|
|
23
24
|
|
|
24
25
|
Description:
|
|
25
|
-
Given a comma-separated list of valid certnames, instructs the CA to sign
|
|
26
|
+
Given a comma-separated list of valid certnames, instructs the CA to sign
|
|
27
|
+
each cert.
|
|
26
28
|
|
|
27
29
|
Options:
|
|
28
30
|
BANNER
|
|
@@ -54,11 +56,11 @@ Options:
|
|
|
54
56
|
|
|
55
57
|
if config
|
|
56
58
|
errors = FileSystem.validate_file_paths(config)
|
|
57
|
-
return 1 if
|
|
59
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
58
60
|
end
|
|
59
61
|
|
|
60
62
|
puppet = Config::Puppet.parse(config)
|
|
61
|
-
return 1 if
|
|
63
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
62
64
|
|
|
63
65
|
ca = Puppetserver::Ca::CertificateAuthority.new(@logger, puppet.settings)
|
|
64
66
|
|
|
@@ -113,7 +115,7 @@ Options:
|
|
|
113
115
|
errors << err
|
|
114
116
|
end
|
|
115
117
|
|
|
116
|
-
errors_were_handled =
|
|
118
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
|
117
119
|
|
|
118
120
|
exit_code = errors_were_handled ? 1 : nil
|
|
119
121
|
|
data/lib/puppetserver/ca/cli.rb
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
require 'optparse'
|
|
2
|
+
|
|
2
3
|
require 'puppetserver/ca/action/clean'
|
|
3
4
|
require 'puppetserver/ca/action/generate'
|
|
4
5
|
require 'puppetserver/ca/action/import'
|
|
@@ -6,9 +7,10 @@ require 'puppetserver/ca/action/list'
|
|
|
6
7
|
require 'puppetserver/ca/action/revoke'
|
|
7
8
|
require 'puppetserver/ca/action/setup'
|
|
8
9
|
require 'puppetserver/ca/action/sign'
|
|
10
|
+
require 'puppetserver/ca/errors'
|
|
9
11
|
require 'puppetserver/ca/logger'
|
|
10
|
-
require 'puppetserver/ca/version'
|
|
11
12
|
require 'puppetserver/ca/utils/cli_parsing'
|
|
13
|
+
require 'puppetserver/ca/version'
|
|
12
14
|
|
|
13
15
|
|
|
14
16
|
module Puppetserver
|
|
@@ -86,7 +88,14 @@ BANNER
|
|
|
86
88
|
if exit_code
|
|
87
89
|
return exit_code
|
|
88
90
|
else
|
|
89
|
-
|
|
91
|
+
begin
|
|
92
|
+
return action.run(input)
|
|
93
|
+
rescue Puppetserver::Ca::Error => e
|
|
94
|
+
logger.err "Fatal error when running action '#{action_argument}'"
|
|
95
|
+
logger.err " Error: " + e.message
|
|
96
|
+
|
|
97
|
+
return 1
|
|
98
|
+
end
|
|
90
99
|
end
|
|
91
100
|
else
|
|
92
101
|
logger.warn "Unknown action: #{action_argument}"
|
|
@@ -1,6 +1,7 @@
|
|
|
1
|
-
require 'puppetserver/ca/utils/config'
|
|
2
|
-
require 'securerandom'
|
|
3
1
|
require 'facter'
|
|
2
|
+
require 'securerandom'
|
|
3
|
+
|
|
4
|
+
require 'puppetserver/ca/utils/config'
|
|
4
5
|
|
|
5
6
|
module Puppetserver
|
|
6
7
|
module Ca
|
|
@@ -66,8 +67,9 @@ module Puppetserver
|
|
|
66
67
|
results ||= {}
|
|
67
68
|
results[:main] ||= {}
|
|
68
69
|
results[:master] ||= {}
|
|
70
|
+
results[:agent] ||= {}
|
|
69
71
|
|
|
70
|
-
overrides = results[:main].merge(results[:master])
|
|
72
|
+
overrides = results[:agent].merge(results[:main]).merge(results[:master])
|
|
71
73
|
overrides.merge!(cli_overrides)
|
|
72
74
|
|
|
73
75
|
@settings = resolve_settings(overrides).freeze
|
|
@@ -132,6 +134,7 @@ module Puppetserver
|
|
|
132
134
|
:ca_ttl => '15y',
|
|
133
135
|
:certificate_revocation => 'true',
|
|
134
136
|
:signeddir => '$cadir/signed',
|
|
137
|
+
:server_list => '',
|
|
135
138
|
}
|
|
136
139
|
|
|
137
140
|
# This loops through the base defaults and gives each setting a
|
|
@@ -161,6 +164,11 @@ module Puppetserver
|
|
|
161
164
|
settings[:certificate_revocation] = parse_crl_usage(settings[:certificate_revocation])
|
|
162
165
|
settings[:subject_alt_names] = Puppetserver::Ca::Utils::Config.munge_alt_names(settings[:subject_alt_names])
|
|
163
166
|
settings[:keylength] = settings[:keylength].to_i
|
|
167
|
+
settings[:server_list] = settings[:server_list].
|
|
168
|
+
split(/\s*,\s*/).
|
|
169
|
+
map {|entry| entry.split(":") }
|
|
170
|
+
|
|
171
|
+
update_for_server_list!(settings)
|
|
164
172
|
|
|
165
173
|
settings.each do |key, value|
|
|
166
174
|
next unless value.is_a? String
|
|
@@ -239,6 +247,20 @@ module Puppetserver
|
|
|
239
247
|
:ignore
|
|
240
248
|
end
|
|
241
249
|
end
|
|
250
|
+
|
|
251
|
+
def update_for_server_list!(settings)
|
|
252
|
+
if settings.dig(:server_list, 0, 0) &&
|
|
253
|
+
settings[:ca_server] == '$server'
|
|
254
|
+
|
|
255
|
+
settings[:ca_server] = settings.dig(:server_list, 0, 0)
|
|
256
|
+
end
|
|
257
|
+
|
|
258
|
+
if settings.dig(:server_list, 0, 1) &&
|
|
259
|
+
settings[:ca_port] == '$masterport'
|
|
260
|
+
|
|
261
|
+
settings[:ca_port] = settings.dig(:server_list, 0, 1)
|
|
262
|
+
end
|
|
263
|
+
end
|
|
242
264
|
end
|
|
243
265
|
end
|
|
244
266
|
end
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
module Puppetserver
|
|
2
|
+
module Ca
|
|
3
|
+
class Error < StandardError; end
|
|
4
|
+
class FileNotFound < Error; end
|
|
5
|
+
class InvalidX509Object < Error; end
|
|
6
|
+
class ConnectionFailed < Error; end
|
|
7
|
+
|
|
8
|
+
module Errors
|
|
9
|
+
def self.handle_with_usage(log, errors, usage = nil)
|
|
10
|
+
unless errors.empty?
|
|
11
|
+
log.err 'Error:'
|
|
12
|
+
errors.each {|e| log.err e }
|
|
13
|
+
|
|
14
|
+
if usage
|
|
15
|
+
log.err ''
|
|
16
|
+
log.err usage
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
return true
|
|
20
|
+
else
|
|
21
|
+
return false
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
end
|
|
26
|
+
end
|
data/lib/puppetserver/ca/host.rb
CHANGED
|
@@ -50,21 +50,6 @@ module Puppetserver
|
|
|
50
50
|
errors
|
|
51
51
|
end
|
|
52
52
|
|
|
53
|
-
def self.handle_errors(log, errors, usage = nil)
|
|
54
|
-
unless errors.empty?
|
|
55
|
-
log.err 'Error:'
|
|
56
|
-
errors.each {|e| log.err e }
|
|
57
|
-
|
|
58
|
-
if usage
|
|
59
|
-
log.err ''
|
|
60
|
-
log.err usage
|
|
61
|
-
end
|
|
62
|
-
|
|
63
|
-
return true
|
|
64
|
-
else
|
|
65
|
-
return false
|
|
66
|
-
end
|
|
67
|
-
end
|
|
68
53
|
|
|
69
54
|
private
|
|
70
55
|
|
|
@@ -1,5 +1,7 @@
|
|
|
1
|
-
require 'openssl'
|
|
2
1
|
require 'net/https'
|
|
2
|
+
require 'openssl'
|
|
3
|
+
|
|
4
|
+
require 'puppetserver/ca/errors'
|
|
3
5
|
|
|
4
6
|
module Puppetserver
|
|
5
7
|
module Ca
|
|
@@ -31,12 +33,16 @@ module Puppetserver
|
|
|
31
33
|
end
|
|
32
34
|
end
|
|
33
35
|
|
|
34
|
-
def load_cert(
|
|
35
|
-
|
|
36
|
+
def load_cert(path)
|
|
37
|
+
load_with_errors(path, 'hostcert') do |content|
|
|
38
|
+
OpenSSL::X509::Certificate.new(content)
|
|
39
|
+
end
|
|
36
40
|
end
|
|
37
41
|
|
|
38
|
-
def load_key(
|
|
39
|
-
|
|
42
|
+
def load_key(path)
|
|
43
|
+
load_with_errors(path, 'hostprivkey') do |content|
|
|
44
|
+
OpenSSL::PKey.read(content)
|
|
45
|
+
end
|
|
40
46
|
end
|
|
41
47
|
|
|
42
48
|
# Takes an instance URL (defined lower in the file), and creates a
|
|
@@ -46,13 +52,33 @@ module Puppetserver
|
|
|
46
52
|
def with_connection(url, &block)
|
|
47
53
|
request = ->(conn) { block.call(Connection.new(conn, url)) }
|
|
48
54
|
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
55
|
+
begin
|
|
56
|
+
Net::HTTP.start(url.host, url.port,
|
|
57
|
+
use_ssl: true, cert_store: @store,
|
|
58
|
+
cert: @cert, key: @key,
|
|
59
|
+
&request)
|
|
60
|
+
rescue StandardError => e
|
|
61
|
+
raise ConnectionFailed.new(
|
|
62
|
+
"Failed connecting to #{url.full_url}\n" +
|
|
63
|
+
" Root cause: #{e.message}")
|
|
64
|
+
end
|
|
53
65
|
end
|
|
54
66
|
|
|
55
67
|
private
|
|
68
|
+
|
|
69
|
+
def load_with_errors(path, setting, &block)
|
|
70
|
+
begin
|
|
71
|
+
content = File.read(path)
|
|
72
|
+
block.call(content)
|
|
73
|
+
rescue Errno::ENOENT
|
|
74
|
+
raise FileNotFound.new("Could not find '#{setting}' at '#{path}'")
|
|
75
|
+
rescue OpenSSL::OpenSSLError => e
|
|
76
|
+
raise InvalidX509Object.new(
|
|
77
|
+
"Could not parse '#{setting}' at '#{path}'.\n" +
|
|
78
|
+
" OpenSSL returned: #{e.message}")
|
|
79
|
+
end
|
|
80
|
+
end
|
|
81
|
+
|
|
56
82
|
# Helper class that wraps a Net::HTTP connection, a HttpClient::URL
|
|
57
83
|
# and defines methods named after HTTP verbs that are called on the
|
|
58
84
|
# saved connection, returning a Result.
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: puppetserver-ca
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Puppet, Inc.
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-11
|
|
11
|
+
date: 2018-12-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: facter
|
|
@@ -103,6 +103,7 @@ files:
|
|
|
103
103
|
- lib/puppetserver/ca/cli.rb
|
|
104
104
|
- lib/puppetserver/ca/config/puppet.rb
|
|
105
105
|
- lib/puppetserver/ca/config/puppetserver.rb
|
|
106
|
+
- lib/puppetserver/ca/errors.rb
|
|
106
107
|
- lib/puppetserver/ca/host.rb
|
|
107
108
|
- lib/puppetserver/ca/local_certificate_authority.rb
|
|
108
109
|
- lib/puppetserver/ca/logger.rb
|