puppetserver-ca 1.2.1 → 1.3.0
- checksums.yaml +4 -4
- data/.travis.yml +2 -1
- data/lib/puppetserver/ca/action/clean.rb +1 -1
- data/lib/puppetserver/ca/action/enable.rb +142 -0
- data/lib/puppetserver/ca/action/generate.rb +1 -5
- data/lib/puppetserver/ca/action/import.rb +1 -5
- data/lib/puppetserver/ca/action/list.rb +1 -1
- data/lib/puppetserver/ca/action/setup.rb +1 -5
- data/lib/puppetserver/ca/action/sign.rb +1 -1
- data/lib/puppetserver/ca/cli.rb +2 -0
- data/lib/puppetserver/ca/local_certificate_authority.rb +6 -4
- data/lib/puppetserver/ca/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 868261be07fde8ea3c45c865fe605f378543c754
|
4
|
+
data.tar.gz: a8e814826e1bffaa95372f8ff32e199a44ad71c6
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: a5bff259ba4ab4ead91759dbb5413273a3241127b4f48b2bb953e1554340edbfa6feb19fc8e861bec558fe7e25e2c0b9732644e63da05695c51892b70cb6c16e
|
7
|
+
data.tar.gz: 4d0b7fbcc5854b2e217b8242393dfc9cb104b9bbe0e4ad8c7e8802d7fd5c32b95675a82b53d3a47469ceb460f8cf9b93b01395aee170a6384e134af889518427
|
data/.travis.yml
CHANGED
@@ -42,7 +42,7 @@ BANNER
|
|
42
42
|
o.on('--config CONF', 'Custom path to puppet.conf') do |conf|
|
43
43
|
parsed['config'] = conf
|
44
44
|
end
|
45
|
-
o.on('--help', 'Display this
|
45
|
+
o.on('--help', 'Display this command-specific help output') do |help|
|
46
46
|
parsed['help'] = true
|
47
47
|
end
|
48
48
|
end
|
@@ -0,0 +1,142 @@
|
|
1
|
+
require 'optparse'
|
2
|
+
|
3
|
+
require 'puppetserver/ca/config/puppet'
|
4
|
+
require 'puppetserver/ca/errors'
|
5
|
+
require 'puppetserver/ca/local_certificate_authority'
|
6
|
+
require 'puppetserver/ca/utils/cli_parsing'
|
7
|
+
require 'puppetserver/ca/utils/file_system'
|
8
|
+
require 'puppetserver/ca/utils/signing_digest'
|
9
|
+
|
10
|
+
module Puppetserver
|
11
|
+
module Ca
|
12
|
+
module Action
|
13
|
+
class Enable
|
14
|
+
include Puppetserver::Ca::Utils
|
15
|
+
|
16
|
+
SUMMARY = "Setup infrastructure CRL based on a node inventory."
|
17
|
+
BANNER = <<-BANNER
|
18
|
+
Usage:
|
19
|
+
puppetserver ca enable [--help]
|
20
|
+
puppetserver ca enable [--infracrl]
|
21
|
+
|
22
|
+
Description:
|
23
|
+
Performs actions necessary to enable certain CA modes.
|
24
|
+
|
25
|
+
--infracrl
|
26
|
+
Creates auxiliary files necessary to use the infrastructure-only CRL.
|
27
|
+
Assumes the existence of an `infra_inventory.txt` file in the CA
|
28
|
+
directory listing the certnames of the infrastructure nodes in the
|
29
|
+
Puppet installation. Generates the `infra_serials` file and the empty
|
30
|
+
CRL to be populated with revoked infrastructure nodes.
|
31
|
+
|
32
|
+
Options:
|
33
|
+
BANNER
|
34
|
+
|
35
|
+
def initialize(logger)
|
36
|
+
@logger = logger
|
37
|
+
end
|
38
|
+
|
39
|
+
def run(input)
|
40
|
+
# Validate config_path provided
|
41
|
+
config_path = input['config']
|
42
|
+
if config_path
|
43
|
+
errors = FileSystem.validate_file_paths(config_path)
|
44
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
45
|
+
end
|
46
|
+
|
47
|
+
puppet = Config::Puppet.new(config_path)
|
48
|
+
puppet.load
|
49
|
+
settings = puppet.settings
|
50
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
51
|
+
|
52
|
+
if input['infracrl']
|
53
|
+
errors = enable_infra_crl(settings)
|
54
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
55
|
+
end
|
56
|
+
|
57
|
+
return 0
|
58
|
+
end
|
59
|
+
|
60
|
+
def enable_infra_crl(settings)
|
61
|
+
inventory_file = File.join(settings[:cadir], 'infra_inventory.txt')
|
62
|
+
if !File.exist?(inventory_file)
|
63
|
+
error = <<-ERR
|
64
|
+
Please create an inventory file at '#{inventory_file}' with the certnames of your
|
65
|
+
infrastructure nodes before proceeding with infra CRL setup!"
|
66
|
+
ERR
|
67
|
+
return [error]
|
68
|
+
end
|
69
|
+
|
70
|
+
serial_file = File.join(settings[:cadir], 'infra_serials')
|
71
|
+
infra_crl = File.join(settings[:cadir], 'infra_crl.pem')
|
72
|
+
|
73
|
+
file_errors = check_for_existing_infra_files([serial_file, infra_crl])
|
74
|
+
return file_errors if !file_errors.empty?
|
75
|
+
|
76
|
+
FileSystem.write_file(serial_file, '', 0644)
|
77
|
+
|
78
|
+
errors = create_infra_crl_chain(settings)
|
79
|
+
return errors if !errors.empty?
|
80
|
+
|
81
|
+
@logger.inform "Infra CRL files created."
|
82
|
+
return []
|
83
|
+
end
|
84
|
+
|
85
|
+
def check_for_existing_infra_files(files)
|
86
|
+
file_errors = FileSystem.check_for_existing_files(files)
|
87
|
+
if !file_errors.empty?
|
88
|
+
notice = <<-MSG
|
89
|
+
If you would really like to reinitialize your infrastructure CRL, please delete
|
90
|
+
the existing files and run this command again.
|
91
|
+
MSG
|
92
|
+
file_errors << notice
|
93
|
+
end
|
94
|
+
return file_errors
|
95
|
+
end
|
96
|
+
|
97
|
+
def create_infra_crl_chain(settings)
|
98
|
+
# Load most secure signing digest we can for cers/crl/csr signing.
|
99
|
+
signer = SigningDigest.new
|
100
|
+
return signer.errors if signer.errors.any?
|
101
|
+
|
102
|
+
ca = LocalCertificateAuthority.new(signer.digest, settings)
|
103
|
+
infra_crl = ca.create_crl_for(ca.cert, ca.key)
|
104
|
+
return ca.errors if ca.errors.any?
|
105
|
+
|
106
|
+
# Drop the full leaf CRL from the chain
|
107
|
+
crl_chain = ca.crl_chain.drop(1)
|
108
|
+
# Add the new clean CRL, that will be populated with infra nodes only
|
109
|
+
# as they are revoked
|
110
|
+
crl_chain.unshift(infra_crl)
|
111
|
+
FileSystem.write_file(File.join(settings[:cadir], 'infra_crl.pem'), crl_chain, 0644)
|
112
|
+
|
113
|
+
[]
|
114
|
+
end
|
115
|
+
|
116
|
+
def parse(cli_args)
|
117
|
+
results = {}
|
118
|
+
parser = self.class.parser(results)
|
119
|
+
errors = CliParsing.parse_with_errors(parser, cli_args)
|
120
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
121
|
+
exit_code = errors_were_handled ? 1 : nil
|
122
|
+
return results, exit_code
|
123
|
+
end
|
124
|
+
|
125
|
+
def self.parser(parsed = {})
|
126
|
+
OptionParser.new do |opts|
|
127
|
+
opts.banner = BANNER
|
128
|
+
opts.on('--help', 'Display this command-specific help output') do |help|
|
129
|
+
parsed['help'] = true
|
130
|
+
end
|
131
|
+
opts.on('--config CONF', 'Path to puppet.conf') do |conf|
|
132
|
+
parsed['config'] = conf
|
133
|
+
end
|
134
|
+
opts.on('--infracrl', "Create auxiliary files for the infrastructure-only CRL.") do |infracrl|
|
135
|
+
parsed['infracrl'] = true
|
136
|
+
end
|
137
|
+
end
|
138
|
+
end
|
139
|
+
end
|
140
|
+
end
|
141
|
+
end
|
142
|
+
end
|
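Review bot: In `enable_infra_crl` the empty `infra_serials` file is written with `FileSystem.write_file(serial_file, '', 0644)` before `create_infra_crl_chain(settings)` runs, so a failure there (digest or CA load errors) leaves a half-initialized CA directory in which every re-run is refused by `check_for_existing_infra_files` until the operator deletes the stray serial file by hand; writing the serials file only after the CRL chain succeeds, or removing it on that error path, keeps the command idempotent on failure. In `create_infra_crl_chain`, `ca.create_crl_for(ca.cert, ca.key)` is called before `ca.errors` is consulted, so if `LocalCertificateAuthority.new` records load failures rather than raising, `ca.cert`/`ca.key` may be nil at that call; moving `return ca.errors if ca.errors.any?` to directly after the constructor reports the real cause instead of a NoMethodError. The `ERR` heredoc also carries a stray trailing `"` on the line `infrastructure nodes before proceeding with infra CRL setup!"`, which is emitted verbatim in the user-facing error message.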
@@ -45,10 +45,6 @@ Description:
|
|
45
45
|
conflicting with the actions of the CA service. This will be
|
46
46
|
mandatory in a future release.
|
47
47
|
|
48
|
-
To determine the target location, the default puppet.conf
|
49
|
-
is consulted for custom values. If using a custom puppet.conf
|
50
|
-
provide it with the --config flag
|
51
|
-
|
52
48
|
Options:
|
53
49
|
BANNER
|
54
50
|
def initialize(logger)
|
@@ -64,7 +60,7 @@ BANNER
|
|
64
60
|
'One or more comma separated certnames') do |certs|
|
65
61
|
parsed['certnames'] += certs
|
66
62
|
end
|
67
|
-
opts.on('--help', 'Display this
|
63
|
+
opts.on('--help', 'Display this command-specific help output') do |help|
|
68
64
|
parsed['help'] = true
|
69
65
|
end
|
70
66
|
opts.on('--config CONF', 'Path to puppet.conf') do |conf|
|
@@ -29,10 +29,6 @@ Description:
|
|
29
29
|
Note that the cert and crl provided for the leaf CA must not
|
30
30
|
have already issued or revoked any certificates.
|
31
31
|
|
32
|
-
To determine the target location the default puppet.conf
|
33
|
-
is consulted for custom values. If using a custom puppet.conf
|
34
|
-
provide it with the --config flag
|
35
|
-
|
36
32
|
Options:
|
37
33
|
BANNER
|
38
34
|
|
@@ -166,7 +162,7 @@ ERR
|
|
166
162
|
parsed['subject-alt-names'] = ''
|
167
163
|
OptionParser.new do |opts|
|
168
164
|
opts.banner = BANNER
|
169
|
-
opts.on('--help', 'Display this
|
165
|
+
opts.on('--help', 'Display this command-specific help output') do |help|
|
170
166
|
parsed['help'] = true
|
171
167
|
end
|
172
168
|
opts.on('--config CONF', 'Path to puppet.conf') do |conf|
|
@@ -40,7 +40,7 @@ Options:
|
|
40
40
|
opts.on('--config CONF', 'Custom path to Puppet\'s config file') do |conf|
|
41
41
|
parsed['config'] = conf
|
42
42
|
end
|
43
|
-
opts.on('--help', 'Display this command
|
43
|
+
opts.on('--help', 'Display this command-specific help output') do |help|
|
44
44
|
parsed['help'] = true
|
45
45
|
end
|
46
46
|
opts.on('--all', 'List all certificates') do |a|
|
@@ -31,10 +31,6 @@ Description:
|
|
31
31
|
IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
|
32
32
|
Names with no prefix will be treated as DNS names.
|
33
33
|
|
34
|
-
To determine the target location, the default puppet.conf
|
35
|
-
is consulted for custom values. If using a custom puppet.conf
|
36
|
-
provide it with the --config flag
|
37
|
-
|
38
34
|
Options:
|
39
35
|
BANNER
|
40
36
|
|
@@ -157,7 +153,7 @@ ERR
|
|
157
153
|
parsed['certname'] = ''
|
158
154
|
OptionParser.new do |opts|
|
159
155
|
opts.banner = BANNER
|
160
|
-
opts.on('--help', 'Display this
|
156
|
+
opts.on('--help', 'Display this command-specific help output') do |help|
|
161
157
|
parsed['help'] = true
|
162
158
|
end
|
163
159
|
opts.on('--config CONF', 'Path to puppet.conf') do |conf|
|
@@ -38,7 +38,7 @@ Options:
|
|
38
38
|
opts.on('--config CONF', 'Custom path to Puppet\'s config file') do |conf|
|
39
39
|
parsed['config'] = conf
|
40
40
|
end
|
41
|
-
opts.on('--help', 'Display this command
|
41
|
+
opts.on('--help', 'Display this command-specific help output') do |help|
|
42
42
|
parsed['help'] = true
|
43
43
|
end
|
44
44
|
opts.on('--all', 'Operate on all certnames') do |a|
|
data/lib/puppetserver/ca/cli.rb
CHANGED
@@ -3,6 +3,7 @@ require 'optparse'
|
|
3
3
|
require 'puppetserver/ca/action/clean'
|
4
4
|
require 'puppetserver/ca/action/generate'
|
5
5
|
require 'puppetserver/ca/action/import'
|
6
|
+
require 'puppetserver/ca/action/enable'
|
6
7
|
require 'puppetserver/ca/action/list'
|
7
8
|
require 'puppetserver/ca/action/revoke'
|
8
9
|
require 'puppetserver/ca/action/setup'
|
@@ -26,6 +27,7 @@ BANNER
|
|
26
27
|
INIT_ACTIONS = {
|
27
28
|
'import' => Action::Import,
|
28
29
|
'setup' => Action::Setup,
|
30
|
+
'enable' => Action::Enable,
|
29
31
|
}
|
30
32
|
|
31
33
|
MAINT_ACTIONS = {
|
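Review bot: The new `require 'puppetserver/ca/action/enable'` is inserted after `import`, breaking the alphabetical order the surrounding requires keep (it belongs between `clean` and `generate`), and the `'enable' => Action::Enable,` entry is likewise appended after `setup` rather than sorted with its neighbours. Separately, `Enable#enable_infra_crl` loads the existing CA cert and key before it can write anything, so it presumes a CA has already been set up; if `INIT_ACTIONS` is meant for actions that run before a CA exists, it may be worth confirming that grouping it alongside `import`/`setup` rather than with `MAINT_ACTIONS` is intended (the meaning of the two groups is not visible in this hunk).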
@@ -37,7 +37,7 @@ module Puppetserver
|
|
37
37
|
["authorityKeyIdentifier", "keyid:always", false]
|
38
38
|
].freeze
|
39
39
|
|
40
|
-
attr_reader :cert, :key, :crl
|
40
|
+
attr_reader :cert, :cert_bundle, :key, :crl, :crl_chain
|
41
41
|
|
42
42
|
def initialize(digest, settings)
|
43
43
|
@digest = digest
|
@@ -63,9 +63,11 @@ module Puppetserver
|
|
63
63
|
end
|
64
64
|
|
65
65
|
def load_ssl_components(loader)
|
66
|
-
|
67
|
-
|
68
|
-
|
66
|
+
@cert_bundle = loader.certs
|
67
|
+
@cert = loader.certs.first
|
68
|
+
@key = loader.key
|
69
|
+
@crl_chain = loader.crls
|
70
|
+
@crl = loader.crls.first
|
69
71
|
end
|
70
72
|
|
71
73
|
def errors
|
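Review bot: The newly exposed `cert_bundle` and `crl_chain` readers carry an ordering contract that callers now depend on — `Enable#create_infra_crl_chain` does `ca.crl_chain.drop(1)` and `unshift` on the assumption that index 0 is the leaf CA's CRL, and `load_ssl_components` takes `loader.certs.first`/`loader.crls.first` as the leaf — but nothing on the `attr_reader` line documents it; a comment such as `# cert_bundle / crl_chain are ordered leaf CA first; cert and crl are that leaf entry` would make the dependency explicit. Also, `loader.certs.first` and `loader.crls.first` silently yield `nil` for `@cert`/`@crl` if the loader returns an empty array; whether the loader guarantees non-empty collections is not visible here, so either that guarantee or a check in `errors` is worth confirming.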
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: puppetserver-ca
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Puppet, Inc.
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2019-01-16 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: facter
|
@@ -93,6 +93,7 @@ files:
|
|
93
93
|
- exe/puppetserver-ca
|
94
94
|
- lib/puppetserver/ca.rb
|
95
95
|
- lib/puppetserver/ca/action/clean.rb
|
96
|
+
- lib/puppetserver/ca/action/enable.rb
|
96
97
|
- lib/puppetserver/ca/action/generate.rb
|
97
98
|
- lib/puppetserver/ca/action/import.rb
|
98
99
|
- lib/puppetserver/ca/action/list.rb
|