puppetserver-ca 1.2.1 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 68f6a3c820f9dd32b2df38855a1e03249cb89ba0
-  data.tar.gz: b885a1ad3e176010f2e36a63f6940b0bab7501ad
+  metadata.gz: 868261be07fde8ea3c45c865fe605f378543c754
+  data.tar.gz: a8e814826e1bffaa95372f8ff32e199a44ad71c6
 SHA512:
-  metadata.gz: 809c1ce65101f0c3f9aa908540070c59114aae9551170875177c87518e4e43111ebcaa3f8f29b0e400a2dd8e0d5ce996fbf01e35766b395d2c6443086a36ffdd
-  data.tar.gz: f2975078313f77c519c45eb03ccc70272efdad3f859863c97e07a3a800e37ae2fd2e086ad534367eb86b3b86f39272d1428754457150fdf8b8174dd8cb1a5025
+  metadata.gz: a5bff259ba4ab4ead91759dbb5413273a3241127b4f48b2bb953e1554340edbfa6feb19fc8e861bec558fe7e25e2c0b9732644e63da05695c51892b70cb6c16e
+  data.tar.gz: 4d0b7fbcc5854b2e217b8242393dfc9cb104b9bbe0e4ad8c7e8802d7fd5c32b95675a82b53d3a47469ceb460f8cf9b93b01395aee170a6384e134af889518427

data/.travis.yml

@@ -6,6 +6,7 @@ rvm:
   - 2.3
   - 2.4
   - 2.5
-before_install: gem install bundler -v 1.16.1
+before_install:
+   gem install bundler -v 1.16.1 && (gem uninstall -v '>= 2' -i $(rvm gemdir)@global -ax bundler || true)
 script:
   - bundle exec rake spec

data/lib/puppetserver/ca/action/clean.rb

@@ -42,7 +42,7 @@ BANNER
             o.on('--config CONF', 'Custom path to puppet.conf') do |conf|
               parsed['config'] = conf
             end
-            o.on('--help', 'Display this clean specific help output') do |help|
+            o.on('--help', 'Display this command-specific help output') do |help|
               parsed['help'] = true
             end
           end

data/lib/puppetserver/ca/action/enable.rb

@@ -0,0 +1,142 @@
+require 'optparse'
+
+require 'puppetserver/ca/config/puppet'
+require 'puppetserver/ca/errors'
+require 'puppetserver/ca/local_certificate_authority'
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/signing_digest'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Enable
+        include Puppetserver::Ca::Utils
+
+        SUMMARY = "Setup infrastructure CRL based on a node inventory."
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca enable [--help]
+  puppetserver ca enable [--infracrl]
+
+Description:
+  Performs actions necessary to enable certain CA modes.
+
+  --infracrl
+    Creates auxiliary files necessary to use the infrastructure-only CRL.
+    Assumes the existence of an `infra_inventory.txt` file in the CA
+    directory listing the certnames of the infrastructure nodes in the
+    Puppet installation. Generates the `infra_serials` file and the empty
+    CRL to be populated with revoked infrastructure nodes.
+
+Options:
+BANNER
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(input)
+          # Validate config_path provided
+          config_path = input['config']
+          if config_path
+            errors = FileSystem.validate_file_paths(config_path)
+            return 1 if Errors.handle_with_usage(@logger, errors)
+          end
+
+          puppet = Config::Puppet.new(config_path)
+          puppet.load
+          settings = puppet.settings
+          return 1 if Errors.handle_with_usage(@logger, puppet.errors)
+
+          if input['infracrl']
+            errors = enable_infra_crl(settings)
+            return 1 if Errors.handle_with_usage(@logger, errors)
+          end
+
+          return 0
+        end
+
+        def enable_infra_crl(settings)
+          inventory_file = File.join(settings[:cadir], 'infra_inventory.txt')
+          if !File.exist?(inventory_file)
+            error = <<-ERR
+  Please create an inventory file at '#{inventory_file}' with the certnames of your
+  infrastructure nodes before proceeding with infra CRL setup!"
+ERR
+            return [error]
+          end
+
+          serial_file = File.join(settings[:cadir], 'infra_serials')
+          infra_crl = File.join(settings[:cadir], 'infra_crl.pem')
+
+          file_errors = check_for_existing_infra_files([serial_file, infra_crl])
+          return file_errors if !file_errors.empty?
+
+          FileSystem.write_file(serial_file, '', 0644)
+
+          errors = create_infra_crl_chain(settings)
+          return errors if !errors.empty?
+
+          @logger.inform "Infra CRL files created."
+          return []
+        end
+
+        def check_for_existing_infra_files(files)
+          file_errors = FileSystem.check_for_existing_files(files)
+          if !file_errors.empty?
+            notice = <<-MSG
+  If you would really like to reinitialize your infrastructure CRL, please delete
+  the existing files and run this command again.
+MSG
+            file_errors << notice
+          end
+          return file_errors
+        end
+
+        def create_infra_crl_chain(settings)
+          # Load most secure signing digest we can for cers/crl/csr signing.
+          signer = SigningDigest.new
+          return signer.errors if signer.errors.any?
+
+          ca = LocalCertificateAuthority.new(signer.digest, settings)
+          infra_crl = ca.create_crl_for(ca.cert, ca.key)
+          return ca.errors if ca.errors.any?
+
+          # Drop the full leaf CRL from the chain
+          crl_chain = ca.crl_chain.drop(1)
+          # Add the new clean CRL, that will be populated with infra nodes only
+          # as they are revoked
+          crl_chain.unshift(infra_crl)
+          FileSystem.write_file(File.join(settings[:cadir], 'infra_crl.pem'), crl_chain, 0644)
+
+          []
+        end
+
+        def parse(cli_args)
+          results = {}
+          parser = self.class.parser(results)
+          errors = CliParsing.parse_with_errors(parser, cli_args)
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+          exit_code = errors_were_handled ? 1 : nil
+          return results, exit_code
+        end
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+            opts.on('--infracrl', "Create auxiliary files for the infrastructure-only CRL.") do |infracrl|
+              parsed['infracrl'] = true
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/action/generate.rb

@@ -45,10 +45,6 @@ Description:
   conflicting with the actions of the CA service. This will be
   mandatory in a future release.
 
-  To determine the target location, the default puppet.conf
-  is consulted for custom values. If using a custom puppet.conf
-  provide it with the --config flag
-
 Options:
 BANNER
         def initialize(logger)
@@ -64,7 +60,7 @@ BANNER
                  'One or more comma separated certnames') do |certs|
               parsed['certnames'] += certs
             end
-            opts.on('--help', 'Display this generate specific help output') do |help|
+            opts.on('--help', 'Display this command-specific help output') do |help|
               parsed['help'] = true
             end
             opts.on('--config CONF', 'Path to puppet.conf') do |conf|

data/lib/puppetserver/ca/action/import.rb

@@ -29,10 +29,6 @@ Description:
   Note that the cert and crl provided for the leaf CA must not
   have already issued or revoked any certificates.
 
-  To determine the target location the default puppet.conf
-  is consulted for custom values. If using a custom puppet.conf
-  provide it with the --config flag
-
 Options:
 BANNER
 
@@ -166,7 +162,7 @@ ERR
           parsed['subject-alt-names'] = ''
           OptionParser.new do |opts|
             opts.banner = BANNER
-            opts.on('--help', 'Display this import specific help output') do |help|
+            opts.on('--help', 'Display this command-specific help output') do |help|
               parsed['help'] = true
             end
             opts.on('--config CONF', 'Path to puppet.conf') do |conf|

data/lib/puppetserver/ca/action/list.rb

@@ -40,7 +40,7 @@ Options:
             opts.on('--config CONF', 'Custom path to Puppet\'s config file') do |conf|
               parsed['config'] = conf
             end
-            opts.on('--help', 'Display this command specific help output') do |help|
+            opts.on('--help', 'Display this command-specific help output') do |help|
               parsed['help'] = true
             end
             opts.on('--all', 'List all certificates') do |a|

data/lib/puppetserver/ca/action/setup.rb

@@ -31,10 +31,6 @@ Description:
   IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
   Names with no prefix will be treated as DNS names.
 
-  To determine the target location, the default puppet.conf
-  is consulted for custom values. If using a custom puppet.conf
-  provide it with the --config flag
-
 Options:
 BANNER
 
@@ -157,7 +153,7 @@ ERR
           parsed['certname'] = ''
           OptionParser.new do |opts|
             opts.banner = BANNER
-            opts.on('--help', 'Display this setup specific help output') do |help|
+            opts.on('--help', 'Display this command-specific help output') do |help|
               parsed['help'] = true
             end
             opts.on('--config CONF', 'Path to puppet.conf') do |conf|

data/lib/puppetserver/ca/action/sign.rb

@@ -38,7 +38,7 @@ Options:
             opts.on('--config CONF', 'Custom path to Puppet\'s config file') do |conf|
               parsed['config'] = conf
             end
-            opts.on('--help', 'Display this command specific help output') do |help|
+            opts.on('--help', 'Display this command-specific help output') do |help|
               parsed['help'] = true
             end
             opts.on('--all', 'Operate on all certnames') do |a|

data/lib/puppetserver/ca/cli.rb

@@ -3,6 +3,7 @@ require 'optparse'
 require 'puppetserver/ca/action/clean'
 require 'puppetserver/ca/action/generate'
 require 'puppetserver/ca/action/import'
+require 'puppetserver/ca/action/enable'
 require 'puppetserver/ca/action/list'
 require 'puppetserver/ca/action/revoke'
 require 'puppetserver/ca/action/setup'
@@ -26,6 +27,7 @@ BANNER
       INIT_ACTIONS = {
         'import'   => Action::Import,
         'setup'    => Action::Setup,
+        'enable' => Action::Enable,
       }
 
       MAINT_ACTIONS = {

data/lib/puppetserver/ca/local_certificate_authority.rb

@@ -37,7 +37,7 @@ module Puppetserver
         ["authorityKeyIdentifier", "keyid:always", false]
       ].freeze
 
-      attr_reader :cert, :key, :crl
+      attr_reader :cert, :cert_bundle, :key, :crl, :crl_chain
 
       def initialize(digest, settings)
         @digest = digest
@@ -63,9 +63,11 @@ module Puppetserver
       end
 
       def load_ssl_components(loader)
-          @cert = loader.certs.first
-          @key = loader.key
-          @crl = loader.crls.first
+        @cert_bundle = loader.certs
+        @cert = loader.certs.first
+        @key = loader.key
+        @crl_chain = loader.crls
+        @crl = loader.crls.first
       end
 
       def errors

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.2.1"
+    VERSION = "1.3.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.3.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-12-14 00:00:00.000000000 Z
+date: 2019-01-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -93,6 +93,7 @@ files:
 - exe/puppetserver-ca
 - lib/puppetserver/ca.rb
 - lib/puppetserver/ca/action/clean.rb
+- lib/puppetserver/ca/action/enable.rb
 - lib/puppetserver/ca/action/generate.rb
 - lib/puppetserver/ca/action/import.rb
 - lib/puppetserver/ca/action/list.rb