puppetserver-ca 1.3.1 → 1.3.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 620bfa6c11518623fbd5070910a6c119d7597f3d
4
- data.tar.gz: e68bb09956a5248ee1644a719a04f46c23bfaabe
3
+ metadata.gz: 7d21f7cdfd7425e4c88f7393fdd78534437eee25
4
+ data.tar.gz: 80a876597aa720abd453663da272579f95361248
5
5
  SHA512:
6
- metadata.gz: 4b4b9ac60fccc7b4229f8763602cdef31dd0fc031caadc822901ef15980a167e54cd7c1b434d2b6766be38bf191220e6e835a321124a5277fe79c3799e47df63
7
- data.tar.gz: 05c098c24279c5418a5a84f62b81084694167be9d1313eec2314b5410a2f0a36914af84cfc164146c643fa86131f561e6845fceec58c20e81b9204c225a544d9
6
+ metadata.gz: 778cdc29b03bf61bde662da6c5f8796616c1aead0bb72e136a0e688d7dd7fec552dce878eb043f51252de650d86f8c10c76811125988302d67125dce67ce9fc0
7
+ data.tar.gz: 96602ab1cf6da30af50fd1b50aaac4a96a936f35c60e7e2d6acec10a4e63fbb8888f586b28b517e291b524a1dea070b84425ff7d8e08fec2cecf5ce4b0dd2b54
@@ -97,9 +97,10 @@ MSG
97
97
  return signer.errors if signer.errors.any?
98
98
 
99
99
  ca = LocalCertificateAuthority.new(signer.digest, settings)
100
- infra_crl = ca.create_crl_for(ca.cert, ca.key)
101
100
  return ca.errors if ca.errors.any?
102
101
 
102
+ infra_crl = ca.create_crl_for(ca.cert, ca.key)
103
+
103
104
  # Drop the full leaf CRL from the chain
104
105
  crl_chain = ca.crl_chain.drop(1)
105
106
  # Add the new clean CRL, that will be populated with infra nodes only
@@ -20,6 +20,7 @@ Usage:
20
20
  puppetserver ca list [--help]
21
21
  puppetserver ca list [--config]
22
22
  puppetserver ca list [--all]
23
+ puppetserver ca list --certname NAME[,NAME]
23
24
 
24
25
  Description:
25
26
  List outstanding certificate requests. If --all is specified, signed and
@@ -46,11 +47,21 @@ Options:
46
47
  opts.on('--all', 'List all certificates') do |a|
47
48
  parsed['all'] = true
48
49
  end
50
+ opts.on('--certname NAME[,NAME]', Array, 'List the specified cert(s)') do |cert|
51
+ parsed['certname'] = cert
52
+ end
49
53
  end
50
54
  end
51
55
 
52
56
  def run(input)
53
57
  config = input['config']
58
+ certnames = input['certname'] || []
59
+ all = input['all']
60
+
61
+ if all && certnames.any?
62
+ Errors.handle_with_usage(@logger, ['Cannot combine use of --all and --certname'])
63
+ return 1
64
+ end
54
65
 
55
66
  if config
56
67
  errors = FileSystem.validate_file_paths(config)
@@ -60,17 +71,25 @@ Options:
60
71
  puppet = Config::Puppet.parse(config)
61
72
  return 1 if Errors.handle_with_usage(@logger, puppet.errors)
62
73
 
63
- all_certs = get_all_certs(puppet.settings)
64
- return 1 if all_certs.nil?
74
+ filter_names = certnames.any? \
75
+ ? lambda { |x| certnames.include?(x['name']) }
76
+ : lambda { |x| true }
65
77
 
78
+ all_certs = get_all_certs(puppet.settings).select { |cert| filter_names.call(cert) }
66
79
  requested, signed, revoked = separate_certs(all_certs)
67
- input['all'] ? output_certs_by_state(requested, signed, revoked) : output_certs_by_state(requested)
80
+ missing = certnames - all_certs.map { |cert| cert['name'] }
81
+
82
+ (all || certnames.any?) \
83
+ ? output_certs_by_state(requested, signed, revoked, missing)
84
+ : output_certs_by_state(requested)
68
85
 
69
- return 0
86
+ return missing.any? \
87
+ ? 1
88
+ : 0
70
89
  end
71
90
 
72
- def output_certs_by_state(requested, signed = [], revoked = [])
73
- if revoked.empty? && signed.empty? && requested.empty?
91
+ def output_certs_by_state(requested, signed = [], revoked = [], missing = [])
92
+ if revoked.empty? && signed.empty? && requested.empty? && missing.empty?
74
93
  @logger.inform "No certificates to list"
75
94
  return
76
95
  end
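Review bot: The removed `return 1 if all_certs.nil?` guard has no replacement once `get_all_certs` returns `[]` for a missing result (see the later get_all_certs hunk, `result ? JSON.parse(result.body) : []`), so a failed status request to the CA now prints "No certificates to list" and exits 0, or with --certname reports every name as missing, where it previously exited 1. Keep the failure path distinct, e.g. let `get_all_certs` keep returning `nil` when there is no result and write `all_certs = get_all_certs(puppet.settings)`, `return 1 if all_certs.nil?`, `all_certs = all_certs.select { |cert| filter_names.call(cert) }` in place of the single `.select` line, so the `missing` computation only runs on a real listing. Separately, `lambda { |x| true }` leaves `x` unused; `->(_) { true }` marks that as intentional. `run` begins outside this hunk.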
@@ -89,6 +108,13 @@ Options:
89
108
  @logger.inform "Revoked Certificates:"
90
109
  output_certs(revoked)
91
110
  end
111
+
112
+ unless missing.empty?
113
+ @logger.inform "Missing Certificates:"
114
+ missing.each do |name|
115
+ @logger.inform " #{name}"
116
+ end
117
+ end
92
118
  end
93
119
 
94
120
  def output_certs(certs)
@@ -118,7 +144,7 @@ Options:
118
144
 
119
145
  def get_all_certs(settings)
120
146
  result = Puppetserver::Ca::CertificateAuthority.new(@logger, settings).get_certificate_statuses
121
- JSON.parse(result.body) if result
147
+ result ? JSON.parse(result.body) : []
122
148
  end
123
149
 
124
150
  def parse(args)
@@ -64,10 +64,10 @@ module Puppetserver
64
64
 
65
65
  def load_ssl_components(loader)
66
66
  @cert_bundle = loader.certs
67
- @cert = loader.certs.first
68
67
  @key = loader.key
68
+ @cert = loader.cert
69
69
  @crl_chain = loader.crls
70
- @crl = loader.crls.first
70
+ @crl = loader.crl
71
71
  end
72
72
 
73
73
  def errors
@@ -1,5 +1,5 @@
1
1
  module Puppetserver
2
2
  module Ca
3
- VERSION = "1.3.1"
3
+ VERSION = "1.3.2"
4
4
  end
5
5
  end
@@ -5,7 +5,7 @@ module Puppetserver
5
5
  # Load, validate, and store x509 objects needed by the Puppet Server CA.
6
6
  class X509Loader
7
7
 
8
- attr_reader :errors, :certs, :key, :crls
8
+ attr_reader :errors, :certs, :cert, :key, :crls, :crl
9
9
 
10
10
  def initialize(bundle_path, key_path, chain_path)
11
11
  @errors = []
@@ -13,23 +13,53 @@ module Puppetserver
13
13
  @certs = load_certs(bundle_path)
14
14
  @key = load_key(key_path)
15
15
  @crls = load_crls(chain_path)
16
+ @cert = find_signing_cert
17
+ @crl = find_leaf_crl
16
18
 
17
19
  validate(@certs, @key, @crls)
18
20
  end
19
21
 
22
+ def find_signing_cert
23
+ return if @key.nil? || @certs.empty?
24
+
25
+ signing_cert = @certs.find do |cert|
26
+ cert.check_private_key(@key)
27
+ end
28
+
29
+ if signing_cert.nil?
30
+ @errors << "Could not find certificate matching private key"
31
+ end
32
+
33
+ signing_cert
34
+ end
35
+
36
+ def find_leaf_crl
37
+ return if @crls.empty? || @cert.nil?
38
+
39
+ leaf_crl = @crls.find do |crl|
40
+ crl.issuer == @cert.subject
41
+ end
42
+
43
+ if leaf_crl.nil?
44
+ @errors << 'Could not find CRL issued by CA certificate'
45
+ end
46
+
47
+ leaf_crl
48
+ end
49
+
20
50
  # Only do as much validation as is possible, assume whoever tried to
21
51
  # load the objects wrote errors about any invalid ones, but that bundle
22
52
  # and chain may be empty arrays and pkey may be nil.
23
53
  def validate(bundle, pkey, chain)
24
- if !chain.empty? && !bundle.empty?
25
- validate_crl_and_cert(chain.first, bundle.first)
54
+ if !@crl.nil? && !@cert.nil?
55
+ validate_crl_and_cert(@crl, @cert)
26
56
  end
27
57
 
28
- if pkey && !bundle.empty?
29
- validate_cert_and_key(pkey, bundle.first)
58
+ if pkey && !@cert.nil?
59
+ validate_cert_and_key(pkey, @cert)
30
60
  end
31
61
 
32
- unless bundle.empty?
62
+ unless bundle.empty? || @cert.nil?
33
63
  validate_full_chain(bundle, chain)
34
64
  end
35
65
  end
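Review bot: `find_leaf_crl` chooses the CRL by `crl.issuer == @cert.subject` alone, a name the CRL asserts about itself, so if the chain holds more than one CRL naming the CA (a stale copy, or one not actually signed by this key) the first one found becomes `@crl`. Unless `validate_crl_and_cert` (outside this hunk) verifies the signature, consider narrowing the match to `crl.issuer == @cert.subject && crl.verify(@cert.public_key)` so the stored CRL is the one genuinely issued by `@cert`, with the existing nil check still recording the error. Both new helpers are public and mutate `@errors` from `initialize`; if the class has a `private` section further down, placing them there would keep that bookkeeping internal. The two error strings also differ in quote style; `"Could not find CRL issued by CA certificate"` would match its sibling.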
@@ -112,7 +142,7 @@ module Puppetserver
112
142
  # - If provided, no CAs within the chain of trust have been revoked
113
143
  # However this does allow for:
114
144
  # - Additional, ignored, certs and CRLs in the bundle/chain
115
- # - certs and CRLs in any order (as long as the leaf cert is first)
145
+ # - certs and CRLs in any order
116
146
  def validate_full_chain(certs, crls)
117
147
  store = OpenSSL::X509::Store.new
118
148
  certs.each {|cert| store.add_cert(cert) }
@@ -121,7 +151,7 @@ module Puppetserver
121
151
  crls.each {|crl| store.add_crl(crl) }
122
152
  end
123
153
 
124
- unless store.verify(certs.first)
154
+ unless store.verify(@cert)
125
155
  @errors << 'Leaf certificate could not be validated'
126
156
  @errors << "Validating cert store returned: #{store.error} - #{store.error_string}"
127
157
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puppetserver-ca
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.1
4
+ version: 1.3.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Puppet, Inc.
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-03-08 00:00:00.000000000 Z
11
+ date: 2019-07-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: facter