puppetserver-ca 1.4.0 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CODEOWNERS +4 -0
- data/lib/puppetserver/ca/action/generate.rb +24 -10
- data/lib/puppetserver/ca/action/sign.rb +4 -1
- data/lib/puppetserver/ca/certificate_authority.rb +44 -5
- data/lib/puppetserver/ca/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6675ef6328d11ddc9d47becb63063089f1eab59d
|
|
4
|
+
data.tar.gz: f8f0e62f01297a56d238ffc7d074b6ed1300a448
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ce20b8b249b03b73eeeaed698723df472191269626e37ce232ddf6e5a199fbcc19e29787929efa70e4400dc7a14c38fc0ad1c62f0de1febee3845d36899b49da
|
|
7
|
+
data.tar.gz: 37b285c14dff8b48fab045dd699771917ac12e0b3663c61ec42d94ff6773644a7311af02d792ed17241be9b180f4ff041e2d61d04bf9cf7f034eaeefa0d12fa7
|
data/CODEOWNERS
ADDED
|
@@ -75,6 +75,9 @@ BANNER
|
|
|
75
75
|
'Causes the cert to be generated offline.') do |ca_client|
|
|
76
76
|
parsed['ca-client'] = true
|
|
77
77
|
end
|
|
78
|
+
opts.on('--ttl TTL', 'The time-to-live for each cert generated and signed') do |ttl|
|
|
79
|
+
parsed['ttl'] = ttl
|
|
80
|
+
end
|
|
78
81
|
end
|
|
79
82
|
end
|
|
80
83
|
|
|
@@ -140,7 +143,7 @@ BANNER
|
|
|
140
143
|
return 1 if check_server_online(puppet.settings)
|
|
141
144
|
all_passed = generate_authorized_certs(certnames, alt_names, puppet.settings, signer.digest)
|
|
142
145
|
else
|
|
143
|
-
all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest)
|
|
146
|
+
all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest, input['ttl'])
|
|
144
147
|
end
|
|
145
148
|
return all_passed ? 0 : 1
|
|
146
149
|
end
|
|
@@ -209,8 +212,10 @@ BANNER
|
|
|
209
212
|
# Generate csrs and keys, then submit them to CA, request for the CA to sign
|
|
210
213
|
# them, download the signed certificates from the CA, and finally save
|
|
211
214
|
# the signed certs and associated keys. Returns true if all certs were
|
|
212
|
-
# successfully created and saved.
|
|
213
|
-
|
|
215
|
+
# successfully created and saved. Takes a ttl to use if certificates
|
|
216
|
+
# are signed by this CLI, not autosigned by the CA. if ttl is nil, uses
|
|
217
|
+
# the CA's settings.
|
|
218
|
+
def generate_certs(certnames, alt_names, settings, digest, ttl)
|
|
214
219
|
# Make sure we have all the directories where we will be writing files
|
|
215
220
|
FileSystem.ensure_dirs([settings[:ssldir],
|
|
216
221
|
settings[:certdir],
|
|
@@ -228,17 +233,26 @@ BANNER
|
|
|
228
233
|
next false unless submit_csr(certname, ca, settings, digest, current_alt_names)
|
|
229
234
|
|
|
230
235
|
# Check if the CA autosigned the cert
|
|
231
|
-
|
|
232
|
-
@logger.inform "Certificate for #{certname} was autosigned."
|
|
233
|
-
true
|
|
234
|
-
else
|
|
235
|
-
next false unless ca.sign_certs([certname])
|
|
236
|
-
download_cert(ca, certname, settings)
|
|
237
|
-
end
|
|
236
|
+
next acquire_signed_cert(ca, certname, settings, ttl)
|
|
238
237
|
end
|
|
239
238
|
passed.all?
|
|
240
239
|
end
|
|
241
240
|
|
|
241
|
+
# Try to download a signed certificate; sign the cert with the given ttl if it needs
|
|
242
|
+
# signing before download.
|
|
243
|
+
def acquire_signed_cert(ca, certname, settings, ttl)
|
|
244
|
+
if download_cert(ca, certname, settings)
|
|
245
|
+
@logger.inform "Certificate for #{certname} was autosigned."
|
|
246
|
+
if ttl
|
|
247
|
+
@logger.warn "ttl was specified, but the CA autosigned the CSR. Unable to specify #{ttl} for #{certname}"
|
|
248
|
+
end
|
|
249
|
+
true
|
|
250
|
+
else
|
|
251
|
+
false unless ca.sign_certs([certname], ttl)
|
|
252
|
+
download_cert(ca, certname, settings)
|
|
253
|
+
end
|
|
254
|
+
end
|
|
255
|
+
|
|
242
256
|
def submit_csr(certname, ca, settings, digest, alt_names)
|
|
243
257
|
key, csr = generate_key_csr(certname, settings, digest, alt_names)
|
|
244
258
|
return false unless csr
|
|
@@ -32,6 +32,9 @@ Options:
|
|
|
32
32
|
def self.parser(parsed = {})
|
|
33
33
|
OptionParser.new do |opts|
|
|
34
34
|
opts.banner = BANNER
|
|
35
|
+
opts.on('--ttl TTL', 'The time-to-live for each cert signed') do |ttl|
|
|
36
|
+
parsed['ttl'] = ttl
|
|
37
|
+
end
|
|
35
38
|
opts.on('--certname NAME[,NAME]', Array, 'the name(s) of the cert(s) to be signed') do |cert|
|
|
36
39
|
parsed['certname'] = cert
|
|
37
40
|
end
|
|
@@ -72,7 +75,7 @@ Options:
|
|
|
72
75
|
requested_certnames = input['certname']
|
|
73
76
|
end
|
|
74
77
|
|
|
75
|
-
success = ca.sign_certs(requested_certnames)
|
|
78
|
+
success = ca.sign_certs(requested_certnames, input['ttl'])
|
|
76
79
|
return success ? 0 : 1
|
|
77
80
|
end
|
|
78
81
|
|
|
@@ -8,6 +8,16 @@ module Puppetserver
|
|
|
8
8
|
|
|
9
9
|
include Puppetserver::Ca::Utils
|
|
10
10
|
|
|
11
|
+
# Taken from puppet/lib/settings/duration_settings.rb
|
|
12
|
+
UNITMAP = {
|
|
13
|
+
# 365 days isn't technically a year, but is sufficient for most purposes
|
|
14
|
+
"y" => 365 * 24 * 60 * 60,
|
|
15
|
+
"d" => 24 * 60 * 60,
|
|
16
|
+
"h" => 60 * 60,
|
|
17
|
+
"m" => 60,
|
|
18
|
+
"s" => 1
|
|
19
|
+
}
|
|
20
|
+
|
|
11
21
|
REVOKE_BODY = JSON.dump({ desired_state: 'revoked' })
|
|
12
22
|
SIGN_BODY = JSON.dump({ desired_state: 'signed' })
|
|
13
23
|
|
|
@@ -35,11 +45,40 @@ module Puppetserver
|
|
|
35
45
|
HttpClient::URL.new('https', @ca_server, @ca_port, 'puppet-ca', 'v1', resource_type, certname)
|
|
36
46
|
end
|
|
37
47
|
|
|
38
|
-
def
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
48
|
+
def process_ttl_input(ttl)
|
|
49
|
+
match = /^(\d+)(s|m|h|d|y)?$/.match(ttl)
|
|
50
|
+
if match
|
|
51
|
+
if match[2]
|
|
52
|
+
match[1].to_i * UNITMAP[match[2]].to_i
|
|
53
|
+
else
|
|
54
|
+
ttl
|
|
55
|
+
end
|
|
56
|
+
else
|
|
57
|
+
@logger.err "Error:"
|
|
58
|
+
@logger.err " '#{ttl}' is an invalid ttl value"
|
|
59
|
+
@logger.err "Value should match regex \"^(\d+)(s|m|h|d|y)?$\""
|
|
60
|
+
nil
|
|
61
|
+
end
|
|
62
|
+
end
|
|
63
|
+
|
|
64
|
+
def sign_certs(certnames, ttl=nil)
|
|
65
|
+
results = []
|
|
66
|
+
if ttl
|
|
67
|
+
lifetime = process_ttl_input(ttl)
|
|
68
|
+
return false if lifetime.nil?
|
|
69
|
+
body = JSON.dump({ desired_state: 'signed',
|
|
70
|
+
cert_ttl: lifetime})
|
|
71
|
+
results = put(certnames,
|
|
72
|
+
resource_type: 'certificate_status',
|
|
73
|
+
body: body,
|
|
74
|
+
type: :sign)
|
|
75
|
+
else
|
|
76
|
+
results = put(certnames,
|
|
77
|
+
resource_type: 'certificate_status',
|
|
78
|
+
body: SIGN_BODY,
|
|
79
|
+
type: :sign)
|
|
80
|
+
end
|
|
81
|
+
|
|
43
82
|
|
|
44
83
|
results.all? { |result| result == :success }
|
|
45
84
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: puppetserver-ca
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Puppet, Inc.
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-12-02 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: facter
|
|
@@ -83,6 +83,7 @@ files:
|
|
|
83
83
|
- ".gitignore"
|
|
84
84
|
- ".rspec"
|
|
85
85
|
- ".travis.yml"
|
|
86
|
+
- CODEOWNERS
|
|
86
87
|
- CODE_OF_CONDUCT.md
|
|
87
88
|
- CONTRIBUTING.md
|
|
88
89
|
- Gemfile
|