puppetserver-ca 2.2.0 → 2.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +5 -0
- data/lib/puppetserver/ca/action/prune.rb +116 -0
- data/lib/puppetserver/ca/cli.rb +8 -6
- data/lib/puppetserver/ca/logger.rb +5 -1
- data/lib/puppetserver/ca/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: af10497de6396a89adeeb920ea09df98f728c97a6e219e6baf5d92ab1f063937
|
|
4
|
+
data.tar.gz: 39e54eaa7e05c9274add48f046e0328d68bb74146343abef6bc2be8fd4aba2be
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4e58d65112ae40fbd21881cb0514321c86311cea8d5947db8b049b1b19959268850a320375419a1b1506bae4dc805773e82d2ff23aeb43c528dd9e13157b8713
|
|
7
|
+
data.tar.gz: 9fe0a51c4966a39bef6317498f79ab1e953ed410ec409bc940003fb7ab295d09bf244a46832c4845c0dae1fef197c7da5ea4c4b77839256eb7724462d0d9ab52
|
data/README.md
CHANGED
|
@@ -55,6 +55,11 @@ To create a new keypair and certificate for a certname:
|
|
|
55
55
|
puppetserver ca generate --certname foo.example.com
|
|
56
56
|
```
|
|
57
57
|
|
|
58
|
+
To remove duplicated entries from Puppet's CRL:
|
|
59
|
+
```
|
|
60
|
+
puppetserver ca prune
|
|
61
|
+
```
|
|
62
|
+
|
|
58
63
|
To enable verbose mode:
|
|
59
64
|
```
|
|
60
65
|
puppetserver ca --verbose <action>
|
|
@@ -0,0 +1,116 @@
|
|
|
1
|
+
require 'optparse'
|
|
2
|
+
require 'openssl'
|
|
3
|
+
require 'puppetserver/ca/errors'
|
|
4
|
+
require 'puppetserver/ca/utils/cli_parsing'
|
|
5
|
+
require 'puppetserver/ca/utils/file_system'
|
|
6
|
+
require 'puppetserver/ca/utils/config'
|
|
7
|
+
require 'puppetserver/ca/x509_loader'
|
|
8
|
+
|
|
9
|
+
module Puppetserver
|
|
10
|
+
module Ca
|
|
11
|
+
module Action
|
|
12
|
+
class Prune
|
|
13
|
+
include Puppetserver::Ca::Utils
|
|
14
|
+
|
|
15
|
+
SUMMARY = "Prune the local CRL on disk to remove any duplicated certificates"
|
|
16
|
+
BANNER = <<-BANNER
|
|
17
|
+
Usage:
|
|
18
|
+
puppetserver ca prune [--help]
|
|
19
|
+
puppetserver ca prune [--config]
|
|
20
|
+
|
|
21
|
+
Description:
|
|
22
|
+
Prune the list of revoked certificates of any duplication within it. This command
|
|
23
|
+
will only prune the CRL issued by Puppet's CA cert.
|
|
24
|
+
|
|
25
|
+
Options:
|
|
26
|
+
BANNER
|
|
27
|
+
|
|
28
|
+
def initialize(logger)
|
|
29
|
+
@logger = logger
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
def run(inputs)
|
|
33
|
+
config_path = inputs['config']
|
|
34
|
+
|
|
35
|
+
# Validate the config path.
|
|
36
|
+
if config_path
|
|
37
|
+
errors = FileSystem.validate_file_paths(config_path)
|
|
38
|
+
return 1 if Errors.handle_with_usage(@logger, errors)
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
# Validate puppet config setting.
|
|
42
|
+
puppet = Config::Puppet.new(config_path)
|
|
43
|
+
puppet.load(logger: @logger)
|
|
44
|
+
return 1 if Errors.handle_with_usage(@logger, puppet.errors)
|
|
45
|
+
|
|
46
|
+
# Validate that we are offline
|
|
47
|
+
return 1 if HttpClient.check_server_online(puppet.settings, @logger)
|
|
48
|
+
|
|
49
|
+
# Getting the CRL(s)
|
|
50
|
+
loader = X509Loader.new(puppet.settings[:cacert], puppet.settings[:cakey], puppet.settings[:cacrl])
|
|
51
|
+
|
|
52
|
+
puppet_crl = loader.crls.select { |crl| crl.verify(loader.key) }
|
|
53
|
+
prune_CRLs(puppet_crl)
|
|
54
|
+
update_pruned_CRL(puppet_crl, loader.key)
|
|
55
|
+
FileSystem.write_file(puppet.settings[:cacrl], loader.crls, 0644)
|
|
56
|
+
|
|
57
|
+
@logger.inform("Finished pruning Puppet's CRL")
|
|
58
|
+
return 0
|
|
59
|
+
end
|
|
60
|
+
|
|
61
|
+
def prune_CRLs(crl_list)
|
|
62
|
+
crl_list.each do |crl|
|
|
63
|
+
existed_serial_number = Set.new()
|
|
64
|
+
revoked_list = crl.revoked
|
|
65
|
+
@logger.debug("Pruning duplicate entries in CRL for issuer " \
|
|
66
|
+
"#{crl.issuer.to_s(OpenSSL::X509::Name::RFC2253)}") if @logger.debug?
|
|
67
|
+
|
|
68
|
+
revoked_list.delete_if do |revoked|
|
|
69
|
+
if existed_serial_number.add?(revoked.serial)
|
|
70
|
+
false
|
|
71
|
+
else
|
|
72
|
+
@logger.debug("Removing duplicate of #{revoked.serial}, " \
|
|
73
|
+
"revoked on #{revoked.time}\n") if @logger.debug?
|
|
74
|
+
true
|
|
75
|
+
end
|
|
76
|
+
end
|
|
77
|
+
crl.revoked=(revoked_list)
|
|
78
|
+
end
|
|
79
|
+
end
|
|
80
|
+
|
|
81
|
+
def update_pruned_CRL(crl_list, pkey)
|
|
82
|
+
crl_list.each do |crl|
|
|
83
|
+
crl.version=(crl.version + 1)
|
|
84
|
+
crl.sign(pkey, OpenSSL::Digest::SHA256.new)
|
|
85
|
+
end
|
|
86
|
+
end
|
|
87
|
+
|
|
88
|
+
def self.parser(parsed = {})
|
|
89
|
+
OptionParser.new do |opts|
|
|
90
|
+
opts.banner = BANNER
|
|
91
|
+
opts.on('--help', 'Display this command-specific help output') do |help|
|
|
92
|
+
parsed['help'] = true
|
|
93
|
+
end
|
|
94
|
+
opts.on('--config CONF', 'Path to the puppet.conf file on disk') do |conf|
|
|
95
|
+
parsed['config'] = conf
|
|
96
|
+
end
|
|
97
|
+
end
|
|
98
|
+
end
|
|
99
|
+
|
|
100
|
+
def parse(args)
|
|
101
|
+
results = {}
|
|
102
|
+
parser = self.class.parser(results)
|
|
103
|
+
errors = CliParsing.parse_with_errors(parser, args)
|
|
104
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
|
105
|
+
|
|
106
|
+
if errors_were_handled
|
|
107
|
+
exit_code = 1
|
|
108
|
+
else
|
|
109
|
+
exit_code = nil
|
|
110
|
+
end
|
|
111
|
+
return results, exit_code
|
|
112
|
+
end
|
|
113
|
+
end
|
|
114
|
+
end
|
|
115
|
+
end
|
|
116
|
+
end
|
data/lib/puppetserver/ca/cli.rb
CHANGED
|
@@ -8,6 +8,7 @@ require 'puppetserver/ca/action/list'
|
|
|
8
8
|
require 'puppetserver/ca/action/revoke'
|
|
9
9
|
require 'puppetserver/ca/action/setup'
|
|
10
10
|
require 'puppetserver/ca/action/sign'
|
|
11
|
+
require 'puppetserver/ca/action/prune'
|
|
11
12
|
require 'puppetserver/ca/action/migrate'
|
|
12
13
|
require 'puppetserver/ca/errors'
|
|
13
14
|
require 'puppetserver/ca/logger'
|
|
@@ -25,11 +26,12 @@ Manage the Private Key Infrastructure for
|
|
|
25
26
|
Puppet Server's built-in Certificate Authority
|
|
26
27
|
BANNER
|
|
27
28
|
|
|
28
|
-
|
|
29
|
+
ADMIN_ACTIONS = {
|
|
29
30
|
'import' => Action::Import,
|
|
30
31
|
'setup' => Action::Setup,
|
|
31
|
-
'enable'
|
|
32
|
-
'migrate'
|
|
32
|
+
'enable' => Action::Enable,
|
|
33
|
+
'migrate' => Action::Migrate,
|
|
34
|
+
'prune' => Action::Prune
|
|
33
35
|
}
|
|
34
36
|
|
|
35
37
|
MAINT_ACTIONS = {
|
|
@@ -40,15 +42,15 @@ BANNER
|
|
|
40
42
|
'sign' => Action::Sign
|
|
41
43
|
}
|
|
42
44
|
|
|
43
|
-
VALID_ACTIONS =
|
|
45
|
+
VALID_ACTIONS = ADMIN_ACTIONS.merge(MAINT_ACTIONS).sort.to_h
|
|
44
46
|
|
|
45
47
|
ACTION_LIST = "\nAvailable Actions:\n\n" +
|
|
46
48
|
" Certificate Actions (requires a running Puppet Server):\n\n" +
|
|
47
49
|
MAINT_ACTIONS.map do |action, cls|
|
|
48
50
|
" #{action}\t#{cls::SUMMARY}"
|
|
49
51
|
end.join("\n") + "\n\n" +
|
|
50
|
-
"
|
|
51
|
-
|
|
52
|
+
" Administrative Actions (requires Puppet Server to be stopped):\n\n" +
|
|
53
|
+
ADMIN_ACTIONS.map do |action, cls|
|
|
52
54
|
" #{action}\t#{cls::SUMMARY}"
|
|
53
55
|
end.join("\n")
|
|
54
56
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: puppetserver-ca
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Puppet, Inc.
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-07-
|
|
11
|
+
date: 2021-07-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: facter
|
|
@@ -100,6 +100,7 @@ files:
|
|
|
100
100
|
- lib/puppetserver/ca/action/import.rb
|
|
101
101
|
- lib/puppetserver/ca/action/list.rb
|
|
102
102
|
- lib/puppetserver/ca/action/migrate.rb
|
|
103
|
+
- lib/puppetserver/ca/action/prune.rb
|
|
103
104
|
- lib/puppetserver/ca/action/revoke.rb
|
|
104
105
|
- lib/puppetserver/ca/action/setup.rb
|
|
105
106
|
- lib/puppetserver/ca/action/sign.rb
|