Class: Puppet::SSL::Host
- Extended by:
- Indirector
- Defined in:
- lib/vendor/puppet/ssl/host.rb
Overview
The class that manages all aspects of our SSL certificates – private keys, public keys, requests, etc.
Constant Summary collapse
- Key =
Yay, ruby’s strange constant lookups.
Puppet::SSL::Key
- CA_NAME =
Puppet::SSL::CA_NAME
- Certificate =
Puppet::SSL::Certificate
- CertificateRequest =
Puppet::SSL::CertificateRequest
- CertificateRevocationList =
Puppet::SSL::CertificateRevocationList
- CA_MODES =
{ # Our ca is local, so we use it as the ultimate source of information # And we cache files locally. :local => [:ca, :file], # We're a remote CA client. :remote => [:rest, :file], # We are the CA, so we don't have read/write access to the normal certificates. :only => [:ca], # We have no CA, so we just look in the local file store. :none => [:disabled_ca] }
Constants included from Indirector
Class Attribute Summary collapse
-
.ca_location ⇒ Object
Returns the value of attribute ca_location.
Instance Attribute Summary collapse
-
#ca ⇒ Object
Returns the value of attribute ca.
- #certificate ⇒ Object
- #certificate_request ⇒ Object
-
#desired_state ⇒ Object
This accessor is used in instances for indirector requests to hold desired state.
- #key ⇒ Object
-
#name ⇒ Object
readonly
Returns the value of attribute name.
Class Method Summary collapse
-
.ca_name ⇒ Object
This is the constant that people will use to mark that a given host is a certificate authority.
-
.configure_indirection(terminus, cache = nil) ⇒ Object
Configure how our various classes interact with their various terminuses.
-
.destroy(name) ⇒ Object
Puppet::SSL::Host is actually indirected now so the original implementation has been moved into the certificate_status indirector.
- .from_pson(pson) ⇒ Object
- .localhost ⇒ Object
- .reset ⇒ Object
-
.search(options = {}) ⇒ Object
Puppet::SSL::Host is actually indirected now so the original implementation has been moved into the certificate_status indirector.
Instance Method Summary collapse
-
#ca? ⇒ Boolean
Is this a ca host, meaning that all of its files go in the CA location?.
-
#generate ⇒ Object
Generate all necessary parts of our ssl host.
-
#generate_certificate_request(options = {}) ⇒ Object
Our certificate request requires the key but that’s all.
-
#generate_key ⇒ Object
This is the private key; we can create it from scratch with no inputs.
-
#initialize(name = nil) ⇒ Host
constructor
A new instance of Host.
-
#public_key ⇒ Object
Extract the public key from the private key.
-
#ssl_store(purpose = OpenSSL::X509::PURPOSE_ANY) ⇒ Object
Create/return a store that uses our SSL info to validate connections.
- #state ⇒ Object
-
#suitable_message_digest_algorithms ⇒ Object
eventually we’ll probably want to move this somewhere else or make it configurable –jeffweiss 29 aug 2012.
- #this_csr_is_for_the_current_host ⇒ Object
- #to_pson(*args) ⇒ Object
- #validate_certificate_with_key ⇒ Object
-
#wait_for_cert(time) ⇒ Object
Attempt to retrieve a cert, if we don’t already have one.
Methods included from Indirector
Constructor Details
#initialize(name = nil) ⇒ Host
Returns a new instance of Host.
237 238 239 240 241 242 |
# File 'lib/vendor/puppet/ssl/host.rb', line 237 def initialize(name = nil) @name = (name || Puppet[:certname]).downcase Puppet::SSL::Base.validate_certname(@name) @key = @certificate = @certificate_request = nil @ca = (name == self.class.ca_name) end |
Class Attribute Details
.ca_location ⇒ Object
Returns the value of attribute ca_location.
48 49 50 |
# File 'lib/vendor/puppet/ssl/host.rb', line 48 def ca_location @ca_location end |
Instance Attribute Details
#ca ⇒ Object
Returns the value of attribute ca.
22 23 24 |
# File 'lib/vendor/puppet/ssl/host.rb', line 22 def ca @ca end |
#certificate ⇒ Object
193 194 195 196 197 198 199 200 201 202 203 204 205 |
# File 'lib/vendor/puppet/ssl/host.rb', line 193 def certificate unless @certificate generate_key unless key # get the CA cert first, since it's required for the normal cert # to be of any use. return nil unless Certificate.indirection.find("ca") unless ca? return nil unless @certificate = Certificate.indirection.find(name) validate_certificate_with_key end @certificate end |
#certificate_request ⇒ Object
155 156 157 |
# File 'lib/vendor/puppet/ssl/host.rb', line 155 def certificate_request @certificate_request ||= CertificateRequest.indirection.find(name) end |
#desired_state ⇒ Object
This accessor is used in instances for indirector requests to hold desired state
27 28 29 |
# File 'lib/vendor/puppet/ssl/host.rb', line 27 def desired_state @desired_state end |
#key ⇒ Object
137 138 139 |
# File 'lib/vendor/puppet/ssl/host.rb', line 137 def key @key ||= Key.indirection.find(name) end |
#name ⇒ Object (readonly)
Returns the value of attribute name.
21 22 23 |
# File 'lib/vendor/puppet/ssl/host.rb', line 21 def name @name end |
Class Method Details
.ca_name ⇒ Object
This is the constant that people will use to mark that a given host is a certificate authority.
43 44 45 |
# File 'lib/vendor/puppet/ssl/host.rb', line 43 def self.ca_name CA_NAME end |
.configure_indirection(terminus, cache = nil) ⇒ Object
Configure how our various classes interact with their various terminuses.
52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 |
# File 'lib/vendor/puppet/ssl/host.rb', line 52 def self.configure_indirection(terminus, cache = nil) Certificate.indirection.terminus_class = terminus CertificateRequest.indirection.terminus_class = terminus CertificateRevocationList.indirection.terminus_class = terminus host_map = {:ca => :file, :disabled_ca => nil, :file => nil, :rest => :rest} if term = host_map[terminus] self.indirection.terminus_class = term else self.indirection.reset_terminus_class end if cache # This is weird; we don't actually cache our keys, we # use what would otherwise be the cache as our normal # terminus. Key.indirection.terminus_class = cache else Key.indirection.terminus_class = terminus end if cache Certificate.indirection.cache_class = cache CertificateRequest.indirection.cache_class = cache CertificateRevocationList.indirection.cache_class = cache else # Make sure we have no cache configured. puppet master # switches the configurations around a bit, so it's important # that we specify the configs for absolutely everything, every # time. Certificate.indirection.cache_class = nil CertificateRequest.indirection.cache_class = nil CertificateRevocationList.indirection.cache_class = nil end end |
.destroy(name) ⇒ Object
Puppet::SSL::Host is actually indirected now so the original implementation has been moved into the certificate_status indirector. This method is in-use in ‘puppet cert -c <certname>`.
113 114 115 |
# File 'lib/vendor/puppet/ssl/host.rb', line 113 def self.destroy(name) indirection.destroy(name) end |
.from_pson(pson) ⇒ Object
117 118 119 120 121 122 123 |
# File 'lib/vendor/puppet/ssl/host.rb', line 117 def self.from_pson(pson) instance = new(pson["name"]) if pson["desired_state"] instance.desired_state = pson["desired_state"] end instance end |
.localhost ⇒ Object
29 30 31 32 33 34 35 |
# File 'lib/vendor/puppet/ssl/host.rb', line 29 def self.localhost return @localhost if @localhost @localhost = new @localhost.generate unless @localhost.certificate @localhost.key @localhost end |
.reset ⇒ Object
37 38 39 |
# File 'lib/vendor/puppet/ssl/host.rb', line 37 def self.reset @localhost = nil end |
.search(options = {}) ⇒ Object
Puppet::SSL::Host is actually indirected now so the original implementation has been moved into the certificate_status indirector. This method does not appear to be in use in ‘puppet cert -l`.
128 129 130 |
# File 'lib/vendor/puppet/ssl/host.rb', line 128 def self.search( = {}) indirection.search("*", ) end |
Instance Method Details
#ca? ⇒ Boolean
Is this a ca host, meaning that all of its files go in the CA location?
133 134 135 |
# File 'lib/vendor/puppet/ssl/host.rb', line 133 def ca? ca end |
#generate ⇒ Object
Generate all necessary parts of our ssl host.
225 226 227 228 229 230 231 232 233 234 235 |
# File 'lib/vendor/puppet/ssl/host.rb', line 225 def generate generate_key unless key generate_certificate_request unless certificate_request # If we can get a CA instance, then we're a valid CA, and we # should use it to sign our request; else, just try to read # the cert. if ! certificate and ca = Puppet::SSL::CertificateAuthority.instance ca.sign(self.name, true) end end |
#generate_certificate_request(options = {}) ⇒ Object
Our certificate request requires the key but that’s all.
168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 |
# File 'lib/vendor/puppet/ssl/host.rb', line 168 def generate_certificate_request( = {}) generate_key unless key # If this is for the current machine... if this_csr_is_for_the_current_host # ...add our configured dns_alt_names if Puppet[:dns_alt_names] and Puppet[:dns_alt_names] != '' [:dns_alt_names] ||= Puppet[:dns_alt_names] elsif Puppet::SSL::CertificateAuthority.ca? and fqdn = Facter.value(:fqdn) and domain = Facter.value(:domain) [:dns_alt_names] = "puppet, #{fqdn}, puppet.#{domain}" end end @certificate_request = CertificateRequest.new(name) @certificate_request.generate(key.content, ) begin CertificateRequest.indirection.save(@certificate_request) rescue @certificate_request = nil raise end true end |
#generate_key ⇒ Object
This is the private key; we can create it from scratch with no inputs.
143 144 145 146 147 148 149 150 151 152 153 |
# File 'lib/vendor/puppet/ssl/host.rb', line 143 def generate_key @key = Key.new(name) @key.generate begin Key.indirection.save(@key) rescue @key = nil raise end true end |
#public_key ⇒ Object
Extract the public key from the private key.
245 246 247 |
# File 'lib/vendor/puppet/ssl/host.rb', line 245 def public_key key.content.public_key end |
#ssl_store(purpose = OpenSSL::X509::PURPOSE_ANY) ⇒ Object
Create/return a store that uses our SSL info to validate connections.
251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 |
# File 'lib/vendor/puppet/ssl/host.rb', line 251 def ssl_store(purpose = OpenSSL::X509::PURPOSE_ANY) unless @ssl_store @ssl_store = OpenSSL::X509::Store.new @ssl_store.purpose = purpose # Use the file path here, because we don't want to cause # a lookup in the middle of setting our ssl connection. @ssl_store.add_file(Puppet[:localcacert]) # If there's a CRL, add it to our store. if crl = Puppet::SSL::CertificateRevocationList.indirection.find(CA_NAME) @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation] @ssl_store.add_crl(crl.content) end return @ssl_store end @ssl_store end |
#state ⇒ Object
350 351 352 353 354 355 356 357 358 359 360 361 362 |
# File 'lib/vendor/puppet/ssl/host.rb', line 350 def state my_cert = Puppet::SSL::Certificate.indirection.find(name) if certificate_request return 'requested' end begin Puppet::SSL::CertificateAuthority.new.verify(my_cert) return 'signed' rescue Puppet::SSL::CertificateAuthority::CertificateVerificationError return 'revoked' end end |
#suitable_message_digest_algorithms ⇒ Object
eventually we’ll probably want to move this somewhere else or make it configurable –jeffweiss 29 aug 2012
309 310 311 |
# File 'lib/vendor/puppet/ssl/host.rb', line 309 def [:SHA1, :SHA256, :SHA512] end |
#this_csr_is_for_the_current_host ⇒ Object
159 160 161 |
# File 'lib/vendor/puppet/ssl/host.rb', line 159 def this_csr_is_for_the_current_host name == Puppet[:certname].downcase end |
#to_pson(*args) ⇒ Object
270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 |
# File 'lib/vendor/puppet/ssl/host.rb', line 270 def to_pson(*args) my_cert = Puppet::SSL::Certificate.indirection.find(name) pson_hash = { :name => name } my_state = state pson_hash[:state] = my_state pson_hash[:desired_state] = desired_state if desired_state thing_to_use = (my_state == 'requested') ? certificate_request : my_cert # this is for backwards-compatibility # we should deprecate it and transition people to using # pson[:fingerprints][:default] # It appears that we have no internal consumers of this api # --jeffweiss 30 aug 2012 pson_hash[:fingerprint] = thing_to_use.fingerprint # The above fingerprint doesn't tell us what message digest algorithm was used # No problem, except that the default is changing between 2.7 and 3.0. Also, as # we move to FIPS 140-2 compliance, MD5 is no longer allowed (and, gasp, will # segfault in rubies older than 1.9.3) # So, when we add the newer fingerprints, we're explicit about the hashing # algorithm used. # --jeffweiss 31 july 2012 pson_hash[:fingerprints] = {} pson_hash[:fingerprints][:default] = thing_to_use.fingerprint .each do |md| pson_hash[:fingerprints][md] = thing_to_use.fingerprint md end pson_hash[:dns_alt_names] = thing_to_use.subject_alt_names pson_hash.to_pson(*args) end |
#validate_certificate_with_key ⇒ Object
207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 |
# File 'lib/vendor/puppet/ssl/host.rb', line 207 def validate_certificate_with_key raise Puppet::Error, "No certificate to validate." unless certificate raise Puppet::Error, "No private key with which to validate certificate with fingerprint: #{certificate.fingerprint}" unless key unless certificate.content.check_private_key(key.content) raise Puppet::Error, <<ERROR_STRING The certificate retrieved from the master does not match the agent's private key. Certificate fingerprint: #{certificate.fingerprint} To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate. On the master: puppet cert clean #{Puppet[:certname]} On the agent: rm -f #{Puppet[:hostcert]} puppet agent -t ERROR_STRING end end |
#wait_for_cert(time) ⇒ Object
Attempt to retrieve a cert, if we don’t already have one.
314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 |
# File 'lib/vendor/puppet/ssl/host.rb', line 314 def wait_for_cert(time) begin return if certificate generate return if certificate rescue SystemExit,NoMemoryError raise rescue Exception => detail puts detail.backtrace if Puppet[:trace] Puppet.err "Could not request certificate: #{detail}" if time < 1 puts "Exiting; failed to retrieve certificate and waitforcert is disabled" exit(1) else sleep(time) end retry end if time < 1 puts "Exiting; no certificate found and waitforcert is disabled" exit(1) end while true sleep time begin break if certificate Puppet.notice "Did not receive certificate" rescue StandardError => detail puts detail.backtrace if Puppet[:trace] Puppet.err "Could not request certificate: #{detail}" end end end |