Class: Puppet::SSL::CertificateAuthority

Inherits:

Object

• Object
• Puppet::SSL::CertificateAuthority

Extended by:

Util::Cacher

Defined in:

lib/puppet/ssl/certificate_authority.rb,
lib/puppet/ssl/certificate_authority/interface.rb

Overview

The class that knows how to sign certificates. It creates a ‘special’ SSL::Host whose name is ‘ca’, thus indicating that, well, it’s the CA. There’s some magic in the indirector/ssl_file terminus base class that does that for us.

This class mostly just signs certs for us, but

it can also be seen as a general interface into all of the SSL stuff.

Defined Under Namespace

Classes: CertificateVerificationError, Interface

Instance Attribute Summary

• #host ⇒ Object readonly

  Returns the value of attribute host.

• #name ⇒ Object readonly

  Returns the value of attribute name.

Attributes included from Util::Cacher::Expirer

#timestamp

Class Method Summary

• .ca? ⇒ Boolean
• .instance ⇒ Object

  If this process can function as a CA, then return a singleton instance.

Instance Method Summary

• #apply(method, options) ⇒ Object

  Create and run an applicator.

• #autosign ⇒ Object

  If autosign is configured, then autosign all CSRs that match our configuration.

• #autosign? ⇒ Boolean

  Do we autosign? This returns true, false, or a filename.

• #autosign_store(file) ⇒ Object

  Create an AuthStore for autosigning.

• #crl ⇒ Object

  Retrieve (or create, if necessary) the certificate revocation list.

• #destroy(name) ⇒ Object

  Delegate this to our Host class.

• #fingerprint(name, md = :MD5) ⇒ Object
• #generate(name) ⇒ Object

  Generate a new certificate.

• #generate_ca_certificate ⇒ Object

  Generate our CA certificate.

• #generate_password ⇒ Object

  Generate a new password for the CA.

• #initialize ⇒ CertificateAuthority constructor

  A new instance of CertificateAuthority.

• #inventory ⇒ Object

  Retrieve (or create, if necessary) our inventory manager.

• #list ⇒ Object

  List all signed certificates.

• #next_serial ⇒ Object

  Read the next serial from the serial file, and increment the file so this one is considered used.

• #password? ⇒ Boolean

  Does the password file exist?.

• #print(name) ⇒ Object

  Print a given host’s certificate as text.

• #revoke(name) ⇒ Object

  Revoke a given certificate.

• #setup ⇒ Object

  This initializes our CA so it actually works.

• #sign(hostname, cert_type = :server, self_signing_csr = nil) ⇒ Object

  Sign a given certificate request.

• #verify(name) ⇒ Object

  Verify a given host’s certificate.

• #waiting? ⇒ Boolean

  List the waiting certificate requests.

Methods included from Util::Cacher

extended, included

Methods included from Util::Cacher::Expirer

#dependent_data_expired?, #expire

Constructor Details

#initialize ⇒ CertificateAuthority

Returns a new instance of CertificateAuthority.

# File 'lib/puppet/ssl/certificate_authority.rb', line 139

def initialize
  Puppet.settings.use :main, :ssl, :ca

  @name = Puppet[:certname]

  @host = Puppet::SSL::Host.new(Puppet::SSL::Host.ca_name)

  setup
end

Instance Attribute Details

#host ⇒ Object (readonly)

Returns the value of attribute host.

# File 'lib/puppet/ssl/certificate_authority.rb', line 48

def host
  @host
end

#name ⇒ Object (readonly)

Returns the value of attribute name.

# File 'lib/puppet/ssl/certificate_authority.rb', line 48

def name
  @name
end

Class Method Details

.ca? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/puppet/ssl/certificate_authority.rb', line 34

def self.ca?
  return false unless Puppet[:ca]
  return false unless Puppet.run_mode.master?
  true
end

.instance ⇒ Object

If this process can function as a CA, then return a singleton instance.

# File 'lib/puppet/ssl/certificate_authority.rb', line 42

def self.instance
  return nil unless ca?

  singleton_instance
end

Instance Method Details

#apply(method, options) ⇒ Object

Create and run an applicator. I wanted to build an interface where you could do something like ‘ca.apply(:generate).to(:all) but I don’t think it’s really possible.

Raises:

• (ArgumentError)

# File 'lib/puppet/ssl/certificate_authority.rb', line 52

def apply(method, options)
  raise ArgumentError, "You must specify the hosts to apply to; valid values are an array or the symbol :all" unless options[:to]
  applier = Interface.new(method, options)

  applier.apply(self)
end

#autosign ⇒ Object

If autosign is configured, then autosign all CSRs that match our configuration.

# File 'lib/puppet/ssl/certificate_authority.rb', line 60

def autosign
  return unless auto = autosign?

  store = nil
  store = autosign_store(auto) if auto != true

  Puppet::SSL::CertificateRequest.search("*").each do |csr|
    sign(csr.name) if auto == true or store.allowed?(csr.name, "127.1.1.1")
  end
end

#autosign? ⇒ Boolean

Do we autosign? This returns true, false, or a filename.

Returns:

• (Boolean)

Raises:

• (ArgumentError)

# File 'lib/puppet/ssl/certificate_authority.rb', line 72

def autosign?
  auto = Puppet[:autosign]
  return false if ['false', false].include?(auto)
  return true if ['true', true].include?(auto)

  raise ArgumentError, "The autosign configuration '#{auto}' must be a fully qualified file" unless auto =~ /^\//
  FileTest.exist?(auto) && auto
end

#autosign_store(file) ⇒ Object

Create an AuthStore for autosigning.

# File 'lib/puppet/ssl/certificate_authority.rb', line 82

def autosign_store(file)
  auth = Puppet::Network::AuthStore.new
  File.readlines(file).each do |line|
    next if line =~ /^\s*#/
    next if line =~ /^\s*$/
    auth.allow(line.chomp)
  end

  auth
end

#crl ⇒ Object

Retrieve (or create, if necessary) the certificate revocation list.

# File 'lib/puppet/ssl/certificate_authority.rb', line 94

def crl
  unless defined?(@crl)
    unless @crl = Puppet::SSL::CertificateRevocationList.find(Puppet::SSL::CA_NAME)
      @crl = Puppet::SSL::CertificateRevocationList.new(Puppet::SSL::CA_NAME)
      @crl.generate(host.certificate.content, host.key.content)
      @crl.save
    end
  end
  @crl
end

#destroy(name) ⇒ Object

Delegate this to our Host class.

# File 'lib/puppet/ssl/certificate_authority.rb', line 106

def destroy(name)
  Puppet::SSL::Host.destroy(name)
end

#fingerprint(name, md = :MD5) ⇒ Object

# File 'lib/puppet/ssl/certificate_authority.rb', line 273

def fingerprint(name, md = :MD5)
  unless cert = Puppet::SSL::Certificate.find(name) || Puppet::SSL::CertificateRequest.find(name)
    raise ArgumentError, "Could not find a certificate or csr for #{name}"
  end
  cert.fingerprint(md)
end

#generate(name) ⇒ Object

Generate a new certificate.

Raises:

• (ArgumentError)

# File 'lib/puppet/ssl/certificate_authority.rb', line 111

def generate(name)
  raise ArgumentError, "A Certificate already exists for #{name}" if Puppet::SSL::Certificate.find(name)
  host = Puppet::SSL::Host.new(name)

  host.generate_certificate_request

  sign(name)
end

#generate_ca_certificate ⇒ Object

Generate our CA certificate.

# File 'lib/puppet/ssl/certificate_authority.rb', line 121

def generate_ca_certificate
  generate_password unless password?

  host.generate_key unless host.key

  # Create a new cert request.  We do this
  # specially, because we don't want to actually
  # save the request anywhere.
  request = Puppet::SSL::CertificateRequest.new(host.name)
  request.generate(host.key)

  # Create a self-signed certificate.
  @certificate = sign(host.name, :ca, request)

  # And make sure we initialize our CRL.
  crl
end

#generate_password ⇒ Object

Generate a new password for the CA.

# File 'lib/puppet/ssl/certificate_authority.rb', line 155

def generate_password
  pass = ""
  20.times { pass += (rand(74) + 48).chr }

  begin
    Puppet.settings.write(:capass) { |f| f.print pass }
  rescue Errno::EACCES => detail
    raise Puppet::Error, "Could not write CA password: #{detail}"
  end

  @password = pass

  pass
end

#inventory ⇒ Object

Retrieve (or create, if necessary) our inventory manager.

# File 'lib/puppet/ssl/certificate_authority.rb', line 150

def inventory
  @inventory ||= Puppet::SSL::Inventory.new
end

#list ⇒ Object

List all signed certificates.

# File 'lib/puppet/ssl/certificate_authority.rb', line 171

def list
  Puppet::SSL::Certificate.search("*").collect { |c| c.name }
end

#next_serial ⇒ Object

Read the next serial from the serial file, and increment the file so this one is considered used.

# File 'lib/puppet/ssl/certificate_authority.rb', line 177

def next_serial
  serial = nil

  # This is slightly odd.  If the file doesn't exist, our readwritelock creates
  # it, but with a mode we can't actually read in some cases.  So, use
  # a default before the lock.
  serial = 0x1 unless FileTest.exist?(Puppet[:serial])

  Puppet.settings.readwritelock(:serial) { |f|
    serial ||= File.read(Puppet.settings[:serial]).chomp.hex if FileTest.exist?(Puppet[:serial])

    # We store the next valid serial, not the one we just used.
    f << "%04X" % (serial + 1)
  }

  serial
end

#password? ⇒ Boolean

Does the password file exist?

Returns:

• (Boolean)

# File 'lib/puppet/ssl/certificate_authority.rb', line 196

def password?
  FileTest.exist? Puppet[:capass]
end

#print(name) ⇒ Object

Print a given host’s certificate as text.

# File 'lib/puppet/ssl/certificate_authority.rb', line 201

def print(name)
  (cert = Puppet::SSL::Certificate.find(name)) ? cert.to_text : nil
end

#revoke(name) ⇒ Object

Revoke a given certificate.

Raises:

• (ArgumentError)

# File 'lib/puppet/ssl/certificate_authority.rb', line 206

def revoke(name)
  raise ArgumentError, "Cannot revoke certificates when the CRL is disabled" unless crl

  if cert = Puppet::SSL::Certificate.find(name)
    serial = cert.content.serial
  elsif ! serial = inventory.serial(name)
    raise ArgumentError, "Could not find a serial number for #{name}"
  end
  crl.revoke(serial, host.key.content)
end

#setup ⇒ Object

This initializes our CA so it actually works. This should be a private method, except that you can’t any-instance stub private methods, which is awesome. This method only really exists to provide a stub-point during testing.

# File 'lib/puppet/ssl/certificate_authority.rb', line 221

def setup
  generate_ca_certificate unless @host.certificate
end

#sign(hostname, cert_type = :server, self_signing_csr = nil) ⇒ Object

Sign a given certificate request.

# File 'lib/puppet/ssl/certificate_authority.rb', line 226

def sign(hostname, cert_type = :server, self_signing_csr = nil)
  # This is a self-signed certificate
  if self_signing_csr
    csr = self_signing_csr
    issuer = csr.content
  else
    unless csr = Puppet::SSL::CertificateRequest.find(hostname)
      raise ArgumentError, "Could not find certificate request for #{hostname}"
    end
    issuer = host.certificate.content
  end

  cert = Puppet::SSL::Certificate.new(hostname)
  cert.content = Puppet::SSL::CertificateFactory.new(cert_type, csr.content, issuer, next_serial).result
  cert.content.sign(host.key.content, OpenSSL::Digest::SHA1.new)

  Puppet.notice "Signed certificate request for #{hostname}"

  # Add the cert to the inventory before we save it, since
  # otherwise we could end up with it being duplicated, if
  # this is the first time we build the inventory file.
  inventory.add(cert)

  # Save the now-signed cert.  This should get routed correctly depending
  # on the certificate type.
  cert.save

  # And remove the CSR if this wasn't self signed.
  Puppet::SSL::CertificateRequest.destroy(csr.name) unless self_signing_csr

  cert
end

#verify(name) ⇒ Object

Verify a given host’s certificate.

Raises:

• (CertificateVerificationError.new(store.error))

# File 'lib/puppet/ssl/certificate_authority.rb', line 260

def verify(name)
  unless cert = Puppet::SSL::Certificate.find(name)
    raise ArgumentError, "Could not find a certificate for #{name}"
  end
  store = OpenSSL::X509::Store.new
  store.add_file Puppet[:cacert]
  store.add_crl crl.content if self.crl
  store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]

  raise CertificateVerificationError.new(store.error), store.error_string unless store.verify(cert.content)
end

#waiting? ⇒ Boolean

List the waiting certificate requests.

Returns:

• (Boolean)

# File 'lib/puppet/ssl/certificate_authority.rb', line 281

def waiting?
  Puppet::SSL::CertificateRequest.search("*").collect { |r| r.name }
end