Class: Puppet::SSL::Host

Inherits:
Object show all
Extended by:
Indirector
Defined in:
lib/puppet/ssl/host.rb

Overview

The class that manages all aspects of our SSL certificates – private keys, public keys, requests, etc.

Constant Summary collapse

Key =

Yay, ruby’s strange constant lookups.

Puppet::SSL::Key
CA_NAME = 
Puppet::SSL::CA_NAME
Certificate = 
Puppet::SSL::Certificate
CertificateRequest = 
Puppet::SSL::CertificateRequest
CertificateRevocationList = 
Puppet::SSL::CertificateRevocationList
CA_MODES = 
{
  # Our ca is local, so we use it as the ultimate source of information
  # And we cache files locally.
  :local => [:ca, :file],
  # We're a remote CA client.
  :remote => [:rest, :file],
  # We are the CA, so we don't have read/write access to the normal certificates.
  :only => [:ca],
  # We have no CA, so we just look in the local file store.
  :none => [:file]
}

Constants included from Indirector

Indirector::BadNameRegexp

Class Attribute Summary collapse

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Methods included from Indirector

configure_routes, indirects

Constructor Details

#initialize(name = nil) ⇒ Host

Returns a new instance of Host.



229
230
231
232
233
 
# File 'lib/puppet/ssl/host.rb', line 229

def initialize(name = nil)
  @name = (name || Puppet[:certname]).downcase
  @key = @certificate = @certificate_request = nil
  @ca = (name == self.class.ca_name)
end

Class Attribute Details

.ca_locationObject

Returns the value of attribute ca_location.



48
49
50
 
# File 'lib/puppet/ssl/host.rb', line 48

def ca_location
  @ca_location
end

Instance Attribute Details

#caObject

Returns the value of attribute ca.



22
23
24
 
# File 'lib/puppet/ssl/host.rb', line 22

def ca
  @ca
end

#certificateObject 



193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
 
# File 'lib/puppet/ssl/host.rb', line 193

def certificate
  unless @certificate
    generate_key unless key

    # get the CA cert first, since it's required for the normal cert
    # to be of any use.
    return nil unless Certificate.indirection.find("ca") unless ca?
    return nil unless @certificate = Certificate.indirection.find(name)

    unless certificate_matches_key?
      raise Puppet::Error, "Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key"
    end
  end
  @certificate
end

#certificate_requestObject 



155
156
157
 
# File 'lib/puppet/ssl/host.rb', line 155

def certificate_request
  @certificate_request ||= CertificateRequest.indirection.find(name)
end

#desired_stateObject

This accessor is used in instances for indirector requests to hold desired state



27
28
29
 
# File 'lib/puppet/ssl/host.rb', line 27

def desired_state
  @desired_state
end

#keyObject 



137
138
139
 
# File 'lib/puppet/ssl/host.rb', line 137

def key
  @key ||= Key.indirection.find(name)
end

#nameObject (readonly)

Returns the value of attribute name.



21
22
23
 
# File 'lib/puppet/ssl/host.rb', line 21

def name
  @name
end

Class Method Details

.ca_nameObject

This is the constant that people will use to mark that a given host is a certificate authority.



43
44
45
 
# File 'lib/puppet/ssl/host.rb', line 43

def self.ca_name
  CA_NAME
end

.configure_indirection(terminus, cache = nil) ⇒ Object

Configure how our various classes interact with their various terminuses.



52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
 
# File 'lib/puppet/ssl/host.rb', line 52

def self.configure_indirection(terminus, cache = nil)
  Certificate.indirection.terminus_class = terminus
  CertificateRequest.indirection.terminus_class = terminus
  CertificateRevocationList.indirection.terminus_class = terminus

  host_map = {:ca => :file, :file => nil, :rest => :rest}
  if term = host_map[terminus]
    self.indirection.terminus_class = term
  else
    self.indirection.reset_terminus_class
  end

  if cache
    # This is weird; we don't actually cache our keys, we
    # use what would otherwise be the cache as our normal
    # terminus.
    Key.indirection.terminus_class = cache
  else
    Key.indirection.terminus_class = terminus
  end

  if cache
    Certificate.indirection.cache_class = cache
    CertificateRequest.indirection.cache_class = cache
    CertificateRevocationList.indirection.cache_class = cache
  else
    # Make sure we have no cache configured.  puppet master
    # switches the configurations around a bit, so it's important
    # that we specify the configs for absolutely everything, every
    # time.
    Certificate.indirection.cache_class = nil
    CertificateRequest.indirection.cache_class = nil
    CertificateRevocationList.indirection.cache_class = nil
  end
end

.destroy(name) ⇒ Object

Puppet::SSL::Host is actually indirected now so the original implementation has been moved into the certificate_status indirector. This method is in-use in ‘puppet cert -c <certname>`.



113
114
115
 
# File 'lib/puppet/ssl/host.rb', line 113

def self.destroy(name)
  indirection.destroy(name)
end

.from_pson(pson) ⇒ Object 



117
118
119
120
121
122
123
 
# File 'lib/puppet/ssl/host.rb', line 117

def self.from_pson(pson)
  instance = new(pson["name"])
  if pson["desired_state"]
    instance.desired_state = pson["desired_state"]
  end
  instance
end

.localhostObject 



29
30
31
32
33
34
35
 
# File 'lib/puppet/ssl/host.rb', line 29

def self.localhost
  return @localhost if @localhost
  @localhost = new
  @localhost.generate unless @localhost.certificate
  @localhost.key
  @localhost
end

.resetObject 



37
38
39
 
# File 'lib/puppet/ssl/host.rb', line 37

def self.reset
  @localhost = nil
end

.search(options = {}) ⇒ Object

Puppet::SSL::Host is actually indirected now so the original implementation has been moved into the certificate_status indirector. This method does not appear to be in use in ‘puppet cert -l`.



128
129
130
 
# File 'lib/puppet/ssl/host.rb', line 128

def self.search(options = {})
  indirection.search("*", options)
end

Instance Method Details

#ca?Boolean

Is this a ca host, meaning that all of its files go in the CA location?

Returns:

  • (Boolean) 


133
134
135
 
# File 'lib/puppet/ssl/host.rb', line 133

def ca?
  ca
end

#certificate_matches_key?Boolean

Returns:

  • (Boolean) 


209
210
211
212
213
214
 
# File 'lib/puppet/ssl/host.rb', line 209

def certificate_matches_key?
  return false unless key
  return false unless certificate

  certificate.content.check_private_key(key.content)
end

#generateObject

Generate all necessary parts of our ssl host.



217
218
219
220
221
222
223
224
225
226
227
 
# File 'lib/puppet/ssl/host.rb', line 217

def generate
  generate_key unless key
  generate_certificate_request unless certificate_request

  # If we can get a CA instance, then we're a valid CA, and we
  # should use it to sign our request; else, just try to read
  # the cert.
  if ! certificate and ca = Puppet::SSL::CertificateAuthority.instance
    ca.sign(self.name, true)
  end
end

#generate_certificate_request(options = {}) ⇒ Object

Our certificate request requires the key but that’s all.



168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
 
# File 'lib/puppet/ssl/host.rb', line 168

def generate_certificate_request(options = {})
  generate_key unless key

  # If this is for the current machine...
  if this_csr_is_for_the_current_host
    # ...add our configured dns_alt_names
    if Puppet[:dns_alt_names] and Puppet[:dns_alt_names] != ''
      options[:dns_alt_names] ||= Puppet[:dns_alt_names]
    elsif Puppet::SSL::CertificateAuthority.ca? and fqdn = Facter.value(:fqdn) and domain = Facter.value(:domain)
      options[:dns_alt_names] = "puppet, #{fqdn}, puppet.#{domain}"
    end
  end

  @certificate_request = CertificateRequest.new(name)
  @certificate_request.generate(key.content, options)
  begin
    CertificateRequest.indirection.save(@certificate_request)
  rescue
    @certificate_request = nil
    raise
  end

  true
end

#generate_keyObject

This is the private key; we can create it from scratch with no inputs.



143
144
145
146
147
148
149
150
151
152
153
 
# File 'lib/puppet/ssl/host.rb', line 143

def generate_key
  @key = Key.new(name)
  @key.generate
  begin
    Key.indirection.save(@key)
  rescue
    @key = nil
    raise
  end
  true
end

#public_keyObject

Extract the public key from the private key.



236
237
238
 
# File 'lib/puppet/ssl/host.rb', line 236

def public_key
  key.content.public_key
end

#ssl_store(purpose = OpenSSL::X509::PURPOSE_ANY) ⇒ Object

Create/return a store that uses our SSL info to validate connections.



242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
 
# File 'lib/puppet/ssl/host.rb', line 242

def ssl_store(purpose = OpenSSL::X509::PURPOSE_ANY)
  unless @ssl_store
    @ssl_store = OpenSSL::X509::Store.new
    @ssl_store.purpose = purpose

    # Use the file path here, because we don't want to cause
    # a lookup in the middle of setting our ssl connection.
    @ssl_store.add_file(Puppet[:localcacert])

    # If there's a CRL, add it to our store.
    if crl = Puppet::SSL::CertificateRevocationList.indirection.find(CA_NAME)
      @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
      @ssl_store.add_crl(crl.content)
    end
    return @ssl_store
  end
  @ssl_store
end

#stateObject 



316
317
318
319
320
321
322
323
324
325
326
327
328
 
# File 'lib/puppet/ssl/host.rb', line 316

def state
  my_cert = Puppet::SSL::Certificate.indirection.find(name)
  if certificate_request
    return 'requested'
  end

  begin
    Puppet::SSL::CertificateAuthority.new.verify(my_cert)
    return 'signed'
  rescue Puppet::SSL::CertificateAuthority::CertificateVerificationError
    return 'revoked'
  end
end

#this_csr_is_for_the_current_hostObject 



159
160
161
 
# File 'lib/puppet/ssl/host.rb', line 159

def this_csr_is_for_the_current_host
  name == Puppet[:certname].downcase
end

#to_pson(*args) ⇒ Object 



261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
 
# File 'lib/puppet/ssl/host.rb', line 261

def to_pson(*args)
  my_cert = Puppet::SSL::Certificate.indirection.find(name)
  pson_hash = { :name  => name }

  my_state = state

  pson_hash[:state] = my_state
  pson_hash[:desired_state] = desired_state if desired_state

  if my_state == 'requested'
    pson_hash[:fingerprint] = certificate_request.fingerprint
  else
    pson_hash[:fingerprint] = my_cert.fingerprint
  end

  pson_hash.to_pson(*args)
end

#wait_for_cert(time) ⇒ Object

Attempt to retrieve a cert, if we don’t already have one.



280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
 
# File 'lib/puppet/ssl/host.rb', line 280

def wait_for_cert(time)
  begin
    return if certificate
    generate
    return if certificate
  rescue SystemExit,NoMemoryError
    raise
  rescue Exception => detail
    puts detail.backtrace if Puppet[:trace]
    Puppet.err "Could not request certificate: #{detail}"
    if time < 1
      puts "Exiting; failed to retrieve certificate and waitforcert is disabled"
      exit(1)
    else
      sleep(time)
    end
    retry
  end

  if time < 1
    puts "Exiting; no certificate found and waitforcert is disabled"
    exit(1)
  end

  while true
    sleep time
    begin
      break if certificate
      Puppet.notice "Did not receive certificate"
    rescue StandardError => detail
      puts detail.backtrace if Puppet[:trace]
      Puppet.err "Could not request certificate: #{detail}"
    end
  end
end