Class: Puppet::Application::Cert

Inherits:

Puppet::Application

• Object
• Puppet::Application
• Puppet::Application::Cert

Defined in:

lib/puppet/application/cert.rb

Constant Summary

Constants inherited from Puppet::Application

DOCPATTERN

Constants included from Util

Util::AbsolutePathPosix, Util::AbsolutePathWindows, Util::DEFAULT_POSIX_MODE, Util::DEFAULT_WINDOWS_MODE

Constants included from Util::POSIX

Util::POSIX::LOCALE_ENV_VARS, Util::POSIX::USER_ENV_VARS

Constants included from Util::SymbolicFileMode

Util::SymbolicFileMode::SetGIDBit, Util::SymbolicFileMode::SetUIDBit, Util::SymbolicFileMode::StickyBit, Util::SymbolicFileMode::SymbolicMode, Util::SymbolicFileMode::SymbolicSpecialToBit

Instance Attribute Summary

• #all ⇒ Object
• #ca ⇒ Object
• #digest ⇒ Object
• #signed ⇒ Object

Attributes inherited from Puppet::Application

#command_line, #options

Instance Method Summary

• #apply(ca, method, options) ⇒ Object

  Create and run an applicator.

• #help ⇒ Object
• #main ⇒ Object
• #parse_options ⇒ Object
• #setup ⇒ Object
• #subcommand ⇒ Object
• #subcommand=(name) ⇒ Object

Methods inherited from Puppet::Application

[], #app_defaults, available_application_names, banner, clear!, clear?, clear_everything_for_tests, #configure_indirector_routes, controlled_run, exit, find, #handle_logdest_arg, #handlearg, #initialize, #initialize_app_defaults, interrupted?, #log_runtime_environment, #name, option, option_parser_commands, #preinit, restart!, restart_requested?, #run, #run_command, run_mode, #set_log_level, #setup_logs, stop!, stop_requested?, try_load_class

Methods included from Util

absolute_path?, benchmark, chuser, clear_environment, default_env, deterministic_rand, deterministic_rand_int, exit_on_fail, get_env, get_environment, logmethods, merge_environment, path_to_uri, pretty_backtrace, replace_file, safe_posix_fork, set_env, symbolizehash, thinmark, uri_to_path, which, withenv, withumask

Methods included from Util::POSIX

#get_posix_field, #gid, #idfield, #methodbyid, #methodbyname, #search_posix_field, #uid

Methods included from Util::SymbolicFileMode

#normalize_symbolic_mode, #symbolic_mode_to_int, #valid_symbolic_mode?

Constructor Details

This class inherits a constructor from Puppet::Application

Instance Attribute Details

#all ⇒ Object

# File 'lib/puppet/application/cert.rb', line 8

def all
  @all
end

#ca ⇒ Object

# File 'lib/puppet/application/cert.rb', line 8

def ca
  @ca
end

#digest ⇒ Object

# File 'lib/puppet/application/cert.rb', line 8

def digest
  @digest
end

#signed ⇒ Object

# File 'lib/puppet/application/cert.rb', line 8

def signed
  @signed
end

Instance Method Details

#apply(ca, method, options) ⇒ Object

Create and run an applicator. I wanted to build an interface where you could do something like ‘ca.apply(:generate).to(:all) but I don’t think it’s really possible.

Raises:

• (ArgumentError)

# File 'lib/puppet/application/cert.rb', line 324

def apply(ca, method, options)
  raise ArgumentError, "You must specify the hosts to apply to; valid values are an array or the symbol :all" unless options[:to]
  applier = Puppet::SSL::CertificateAuthority::Interface.new(method, options)
  applier.apply(ca)
end

#help ⇒ Object

# File 'lib/puppet/application/cert.rb', line 102

def help
  "\npuppet-cert(8) -- Manage certificates and requests\n========\n\nSYNOPSIS\n--------\nStandalone certificate authority. Capable of generating certificates,\nbut mostly used for signing certificate requests from puppet clients.\n\n\nUSAGE\n-----\npuppet cert <action> [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]\n[--digest <digest>] [<host>]\n\n\nDESCRIPTION\n-----------\nBecause the puppet master service defaults to not signing client\ncertificate requests, this script is available for signing outstanding\nrequests. It can be used to list outstanding requests and then either\nsign them individually or sign all of them.\n\nACTIONS\n-------\n\nEvery action except 'list' and 'generate' requires a hostname to act on,\nunless the '--all' option is set.\n\nThe most important actions for day-to-day use are 'list' and 'sign'.\n\n* clean:\nRevoke a host's certificate (if applicable) and remove all files\nrelated to that host from puppet cert's storage. This is useful when\nrebuilding hosts, since new certificate signing requests will only be\nhonored if puppet cert does not have a copy of a signed certificate\nfor that host. If '--all' is specified then all host certificates,\nboth signed and unsigned, will be removed.\n\n* fingerprint:\nPrint the DIGEST (defaults to the signing algorithm) fingerprint of a\nhost's certificate.\n\n* generate:\nGenerate a certificate for a named client. A certificate/keypair will\nbe generated for each client named on the command line.\n\n* list:\nList outstanding certificate requests. If '--all' is specified, signed\ncertificates are also listed, prefixed by '+', and revoked or invalid\ncertificates are prefixed by '-' (the verification outcome is printed\nin parenthesis). If '--human-readable' or '-H' is specified,\ncertificates are formatted in a way to improve human scan-ability. If\n'--machine-readable' or '-m' is specified, output is formatted concisely\nfor consumption by a script.\n\n* print:\nPrint the full-text version of a host's certificate.\n\n* revoke:\nRevoke the certificate of a client. The certificate can be specified either\nby its serial number (given as a hexadecimal number prefixed by '0x') or by its\nhostname. The certificate is revoked by adding it to the Certificate Revocation\nList given by the 'cacrl' configuration option. Note that the puppet master\nneeds to be restarted after revoking certificates.\n\n* sign:\nSign an outstanding certificate request. If '--interactive' or '-i' is\nsupplied the user will be prompted to confirm that they are signing the\ncorrect certificate (recommended). If '--assume-yes' or '-y' is supplied\nthe interactive prompt will assume the answer of 'yes'.\n\n* verify:\nVerify the named certificate against the local CA certificate.\n\n* reinventory:\nBuild an inventory of the issued certificates. This will destroy the current\ninventory file specified by 'cert_inventory' and recreate it from the\ncertificates found in the 'certdir'. Ensure the puppet master is stopped\nbefore running this action.\n\nOPTIONS\n-------\nNote that any setting that's valid in the configuration\nfile is also a valid long argument. For example, 'ssldir' is a valid\nsetting, so you can specify '--ssldir <directory>' as an\nargument.\n\nSee the configuration file documentation at\nhttps://docs.puppetlabs.com/puppet/latest/reference/configuration.html for the\nfull list of acceptable parameters. A commented list of all\nconfiguration options can also be generated by running puppet cert with\n'--genconfig'.\n\n* --all:\nOperate on all items. Currently only makes sense with the 'sign',\n'list', and 'fingerprint' actions.\n\n* --allow-dns-alt-names:\nSign a certificate request even if it contains one or more alternate DNS\nnames. If this option isn't specified, 'puppet cert sign' will ignore any\nrequests that contain alternate names.\n\nIn general, ONLY certs intended for a Puppet master server should include\nalternate DNS names, since Puppet agent relies on those names for identifying\nits rightful server.\n\nYou can make Puppet agent request a certificate with alternate names by\nsetting 'dns_alt_names' in puppet.conf or specifying '--dns_alt_names' on the\ncommand line. The output of 'puppet cert list' shows any requested alt names\nfor pending certificate requests.\n\n* --allow-authorization-extensions:\nEnable the signing of a request with authorization extensions. Such requests\nare sensitive because they can be used to write access rules in Puppet Server.\nCurrently, this is the only means by which such requests can be signed.\n\n* --digest:\nSet the digest for fingerprinting (defaults to the digest used when\nsigning the cert). Valid values depends on your openssl and openssl ruby\nextension version.\n\n* --debug:\nEnable full debugging.\n\n* --help:\nPrint this help message\n\n* --verbose:\nEnable verbosity.\n\n* --version:\nPrint the puppet version number and exit.\n\n\nEXAMPLE\n-------\n  $ puppet cert list\n  culain.madstop.com\n  $ puppet cert sign culain.madstop.com\n\n\nAUTHOR\n------\nLuke Kanies\n\n\nCOPYRIGHT\n---------\nCopyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License\n\n  HELP\nend\n"

#main ⇒ Object

# File 'lib/puppet/application/cert.rb', line 258

def main
  if @all
    hosts = :all
  elsif @signed
    hosts = :signed
  else
    hosts = command_line.args.collect { |h| h.downcase }
  end
  begin
    apply(@ca, :revoke, options.merge(:to => hosts)) if subcommand == :destroy
    apply(@ca, subcommand, options.merge(:to => hosts, :digest => @digest))
  rescue => detail
    Puppet.log_exception(detail)
    exit(24)
  end
end

#parse_options ⇒ Object

# File 'lib/puppet/application/cert.rb', line 307

def parse_options
  # handle the bareword subcommand pattern.
  result = super
  unless self.subcommand then
    if sub = self.command_line.args.shift then
      self.subcommand = sub
    else
      puts help
      exit
    end
  end

  result
end

#setup ⇒ Object

# File 'lib/puppet/application/cert.rb', line 275

def setup
  require 'puppet/ssl/certificate_authority'
  exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?

  Puppet::SSL::Oids.register_puppet_oids
  Puppet::SSL::Oids.load_custom_oid_file(Puppet[:trusted_oid_mapping_file])

  Puppet::Util::Log.newdestination :console

  if [:generate, :destroy].include? subcommand
    Puppet::SSL::Host.ca_location = :local
  else
    Puppet::SSL::Host.ca_location = :only
  end

  # If we are generating, and the option came from the CLI, it gets added to
  # the data.  This will do the right thing for non-local certificates, in
  # that the command line but *NOT* the config file option will apply.
  if subcommand == :generate
    if Puppet.settings.set_by_cli?(:dns_alt_names)
      options[:dns_alt_names] = Puppet[:dns_alt_names]
    end
  end

  begin
    @ca = Puppet::SSL::CertificateAuthority.new
  rescue => detail
    Puppet.log_exception(detail)
    exit(23)
  end
end

#subcommand ⇒ Object

# File 'lib/puppet/application/cert.rb', line 10

def subcommand
  @subcommand
end

#subcommand=(name) ⇒ Object

# File 'lib/puppet/application/cert.rb', line 14

def subcommand=(name)
  # Handle the nasty, legacy mapping of "clean" to "destroy".
  sub = name.to_sym
  @subcommand = (sub == :clean ? :destroy : sub)
end