Class: Puppet::SSL::Base

Inherits:

Object

• Object
• Puppet::SSL::Base

Defined in:

lib/puppet/ssl/base.rb

Overview

The base class for wrapping SSL instances.

Direct Known Subclasses

Certificate, CertificateRequest, CertificateRevocationList, Key

Constant Summary

SEPARATOR =

For now, use the YAML separator.

"\n---\n"

VALID_CERTNAME =

Only allow printing ascii characters, excluding /

/\A[ -.0-~]+\Z/

Instance Attribute Summary

• #content ⇒ Object

  Returns the value of attribute content.

• #name ⇒ Object

  Returns the value of attribute name.

Class Method Summary

• .from_instance(instance, name = nil) ⇒ Object

  Create an instance of our Puppet::SSL::* class using a given instance of the wrapped class.

• .from_multiple_s(text) ⇒ Object
• .from_s(string, name = nil) ⇒ Object

  Convert a string into an instance.

• .name_from_subject(subject) ⇒ String private

  name_from_subject extracts the common name attribute from the subject of an x.509 certificate certificate.

• .to_multiple_s(instances) ⇒ Object
• .validate_certname(name) ⇒ Object
• .wrapped_class ⇒ Object
• .wraps(klass) ⇒ Object

Instance Method Summary

• #ca? ⇒ Boolean

  Is this file for the CA?.

• #digest(algorithm = nil) ⇒ Object
• #digest_algorithm ⇒ Object
• #fingerprint(md = :SHA256) ⇒ Object
• #generate ⇒ Object
• #initialize(name) ⇒ Base constructor

  A new instance of Base.

• #read(path) ⇒ Object

  Read content from disk appropriately.

• #to_data_hash ⇒ Object
• #to_s ⇒ Object

  Convert our thing to pem.

• #to_text ⇒ Object

  Provide the full text of the thing we’re dealing with.

Constructor Details

#initialize(name) ⇒ Base

Returns a new instance of Base.

# File 'lib/puppet/ssl/base.rb', line 46

def initialize(name)
  @name = name.to_s.downcase
  self.class.validate_certname(@name)
end

Instance Attribute Details

#content ⇒ Object

Returns the value of attribute content.

# File 'lib/puppet/ssl/base.rb', line 35

def content
  @content
end

#name ⇒ Object

Returns the value of attribute name.

# File 'lib/puppet/ssl/base.rb', line 35

def name
  @name
end

Class Method Details

.from_instance(instance, name = nil) ⇒ Object

Create an instance of our Puppet::SSL::* class using a given instance of the wrapped class

Raises:

• (ArgumentError)

# File 'lib/puppet/ssl/base.rb', line 66

def self.from_instance(instance, name = nil)
  raise ArgumentError, "Object must be an instance of #{wrapped_class}, #{instance.class} given" unless instance.is_a? wrapped_class
  raise ArgumentError, "Name must be supplied if it cannot be determined from the instance" if name.nil? and !instance.respond_to?(:subject)

  name ||= name_from_subject(instance.subject)
  result = new(name)
  result.content = instance
  result
end

.from_multiple_s(text) ⇒ Object

# File 'lib/puppet/ssl/base.rb', line 14

def self.from_multiple_s(text)
  text.split(SEPARATOR).collect { |inst| from_s(inst) }
end

.from_s(string, name = nil) ⇒ Object

Convert a string into an instance

# File 'lib/puppet/ssl/base.rb', line 77

def self.from_s(string, name = nil)
  instance = wrapped_class.new(string)
  from_instance(instance, name)
end

.name_from_subject(subject) ⇒ String

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

name_from_subject extracts the common name attribute from the subject of an x.509 certificate certificate

Parameters:

• subject (OpenSSL::X509::Name) —

  The full subject (distinguished name) of the x.509 certificate.

Returns:

• (String) —

  the name (CN) extracted from the subject.

# File 'lib/puppet/ssl/base.rb', line 61

def self.name_from_subject(subject)
  Puppet::Util::SSL.cn_from_subject(subject)
end

.to_multiple_s(instances) ⇒ Object

# File 'lib/puppet/ssl/base.rb', line 18

def self.to_multiple_s(instances)
  instances.collect { |inst| inst.to_s }.join(SEPARATOR)
end

.validate_certname(name) ⇒ Object

# File 'lib/puppet/ssl/base.rb', line 31

def self.validate_certname(name)
  raise _("Certname %{name} must not contain unprintable or non-ASCII characters") % { name: name.inspect } unless name =~ VALID_CERTNAME
end

.wrapped_class ⇒ Object

Raises:

• (Puppet::DevError)

# File 'lib/puppet/ssl/base.rb', line 26

def self.wrapped_class
  raise(Puppet::DevError, "#{self} has not declared what class it wraps") unless defined?(@wrapped_class)
  @wrapped_class
end

.wraps(klass) ⇒ Object

# File 'lib/puppet/ssl/base.rb', line 22

def self.wraps(klass)
  @wrapped_class = klass
end

Instance Method Details

#ca? ⇒ Boolean

Is this file for the CA?

Returns:

• (Boolean)

# File 'lib/puppet/ssl/base.rb', line 38

def ca?
  name == Puppet::SSL::Host.ca_name
end

#digest(algorithm = nil) ⇒ Object

# File 'lib/puppet/ssl/base.rb', line 121

def digest(algorithm=nil)
  unless algorithm
    algorithm = digest_algorithm
  end

  Puppet::SSL::Digest.new(algorithm, content.to_der)
end

#digest_algorithm ⇒ Object

# File 'lib/puppet/ssl/base.rb', line 129

def digest_algorithm
  # The signature_algorithm on the X509 cert is a combination of the digest
  # algorithm and the encryption algorithm
  # e.g. md5WithRSAEncryption, sha256WithRSAEncryption
  # Unfortunately there isn't a consistent pattern
  # See RFCs 3279, 5758
  digest_re = Regexp.union(
    /ripemd160/i,
    /md[245]/i,
    /sha\d*/i
  )
  ln = content.signature_algorithm
  if match = digest_re.match(ln)
    match[0].downcase
  else
    raise Puppet::Error, _("Unknown signature algorithm '%{ln}'") % { ln: ln }
  end
end

#fingerprint(md = :SHA256) ⇒ Object

# File 'lib/puppet/ssl/base.rb', line 116

def fingerprint(md = :SHA256)
  mds = md.to_s.upcase
  digest(mds).to_hex
end

#generate ⇒ Object

Raises:

• (Puppet::DevError)

# File 'lib/puppet/ssl/base.rb', line 42

def generate
  raise Puppet::DevError, "#{self.class} did not override 'generate'"
end

#read(path) ⇒ Object

Read content from disk appropriately.

# File 'lib/puppet/ssl/base.rb', line 83

def read(path)
  # applies to Puppet::SSL::Certificate, Puppet::SSL::CertificateRequest, Puppet::SSL::CertificateRevocationList
  # Puppet::SSL::Key uses this, but also provides its own override
  # nothing derives from Puppet::SSL::Certificate, but it is called by a number of other SSL Indirectors:
  # Puppet::SSL::Certificate::DisabledCa (:find, :save, :destroy)
  # Puppet::Indirector::CertificateStatus::File (.indirection.find)
  # Puppet::Network::HTTP::WEBrick (.indirection.find)
  # Puppet::Network::HTTP::RackREST (.from_instance)
  # Puppet::Network::HTTP::WEBrickREST (.from_instance)
  # Puppet::SSL::CertificateAuthority (.new, .indirection.find, .indirection.save)
  # Puppet::SSL::Host (.indirection.find)
  # Puppet::SSL::Inventory (.indirection.search, implements its own add / rebuild / serials with encoding UTF8)
  # Puppet::SSL::CertificateAuthority::Interface (.indirection.find)
  # Puppet::SSL::Validator::DefaultValidator (.from_instance) / Puppet::SSL::Validator::NoValidator does nothing
  @content = wrapped_class.new(Puppet::FileSystem.read(path, :encoding => Encoding::ASCII))
end

#to_data_hash ⇒ Object

# File 'lib/puppet/ssl/base.rb', line 106

def to_data_hash
  to_s
end

#to_s ⇒ Object

Convert our thing to pem.

# File 'lib/puppet/ssl/base.rb', line 101

def to_s
  return "" unless content
  content.to_pem
end

#to_text ⇒ Object

Provide the full text of the thing we’re dealing with.

# File 'lib/puppet/ssl/base.rb', line 111

def to_text
  return "" unless content
  content.to_text
end