Class: Puppet::Application::Ssl
- Inherits:
-
Puppet::Application
- Object
- Puppet::Application
- Puppet::Application::Ssl
- Defined in:
- lib/puppet/application/ssl.rb
Constant Summary
Constants inherited from Puppet::Application
Constants included from Util
Util::AbsolutePathPosix, Util::AbsolutePathWindows, Util::DEFAULT_POSIX_MODE, Util::DEFAULT_WINDOWS_MODE, Util::RFC_3986_URI_REGEX
Constants included from Util::POSIX
Util::POSIX::LOCALE_ENV_VARS, Util::POSIX::USER_ENV_VARS
Constants included from Util::SymbolicFileMode
Util::SymbolicFileMode::SetGIDBit, Util::SymbolicFileMode::SetUIDBit, Util::SymbolicFileMode::StickyBit, Util::SymbolicFileMode::SymbolicMode, Util::SymbolicFileMode::SymbolicSpecialToBit
Instance Attribute Summary
Attributes inherited from Puppet::Application
Instance Method Summary
- #download_cert(host) ⇒ Object
- #help ⇒ Object
- #main ⇒ Object
- #submit_request(host) ⇒ Object
- #summary ⇒ Object
- #verify(host) ⇒ Object
Methods inherited from Puppet::Application
[], #app_defaults, available_application_names, banner, clear!, clear?, clear_everything_for_tests, #configure_indirector_routes, controlled_run, #deprecate, #deprecated?, environment_mode, exit, find, get_environment_mode, #handle_logdest_arg, #handlearg, #initialize, #initialize_app_defaults, interrupted?, #log_runtime_environment, #name, option, option_parser_commands, #parse_options, #preinit, restart!, restart_requested?, #run, #run_command, run_mode, #set_log_level, #setup, #setup_logs, stop!, stop_requested?, try_load_class
Methods included from Util
absolute_path?, benchmark, chuser, clear_environment, default_env, deterministic_rand, deterministic_rand_int, exit_on_fail, get_env, get_environment, logmethods, merge_environment, path_to_uri, pretty_backtrace, replace_file, safe_posix_fork, set_env, symbolizehash, thinmark, uri_encode, uri_query_encode, uri_to_path, which, withenv, withumask
Methods included from Util::POSIX
#get_posix_field, #gid, #idfield, #methodbyid, #methodbyname, #search_posix_field, #uid
Methods included from Util::SymbolicFileMode
#normalize_symbolic_mode, #symbolic_mode_to_int, #valid_symbolic_mode?
Constructor Details
This class inherits a constructor from Puppet::Application
Instance Method Details
#download_cert(host) ⇒ Object
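# Fetch this host's signed certificate from the CA and store it locally.
#
# Progress is reported on stdout. On any StandardError the failure is
# printed and the process exits with status 1; nothing is re-raised.
#
# @param host [Puppet::SSL::Host] the host whose certificate is requested
# @return [void]
def download_cert(host)
  # Presumably makes the CA bundle available before the CA is contacted,
  # so the connection below can be verified against it — confirm in
  # Puppet::SSL::Host.
  host.ensure_ca_certificate

  puts "Downloading certificate '#{host.name}' from https://#{Puppet[:ca_server]}:#{Puppet[:ca_port]}"

  # A nil result means the CA has nothing signed for this name yet
  # (e.g. the CSR is still pending); that is reported, not treated as an error.
  cert = host.download_host_certificate
  if cert
    puts "Downloaded certificate '#{host.name}' with fingerprint #{cert.fingerprint}"
  else
    puts "No certificate for '#{host.name}' on CA"
  end
rescue => e
  # Only StandardError is rescued; SystemExit from exit(1) elsewhere passes through.
  puts "Failed to download certificate: #{e.message}"
  exit(1)
end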
#help ⇒ Object
# Usage text for `puppet ssl`, printed by #main when no action is given.
# The heredoc interpolates #summary into the title line; the rest is static
# man-page style markdown describing the three supported actions.
#
# @return [String] the help text
def help
  <<-HELP
puppet-ssl(8) -- #{summary}
========

SYNOPSIS
--------
Manage SSL keys and certificates for an SSL clients needed
to communicate with a puppet infrastructure.

USAGE
-----
puppet ssl <action> [--certname <NAME>]

ACTIONS
-------

* submit_request:
  Generate a certificate signing request (CSR) and submit it to the CA. If
  a private and public key pair already exist, they will be used to generate
  the CSR. Otherwise a new key pair will be generated. If a CSR has already
  been submitted with the given `certname`, then the operation will fail.

* download_cert:
  Download a certificate for this host. If the current private key matches
  the downloaded certificate, then the certificate will be saved and used
  for subsequent requests. If there is already an existing certificate, it
  will be overwritten.

* verify:
  Verify the private key and certificate are present and match, verify the
  certificate is issued by a trusted CA, and check revocation status.
HELP
end
#main ⇒ Object
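# Entry point for `puppet ssl`: dispatches the first command-line argument
# to one of the action methods and terminates the process.
#
# Exit status is 1 when no action or an unknown action is given (and when an
# action itself fails, since each action calls exit(1) on error), 0 otherwise.
#
# @return [void] never returns normally; always ends in exit
def main
  if command_line.args.empty?
    puts help
    exit(1)
  end

  Puppet.settings.use(:main, :agent)
  # The host is built from the configured certname. The rendered page had
  # lost the receiver of this setting lookup; NOTE(review): confirm against
  # the source that it is Puppet[:certname].
  host = Puppet::SSL::Host.new(Puppet[:certname])

  action = command_line.args.first
  case action
  when 'submit_request'
    # Submitting is immediately followed by a download attempt, which is a
    # no-op report ("No certificate ... on CA") if the CSR is not yet signed.
    submit_request(host)
    download_cert(host)
  when 'download_cert'
    download_cert(host)
  when 'verify'
    verify(host)
  else
    puts "Unknown action '#{action}'"
    exit(1)
  end
  exit(0)
end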
#submit_request(host) ⇒ Object
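# Submit a certificate signing request for this host to the CA.
#
# Key-pair reuse/generation and the CSR itself are handled inside
# host.submit_request (per #help); this method only reports the outcome.
# On any StandardError the failure is printed and the process exits with
# status 1.
#
# @param host [Puppet::SSL::Host] the host whose CSR is submitted
# @return [void]
def submit_request(host)
  # Presumably makes the CA bundle available before the CA is contacted —
  # confirm in Puppet::SSL::Host.
  host.ensure_ca_certificate
  host.submit_request
  puts "Submitted certificate request for '#{host.name}' to https://#{Puppet[:ca_server]}:#{Puppet[:ca_port]}"
rescue => e
  puts "Failed to submit certificate request: #{e.message}"
  exit(1)
end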
#summary ⇒ Object
# One-line, translatable description of the application; also used as the
# title of #help.
#
# @return [String] the localized summary
def summary
  _('Manage SSL keys and certificates for puppet SSL clients')
end
#verify(host) ⇒ Object
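# Check that this host's private key and certificate are present, belong
# together, and that the certificate validates against the host's SSL store.
#
# Each check prints a reason and exits with status 1 on failure; success
# prints a confirmation and exits with status 0. Whether revocation is
# consulted depends entirely on how host.ssl_store was configured, which is
# not visible here.
#
# @param host [Puppet::SSL::Host] the host to verify
# @return [void] never returns normally; always ends in exit
def verify(host)
  host.ensure_ca_certificate

  key = host.key
  unless key
    puts "The host's private key is missing"
    exit(1)
  end

  cert = host.check_for_certificate_on_disk(host.name)
  unless cert
    puts "The host's certificate is missing"
    exit(1)
  end

  # Compare the public halves in PEM form: the certificate must have been
  # issued for the key we hold, not just for the same name.
  if cert.content.public_key.to_pem != key.content.public_key.to_pem
    puts "The host's key does not match the certificate"
    exit(1)
  end

  store = host.ssl_store
  unless store.verify(cert.content)
    puts "Failed to verify certificate '#{host.name}': #{store.error_string} (#{store.error})"
    exit(1)
  end

  puts "Verified certificate '#{host.name}'"
  # store.chain.reverse.each_with_index do |issuer, i|
  #   indent = " " * (i+1)
  #   puts "#{indent}#{issuer.subject.to_s}"
  # end
  exit(0)
rescue => e
  # StandardError only; the SystemExit raised by the exit calls above is not caught here.
  puts "Verify failed: #{e.message}"
  exit(1)
end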