Class: Puppet::SSL::Host

Inherits:

Object

• Object
• Puppet::SSL::Host

Defined in:

lib/puppet/ssl/host.rb

Overview

The class that manages all aspects of our SSL certificates – private keys, public keys, requests, etc.

Constant Summary

Key =

Yay, ruby’s strange constant lookups.

Puppet::SSL::Key

CA_NAME =

Puppet::SSL::CA_NAME

Certificate =

Puppet::SSL::Certificate

CertificateRequest =

Puppet::SSL::CertificateRequest

Instance Attribute Summary

• #certificate ⇒ Object
• #certificate_request ⇒ Puppet::SSL::CertificateRequest^?

  Search for an existing CSR for this host either cached on disk or stored by the CA.

• #crl_path ⇒ Object readonly

  Returns the value of attribute crl_path.

• #crl_usage ⇒ Object writeonly

  Sets the attribute crl_usage.

• #key ⇒ Object
• #name ⇒ Object readonly

  Returns the value of attribute name.

Class Method Summary

• .configure_indirection(terminus, cache = nil) ⇒ Object

  Configure how our various classes interact with their various terminuses.

• .from_data_hash(data) ⇒ Object
• .localhost ⇒ Object
• .reset ⇒ Object

Instance Method Summary

• #check_for_certificate_on_disk(cert_name) ⇒ Puppet::SSL::Certificate^?

  Checks for the requested certificate on disc, at a location determined by this host’s configuration.

• #download_host_certificate ⇒ Object
• #ensure_ca_certificate ⇒ Boolean

  Ensures that the CA certificate is available for either generating or validating the host’s cert.

• #generate ⇒ Object

  Generate all necessary parts of our ssl host.

• #generate_certificate_request(options = {}) ⇒ Object

  Our certificate request requires the key but that’s all.

• #generate_key ⇒ Object

  This is the private key; we can create it from scratch with no inputs.

• #http_client(ssl_context) ⇒ Object
• #initialize(name = nil) ⇒ Host constructor

  A new instance of Host.

• #public_key ⇒ Object

  Extract the public key from the private key.

• #save_host_certificate(cert) ⇒ Object

  Saves the given certificate to disc, at a location determined by this host’s configuration.

• #ssl_store(purpose = OpenSSL::X509::PURPOSE_ANY) ⇒ Object

  Create/return a store that uses our SSL info to validate connections.

• #submit_request ⇒ Puppet::SSL::CertificateRequest^?

  Generate a keypair, generate a CSR, and submit it.

• #use_crl? ⇒ Boolean
• #use_crl_chain? ⇒ Boolean
• #validate_certificate_with_key(cert) ⇒ Object

  Validate that our private key matches the specified certificate.

• #wait_for_cert(time) ⇒ Object

  Attempt to retrieve a cert, if we don’t already have one.

Constructor Details

#initialize(name = nil) ⇒ Host

Returns a new instance of Host.

# File 'lib/puppet/ssl/host.rb', line 274

def initialize(name = nil)
  @name = (name || Puppet[:certname]).downcase
  Puppet::SSL::Base.validate_certname(@name)
  @key = @certificate = @certificate_request = nil
  @crl_usage = Puppet.settings[:certificate_revocation]
  @crl_path = Puppet.settings[:hostcrl]
end

Instance Attribute Details

#certificate ⇒ Object

# File 'lib/puppet/ssl/host.rb', line 130

def certificate
  unless @certificate
    generate_key unless key

    # get the CA cert first, since it's required for the normal cert
    # to be of any use. If we can't get it, quit.
    if !ensure_ca_certificate
      return nil
    end

    cert = get_host_certificate
    return nil unless cert

    validate_certificate_with_key(cert)
    @certificate = cert
  end
  @certificate
end

#certificate_request ⇒ Puppet::SSL::CertificateRequest^?

Search for an existing CSR for this host either cached on disk or stored by the CA. Returns nil if no request exists.

Returns:

• (Puppet::SSL::CertificateRequest, nil)

# File 'lib/puppet/ssl/host.rb', line 183

def certificate_request
  unless @certificate_request
    if csr = load_certificate_request_from_file
      @certificate_request = csr
    elsif csr = download_csr_from_ca
      @certificate_request = csr
    end
  end
  @certificate_request
end

#crl_path ⇒ Object (readonly)

Returns the value of attribute crl_path.

# File 'lib/puppet/ssl/host.rb', line 26

def crl_path
  @crl_path
end

#crl_usage=(value) ⇒ Object (writeonly)

Sets the attribute crl_usage

Parameters:

• value —

  the value to set the attribute crl_usage to.

# File 'lib/puppet/ssl/host.rb', line 28

def crl_usage=(value)
  @crl_usage = value
end

#key ⇒ Object

# File 'lib/puppet/ssl/host.rb', line 77

def key
  @key ||= Key.indirection.find(name)
end

#name ⇒ Object (readonly)

Returns the value of attribute name.

# File 'lib/puppet/ssl/host.rb', line 26

def name
  @name
end

Class Method Details

.configure_indirection(terminus, cache = nil) ⇒ Object

Configure how our various classes interact with their various terminuses.

# File 'lib/puppet/ssl/host.rb', line 43

def self.configure_indirection(terminus, cache = nil)
  Certificate.indirection.terminus_class = terminus
  CertificateRequest.indirection.terminus_class = terminus

  if cache
    # This is weird; we don't actually cache our keys, we
    # use what would otherwise be the cache as our normal
    # terminus.
    Key.indirection.terminus_class = cache
  else
    Key.indirection.terminus_class = terminus
  end

  if cache
    Certificate.indirection.cache_class = cache
    CertificateRequest.indirection.cache_class = cache
  else
    # Make sure we have no cache configured.  puppet master
    # switches the configurations around a bit, so it's important
    # that we specify the configs for absolutely everything, every
    # time.
    Certificate.indirection.cache_class = nil
    CertificateRequest.indirection.cache_class = nil
  end
end

.from_data_hash(data) ⇒ Object

# File 'lib/puppet/ssl/host.rb', line 69

def self.from_data_hash(data)
  instance = new(data["name"])
  if data["desired_state"]
    instance.desired_state = data["desired_state"]
  end
  instance
end

.localhost ⇒ Object

# File 'lib/puppet/ssl/host.rb', line 30

def self.localhost
  return @localhost if @localhost
  @localhost = new
  @localhost.generate unless @localhost.certificate
  @localhost.key
  @localhost
end

.reset ⇒ Object

# File 'lib/puppet/ssl/host.rb', line 38

def self.reset
  @localhost = nil
end

Instance Method Details

#check_for_certificate_on_disk(cert_name) ⇒ Puppet::SSL::Certificate^?

Checks for the requested certificate on disc, at a location determined by this host’s configuration.

Returns:

• (Puppet::SSL::Certificate, nil)

Raises:

• (Puppet::Error) —

  if contents of certificate file is invalid and could not be loaded

# File 'lib/puppet/ssl/host.rb', line 541

def check_for_certificate_on_disk(cert_name)
  file_path = certificate_location(cert_name)
  if Puppet::FileSystem.exist?(file_path)
    begin
      Puppet::SSL::Certificate.from_s(Puppet::FileSystem.read(file_path))
    rescue OpenSSL::X509::CertificateError
      raise Puppet::Error, _("The certificate at %{file_path} is invalid. Could not load.") % { file_path: file_path }
    end
  end
end

#download_host_certificate ⇒ Object

# File 'lib/puppet/ssl/host.rb', line 171

def download_host_certificate
  cert = download_certificate_from_ca(name)
  return nil unless cert

  validate_certificate_with_key(cert)
  save_host_certificate(cert)
  cert
end

#ensure_ca_certificate ⇒ Boolean

Ensures that the CA certificate is available for either generating or validating the host’s cert. It will first check on disk, then try to download it.

Returns:

• (Boolean) —

  true if the CA certificate was found, false otherwise

Raises:

• (Puppet::Error) —

  if text form of found certificate bundle is invalid and cannot be loaded into cert objects

# File 'lib/puppet/ssl/host.rb', line 423

def ensure_ca_certificate
  file_path = certificate_location(CA_NAME)
  if Puppet::FileSystem.exist?(file_path)
    begin
      # This load ensures that the file contents is a valid cert bundle.
      # If the text is malformed, load_certificate_bundle will raise.
      load_certificate_bundle(Puppet::FileSystem.read(file_path))
    rescue Puppet::Error => e
      raise Puppet::Error, _("The CA certificate at %{file_path} is invalid: %{message}") % { file_path: file_path, message: e.message }
    end
  else
    bundle = download_ca_certificate_bundle
    if bundle
      save_bundle(bundle, certificate_location(CA_NAME))
      true
    else
      false
    end
  end
end

#generate ⇒ Object

Generate all necessary parts of our ssl host.

# File 'lib/puppet/ssl/host.rb', line 195

def generate
  generate_key unless key

  existing_request = certificate_request

  # if CSR downloaded from master, but the local keypair was just generated and
  # does not match the public key in the CSR, fail hard
  validate_csr_with_key(existing_request, key) if existing_request

  generate_certificate_request unless existing_request
end

#generate_certificate_request(options = {}) ⇒ Object

Our certificate request requires the key but that’s all.

# File 'lib/puppet/ssl/host.rb', line 96

def generate_certificate_request(options = {})
  generate_key unless key

  # If this CSR is for the current machine...
  if name == Puppet[:certname].downcase
    # ...add our configured dns_alt_names
    if Puppet[:dns_alt_names] and Puppet[:dns_alt_names] != ''
      options[:dns_alt_names] ||= Puppet[:dns_alt_names]
    end
  end

  csr_attributes = Puppet::SSL::CertificateRequestAttributes.new(Puppet[:csr_attributes])
  if csr_attributes.load
    options[:csr_attributes] = csr_attributes.custom_attributes
    options[:extension_requests] = csr_attributes.extension_requests
  end

  @certificate_request = CertificateRequest.new(name)
  @certificate_request.generate(key.content, options)
  begin
    submit_certificate_request(@certificate_request)
    save_certificate_request(@certificate_request)
  rescue
    @certificate_request = nil
    raise
  end

  true
end

#generate_key ⇒ Object

This is the private key; we can create it from scratch with no inputs.

# File 'lib/puppet/ssl/host.rb', line 83

def generate_key
  @key = Key.new(name)
  @key.generate
  begin
    Key.indirection.save(@key)
  rescue
    @key = nil
    raise
  end
  true
end

#http_client(ssl_context) ⇒ Object

# File 'lib/puppet/ssl/host.rb', line 126

def http_client(ssl_context)
  Puppet::Rest::Client.new(ssl_context: ssl_context)
end

#public_key ⇒ Object

Extract the public key from the private key.

# File 'lib/puppet/ssl/host.rb', line 283

def public_key
  key.content.public_key
end

#save_host_certificate(cert) ⇒ Object

Saves the given certificate to disc, at a location determined by this host’s configuration.

Parameters:

• cert (Puppet::SSL::Certificate) —

  the cert to save

# File 'lib/puppet/ssl/host.rb', line 340

def save_host_certificate(cert)
  file_path = certificate_location(name)
  Puppet::Util.replace_file(file_path, 0644) do |f|
    f.write(cert.to_s)
  end
end

#ssl_store(purpose = OpenSSL::X509::PURPOSE_ANY) ⇒ Object

Create/return a store that uses our SSL info to validate connections.

# File 'lib/puppet/ssl/host.rb', line 297

def ssl_store(purpose = OpenSSL::X509::PURPOSE_ANY)
  if @ssl_store.nil?
    @ssl_store = build_ssl_store(purpose)
  end
  @ssl_store
end

#submit_request ⇒ Puppet::SSL::CertificateRequest^?

Generate a keypair, generate a CSR, and submit it. If a local key pair already exists it will be used to generate the CSR. If a local CSR already exists and matches the key then the existing CSR will be submitted. If the CSR and key do not match an exception will be raised.

Returns:

• (Puppet::SSL::CertificateRequest, nil)

# File 'lib/puppet/ssl/host.rb', line 213

def submit_request
  generate_key unless key

  csr = load_certificate_request_from_file
  if csr
    if key.content.public_key.to_s != csr.content.public_key.to_s
      Puppet.warning("The local CSR does not match the agent's public key. Generating a new CSR.")

      request_path = certificate_request_location(name)
      Puppet::FileSystem.unlink(request_path)
      csr = nil
    end
  end

  if csr
    validate_csr_with_key(csr, key)
    submit_certificate_request(csr)
    @certificate_request = csr
  else
    generate_certificate_request
  end

  @certificate_request
end

#use_crl? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/puppet/ssl/host.rb', line 287

def use_crl?
  !!@crl_usage
end

#use_crl_chain? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/puppet/ssl/host.rb', line 291

def use_crl_chain?
  @crl_usage == true || @crl_usage == :chain
end

#validate_certificate_with_key(cert) ⇒ Object

Validate that our private key matches the specified certificate.

Parameters:

• cert (Puppet::SSL::Certificate) —

  the certificate to check

Raises:

• (Puppet::Error)

# File 'lib/puppet/ssl/host.rb', line 153

def validate_certificate_with_key(cert)
  raise Puppet::Error, _("No certificate to validate.") unless cert
  raise Puppet::Error, _("No private key with which to validate certificate with fingerprint: %{fingerprint}") % { fingerprint: cert.fingerprint } unless key
  unless cert.content.check_private_key(key.content)
    raise Puppet::Error, _(<<ERROR_STRING) % { fingerprint: cert.fingerprint, cert_name: Puppet[:certname], ssl_dir: Puppet[:ssldir], cert_dir: Puppet[:certdir].gsub('/', '\\') }
The certificate retrieved from the master does not match the agent's private key. Did you forget to run as root?
Certificate fingerprint: %{fingerprint}
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certificate.
On the master:
puppet cert clean %{cert_name}
On the agent:
1a. On most platforms: find %{ssl_dir} -name %{cert_name}.pem -delete
1b. On Windows: del "%{cert_dir}\\%{cert_name}.pem" /f
2. puppet agent -t
ERROR_STRING
  end
end

#wait_for_cert(time) ⇒ Object

Attempt to retrieve a cert, if we don’t already have one.

# File 'lib/puppet/ssl/host.rb', line 305

def wait_for_cert(time)
  begin
    return if certificate
    generate
    return if certificate
  rescue StandardError => detail
    Puppet.log_exception(detail, _("Could not request certificate: %{message}") % { message: detail.message })
    if time < 1
      puts _("Exiting; failed to retrieve certificate and waitforcert is disabled")
      exit(1)
    else
      sleep(time)
    end
    retry
  end

  if time < 1
    puts _("Exiting; no certificate found and waitforcert is disabled")
    exit(1)
  end

  while true
    sleep time
    begin
      break if certificate
      Puppet.notice _("Did not receive certificate")
    rescue StandardError => detail
      Puppet.log_exception(detail, _("Could not request certificate: %{message}") % { message: detail.message })
    end
  end
end