Module: Puppet::SSL::Oids Private

Defined in:
lib/puppet/ssl/oids.rb

Overview

This module is part of a private API. You should avoid using this module if possible, as it may be removed or be changed in the future.

This module defines OIDs for use within Puppet.

# ASN.1 Definition

The following is the formal definition of OIDs specified in this file.

“‘ puppetCertExtensions OBJECT IDENTIFIER ::= identified-organization(3)

dod(6) internet(1) private(4) enterprise(1) 34380 1

– the tree under registeredExtensions ‘belongs’ to puppetlabs – privateExtensions can be extended by enterprises to suit their own needs registeredExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 1 } privateExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 2 } authorizationExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 3 }

– subtree of common registered extensions – The short names for these OIDs are intentionally lowercased and formatted – since they may be exposed inside the Puppet DSL as variables. pp_uuid OBJECT IDENTIFIER ::= { registeredExtensions 1 } pp_instance_id OBJECT IDENTIFIER ::= { registeredExtensions 2 } pp_image_name OBJECT IDENTIFIER ::= { registeredExtensions 3 } pp_preshared_key OBJECT IDENTIFIER ::= { registeredExtensions 4 } “‘

Constant Summary collapse

PUPPET_OIDS =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

Note: When updating the following OIDs make sure to also update the OID definitions here: github.com/puppetlabs/puppetserver/blob/master/src/clj/puppetlabs/puppetserver/certificate_authority.clj#L122-L159

[
  ["1.3.6.1.4.1.34380", 'puppetlabs', 'Puppet Labs'],
  ["1.3.6.1.4.1.34380.1", 'ppCertExt', 'Puppet Certificate Extension'],

  ["1.3.6.1.4.1.34380.1.1", 'ppRegCertExt', 'Puppet Registered Certificate Extension'],

  ["1.3.6.1.4.1.34380.1.1.1", 'pp_uuid', 'Puppet Node UUID'],
  ["1.3.6.1.4.1.34380.1.1.2", 'pp_instance_id', 'Puppet Node Instance ID'],
  ["1.3.6.1.4.1.34380.1.1.3", 'pp_image_name', 'Puppet Node Image Name'],
  ["1.3.6.1.4.1.34380.1.1.4", 'pp_preshared_key', 'Puppet Node Preshared Key'],
  ["1.3.6.1.4.1.34380.1.1.5", 'pp_cost_center', 'Puppet Node Cost Center Name'],
  ["1.3.6.1.4.1.34380.1.1.6", 'pp_product', 'Puppet Node Product Name'],
  ["1.3.6.1.4.1.34380.1.1.7", 'pp_project', 'Puppet Node Project Name'],
  ["1.3.6.1.4.1.34380.1.1.8", 'pp_application', 'Puppet Node Application Name'],
  ["1.3.6.1.4.1.34380.1.1.9", 'pp_service', 'Puppet Node Service Name'],
  ["1.3.6.1.4.1.34380.1.1.10", 'pp_employee', 'Puppet Node Employee Name'],
  ["1.3.6.1.4.1.34380.1.1.11", 'pp_created_by', 'Puppet Node created_by Tag'],
  ["1.3.6.1.4.1.34380.1.1.12", 'pp_environment', 'Puppet Node Environment Name'],
  ["1.3.6.1.4.1.34380.1.1.13", 'pp_role', 'Puppet Node Role Name'],
  ["1.3.6.1.4.1.34380.1.1.14", 'pp_software_version', 'Puppet Node Software Version'],
  ["1.3.6.1.4.1.34380.1.1.15", 'pp_department', 'Puppet Node Department Name'],
  ["1.3.6.1.4.1.34380.1.1.16", 'pp_cluster', 'Puppet Node Cluster Name'],
  ["1.3.6.1.4.1.34380.1.1.17", 'pp_provisioner', 'Puppet Node Provisioner Name'],
  ["1.3.6.1.4.1.34380.1.1.18", 'pp_region', 'Puppet Node Region Name'],
  ["1.3.6.1.4.1.34380.1.1.19", 'pp_datacenter', 'Puppet Node Datacenter Name'],
  ["1.3.6.1.4.1.34380.1.1.20", 'pp_zone', 'Puppet Node Zone Name'],
  ["1.3.6.1.4.1.34380.1.1.21", 'pp_network', 'Puppet Node Network Name'],
  ["1.3.6.1.4.1.34380.1.1.22", 'pp_securitypolicy', 'Puppet Node Security Policy Name'],
  ["1.3.6.1.4.1.34380.1.1.23", 'pp_cloudplatform', 'Puppet Node Cloud Platform Name'],
  ["1.3.6.1.4.1.34380.1.1.24", 'pp_apptier', 'Puppet Node Application Tier'],
  ["1.3.6.1.4.1.34380.1.1.25", 'pp_hostname', 'Puppet Node Hostname'],
  ["1.3.6.1.4.1.34380.1.1.26", 'pp_owner', 'Puppet Node Owner'],

  ["1.3.6.1.4.1.34380.1.2", 'ppPrivCertExt', 'Puppet Private Certificate Extension'],

  ["1.3.6.1.4.1.34380.1.3", 'ppAuthCertExt', 'Puppet Certificate Authorization Extension'],

  ["1.3.6.1.4.1.34380.1.3.1", 'pp_authorization', 'Certificate Extension Authorization'],
  ["1.3.6.1.4.1.34380.1.3.2", 'pp_auth_auto_renew', 'Auto-Renew Certificate Attribute'],
  ["1.3.6.1.4.1.34380.1.3.13", 'pp_auth_role', 'Puppet Node Role Name for Authorization'],
  ["1.3.6.1.4.1.34380.1.3.39", 'pp_cli_auth', 'Puppetserver CA CLI Authorization']
]

Class Method Summary collapse

Class Method Details

.load_custom_oid_file(custom_oid_file, map_key = 'oid_mapping') ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Load custom OID mapping file that enables custom OIDs to be resolved into user-friendly names.

oid_mapping:

'1.3.6.1.4.1.34380.1.2.1.1':
  shortname : 'myshortname'
  longname  : 'Long name'
'1.3.6.1.4.1.34380.1.2.1.2':
  shortname: 'myothershortname'
  longname: 'Other Long name'

Examples:

Custom OID mapping file

Parameters:

  • custom_oid_file (String)

    File to obtain custom OIDs mapping from

  • map_key (String) (defaults to: 'oid_mapping')

    Hash key in which custom OIDs mapping is stored



155
156
157
158
159
160
161
162
163
164
165
166
 
# File 'lib/puppet/ssl/oids.rb', line 155

def self.load_custom_oid_file(custom_oid_file, map_key = 'oid_mapping')
  oid_defns = parse_custom_oid_file(custom_oid_file, map_key)
  unless oid_defns.nil?
    begin
      oid_defns.each do |oid_defn|
        OpenSSL::ASN1::ObjectId.register(*oid_defn)
      end
    rescue => err
      raise ArgumentError, _("Error registering ssl custom OIDs mapping from file '%{custom_oid_file}': %{err}") % { custom_oid_file: custom_oid_file, err: err }, err.backtrace
    end
  end
end

.parse_custom_oid_file(custom_oid_file, map_key = 'oid_mapping') ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Parse custom OID mapping file that enables custom OIDs to be resolved into user-friendly names.

oid_mapping:

'1.3.6.1.4.1.34380.1.2.1.1':
  shortname : 'myshortname'
  longname  : 'Long name'
'1.3.6.1.4.1.34380.1.2.1.2':
  shortname: 'myothershortname'
  longname: 'Other Long name'

Examples:

Custom OID mapping file

Parameters:

  • custom_oid_file (String)

    File to obtain custom OIDs mapping from

  • map_key (String) (defaults to: 'oid_mapping')

    Hash key in which custom OIDs mapping is stored



109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
 
# File 'lib/puppet/ssl/oids.rb', line 109

def self.parse_custom_oid_file(custom_oid_file, map_key = 'oid_mapping')
  if File.exist?(custom_oid_file) && File.readable?(custom_oid_file)
    mapping = nil
    begin
      mapping = Puppet::Util::Yaml.safe_load_file(custom_oid_file, [Symbol])
    rescue => err
      raise Puppet::Error, _("Error loading ssl custom OIDs mapping file from '%{custom_oid_file}': %{err}") % { custom_oid_file: custom_oid_file, err: err }, err.backtrace
    end

    unless mapping.has_key?(map_key)
      raise Puppet::Error, _("Error loading ssl custom OIDs mapping file from '%{custom_oid_file}': no such index '%{map_key}'") % { custom_oid_file: custom_oid_file, map_key: map_key }
    end

    unless mapping[map_key].is_a?(Hash)
      raise Puppet::Error, _("Error loading ssl custom OIDs mapping file from '%{custom_oid_file}': data under index '%{map_key}' must be a Hash") % { custom_oid_file: custom_oid_file, map_key: map_key }
    end

    oid_defns = []
    mapping[map_key].keys.each do |oid|
      shortname, longname = mapping[map_key][oid].values_at("shortname", "longname")
      if shortname.nil? || longname.nil?
        raise Puppet::Error, _("Error loading ssl custom OIDs mapping file from '%{custom_oid_file}': incomplete definition of oid '%{oid}'") % { custom_oid_file: custom_oid_file, oid: oid }
      end

      oid_defns << [oid, shortname, longname]
    end

    oid_defns
  end
end

.register_puppet_oidsObject

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Register our custom Puppet OIDs with OpenSSL so they can be used as CSR extensions. Without registering these OIDs, OpenSSL will fail when it encounters such an extension in a CSR.



84
85
86
87
88
89
90
91
92
 
# File 'lib/puppet/ssl/oids.rb', line 84

def self.register_puppet_oids
  unless @did_register_puppet_oids
    PUPPET_OIDS.each do |oid_defn|
      OpenSSL::ASN1::ObjectId.register(*oid_defn)
    end

    @did_register_puppet_oids = true
  end
end

.subtree_of?(first, second, exclusive = false) ⇒ true, false

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Determine if the first OID contains the second OID

Examples:

Comparing two dotted OIDs

Puppet::SSL::Oids.subtree_of?('1.3.6.1', '1.3.6.1.4.1') #=> true
Puppet::SSL::Oids.subtree_of?('1.3.6.1', '1.3.6') #=> false

Comparing an OID short name with a dotted OID

Puppet::SSL::Oids.subtree_of?('IANA', '1.3.6.1.4.1') #=> true
Puppet::SSL::Oids.subtree_of?('1.3.6.1', 'enterprises') #=> true

Comparing an OID against itself

Puppet::SSL::Oids.subtree_of?('IANA', 'IANA') #=> true
Puppet::SSL::Oids.subtree_of?('IANA', 'IANA', true) #=> false

Parameters:

  • first (String)

    The containing OID, in dotted form or as the short name

  • second (String)

    The contained OID, in dotted form or as the short name

  • exclusive (true, false) (defaults to: false)

    If an OID should not be considered as a subtree of itself

Returns:

  • (true, false) 


187
188
189
190
191
192
193
194
195
196
197
198
 
# File 'lib/puppet/ssl/oids.rb', line 187

def self.subtree_of?(first, second, exclusive = false)
  first_oid = OpenSSL::ASN1::ObjectId.new(first).oid
  second_oid = OpenSSL::ASN1::ObjectId.new(second).oid

  if exclusive and first_oid == second_oid
    false
  else
    second_oid.index(first_oid) == 0
  end
rescue OpenSSL::ASN1::ASN1Error, TypeError
  false
end