Class: Puppetserver::Ca::CreateAction

Inherits:

Object

• Object
• Puppetserver::Ca::CreateAction

Includes:

Utils

Defined in:

lib/puppetserver/ca/create_action.rb

Constant Summary

VALID_CERTNAME =

Only allow printing ascii characters, excluding /

/\A[ -.0-~]+\Z/

CERTNAME_BLACKLIST =

%w{--all --config}

SUMMARY =

"Create a new certificate signed by the CA"

BANNER =

"Usage:\npuppetserver ca create [--help]\npuppetserver ca create [--config] --certname CERTNAME[,ADDLCERTNAME]\n\nDescription:\nCreates a new certificate signed by the intermediate CA\nand stores generated keys and certs on disk.\n\nTo determine the target location, the default puppet.conf\nis consulted for custom values. If using a custom puppet.conf\nprovide it with the --config flag\n\nOptions:\n"

Class Method Summary

• .parser(parsed = {}) ⇒ Object

Instance Method Summary

• #check_download_result(result, certname) ⇒ Object
• #check_sign_result(result, certname) ⇒ Object
• #check_submit_result(result, certname) ⇒ Object
• #download_cert(certname, settings) ⇒ Boolean

  Make an HTTP request to fetch the named certificates from CA.

• #generate_certs(certnames, settings, digest) ⇒ Object

  Create csrs and keys, then submit them to CA, request for the CA to sign them, download the signed certificates from the CA, and finally save the signed certs and associated keys.

• #generate_key_csr(certname, settings, digest) ⇒ Object
• #http_client(settings) ⇒ Object
• #initialize(logger) ⇒ CreateAction constructor

  A new instance of CreateAction.

• #parse(args) ⇒ Object
• #run(input) ⇒ Object
• #save_file(content, certname, dir, type) ⇒ Object
• #save_keys(key, certname, settings) ⇒ Object
• #sign_cert(certname, settings) ⇒ Boolean

  Make an HTTP request to CA to sign the named certificates.

• #submit_certificate_request(certname, csr, settings) ⇒ Boolean

  Make an HTTP request to submit certificate requests to CA.

Constructor Details

#initialize(logger) ⇒ CreateAction

Returns a new instance of CreateAction.

# File 'lib/puppetserver/ca/create_action.rb', line 35

def initialize(logger)
  @logger = logger
end

Class Method Details

.parser(parsed = {}) ⇒ Object

# File 'lib/puppetserver/ca/create_action.rb', line 39

def self.parser(parsed = {})
  parsed['certnames'] = []
  OptionParser.new do |opts|
    opts.banner = BANNER
    opts.on('--certname FOO,BAR', Array,
         'One or more comma separated certnames') do |certs|
      parsed['certnames'] += certs
    end
    opts.on('--help', 'Display this create specific help output') do |help|
      parsed['help'] = true
    end
    opts.on('--config CONF', 'Path to puppet.conf') do |conf|
      parsed['config'] = conf
    end
  end
end

Instance Method Details

#check_download_result(result, certname) ⇒ Object

# File 'lib/puppetserver/ca/create_action.rb', line 234

def check_download_result(result, certname)
  case result.code
  when '200'
    return true
  when '404'
    @logger.err 'Error:'
    @logger.err "    Signed certificate #{certname} could not be found on the CA"
    return false
  else
    @logger.err 'Error:'
    @logger.err "    When download requested for certificate #{certname}:"
    @logger.err "      code: #{result.code}"
    @logger.err "      body: #{result.body.to_s}" if result.body
    return false
  end
end

#check_sign_result(result, certname) ⇒ Object

# File 'lib/puppetserver/ca/create_action.rb', line 200

def check_sign_result(result, certname)
  case result.code
  when '204'
    @logger.inform "Successfully signed certificate request for #{certname}"
    return true
  else
    @logger.err 'Error:'
    @logger.err "    When signing request submitted for #{certname}:"
    @logger.err "      code: #{result.code}"
    @logger.err "      body: #{result.body.to_s}" if result.body
    return false
  end
end

#check_submit_result(result, certname) ⇒ Object

# File 'lib/puppetserver/ca/create_action.rb', line 167

def check_submit_result(result, certname)
  case result.code
  when '200', '204'
    @logger.inform "Successfully submitted certificate request for #{certname}"
    return true
  else
    @logger.err 'Error:'
    @logger.err "    When certificate request submitted for #{certname}:"
    @logger.err "      code: #{result.code}"
    @logger.err "      body: #{result.body.to_s}" if result.body
    return false
  end
end

#download_cert(certname, settings) ⇒ Boolean

Make an HTTP request to fetch the named certificates from CA

Parameters:

• certname (String) —

  the name of the certificate to fetch

• settings (Hash) —

  a hash of config settings

Returns:

• (Boolean) —

  the success of certificate being downloaded

# File 'lib/puppetserver/ca/create_action.rb', line 218

def download_cert(certname, settings)
  client = http_client(settings)
  url = client.make_ca_url(settings[:ca_server],
                 settings[:ca_port],
                 'certificate',
                 certname)
  client.with_connection(url) do |connection|
    result = connection.get(url)
    if downloaded = check_download_result(result, certname)
      save_file(result.body, certname, settings[:certdir], "Certificate")
      @logger.inform "Successfully downloaded and saved certificate #{certname} to #{settings[:certdir]}/#{certname}.pem"
    end
    downloaded
  end
end

#generate_certs(certnames, settings, digest) ⇒ Object

Create csrs and keys, then submit them to CA, request for the CA to sign them, download the signed certificates from the CA, and finally save the signed certs and associated keys. Returns true if all certs were successfully created and saved.

# File 'lib/puppetserver/ca/create_action.rb', line 120

def generate_certs(certnames, settings, digest)
  passed = certnames.map do |certname|
    key, csr = generate_key_csr(certname, settings, digest)
    return false unless submit_certificate_request(certname, csr.to_s, settings)
    return false unless sign_cert(certname, settings)
    if download_cert(certname, settings)
      save_keys(key, certname, settings)
      true
    else
      false
    end
  end
  passed.all?
end

#generate_key_csr(certname, settings, digest) ⇒ Object

# File 'lib/puppetserver/ca/create_action.rb', line 135

def generate_key_csr(certname, settings, digest)
  host = Puppetserver::Ca::Host.new(digest)
  private_key = host.create_private_key(settings[:keylength])
  csr = host.create_csr(certname, private_key)

  return private_key, csr
end

#http_client(settings) ⇒ Object

# File 'lib/puppetserver/ca/create_action.rb', line 143

def http_client(settings)
  @client ||= HttpClient.new(settings[:localcacert],
                                   settings[:certificate_revocation],
                                   settings[:hostcrl])
end

#parse(args) ⇒ Object

# File 'lib/puppetserver/ca/create_action.rb', line 56

def parse(args)
  results = {}
  parser = self.class.parser(results)

  errors = Utils.parse_with_errors(parser, args)

  if results['certnames'].empty?
    errors << '    At least one certname is required to create'
  else
    results['certnames'].each do |certname|
      if CERTNAME_BLACKLIST.include?(certname)
        errors << "    Cannot manage cert named `#{certname}` from " +
                  "the CLI, if needed use the HTTP API directly"
      end

      if certname.match(/\p{Upper}/)
        errors << "    Certificate names must be lower case"
      end

      unless certname =~ VALID_CERTNAME
        errors << "  Certname #{certname} must not contain unprintable or non-ASCII characters"
      end
    end
  end

  errors_were_handled = Utils.handle_errors(@logger, errors, parser.help)

  exit_code = errors_were_handled ? 1 : nil

  return results, exit_code
end

#run(input) ⇒ Object

# File 'lib/puppetserver/ca/create_action.rb', line 88

def run(input)
  certnames = input['certnames']
  config_path = input['config']

  # Validate config_path provided
  if config_path
    errors = FileUtilities.validate_file_paths(config_path)
    return 1 if Utils.handle_errors(@logger, errors)
  end

  # Load, resolve, and validate puppet config settings
  puppet = PuppetConfig.parse(config_path)
  return 1 if Utils.handle_errors(@logger, puppet.errors)

  # Load most secure signing digest we can for csr signing.
  signer = SigningDigest.new
  return 1 if Utils.handle_errors(@logger, signer.errors)

  # Make sure we have all the directories where we will be writing files
  FileUtilities.ensure_dir(puppet.settings[:certdir])
  FileUtilities.ensure_dir(puppet.settings[:privatekeydir])
  FileUtilities.ensure_dir(puppet.settings[:publickeydir])

  # Generate and save certs and associated keys
  all_passed = generate_certs(certnames, puppet.settings, signer.digest)
  return all_passed ? 0 : 1
end

#save_file(content, certname, dir, type) ⇒ Object

# File 'lib/puppetserver/ca/create_action.rb', line 260

def save_file(content, certname, dir, type)
  location = File.join(dir, "#{certname}.pem")
  @logger.warn "#{type} #{certname}.pem already exists, overwriting" if File.exist?(location)
  FileUtilities.write_file(location, content, 0640)
end

#save_keys(key, certname, settings) ⇒ Object

# File 'lib/puppetserver/ca/create_action.rb', line 251

def save_keys(key, certname, settings)
  public_key = key.public_key
  save_file(key, certname, settings[:privatekeydir], "Private key")
  save_file(public_key, certname, settings[:publickeydir], "Public key")
  @logger.inform "Successfully saved private key for #{certname} to #{settings[:privatekeydir]}/#{certname}.pem"
  @logger.inform "Successfully saved public key for #{certname} to #{settings[:publickeydir]}/#{certname}.pem"
end

#sign_cert(certname, settings) ⇒ Boolean

Make an HTTP request to CA to sign the named certificates

Parameters:

• certname (String) —

  the name of the certificate to have signed

• settings (Hash) —

  a hash of config settings

Returns:

• (Boolean) —

  the success of certificates being signed

# File 'lib/puppetserver/ca/create_action.rb', line 185

def sign_cert(certname, settings)
  client = http_client(settings)

  url = client.make_ca_url(settings[:ca_server],
                 settings[:ca_port],
                 'certificate_status',
                 certname)

  client.with_connection(url) do |connection|
    body = JSON.dump({desired_state: 'signed'})
    result = connection.put(body, url)
    check_sign_result(result, certname)
  end
end

#submit_certificate_request(certname, csr, settings) ⇒ Boolean

Make an HTTP request to submit certificate requests to CA

Parameters:

• certname (String) —

  the name of the certificate to fetch

• csr (String) —

  string version of a OpenSSL::X509::Request

• settings (Hash) —

  a hash of config settings

Returns:

• (Boolean) —

  success of all csrs being submitted to CA

# File 'lib/puppetserver/ca/create_action.rb', line 154

def submit_certificate_request(certname, csr, settings)
  client = http_client(settings)
  url = client.make_ca_url(settings[:ca_server],
                 settings[:ca_port],
                 'certificate_request',
                 certname)

  client.with_connection(url) do |connection|
    result = connection.put(csr, url)
    check_submit_result(result, certname)
  end
end