Class: Puppetserver::Ca::CreateAction
- Inherits:
-
Object
- Object
- Puppetserver::Ca::CreateAction
- Includes:
- Utils
- Defined in:
- lib/puppetserver/ca/create_action.rb
Constant Summary collapse
- VALID_CERTNAME =
Only allow printing ascii characters, excluding /
/\A[ -.0-~]+\Z/
- CERTNAME_BLACKLIST =
%w{--all --config}
- SUMMARY =
"Create a new certificate signed by the CA"
- BANNER =
"Usage:\npuppetserver ca create [--help]\npuppetserver ca create [--config] --certname CERTNAME[,ADDLCERTNAME]\n\nDescription:\nCreates a new certificate signed by the intermediate CA\nand stores generated keys and certs on disk.\n\nTo determine the target location, the default puppet.conf\nis consulted for custom values. If using a custom puppet.conf\nprovide it with the --config flag\n\nOptions:\n"
Class Method Summary collapse
Instance Method Summary collapse
- #check_download_result(result, certname) ⇒ Object
- #check_sign_result(result, certname) ⇒ Object
- #check_submit_result(result, certname) ⇒ Object
-
#download_cert(certname, settings) ⇒ Boolean
Make an HTTP request to fetch the named certificates from CA.
-
#generate_certs(certnames, settings, digest) ⇒ Object
Create csrs and keys, then submit them to CA, request for the CA to sign them, download the signed certificates from the CA, and finally save the signed certs and associated keys.
- #generate_key_csr(certname, settings, digest) ⇒ Object
- #http_client(settings) ⇒ Object
-
#initialize(logger) ⇒ CreateAction
constructor
A new instance of CreateAction.
- #parse(args) ⇒ Object
- #run(input) ⇒ Object
- #save_file(content, certname, dir, type) ⇒ Object
- #save_keys(key, certname, settings) ⇒ Object
-
#sign_cert(certname, settings) ⇒ Boolean
Make an HTTP request to CA to sign the named certificates.
-
#submit_certificate_request(certname, csr, settings) ⇒ Boolean
Make an HTTP request to submit certificate requests to CA.
Constructor Details
#initialize(logger) ⇒ CreateAction
Returns a new instance of CreateAction.
35 36 37 |
# File 'lib/puppetserver/ca/create_action.rb', line 35 def initialize(logger) @logger = logger end |
Class Method Details
.parser(parsed = {}) ⇒ Object
39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 |
# File 'lib/puppetserver/ca/create_action.rb', line 39 def self.parser(parsed = {}) parsed['certnames'] = [] OptionParser.new do |opts| opts. = BANNER opts.on('--certname FOO,BAR', Array, 'One or more comma separated certnames') do |certs| parsed['certnames'] += certs end opts.on('--help', 'Display this create specific help output') do |help| parsed['help'] = true end opts.on('--config CONF', 'Path to puppet.conf') do |conf| parsed['config'] = conf end end end |
Instance Method Details
#check_download_result(result, certname) ⇒ Object
234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 |
# File 'lib/puppetserver/ca/create_action.rb', line 234 def check_download_result(result, certname) case result.code when '200' return true when '404' @logger.err 'Error:' @logger.err " Signed certificate #{certname} could not be found on the CA" return false else @logger.err 'Error:' @logger.err " When download requested for certificate #{certname}:" @logger.err " code: #{result.code}" @logger.err " body: #{result.body.to_s}" if result.body return false end end |
#check_sign_result(result, certname) ⇒ Object
200 201 202 203 204 205 206 207 208 209 210 211 212 |
# File 'lib/puppetserver/ca/create_action.rb', line 200 def check_sign_result(result, certname) case result.code when '204' @logger.inform "Successfully signed certificate request for #{certname}" return true else @logger.err 'Error:' @logger.err " When signing request submitted for #{certname}:" @logger.err " code: #{result.code}" @logger.err " body: #{result.body.to_s}" if result.body return false end end |
#check_submit_result(result, certname) ⇒ Object
167 168 169 170 171 172 173 174 175 176 177 178 179 |
# File 'lib/puppetserver/ca/create_action.rb', line 167 def check_submit_result(result, certname) case result.code when '200', '204' @logger.inform "Successfully submitted certificate request for #{certname}" return true else @logger.err 'Error:' @logger.err " When certificate request submitted for #{certname}:" @logger.err " code: #{result.code}" @logger.err " body: #{result.body.to_s}" if result.body return false end end |
#download_cert(certname, settings) ⇒ Boolean
Make an HTTP request to fetch the named certificates from CA
218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 |
# File 'lib/puppetserver/ca/create_action.rb', line 218 def download_cert(certname, settings) client = http_client(settings) url = client.make_ca_url(settings[:ca_server], settings[:ca_port], 'certificate', certname) client.with_connection(url) do |connection| result = connection.get(url) if downloaded = check_download_result(result, certname) save_file(result.body, certname, settings[:certdir], "Certificate") @logger.inform "Successfully downloaded and saved certificate #{certname} to #{settings[:certdir]}/#{certname}.pem" end downloaded end end |
#generate_certs(certnames, settings, digest) ⇒ Object
Create csrs and keys, then submit them to CA, request for the CA to sign them, download the signed certificates from the CA, and finally save the signed certs and associated keys. Returns true if all certs were successfully created and saved.
120 121 122 123 124 125 126 127 128 129 130 131 132 133 |
# File 'lib/puppetserver/ca/create_action.rb', line 120 def generate_certs(certnames, settings, digest) passed = certnames.map do |certname| key, csr = generate_key_csr(certname, settings, digest) return false unless submit_certificate_request(certname, csr.to_s, settings) return false unless sign_cert(certname, settings) if download_cert(certname, settings) save_keys(key, certname, settings) true else false end end passed.all? end |
#generate_key_csr(certname, settings, digest) ⇒ Object
135 136 137 138 139 140 141 |
# File 'lib/puppetserver/ca/create_action.rb', line 135 def generate_key_csr(certname, settings, digest) host = Puppetserver::Ca::Host.new(digest) private_key = host.create_private_key(settings[:keylength]) csr = host.create_csr(certname, private_key) return private_key, csr end |
#http_client(settings) ⇒ Object
143 144 145 146 147 |
# File 'lib/puppetserver/ca/create_action.rb', line 143 def http_client(settings) @client ||= HttpClient.new(settings[:localcacert], settings[:certificate_revocation], settings[:hostcrl]) end |
#parse(args) ⇒ Object
56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 |
# File 'lib/puppetserver/ca/create_action.rb', line 56 def parse(args) results = {} parser = self.class.parser(results) errors = Utils.parse_with_errors(parser, args) if results['certnames'].empty? errors << ' At least one certname is required to create' else results['certnames'].each do |certname| if CERTNAME_BLACKLIST.include?(certname) errors << " Cannot manage cert named `#{certname}` from " + "the CLI, if needed use the HTTP API directly" end if certname.match(/\p{Upper}/) errors << " Certificate names must be lower case" end unless certname =~ VALID_CERTNAME errors << " Certname #{certname} must not contain unprintable or non-ASCII characters" end end end errors_were_handled = Utils.handle_errors(@logger, errors, parser.help) exit_code = errors_were_handled ? 1 : nil return results, exit_code end |
#run(input) ⇒ Object
88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 |
# File 'lib/puppetserver/ca/create_action.rb', line 88 def run(input) certnames = input['certnames'] config_path = input['config'] # Validate config_path provided if config_path errors = FileUtilities.validate_file_paths(config_path) return 1 if Utils.handle_errors(@logger, errors) end # Load, resolve, and validate puppet config settings puppet = PuppetConfig.parse(config_path) return 1 if Utils.handle_errors(@logger, puppet.errors) # Load most secure signing digest we can for csr signing. signer = SigningDigest.new return 1 if Utils.handle_errors(@logger, signer.errors) # Make sure we have all the directories where we will be writing files FileUtilities.ensure_dir(puppet.settings[:certdir]) FileUtilities.ensure_dir(puppet.settings[:privatekeydir]) FileUtilities.ensure_dir(puppet.settings[:publickeydir]) # Generate and save certs and associated keys all_passed = generate_certs(certnames, puppet.settings, signer.digest) return all_passed ? 0 : 1 end |
#save_file(content, certname, dir, type) ⇒ Object
260 261 262 263 264 |
# File 'lib/puppetserver/ca/create_action.rb', line 260 def save_file(content, certname, dir, type) location = File.join(dir, "#{certname}.pem") @logger.warn "#{type} #{certname}.pem already exists, overwriting" if File.exist?(location) FileUtilities.write_file(location, content, 0640) end |
#save_keys(key, certname, settings) ⇒ Object
251 252 253 254 255 256 257 |
# File 'lib/puppetserver/ca/create_action.rb', line 251 def save_keys(key, certname, settings) public_key = key.public_key save_file(key, certname, settings[:privatekeydir], "Private key") save_file(public_key, certname, settings[:publickeydir], "Public key") @logger.inform "Successfully saved private key for #{certname} to #{settings[:privatekeydir]}/#{certname}.pem" @logger.inform "Successfully saved public key for #{certname} to #{settings[:publickeydir]}/#{certname}.pem" end |
#sign_cert(certname, settings) ⇒ Boolean
Make an HTTP request to CA to sign the named certificates
185 186 187 188 189 190 191 192 193 194 195 196 197 198 |
# File 'lib/puppetserver/ca/create_action.rb', line 185 def sign_cert(certname, settings) client = http_client(settings) url = client.make_ca_url(settings[:ca_server], settings[:ca_port], 'certificate_status', certname) client.with_connection(url) do |connection| body = JSON.dump({desired_state: 'signed'}) result = connection.put(body, url) check_sign_result(result, certname) end end |
#submit_certificate_request(certname, csr, settings) ⇒ Boolean
Make an HTTP request to submit certificate requests to CA
154 155 156 157 158 159 160 161 162 163 164 165 |
# File 'lib/puppetserver/ca/create_action.rb', line 154 def submit_certificate_request(certname, csr, settings) client = http_client(settings) url = client.make_ca_url(settings[:ca_server], settings[:ca_port], 'certificate_request', certname) client.with_connection(url) do |connection| result = connection.put(csr, url) check_submit_result(result, certname) end end |