Class: Puppetserver::Ca::Action::Import

Inherits:
Object
  • Object
show all
Includes:
Utils
Defined in:
lib/puppetserver/ca/action/import.rb

Constant Summary collapse

SUMMARY = 
"Import an external CA chain and generate master PKI"
<<-BANNER
Usage:
  puppetserver ca import [--help]
  puppetserver ca import [--config PATH] [--certname NAME]
                         [--subject-alt-names NAME[,NAME]]
      --private-key PATH --cert-bundle PATH --crl-chain PATH

Description:
Given a private key, cert bundle, and a crl chain,
validate and import to the Puppet Server CA.

Note that the cert and crl provided for the leaf CA must not
have already issued or revoked any certificates.

To determine the target location the default puppet.conf
is consulted for custom values. If using a custom puppet.conf
provide it with the --config flag

Options:
BANNER

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(logger) ⇒ Import

Returns a new instance of Import.



37
38
39
 
# File 'lib/puppetserver/ca/action/import.rb', line 37

def initialize(logger)
  @logger = logger
end

Class Method Details

.parser(parsed = {}) ⇒ Object 



160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
 
# File 'lib/puppetserver/ca/action/import.rb', line 160

def self.parser(parsed = {})
  parsed['certname'] = ''
  parsed['subject-alt-names'] = ''
  OptionParser.new do |opts|
    opts.banner = BANNER
    opts.on('--help', 'Display this import specific help output') do |help|
      parsed['help'] = true
    end
    opts.on('--config CONF', 'Path to puppet.conf') do |conf|
      parsed['config'] = conf
    end
    opts.on('--private-key KEY', 'Path to PEM encoded key') do |key|
      parsed['private-key'] = key
    end
    opts.on('--cert-bundle BUNDLE', 'Path to PEM encoded bundle') do |bundle|
      parsed['cert-bundle'] = bundle
    end
    opts.on('--crl-chain CHAIN', 'Path to PEM encoded chain') do |chain|
      parsed['crl-chain'] = chain
    end
    opts.on('--certname NAME',
            'Common name to use for the master cert') do |name|
      parsed['certname'] = name
    end
    opts.on('--subject-alt-names NAME[,NAME]',
            'Subject alternative names for the master cert') do |sans|
      parsed['subject-alt-names'] = sans
    end
  end
end

Instance Method Details

#check_flag_usage(results) ⇒ Object 



136
137
138
139
140
141
 
# File 'lib/puppetserver/ca/action/import.rb', line 136

def check_flag_usage(results)
  if results['cert-bundle'].nil? || results['private-key'].nil? || results['crl-chain'].nil?
    '    Missing required argument' + "\n" +
    '    --cert-bundle, --private-key, --crl-chain are required'
  end
end

#import(loader, settings, signing_digest) ⇒ Object 



74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
 
# File 'lib/puppetserver/ca/action/import.rb', line 74

def import(loader, settings, signing_digest)
  ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
  master_key, master_cert = ca.create_master_cert(loader.key, loader.certs.first)
  return ca.errors if ca.errors.any?

  FileSystem.ensure_dirs([settings[:ssldir],
                          settings[:cadir],
                          settings[:certdir],
                          settings[:privatekeydir],
                          settings[:publickeydir],
                          settings[:signeddir]])

  public_files = [
    [settings[:cacert], loader.certs],
    [settings[:cacrl], loader.crls],
    [settings[:cadir] + '/infra_crl.pem', loader.crls],
    [settings[:localcacert], loader.certs],
    [settings[:hostcrl], loader.crls],
    [settings[:hostpubkey], master_key.public_key],
    [settings[:hostcert], master_cert],
    [settings[:cert_inventory], ca.inventory_entry(master_cert)],
    [settings[:cadir] + '/infra_inventory.txt', ''],
    [settings[:cadir] + '/infra_serials', ''],
    [settings[:serial], "002"],
    [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), master_cert]
  ]

  private_files = [
    [settings[:hostprivkey], master_key],
    [settings[:cakey], loader.key],
  ]

  files_to_check = public_files + private_files
  # We don't want to error if master's keys exist. Certain workflows
  # allow the agent to have already be installed with keys and then
  # upgraded to be a master. The host class will honor keys, if both
  # public and private exist, and error if only one exists - as is
  # previous behavior.
  files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
  errors = FileSystem.check_for_existing_files(files_to_check)

  if !errors.empty?
    instructions = <<-ERR
If you would really like to replace your CA, please delete the existing files first.
Note that any certificates that were issued by this CA will become invalid if you
replace it!
ERR
    errors << instructions
    return errors
  end

  public_files.each do |location, content|
    FileSystem.write_file(location, content, 0644)
  end

  private_files.each do |location, content|
    FileSystem.write_file(location, content, 0640)
  end

  return []
end

#parse(args) ⇒ Object 



143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
 
# File 'lib/puppetserver/ca/action/import.rb', line 143

def parse(args)
  results = {}
  parser = self.class.parser(results)

  errors = CliParsing.parse_with_errors(parser, args)

  if err = check_flag_usage(results)
    errors << err
  end

  errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)

  exit_code = errors_were_handled ? 1 : nil

  return results, exit_code
end

#run(input) ⇒ Object 



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
 
# File 'lib/puppetserver/ca/action/import.rb', line 41

def run(input)
  bundle_path = input['cert-bundle']
  key_path = input['private-key']
  chain_path = input['crl-chain']
  config_path = input['config']

  files = [bundle_path, key_path, chain_path, config_path].compact

  errors = FileSystem.validate_file_paths(files)
  return 1 if CliParsing.handle_errors(@logger, errors)

  loader = X509Loader.new(bundle_path, key_path, chain_path)
  return 1 if CliParsing.handle_errors(@logger, loader.errors)

  settings_overrides = {}
  settings_overrides[:certname] = input['certname'] unless input['certname'].empty?
  settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?

  puppet = Config::Puppet.new(config_path)
  puppet.load(settings_overrides)
  return 1 if CliParsing.handle_errors(@logger, puppet.errors)

  # Load most secure signing digest we can for cers/crl/csr signing.
  signer = SigningDigest.new
  return 1 if CliParsing.handle_errors(@logger, signer.errors)

  errors = import(loader, puppet.settings, signer.digest)
  return 1 if CliParsing.handle_errors(@logger, errors)

  @logger.inform "Import succeeded. Find your files in #{puppet.settings[:cadir]}"
  return 0
end