Class: Puppet::SSL::CertificateAuthority::Interface

Inherits:

Object

• Object
• Puppet::SSL::CertificateAuthority::Interface

Defined in:

lib/puppet/ssl/certificate_authority/interface.rb

Overview

This class is basically a hidden class that knows how to act on the CA. Its job is to provide a CLI-like interface to the CA class.

API:

• public

Defined Under Namespace

Classes: InterfaceError

Constant Summary

INTERFACE_METHODS =

API:

• public

[:destroy, :list, :revoke, :generate, :sign, :print, :verify, :fingerprint, :reinventory]

DESTRUCTIVE_METHODS =

API:

• public

[:destroy, :revoke]

SUBJECTLESS_METHODS =

API:

• public

[:list, :reinventory]

CERT_STATUS_GLYPHS =

API:

• public

{:signed => '+', :request => ' ', :invalid => '-'}

VALID_CONFIRMATION_VALUES =

API:

• public

%w{y Y yes Yes YES}

Instance Attribute Summary

• #digest ⇒ Object readonly
• #method ⇒ Object
• #options ⇒ Object readonly
• #subjects ⇒ Object

Instance Method Summary

• #apply(ca) ⇒ Object

  Actually perform the work.

• #fingerprint(ca) ⇒ Object

  Print certificate information.

• #format_attrs_and_exts(cert) ⇒ Object
• #format_host(host, info, width, format) ⇒ Object
• #generate(ca) ⇒ Object
• #human_host_formatting(host, info) ⇒ Object
• #initialize(method, options) ⇒ Interface constructor

  A new instance of Interface.

• #legacy_host_formatting(host, info, width) ⇒ Object
• #list(ca) ⇒ Object

  List the hosts.

• #machine_host_formatting(host, info) ⇒ Object
• #print(ca) ⇒ Object

  Print certificate information.

• #reinventory(ca) ⇒ Object
• #sign(ca) ⇒ Object

  Signs given certificates or all waiting if subjects == :all.

Constructor Details

#initialize(method, options) ⇒ Interface

Returns a new instance of Interface.

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 48

def initialize(method, options)
  self.method = method
  self.subjects = options.delete(:to)
  @digest = options.delete(:digest)
  @options = options
end

Instance Attribute Details

#digest ⇒ Object (readonly)

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 16

def digest
  @digest
end

#method ⇒ Object

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 16

def method
  @method
end

#options ⇒ Object (readonly)

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 16

def options
  @options
end

#subjects ⇒ Object

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 16

def subjects
  @subjects
end

Instance Method Details

#apply(ca) ⇒ Object

Actually perform the work.

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 19

def apply(ca)
  unless subjects || SUBJECTLESS_METHODS.include?(method)
    raise ArgumentError, "You must provide hosts or --all when using #{method}"
  end

  destructive_subjects = [:signed, :all].include?(subjects)
  if DESTRUCTIVE_METHODS.include?(method) && destructive_subjects
    subject_text = (subjects == :all ? subjects : "all signed")
    raise ArgumentError, "Refusing to #{method} #{subject_text} certs, provide an explicit list of certs to #{method}"
  end

  # if the interface implements the method, use it instead of the ca's method
  if respond_to?(method)
    send(method, ca)
  else
    (subjects == :all ? ca.list : subjects).each do |host|
      ca.send(method, host)
    end
  end
end

#fingerprint(ca) ⇒ Object

Print certificate information.

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 259

def fingerprint(ca)
  (subjects == :all ? ca.list + ca.waiting?: subjects).each do |host|
    if cert = (Puppet::SSL::Certificate.indirection.find(host) || Puppet::SSL::CertificateRequest.indirection.find(host))
      puts "#{host} #{cert.digest(@digest)}"
    else
        raise ArgumentError, "Could not find certificate for #{host}"
    end
  end
end

#format_attrs_and_exts(cert) ⇒ Object

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 232

def format_attrs_and_exts(cert)
  exts = []
  exts += cert.custom_extensions if cert.respond_to?(:custom_extensions)
  exts += cert.custom_attributes if cert.respond_to?(:custom_attributes)
  exts += cert.request_extensions if cert.respond_to?(:request_extensions)

  exts.map {|e| "#{e['oid']}: #{e['value'].inspect}" }.sort
end

#format_host(host, info, width, format) ⇒ Object

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 120

def format_host(host, info, width, format)
  case format
  when :machine
    machine_host_formatting(host, info)
  when :human
    human_host_formatting(host, info)
  else
    if options[:verbose]
      machine_host_formatting(host, info)
    else
      legacy_host_formatting(host, info, width)
    end
  end
end

#generate(ca) ⇒ Object

Raises:

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 40

def generate(ca)
  raise InterfaceError, "It makes no sense to generate all hosts; you must specify a list" if subjects == :all

  subjects.each do |host|
    ca.generate(host, options)
  end
end

#human_host_formatting(host, info) ⇒ Object

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 161

def human_host_formatting(host, info)
  type         = info[:type]
  verify_error = info[:verify_error]
  cert         = info[:cert]
  alt_names    = cert.subject_alt_names - [host]
  extensions   = format_attrs_and_exts(cert)

  glyph       = CERT_STATUS_GLYPHS[type]
  fingerprint = cert.digest(@digest).to_s

  if type == :invalid || (extensions.empty? && alt_names.empty?)
    extension_string = ''
  else
    if !alt_names.empty?
      extensions.unshift("alt names: #{alt_names.map(&:inspect).join(', ')}")
    end

    extension_string = "\n    Extensions:\n      "
    extension_string << extensions.join("\n      ")
  end

  if type == :signed
    expiration_string = "\n    Expiration: #{cert.expiration.iso8601}"
  else
    expiration_string = ''
  end

  status = case type
           when :invalid then "Invalid - #{verify_error}"
           when :request then "Request Pending"
           when :signed then "Signed"
           end

  output = "#{glyph} #{host.inspect}"
  output << "\n  #{fingerprint}"
  output << "\n    Status: #{status}"
  output << expiration_string
  output << extension_string
  output << "\n"

  output
end

#legacy_host_formatting(host, info, width) ⇒ Object

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 204

def legacy_host_formatting(host, info, width)
  type         = info[:type]
  verify_error = info[:verify_error]
  cert         = info[:cert]
  alt_names    = cert.subject_alt_names - [host]
  extensions   = format_attrs_and_exts(cert)

  glyph       = CERT_STATUS_GLYPHS[type]
  name        = host.inspect.ljust(width)
  fingerprint = cert.digest(@digest).to_s

  if type != :invalid
    if alt_names.empty?
      alt_name_string = nil
    else
      alt_name_string = "(alt names: #{alt_names.map(&:inspect).join(', ')})"
    end

    if extensions.empty?
      extension_string = nil
    else
      extension_string = "**"
    end
  end

  [glyph, name, fingerprint, alt_name_string, verify_error, extension_string].compact.join(' ')
end

#list(ca) ⇒ Object

List the hosts.

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 56

def list(ca)
  signed = ca.list if [:signed, :all].include?(subjects)
  requests = ca.waiting?

  case subjects
  when :all
    hosts = [signed, requests].flatten
  when :signed
    hosts = signed.flatten
  when nil
    hosts = requests
  else
    hosts = subjects
    signed = ca.list(hosts)
  end

  certs = {:signed => {}, :invalid => {}, :request => {}}

  return if hosts.empty?

  hosts.uniq.sort.each do |host|
    verify_error = nil

    begin
      ca.verify(host) unless requests.include?(host)
    rescue Puppet::SSL::CertificateAuthority::CertificateVerificationError => details
      verify_error = "(#{details.to_s})"
    end

    if verify_error
      type = :invalid
      cert = Puppet::SSL::Certificate.indirection.find(host)
    elsif (signed and signed.include?(host))
      type = :signed
      cert = Puppet::SSL::Certificate.indirection.find(host)
    else
      type = :request
      cert = Puppet::SSL::CertificateRequest.indirection.find(host)
    end

    certs[type][host] = {
      :cert         => cert,
      :type         => type,
      :verify_error => verify_error,
    }
  end

  names = certs.values.map(&:keys).flatten

  name_width = names.sort_by(&:length).last.length rescue 0
  # We quote these names, so account for those characters
  name_width += 2

  output = [:request, :signed, :invalid].map do |type|
    next if certs[type].empty?

    certs[type].map do |host, info|
      format_host(host, info, name_width, options[:format])
    end
  end.flatten.compact.sort.join("\n")

  puts output
end

#machine_host_formatting(host, info) ⇒ Object

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 135

def machine_host_formatting(host, info)
  type         = info[:type]
  verify_error = info[:verify_error]
  cert         = info[:cert]
  alt_names    = cert.subject_alt_names - [host]
  extensions   = format_attrs_and_exts(cert)

  glyph       = CERT_STATUS_GLYPHS[type]
  name        = host.inspect
  fingerprint = cert.digest(@digest).to_s

  expiration  = cert.expiration.iso8601 if type == :signed

  if type != :invalid
    if !alt_names.empty?
      extensions.unshift("alt names: #{alt_names.map(&:inspect).join(', ')}")
    end

    if !extensions.empty?
      metadata_string = "(#{extensions.join(', ')})" unless extensions.empty?
    end
  end

  [glyph, name, fingerprint, expiration, metadata_string, verify_error].compact.join(' ')
end

#print(ca) ⇒ Object

Print certificate information.

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 248

def print(ca)
  (subjects == :all ? ca.list  : subjects).each do |host|
    if value = ca.print(host)
      puts value
    else
      raise ArgumentError, "Could not find certificate for #{host}"
    end
  end
end

#reinventory(ca) ⇒ Object

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 308

def reinventory(ca)
  ca.inventory.rebuild
end

#sign(ca) ⇒ Object

Signs given certificates or all waiting if subjects == :all

Raises:

API:

• public

# File 'lib/puppet/ssl/certificate_authority/interface.rb', line 270

def sign(ca)
  list = subjects == :all ? ca.waiting? : subjects
  raise InterfaceError, "No waiting certificate requests to sign" if list.empty?

  signing_options = options.select { |k,_|
    [:allow_authorization_extensions, :allow_dns_alt_names].include?(k)
  }

  list.each do |host|
    cert = Puppet::SSL::CertificateRequest.indirection.find(host)

    raise InterfaceError, "Could not find CSR for: #{host.inspect}." unless cert

    # ca.sign will also do this - and it should if it is called
    # elsewhere - but we want to reject an attempt to sign a
    # problematic csr as early as possible for usability concerns.
    ca.check_internal_signing_policies(host, cert, signing_options)

    name_width = host.inspect.length
    info = {:type => :request, :cert => cert}
    host_string = format_host(host, info, name_width, options[:format])
    puts "Signing Certificate Request for:\n#{host_string}"

    if options[:interactive]
      STDOUT.print "Sign Certificate Request? [y/N] "

      if !options[:yes]
        input = STDIN.gets.chomp
        raise InterfaceError, "NOT Signing Certificate Request" unless VALID_CONFIRMATION_VALUES.include?(input)
      else
        puts "Assuming YES from `-y' or `--assume-yes' flag"
      end
    end

    ca.sign(host, signing_options)
  end
end