Class: Puppetserver::Ca::Action::Generate

Inherits:
Object
Includes:
Utils
Defined in:
lib/puppetserver/ca/action/generate.rb

Constant Summary

VALID_CERTNAME =
Only allow printable ASCII characters, excluding /
/\A[ -.0-~]+\Z/
CERTNAME_BLACKLIST =
%w{--all --config}
SUMMARY =
"Generate a new certificate signed by the CA"
BANNER =
<<-BANNER
Usage:
  puppetserver ca generate [--help]
  puppetserver ca generate --certname NAME[,NAME] [--config PATH]
                           [--subject-alt-names NAME[,NAME]]
                           [--ca-client]

Description:
Generates a new certificate signed by the intermediate CA
and stores generated keys and certs on disk.

If the `--ca-client` flag is passed, the cert will be generated
offline, without using Puppet Server's signing code, and will add
a special extension authorizing it to talk to the CA API. This can
be used for regenerating the master's host cert, or for manually
setting up other nodes to be CA clients. Do not distribute certs
generated this way to any node that you do not intend to have
administrative access to the CA (e.g. the ability to sign a cert).

Since the `--ca-client` flag causes a cert to be generated offline, it
should ONLY be used when Puppet Server is NOT running, to avoid
conflicting with the actions of the CA service. This will be
mandatory in a future release.

To determine the target location, the default puppet.conf
is consulted for custom values. If using a custom puppet.conf,
provide it with the --config flag.

Options:
BANNER

Class Method Summary

Instance Method Summary

Constructor Details

#initialize(logger) ⇒ Generate

Returns a new instance of Generate.



# File 'lib/puppetserver/ca/action/generate.rb', line 53

def initialize(logger)
  @logger = logger
end

Class Method Details

.parser(parsed = {}) ⇒ Object



# File 'lib/puppetserver/ca/action/generate.rb', line 57

def self.parser(parsed = {})
  parsed['certnames'] = []
  parsed['subject-alt-names'] = ''
  OptionParser.new do |opts|
    opts.banner = BANNER
    opts.on('--certname NAME[,NAME]', Array,
         'One or more comma separated certnames') do |certs|
      parsed['certnames'] += certs
    end
    opts.on('--help', 'Display this generate specific help output') do |help|
      parsed['help'] = true
    end
    opts.on('--config CONF', 'Path to puppet.conf') do |conf|
      parsed['config'] = conf
    end
    opts.on('--subject-alt-names NAME[,NAME]',
            'Subject alternative names for the generated cert') do |sans|
      parsed['subject-alt-names'] = sans
    end
    opts.on('--ca-client',
            'Whether this cert will be used to request CA actions.\
            Causes the cert to be generated offline.') do |ca_client|
      parsed['ca-client'] = true
    end
  end
end

Instance Method Details

#check_for_existing_ssl_files(certname, settings) ⇒ Object



# File 'lib/puppetserver/ca/action/generate.rb', line 257

def check_for_existing_ssl_files(certname, settings)
  files = [ File.join(settings[:certdir], "#{certname}.pem"),
            File.join(settings[:privatekeydir], "#{certname}.pem"),
            File.join(settings[:publickeydir], "#{certname}.pem"),
            File.join(settings[:signeddir], "#{certname}.pem"), ]
  errors = Puppetserver::Ca::Utils::FileSystem.check_for_existing_files(files)
  if !errors.empty?
    errors << "Please delete these files if you really want to generate a new cert for #{certname}."
  end
  errors
end

#generate_authorized_certs(certnames, alt_names, settings, digest) ⇒ Object

Certs authorized to talk to the CA API need to be signed offline, in order to securely add the special auth extension.



# File 'lib/puppetserver/ca/action/generate.rb', line 151

def generate_authorized_certs(certnames, alt_names, settings, digest)
  # Make sure we have all the directories where we will be writing files
  FileSystem.ensure_dirs([settings[:ssldir],
                          settings[:certdir],
                          settings[:privatekeydir],
                          settings[:publickeydir]])

  ca = Puppetserver::Ca::LocalCertificateAuthority.new(digest, settings)
  ca_cert, ca_key = ca.load_ca
  return false if CliParsing.handle_errors(@logger, ca.errors)

  passed = certnames.map do |certname|
    errors = check_for_existing_ssl_files(certname, settings)
    next false if CliParsing.handle_errors(@logger, errors)

    current_alt_names = process_alt_names(alt_names, certname)

    # For certs signed offline, any alt names are added directly to the cert,
    # rather than to the CSR.
    key, csr = generate_key_csr(certname, settings, digest)
    next false unless csr

    cert = ca.sign_authorized_cert(ca_key, ca_cert, csr, current_alt_names)
    next false unless save_file(cert.to_pem, certname, settings[:certdir], "Certificate")
    next false unless save_file(cert.to_pem, certname, settings[:signeddir], "Certificate")
    next false unless save_keys(certname, settings, key)
    ca.update_serial_file(cert.serial + 1)
    true
  end
  passed.all?
end

#generate_certs(certnames, alt_names, settings, digest) ⇒ Object

Generate CSRs and keys, submit the CSRs to the CA, ask the CA to sign them, download the signed certificates from the CA, and finally save the signed certs and associated keys. Returns true if all certs were successfully created and saved.



# File 'lib/puppetserver/ca/action/generate.rb', line 187

def generate_certs(certnames, alt_names, settings, digest)
  # Make sure we have all the directories where we will be writing files
  FileSystem.ensure_dirs([settings[:ssldir],
                          settings[:certdir],
                          settings[:privatekeydir],
                          settings[:publickeydir]])

  ca = Puppetserver::Ca::CertificateAuthority.new(@logger, settings)

  passed = certnames.map do |certname|
    errors = check_for_existing_ssl_files(certname, settings)
    next false if CliParsing.handle_errors(@logger, errors)

    current_alt_names = process_alt_names(alt_names, certname)

    key, csr = generate_key_csr(certname, settings, digest, current_alt_names)
    next false unless csr
    next false unless ca.submit_certificate_request(certname, csr)
    next false unless ca.sign_certs([certname])
    if result = ca.get_certificate(certname)
      next false unless save_file(result.body, certname, settings[:certdir], "Certificate")
      next false unless save_keys(certname, settings, key)
      true
    else
      false
    end
  end
  passed.all?
end

#generate_key_csr(certname, settings, digest, alt_names = '') ⇒ Object

Creates a private key and a CSR for certname. A subjectAltName extension is added to the CSR only when alt_names is non-empty; for certs signed offline the caller passes no alt names here, because they are added directly to the cert rather than to the CSR.



# File 'lib/puppetserver/ca/action/generate.rb', line 219

def generate_key_csr(certname, settings, digest, alt_names = '')
  host = Puppetserver::Ca::Host.new(digest)
  private_key = host.create_private_key(settings[:keylength])
  extensions = []
  if !alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    extensions << ef.create_extension("subjectAltName",
                                      alt_names,
                                      false)
  end
  csr = host.create_csr(name: certname,
                        key: private_key,
                        cli_extensions: extensions,
                        csr_attributes_path: settings[:csr_attributes])
  return if CliParsing.handle_errors(@logger, host.errors)

  return private_key, csr
end

#parse(args) ⇒ Object



# File 'lib/puppetserver/ca/action/generate.rb', line 84

def parse(args)
  results = {}
  parser = self.class.parser(results)

  errors = CliParsing.parse_with_errors(parser, args)

  if results['certnames'].empty?
    errors << '    At least one certname is required to generate'
  else
    results['certnames'].each do |certname|
      if CERTNAME_BLACKLIST.include?(certname)
        errors << "    Cannot manage cert named `#{certname}` from " +
                  "the CLI, if needed use the HTTP API directly"
      end

      if certname.match(/\p{Upper}/)
        errors << "    Certificate names must be lower case"
      end

      unless certname =~ VALID_CERTNAME
        errors << "  Certname #{certname} must not contain unprintable or non-ASCII characters"
      end
    end
  end

  errors_were_handled = CliParsing.handle_errors(@logger, errors, parser.help)

  exit_code = errors_were_handled ? 1 : nil

  return results, exit_code
end
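The three certname checks in parse, pulled out into a function that returns the list of failures so they can be exercised against sample inputs. This is an added example, not code from puppetserver-ca-cli: the two constants are copied from the class, everything else (certname_errors, validate_certnames, STRICT_CERTNAME and the sample names) is constructed here. Two details worth knowing: the VALID_CERTNAME character class deliberately skips "/" (0x2F), which the error message in parse does not mention, and Ruby's \Z anchor also matches before a single trailing newline, so a certname ending in "\n" passes VALID_CERTNAME; STRICT_CERTNAME anchors with \z instead and is this example's suggestion, not something the page's code does.

```ruby
# Certname validation mirroring the checks in Generate#parse.
# VALID_CERTNAME and CERTNAME_BLACKLIST are copied from the class;
# the functions and sample inputs are constructed for this example.
VALID_CERTNAME = /\A[ -.0-~]+\Z/
CERTNAME_BLACKLIST = %w{--all --config}

# Same character class, anchored with \z (end of string only) instead of
# \Z (end of string, or just before a final newline). Assumption: this is
# the example's suggested tightening, not a constant of the project.
STRICT_CERTNAME = /\A[ -.0-~]+\z/

# Returns an array of reasons the certname would be rejected; empty means OK.
def certname_errors(certname, pattern: VALID_CERTNAME)
  errors = []
  if CERTNAME_BLACKLIST.include?(certname)
    errors << "cannot be managed from the CLI (reserved flag name)"
  end
  if certname.match?(/\p{Upper}/)
    errors << "must be lower case"
  end
  unless certname.match?(pattern)
    errors << "must not contain unprintable, non-ASCII, or '/' characters"
  end
  errors
end

# Apply the checks to a batch, as parse does for results['certnames'].
# Returns { certname => [errors] }.
def validate_certnames(certnames, pattern: VALID_CERTNAME)
  certnames.each_with_object({}) do |name, acc|
    acc[name] = certname_errors(name, pattern: pattern)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs covering each rejection reason plus the \Z case.
  samples = ["node1.example.com", "--all", "Node1", "node/1", "n\u00f6de", "node1\n"]
  validate_certnames(samples).each do |name, errs|
    puts "#{name.inspect}: #{errs.empty? ? 'ok' : errs.join('; ')}"
  end
end
```

Run the file to see which names fail and why; pass `pattern: STRICT_CERTNAME` to validate_certnames to see the trailing-newline name rejected as well.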

#process_alt_names(alt_names, certname) ⇒ Object



# File 'lib/puppetserver/ca/action/generate.rb', line 269

def process_alt_names(alt_names, certname)
  return '' if alt_names.empty?

  current_alt_names = alt_names.dup
  # When validating the cert, OpenSSL will ignore the CN field if
  # altnames are present, so we need to ensure that the certname is
  # also listed among the alt names.
  current_alt_names += ",DNS:#{certname}"
  current_alt_names = Puppetserver::Ca::Utils::Config.munge_alt_names(current_alt_names)
end
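Why process_alt_names appends DNS:certname, shown against Ruby's own hostname matcher. This is an added example, not code from the project: build_test_cert is a throwaway self-signed certificate builder, and alt_names_with_certname stands in for process_alt_names, with plain "DNS:" prefixing in place of Utils::Config.munge_alt_names, whose exact behaviour this page does not show (assumption). OpenSSL::SSL.verify_certificate_identity, like any RFC 6125 style verifier, stops consulting the CN once the certificate carries DNS or IP subject alternative names, so a cert issued with SANs that omit its own certname will not validate for that certname.

```ruby
require 'openssl'

# Build a self-signed test certificate with the given CN and SAN string.
# Constructed for this example; it is not the project's signing code.
def build_test_cert(cn, san)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless san.nil? || san.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    # Same call shape as generate_key_csr uses for the CSR extension.
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Mirror of process_alt_names: empty input stays empty, otherwise the
# certname is appended as a DNS entry. Assumption: bare names get a "DNS:"
# prefix and entries that already carry a type (DNS:, IP:) are left alone;
# the real munge_alt_names is not shown on this page.
def alt_names_with_certname(alt_names, certname)
  return '' if alt_names.empty?

  names = alt_names.split(',').map(&:strip)
  names << "DNS:#{certname}"
  names.map { |n| n.include?(':') ? n : "DNS:#{n}" }.join(',')
end

# true if hostname is acceptable for cert under OpenSSL's identity rules.
def identity_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

if $PROGRAM_NAME == __FILE__
  certname = 'node1.example.com'
  bad  = build_test_cert(certname, 'DNS:alias.example.com')
  good = build_test_cert(certname, alt_names_with_certname('alias.example.com', certname))
  puts "SAN without certname, verify #{certname}: #{identity_matches?(bad, certname)}"
  puts "SAN with certname appended, verify #{certname}: #{identity_matches?(good, certname)}"
end
```

The same rule is why --subject-alt-names on the CLI is taken as-is rather than merged with the server's own dns_alt_names setting (see the comment in run): the names belong to the node being issued, and the only entry generate adds on its own is that node's certname.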

#run(input) ⇒ Object



# File 'lib/puppetserver/ca/action/generate.rb', line 116

def run(input)
  certnames = input['certnames']
  config_path = input['config']

  # Validate config_path provided
  if config_path
    errors = FileSystem.validate_file_paths(config_path)
    return 1 if CliParsing.handle_errors(@logger, errors)
  end

  # Load, resolve, and validate puppet config settings
  settings_overrides = {}
  puppet = Config::Puppet.new(config_path)
  puppet.load(settings_overrides)
  return 1 if CliParsing.handle_errors(@logger, puppet.errors)

  # We don't want generate to respect the alt names setting, since it is usually
  # used to generate certs for other nodes
  alt_names = input['subject-alt-names']

  # Load most secure signing digest we can for csr signing.
  signer = SigningDigest.new
  return 1 if CliParsing.handle_errors(@logger, signer.errors)

  # Generate and save certs and associated keys
  if input['ca-client']
    all_passed = generate_authorized_certs(certnames, alt_names, puppet.settings, signer.digest)
  else
    all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest)
  end
  return all_passed ? 0 : 1
end

#save_file(content, certname, dir, type) ⇒ Object



# File 'lib/puppetserver/ca/action/generate.rb', line 245

def save_file(content, certname, dir, type)
  location = File.join(dir, "#{certname}.pem")
  if File.exist?(location)
    @logger.err "#{type} #{certname}.pem already exists. Please delete it if you really want to regenerate it."
    false
  else
    FileSystem.write_file(location, content, 0640)
    @logger.inform "Successfully saved #{type.downcase} for #{certname} to #{location}"
    true
  end
end

#save_keys(certname, settings, key) ⇒ Object



# File 'lib/puppetserver/ca/action/generate.rb', line 238

def save_keys(certname, settings, key)
  public_key = key.public_key
  return false unless save_file(key, certname, settings[:privatekeydir], "Private key")
  return false unless save_file(public_key, certname, settings[:publickeydir], "Public key")
  true
end