Class: Puppetserver::Ca::CertificateAuthority
- Inherits:
-
Object
- Object
- Puppetserver::Ca::CertificateAuthority
- Includes:
- Utils
- Defined in:
- lib/puppetserver/ca/certificate_authority.rb
Constant Summary collapse
- REVOKE_BODY =
JSON.dump({ desired_state: 'revoked' })
- SIGN_BODY =
JSON.dump({ desired_state: 'signed' })
Instance Method Summary collapse
-
#check_clean(certname, result) ⇒ Object
logs the action and returns a status symbol 👑.
-
#check_revocation(certname, result) ⇒ Object
possibly logs the action, always returns a status symbol 👑.
-
#clean_certs(certnames) ⇒ Boolean
Make an HTTP request to CA to clean the named certificates.
-
#get(resource_type, resource_name) ⇒ Struct
Make an HTTP GET request to CA.
-
#get_certificate(certname) ⇒ Object
Returns nil for errors, else the result of the GET request.
-
#get_certificate_statuses ⇒ Object
Returns nil for errors, else the result of the GET request.
-
#initialize(logger, settings) ⇒ CertificateAuthority
constructor
A new instance of CertificateAuthority.
-
#make_ca_url(resource_type = nil, certname = nil) ⇒ Object
Returns a URI-like wrapper around CA specific urls.
-
#process_results(type, certname, result) ⇒ Object
logs the action and returns true/false for success.
-
#put(certnames, resource_type:, body:, type:, headers: {}) ⇒ Boolean
Make an HTTP PUT request to CA.
- #revoke_certs(certnames) ⇒ Object
- #sign_certs(certnames) ⇒ Object
- #submit_certificate_request(certname, csr) ⇒ Object
- #worst_result(previous_result, current_result) ⇒ Object
Constructor Details
#initialize(logger, settings) ⇒ CertificateAuthority
Returns a new instance of CertificateAuthority.
14 15 16 17 18 19 |
# File 'lib/puppetserver/ca/certificate_authority.rb', line 14 def initialize(logger, settings) @logger = logger @client = HttpClient.new(settings) @ca_server = settings[:ca_server] @ca_port = settings[:ca_port] end |
Instance Method Details
#check_clean(certname, result) ⇒ Object
logs the action and returns a status symbol 👑
195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 |
# File 'lib/puppetserver/ca/certificate_authority.rb', line 195 def check_clean(certname, result) case result.code when '200', '204' @logger.inform "Cleaned files related to #{certname}" return :success when '404' @logger.err 'Error:' @logger.err " Could not find files to clean for #{certname}" return :not_found else @logger.err 'Error:' @logger.err " When attempting to clean certificate '#{certname}', received:" @logger.err " code: #{result.code}" @logger.err " body: #{result.body.to_s}" if result.body return :error end end |
#check_revocation(certname, result) ⇒ Object
possibly logs the action, always returns a status symbol 👑
176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 |
# File 'lib/puppetserver/ca/certificate_authority.rb', line 176 def check_revocation(certname, result) case result.code when '200', '204' @logger.inform "Revoked certificate for #{certname}" return :success when '409' return :invalid when '404' return :not_found else @logger.err 'Error:' @logger.err " When attempting to revoke certificate '#{certname}', received:" @logger.err " code: #{result.code}" @logger.err " body: #{result.body.to_s}" if result.body return :error end end |
#clean_certs(certnames) ⇒ Boolean
Make an HTTP request to CA to clean the named certificates
140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 |
# File 'lib/puppetserver/ca/certificate_authority.rb', line 140 def clean_certs(certnames) url = make_ca_url('certificate_status') results = @client.with_connection(url) do |connection| certnames.map do |certname| url.resource_name = certname revoke_result = connection.put(REVOKE_BODY, url) revoked = check_revocation(certname, revoke_result) cleaned = nil unless revoked == :error clean_result = connection.delete(url) cleaned = check_clean(certname, clean_result) end if revoked == :error || cleaned != :success :error # If we get passed the first conditional we know that # cleaned must == :success and revoked must be one of # :invalid, :not_found, or :success. We'll treat both # :not_found and :success of revocation here as successes. # However we'll treat invalid's specially. elsif revoked == :invalid :invalid else :success end end end return results.reduce {|prev, curr| worst_result(prev, curr) } end |
#get(resource_type, resource_name) ⇒ Struct
Make an HTTP GET request to CA
251 252 253 254 255 256 |
# File 'lib/puppetserver/ca/certificate_authority.rb', line 251 def get(resource_type, resource_name) url = make_ca_url(resource_type, resource_name) @client.with_connection(url) do |connection| connection.get(url) end end |
#get_certificate(certname) ⇒ Object
Returns nil for errors, else the result of the GET request
228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 |
# File 'lib/puppetserver/ca/certificate_authority.rb', line 228 def get_certificate(certname) result = get('certificate', certname) case result.code when '200' return result when '404' @logger.err 'Error:' @logger.err " Signed certificate #{certname} could not be found on the CA" return nil else @logger.err 'Error:' @logger.err " When attempting to download certificate '#{certname}', received:" @logger.err " code: #{result.code}" @logger.err " body: #{result.body.to_s}" if result.body return nil end end |
#get_certificate_statuses ⇒ Object
Returns nil for errors, else the result of the GET request
214 215 216 217 218 219 220 221 222 223 224 225 |
# File 'lib/puppetserver/ca/certificate_authority.rb', line 214 def get_certificate_statuses result = get('certificate_statuses', 'any_key') unless result.code == '200' @logger.err 'Error:' @logger.err " code: #{result.code}" @logger.err " body: #{result.body}" if result.body return nil end result end |
#make_ca_url(resource_type = nil, certname = nil) ⇒ Object
Returns a URI-like wrapper around CA specific urls
34 35 36 |
# File 'lib/puppetserver/ca/certificate_authority.rb', line 34 def make_ca_url(resource_type = nil, certname = nil) HttpClient::URL.new('https', @ca_server, @ca_port, 'puppet-ca', 'v1', resource_type, certname) end |
#process_results(type, certname, result) ⇒ Object
logs the action and returns true/false for success
84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 |
# File 'lib/puppetserver/ca/certificate_authority.rb', line 84 def process_results(type, certname, result) case type when :sign case result.code when '204' @logger.inform "Successfully signed certificate request for #{certname}" return :success when '404' @logger.err 'Error:' @logger.err " Could not find certificate request for #{certname}" return :not_found else @logger.err 'Error:' @logger.err " When attempting to sign certificate request '#{certname}', received" @logger.err " code: #{result.code}" @logger.err " body: #{result.body.to_s}" if result.body return :error end when :revoke case result.code when '200', '204' @logger.inform "Revoked certificate for #{certname}" return :success when '404' @logger.err 'Error:' @logger.err " Could not find certificate for #{certname}" return :not_found when '409' @logger.err 'Error:' @logger.err " Could not revoke unsigned csr for #{certname}" return :invalid else @logger.err 'Error:' @logger.err " When attempting to revoke certificate '#{certname}', received:" @logger.err " code: #{result.code}" @logger.err " body: #{result.body.to_s}" if result.body return :error end when :submit case result.code when '200', '204' @logger.inform "Successfully submitted certificate request for #{certname}" return :success else @logger.err 'Error:' @logger.err " When attempting to submit certificate request for '#{certname}', received:" @logger.err " code: #{result.code}" @logger.err " body: #{result.body.to_s}" if result.body return :error end end end |
#put(certnames, resource_type:, body:, type:, headers: {}) ⇒ Boolean
Make an HTTP PUT request to CA
72 73 74 75 76 77 78 79 80 81 |
# File 'lib/puppetserver/ca/certificate_authority.rb', line 72 def put(certnames, resource_type:, body:, type:, headers: {}) url = make_ca_url(resource_type) results = @client.with_connection(url) do |connection| certnames.map do |certname| url.resource_name = certname result = connection.put(body, url, headers) process_results(type, certname, result) end end end |
#revoke_certs(certnames) ⇒ Object
47 48 49 50 51 52 53 54 |
# File 'lib/puppetserver/ca/certificate_authority.rb', line 47 def revoke_certs(certnames) results = put(certnames, resource_type: 'certificate_status', body: REVOKE_BODY, type: :revoke) results.reduce {|prev, curr| worst_result(prev, curr) } end |
#sign_certs(certnames) ⇒ Object
38 39 40 41 42 43 44 45 |
# File 'lib/puppetserver/ca/certificate_authority.rb', line 38 def sign_certs(certnames) results = put(certnames, resource_type: 'certificate_status', body: SIGN_BODY, type: :sign) results.all? {|result| result == :success } end |
#submit_certificate_request(certname, csr) ⇒ Object
56 57 58 59 60 61 62 63 64 |
# File 'lib/puppetserver/ca/certificate_authority.rb', line 56 def submit_certificate_request(certname, csr) results = put([certname], resource_type: 'certificate_request', body: csr.to_pem, headers: {'Content-Type' => 'text/plain'}, type: :submit) results.all? {|result| result == :success } end |
#worst_result(previous_result, current_result) ⇒ Object
21 22 23 24 25 26 27 28 29 30 31 |
# File 'lib/puppetserver/ca/certificate_authority.rb', line 21 def worst_result(previous_result, current_result) %i{success invalid not_found error}.each do |state| if previous_result == state return current_result elsif current_result == state return previous_result else next end end end |