Revision bcf80519
Added by Dmitri Dolguikh over 7 years ago
| modules/puppetca/puppetca_main.rb | ||
|---|---|---|
|
require 'openssl'
|
||
|
require 'set'
|
||
|
|
||
|
# rubocop:disable ModuleLength
|
||
|
module Proxy::PuppetCa
|
||
|
extend ::Proxy::Log
|
||
|
extend ::Proxy::Util
|
||
| ... | ... | |
|
class NotPresent < RuntimeError; end
|
||
|
|
||
|
class << self
|
||
|
|
||
|
def sign certname
|
||
|
puppetca("sign", certname)
|
||
|
end
|
||
| ... | ... | |
|
all.delete_if {|k,v| v[:state] != "pending"}
|
||
|
end
|
||
|
|
||
|
private
|
||
|
|
||
|
# helper to find puppetca and sudo binaries
|
||
|
# checks if our CA really exists
|
||
|
def find_puppetca
|
||
| ... | ... | |
|
def ca_inventory
|
||
|
inventory = Pathname.new(ssldir).join("ca","inventory.txt")
|
||
|
raise "Unable to find CA inventory file at #{inventory}" unless File.exist?(inventory)
|
||
|
hash = {}
|
||
|
# 0x005a 2011-04-16T07:12:46GMT 2016-04-14T07:12:46GMT /CN=uuid
|
||
|
File.read(inventory).each_line do |cert|
|
||
|
if cert =~ /(0(x|X)(\d|[a-f]|[A-F])+)\s+(\d+\S+)\s+(\d+\S+)\s+\/CN=(\S+)/
|
||
|
hash[$6] = {:serial => $1.to_i(16), :not_before => $4, :not_after => $5}
|
||
|
end
|
||
|
end
|
||
|
crl = revoked_serials
|
||
|
hash.each do |cert,values|
|
||
|
crl_path = Pathname.new(ssldir).join("ca","ca_crl.pem")
|
||
|
raise "Unable to find CRL" unless File.exist?(crl_path)
|
||
|
compute_ca_inventory(File.read(inventory), File.read(crl_path))
|
||
|
end
|
||
|
|
||
|
def compute_ca_inventory(inventory_contents, crl_cert_contents)
|
||
|
inventory = parse_inventory(inventory_contents)
|
||
|
crl = revoked_serials(crl_cert_contents)
|
||
|
inventory.each do |_, values|
|
||
|
values[:state] = "revoked" if crl.include?(values[:serial])
|
||
|
end
|
||
|
hash
|
||
|
inventory
|
||
|
end
|
||
|
|
||
|
def revoked_serials
|
||
|
crl = Pathname.new(ssldir).join("ca","ca_crl.pem")
|
||
|
raise "Unable to find CRL" unless File.exist?(crl)
|
||
|
def parse_inventory(inventory_contents)
|
||
|
to_return = {}
|
||
|
inventory_contents.each_line do |cert|
|
||
|
if cert =~ /(0(x|X)(\d|[a-f]|[A-F])+)\s+(\d+\S+)\s+(\d+\S+)\s+\/CN=(\S+)/ # 0x005a 2011-04-16T07:12:46GMT 2016-04-14T07:12:46GMT /CN=uuid
|
||
|
to_return[$6] = {:serial => $1.to_i(16), :not_before => $4, :not_after => $5}
|
||
|
end
|
||
|
end
|
||
|
to_return
|
||
|
end
|
||
|
|
||
|
crl = OpenSSL::X509::CRL.new(File.read(crl))
|
||
|
Set.new(crl.revoked.collect {|r| r.serial})
|
||
|
def revoked_serials(crl_cert_contents)
|
||
|
Set.new(OpenSSL::X509::CRL.new(crl_cert_contents).revoked.collect {|r| r.serial.to_i})
|
||
|
end
|
||
|
|
||
|
def puppetca mode, certname
|
||
| ... | ... | |
|
end
|
||
|
end
|
||
|
end
|
||
|
# rubocop:enable ModuleLength
|
||
| test/puppetca/puppetca_test.rb | ||
|---|---|---|
|
assert_equal content.include?('foo.example.com'), false
|
||
|
end
|
||
|
|
||
|
def test_should_have_a_logger
|
||
|
assert_respond_to Proxy::PuppetCa, :logger
|
||
|
end
|
||
|
|
||
|
def test_which_should_return_a_binary_path
|
||
|
ENV.stubs(:[]).with('PATH').returns(['/foo', '/bin', '/usr/bin'].join(File::PATH_SEPARATOR))
|
||
|
{ '/foo' => false, '/bin' => true, '/usr/bin' => false, '/usr/sbin' => false, '/usr/local/bin' => false, '/usr/local/sbin' => false }.each do |p,r|
|
||
| ... | ... | |
|
assert_equal '/bin/ls', Proxy::PuppetCa.which('ls')
|
||
|
end
|
||
|
|
||
|
INVENTORY_CONTENTS =<<EOF
|
||
|
0x0002 2015-09-01T15:15:57UTC 2020-08-31T15:15:57UTC /CN=revoked.my.domain
|
||
|
0x0003 2015-09-02T08:34:59UTC 2020-09-01T08:34:59UTC /CN=active.my.domain
|
||
|
0x0004 2017-01-11T15:04:35UTC 2022-01-11T15:04:35UTC /CN=revoked.my.domain
|
||
|
EOF
|
||
|
def test_parse_inventory
|
||
|
assert_equal({"revoked.my.domain" => {:serial => 4, :not_before => "2017-01-11T15:04:35UTC", :not_after => "2022-01-11T15:04:35UTC"},
|
||
|
"active.my.domain" => {:serial => 3, :not_before => "2015-09-02T08:34:59UTC", :not_after => "2020-09-01T08:34:59UTC"}},
|
||
|
::Proxy::PuppetCa.parse_inventory(INVENTORY_CONTENTS))
|
||
|
end
|
||
|
|
||
|
CRL_CONTENTS =<<EOF
|
||
|
-----BEGIN X509 CRL-----
|
||
|
MIIC9DCB3QIBATANBgkqhkiG9w0BAQUFADA0MTIwMAYDVQQDDClQdXBwZXQgQ0E6
|
||
|
IGx1Y2lkLW5vbnNlbnNlLmFwcGxpZWRsb2dpYy5jYRcNMTcwMTEyMTUzNjM1WhcN
|
||
|
MjIwMTExMTUzNjM2WjBEMCACAQIXDTE3MDExMjEzMDEwOVowDDAKBgNVHRUEAwoB
|
||
|
ATAgAgEEFw0xNzAxMTIxNTM2MzZaMAwwCgYDVR0VBAMKAQGgLzAtMB8GA1UdIwQY
|
||
|
MBaAFPXwC6fTTZGAEGWebeMJobxzTq0IMAoGA1UdFAQDAgECMA0GCSqGSIb3DQEB
|
||
|
BQUAA4ICAQBevzkpnkJOelipZsd8GbV5r7b/5Mc/X9fIoNb7wfDGzRWMNDvp/pqd
|
||
|
3TeXvHKsgFqjgchQlI+dd+K1eouJm3pYSsT5MYVrJYUJ6kzPgC89tgtEDApnYOjx
|
||
|
rZIWyF6PeWjL8E7ZKNVFX6RS2HbhWLZStDnkJvckXAhN4GXdLdm5FulkXQ7asQTy
|
||
|
8u1bXWDvRESNuveHuuVyQpfzbnznxUSgf+gJzQ35wbNGZCJDoNlEth6UnIz26LIY
|
||
|
/3dRt/HcybDLoSIV+PF7m2VZZxwcpRCIgjvhCz0fWdfakPYoCn5l3ZGZnv6vL/ss
|
||
|
Mt7bh+b9C0u4g9sQxAYsW21EEFcxVjREXQNn9t/9iqwNn+W90Fee3TJGmWQINO29
|
||
|
zzPgmYyWZQFHCVPuQE/R6cVrRIFte1PjEycsxcTjVv4f71vIWd/54VW7/7TjXYq5
|
||
|
7CnBxWUlWs8N8GwJLzem5DgJvF85YUbVACfNs8JhZc7osLPxFhnZcKz2dLyJgXOj
|
||
|
tzZtHJZG7qxR1n9GmERVpk6OSeK0KKYmb+N9u4mGXYTDG6kl+nj1dU/Uh/yoAwG8
|
||
|
UCEaly81c8sSHjLI3GetK4WxND0cElcSaFY3q22bDay7drhhCMftcbhxoh9ROI5h
|
||
|
Ldr9eKhzX/iwBRnlcwxVCLSUEP+46oGi8hawrhEUnPxPtftMjPVFTQ==
|
||
|
-----END X509 CRL-----
|
||
|
EOF
|
||
|
def test_revoked_serials
|
||
|
assert_equal Set.new([2, 4]), ::Proxy::PuppetCa.revoked_serials(CRL_CONTENTS)
|
||
|
end
|
||
|
|
||
|
def test_compute_ca_inventory
|
||
|
assert_equal({"revoked.my.domain"=>{:serial=>4, :not_before=>"2017-01-11T15:04:35UTC", :not_after=>"2022-01-11T15:04:35UTC", :state=>"revoked"},
|
||
|
"active.my.domain"=>{:serial=>3, :not_before=>"2015-09-02T08:34:59UTC", :not_after=>"2020-09-01T08:34:59UTC"}},
|
||
|
::Proxy::PuppetCa.compute_ca_inventory(INVENTORY_CONTENTS, CRL_CONTENTS))
|
||
|
end
|
||
|
|
||
|
def test_should_clean_host
|
||
|
#TODO
|
||
|
assert_respond_to Proxy::PuppetCa, :clean
|
||
Also available in: Unified diff
Fixes #13318 - Revoked certs always have state 'revoked'
Serial numbers from the CRL are now compared correctly to the inventory
as integers.