| author | luke <luke@980ebf18-57e1-0310-9a29-db15c13687c0> | 2006-02-07 23:12:33 +0000 |
|---|---|---|
| committer | luke <luke@980ebf18-57e1-0310-9a29-db15c13687c0> | 2006-02-07 23:12:33 +0000 |
| commit | b98e65f1fd858a1d0af415554db49a121a76232c (patch) | |
| tree | 728f94dd17f88902c6bdf21ff6b17486babb08af /lib/puppet/sslcertificates | |
| parent | f1ffc34c0927840beeb21e1e2d864ce14de5d15e (diff) | |
| download | puppet-b98e65f1fd858a1d0af415554db49a121a76232c.tar.gz puppet-b98e65f1fd858a1d0af415554db49a121a76232c.tar.xz puppet-b98e65f1fd858a1d0af415554db49a121a76232c.zip | |
There is now full support for configuration files, and the entire system has been modified to expect their new behaviour. I have not yet run the test across all test hosts, though.
git-svn-id: https://reductivelabs.com/svn/puppet/trunk@873 980ebf18-57e1-0310-9a29-db15c13687c0
Diffstat (limited to 'lib/puppet/sslcertificates')
| -rw-r--r-- | lib/puppet/sslcertificates/ca.rb | 110 | ||||
| -rw-r--r-- | lib/puppet/sslcertificates/certificate.rb | 10 |
2 files changed, 50 insertions, 70 deletions
diff --git a/lib/puppet/sslcertificates/ca.rb b/lib/puppet/sslcertificates/ca.rb index 40b34e1ee..a3cd376fc 100644 --- a/lib/puppet/sslcertificates/ca.rb +++ b/lib/puppet/sslcertificates/ca.rb @@ -2,46 +2,6 @@ class Puppet::SSLCertificates::CA Certificate = Puppet::SSLCertificates::Certificate attr_accessor :keyfile, :file, :config, :dir, :cert -# @@params = [ -# :certdir, -# :publickeydir, -# :privatekeydir, -# :cadir, -# :cakey, -# :cacert, -# :capass, -# :capub, -# :csrdir, -# :signeddir, -# :serial, -# :privatedir, -# :ca_crl_days, -# :ca_days, -# :ca_md, -# :req_bits, -# :keylength, -# :autosign -# ] -# :certdir => [:ssldir, "certs"], -# :publickeydir => [:ssldir, "public_keys"], -# :privatekeydir => [:ssldir, "private_keys"], -# :cadir => [:ssldir, "ca"], -# :cacert => [:cadir, "ca_crt.pem"], -# :cakey => [:cadir, "ca_key.pem"], -# :capub => [:cadir, "ca_pub.pem"], -# :csrdir => [:cadir, "requests"], -# :signeddir => [:cadir, "signed"], -# :capass => [:cadir, "ca.pass"], -# :serial => [:cadir, "serial"], -# :privatedir => [:ssldir, "private"], -# :passfile => [:privatedir, "password"], -# :autosign => [:puppetconf, "autosign.conf"], -# :ca_crl_days => 365, -# :ca_days => 1825, -# :ca_md => "md5", -# :req_bits => 2048, -# :keylength => 1024, - Puppet.setdefaults("ca", [:certdir, "$ssldir/certs", "The certificate directory."], [:publickeydir, "$ssldir/public_keys", "The public key directory."], 
@@ -51,19 +11,26 @@ class Puppet::SSLCertificates::CA [:cacert, "$cadir/ca_crt.pem", "The CA certificate."], [:cakey, "$cadir/ca_key.pem", "The CA private key."], [:capub, "$cadir/ca_pub.pem", "The CA public key."], + [:caprivatedir, "$cadir/private", + "Where the CA stores private certificate information."], [:csrdir, "$cadir/requests", "Where the CA stores certificate requests"], [:signeddir, "$cadir/signed", "Where the CA stores signed certificates."], - [:capass, "$cadir/ca.pass", - "Where the CA stores the password for the private key; usually not used."], + [:capass, "$caprivatedir/ca.pass", + "Where the CA stores the password for the private key"], [:serial, "$cadir/serial", "Where the serial number for certificates is stored."], + [:privatedir, "$ssldir/private", + "Where the client stores private certificate information."], [:passfile, "$privatedir/password", "Where puppetd stores the password for its private key. Generally unused."], - [:autosign, "$puppetconf/autosign.conf", - "Where to look for the autosigning configuration file."], + [:autosign, "$confdir/autosign.conf", + "Whether to enable autosign. Valid values are true (which autosigns + any key request, and is a very bad idea), false (which never autosigns + any key request), and the path to a file, which uses that configuration + file to determine which keys to sign."], [:ca_days, 1825, "How long a certificate should be valid."], [:ca_md, "md5", "The type of hash used in certificates."], [:req_bits, 2048, "The bit length of the certificates."], 
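Review bot: The new `caprivatedir` setting becomes the home of the CA passphrase file (`capass` moves to `$caprivatedir/ca.pass`), but nothing in this commit creates that directory with restricted permissions: the only creation path visible is `Puppet.recmkdir(File.dirname(@config[:capass]))` in genpass, whose mode is not shown here, and `caprivatedir` is not in the `[:cadir, :csrdir, :signeddir]` list that setconfig validates and creates. The file itself is opened with `0600`, but if recmkdir falls back to a permissive default the directory holding the CA key passphrase is listable and writable by other local users; confirm it is created (or chmod'ed in genpass) as `0700`. The setting description could state the expectation: `"Where the CA stores private certificate information; must be readable only by the CA user."`.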
@@ -97,30 +64,51 @@ class Puppet::SSLCertificates::CA def initialize(hash = {}) self.setconfig(hash) + if Puppet[:capass] + if FileTest.exists?(Puppet[:capass]) + #puts "Reading %s" % Puppet[:capass] + #system "ls -al %s" % Puppet[:capass] + #File.read Puppet[:capass] + Puppet.info "Getting pass" + @config[:password] = self.getpass + else + # Don't create a password if the cert already exists + unless FileTest.exists?(@config[:cacert]) + Puppet.info "Genning pass" + @config[:password] = self.genpass + end + end + end + self.getcert unless FileTest.exists?(@config[:serial]) File.open(@config[:serial], "w") { |f| f << "%04X" % 1 } end - - if Puppet[:capass] and ! FileTest.exists?(Puppet[:capass]) - self.genpass - end end def genpass pass = "" 20.times { pass += (rand(74) + 48).chr } - unless @config[:capass] - raise "No passfile" + Puppet.recmkdir(File.dirname(@config[:capass])) + begin + File.open(@config[:capass], "w", 0600) { |f| f.print pass } + rescue Errno::EACCES => detail + raise Puppet::Error, detail.to_s end - Puppet::SSLCertificates.mkdir(File.dirname(@config[:capass])) - File.open(@config[:capass], "w", 0600) { |f| f.print pass } return pass end + def getpass + if @config[:capass] and File.readable?(@config[:capass]) + return File.read(@config[:capass]) + else + raise Puppet::Error, "Could not read CA passfile %s" % @config[:capass] + end + end + def getcert if FileTest.exists?(@config[:cacert]) @cert = OpenSSL::X509::Certificate.new( @@ -161,7 +149,7 @@ class Puppet::SSLCertificates::CA cert = Certificate.new( :name => "CAcert", :cert => @config[:cacert], - :encrypt => @config[:passfile], + :encrypt => @config[:capass], :key => @config[:cakey], :selfsign => true, :length => 1825, 
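Review bot: The new getpass returns `File.read(@config[:capass])` without `chomp`, while Certificate reads the same file through `:encrypt` with `f.read.chomp` (the certificate.rb hunk at -122, wired up by `:encrypt => @config[:capass]` in the hunk at -161). genpass writes the passphrase with `f.print`, so generated files agree, but a hand-edited ca.pass that ends in a newline will encrypt the CA key with one passphrase and then fail to decrypt it with another; use `return File.read(@config[:capass]).chomp` in getpass. genpass also still derives the passphrase from `Kernel#rand`, which is not a cryptographic generator; since this file already uses OpenSSL, `OpenSSL::Random.random_bytes` is the appropriate source for a CA key passphrase. The commented-out `#puts`/`#system "ls -al"`/`#File.read` lines added to initialize look like leftover debugging and should be dropped.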
@@ -187,22 +175,13 @@ class Puppet::SSLCertificates::CA def setconfig(hash) @config = {} Puppet.config.params("ca").each { |param| + param = param.intern if param.is_a? String if hash.include?(param) - begin @config[param] = hash[param] Puppet[param] = hash[param] hash.delete(param) - rescue => detail - puts detail - exit - end else - begin @config[param] = Puppet[param] - rescue => detail - puts detail - exit - end end } @@ -217,10 +196,10 @@ class Puppet::SSLCertificates::CA [:cadir, :csrdir, :signeddir].each { |dir| unless @config[dir] - raise "%s is undefined" % dir + raise Puppet::DevError, "%s is undefined" % dir end unless FileTest.exists?(@config[dir]) - Puppet::SSLCertificates.mkdir(@config[dir]) + Puppet.recmkdir(@config[dir]) end } end @@ -249,6 +228,7 @@ class Puppet::SSLCertificates::CA File.read(@config[:cakey]), @config[:password] ) else + system("ls -al %s" % Puppet[:capass]) cakey = OpenSSL::PKey::RSA.new( File.read(@config[:cakey]) ) diff --git a/lib/puppet/sslcertificates/certificate.rb b/lib/puppet/sslcertificates/certificate.rb index 65ceb44b9..618b7473a 100644 --- a/lib/puppet/sslcertificates/certificate.rb +++ b/lib/puppet/sslcertificates/certificate.rb @@ -54,7 +54,7 @@ class Puppet::SSLCertificates::Certificate def initialize(hash) unless hash.include?(:name) - raise "You must specify the common name for the certificate" + raise Puppet::Error, "You must specify the common name for the certificate" end @name = hash[:name] @@ -72,7 +72,7 @@ class Puppet::SSLCertificates::Certificate @cacertfile ||= File.join(Puppet[:certdir], "ca.pem") unless FileTest.directory?(@dir) - Puppet::SSLCertificates.mkdir(@dir) + Puppet.recmkdir(@dir) end unless @certfile =~ /\.pem$/ 
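Review bot: `system("ls -al %s" % Puppet[:capass])` added in the hunk at -249 is leftover debugging in the branch that loads the CA key without a passphrase: it forks a shell each time that branch runs, writes the listing of the directory holding the passphrase file to stdout, and hands the configured path to the shell unquoted. It should be removed before this ships, or at most replaced by `Puppet.debug "Loading unencrypted CA key from %s" % @config[:cakey]`. The enclosing method starts and ends outside the hunk.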
@@ -82,14 +82,14 @@ class Puppet::SSLCertificates::Certificate Puppet[:privatekeydir], [@name,"pem"].join(".") ) unless FileTest.directory?(@dir) - Puppet::SSLCertificates.mkdir(@dir) + Puppet.recmkdir(@dir) end [@keyfile].each { |file| dir = File.dirname(file) unless FileTest.directory?(dir) - Puppet::SSLCertificates.mkdir(dir) + Puppet.recmkdir(dir) end } @@ -122,7 +122,7 @@ class Puppet::SSLCertificates::Certificate @password = f.read.chomp } else - raise ":encrypt must be a path to a pass phrase file" + raise Puppet::Error, ":encrypt must be a path to a pass phrase file" end else @password = nil |
