author | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2022-02-08 11:51:45 +0100 |
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2022-02-08 11:51:49 +0100 |
commit | eff99e3e61f4e216b055a805002f5ece8567a915 (patch) | |
tree | 69771d87bfc3302980625e5524d02d2b455baadb /code/environments/production/modules/ca_extend/tasks | |
parent | 74e2687fa98ea5ba25fbe07c038253d1fc14584e (diff) | |
code/environments/production/modules: Add ca_extend module instead.
Diffstat (limited to 'code/environments/production/modules/ca_extend/tasks')
10 files changed, 190 insertions, 0 deletions
diff --git a/code/environments/production/modules/ca_extend/tasks/check_agent_expiry.json b/code/environments/production/modules/ca_extend/tasks/check_agent_expiry.json
new file mode 100644
index 0000000..a3792cd
--- /dev/null
+++ b/code/environments/production/modules/ca_extend/tasks/check_agent_expiry.json
@@ -0,0 +1,13 @@
+{
+ "description": "Check the expiration date of all agent certificates",
+ "parameters": {
+ "date": {
+ "description": "YYYY-MM-DD date to test whether the certificates will expire by. Defaults to three months from today",
+ "type": "Optional[String[1]]"
+ }
+ },
+
+ "implementations": [
+ {"name": "check_agent_expiry.sh", "requirements": ["shell"], "files": ["ca_extend/files/common.sh"], "input_method": "environment"}
+ ]
+}
diff --git a/code/environments/production/modules/ca_extend/tasks/check_agent_expiry.sh b/code/environments/production/modules/ca_extend/tasks/check_agent_expiry.sh
new file mode 100644
index 0000000..780f4a6
--- /dev/null
+++ b/code/environments/production/modules/ca_extend/tasks/check_agent_expiry.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+declare PT__installdir
+# shellcheck disable=SC1090
+source "$PT__installdir/ca_extend/files/common.sh"
+PUPPET_BIN='/opt/puppetlabs/puppet/bin'
+
+valid=()
+expired=()
+
+to_date="${date:-+3 months}"
+to_date="$(date --date="$to_date" +"%s")" || fail "Error calculating date"
+
+# It's possible that we are not on a Puppet AIO system. If we cannot find a
+# openssl binary in the AIO directory, we accept one in $PATH
+if [ "$(command -v "${PUPPET_BIN}/openssl")" ]; then
+ openssl="${PUPPET_BIN}/openssl"
+else
+ openssl="$(command -v openssl)"
+fi
+
+shopt -s nullglob
+
+for f in "$($PUPPET_BIN/puppet config print signeddir)"/*; do
+ # The -checkend command in openssl takes a number of seconds as an argument
+ # However, on older versions we may overflow a 32 bit integer if we use that
+ # So, we'll use bash arithmetic and `date` to do the comparison
+ expiry_date="$(${openssl} x509 -enddate -noout -in "${f}")"
+ expiry_date="${expiry_date#*=}"
+ expiry_seconds="$(date --date="$expiry_date" +"%s")" || fail "Error calculating expiry date from enddate"
+
+ if (( to_date >= expiry_seconds )); then
+ expired+=("\"$f\"")
+ else
+ valid+=("\"$f\"")
+ fi
+done
+
+# This is ugly, we as of now we don't include jq binaries in Bolt
+# As long as there aren't weird characters in certnames it should be ok
+(IFS=,; printf '{"valid": [%s], "expiring": [%s]}' "${valid[*]}" "${expired[*]}")
diff --git a/code/environments/production/modules/ca_extend/tasks/check_ca_expiry.json b/code/environments/production/modules/ca_extend/tasks/check_ca_expiry.json
new file mode 100644
index 0000000..6eaee1c
--- /dev/null
+++ b/code/environments/production/modules/ca_extend/tasks/check_ca_expiry.json
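Review bot: The openssl call inside the loop has no failure check, so a file in signeddir that openssl cannot parse leaves `expiry_date` empty, and an empty string passed to `date --date=` is likely resolved to a date near today rather than rejected, which reports that entry as expiring instead of as an error. If neither `${PUPPET_BIN}/openssl` nor a PATH `openssl` exists, `openssl` is also empty and the loop runs a bare `x509` command. I would add `[[ -n $openssl ]] || fail "openssl binary not found"` after the `fi` and `|| fail "Error reading enddate from $f"` on the `expiry_date=` line, matching the check already applied to the `date` conversion. The comment before the final printf already concedes the JSON is assembled without escaping; `fail` and `success` come from common.sh, which is outside this diff.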
@@ -0,0 +1,17 @@
+{
+ "description": "Check the expiration date of a CA certificate",
+ "parameters": {
+ "cert": {
+ "description": "Location of the CA certificate to check. Defaults to Puppet's default location",
+ "type": "Optional[String[1]]"
+ },
+ "date": {
+ "description": "YYYY-MM-DD date to test whether the certificate will expire by. Defaults to three months from today",
+ "type": "Optional[String[1]]"
+ }
+ },
+
+ "implementations": [
+ {"name": "check_ca_expiry.sh", "requirements": ["shell"], "files": ["ca_extend/files/common.sh"], "input_method": "environment"}
+ ]
+}
diff --git a/code/environments/production/modules/ca_extend/tasks/check_ca_expiry.sh b/code/environments/production/modules/ca_extend/tasks/check_ca_expiry.sh
new file mode 100644
index 0000000..5df1aa0
--- /dev/null
+++ b/code/environments/production/modules/ca_extend/tasks/check_ca_expiry.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+declare PT__installdir
+# shellcheck disable=SC1090
+source "$PT__installdir/ca_extend/files/common.sh"
+PUPPET_BIN='/opt/puppetlabs/puppet/bin'
+
+cert="${cert:-/etc/puppetlabs/puppet/ssl/certs/ca.pem}"
+[[ -e $cert ]] || fail "cert $cert not found"
+
+to_date="${date:-+3 months}"
+to_date="$(date --date="$to_date" +"%s")" || fail "Error calculating date"
+
+# Sanity check that we're dealing with a valid cert
+"${PUPPET_BIN}/openssl" x509 -in "$cert" >/dev/null || fail "Error checking $cert"
+
+# The -checkend command in openssl takes a number of seconds as an argument
+# However, on older versions we may overflow a 32 bit integer if we use that
+# So, we'll use bash arithmetic and `date` to do the comparison
+expiry_date="$("${PUPPET_BIN}/openssl" x509 -enddate -noout -in "$cert")"
+expiry_date="${expiry_date#*=}"
+expiry_seconds="$(date --date="$expiry_date" +"%s")" || fail "Error calculating expiry date from enddate"
+
+if (( to_date >= expiry_seconds )); then
+ success "{ \"status\": \"will expire\", \"expiry date\": \"$expiry_date\" }"
+else
+ success "{ \"status\": \"valid\", \"expiry date\": \"$expiry_date\" }"
+fi
diff --git a/code/environments/production/modules/ca_extend/tasks/check_primary_cert.json b/code/environments/production/modules/ca_extend/tasks/check_primary_cert.json
new file mode 100644
index 0000000..3167d9a
--- /dev/null
+++ b/code/environments/production/modules/ca_extend/tasks/check_primary_cert.json
@@ -0,0 +1,8 @@
+{
+ "description": "Check the expiration date of the primary server cert",
+ "parameters": {},
+
+ "implementations": [
+ {"name": "check_primary_cert.sh", "requirements": ["shell"], "files": ["ca_extend/files/common.sh"], "input_method": "environment"}
+ ]
+}
diff --git a/code/environments/production/modules/ca_extend/tasks/check_primary_cert.sh b/code/environments/production/modules/ca_extend/tasks/check_primary_cert.sh
new file mode 100644
index 0000000..9a5f74e
--- /dev/null
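Review bot: The sanity check and the enddate read both hardcode `${PUPPET_BIN}/openssl`, whereas check_agent_expiry.sh in the same commit falls back to an `openssl` from PATH when the AIO binary is absent; on a non-AIO host this task would fail with "Error checking $cert" even though a working openssl exists. Reusing the same `command -v` fallback here would make the two tasks agree. The `[[ -e $cert ]]` guard only tests existence; `[[ -r $cert ]] || fail "cert $cert not found or not readable"` gives a clearer message when the file is present but unreadable to the task user.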
+++ b/code/environments/production/modules/ca_extend/tasks/check_primary_cert.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+declare PT__installdir
+# shellcheck disable=SC1090
+source "$PT__installdir/ca_extend/files/common.sh"
+PUPPET_BIN='/opt/puppetlabs/puppet/bin'
+
+hostcert="$($PUPPET_BIN/puppet config print hostcert)"
+[[ -e $hostcert ]] || fail "ERROR: primary server cert not found. pass regen_primary_cert=true to the plan to regenerate it if needed."
+
+expiry_date="$($PUPPET_BIN/openssl x509 -enddate -noout -in "$hostcert")"
+expiry_date="${expiry_date#*=}"
+expiry_seconds="$(date --date="$expiry_date" +"%s")" || fail "Error calculating expiry date from enddate"
+
+if (( $(date +"%s") >= expiry_seconds )); then
+ fail "ERROR: the primary server certificate has expired. Please pass regen_primary_cert=true to the plan to regenerate it."
+elif (( $(date --date="+3 months" +"%s") >= expiry_seconds )); then
+ success '{ "status": "warn", "message": "WARN: Primary cert expiring within 3 months. Either regenerate manually or pass regen_primary_cert=true to the plan to regenerate it." }'
+else
+ success '{ "status": "success", "message": "Primary cert ok" }'
+fi
diff --git a/code/environments/production/modules/ca_extend/tasks/configure_primary.json b/code/environments/production/modules/ca_extend/tasks/configure_primary.json
new file mode 100644
index 0000000..0520327
--- /dev/null
+++ b/code/environments/production/modules/ca_extend/tasks/configure_primary.json
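Review bot: `hostcert="$($PUPPET_BIN/puppet config print hostcert)"` is not checked for failure, so if the puppet CLI errors the variable is empty, `[[ -e $hostcert ]]` fails, and the operator is told the primary cert is missing and pointed at `regen_primary_cert=true`, a destructive step, when the real problem is the config lookup. The unchecked openssl call has the same shape: an empty `expiry_date` fed to `date --date=` would likely make the `>= expiry_seconds` test true and report a readable cert as expired. Appending `|| fail "Error determining hostcert path"` to the `hostcert=` line and `|| fail "Error reading enddate from $hostcert"` to the `expiry_date=` line keeps each failure mode distinct from a genuinely expired cert.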
@@ -0,0 +1,17 @@
+{
+ "description": "Backup ssldir and copy newly generated CA certificate",
+ "parameters": {
+ "new_cert": {
+ "description": "Location of the newly generated CA certificate",
+ "type": "String"
+ },
+ "regen_primary_cert": {
+ "description": "Flag to regerate the primary server's certificate. Set to true to perform the regeneration",
+ "type": "Boolean"
+ }
+ },
+
+ "implementations": [
+ {"name": "configure_primary.sh", "requirements": ["shell"], "files": ["ca_extend/files/common.sh", "ca_extend/files/extend.sh"], "input_method": "environment"}
+ ]
+}
diff --git a/code/environments/production/modules/ca_extend/tasks/configure_primary.sh b/code/environments/production/modules/ca_extend/tasks/configure_primary.sh
new file mode 100644
index 0000000..dd47f54
--- /dev/null
+++ b/code/environments/production/modules/ca_extend/tasks/configure_primary.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+declare PT__installdir
+# shellcheck disable=SC1090
+source "$PT__installdir/ca_extend/files/common.sh"
+
+PUPPET_BIN='/opt/puppetlabs/puppet/bin'
+ssldir="$($PUPPET_BIN/puppet config print ssldir)"
+cadir="$($PUPPET_BIN/puppet config print cadir)"
+ca_dirs=("$ssldir" "$cadir")
+
+mkdir -p /var/puppetlabs/backups/
+cp -aR "$ssldir" /var/puppetlabs/backups || fail "Error backing up '/etc/puppetlabs/puppet/ssl'"
+
+# shellcheck disable=SC2154
+[[ $regen_primary_cert == "true" ]] && {
+ # add the command substitutions to get ssldir and cadir to an array
+ find "${ca_dirs[@]}" -name "$($PUPPET_BIN/puppet config print certname).pem" -delete
+}
+
+# shellcheck disable=SC2154
+cp "$new_cert" "${cadir}/ca_crt.pem" || fail "Error copying 'ca_crt.pem'"
+cp "$new_cert" "${ssldir}/certs/ca.pem" || fail "Error copying 'ca.pem'"
+
+PATH="${PATH}:/opt/puppetlabs/bin" puppet infrastructure configure --no-recover || fail "Error running 'puppet infrastructure configure'"
+
+success '{ "status": "success" }'
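Review bot: The `find ... -delete` under `regen_primary_cert` removes the primary server's certificate before `new_cert` has been validated, so a bad `new_cert` path fails at the later `cp` with the host cert already gone and the backup as the only recovery. Moving `[[ -r $new_cert ]] || fail "new_cert $new_cert not found"` above the backup step makes the destructive part run only once the inputs are known good; the `puppet config print ssldir`/`cadir` substitutions are likewise unchecked and would hand empty paths to `find` and `cp`. The backup error message hardcodes '/etc/puppetlabs/puppet/ssl' while the path actually copied is `$ssldir`; using `$ssldir` in the message avoids misleading output. Since the ssldir copy presumably includes private key material, creating the target with `mkdir -p -m 0700 /var/puppetlabs/backups/` is a cheap hardening.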
diff --git a/code/environments/production/modules/ca_extend/tasks/extend_ca_cert.json b/code/environments/production/modules/ca_extend/tasks/extend_ca_cert.json
new file mode 100644
index 0000000..825f323
--- /dev/null
+++ b/code/environments/production/modules/ca_extend/tasks/extend_ca_cert.json
@@ -0,0 +1,6 @@
+{
+ "description": "Extend CA certificate expiry date",
+ "implementations": [
+ {"name": "extend_ca_cert.sh", "requirements": ["shell"], "files": ["ca_extend/files/common.sh", "ca_extend/files/extend.sh"], "input_method": "environment"}
+ ]
+}
diff --git a/code/environments/production/modules/ca_extend/tasks/extend_ca_cert.sh b/code/environments/production/modules/ca_extend/tasks/extend_ca_cert.sh
new file mode 100755
index 0000000..b5e1b16
--- /dev/null
+++ b/code/environments/production/modules/ca_extend/tasks/extend_ca_cert.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+declare PT__installdir
+# shellcheck disable=SC1090
+source "$PT__installdir/ca_extend/files/common.sh"
+
+echo "test" | base64 -w 0 - &>/dev/null || fail "This script requires a version of base64 with the -w flag"
+
+new_cert="$(bash "$PT__installdir/ca_extend/files/extend.sh")" || fail "Error extending CA certificate expiry date"
+contents="$(base64 -w 0 "$new_cert")" || fail "Error encoding CA certificate"
+
+success "{ \"status\": \"success\", \"new_cert\": \"$new_cert\", \"contents\": \"$contents\" }"
|
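Review bot: `$new_cert` is spliced into the success JSON unescaped; `contents` is base64 and therefore safe, but a path containing a double quote or backslash would produce invalid JSON, and check_agent_expiry.sh in this commit accepts the same limitation only behind an explicit comment. If extend.sh is guaranteed to print a plain filesystem path this is acceptable, but a note such as `# new_cert is a path emitted by extend.sh; assumed free of JSON-special characters` would record the assumption for the next maintainer. extend.sh, `fail` and `success` all live under ca_extend/files, which is outside this diff.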