puppetlabs
diff --git a/‎bin/puppetca‎
Lines changed: 19 additions & 168 deletions b/‎bin/puppetca‎
Lines changed: 19 additions & 168 deletions
diff --git a/‎lib/puppet/ssl/certificate_authority.rb‎
Lines changed: 121 additions & 0 deletions b/‎lib/puppet/ssl/certificate_authority.rb‎
Lines changed: 121 additions & 0 deletions
diff --git a/‎lib/puppet/ssl/certificate_revocation_list.rb‎
Lines changed: 1 addition & 0 deletions b/‎lib/puppet/ssl/certificate_revocation_list.rb‎
Lines changed: 1 addition & 0 deletions
@@ -95,7 +95,7 @@
 # Licensed under the GNU Public License
 
 require 'puppet'
-require 'puppet/sslcertificates'
+require 'puppet/ssl/certificate_authority'
 require 'getoptlong'
 
 options = [
@@ -118,35 +118,27 @@ Puppet.settings.addargs(options)
 
 result = GetoptLong.new(*options)
 
-mode = nil
-all = false
-generate = nil
+modes = Puppet::SSL::CertificateAuthority::Interface::INTERFACE_METHODS
 
-modes = [:clean, :list, :revoke, :generate, :sign, :print, :verify]
+all = false
+mode = nil
 
 begin
     result.each { |opt,arg|
         case opt
+            when "--clean"
+                mode = :destroy
             when "--all"
                 all = true
             when "--debug"
                 Puppet::Util::Log.level = :debug
-            when "--generate"
-                generate = arg
-                mode = :generate
             when "--help"
                 if Puppet.features.usage?
                     RDoc::usage && exit
                 else
                     puts "No help available unless you have RDoc::usage installed"
                     exit
                 end
-            when "--list"
-                mode = :list
-            when "--revoke"
-                mode = :revoke
-            when "--sign"
-                mode = :sign
             when "--version"
                 puts "%s" % Puppet.version
                 exit
@@ -172,12 +164,12 @@ Puppet.parse_config
 Puppet.genconfig
 Puppet.genmanifest
 
+Puppet::Util::Log.newdestination :console
+
 begin
-    ca = Puppet::SSLCertificates::CA.new()
+    ca = Puppet::SSL::CertificateAuthority.new
 rescue => detail
-    if Puppet[:debug]
-        puts detail.backtrace
-    end
+    puts detail.backtrace if Puppet[:trace]
     puts detail.to_s
     exit(23)
 end
@@ -187,157 +179,16 @@ unless mode
     exit(12)
 end
 
-if [:verify, :print, :generate, :clean, :revoke, :list].include?(mode)
+if all
+    hosts = :all
+else
     hosts = ARGV.collect { |h| h.downcase }
 end
 
-if [:sign, :list].include?(mode)
-    waiting = ca.list
-    unless waiting.length > 0 or (mode == :list and all)
-        puts "No certificates to sign"
-        if ARGV.length > 0
-            exit(17)
-        else
-            exit(0)
-        end
-    end
-end
-
-case mode
-when :list
-    waiting = ca.list
-    if waiting.length > 0
-        puts waiting.join("\n")
-    end
-    if all
-        puts ca.list_signed.collect { |cert | cert.sub(/^/,"+ ") }.join("\n")
-    end
-when :clean
-    if hosts.empty?
-        $stderr.puts "You must specify one or more hosts to clean"
-        exit(24)
-    end
-    cleaned = false
-    hosts.each do |host|
-        cert = ca.getclientcert(host)[0]
-        if cert.nil?
-            $stderr.puts "Could not find client certificate for %s" % host
-            next
-        end
-        ca.clean(host)
-        cleaned = true
-    end
-    unless cleaned
-        exit(27)
-    end
-when :sign
-    to_sign = ARGV.collect { |h| h.downcase }
-    unless to_sign.length > 0 or all
-        $stderr.puts(
-            "You must specify to sign all certificates or you must specify hostnames"
-        )
-        exit(24)
-    end
-
-    unless all
-        to_sign.each { |host|
-            unless waiting.include?(host)
-                $stderr.puts "No waiting request for %s" % host
-            end
-        }
-        waiting = waiting.find_all { |host|
-            to_sign.include?(host)
-        }
-    end
-
-    waiting.each { |host|
-        begin
-            csr = ca.getclientcsr(host)
-        rescue => detail
-            $stderr.puts "Could not retrieve request for %s: %s" % [host, detail]
-        end
-
-        begin
-            ca.sign(csr)
-            $stderr.puts "Signed %s" % host
-        rescue => detail
-            $stderr.puts "Could not sign request for %s: %s" % [host, detail]
-        end
-
-        begin
-            ca.removeclientcsr(host)
-        rescue => detail
-            $stderr.puts "Could not remove request for %s: %s" % [host, detail]
-        end
-    }
-when :generate
-    # we need to generate a certificate for a host
-    hosts.each { |host|
-        puts "Generating certificate for %s" % host
-        cert = Puppet::SSLCertificates::Certificate.new(
-            :name => host
-        )
-        cert.mkcsr
-        signedcert, cacert = ca.sign(cert.csr)
-
-        cert.cert = signedcert
-        cert.cacert = cacert
-        cert.write
-    }
-when :print
-    hosts.each { |h|
-        cert = ca.getclientcert(h)[0]
-        puts cert.to_text
-    }
-when :revoke
-    hosts.each { |h|
-        serial = nil
-        if h =~ /^0x[0-9a-f]+$/
-            serial = h.to_i(16)
-        elsif h =~ /^[0-9]+$/
-            serial = h.to_i
-        else
-            cert = ca.getclientcert(h)[0]
-            if cert.nil?
-                $stderr.puts "Could not find client certificate for %s" % h
-            else
-                serial = cert.serial
-            end
-        end
-        unless serial.nil?
-            ca.revoke(serial)
-            puts "Revoked certificate with serial #{serial}"
-        end
-    }
-when :verify
-    unless ssl = %x{which openssl}.chomp
-        raise "Can't verify certificates without the openssl binary and could not find one"
-    end
-    success = true
-
-    cacert = Puppet[:localcacert]
-
-    hosts.each do |host|
-        print "%s: " % host
-        file = ca.host2certfile(host)
-        unless FileTest.exist?(file)
-            puts "no certificate found"
-            success = false
-            next
-        end
-
-
-        command = %{#{ssl} verify -CAfile #{cacert} #{file}}
-        output = %x{#{command}}
-        if $? == 0
-            puts "valid"
-        else
-            puts output
-            success = false
-        end
-    end
-else
-    $stderr.puts "Invalid mode %s" % mode
-    exit(42)
+begin
+    ca.apply(mode, :to => hosts)
+rescue => detail
+    puts detail.backtrace if Puppet[:trace]
+    puts detail.to_s
+    exit(24)
 end
-
@@ -14,8 +14,129 @@ class Puppet::SSL::CertificateAuthority
     require 'puppet/ssl/inventory'
     require 'puppet/ssl/certificate_revocation_list'
 
+    # This class is basically a hidden class that knows how to act
+    # on the CA.  It's only used by the 'puppetca' executable, and its
+    # job is to provide a CLI-like interface to the CA class. 
+    class Interface
+        INTERFACE_METHODS = [:destroy, :list, :revoke, :generate, :sign, :print, :verify]
+
+        class InterfaceError < ArgumentError; end
+
+        attr_reader :method, :subjects
+
+        # Actually perform the work.
+        def apply(ca)
+            unless subjects or method == :list
+                raise ArgumentError, "You must provide hosts or :all when using %s" % method
+            end
+
+            begin
+                if respond_to?(method)
+                    return send(method, ca)
+                end
+
+                (subjects == :all ? ca.list : subjects).each do |host|
+                    ca.send(method, host)
+                end
+            rescue InterfaceError
+                raise
+            rescue => detail
+                puts detail.backtrace if Puppet[:trace]
+                Puppet.err "Could not call %s: %s" % [method, detail]
+            end
+        end
+
+        def generate(ca)
+            raise InterfaceError, "It makes no sense to generate all hosts; you must specify a list" if subjects == :all
+
+            subjects.each do |host|
+                ca.generate(host)
+            end
+        end
+
+        def initialize(method, subjects)
+            self.method = method
+            self.subjects = subjects
+        end
+
+        # List the hosts.
+        def list(ca)
+            unless subjects
+                puts ca.waiting?.join("\n")
+                return nil
+            end
+
+            signed = ca.list
+            requests = ca.waiting?
+
+            if subjects == :all
+                hosts = [signed, requests].flatten
+            else
+                hosts = subjects
+            end
+
+            hosts.uniq.sort.each do |host|
+                if signed.include?(host)
+                    puts "+ " + host
+                else
+                    puts host
+                end
+            end
+        end
+
+        # Set the method to apply.
+        def method=(method)
+            raise ArgumentError, "Invalid method %s to apply" % method unless INTERFACE_METHODS.include?(method)
+            @method = method
+        end
+
+        # Print certificate information.
+        def print(ca)
+            (subjects == :all ? ca.list : subjects).each do |host|
+                if value = ca.print(host)
+                    puts value
+                else
+                    Puppet.err "Could not find certificate for %s" % host
+                end
+            end
+        end
+
+        # Sign a given certificate.
+        def sign(ca)
+            list = subjects == :all ? ca.waiting? : subjects
+            raise InterfaceError, "No waiting certificate requests to sign" if list.empty?
+            list.each do |host|
+                ca.sign(host)
+            end
+        end
+
+        # Set the list of hosts we're operating on.  Also supports keywords.
+        def subjects=(value)
+            unless value == :all or value.is_a?(Array)
+                raise ArgumentError, "Subjects must be an array or :all; not %s" % value
+            end
+
+            if value.is_a?(Array) and value.empty?
+                value = nil
+            end
+
+            @subjects = value
+        end
+    end
+
     attr_reader :name, :host
 
+    # Create and run an applicator.  I wanted to build an interface where you could do
+    # something like 'ca.apply(:generate).to(:all) but I don't think it's really possible.
+    def apply(method, options)
+        unless options[:to]
+            raise ArgumentError, "You must specify the hosts to apply to; valid values are an array or the symbol :all"
+        end
+        applier = Interface.new(method, options[:to])
+
+        applier.apply(self)
+    end
+
     # Retrieve (or create, if necessary) the certificate revocation list.
     def crl
         unless defined?(@crl)
 
@@ -30,6 +30,7 @@ def initialize(fakename)
     # CA, then write the CRL back to disk. The REASON must be one of the
     # OpenSSL::OCSP::REVOKED_* reasons
     def revoke(serial, cakey, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
+        Puppet.notice "Revoked certificate with serial %s" % serial
         time = Time.now
 
         # Add our revocation to the CRL.