diff options
| author | John McCrae <jmccrae@chf.io> | 2022-05-24 11:48:26 +0600 |
|---|---|---|
| committer | John McCrae <jmccrae@chf.io> | 2022-05-26 13:40:30 +0600 |
| commit | 61b518ed838dd61ea611c6a0a6fb54e7a860c0f0 (patch) | |
| tree | 3c53044d7c7bf0b1a1a817c030c3b5ca0ada01a3 | |
| parent | c864baf4b5c9d4b667f33ee52cd8465199642451 (diff) | |
| download | chef-61b518ed838dd61ea611c6a0a6fb54e7a860c0f0.tar.gz | |
Updated files to account for pem storage in the Certificate Store
Signed-off-by: John McCrae <jmccrae@chf.io>
| -rw-r--r-- | lib/chef/http/authenticator.rb | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/lib/chef/http/authenticator.rb b/lib/chef/http/authenticator.rb index 98d331d4f0..d31aa6b53d 100644 --- a/lib/chef/http/authenticator.rb +++ b/lib/chef/http/authenticator.rb @@ -228,13 +228,18 @@ class Chef file_path = ps_blob["PSPath"].split("::")[1] pkcs = OpenSSL::PKCS12.new(File.binread(file_path), password) - # We test the pfx we just extracted the private key from + # We check the pfx we just extracted the private key from # if that cert is expiring in 7 days or less we generate a new pfx/p12 object # then we post the new public key from that to the client endpoint on # chef server. - # is_certificate_expiring(pkcs) File.delete(file_path) + key_expiring = is_certificate_expiring?(pkcs) + if key_expiring + powershell_exec!(delete_old_key_ps(client_name)) + ::Chef::Client.update_key_and_register(Chef::Config[:client_name], pkcs) + end + File.delete(file_path) return pkcs.key.private_to_pem end end @@ -242,6 +247,12 @@ class Chef false end + def self.is_certificate_expiring?(pkcs) + today = Date.parse(Time.now.utc.iso8601) + future = Date.parse(pkcs.certificate.not_after.iso8601) + future.mjd - today.mjd <= 7 + end + def self.get_the_key_ps(client_name, password) powershell_code = <<~CODE Try { @@ -256,6 +267,12 @@ class Chef CODE end + def self.delete_old_key_ps(client_name) + powershell_code = <<~CODE + Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } | Remove-Item -ErrorAction Stop; + CODE + end + def authentication_headers(method, url, json_body = nil, headers = nil) request_params = { http_method: method, |