authorJohn McCrae <jmccrae@chf.io>2022-05-24 11:48:26 +0600
committerJohn McCrae <jmccrae@chf.io>2022-05-26 13:40:30 +0600
commit61b518ed838dd61ea611c6a0a6fb54e7a860c0f0 (patch)
tree3c53044d7c7bf0b1a1a817c030c3b5ca0ada01a3
parentc864baf4b5c9d4b667f33ee52cd8465199642451 (diff)
downloadchef-61b518ed838dd61ea611c6a0a6fb54e7a860c0f0.tar.gz
Updated files to account for pem storage in the Certificate Store
Signed-off-by: John McCrae <jmccrae@chf.io>
-rw-r--r--lib/chef/http/authenticator.rb21
1 files changed, 19 insertions, 2 deletions
diff --git a/lib/chef/http/authenticator.rb b/lib/chef/http/authenticator.rb
index 98d331d4f0..d31aa6b53d 100644
--- a/lib/chef/http/authenticator.rb
+++ b/lib/chef/http/authenticator.rb
@@ -228,13 +228,18 @@ class Chef
file_path = ps_blob["PSPath"].split("::")[1]
pkcs = OpenSSL::PKCS12.new(File.binread(file_path), password)
- # We test the pfx we just extracted the private key from
+ # We check the pfx we just extracted the private key from
# if that cert is expiring in 7 days or less we generate a new pfx/p12 object
# then we post the new public key from that to the client endpoint on
# chef server.
- # is_certificate_expiring(pkcs)
File.delete(file_path)
+ key_expiring = is_certificate_expiring?(pkcs)
+ if key_expiring
+ powershell_exec!(delete_old_key_ps(client_name))
+ ::Chef::Client.update_key_and_register(Chef::Config[:client_name], pkcs)
+ end
+ File.delete(file_path)
return pkcs.key.private_to_pem
end
end
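Review bot: `File.delete(file_path)` runs twice on the new side, because the existing call before `key_expiring = is_certificate_expiring?(pkcs)` is kept as context and the commit adds a second one after the `if` block. The second call would raise `Errno::ENOENT`, so `return pkcs.key.private_to_pem` is never reached. Keep a single delete; because the file holds the exported private key, it is best done right after `File.binread` or in an `ensure`, so a failure in the rotation calls cannot leave it on disk. Separately, `powershell_exec!(delete_old_key_ps(client_name))` removes the stored certificate before `update_key_and_register` has succeeded, which appears to leave the node without a key in the store if registration fails. The enclosing method starts outside the hunk, so how `client_name` relates to `Chef::Config[:client_name]` on the next line cannot be checked here.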
@@ -242,6 +247,12 @@ class Chef
false
end
+ def self.is_certificate_expiring?(pkcs)
+ today = Date.parse(Time.now.utc.iso8601)
+ future = Date.parse(pkcs.certificate.not_after.iso8601)
+ future.mjd - today.mjd <= 7
+ end
+
def self.get_the_key_ps(client_name, password)
powershell_code = <<~CODE
Try {
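Review bot: `is_certificate_expiring?` round-trips both timestamps through ISO 8601 strings into `Date`, which discards the time of day and depends on `Date` and `Time#iso8601` being loaded elsewhere in the file (not visible in this hunk). Comparing the `Time` values directly is shorter, `pkcs.certificate.not_after <= Time.now.utc + 7 * 24 * 60 * 60`, though it moves the boundary from whole days to exact seconds. If the PKCS12 object carries no certificate, `pkcs.certificate` would presumably be nil and the call would raise `NoMethodError`, so a guard or an explicit error is worth adding. A one-line comment such as `# True when the client certificate expires within 7 days or has already expired.` would record the contract, and the `7` could become a named constant.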
@@ -256,6 +267,12 @@ class Chef
CODE
end
+ def self.delete_old_key_ps(client_name)
+ powershell_code = <<~CODE
+ Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } | Remove-Item -ErrorAction Stop;
+ CODE
+ end
+
def authentication_headers(method, url, json_body = nil, headers = nil)
request_params = {
http_method: method,
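Review bot: In `delete_old_key_ps`, `client_name` is interpolated unescaped into a PowerShell double-quoted string that is then used as a `-match` regex with no anchor at the start. Regex metacharacters in the name (a `.` in an FQDN-style node name, for example) and any subject that merely ends in `chef-<name>` would match, so `Remove-Item` could delete unrelated certificates under `cert:\LocalMachine\My`. A `"` or `$` in the name would also be interpreted by PowerShell. Escaping the name and keeping it in a single-quoted literal narrows this, e.g. `$_.Subject -match ("chef-" + [regex]::Escape('#{client_name}') + "$")`, together with validating `client_name` before it reaches the script. An exact comparison against the full subject would be tighter still if the subject format is fixed. The `powershell_code =` assignment is unused, since the heredoc is the method's return value.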