diff options
author | Tim Smith <tsmith@chef.io> | 2018-08-24 13:31:02 -0700 |
---|---|---|
committer | Tim Smith <tsmith@chef.io> | 2018-08-24 13:31:02 -0700 |
commit | e4dacff806daf381d53468448239c1deebb437d0 (patch) | |
tree | e83b0436a5640515604068ce312452140aa4118c /lib/chef/resource/openssl_x509_crl.rb | |
parent | c3951d2cc25f48aa29d505a68ecb83ed32c78bff (diff) | |
download | chef-e4dacff806daf381d53468448239c1deebb437d0.tar.gz |
Add openssl_x509_crl resource
This is another great resource added to the openssl cookbook by @juju482 at Institut National de l'Audiovisuel
Signed-off-by: Tim Smith <tsmith@chef.io>
Diffstat (limited to 'lib/chef/resource/openssl_x509_crl.rb')
-rw-r--r-- | lib/chef/resource/openssl_x509_crl.rb | 130 |
1 files changed, 130 insertions, 0 deletions
diff --git a/lib/chef/resource/openssl_x509_crl.rb b/lib/chef/resource/openssl_x509_crl.rb new file mode 100644 index 0000000000..06c591ac18 --- /dev/null +++ b/lib/chef/resource/openssl_x509_crl.rb @@ -0,0 +1,130 @@ +# +# License:: Apache License, Version 2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +require "chef/resource" + +class Chef + class Resource + class OpensslX509Crl < Chef::Resource + require "chef/mixin/openssl_helper" + include Chef::Mixin::OpenSSLHelper + + preview_resource true + resource_name :openssl_x509_crl + + description "Use the openssl_x509_crl resource to generate PEM-formatted x509 CRL files." + introduced "14.4" + + property :path, String, + description: "Optional path to write the file to if you'd like to specify it here instead of in the resource name.", + name_property: true + + property :serial_to_revoke, [Integer, String], + description: "Serial of the X509 Certificate to revoke." + + property :revocation_reason, Integer, + description: "Reason for the revokation.", + default: 0 + + property :expire, Integer, + description: "Value representing the number of days from now through which the issued CRL will remain valid. The CRL will expire after this period.", + default: 8 + + property :renewal_threshold, Integer, + description: "Number of days before the expiration. It this threshold is reached, the CRL will be renewed.", + default: 1 + + property :ca_cert_file, String, + description: "The path to the CA X509 Certificate on the filesystem. If the ca_cert_file attribute is specified, the ca_key_file attribute must also be specified, the CRL will be signed with them.", + required: true + + property :ca_key_file, String, + description: "The path to the CA private key on the filesystem. If the ca_key_file property is specified, the ca_cert_file property must also be specified, the CRL will be signed with them.", + required: true + + property :ca_key_pass, String, + description: "The passphrase for CA private key's passphrase." + + property :owner, String, + description: "The owner permission for the CRL file." + + property :group, String, + description: "The group permission for the CRL file." + + property :mode, [Integer, String], + description: "The permission mode of the CRL file." + + action :create do + description "Create the CRL file." + + file new_resource.path do + owner new_resource.owner unless new_resource.owner.nil? + group new_resource.group unless new_resource.group.nil? + mode new_resource.mode unless new_resource.mode.nil? + content crl.to_pem + action :create + end + end + + action_class do + def crl_info + # Will contain issuer & expiration + crl_info = {} + + crl_info["issuer"] = ::OpenSSL::X509::Certificate.new ::File.read(new_resource.ca_cert_file) + crl_info["validity"] = new_resource.expire + + crl_info + end + + def revoke_info + # Will contain Serial to revoke & reason + revoke_info = {} + + revoke_info["serial"] = new_resource.serial_to_revoke + revoke_info["reason"] = new_resource.revocation_reason + + revoke_info + end + + def ca_private_key + ca_private_key = ::OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass + ca_private_key + end + + def crl + if crl_file_valid?(new_resource.path) + crl = ::OpenSSL::X509::CRL.new ::File.read(new_resource.path) + else + log "Creating a CRL #{new_resource.path} for CA #{new_resource.ca_cert_file}" + crl = gen_x509_crl(ca_private_key, crl_info) + end + + if !new_resource.serial_to_revoke.nil? && serial_revoked?(crl, new_resource.serial_to_revoke) == false + log "Revoking serial #{new_resource.serial_to_revoke} in CRL #{new_resource.path}" + crl = revoke_x509_crl(revoke_info, crl, ca_private_key, crl_info) + elsif crl.next_update <= Time.now + 3600 * 24 * new_resource.renewal_threshold + log "Renewing CRL for CA #{new_resource.ca_cert_file}" + crl = renew_x509_crl(crl, ca_private_key, crl_info) + end + + crl + end + end + + end + end +end |