diff options
Diffstat (limited to 'lib/chef/resource/windows_certificate.rb')
-rw-r--r-- | lib/chef/resource/windows_certificate.rb | 274 |
1 files changed, 208 insertions, 66 deletions
diff --git a/lib/chef/resource/windows_certificate.rb b/lib/chef/resource/windows_certificate.rb index 6d0e080b3f..4ac0effa58 100644 --- a/lib/chef/resource/windows_certificate.rb +++ b/lib/chef/resource/windows_certificate.rb @@ -19,6 +19,7 @@ require_relative "../util/path_helper" require_relative "../resource" +require_relative "../exceptions" module Win32 autoload :Certstore, "win32-certstore" if Chef::Platform.windows? end @@ -62,11 +63,11 @@ class Chef DOC property :source, String, - description: "The source file (for create and acl_add), thumbprint (for delete and acl_add) or subject (for delete) if it differs from the resource block's name.", + description: "The source file (for `create` and `acl_add`), thumbprint (for `delete`, `export`, and `acl_add`), or subject (for `delete` or `export`) if it differs from the resource block's name.", name_property: true property :pfx_password, String, - description: "The password to access the source if it is a pfx file." + description: "The password to access the object with if it is a PFX file." property :private_key_acl, Array, description: "An array of 'domain\\account' entries to be granted read-only access to the certificate's private key. Not idempotent." @@ -79,8 +80,7 @@ class Chef description: "Use the `CurrentUser` store instead of the default `LocalMachine` store. Note: Prior to #{ChefUtils::Dist::Infra::CLIENT}. 16.10 this property was ignored.", default: false - property :cert_path, String, - description: "The path to the certificate." + deprecated_property_alias :cert_path, :output_path, "The cert_path property was renamed output_path in the 17.0 release of #{ChefUtils::Dist::Infra::CLIENT}. Please update your cookbooks to use the new property name." # lazy used to set default value of sensitive to true if password is set property :sensitive, [TrueClass, FalseClass], @@ -92,16 +92,20 @@ class Chef default: false, introduced: "16.8" - action :create, description: "Creates or updates a certificate" do - # Extension of the certificate - ext = ::File.extname(new_resource.source) + property :output_path, String, + description: "A path on the node where a certificate object (PFX, PEM, CER, KEY, etc) can be exported to.", + introduced: "17.0" + + action :create, description: "Creates or updates a certificate." do + ext = get_file_extension(new_resource.source) # PFX certificates contains private keys and we import them with some other approach - import_certificates(fetch_cert_object(ext), (ext == ".pfx")) + # import_certificates(fetch_cert_object(ext), (ext == ".pfx")) + import_certificates(fetch_cert_object_from_file(ext), (ext == ".pfx")) end # acl_add is a modify-if-exists operation : not idempotent - action :acl_add, description: "Adds read-only entries to a certificate's private key ACL" do + action :acl_add, description: "Adds read-only entries to a certificate's private key ACL." do if ::File.exist?(new_resource.source) hash = "$cert.GetCertHashString()" @@ -124,8 +128,9 @@ class Chef end end - action :delete, description: "Deletes a certificate" do + action :delete, description: "Deletes a certificate." do cert_obj = fetch_cert + if cert_obj converge_by("Deleting certificate #{new_resource.source} from Store #{new_resource.store_name}") do delete_cert @@ -135,10 +140,21 @@ class Chef end end - action :fetch, description: "Fetches a certificate" do - cert_obj = fetch_cert + action :fetch, description: "Fetches a certificate." do + unless new_resource.output_path + raise Chef::Exceptions::ResourceNotFound, "You must include an output_path parameter when calling the fetch action" + end + + if ::File.extname(new_resource.output_path) == ".pfx" + powershell_exec!(pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_resource.output_path, password: new_resource.pfx_password )) + else + cert_obj = fetch_cert + end + if cert_obj - show_or_store_cert(cert_obj) + converge_by("Fetching certificate #{new_resource.source} from Store \\#{ps_cert_location}\\#{new_resource.store_name}") do + export_cert(cert_obj, output_path: new_resource.output_path, store_name: new_resource.store_name , store_location: ps_cert_location, pfx_password: new_resource.pfx_password) + end else Chef::Log.debug("Certificate not found") end @@ -153,6 +169,7 @@ class Chef end action_class do + @local_pfx_path = "" CERT_SYSTEM_STORE_LOCAL_MACHINE = 0x00020000 CERT_SYSTEM_STORE_CURRENT_USER = 0x00010000 @@ -162,10 +179,10 @@ class Chef store.add(cert_obj) end - def add_pfx_cert + def add_pfx_cert(path) exportable = new_resource.exportable ? 1 : 0 store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location) - store.add_pfx(new_resource.source, new_resource.pfx_password, exportable) + store.add_pfx(path, new_resource.pfx_password, exportable) end def delete_cert @@ -175,12 +192,66 @@ class Chef def fetch_cert store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location) - store.get(resolve_thumbprint(new_resource.source)) + if new_resource.output_path && ::File.extname(new_resource.output_path) == ".key" + fetch_key + + else + store.get(resolve_thumbprint(new_resource.source), store_name: new_resource.store_name, store_location: native_cert_location) + end + end + + def fetch_key + require "openssl" unless defined?(OpenSSL) + file_name = ::File.basename(new_resource.output_path, ::File.extname(new_resource.output_path)) + directory = ::File.dirname(new_resource.output_path) + pfx_file = file_name + ".pfx" + new_pfx_output_path = ::File.join(Chef::FileCache.create_cache_path("pfx_files"), pfx_file) + powershell_exec(pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: ps_cert_location, store_name: new_resource.store_name, output_path: new_pfx_output_path, password: new_resource.pfx_password )) + pkcs12 = OpenSSL::PKCS12.new(::File.binread(new_pfx_output_path), new_resource.pfx_password) + f = ::File.open(new_resource.output_path, "w") + f.write(pkcs12.key.to_s) + f.flush + f.close + end + + def get_file_extension(file_name) + if is_file?(file_name) + ::File.extname(file_name) + elsif is_url?(file_name) + require "open-uri" unless defined?(OpenURI) + uri = URI.parse(file_name) + output_file = ::File.basename(uri.path) + ::File.extname(output_file) + end + end + + def get_file_name(path_name) + if is_file?(path_name) + ::File.extname(path_name) + elsif is_url?(path_name) + require "open-uri" unless defined?(OpenURI) + uri = URI.parse(path_name) + ::File.basename(uri.path) + end + end + + def is_url?(source) + require "uri" unless defined?(URI) + uri = URI.parse(source) + uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS) + end + + def is_file?(source) + ::File.file?(source) + end + + def is_file?(source) + ::File.file?(source) end # Thumbprints should be exactly 40 Hex characters def valid_thumbprint?(string) - string.scan(/\H/).empty? && string.length == 40 + string.match?(/[0-9A-Fa-f]/) && string.length == 40 end def get_thumbprint(store_name, location, source) @@ -205,45 +276,11 @@ class Chef def verify_cert(thumbprint = new_resource.source) store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location) - store.valid?(resolve_thumbprint(thumbprint)) - end - - def show_or_store_cert(cert_obj) - if new_resource.cert_path - export_cert(cert_obj, new_resource.cert_path) - if ::File.size(new_resource.cert_path) > 0 - Chef::Log.info("Certificate export in #{new_resource.cert_path}") - else - ::File.delete(new_resource.cert_path) - end - else - Chef::Log.info(cert_obj.display) - end - end - - def export_cert(cert_obj, cert_path) - out_file = ::File.new(cert_path, "w+") - case ::File.extname(cert_path) - when ".pem" - out_file.puts(cert_obj.to_pem) - when ".der" - out_file.puts(cert_obj.to_der) - when ".cer" - cert_out = shell_out("openssl x509 -text -inform DER -in #{cert_obj.to_pem} -outform CER").stdout - out_file.puts(cert_out) - when ".crt" - cert_out = shell_out("openssl x509 -text -inform DER -in #{cert_obj.to_pem} -outform CRT").stdout - out_file.puts(cert_out) - when ".pfx" - cert_out = shell_out("openssl pkcs12 -export -nokeys -in #{cert_obj.to_pem} -outform PFX").stdout - out_file.puts(cert_out) - when ".p7b" - cert_out = shell_out("openssl pkcs7 -export -nokeys -in #{cert_obj.to_pem} -outform P7B").stdout - out_file.puts(cert_out) + if new_resource.pfx_password.nil? + store.valid?(resolve_thumbprint(thumbprint), store_location: native_cert_location, store_name: new_resource.store_name ) else - Chef::Log.info("Supported certificate format .pem, .der, .cer, .crt, .pfx and .p7b") + store.valid?(resolve_thumbprint(thumbprint), store_location: native_cert_location, store_name: new_resource.store_name) end - out_file.close end # this array structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores @@ -252,6 +289,14 @@ class Chef new_resource.user_store ? "CurrentUser" : "LocalMachine" end + def pfx_ps_cmd(thumbprint, store_location: "LocalMachine", store_name: "My", output_path:, password: ) + <<-CMD + $my_pwd = ConvertTo-SecureString -String "#{password}" -Force -AsPlainText + $cert = Get-ChildItem -path cert:\\#{store_location}\\#{store_name} -Recurse | Where { $_.Thumbprint -eq "#{thumbprint.upcase}" } + Export-PfxCertificate -Cert $cert -FilePath "#{output_path}" -Password $my_pwd + CMD + end + def native_cert_location new_resource.user_store ? CERT_SYSTEM_STORE_CURRENT_USER : CERT_SYSTEM_STORE_LOCAL_MACHINE end @@ -330,8 +375,50 @@ class Chef # # @raise [OpenSSL::PKCS12::PKCS12Error] When incorrect password is provided for PFX certificate # - def fetch_cert_object(ext) - contents = ::File.binread(new_resource.source) + + def fetch_cert_object_from_file(ext) + if is_file?(new_resource.source) + begin + ::File.exist?(new_resource.source) + contents = ::File.binread(new_resource.source) + rescue => exception + message = "Unable to load the certificate object from the specified local path : #{new_resource.source}\n" + message << exception.message + raise Chef::Exceptions::FileNotFound, message + end + elsif is_url?(new_resource.source) + require "uri" unless defined?(URI) + uri = URI(new_resource.source) + state = uri.is_a?(URI::HTTP) && !uri.host.nil? ? true : false + if state + begin + output_file_name = get_file_name(new_resource.source) + unless Dir.exist?(Chef::Config[:file_cache_path]) + Dir.mkdir(Chef::Config[:file_cache_path]) + end + local_path = ::File.join(Chef::Config[:file_cache_path], output_file_name) + @local_pfx_path = local_path + ::File.open(local_path, "wb") do |file| + file.write URI.open(new_resource.source).read + end + rescue => exception + message = "Not Able to Download Certificate Object at the URL specified : #{new_resource.source}\n" + message << exception.message + raise Chef::Exceptions::FileNotFound, message + end + + contents = ::File.binread(local_path) + + else + message = "Not Able to Download Certificate Object at the URL specified : #{new_resource.source}\n" + message << exception.message + raise Chef::Exceptions::InvalidRemoteFileURI, message + end + else + message = "You passed an invalid file or url to import. Please check the spelling and try again." + message << exception.message + raise Chef::Exceptions::ArgumentError, message + end case ext when ".pfx" @@ -348,24 +435,79 @@ class Chef end end + def export_cert(cert_obj, output_path:, store_name:, store_location:, pfx_password:) + # Delete the cert if it exists. This is non-destructive in that it only removes the file and not the entire path. + # We want to ensure we're not randomly loading an old stinky cert. + if ::File.exists?(output_path) + ::File.delete(output_path) + end + + unless ::File.directory?(::File.dirname(output_path)) + FileUtils.mkdir_p(::File.dirname(output_path)) + end + + out_file = ::File.new(output_path, "w+") + + case ::File.extname(output_path) + when ".pem" + out_file.puts(cert_obj) + when ".der" + out_file.puts(cert_obj.to_der) + when ".cer" + cert_out = shell_out("openssl x509 -text -inform DER -in #{cert_obj.to_pem} -outform CER").stdout + out_file.puts(cert_out) + when ".crt" + cert_out = shell_out("openssl x509 -text -inform DER -in #{cert_obj} -outform CRT").stdout + out_file.puts(cert_out) + when ".pfx" + pfx_ps_cmd(resolve_thumbprint(new_resource.source), store_location: store_location, store_name: store_name, output_path: output_path, password: pfx_password ) + when ".p7b" + cert_out = shell_out("openssl pkcs7 -export -nokeys -in #{cert_obj.to_pem} -outform P7B").stdout + out_file.puts(cert_out) + when ".key" + out_file.puts(cert_obj) + else + Chef::Log.info("Supported certificate format .pem, .der, .cer, .crt, and .p7b") + end + + out_file.close + end + # Imports the certificate object into cert store # # @param cert_objs [OpenSSL::X509::Certificate] Object containing certificate's attributes # # @param is_pfx [Boolean] true if we want to import a PFX certificate # - def import_certificates(cert_objs, is_pfx) + def import_certificates(cert_objs, is_pfx, store_name: new_resource.store_name, store_location: native_cert_location) [cert_objs].flatten.each do |cert_obj| - thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s # Fetch its thumbprint - # Need to check if return value is Boolean:true - # If not then the given certificate should be added in certstore - if verify_cert(thumbprint) == true - Chef::Log.debug("Certificate is already present") - else - converge_by("Adding certificate #{new_resource.source} into #{ps_cert_location} Store #{new_resource.store_name}") do - if is_pfx - add_pfx_cert + # thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s + # pkcs = OpenSSL::PKCS12.new(cert_obj, new_resource.pfx_password) + # cert = OpenSSL::X509::Certificate.new(pkcs.certificate.to_pem) + thumbprint = OpenSSL::Digest.new("SHA1", cert_obj.to_der).to_s + if is_pfx + if verify_cert(thumbprint) == true + Chef::Log.debug("Certificate is already present") + else + if is_file?(new_resource.source) + converge_by("Creating a PFX #{new_resource.source} for Store #{new_resource.store_name}") do + add_pfx_cert(new_resource.source) + end + elsif is_url?(new_resource.source) + converge_by("Creating a PFX #{@local_pfx_path} for Store #{new_resource.store_name}") do + add_pfx_cert(@local_pfx_path) + end else + message = "You passed an invalid file or url to import. Please check the spelling and try again." + message << exception.message + raise Chef::Exceptions::ArgumentError, message + end + end + else + if verify_cert(thumbprint) == true + Chef::Log.debug("Certificate is already present") + else + converge_by("Creating a certificate #{new_resource.source} for Store #{new_resource.store_name}") do add_cert(cert_obj) end end |