Diffstat (limited to 'lib/chef')
-rw-r--r--lib/chef/api_client_v1.rb8
-rw-r--r--lib/chef/client.rb33
-rw-r--r--lib/chef/http/authenticator.rb81
3 files changed, 33 insertions, 89 deletions
diff --git a/lib/chef/api_client_v1.rb b/lib/chef/api_client_v1.rb
index f7a41cdb5b..b61efa9857 100644
--- a/lib/chef/api_client_v1.rb
+++ b/lib/chef/api_client_v1.rb
@@ -299,10 +299,10 @@ class Chef
# the new method only gets called when migrating keys to the certificate store.
new_client = if Chef::Config[:migrate_key_to_keystore] == true
- chef_rest_v1_with_validator.post("clients", payload)
- else
- chef_rest_v1.post("clients", payload)
- end
+ chef_rest_v1_with_validator.post("clients", payload)
+ else
+ chef_rest_v1.post("clients", payload)
+ end
# get the private_key out of the chef_key hash if it exists
if new_client["chef_key"]
diff --git a/lib/chef/client.rb b/lib/chef/client.rb
index 29eaf3df83..c3b62a60c3 100644
--- a/lib/chef/client.rb
+++ b/lib/chef/client.rb
@@ -52,12 +52,11 @@ Chef.autoload :PolicyBuilder, File.expand_path("policy_builder", __dir__)
require_relative "request_id"
require_relative "platform/rebooter"
require_relative "mixin/deprecation"
-# require_relative "mixin/powershell_exec"
require "chef-utils" unless defined?(ChefUtils::CANARY)
require "ohai" unless defined?(Ohai::System)
require "rbconfig" unless defined?(RbConfig)
require "forwardable" unless defined?(Forwardable)
-require "singleton"
+require "singleton" unless defined?(Singleton)
require_relative "compliance/runner"
@@ -663,7 +662,6 @@ class Chef
logger.trace("Client key #{config[:client_key]} is present in Certificate Store - skipping registration")
else
move_key_and_register(cert_name)
- KeyMigration.instance.key_migrated = false
logger.trace("Client key #{config[:client_key]} moved to the Certificate Store - skipping registration")
end
events.skipping_registration(client_name, config)
@@ -694,10 +692,6 @@ class Chef
win32certstore.search("#{cert_name}")
end
- # def generate_pfx_package(cert_name)
- # self.generate_pfx_package(cert_name)
- # end
-
def generate_pfx_package(cert_name, date = nil)
require_relative "mixin/powershell_exec"
extend Chef::Mixin::PowershellExec
@@ -723,37 +717,32 @@ class Chef
end
def move_key_and_register(cert_name)
- require 'time'
+ require "time" unless defined?(Time)
autoload :URI, "uri"
- base_url = "https://" + URI.parse(Chef::Config[:chef_server_url]).host
- client = Chef::ServerAPI.new(base_url, client_name: Chef::Config[:validation_client_name], signing_key_filename: Chef::Config[:validation_key])
-
KeyMigration.instance.key_migrated = true
node = Chef::Config[:node_name]
d = Time.now
end_date = Time.new(d.year, d.month + 3, d.day, d.hour, d.min, d.sec).utc.iso8601
- public_key = get_public_key(cert_name)
payload = {
name: node,
clientname: node,
- public_key: public_key,
- expiration_date: end_date
+ public_key: "",
+ expiration_date: end_date,
}
- generate_pfx_package(cert_name,end_date)
-
- body = { "name": "#{node}" }
- client.post("/organizations/cheftest2/nodes", body)
- client.post("/organizations/cheftest2/clients", payload)
-
+ generate_pfx_package(cert_name, end_date)
+ payload[:public_key] = get_public_key(cert_name)
+ base_url = "#{Chef::Config[:chef_server_url]}"
+ client = Chef::ServerAPI.new(base_url, client_name: Chef::Config[:validation_client_name], signing_key_filename: Chef::Config[:validation_key])
+ client.post(base_url + "/clients", payload)
+ KeyMigration.instance.key_migrated = false
Chef::Log.trace("Updated client data: #{client.inspect}")
end
def get_public_key(cert_name)
- binding.pry
password = ::Chef::HTTP::Authenticator.get_cert_password
require_relative "mixin/powershell_exec"
extend Chef::Mixin::PowershellExec
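Review bot: `require "time" unless defined?(Time)` never loads the `time` stdlib, because the `Time` constant is core and always defined, yet `Time#iso8601` used for `end_date` a few lines below comes from that library on older Rubies, so this only works if something else happened to require it first; a plain `require "time"` is idempotent and should replace the guarded form. `KeyMigration.instance.key_migrated = false` is now reset only after a successful `client.post`, so if the post raises the flag stays true and `load_signing_key` keeps signing later requests with the validation key; putting the reset in an `ensure` clause around the post would bound that window. The context line `Time.new(d.year, d.month + 3, ...)` raises ArgumentError whenever `d.month` is 10, 11 or 12 (month 13–15 is out of range), which this rewrite inherits; adding 90 days to `d` or using `Date#>>` for the month arithmetic avoids it. Finally `base_url = "#{Chef::Config[:chef_server_url]}"` is a no-op interpolation and `client.post(base_url + "/clients", payload)` hands an absolute URL to a client already built on that base — `client.post("clients", payload)` matches the `chef_rest_v1.post("clients", payload)` call in api_client_v1.rb.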
@@ -768,7 +757,7 @@ class Chef
path = cert_file[1]
p12 = OpenSSL::PKCS12.new(File.binread(path), password)
File.delete(path)
- return p12.key.public_to_pem
+ p12.key.public_to_pem
end
#
diff --git a/lib/chef/http/authenticator.rb b/lib/chef/http/authenticator.rb
index eaa5130647..641599972a 100644
--- a/lib/chef/http/authenticator.rb
+++ b/lib/chef/http/authenticator.rb
@@ -22,8 +22,6 @@ require_relative "../exceptions"
require_relative "../win32/registry"
autoload :OpenSSL, "openssl"
-require "pry"
-
class Chef
class HTTP
class Authenticator
@@ -50,7 +48,6 @@ class Chef
@auth_credentials = AuthCredentials.new(opts[:client_name], @key, use_ssh_agent: opts[:ssh_agent_signing])
@version_class = opts[:version_class]
@api_version = opts[:api_version]
- @old_priv_key = nil
end
def handle_request(method, url, headers = {}, data = false)
@@ -103,6 +100,18 @@ class Chef
self.class.retrieve_certificate_key(client_name)
end
+ def get_cert_password
+ self.class.get_cert_password
+ end
+
+ def encrypt_pfx_pass
+ self.class.encrypt_pfx_pass
+ end
+
+ def decrypt_pfx_pass
+ self.class.decrypt_pfx_pass
+ end
+
# Detects if a private key exists in a certificate repository like Keychain (macOS) or Certificate Store (Windows)
#
# @param client_name - we're using the node name to store and retrieve any keys
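Review bot: The new instance-level `encrypt_pfx_pass` forwards no arguments, but the class method it delegates to is `self.encrypt_pfx_pass(password)` (visible further down in this file), so any call through the instance wrapper raises ArgumentError; the same likely applies to `decrypt_pfx_pass`, whose class-method signature is outside this hunk. Forward the parameter: `def encrypt_pfx_pass(password)` / `  self.class.encrypt_pfx_pass(password)` / `end`, and the same shape for decrypt. `get_cert_password` delegates to a zero-argument class method (it is called as `::Chef::HTTP::Authenticator.get_cert_password` in client.rb) and is fine as written. A short comment such as `# Instance-level delegators to the class methods below, for callers holding an Authenticator` would document why these exist next to the class methods.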
@@ -130,17 +139,14 @@ class Chef
end
def load_signing_key(key_file, raw_key = nil)
- results = if !!Chef::Client::KeyMigration.instance.old_priv_key
- Chef::Client::KeyMigration.instance.old_priv_key
- else
- retrieve_certificate_key(Chef::Config[:node_name])
- end
- if key_file == nil? && raw_key == nil?
- puts "\nNo key detected\n"
+ results = retrieve_certificate_key(Chef::Config[:node_name])
+
+ if ::Chef::Config[:migrate_key_to_keystore] == true && ::Chef::Client::KeyMigration.instance.key_migrated == true
+ @raw_key = IO.read(Chef::Config[:validation_key]).strip
elsif !!results
@raw_key = results
- elsif ::Chef::Config[:migrate_key_to_keystore] == true && Chef::Client::KeyMigration.instance.key_migrated == true
- @raw_key = IO.read(Chef::Config[:validation_key]).strip
+ elsif key_file == nil? && raw_key == nil?
+ puts "\nNo key detected\n"
elsif !!key_file
@raw_key = IO.read(key_file).strip
elsif !!raw_key
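Review bot: `key_file == nil? && raw_key == nil?` on the moved line compares each argument with `self.nil?` (which is `false`), not with nil, so the "No key detected" branch only fires when both arguments are literally `false`; it should read `elsif key_file.nil? && raw_key.nil?`. With the branch now ordered after the keystore and migration checks this is mostly latent, but it also reports via `puts` to stdout rather than `Chef::Log`, so a missing key never reaches the log. The added `IO.read(Chef::Config[:validation_key]).strip` should use `File.read` — `IO.read` treats a path beginning with `|` as a command to spawn, and a configuration value is not a literal, whereas `File.read` has no such behaviour. `load_signing_key` continues past the end of this hunk.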
@@ -193,14 +199,6 @@ class Chef
password
end
- def get_cert_password
- self.get_cert_password
- end
-
- def encrypt_pfx_pass
- self.ncrypt_pfx_pass
- end
-
def self.encrypt_pfx_pass(password)
powershell_code = <<~CODE
$encrypted_string = ConvertTo-SecureString "#{password}" -AsPlainText -Force
@@ -259,49 +257,6 @@ class Chef
CODE
end
- def self.is_certificate_expiring(pkcs)
- require 'time'
- cert_date = DateTime.parse(pkcs.certificate.not_after.iso8601)
- today = DateTime.parse(Time.now.iso8601)
- client_name = "chef-#{Chef::Config[:node_name]}"
- if cert_date.mjd - today.mjd <= 7
- Chef::Client::KeyMigration.instance.old_priv_key = pkcs.key.private_to_pem
- create_new_pfx_in_keystore(client_name)
- end
- end
-
- def self.create_new_pfx_in_keystore(client_name)
- require 'time'
- node = Chef::Config[:node_name]
- delete_old_pfx(client_name)
- new_client = Chef::Client.new
- d = Time.now
- end_date = Time.new(d.year, d.month + 3, d.day, d.hour, d.min, d.sec).utc.iso8601
- new_client.generate_pfx_package(client_name, end_date)
- new_public_key = new_client.get_public_key(client_name)
- base_url = "https://" + URI.parse(Chef::Config[:chef_server_url]).host
- client = Chef::ServerAPI.new(base_url, client_name: Chef::Config[:client_name], signing_key_filename: "cert://#{client_name}")
-
- payload = {
- name: "default",
- public_key: new_public_key,
- expiration_date: end_date
- }
- client.put("/organizations/cheftest2/clients/#{node}/keys/default", payload)
- end
-
- def self.delete_old_pfx(cert_name)
- powershell_code = <<~CODE
- Try{
- Get-ChildItem Cert:\\LocalMachine\\My | Where-Object { $_.Subject -match "#{cert_name}$" } -ErrorAction Stop | Remove-Item;
- }
- Catch{
- return $false
- }
- CODE
- powershell_exec!(powershell_code).result
- end
-
def authentication_headers(method, url, json_body = nil, headers = nil)
request_params = {
http_method: method,