class ManageIQ::ApplianceConsole::Certificate

Constants

STATUS_COMPLETE
STATUS_RETURN_CODES

Maps `getcert status` exit codes to a descriptive symbol: 0 => :complete – keys/certs generated; 1 => :no_key – either certmonger is down or we haven't asked for the key yet (assumed to be the latter); 2 => :rejected – the request failed and must be resubmitted once the cause is fixed; 3 => :waiting – couldn't contact the CA, will try again; 4 => :error – certmonger is not configured properly; 5 => :waiting – waiting for the CA to send back the certificate.

Attributes

ca_name[RW]

name of certificate authority

cert_filename[RW]
extensions[RW]

X.509 v3 extensions declaring the purpose of this certificate (e.g. client); each entry becomes an id-kp-<name>Auth extended key usage on the request.

hostname[RW]

hostname of current machine

key_filename[W]

Key filename; defaults to the certificate filename with its extension replaced by .key

owner[RW]
realm[RW]

IPA realm; defaults to the domain part of the hostname, upper-cased

root_filename[RW]

root certificate filename

service[RW]

Public Class Methods

new(options = {})
# File lib/manageiq/appliance_console/certificate.rb, line 36
# Builds a certificate description from an options hash.
#
# Each key in +options+ is applied through its public writer
# (+"#{key}="+ via public_send), so any public writer on this class is
# reachable from an option key -- callers are expected to pass only the
# documented attributes. Defaults are then filled in for anything still
# unset: ca_name "ipa", extensions server + client, and a realm derived
# from the hostname (everything after the first label, upper-cased). A
# hostname with no domain part yields an empty realm; no hostname leaves
# the realm untouched.
def initialize(options = {})
  options.each do |attribute, value|
    public_send("#{attribute}=", value)
  end

  @ca_name    ||= "ipa"
  @extensions ||= %w(server client)
  @realm      ||= hostname.split(".").drop(1).join(".").upcase if hostname
end

Public Instance Methods

clear_status()
# File lib/manageiq/appliance_console/certificate.rb, line 103
# Drops the memoised certmonger status so the next +status+ call
# re-queries getcert. Returns nil.
def clear_status
  @status = nil
end
complete?()
# File lib/manageiq/appliance_console/certificate.rb, line 99
# True when certmonger reports the key and certificate as issued
# (+getcert status+ exit code 0, mapped to :complete).
def complete?
  status.eql?(:complete)
end
enable_certmonger()
# File lib/manageiq/appliance_console/certificate.rb, line 111
# Enables the certmonger daemon at boot and starts it now, so tracked
# certificates keep being renewed after a reboot.
def enable_certmonger
  say("enabling certmonger to start on reboot")
  certmonger = LinuxAdmin::Service.new("certmonger")
  certmonger.enable.start
end
make_certs_world_readable()

Workaround: currently the -C post-save command is not run after the root certificate is written, so the certificate files are made readable here explicitly.

# File lib/manageiq/appliance_console/certificate.rb, line 76
# Sets mode 0644 on the public certificate files (root CA copy and the
# issued certificate) so non-root services can read them. Only the
# certificate paths are touched -- key_filename is deliberately not in
# the list. A nil root_filename is skipped.
def make_certs_world_readable
  public_certs = [root_filename, cert_filename].compact
  FileUtils.chmod(0644, public_certs)
end
no_key?()
# File lib/manageiq/appliance_console/certificate.rb, line 91
# True when getcert reports no key yet (exit code 1, mapped to :no_key);
# this is the normal state before the first request.
def no_key?
  status.eql?(:no_key)
end
principal()
# File lib/manageiq/appliance_console/certificate.rb, line 61
# Kerberos principal for this host/service, built from the configured
# hostname, realm, service and CA name. Constructed once and memoised.
def principal
  return @principal if @principal

  @principal = Principal.new(
    :hostname => hostname,
    :realm    => realm,
    :service  => service,
    :ca_name  => ca_name
  )
end
rejected?()
# File lib/manageiq/appliance_console/certificate.rb, line 95
# True when the CA rejected the request (exit code 2, mapped to
# :rejected); the request must be resubmitted once the cause is fixed.
def rejected?
  status.eql?(:rejected)
end
request() { || ... }
# File lib/manageiq/appliance_console/certificate.rb, line 43
# Drives the whole enrolment: a previously completed request is torn
# down first (a fresh key pair is always generated), then, if certmonger
# has no key or rejected the last attempt, the principal is registered,
# stale files removed and a request submitted. Ownership of the private
# key is handed to +owner+ unless the CA rejected the request. When the
# certificate is in place the public files are made readable and the
# optional block runs. Always returns self.
def request
  undo_tracking if complete?

  if should_request_key?
    principal.register
    remove_key_pair
    request_certificate
    # request_certificate clears the cached status, so rejected? below
    # re-queries getcert rather than reusing a pre-request answer.
    set_owner_of_key unless rejected?
  end

  return self unless complete?

  make_certs_world_readable
  yield if block_given?
  self
end
request_certificate()
# File lib/manageiq/appliance_console/certificate.rb, line 65
# Asks certmonger for the certificate: a previously rejected request is
# resubmitted, anything else becomes a fresh request. The memoised
# status is cleared afterwards because the outcome is only known by
# re-querying getcert.
def request_certificate
  rejected? ? request_again : request_first
  clear_status
end
set_owner_of_key()
# File lib/manageiq/appliance_console/certificate.rb, line 80
# Hands the private key to the account named by +owner+ ("user.group",
# group optional). Skipped when no owner is set or the owner is root.
# Only ownership changes here -- the key's mode is left as certmonger
# created it, so readability of the key is not tightened by this method.
# Returns self.
def set_owner_of_key
  if owner && owner != "root"
    user, group = owner.split(".")
    FileUtils.chown(user, group, key_filename)
  end
  self
end
should_request_key?()

statuses

# File lib/manageiq/appliance_console/certificate.rb, line 87
# A request is (re)submitted only when certmonger has no key yet or the
# CA rejected the previous attempt; :waiting, :error, :complete and an
# unknown (nil) status all leave the current request alone.
def should_request_key?
  return true if no_key?

  rejected?
end
status()
# File lib/manageiq/appliance_console/certificate.rb, line 107
# Current certmonger status symbol, queried once via key_status and then
# memoised until clear_status is called.
def status
  @status = key_status unless @status
  @status
end

Private Instance Methods

key_ext_usage()
# File lib/manageiq/appliance_console/certificate.rb, line 167
# Extended-key-usage list handed to getcert -U: each configured
# extension name becomes "id-kp-<name>Auth", comma separated. An empty
# extensions list yields an empty string.
def key_ext_usage
  extensions.map { |purpose| "id-kp-#{purpose}Auth" }.join(",")
end
key_filename()
# File lib/manageiq/appliance_console/certificate.rb, line 158
# Path of the private key: the explicitly configured one when set,
# otherwise the certificate path with its extension swapped for ".key".
def key_filename
  return @key_filename if @key_filename

  cert = cert_filename
  "#{cert.chomp(File.extname(cert))}.key"
end
key_status()
# File lib/manageiq/appliance_console/certificate.rb, line 162
# Queries certmonger for the tracking state of cert_filename and maps
# the process exit code through STATUS_RETURN_CODES. getcert is invoked
# by absolute path with its arguments passed as an array rather than
# interpolated into a command string. An exit code with no entry in the
# map comes back as nil.
def key_status
  result = AwesomeSpawn.run("/usr/bin/getcert", :params => ["status", "-f", cert_filename])
  STATUS_RETURN_CODES[result.exit_status]
end
remove_key_pair()
# File lib/manageiq/appliance_console/certificate.rb, line 118
# Deletes the issued certificate and its private key when present so a
# fresh pair can be requested. This is a plain unlink: the key material
# is not overwritten before removal.
def remove_key_pair
  delete = ->(path) { FileUtils.rm_f(path) if File.exist?(path) }
  delete.call(cert_filename)
  delete.call(key_filename)
end
request_again()
# File lib/manageiq/appliance_console/certificate.rb, line 153
# Resubmits an existing (rejected) request for cert_filename and waits
# for certmonger to finish where possible. Returns self.
def request_again
  args = ["resubmit", "-w", "-f", cert_filename]
  AwesomeSpawn.run!("/usr/bin/getcert", :params => args)
  self
end
request_first()
# File lib/manageiq/appliance_console/certificate.rb, line 134
# Submits the initial certificate request to certmonger and waits for
# it to finish where possible. Key and certificate paths, the subject
# and Kerberos principal, the extended key usages and (when configured)
# the root CA output path are all passed as getcert arguments. Returns
# self.
#
# Security note: the -C post-save hook is a command string that
# interpolates cert_filename and root_filename. How certmonger tokenises
# that string is not visible here, so keep those paths free of
# whitespace and shell metacharacters; they are expected to come from
# this appliance's own configuration, not from remote input. With no
# root_filename the hook simply chmods the certificate alone.
def request_first
  post_save = "chmod 644 #{cert_filename} #{root_filename}"

  params = {
    nil  => "request",
    "-c" => ca_name,
    "-v" => nil,                   # verbose
    "-w" => nil,                   # wait for completion when possible
    "-k" => key_filename,
    "-f" => cert_filename,
    "-N" => principal.subject_name,
    "-K" => principal.name,
    "-C" => post_save,
    "-U" => key_ext_usage
  }
  params["-F"] = root_filename if root_filename

  AwesomeSpawn.run!("/usr/bin/getcert", :params => params)
  self
end
stop_tracking()
# File lib/manageiq/appliance_console/certificate.rb, line 130
# Tells certmonger to stop tracking (and therefore renewing) this
# key/certificate pair. The files themselves are left in place;
# undo_tracking is what removes them.
def stop_tracking
  args = ["stop-tracking", "-f", cert_filename, "-k", key_filename]
  AwesomeSpawn.run!("/usr/bin/getcert", :params => args)
end
undo_tracking()
# File lib/manageiq/appliance_console/certificate.rb, line 123
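# Tears down an existing certmonger tracking request and removes every
# file it produced, so that +request+ can start from a clean slate.
# Tracking is stopped before the files are deleted (presumably so that
# certmonger does not act on files that are about to disappear). The
# root CA copy is only removed when a root_filename is configured: it is
# optional everywhere else in this class, and File.exist?(nil) would
# raise a TypeError here. The memoised status is cleared last so the
# next query reflects the new state.
def undo_tracking
  stop_tracking
  FileUtils.rm_f(root_filename) if root_filename && File.exist?(root_filename)
  remove_key_pair
  clear_status
end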