class ManageIQ::ApplianceConsole::Certificate
Constants
- STATUS_COMPLETE
- STATUS_RETURN_CODES
Maps `getcert status` return codes to something more descriptive: 0 => :complete – keys/certs generated; 1 => :no_key – either certmonger is down, or we haven't asked for the key yet (assuming the latter); 2 => :rejected – request failed, we need to resubmit once we fix stuff; 3 => :waiting – couldn't contact the CA, will try again; 4 => :error – certmonger is not configured properly; 5 => :waiting – waiting for the CA to send back the certificate
Attributes
name of certificate authority
X.509 v3 extensions that signify the purpose of this certificate (e.g.: client)
hostname of current machine
key filename; defaults to the certificate name with a different extension
ipa realm
root certificate filename
Public Class Methods
# File lib/manageiq/appliance_console/certificate.rb, line 36
# Builds a certificate description from an options hash.
#
# Each option key is applied through its public writer (`key=`), so only
# attributes that expose a writer can be set this way; an option without a
# matching writer raises NoMethodError from public_send.
#
# Defaults applied afterwards (only when the option did not set them):
#   ca_name    -> "ipa"
#   extensions -> %w(server client)
#   realm      -> the host's domain part, upcased, when a hostname is known
def initialize(options = {})
  options.each { |attr, value| public_send(:"#{attr}=", value) }

  @ca_name    ||= "ipa"
  @extensions ||= %w(server client)

  return unless hostname

  # everything after the first label of the hostname, upcased
  # (constructed example: "host.example.com" -> "EXAMPLE.COM")
  @realm ||= hostname.split(".").drop(1).join(".").upcase
end
Public Instance Methods
# File lib/manageiq/appliance_console/certificate.rb, line 103
# Drops the cached certmonger status so the next call to `status`
# re-queries `getcert status` instead of returning the memoized value.
#
# @return [nil]
def clear_status
  @status = nil
end
# File lib/manageiq/appliance_console/certificate.rb, line 99
# True when certmonger reports the key and certificate as generated
# (`getcert status` exit code 0, see STATUS_RETURN_CODES).
#
# @return [Boolean]
def complete?
  status.equal?(:complete)
end
# File lib/manageiq/appliance_console/certificate.rb, line 111
# Enables the certmonger service so it starts on reboot, then starts it now.
#
# @return whatever LinuxAdmin::Service#start returns
def enable_certmonger
  say("enabling certmonger to start on reboot")
  certmonger = LinuxAdmin::Service.new("certmonger")
  certmonger.enable.start
end
Workaround: currently, the -C command is not run after the root certificate is written.
# File lib/manageiq/appliance_console/certificate.rb, line 76
# Makes the public certificate files (root CA certificate and our own
# certificate) mode 0644 so other services on the host can read them.
# The private key is deliberately not in this list and keeps its mode.
# A nil root_filename is skipped via compact.
def make_certs_world_readable
  public_files = [root_filename, cert_filename].compact
  FileUtils.chmod(0o644, public_files)
end
# File lib/manageiq/appliance_console/certificate.rb, line 91
# True when `getcert status` exited with code 1 (STATUS_RETURN_CODES
# :no_key): either certmonger is down or no key was ever requested.
#
# @return [Boolean]
def no_key?
  status.equal?(:no_key)
end
# File lib/manageiq/appliance_console/certificate.rb, line 61
# The IPA principal this certificate is issued for, built once from the
# hostname, realm, service and CA name and memoized.
#
# @return [Principal]
def principal
  @principal ||= Principal.new(
    hostname: hostname,
    realm:    realm,
    service:  service,
    ca_name:  ca_name
  )
end
# File lib/manageiq/appliance_console/certificate.rb, line 95
# True when `getcert status` exited with code 2 (STATUS_RETURN_CODES
# :rejected): the CA rejected the request and it must be resubmitted.
#
# @return [Boolean]
def rejected?
  status.equal?(:rejected)
end
# File lib/manageiq/appliance_console/certificate.rb, line 43
# Drives the whole certificate request flow:
#
# 1. an already-complete certificate is untracked and its files removed
#    first, so the request below starts from a clean slate;
# 2. when the key is missing or the request was rejected, the principal is
#    registered, any stale key pair is deleted and getcert is (re)run;
# 3. once complete, the public certificates are made world readable and
#    the optional block is yielded.
#
# @yield once the certificate is complete
# @return [self]
def request
  undo_tracking if complete?

  if should_request_key?
    principal.register
    remove_key_pair
    request_certificate
    # request_certificate cleared the cached status, so rejected? below
    # re-queries getcert rather than reusing the pre-request answer.
    set_owner_of_key unless rejected?
  end

  return self unless complete?

  make_certs_world_readable
  yield if block_given?
  self
end
# File lib/manageiq/appliance_console/certificate.rb, line 65
# Runs getcert: a resubmit when the previous request was rejected,
# a fresh request otherwise. The cached status is cleared afterwards
# because the getcert run has most likely changed it.
#
# @return [nil] (the result of clear_status)
def request_certificate
  rejected? ? request_again : request_first
  clear_status
end
# File lib/manageiq/appliance_console/certificate.rb, line 80
# Hands the private key file to the configured owner.
#
# `owner` is split on "." into user and group (a missing group part yields
# nil, which FileUtils.chown leaves unchanged). Nothing is done when no
# owner is set or the owner is "root" (the key already belongs to root).
# Only ownership changes here; the key's mode is not touched.
#
# @return [self]
def set_owner_of_key
  return self unless owner && owner != "root"

  user, group = owner.split(".")
  FileUtils.chown(user, group, key_filename)
  self
end
statuses
# File lib/manageiq/appliance_console/certificate.rb, line 87
# A (re)request is needed when there is no key yet or the last request
# was rejected; :waiting, :error and :complete do not trigger one.
#
# @return [Boolean]
def should_request_key?
  %i(no_key rejected).include?(status)
end
# File lib/manageiq/appliance_console/certificate.rb, line 107
# The certmonger status symbol for this certificate (see
# STATUS_RETURN_CODES), queried via `getcert status` on first use and
# cached until clear_status. Because the cache is an `||=`-style check,
# a nil result (an exit code not in the table) is not cached and the
# query is repeated on the next call.
#
# @return [Symbol, nil]
def status
  @status = key_status unless @status
  @status
end
Private Instance Methods
# File lib/manageiq/appliance_console/certificate.rb, line 167
# Extended key usage value for getcert's -U option: each configured
# extension name becomes an "id-kp-<name>Auth" OID name, comma separated
# (constructed example: %w(server client) -> "id-kp-serverAuth,id-kp-clientAuth").
#
# @return [String]
def key_ext_usage
  extensions.map { |ext| "id-kp-#{ext}Auth" }.join(",")
end
# File lib/manageiq/appliance_console/certificate.rb, line 158
# Path of the private key: the explicitly configured one, or the
# certificate path with its extension swapped for ".key".
#
# @return [String]
def key_filename
  return @key_filename if @key_filename

  stem = cert_filename.chomp(File.extname(cert_filename))
  "#{stem}.key"
end
# File lib/manageiq/appliance_console/certificate.rb, line 162
# Asks certmonger for the state of this certificate and maps the
# `getcert status` exit code through STATUS_RETURN_CODES.
#
# AwesomeSpawn.run (not run!) is used on purpose: a non-zero exit code is
# the result here, not an error. An exit code missing from the table
# yields nil.
#
# @return [Symbol, nil]
def key_status
  result = AwesomeSpawn.run("/usr/bin/getcert", :params => %w(status -f) + [cert_filename])
  STATUS_RETURN_CODES[result.exit_status]
end
# File lib/manageiq/appliance_console/certificate.rb, line 118
# Deletes the certificate and the private key from disk (if present) so a
# new request starts without stale material.
def remove_key_pair
  cert = cert_filename
  key  = key_filename
  FileUtils.rm_f(cert) if File.exist?(cert)
  FileUtils.rm_f(key) if File.exist?(key)
end
# File lib/manageiq/appliance_console/certificate.rb, line 153
# Resubmits the existing (rejected) request for this certificate file,
# waiting for completion (-w). run! raises if getcert exits non-zero.
#
# @return [self]
def request_again
  args = %w(resubmit -w) + ["-f", cert_filename]
  AwesomeSpawn.run!("/usr/bin/getcert", :params => args)
  self
end
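# File lib/manageiq/appliance_console/certificate.rb, line 134
# Submits a brand-new request to certmonger via `getcert request`.
#
# The -C option is a shell command certmonger runs after the certificate
# is written; it is built from this object's own configured filenames.
# Previously root_filename was interpolated into it unconditionally, so a
# nil root_filename left a dangling empty token ("chmod 644 <cert> ");
# now -C, like -F, only mentions the root certificate when one is set.
# run! raises if getcert exits non-zero.
#
# @return [self]
def request_first
  readable_files = [cert_filename, root_filename].compact.join(" ")
  params = {
    nil  => "request",
    "-c" => ca_name,
    "-v" => nil, # verbose
    "-w" => nil, # wait til completion if possible
    "-k" => key_filename,
    "-f" => cert_filename,
    "-N" => principal.subject_name,
    "-K" => principal.name,
    "-C" => "chmod 644 #{readable_files}",
    "-U" => key_ext_usage
  }
  params["-F"] = root_filename if root_filename
  AwesomeSpawn.run!("/usr/bin/getcert", :params => params)
  self
end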
# File lib/manageiq/appliance_console/certificate.rb, line 130
# Tells certmonger to stop tracking this certificate/key pair.
# run! raises if getcert exits non-zero.
def stop_tracking
  args = ["stop-tracking", "-f", cert_filename, "-k", key_filename]
  AwesomeSpawn.run!("/usr/bin/getcert", :params => args)
end
# File lib/manageiq/appliance_console/certificate.rb, line 123
# Reverts a completed enrollment: certmonger stops tracking the pair, the
# root certificate and the key pair are removed from disk, and the cached
# status is dropped so the next query reflects the new state.
#
# @return [nil] (the result of clear_status)
def undo_tracking
  stop_tracking
  root = root_filename
  FileUtils.rm_f(root) if File.exist?(root)
  remove_key_pair
  clear_status
end