# File 'plans/configure_comply_certs.pp', line 8
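# @summary Configure the TLS certificate chain, private key and CRL used by the
#   Security Compliance Management web console.
#
# With `generate => 'auto'` the plan asks nothing: it reads `resolvable_hostname`
# from the Hiera data file, self-generates a chain for it and saves the result.
# Any other value runs interactively, letting the operator either point at their
# own certificate material or fall back to self-generation.
#
# @param generate
#   'auto' selects the non-interactive path; anything else is interactive.
# @param hiera_data_file_path
#   Hiera data file holding `resolvable_hostname` and the previously saved
#   `cert_chain` / `private_key` / `crl` values.
# @param pkcs7_public_key_path
#   PKCS7 public key handed to complyadm::save_comply_certs alongside the Hiera
#   data file.
#
# @return [Boolean] true once certificates have been saved, false when the
#   operator declines to (re)configure TLS.
plan complyadm::configure_comply_certs(
  String $generate = '',
  String $hiera_data_file_path = 'data/common.yaml',
  String $pkcs7_public_key_path = 'keys/public_key.pkcs7.pem',
) {
  # Non-interactive mode: generate and save without prompting.
  if $generate == 'auto' {
    $auto_host = complyadm::get_yaml_key_value('resolvable_hostname', $hiera_data_file_path)
    $auto_generated = complyadm::generate_cert_chain($auto_host)
    # The Hiera and PKCS7 paths are passed explicitly so the plan parameters are
    # honoured, matching the manual-configuration call below.
    complyadm::save_comply_certs(
      $auto_generated['cert_chain'],
      $auto_generated['private_key'],
      $auto_generated['crl'],
      $hiera_data_file_path,
      $pkcs7_public_key_path
    )
    return true
  }

  complyadm::display("
A TLS certificate is required to provide an HTTPS connection between your browser and the Security
Compliance Management web console. A self-signed certificate can be automatically generated if you
don't have your own trusted certificate, private key and certificate revocation list (CRL).
TLS can be re-configured post-install."
  )

  # Existing values decide whether TLS is already configured; on a first run all
  # three are empty and the "reconfigure?" questions are skipped.
  $cert_chain_pre = complyadm::get_yaml_key_value('cert_chain', $hiera_data_file_path)
  $private_key_pre = complyadm::get_yaml_key_value('private_key', $hiera_data_file_path)
  $crl_pre = complyadm::get_yaml_key_value('crl', $hiera_data_file_path)
  $already_configured = $cert_chain_pre != '' and $private_key_pre != '' and $crl_pre != ''

  if $already_configured {
    unless Boolean(prompt('Would you like to configure TLS?', 'default' => 'n')) {
      return false
    }
  }

  complyadm::display()
  if Boolean(prompt('Manually provide TLS certificate chain, private key, and crl?', 'default' => 'n')) {
    # Each path may be absolute or a Puppet file reference; a path that does not
    # exist yields '' so it fails validation below instead of erroring on read.
    complyadm::display()
    $cert_chain = prompt('TLS certificate chain (absolute path or Puppet file path)', 'default' => 'complyadm/comply_certs/cert_chain.pem')
    $cert_chain_contents = if file::exists($cert_chain) { file::read($cert_chain) } else { '' }

    complyadm::display()
    $private_key = prompt('Private Key (absolute path or Puppet file path)', 'default' => 'complyadm/comply_certs/private_key.pem')
    $private_key_contents = if file::exists($private_key) { file::read($private_key) } else { '' }

    complyadm::display()
    $crl = prompt('CRL (absolute path or Puppet file path)', 'default' => 'complyadm/comply_certs/crl.pem')
    $crl_contents = if file::exists($crl) { file::read($crl) } else { '' }

    # Validate the material that was actually read from disk, not the values
    # already stored in Hiera: a missing or empty file must be rejected.
    # verify_certs only inspects the chain and key, so the CRL is saved as
    # supplied without being checked here.
    $all_provided = $cert_chain_contents != '' and $private_key_contents != '' and $crl_contents != ''
    $valid = if $all_provided {
      complyadm::verify_certs($cert_chain_contents, $private_key_contents)
    } else {
      false
    }

    if $valid {
      complyadm::save_comply_certs(
        $cert_chain_contents,
        $private_key_contents,
        $crl_contents,
        $hiera_data_file_path,
        $pkcs7_public_key_path
      )
      return true
    }

    complyadm::display()
    # Invalid material: offer a retry, re-running with the same paths so
    # non-default Hiera/PKCS7 locations survive the recursion.
    if Boolean(prompt('Invalid TLS Configuration, Retry?', 'default' => 'y')) {
      return run_plan('complyadm::configure_comply_certs', {
        'hiera_data_file_path'  => $hiera_data_file_path,
        'pkcs7_public_key_path' => $pkcs7_public_key_path,
      })
    }
  }

  # Self-generation. If TLS was previously configured the operator may decline;
  # otherwise there is no choice, as the application cannot start without TLS.
  if $already_configured {
    complyadm::display()
    unless Boolean(prompt('Self Generate TLS certificate chain, private key, and crl?', 'default' => 'n')) {
      return false
    }
  }

  complyadm::display()
  log::debug('Self Generation of TLS certificate chain, private key, and crl')
  $self_host = complyadm::get_yaml_key_value('resolvable_hostname', $hiera_data_file_path)
  $self_generated = complyadm::generate_cert_chain($self_host)
  complyadm::save_comply_certs(
    $self_generated['cert_chain'],
    $self_generated['private_key'],
    $self_generated['crl'],
    $hiera_data_file_path,
    $pkcs7_public_key_path
  )
  return true
}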