Exemplo n.º 1
0
def update(branch, repo):
    '''
    Execute an update for the configured git fileserver backend for Pillar

    CLI Example:

    .. code-block:: bash

        salt-run git_pillar.update branch='branch' repo='location'
    '''
    for opts_dict in __opts__.get('ext_pillar', []):
        parts = opts_dict.get('git', '').split()
        if len(parts) >= 2 and parts[:2] == [branch, repo]:
            salt.pillar.git_pillar.GitPillar(branch, repo, __opts__).update()
            break
    else:
        raise SaltRunnerError('git repo/branch not found in ext_pillar config')
Exemplo n.º 2
0
def gen_csr(
    minion_id,
    dns_name,
    organization_id,
    ou_name=None,
    key_len=2048,
    shatype="sha256",
    password=None,
):
    """

    CLI Example:

    .. code-block:: bash

        salt-run digicert.gen_csr <minion_id> <dns_name>
    """
    org_details = get_org_details(organization_id)

    if "error" in org_details:
        raise SaltRunnerError(
            "Problem getting organization details for organization_id={0} ({1})"
            .format(organization_id, org_details["error"]))
    if org_details["dict"].get("status", "active") == "inactive":
        raise SaltRunnerError(
            "Organization with organization_id={0} is marked inactive".format(
                organization_id))

    tmpdir = tempfile.mkdtemp()
    os.chmod(tmpdir, 0o700)

    bank = "digicert/domains"
    cache = salt.cache.Cache(__opts__, syspaths.CACHE_DIR)
    data = cache.fetch(bank, dns_name)
    if data is None:
        data = {}
    if "private_key" not in data:
        data["private_key"] = gen_key(minion_id,
                                      dns_name,
                                      password,
                                      key_len=key_len)

    tmppriv = "{0}/priv".format(tmpdir)
    tmpcsr = "{0}/csr".format(tmpdir)
    with salt.utils.files.fopen(tmppriv, "w") as if_:
        if_.write(salt.utils.stringutils.to_str(data["private_key"]))

    subject = "/C={0}/ST={1}/L={2}/O={3}".format(
        org_details["dict"]["country"],
        org_details["dict"]["state"],
        org_details["dict"]["city"],
        org_details["dict"]["display_name"],
    )

    if ou_name:
        subject = subject + "/OU={0}".format(ou_name)

    subject = subject + "/CN={0}".format(dns_name)

    cmd = "openssl req -new -{0} -key {1} -out {2} -subj '{3}'".format(
        shatype, tmppriv, tmpcsr, subject)
    output = __salt__["salt.cmd"]("cmd.run", cmd)

    if "problems making Certificate Request" in output:
        raise CommandExecutionError(
            "There was a problem generating the CSR. Please ensure that you "
            "have a valid Organization established inside CertCentral")

    with salt.utils.files.fopen(tmpcsr, "r") as of_:
        csr = salt.utils.stringutils.to_unicode(of_.read())

    data["minion_id"] = minion_id
    data["csr"] = csr
    cache.store(bank, dns_name, data)
    return csr
Exemplo n.º 3
0
def order_certificate(
    minion_id,
    common_name,
    organization_id,
    validity_years,
    cert_key_passphrase=None,
    signature_hash=None,
    key_len=2048,
    dns_names=None,
    organization_units=None,
    server_platform=None,
    custom_expiration_date=None,
    comments=None,
    disable_renewal_notifications=False,
    product_type_hint=None,
    renewal_of_order_id=None,
):
    """
    Order a certificate.  Requires that an Organization has been created inside Digicert's CertCentral.

    See here for API documentation:
    https://www.digicert.com/services/v2/documentation/order/order-ssl-determinator

    CLI Example:

    .. code-block:: bash

        salt-run digicert.order_certificate my_minionid my.domain.com 10 \
            3 signature_hash=sha256 \
            dns_names=['this.domain.com', 'that.domain.com'] \
            organization_units='My Domain Org Unit' \
            comments='Comment goes here for the approver'

    This runner can also be used to renew a certificate by passing `renewal_of_order_id`.
    Previous order details can be retrieved with digicertapi.list_orders.
    """

    if dns_names and isinstance(dns_names, six.string_types):
        dns_names = [dns_names]
    if dns_names and not isinstance(dns_names, collections.Sequence):
        raise SaltRunnerError(
            "order_certificate needs a single dns_name, or an array of dns_names."
        )
    certificate = {"common_name": common_name}
    certificate["dns_names"] = dns_names

    if signature_hash:
        certificate["signature_hash"] = signature_hash
    else:
        certificate["signature_hash"] = __opts__.get("digicert", {}).get(
            "shatype", "sha256")

    body = {}

    if organization_units and isinstance(organization_units, six.string_types):
        organization_units = [organization_units]
    if organization_units and not isinstance(organization_units,
                                             collections.Sequence):
        raise SaltRunnerError("Organization_units is not a valid data type.")
    if organization_units:
        certificate["organization_units"] = organization_units

    if organization_units:
        # Currently the Digicert API requires organization units to be an array
        # but only pays attention to the first one.
        csr = gen_csr(
            minion_id,
            common_name,
            organization_id,
            ou_name=organization_units[0],
            shatype=certificate["signature_hash"],
            key_len=key_len,
            password=cert_key_passphrase,
        )
    else:
        csr = gen_csr(
            minion_id,
            common_name,
            organization_id,
            shatype=certificate["signature_hash"],
            key_len=key_len,
            password=cert_key_passphrase,
        )

    certificate["csr"] = csr

    if server_platform:
        certificate["server_platform"]["id"] = server_platform

    body["organization"] = {"id": organization_id}

    if custom_expiration_date:
        body["custom_expiration_date"] = custom_expiration_date

    if validity_years:
        body["validity_years"] = validity_years

    if comments:
        body["comments"] = comments

    body["disable_renewal_notifications"] = disable_renewal_notifications

    if product_type_hint:
        body["product"] = {"type_hint": product_type_hint}
    if renewal_of_order_id:
        body["renewal_of_order_id"] = renewal_of_order_id

    body["certificate"] = certificate
    encoded_body = salt.utils.json.dumps(body)

    qdata = salt.utils.http.query(
        "{0}/order/certificate/ssl".format(_base_url()),
        method="POST",
        data=encoded_body,
        decode=True,
        decode_type="json",
        header_dict={
            "X-DC-DEVKEY": _api_key(),
            "Content-Type": "application/json"
        },
        raise_error=False,
    )
    if "errors" not in qdata["dict"]:
        bank = "digicert/domains"
        cache = salt.cache.Cache(__opts__, syspaths.CACHE_DIR)
        data = cache.fetch(bank, common_name)
        if data is None:
            data = {}
        data.update({
            "minion_id": minion_id,
            "order_id": qdata["dict"]["requests"][0]["id"],
            "csr": csr,
        })
        cache.store(bank, common_name, data)
        _id_map(minion_id, common_name)

    return {"order": qdata["dict"]}
Exemplo n.º 4
0
def update(branch=None, repo=None):
    '''
    .. versionadded:: 2014.1.0

    .. versionchanged:: 2015.8.4
        This runner function now supports the :ref:`git_pillar
        configuration schema <git-pillar-configuration>` introduced in
        2015.8.0. Additionally, the branch and repo can now be omitted to
        update all git_pillar remotes. The return data has also changed to
        a dictionary. The values will be ``True`` only if new commits were
        fetched, and ``False`` if there were errors or no new commits were
        fetched.

    .. versionchanged:: 2018.3.0
        The return for a given git_pillar remote will now be ``None`` when no
        changes were fetched. ``False`` now is reserved only for instances in
        which there were errors.

    Fetch one or all configured git_pillar remotes.

    .. note::
        This will *not* fast-forward the git_pillar cachedir on the master. All
        it does is perform a ``git fetch``. If this runner is executed with
        ``-l debug``, you may see a log message that says that the repo is
        up-to-date. Keep in mind that Salt automatically fetches git_pillar
        repos roughly every 60 seconds (or whatever
        :conf_master:`loop_interval` is set to). So, it is possible that the
        repo was fetched automatically in the time between when changes were
        pushed to the repo, and when this runner was executed. When in doubt,
        simply refresh pillar data using :py:func:`saltutil.refresh_pillar
        <salt.modules.saltutil.refresh_pillar>` and then use
        :py:func:`pillar.item <salt.modules.pillar.item>` to check if the
        pillar data has changed as expected.

    CLI Example:

    .. code-block:: bash

        # Update specific branch and repo
        salt-run git_pillar.update branch='branch' repo='https://foo.com/bar.git'
        # Update all repos
        salt-run git_pillar.update
        # Run with debug logging
        salt-run git_pillar.update -l debug
    '''
    ret = {}
    for ext_pillar in __opts__.get('ext_pillar', []):
        pillar_type = next(iter(ext_pillar))
        if pillar_type != 'git':
            continue
        pillar_conf = ext_pillar[pillar_type]
        pillar = salt.utils.gitfs.GitPillar(
            __opts__,
            pillar_conf,
            per_remote_overrides=salt.pillar.git_pillar.PER_REMOTE_OVERRIDES,
            per_remote_only=salt.pillar.git_pillar.PER_REMOTE_ONLY)
        for remote in pillar.remotes:
            # Skip this remote if it doesn't match the search criteria
            if branch is not None:
                if branch != remote.branch:
                    continue
            if repo is not None:
                if repo != remote.url:
                    continue
            try:
                result = remote.fetch()
            except Exception as exc:
                log.error(
                    'Exception \'%s\' caught while fetching git_pillar '
                    'remote \'%s\'',
                    exc,
                    remote.id,
                    exc_info_on_loglevel=logging.DEBUG)
                result = False
            finally:
                remote.clear_lock()
            ret[remote.id] = result

    if not ret:
        if branch is not None or repo is not None:
            raise SaltRunnerError(
                'Specified git branch/repo not found in ext_pillar config')
        else:
            raise SaltRunnerError('No git_pillar remotes are configured')

    return ret
Exemplo n.º 5
0
def gen_csr(minion_id,
            dns_name,
            organization_id,
            ou_name=None,
            key_len=2048,
            shatype='sha256',
            password=None):
    '''

    CLI Example:

    .. code-block:: bash

        salt-run digicert.gen_csr <minion_id> <dns_name>
    '''
    org_details = get_org_details(organization_id)

    if 'error' in org_details:
        raise SaltRunnerError(
            'Problem getting organization details for organization_id={0} ({1})'
            .format(organization_id, org_details['error']))
    if org_details['dict'].get('status', 'active') == 'inactive':
        raise SaltRunnerError(
            'Organization with organization_id={0} is marked inactive'.format(
                organization_id))

    tmpdir = tempfile.mkdtemp()
    os.chmod(tmpdir, 0o700)

    bank = 'digicert/domains'
    cache = salt.cache.Cache(__opts__, syspaths.CACHE_DIR)
    data = cache.fetch(bank, dns_name)
    if data is None:
        data = {}
    if 'private_key' not in data:
        data['private_key'] = gen_key(minion_id,
                                      dns_name,
                                      password,
                                      key_len=key_len)

    tmppriv = '{0}/priv'.format(tmpdir)
    tmpcsr = '{0}/csr'.format(tmpdir)
    with salt.utils.files.fopen(tmppriv, 'w') as if_:
        if_.write(salt.utils.stringutils.to_str(data['private_key']))

    subject = '/C={0}/ST={1}/L={2}/O={3}'.format(
        org_details['dict']['country'], org_details['dict']['state'],
        org_details['dict']['city'], org_details['dict']['display_name'])

    if ou_name:
        subject = subject + '/OU={0}'.format(ou_name)

    subject = subject + '/CN={0}'.format(dns_name)

    cmd = "openssl req -new -{0} -key {1} -out {2} -subj '{3}'".format(
        shatype, tmppriv, tmpcsr, subject)
    output = __salt__['salt.cmd']('cmd.run', cmd)

    if 'problems making Certificate Request' in output:
        raise CommandExecutionError(
            'There was a problem generating the CSR. Please ensure that you '
            'have a valid Organization established inside CertCentral')

    with salt.utils.files.fopen(tmpcsr, 'r') as of_:
        csr = salt.utils.stringutils.to_unicode(of_.read())

    data['minion_id'] = minion_id
    data['csr'] = csr
    cache.store(bank, dns_name, data)
    return csr
Exemplo n.º 6
0
def order_certificate(minion_id,
                      common_name,
                      organization_id,
                      validity_years,
                      cert_key_passphrase=None,
                      signature_hash=None,
                      key_len=2048,
                      dns_names=None,
                      organization_units=None,
                      server_platform=None,
                      custom_expiration_date=None,
                      comments=None,
                      disable_renewal_notifications=False,
                      product_type_hint=None,
                      renewal_of_order_id=None):
    '''
    Order a certificate.  Requires that an Organization has been created inside Digicert's CertCentral.

    See here for API documentation:
    https://www.digicert.com/services/v2/documentation/order/order-ssl-determinator

    CLI Example:

    .. code-block:: bash

        salt-run digicert.order_certificate my_minionid my.domain.com 10 \
            3 signature_hash=sha256 \
            dns_names=['this.domain.com', 'that.domain.com'] \
            organization_units='My Domain Org Unit' \
            comments='Comment goes here for the approver'

    This runner can also be used to renew a certificate by passing `renewal_of_order_id`.
    Previous order details can be retrieved with digicertapi.list_orders.
    '''

    if dns_names and isinstance(dns_names, six.string_types):
        dns_names = [dns_names]
    if dns_names and not isinstance(dns_names, collections.Sequence):
        raise SaltRunnerError(
            'order_certificate needs a single dns_name, or an array of dns_names.'
        )
    certificate = {'common_name': common_name}
    certificate['dns_names'] = dns_names

    if signature_hash:
        certificate['signature_hash'] = signature_hash
    else:
        certificate['signature_hash'] = __opts__.get('digicert', {}).get(
            'shatype', 'sha256')

    body = {}

    if organization_units and isinstance(organization_units, six.string_types):
        organization_units = [organization_units]
    if organization_units and not isinstance(organization_units,
                                             collections.Sequence):
        raise SaltRunnerError('Organization_units is not a valid data type.')
    if organization_units:
        certificate['organization_units'] = organization_units

    if organization_units:
        # Currently the Digicert API requires organization units to be an array
        # but only pays attention to the first one.
        csr = gen_csr(minion_id,
                      common_name,
                      organization_id,
                      ou_name=organization_units[0],
                      shatype=certificate['signature_hash'],
                      key_len=key_len,
                      password=cert_key_passphrase)
    else:
        csr = gen_csr(minion_id,
                      common_name,
                      organization_id,
                      shatype=certificate['signature_hash'],
                      key_len=key_len,
                      password=cert_key_passphrase)

    certificate['csr'] = csr

    if server_platform:
        certificate['server_platform']['id'] = server_platform

    body['organization'] = {'id': organization_id}

    if custom_expiration_date:
        body['custom_expiration_date'] = custom_expiration_date

    if validity_years:
        body['validity_years'] = validity_years

    if comments:
        body['comments'] = comments

    body['disable_renewal_notifications'] = disable_renewal_notifications

    if product_type_hint:
        body['product'] = {'type_hint': product_type_hint}
    if renewal_of_order_id:
        body['renewal_of_order_id'] = renewal_of_order_id

    body['certificate'] = certificate
    encoded_body = salt.utils.json.dumps(body)

    qdata = salt.utils.http.query('{0}/order/certificate/ssl'.format(
        _base_url()),
                                  method='POST',
                                  data=encoded_body,
                                  decode=True,
                                  decode_type='json',
                                  header_dict={
                                      'X-DC-DEVKEY': _api_key(),
                                      'Content-Type': 'application/json',
                                  },
                                  raise_error=False)
    if 'errors' not in qdata['dict']:
        bank = 'digicert/domains'
        cache = salt.cache.Cache(__opts__, syspaths.CACHE_DIR)
        data = cache.fetch(bank, common_name)
        if data is None:
            data = {}
        data.update({
            'minion_id': minion_id,
            'order_id': qdata['dict']['requests'][0]['id'],
            'csr': csr,
        })
        cache.store(bank, common_name, data)
        _id_map(minion_id, common_name)

    return {'order': qdata['dict']}
Exemplo n.º 7
0
def update(branch=None, repo=None):
    '''
    .. versionadded:: 2014.1.0

    .. versionchanged:: 2015.8.4
        This runner function now supports the :ref:`new git_pillar
        configuration schema <git-pillar-2015-8-0-and-later>` introduced in
        2015.8.0. Additionally, the branch and repo can now be omitted to
        update all git_pillar remotes. The return data has also changed. For
        releases 2015.8.3 and earlier, there is no value returned. Starting
        with 2015.8.4, the return data is a dictionary. If using the :ref:`old
        git_pillar configuration schema <git-pillar-pre-2015-8-0>`, then the
        dictionary values will be ``True`` if the update completed without
        error, and ``False`` if an error occurred. If using the :ref:`new
        git_pillar configuration schema <git-pillar-2015-8-0-and-later>`, the
        values will be ``True`` only if new commits were fetched, and ``False``
        if there were errors or no new commits were fetched.

    Fetch one or all configured git_pillar remotes.

    .. note::
        This will *not* fast-forward the git_pillar cachedir on the master. All
        it does is perform a ``git fetch``. If this runner is executed with
        ``-l debug``, you may see a log message that says that the repo is
        up-to-date. Keep in mind that Salt automatically fetches git_pillar
        repos roughly every 60 seconds (or whatever
        :conf_master:`loop_interval` is set to). So, it is possible that the
        repo was fetched automatically in the time between when changes were
        pushed to the repo, and when this runner was executed. When in doubt,
        simply refresh pillar data using :py:func:`saltutil.refresh_pillar
        <salt.modules.saltutil.refresh_pillar>` and then use
        :py:func:`pillar.item <salt.modules.pillar.item>` to check if the
        pillar data has changed as expected.

    CLI Example:

    .. code-block:: bash

        # Update specific branch and repo
        salt-run git_pillar.update branch='branch' repo='https://foo.com/bar.git'
        # Update all repos (2015.8.4 and later)
        salt-run git_pillar.update
        # Run with debug logging
        salt-run git_pillar.update -l debug
    '''
    ret = {}
    for ext_pillar in __opts__.get('ext_pillar', []):
        pillar_type = next(iter(ext_pillar))
        if pillar_type != 'git':
            continue
        pillar_conf = ext_pillar[pillar_type]
        if isinstance(pillar_conf, six.string_types):
            parts = pillar_conf.split()
            if len(parts) >= 2:
                desired_branch, desired_repo = parts[:2]
                # Skip this remote if it doesn't match the search criteria
                if branch is not None:
                    if branch != desired_branch:
                        continue
                if repo is not None:
                    if repo != desired_repo:
                        continue
                ret[pillar_conf] = salt.pillar.git_pillar._LegacyGitPillar(
                    parts[0], parts[1], __opts__).update()

        else:
            pillar = salt.utils.gitfs.GitPillar(__opts__)
            pillar.init_remotes(pillar_conf,
                                salt.pillar.git_pillar.PER_REMOTE_OVERRIDES,
                                salt.pillar.git_pillar.PER_REMOTE_ONLY)
            for remote in pillar.remotes:
                # Skip this remote if it doesn't match the search criteria
                if branch is not None:
                    if branch != remote.branch:
                        continue
                if repo is not None:
                    if repo != remote.url:
                        continue
                try:
                    result = remote.fetch()
                except Exception as exc:
                    log.error(
                        'Exception \'{0}\' caught while fetching git_pillar '
                        'remote \'{1}\''.format(exc, remote.id),
                        exc_info_on_loglevel=logging.DEBUG)
                    result = False
                finally:
                    remote.clear_lock()
                ret[remote.id] = result

    if not ret:
        if branch is not None or repo is not None:
            raise SaltRunnerError(
                'Specified git branch/repo not found in ext_pillar config')
        else:
            raise SaltRunnerError('No git_pillar remotes are configured')

    return ret
Exemplo n.º 8
0
def update(branch=None, repo=None):
    '''
    .. versionadded:: 2014.1.0

    .. versionchanged:: 2015.8.4
        This runner function now supports the :ref:`new git_pillar
        configuration schema <git-pillar-2015-8-0-and-later>` introduced in
        2015.8.0. Additionally, the branch and repo can now be omitted to
        update all git_pillar remotes. The return data has also changed. For
        releases 2015.8.3 and earlier, there is no value returned. Starting
        with 2015.8.4, the return data is a dictionary. If using the :ref:`old
        git_pillar configuration schema <git-pillar-pre-2015-8-0>`, then the
        dictionary values will be ``True`` if the update completed without
        error, and ``False`` if an error occurred. If using the :ref:`new
        git_pillar configuration schema <git-pillar-2015-8-0-and-later>`, the
        values will be ``True`` only if new commits were fetched, and ``False``
        if there were errors or no new commits were fetched.

    Update one or all configured git_pillar remotes.

    CLI Example:

    .. code-block:: bash

        # Update specific branch and repo
        salt-run git_pillar.update branch='branch' repo='https://foo.com/bar.git'
        # Update all repos (2015.8.4 and later)
        salt-run git_pillar.update
        # Run with debug logging
        salt-run git_pillar.update -l debug
    '''
    ret = {}
    for ext_pillar in __opts__.get('ext_pillar', []):
        pillar_type = next(iter(ext_pillar))
        if pillar_type != 'git':
            continue
        pillar_conf = ext_pillar[pillar_type]
        if isinstance(pillar_conf, six.string_types):
            parts = pillar_conf.split()
            if len(parts) >= 2:
                desired_branch, desired_repo = parts[:2]
                # Skip this remote if it doesn't match the search criteria
                if branch is not None:
                    if branch != desired_branch:
                        continue
                if repo is not None:
                    if repo != desired_repo:
                        continue
                ret[pillar_conf] = salt.pillar.git_pillar._LegacyGitPillar(
                    parts[0],
                    parts[1],
                    __opts__).update()

        else:
            pillar = salt.utils.gitfs.GitPillar(__opts__)
            pillar.init_remotes(pillar_conf,
                                salt.pillar.git_pillar.PER_REMOTE_OVERRIDES)
            for remote in pillar.remotes:
                # Skip this remote if it doesn't match the search criteria
                if branch is not None:
                    if branch != remote.branch:
                        continue
                if repo is not None:
                    if repo != remote.url:
                        continue
                try:
                    result = remote.fetch()
                except Exception as exc:
                    log.error(
                        'Exception \'{0}\' caught while fetching git_pillar '
                        'remote \'{1}\''.format(exc, remote.id),
                        exc_info_on_loglevel=logging.DEBUG
                    )
                    result = False
                finally:
                    remote.clear_lock()
                ret[remote.id] = result

    if not ret:
        if branch is not None or repo is not None:
            raise SaltRunnerError(
                'Specified git branch/repo not found in ext_pillar config'
            )
        else:
            raise SaltRunnerError('No git_pillar remotes are configured')

    return ret