kosmos/chef
8
3
Fork 0
Code Issues 34 Pull Requests 3 Projects 2 Activity

Vendor the external cookbooks

Browse Source 
Knife-Zero doesn't include Berkshelf support, so vendoring everything in
the repo is convenient again
This commit is contained in:
Greg Karékinian
2019-10-13 19:17:42 +02:00
parent f4bfe31ac1
commit a32f34b408
1245 changed files with 100630 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
cookbooks/openssl/resources/dhparam.rb Normal file
View File

@@ -0,0 +1,48 @@
#
# Copyright:: Copyright 2009-2018, Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
chef_version_for_provides '< 14.0' if respond_to?(:chef_version_for_provides)
resource_name :openssl_dhparam
include OpenSSLCookbook::Helpers
property :path, String, name_property: true
property :key_length, equal_to: [1024, 2048, 4096, 8192], default: 2048
property :generator, equal_to: [2, 5], default: 2
property :owner, String
property :group, String
property :mode, [Integer, String], default: '0640'
action :create do
unless dhparam_pem_valid?(new_resource.path)
converge_by("Create a dhparam file #{new_resource.path}") do
dhparam_content = gen_dhparam(new_resource.key_length, new_resource.generator).to_pem
log "Generating #{new_resource.key_length} bit "\
"dhparam file at #{new_resource.path}, this may take some time"
file new_resource.path do
action :create
owner new_resource.owner unless new_resource.owner.nil?
group new_resource.group unless new_resource.group.nil?
mode new_resource.mode
sensitive true
content dhparam_content
end
end
end
end

55
cookbooks/openssl/resources/ec_private_key.rb Normal file
View File

@@ -0,0 +1,55 @@
#
# Copyright:: Copyright 2018, Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
chef_version_for_provides '< 14.4' if respond_to?(:chef_version_for_provides)
resource_name :openssl_ec_private_key
include OpenSSLCookbook::Helpers
property :path, String, name_property: true
property :key_curve, equal_to: %w(secp384r1 secp521r1 prime256v1 secp224r1 secp256k1), default: 'prime256v1'
property :key_pass, String
property :key_cipher, String, default: 'des3', equal_to: ::OpenSSL::Cipher.ciphers
property :owner, String
property :group, String
property :mode, [Integer, String], default: '0640'
property :force, [true, false], default: false
action :create do
unless new_resource.force || priv_key_file_valid?(new_resource.path, new_resource.key_pass)
converge_by("Create an EC private key #{new_resource.path}") do
log "Generating an #{new_resource.key_curve} "\
"EC key file at #{new_resource.name}, this may take some time"
if new_resource.key_pass
unencrypted_ec_key = gen_ec_priv_key(new_resource.key_curve)
ec_key_content = encrypt_ec_key(unencrypted_ec_key, new_resource.key_pass, new_resource.key_cipher)
else
ec_key_content = gen_ec_priv_key(new_resource.key_curve).to_pem
end
file new_resource.path do
action :create
owner new_resource.owner unless new_resource.owner.nil?
group new_resource.group unless new_resource.group.nil?
mode new_resource.mode
sensitive true
content ec_key_content
end
end
end
end

45
cookbooks/openssl/resources/ec_public_key.rb Normal file
View File

@@ -0,0 +1,45 @@
#
# Copyright:: Copyright 2018, Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
chef_version_for_provides '< 14.4' if respond_to?(:chef_version_for_provides)
resource_name :openssl_ec_public_key
include OpenSSLCookbook::Helpers
property :path, String, name_property: true
property :private_key_path, String
property :private_key_content, String
property :private_key_pass, String
property :owner, String
property :group, String
property :mode, [Integer, String], default: '0640'
action :create do
raise ArgumentError, "You cannot specify both 'private_key_path' and 'private_key_content' properties at the same time." if new_resource.private_key_path && new_resource.private_key_content
raise ArgumentError, "You must specify the private key with either 'private_key_path' or 'private_key_content' properties." unless new_resource.private_key_path || new_resource.private_key_content
raise "#{new_resource.private_key_path} not a valid private EC key or password is invalid" unless priv_key_file_valid?((new_resource.private_key_path || new_resource.private_key_content), new_resource.private_key_pass)
ec_key_content = gen_ec_pub_key((new_resource.private_key_path || new_resource.private_key_content), new_resource.private_key_pass)
file new_resource.path do
action :create
owner new_resource.owner unless new_resource.owner.nil?
group new_resource.group unless new_resource.group.nil?
mode new_resource.mode
content ec_key_content
end
end

55
cookbooks/openssl/resources/rsa_private_key.rb Normal file
View File

@@ -0,0 +1,55 @@
#
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
chef_version_for_provides '< 14.0' if respond_to?(:chef_version_for_provides)
resource_name :openssl_rsa_private_key
provides :openssl_rsa_key # legacy name
include OpenSSLCookbook::Helpers
property :path, String, name_property: true
property :key_length, equal_to: [1024, 2048, 4096, 8192], default: 2048
property :key_pass, String
property :key_cipher, String, default: 'des3', equal_to: ::OpenSSL::Cipher.ciphers
property :owner, String
property :group, String
property :mode, [Integer, String], default: '0640'
property :force, [true, false], default: false
action :create do
unless new_resource.force || priv_key_file_valid?(new_resource.path, new_resource.key_pass)
converge_by("Create an RSA private key #{new_resource.path}") do
log "Generating #{new_resource.key_length} bit "\
"RSA key file at #{new_resource.path}, this may take some time"
if new_resource.key_pass
unencrypted_rsa_key = gen_rsa_priv_key(new_resource.key_length)
rsa_key_content = encrypt_rsa_key(unencrypted_rsa_key, new_resource.key_pass, new_resource.key_cipher)
else
rsa_key_content = gen_rsa_priv_key(new_resource.key_length).to_pem
end
file new_resource.path do
action :create
owner new_resource.owner unless new_resource.owner.nil?
group new_resource.group unless new_resource.group.nil?
mode new_resource.mode
sensitive true
content rsa_key_content
end
end
end
end

45
cookbooks/openssl/resources/rsa_public_key.rb Normal file
View File

@@ -0,0 +1,45 @@
#
# Copyright:: Copyright 2018, Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
chef_version_for_provides '< 14.0' if respond_to?(:chef_version_for_provides)
resource_name :openssl_rsa_public_key
include OpenSSLCookbook::Helpers
property :path, String, name_property: true
property :private_key_path, String
property :private_key_content, String
property :private_key_pass, String
property :owner, String
property :group, String
property :mode, [Integer, String], default: '0640'
action :create do
raise ArgumentError, "You cannot specify both 'private_key_path' and 'private_key_content' properties at the same time." if new_resource.private_key_path && new_resource.private_key_content
raise ArgumentError, "You must specify the private key with either 'private_key_path' or 'private_key_content' properties." unless new_resource.private_key_path || new_resource.private_key_content
raise "#{new_resource.private_key_path} not a valid private RSA key or password is invalid" unless priv_key_file_valid?((new_resource.private_key_path || new_resource.private_key_content), new_resource.private_key_pass)
rsa_key_content = gen_rsa_pub_key((new_resource.private_key_path || new_resource.private_key_content), new_resource.private_key_pass)
file new_resource.path do
action :create
owner new_resource.owner unless new_resource.owner.nil?
group new_resource.group unless new_resource.group.nil?
mode new_resource.mode
content rsa_key_content
end
end

151
cookbooks/openssl/resources/x509_certificate.rb Normal file
View File

@@ -0,0 +1,151 @@
#
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
chef_version_for_provides '< 14.4' if respond_to?(:chef_version_for_provides)
resource_name :openssl_x509_certificate
provides :openssl_x509 # legacy_name
include OpenSSLCookbook::Helpers
property :path, String, name_property: true
property :owner, String
property :group, String
property :expire, Integer, default: 365
property :mode, [Integer, String], default: '0644'
property :country, String
property :state, String
property :city, String
property :org, String
property :org_unit, String
property :common_name, String
property :email, String
property :extensions, Hash, default: {}
property :subject_alt_name, Array, default: []
property :key_file, String
property :key_pass, String
property :key_type, equal_to: %w(rsa ec), default: 'rsa'
property :key_length, equal_to: [1024, 2048, 4096, 8192], default: 2048
property :key_curve, equal_to: %w(secp384r1 secp521r1 prime256v1), default: 'prime256v1'
property :csr_file, String
property :ca_cert_file, String
property :ca_key_file, String
property :ca_key_pass, String
action :create do
unless ::File.exist? new_resource.path
converge_by("Create #{@new_resource}") do
file new_resource.path do
action :create_if_missing
mode new_resource.mode
owner new_resource.owner unless new_resource.owner.nil?
group new_resource.group unless new_resource.group.nil?
sensitive true
content cert.to_pem
end
if new_resource.csr_file.nil?
file new_resource.key_file do
action :create_if_missing
mode new_resource.mode
owner new_resource.owner unless new_resource.owner.nil?
group new_resource.group unless new_resource.group.nil?
sensitive true
content key.to_pem
end
end
end
end
end
action_class do
def generate_key_file
unless new_resource.key_file
path, file = ::File.split(new_resource.path)
filename = ::File.basename(file, ::File.extname(file))
new_resource.key_file path + '/' + filename + '.key'
end
new_resource.key_file
end
def key
@key ||= if priv_key_file_valid?(generate_key_file, new_resource.key_pass)
::OpenSSL::PKey.read ::File.read(generate_key_file), new_resource.key_pass
elsif new_resource.key_type == 'rsa'
gen_rsa_priv_key(new_resource.key_length)
else
gen_ec_priv_key(new_resource.key_curve)
end
@key
end
def request
request = if new_resource.csr_file.nil?
gen_x509_request(subject, key)
else
::OpenSSL::X509::Request.new ::File.read(new_resource.csr_file)
end
request
end
def subject
subject = ::OpenSSL::X509::Name.new()
subject.add_entry('C', new_resource.country) unless new_resource.country.nil?
subject.add_entry('ST', new_resource.state) unless new_resource.state.nil?
subject.add_entry('L', new_resource.city) unless new_resource.city.nil?
subject.add_entry('O', new_resource.org) unless new_resource.org.nil?
subject.add_entry('OU', new_resource.org_unit) unless new_resource.org_unit.nil?
subject.add_entry('CN', new_resource.common_name)
subject.add_entry('emailAddress', new_resource.email) unless new_resource.email.nil?
subject
end
def ca_private_key
ca_private_key = if new_resource.csr_file.nil?
key
else
::OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
end
ca_private_key
end
def ca_info
# Will contain issuer (if any) & expiration
ca_info = {}
unless new_resource.ca_cert_file.nil?
ca_info['issuer'] = ::OpenSSL::X509::Certificate.new ::File.read(new_resource.ca_cert_file)
end
ca_info['validity'] = new_resource.expire
ca_info
end
def extensions
extensions = gen_x509_extensions(new_resource.extensions)
unless new_resource.subject_alt_name.empty?
extensions += gen_x509_extensions('subjectAltName' => { 'values' => new_resource.subject_alt_name, 'critical' => false })
end
extensions
end
def cert
cert = gen_x509_cert(request, extensions, ca_info, ca_private_key)
cert
end
end

88
cookbooks/openssl/resources/x509_crl.rb Normal file
View File

@@ -0,0 +1,88 @@
#
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
chef_version_for_provides '< 14.4' if respond_to?(:chef_version_for_provides)
resource_name :openssl_x509_crl
include OpenSSLCookbook::Helpers
property :path, String, name_property: true
property :serial_to_revoke, [Integer, String]
property :revocation_reason, Integer, default: 0
property :expire, Integer, default: 8
property :renewal_threshold, Integer, default: 1
property :ca_cert_file, String, required: true
property :ca_key_file, String, required: true
property :ca_key_pass, String
property :owner, String
property :group, String
property :mode, String
action :create do
file new_resource.path do
owner new_resource.owner unless new_resource.owner.nil?
group new_resource.group unless new_resource.group.nil?
mode new_resource.mode unless new_resource.mode.nil?
content crl.to_pem
action :create
end
end
action_class do
def crl_info
# Will contain issuer & expiration
crl_info = {}
crl_info['issuer'] = ::OpenSSL::X509::Certificate.new ::File.read(new_resource.ca_cert_file)
crl_info['validity'] = new_resource.expire
crl_info
end
def revoke_info
# Will contain Serial to revoke & reason
revoke_info = {}
revoke_info['serial'] = new_resource.serial_to_revoke
revoke_info['reason'] = new_resource.revocation_reason
revoke_info
end
def ca_private_key
ca_private_key = ::OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
ca_private_key
end
def crl
if crl_file_valid?(new_resource.path)
crl = ::OpenSSL::X509::CRL.new ::File.read(new_resource.path)
else
log "Creating a CRL #{new_resource.path} for CA #{new_resource.ca_cert_file}"
crl = gen_x509_crl(ca_private_key, crl_info)
end
if !new_resource.serial_to_revoke.nil? && serial_revoked?(crl, new_resource.serial_to_revoke) == false
log "Revoking serial #{new_resource.serial_to_revoke} in CRL #{new_resource.path}"
crl = revoke_x509_crl(revoke_info, crl, ca_private_key, crl_info)
elsif crl.next_update <= Time.now + 3600 * 24 * new_resource.renewal_threshold
log "Renewing CRL for CA #{new_resource.ca_cert_file}"
crl = renew_x509_crl(crl, ca_private_key, crl_info)
end
crl
end
end

98
cookbooks/openssl/resources/x509_request.rb Normal file
View File

@@ -0,0 +1,98 @@
#
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
chef_version_for_provides '< 14.4' if respond_to?(:chef_version_for_provides)
resource_name :openssl_x509_request
include OpenSSLCookbook::Helpers
property :path, String, name_property: true
property :owner, String
property :group, String
property :mode, [Integer, String], default: '0644'
property :country, String
property :state, String
property :city, String
property :org, String
property :org_unit, String
property :common_name, String, required: true
property :email, String
property :key_file, String
property :key_pass, String
property :key_type, equal_to: %w(rsa ec), default: 'ec'
property :key_length, equal_to: [1024, 2048, 4096, 8192], default: 2048
property :key_curve, equal_to: %w(secp384r1 secp521r1 prime256v1), default: 'prime256v1'
action :create do
unless ::File.exist? new_resource.path
converge_by("Create CSR #{@new_resource}") do
file new_resource.name do
owner new_resource.owner unless new_resource.owner.nil?
group new_resource.group unless new_resource.group.nil?
mode new_resource.mode
content csr.to_pem
action :create
end
file new_resource.key_file do
mode new_resource.mode
owner new_resource.owner unless new_resource.owner.nil?
group new_resource.group unless new_resource.group.nil?
content key.to_pem
sensitive true
action :create_if_missing
end
end
end
end
action_class do
def generate_key_file
unless new_resource.key_file
path, file = ::File.split(new_resource.path)
filename = ::File.basename(file, ::File.extname(file))
new_resource.key_file path + '/' + filename + '.key'
end
new_resource.key_file
end
def key
@key ||= if priv_key_file_valid?(generate_key_file, new_resource.key_pass)
::OpenSSL::PKey.read ::File.read(generate_key_file), new_resource.key_pass
elsif new_resource.key_type == 'rsa'
gen_rsa_priv_key(new_resource.key_length)
else
gen_ec_priv_key(new_resource.key_curve)
end
@key
end
def subject
csr_subject = ::OpenSSL::X509::Name.new()
csr_subject.add_entry('C', new_resource.country) unless new_resource.country.nil?
csr_subject.add_entry('ST', new_resource.state) unless new_resource.state.nil?
csr_subject.add_entry('L', new_resource.city) unless new_resource.city.nil?
csr_subject.add_entry('O', new_resource.org) unless new_resource.org.nil?
csr_subject.add_entry('OU', new_resource.org_unit) unless new_resource.org_unit.nil?
csr_subject.add_entry('CN', new_resource.common_name)
csr_subject.add_entry('emailAddress', new_resource.email) unless new_resource.email.nil?
csr_subject
end
def csr
gen_x509_request(subject, key)
end
end