diff --git a/lib/puppet/face/certificate.rb b/lib/puppet/face/certificate.rb
index 5e176e27e..8019b6bea 100644
--- a/lib/puppet/face/certificate.rb
+++ b/lib/puppet/face/certificate.rb
@@ -1,119 +1,119 @@ require 'puppet/indirector/face' require 'puppet/ssl/host' Puppet::Indirector::Face.define(:certificate, '0.0.1') do copyright "Puppet Labs", 2011 license "Apache 2 license; see COPYING" summary "Provide access to the CA for certificate management." description <<-EOT This subcommand interacts with a local or remote Puppet certificate authority. Currently, its behavior is not a full superset of `puppet cert`; specifically, it is unable to mimic puppet cert's "clean" option, and its "generate" action submits a CSR rather than creating a signed certificate. EOT option "--ca-location LOCATION" do required summary "Which certificate authority to use (local or remote)." description <<-EOT Whether to act on the local certificate authority or one provided by a remote puppet master. Allowed values are 'local' and 'remote.' This option is required. EOT before_action do |action, args, options| unless [:remote, :local, :only].include? options[:ca_location].to_sym raise ArgumentError, "Valid values for ca-location are 'remote', 'local', 'only'." end Puppet::SSL::Host.ca_location = options[:ca_location].to_sym end end action :generate do summary "Generate a new certificate signing request." arguments "" returns "Nothing." description <<-EOT Generates and submits a certificate signing request (CSR) for the specified host. This CSR will then have to be signed by a user with the proper authorization on the certificate authority. Puppet agent usually handles CSR submission automatically. This action is primarily useful for requesting certificates for individual users and external applications. 
EOT examples <<-EOT Request a certificate for "somenode" from the site's CA: $ puppet certificate generate somenode.puppetlabs.lan --ca-location remote EOT when_invoked do |name, options| host = Puppet::SSL::Host.new(name) host.generate_certificate_request host.certificate_request.class.indirection.save(host.certificate_request) end end action :list do summary "List all certificate signing requests." returns <<-EOT An array of #inspect output from CSR objects. This output is currently messy, but does contain the names of nodes requesting certificates. This action returns #inspect strings even when used from the Ruby API. EOT when_invoked do |options| Puppet::SSL::Host.indirection.search("*", { :for => :certificate_request, }).map { |h| h.inspect } end end action :sign do summary "Sign a certificate signing request for HOST." arguments "" returns <<-EOT A string that appears to be (but isn't) an x509 certificate. EOT examples <<-EOT Sign somenode.puppetlabs.lan's certificate: $ puppet certificate sign somenode.puppetlabs.lan --ca-location remote EOT when_invoked do |name, options| host = Puppet::SSL::Host.new(name) host.desired_state = 'signed' Puppet::SSL::Host.indirection.save(host) end end # Indirector action doc overrides find = get_action(:find) find.summary "Retrieve a certificate." find.arguments "" + find.render_as = :s find.returns <<-EOT - An x509 SSL certificate. You will usually want to render this as a - string (--render-as s). + An x509 SSL certificate. Note that this action has a side effect of caching a copy of the certificate in Puppet's `ssldir`. EOT destroy = get_action(:destroy) destroy.summary "Delete a certificate." destroy.arguments "" destroy.returns "Nothing." destroy.description <<-EOT Deletes a certificate. This action currently only works on the local CA. EOT get_action(:search).summary "Invalid for this subcommand." get_action(:save).summary "Invalid for this subcommand." get_action(:save).description "Invalid for this subcommand." end 
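Review bot: The `find.returns` text for the `certificate` face now reads only "An x509 SSL certificate." and no longer tells the reader that the CLI prints a string rendering while API callers receive an object, which the `certificate_request` and `certificate_revocation_list` faces still spell out. I would add a line such as `When used from the Ruby API, returns a Puppet::SSL::Certificate object.` after confirming that is the class `find` actually returns. Separately, in the unchanged context of this hunk the `--ca-location` description lists only 'local' and 'remote' while the `before_action` check also accepts `:only`. Since this option selects which CA the actions in this face operate on, the help text and the accepted values should agree.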
diff --git a/lib/puppet/face/certificate_request.rb b/lib/puppet/face/certificate_request.rb
index 1fb4e81cc..cf342d51a 100644
--- a/lib/puppet/face/certificate_request.rb
+++ b/lib/puppet/face/certificate_request.rb
@@ -1,55 +1,53 @@ require 'puppet/indirector/face' Puppet::Indirector::Face.define(:certificate_request, '0.0.1') do copyright "Puppet Labs", 2011 license "Apache 2 license; see COPYING" summary "Manage certificate requests." description <<-EOT This subcommand retrieves and submits certificate signing requests (CSRs). EOT # Per-action doc overrides get_action(:destroy).summary "Invalid for this subcommand." find = get_action(:find) find.summary "Retrieve a single CSR." find.arguments "" + find.render_as = :s find.returns <<-EOT A single certificate request. When used from the Ruby API, returns a Puppet::SSL::CertificateRequest object. - - RENDERING ISSUES: In most cases, you will want to render this as a string - ('--render-as s'). EOT find.examples <<-EOT Retrieve a single CSR from the puppet master's CA: $ puppet certificate_request find somenode.puppetlabs.lan --terminus rest EOT search = get_action(:search) search.summary "Retrieve all outstanding CSRs." search.arguments "" - A list of certificate requests; be sure to to render this as a string - ('--render-as s'). When used from the Ruby API, returns an array of - Puppet::SSL::CertificateRequest objects. + search.render_as = :s search.returns <<-EOT + A list of certificate requests. When used from the Ruby API, returns an + array of Puppet::SSL::CertificateRequest objects. EOT search.short_description <<-EOT Retrieves all outstanding certificate signing requests. Due to a known bug, this action requires a dummy search key, the content of which is irrelevant. EOT search.notes <<-EOT Although this action always returns all CSRs, it requires a dummy search key; this is a known bug. EOT search.examples <<-EOT Retrieve all CSRs from the local CA (similar to 'puppet cert list'): $ puppet certificate_request search x --terminus ca EOT get_action(:save).summary "API only: submit a certificate signing request." get_action(:save).arguments "" end 
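Review bot: `search.render_as = :s` applies the string format to a result the docs describe as an array of Puppet::SSL::CertificateRequest objects, and how an Array is turned into a string is not visible in this hunk. If the `:s` renderer ends up calling `Array#to_s`, the output differs between Ruby 1.8 (elements concatenated) and 1.9 (inspect form), so the listed CSRs could be hard to read for an operator deciding what to sign. A spec that renders a two-element result and checks for one PEM block per request would settle this. The same kind of check would also pin the new `find.render_as = :s` defaults added in the `certificate` and `certificate_revocation_list` hunks, for which no spec change is visible in this part of the diff.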
diff --git a/lib/puppet/face/certificate_revocation_list.rb b/lib/puppet/face/certificate_revocation_list.rb
index 1623d4342..022323b29 100644
--- a/lib/puppet/face/certificate_revocation_list.rb
+++ b/lib/puppet/face/certificate_revocation_list.rb
@@ -1,60 +1,58 @@ require 'puppet/indirector/face' Puppet::Indirector::Face.define(:certificate_revocation_list, '0.0.1') do copyright "Puppet Labs", 2011 license "Apache 2 license; see COPYING" summary "Manage the list of revoked certificates." description <<-EOT This subcommand is primarily for retrieving the certificate revocation list from the CA. EOT find = get_action(:find) find.summary "Retrieve the certificate revocation list." find.arguments "" + find.render_as = :s find.returns <<-EOT The certificate revocation list. When used from the Ruby API: returns an OpenSSL::X509::CRL object. - - RENDERING ISSUES: this should usually be rendered as a string - ('--render-as s'). EOT find.short_description <<-EOT Retrieves the certificate revocation list. Due to a known bug, this action requires a dummy argument, the content of which is irrelevant. EOT find.notes <<-EOT Although this action always returns the CRL from the specified terminus, it requires a dummy argument; this is a known bug. EOT find.examples <<-EXAMPLES Retrieve a copy of the puppet master's CRL: $ puppet certificate_revocation_list find crl --terminus rest EXAMPLES destroy = get_action(:destroy) destroy.summary "Delete the certificate revocation list." destroy.arguments "" destroy.returns "Nothing." destroy.description <<-EOT Deletes the certificate revocation list. This cannot be done over REST, but it is possible to delete the locally cached copy or the local CA's copy of the CRL. EOT destroy.short_description <<-EOT Deletes the certificate revocation list. This cannot be done over REST, but it is possible to delete the locally cached copy or the local CA's copy of the CRL. Due to a known bug, this action requires a dummy argument, the content of which is irrelevant. EOT destroy.notes <<-EOT Although this action always deletes the CRL from the specified terminus, it requires a dummy argument; this is a known bug. EOT get_action(:search).summary "Invalid for this subcommand." 
get_action(:save).summary "Invalid for this subcommand." get_action(:save).description "Invalid for this subcommand." end