Enforce SSL configuration using puppet, add dirs for debian and global CAs
authorPaul Wise <pabs@debian.org>
Wed, 31 Dec 2014 02:32:55 +0000 (10:32 +0800)
committerPaul Wise <pabs@debian.org>
Wed, 7 Jan 2015 05:11:34 +0000 (13:11 +0800)
modules/buildd/manifests/init.pp
modules/samhain/templates/samhainrc.erb
modules/ssl/files/README.ca-debian [new file with mode: 0644]
modules/ssl/files/README.ca-global [new file with mode: 0644]
modules/ssl/files/README.certs [new file with mode: 0644]
modules/ssl/files/local-ssl-ca-global [new file with mode: 0644]
modules/ssl/files/update-ca-certificates-dsa [new file with mode: 0755]
modules/ssl/manifests/init.pp

index c4087d2..3c64de2 100644 (file)
@@ -53,7 +53,7 @@ class buildd ($ensure=present) {
 
        if ($::lsbmajdistrelease >= 8) {
                file { '/etc/apt/apt.conf.d/puppet-https-buildd':
-                       content => "Acquire::https::buildd.debian.org::CaInfo \"/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt\";\n",
+                       content => "Acquire::https::buildd.debian.org::CaInfo \"/etc/ssl/ca-debian/ca-certificates.crt\";\n",
                }
        } else {
                file { '/etc/apt/apt.conf.d/puppet-https-buildd':
index 9ba82ad..2758d46 100644 (file)
@@ -368,6 +368,7 @@ file=/etc/apt/sources.list.d/backports.org.list
 file=/etc/apt/apt.conf.d/local-compression
 file=/etc/apt/apt.conf.d/local-recommends
 file=/etc/apt/apt.conf.d/local-pdiffs
+file=/etc/apt/apt.conf.d/local-ssl-ca-global
 file=/etc/apt/preferences.d/buildd
 file=/etc/systemd/system/puppet.service
 file=/etc/puppet/puppet.conf
@@ -452,6 +453,11 @@ file=/etc/ferm/conf.d/defs.conf
 file=/etc/ferm/ferm.conf
 dir=2/etc/ssl/debian
 dir=1/etc/ssl/certs
+dir=1/etc/ssl/ca-debian
+dir=1/etc/ssl/ca-global
+file=/etc/ca-certificates.conf
+file=/etc/ca-certificates-debian.conf
+file=/etc/ca-certificates-global.conf
 file=/etc/unbound/unbound.conf
 <% if scope.lookupvar('::fqdn') == "draghi.debian.org" -%>
 file=/etc/openvpn/deb-mgmt-clients.pool
diff --git a/modules/ssl/files/README.ca-debian b/modules/ssl/files/README.ca-debian
new file mode 100644 (file)
index 0000000..316bd8d
--- /dev/null
@@ -0,0 +1,13 @@
+This directory contains the certificate(s) for the certificate authorities
+that have signed current service certificates for debian.org services.
+
+The purpose of this directory is to allow verification of service certificates
+for debian.org services by software that is unable to properly verify service
+certificates that are available in the default certificate store.
+
+Please *do not* use it for verification of debian.org service certificates
+unless the software you are using is buggy and there is no other alternative.
+Please *file bugs* on any software that you find that needs to use this
+directory and usertag those bugs using this bts command:
+
+bts user debian-admin@lists.debian.org , usertags 123456 + needed-by-DSA-Team
diff --git a/modules/ssl/files/README.ca-global b/modules/ssl/files/README.ca-global
new file mode 100644 (file)
index 0000000..5fb1778
--- /dev/null
@@ -0,0 +1,13 @@
+This directory contains all of the certificates for certificate authorities
+trusted by the ca-certificates Debian package, which is mostly a copy
+of the certificates trusted by the Mozilla certificate store.
+
+The purpose of this directory is to allow verification of certificates from
+a wide variety of external services on the global Internet that could
+change their certificate at any time and could change their certificate
+signing authority at any time.
+
+Please *do not* use it for verification of debian.org service certificates.
+
+Please *do not* use it for verification of certificates when pinning to a
+specific service certificate or certificate authority is a viable option.
diff --git a/modules/ssl/files/README.certs b/modules/ssl/files/README.certs
new file mode 100644 (file)
index 0000000..edf4cc6
--- /dev/null
@@ -0,0 +1,8 @@
+This directory *only* contains the certificate(s) for the current service
+certificates for debian.org services.
+
+The purpose of this directory is to allow verification of service certificates
+for debian.org services by software that is able to properly verify service
+certificates that are available in the default certificate store.
+
+Please *use it* in preference to other certificate stores when possible.
diff --git a/modules/ssl/files/local-ssl-ca-global b/modules/ssl/files/local-ssl-ca-global
new file mode 100644 (file)
index 0000000..cb8bb34
--- /dev/null
@@ -0,0 +1,6 @@
+DPkg::Pre-Install-Pkgs {
+  "if grep -q '^ca-certificates_.*\.deb$' ; then touch /run/dsa-ca-certificates-global ; fi";
+};
+DPkg::Post-Invoke {
+  "if [ -e /run/dsa-ca-certificates-global ]; then /usr/local/sbin/update-ca-certificates-dsa --fresh --default --certsconf /etc/ca-certificates-global.conf --etccertsdir /etc/ssl/ca-global --hooksdir /dev/null ; rm -f /run/dsa-ca-certificates-global ; fi";
+};
diff --git a/modules/ssl/files/update-ca-certificates-dsa b/modules/ssl/files/update-ca-certificates-dsa
new file mode 100755 (executable)
index 0000000..b6d35a1
--- /dev/null
@@ -0,0 +1,210 @@
+#!/bin/sh -e
+# This is a copy of update-ca-certificates from the ca-certificates package in jessie
+# with patches applied to allow custom paths and to allow setting to default certs:
+# https://bugs.debian.org/774059
+# https://bugs.debian.org/774201
+#
+# update-ca-certificates
+#
+# Copyright (c) 2003 Fumitoshi UKAI <ukai@debian.or.jp>
+# Copyright (c) 2009 Philipp Kern <pkern@debian.org>
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02111-1301,
+# USA.
+#
+
+verbose=0
+fresh=0
+default=0
+CERTSCONF=/etc/ca-certificates.conf
+CERTSDIR=/usr/share/ca-certificates
+LOCALCERTSDIR=/usr/local/share/ca-certificates
+CERTBUNDLE=ca-certificates.crt
+ETCCERTSDIR=/etc/ssl/certs
+HOOKSDIR=/etc/ca-certificates/update.d
+
+while [ $# -gt 0 ];
+do
+  case $1 in
+    --verbose|-v)
+      verbose=1;;
+    --fresh|-f)
+      fresh=1;;
+    --default|-d)
+      default=1
+      fresh=1;;
+    --certsconf)
+      shift
+      CERTSCONF="$1";;
+    --certsdir)
+      shift
+      CERTSDIR="$1";;
+    --localcertsdir)
+      shift
+      LOCALCERTSDIR="$1";;
+    --certbundle)
+      shift
+      CERTBUNDLE="$1";;
+    --etccertsdir)
+      shift
+      ETCCERTSDIR="$1";;
+    --hooksdir)
+      shift
+      HOOKSDIR="$1";;
+    --help|-h|*)
+      echo "$0: [--verbose] [--fresh]"
+      exit;;
+  esac
+  shift
+done
+
+if [ ! -s "$CERTSCONF" ]
+then
+  fresh=1
+fi
+
+cleanup() {
+  rm -f "$TEMPBUNDLE"
+  rm -f "$ADDED"
+  rm -f "$REMOVED"
+}
+trap cleanup 0
+
+# Helper files.  (Some of them are not simple arrays because we spawn
+# subshells later on.)
+TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
+ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
+REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
+
+# Adds a certificate to the list of trusted ones.  This includes a symlink
+# in /etc/ssl/certs to the certificate file and its inclusion into the
+# bundle.
+add() {
+  CERT="$1"
+  PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
+                                                  -e 's/[()]/=/g' \
+                                                  -e 's/,/_/g').pem"
+  if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
+  then
+    ln -sf "$CERT" "$PEM"
+    echo +$PEM >> "$ADDED"
+  fi
+  # Add trailing newline to certificate, if it is missing (#635570)
+  sed -e '$a\' "$CERT" >> "$TEMPBUNDLE"
+}
+
+remove() {
+  CERT="$1"
+  PEM="$ETCCERTSDIR/$(basename "$CERT" .crt).pem"
+  if test -L "$PEM"
+  then
+    rm -f "$PEM"
+    echo -$PEM >> "$REMOVED"
+  fi
+}
+
+cd $ETCCERTSDIR
+if [ "$fresh" = 1 ]; then
+  echo -n "Clearing symlinks in $ETCCERTSDIR..."
+  find . -type l -print | while read symlink
+  do
+    case $(readlink $symlink) in
+      $CERTSDIR*) rm -f $symlink;;
+    esac
+  done
+  find . -type l -print | while read symlink
+  do
+    test -f $symlink || rm -f $symlink
+  done
+  echo "done."
+fi
+
+echo -n "Updating certificates in $ETCCERTSDIR... "
+
+# Add default certificate authorities if requested
+if [ "$default" = 1 ]; then
+  find -L "$CERTSDIR" -type f -name '*.crt' | sort | while read crt
+  do
+    add "$crt"
+  done
+fi
+
+# Handle certificates that should be removed.  This is an explicit act
+# by prefixing lines in the configuration files with exclamation marks (!).
+sed -n -e '/^$/d' -e 's/^!//p' $CERTSCONF | while read crt
+do
+  remove "$CERTSDIR/$crt"
+done
+
+sed -e '/^$/d' -e '/^#/d' -e '/^!/d' $CERTSCONF | while read crt
+do
+  if ! test -f "$CERTSDIR/$crt"
+  then
+    echo "W: $CERTSDIR/$crt not found, but listed in $CERTSCONF." >&2
+    continue
+  fi
+  add "$CERTSDIR/$crt"
+done
+
+# Now process certificate authorities installed by the local system
+# administrator.
+if [ -d "$LOCALCERTSDIR" ]
+then
+  find -L "$LOCALCERTSDIR" -type f -name '*.crt' | sort | while read crt
+  do
+    add "$crt"
+  done
+fi
+
+rm -f "$CERTBUNDLE"
+
+ADDED_CNT=$(wc -l < "$ADDED")
+REMOVED_CNT=$(wc -l < "$REMOVED")
+
+if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
+then
+  # only run if set of files has changed
+  if [ "$verbose" = 0 ]
+  then
+    c_rehash . > /dev/null
+  else
+    c_rehash .
+  fi
+fi
+
+chmod 0644 "$TEMPBUNDLE"
+mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+# Restore proper SELinux label after moving the file
+[ -x /sbin/restorecon ] && /sbin/restorecon "$CERTBUNDLE" >/dev/null 2>&1
+
+echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
+
+if [ -d "$HOOKSDIR" ]
+then
+
+echo -n "Running hooks in $HOOKSDIR...."
+VERBOSE_ARG=
+[ "$verbose" = 0 ] || VERBOSE_ARG=--verbose
+eval run-parts $VERBOSE_ARG --test -- $HOOKSDIR | while read hook
+do
+  ( cat $ADDED
+    cat $REMOVED ) | $hook || echo E: $hook exited with code $?.
+done
+echo "done."
+
+fi
+
+# vim:set et sw=2:
+
index 2d4a140..127869a 100644 (file)
@@ -11,6 +11,33 @@ class ssl {
                ensure   => installed,
        }
 
+       file { '/etc/ca-certificates.conf':
+               content => "# This file is under puppet control\n# Only debian.org service certs are trusted, see /etc/ssl/certs/README",
+               notify  => Exec['refresh_normal_hashes'],
+       }
+       file { '/etc/ca-certificates-debian.conf':
+               mode    => '0444',
+               content => "# This file is under puppet control\n# Only the CAs for debian.org are trusted, see /etc/ssl/ca-debian/README\nmozilla/AddTrust_External_Root.crt",
+               notify  => Exec['refresh_ca_debian_hashes'],
+       }
+       file { '/etc/ca-certificates-global.conf':
+               content => "# This file is under puppet control\n# All CAs are trusted, see /etc/ssl/ca-global/README",
+               notify  => Exec['refresh_ca_global_hashes'],
+       }
+
+       file { '/etc/apt/apt.conf.d/local-ssl-ca-global':
+               mode   => '0444',
+               source => 'puppet:///modules/ssl/local-ssl-ca-global',
+       }
+
+       file { '/etc/ssl/certs/ssl-cert-snakeoil.pem':
+               ensure => absent,
+               notify => Exec['refresh_normal_hashes'],
+       }
+       file { '/etc/ssl/private/ssl-cert-snakeoil.key':
+               ensure => absent,
+       }
+
        file { '/etc/ssl/servicecerts':
                ensure   => link,
                purge    => true,
@@ -28,6 +55,26 @@ class ssl {
                force    => true,
                notify   => Exec['refresh_normal_hashes'],
        }
+       file { '/etc/ssl/certs/README':
+               mode   => '0444',
+               source => 'puppet:///modules/ssl/README.certs',
+       }
+       file { '/etc/ssl/ca-debian':
+               ensure => directory,
+               mode   => '0755',
+       }
+       file { '/etc/ssl/ca-debian/README':
+               mode   => '0444',
+               source => 'puppet:///modules/ssl/README.ca-debian',
+       }
+       file { '/etc/ssl/ca-global':
+               ensure => directory,
+               mode   => '0755',
+       }
+       file { '/etc/ssl/ca-debian/README':
+               mode   => '0444',
+               source => 'puppet:///modules/ssl/README.ca-global',
+       }
        file { '/etc/ssl/debian':
                ensure   => directory,
                source   => 'puppet:///files/empty/',
@@ -78,6 +125,11 @@ class ssl {
                require => Package['ssl-cert'],
        }
 
+       file { '/usr/local/sbin/update-ca-certificates-dsa':
+               mode   => '0555',
+               source => 'puppet:///modules/ssl/update-ca-certificates-dsa',
+       }
+
        exec { 'retire_debian_links':
                command     => 'find -lname "../servicecerts/*" -exec rm {} +',
                cwd         => '/etc/ssl/certs',
@@ -99,5 +151,25 @@ class ssl {
                refreshonly => true,
                require     => Package['ca-certificates'],
        }
+       exec { 'refresh_ca_debian_hashes':
+               command     => '/usr/local/sbin/update-ca-certificates-dsa --fresh --certsconf /etc/ca-certificates-debian.conf --localcertsdir /dev/null --etccertsdir /etc/ssl/ca-debian --hooksdir /dev/null',
+               refreshonly => true,
+               require     => [
+                       Package['ca-certificates'],
+                       File['/etc/ssl/ca-debian'],
+                       File['/etc/ca-certificates-debian.conf'],
+                       File['/usr/local/sbin/update-ca-certificates-dsa'],
+               ]
+       }
+       exec { 'refresh_ca_global_hashes':
+               command     => '/usr/local/sbin/update-ca-certificates-dsa --fresh --default --certsconf /etc/ca-certificates-global.conf --etccertsdir /etc/ssl/ca-global --hooksdir /dev/null',
+               refreshonly => true,
+               require     => [
+                       Package['ca-certificates'],
+                       File['/etc/ssl/ca-global'],
+                       File['/etc/ca-certificates-global.conf'],
+                       File['/usr/local/sbin/update-ca-certificates-dsa'],
+               ]
+       }
 
 }