# Flag listing as printed by `cfssl serve -help`; CfsslOptParser turns each
# `-flag=value: description` line into one sysconfig variable.
# NOTE(review): the parser's regexp requires whitespace before the leading
# dash; as reproduced here the lines carry none, so each would be reported as
# "unparsed line" -- confirm the indentation of the original file.
# Defaults worth knowing when reading the generated sysconfig: -address keeps
# the API on loopback, and -min-tls-version left empty means cfssl itself
# falls back to TLS 1.0 (per its own help text).
serve_help_text = <<EOF
-address=127.0.0.1: Address to bind
-port=8888: Port to bind
-min-tls-version="": Minimum version of TLS to use, defaults to 1.0
-ca="": CA used to sign the new certificate -- accepts '[file:]fname' or 'env:varname'
-ca-key="": CA private key -- accepts '[file:]fname' or 'env:varname'
-ca-bundle="": path to root certificate store
-int-bundle="": path to intermediate certificate store
-int-dir="": specify intermediates directory
-metadata="": Metadata file for root certificate presence. The content of the file is a json dictionary (k,v): each key k is SHA-1 digest of a root certificate while value v is a list of key store filenames.
-remote="": remote CFSSL server
-config="": path to configuration file
-responder="": Certificate for OCSP responder
-responder-key="": private key for OCSP responder certificate
-tls-key="": Other endpoint CA private key
-tls-cert="": Other endpoint CA to set up TLS protocol
-mutual-tls-ca="": Mutual TLS - require clients be signed by this CA
-mutual-tls-cn="": Mutual TLS - regex for whitelist of allowed client CNs
-tls-remote-ca="": CAs to trust for remote TLS requests
-mutual-tls-client-cert="": Mutual TLS - client certificate to call remote instance requiring client certs
-mutual-tls-client-key="": Mutual TLS - client key to call remote instance requiring client certs
-db-config="": certificate db configuration file
-disable="": endpoints to disable
-loglevel=1: Log level (0 = DEBUG, 5 = FATAL)
EOF
# Flag listing as printed by `cfssl ocspserve -help`. Its -loglevel and
# -db-config flags are folded onto the same CFSSL_LOGLEVEL / CFSSL_DB_CONFIG
# variables as the serve ones, so both generated sysconfig outputs carry them.
# Same indentation caveat as for serve_help_text: the parser expects leading
# whitespace in front of each dash.
ocsp_help_text = <<EOF
-address=127.0.0.1: Address to bind
-port=8888: Port to bind
-responses="": file to load OCSP responses from
-db-config="": certificate db configuration file
-loglevel=1: Log level (0 = DEBUG, 5 = FATAL)
EOF
# NOTE(review): pry is an interactive debugging REPL and nothing in this file
# uses it; the require only forces the gem onto the build host -- confirm it
# can be dropped.
require 'pry'
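# Turns the flag listing printed by `cfssl <service> -help` into two things on
# stdout: one sysconfig section per flag, in the fixed order given by ORDER,
# followed by a single line of `-flag="$VAR"` arguments with which the service
# can be started from that sysconfig file.
#
# Variables both `serve` and `ocspserve` should share (log level, db config,
# CA config) are folded onto one unprefixed name via OPTIONS_MAP. Packaged
# values live in DEFAULTS: the API binds to loopback, and no value is given
# for the minimum TLS version, so the generated sysconfig leaves cfssl's own
# fallback in force (TLS 1.0 according to the help text).
class CfsslOptParser
  # Service-prefixed variable name => shared variable name.
  # CFSSL_SERVE_MIN_TLS_VERSION has to be mapped because ORDER lists the shared
  # name; without this entry the -min-tls-version flag was dropped from both
  # outputs without any diagnostic.
  OPTIONS_MAP = {
    'CFSSL_SERVE_LOGLEVEL' => 'CFSSL_LOGLEVEL',
    'CFSSL_OCSPSERVE_LOGLEVEL' => 'CFSSL_LOGLEVEL',
    'CFSSL_SERVE_DB_CONFIG' => 'CFSSL_DB_CONFIG',
    'CFSSL_OCSPSERVE_DB_CONFIG' => 'CFSSL_DB_CONFIG',
    'CFSSL_SERVE_CONFIG' => 'CFSSL_CA_CONFIG',
    'CFSSL_SERVE_MIN_TLS_VERSION' => 'CFSSL_MIN_TLS_VERSION',
  }.freeze

  # Packaged defaults, written already shell-quoted; they override the value
  # shown in the help text. Both services default to port 8888, so starting
  # them on one host with untouched defaults presumably collides -- verify.
  DEFAULTS = {
    'CFSSL_CA_CONFIG' => '"/etc/cfssl/ca-config.json"',
    'CFSSL_DB_CONFIG' => '"/etc/cfssl/db.json"',
    'CFSSL_LOGLEVEL' => '"1"',
    'CFSSL_SERVE_ADDRESS' => '"127.0.0.1"',
    'CFSSL_SERVE_PORT' => '"8888"',
    'CFSSL_OCSPSERVE_ADDRESS' => '"127.0.0.1"',
    'CFSSL_OCSPSERVE_PORT' => '"8888"',
    'CFSSL_SERVE_CA' => '"/etc/cfssl/certs/intermediates/ca-server.pem"',
    'CFSSL_SERVE_CA_KEY' => '"/etc/cfssl/certs/intermediates/ca-server-key.pem"',
    'CFSSL_SERVE_RESPONDER' => '"/etc/cfssl/certs/ocsp/server-ocsp.pem"',
    'CFSSL_SERVE_RESPONDER_KEY' => '"/etc/cfssl/certs/ocsp/server-ocsp-key.pem"',
  }.freeze

  # Output order of the sysconfig sections and of the command-line arguments.
  # A parsed flag whose variable is not listed here is not emitted at all;
  # run reports such flags on stderr. CFSSL_CA_CONFIG was missing before,
  # which left its DEFAULTS entry and the -config flag unused.
  ORDER = %w[
    CFSSL_DB_CONFIG
    CFSSL_CA_CONFIG
    CFSSL_LOGLEVEL
    CFSSL_MIN_TLS_VERSION
    CFSSL_SERVE_PORT
    CFSSL_SERVE_ADDRESS
    CFSSL_SERVE_CA
    CFSSL_SERVE_CA_KEY
    CFSSL_SERVE_CA_BUNDLE
    CFSSL_SERVE_RESPONDER
    CFSSL_SERVE_RESPONDER_KEY
    CFSSL_SERVE_INT_BUNDLE
    CFSSL_SERVE_INT_DIR
    CFSSL_SERVE_METADATA
    CFSSL_SERVE_REMOTE
    CFSSL_SERVE_TLS_KEY
    CFSSL_SERVE_TLS_CERT
    CFSSL_SERVE_MUTUAL_TLS_CA
    CFSSL_SERVE_MUTUAL_TLS_CN
    CFSSL_SERVE_TLS_REMOTE_CA
    CFSSL_SERVE_MUTUAL_TLS_CLIENT_CERT
    CFSSL_SERVE_MUTUAL_TLS_CLIENT_KEY
    CFSSL_SERVE_DISABLE
    CFSSL_OCSPSERVE_ADDRESS
    CFSSL_OCSPSERVE_PORT
    CFSSL_OCSPSERVE_RESPONSES
  ].freeze

  # Matches `  -flag=value: help text`. Leading whitespace is mandatory and
  # `value` runs up to the first colon, so the trailing help may itself contain
  # colons and equals signs.
  HELP_REGEXP = /\A\s+-(?<option>.*)=(?<value>[^:]+):(?<help>.*)\z/

  # @param prefix [String] service name ("serve" or "ocspserve"); upcased into
  #   the variable prefix CFSSL_<PREFIX>_
  # @param helptext [String] the `-help` flag listing of that service
  def initialize(prefix, helptext)
    @prefix = prefix.upcase
    @helptext = helptext
    @sysconfig_sections = {}
    @cmdline_options = {}
  end

  # Sysconfig variable name for a flag: dashes become underscores, the name is
  # upcased and prefixed with the service, then folded via OPTIONS_MAP.
  #
  # @param option [String] flag name without the leading dash, e.g. "ca-key"
  # @return [String] e.g. "CFSSL_SERVE_CA_KEY" or the shared "CFSSL_LOGLEVEL"
  def sysconfig_option(option)
    var = "CFSSL_#{@prefix}_#{option.tr('-', '_').upcase}"
    OPTIONS_MAP.fetch(var, var)
  end

  # Records the sysconfig section and the command-line argument for one
  # matched help line.
  #
  # @param mo [MatchData] a HELP_REGEXP match with :option, :value and :help
  # @return [String] the command-line argument stored for the variable
  def handleline(mo)
    option = mo[:option]
    help = mo[:help]
    var = sysconfig_option(option)
    # A packaged default wins over whatever the help text shows.
    value = DEFAULTS[var] || mo[:value]
    @sysconfig_sections[var] = <<~EOF
      ## Path: System/Security/cfssl
      ## Description: #{help}
      ## Type: string
      ## Default: #{value}
      ## Config: cfssl
      ## ServiceReload: cfssl-serve,cfssl-ocspserve
      #
      # Will be used as:
      #
      # -#{option}="$#{var}"
      #
      #{var}=#{value}
    EOF
    @cmdline_options[var] = "-#{option}=\"$#{var}\""
  end

  # Parses the help text, then prints the sysconfig sections and the argument
  # line to stdout. Lines the regexp does not match, and parsed flags whose
  # variable is absent from ORDER, are reported on stderr rather than silently
  # ignored.
  #
  # @return [nil]
  def run
    @helptext.each_line do |raw|
      line = raw.chomp
      mo = HELP_REGEXP.match(line)
      if mo
        handleline(mo)
      else
        $stderr.puts("unparsed line: #{line}")
      end
    end
    # Anything not in ORDER would otherwise vanish from both outputs.
    (@sysconfig_sections.keys - ORDER).each do |var|
      $stderr.puts("option not in output order, dropped: #{var}")
    end
    ORDER.each do |var|
      puts @sysconfig_sections[var] if @sysconfig_sections.key?(var)
    end
    puts ORDER.map { |var| @cmdline_options[var] }.compact.join(' ')
  end
end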
# Emit the serve sysconfig first, then the ocspserve one. Each parser starts
# from empty section and option tables, so the shared variables (CFSSL_LOGLEVEL,
# CFSSL_DB_CONFIG) are printed in both outputs.
{ 'serve' => serve_help_text, 'ocspserve' => ocsp_help_text }.each do |service, help|
  CfsslOptParser.new(service, help).run
end