@muresan
Last active August 29, 2015 14:23
enable puppet to autosign clients based on a shared secret
#!/bin/bash
# Puppet policy-based autosign: sign a CSR only if it carries the shared PSK.
#
# puppet client part:
# create the file /etc/puppet/csr_attributes.yaml with the PSK in it:
##---
##extension_requests:
##  pp_preshared_key: @the_psk@
#
# puppet master part:
## puppet config set --section master autosign /usr/local/bin/autosign-psk
# Puppet runs this executable with the certname as $1 and the PEM CSR on stdin;
# exit 0 signs the request, any other exit status refuses it.
#
# For a more complex autosign script, see:
# http://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html#recommended-oids-for-extensions
# which documents all the OIDs that Puppet registered. Options are separate keys for environment,
# for role, for instance-id, etc., but that would complicate things because an outside agent would
# need to create the PSK on both the client and the master.

PSK_FILE=/etc/puppet/autosign/psk
csr=$(< /dev/stdin)
certname=$1

# Get the value of the requested extension with OID $1 from the CSR.
# openssl has no name for Puppet's OIDs, so it prints the raw extension value on
# the line after the OID. Check that output against your PSK once before relying
# on it: some openssl versions render the DER tag/length bytes of the value as a
# two-character prefix, which this string comparison would not tolerate.
function extension {
  echo "$csr" | openssl req -noout -text | grep -F -A1 "$1" | tail -n 1 \
    | sed -e 's/^ *//;s/ *$//'
}

if [ ! -r "$PSK_FILE" ] ; then
  echo "Could not read PSK file $PSK_FILE"
  exit 1
fi
PUPPET_PSK=$(< "$PSK_FILE")
CLIENT_PSK=$(extension '1.3.6.1.4.1.34380.1.1.4')

if [ -z "$CLIENT_PSK" ] ; then
  echo "Did not receive PSK from $certname"
  exit 1
fi

# Never echo the PSK values: this output ends up in the master's log.
if [ -n "$PUPPET_PSK" ] && [ "$PUPPET_PSK" = "$CLIENT_PSK" ]; then
  echo "autosign $certname: PSK matched"
  exit 0
else
  echo "refusing $certname: PSK does not match"
  exit 1
fi
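The same policy check, written as an added example rather than as the gist's own script: instead of grepping the text dump of `openssl req`, it parses the CSR's extReq attribute with Ruby's OpenSSL ASN.1 API (the master already runs Ruby), so the PSK comes back as the exact UTF8String the agent requested, the CSR's self-signature and subject CN are verified against the certname Puppet passes, the comparison is constant-time for equal lengths, and the secret is never written to the log. The `build_csr` half only exists so the example runs offline; it encodes `extension_requests` the way Puppet's agent does (each value as a DER UTF8String inside an extReq attribute). The PSK file path (`AUTOSIGN_PSK_FILE`, defaulting to the gist's `/etc/puppet/autosign/psk`), the script name and the certnames are assumptions for illustration.

```ruby
#!/usr/bin/env ruby
# Added example (not the gist's script): PSK autosign policy executable for
# Puppet. Exit 0 = sign, exit 1 = refuse. Register on the master with e.g.
#   puppet config set --section master autosign /usr/local/bin/autosign-psk.rb
require 'openssl'

# Puppet's registered OID for pp_preshared_key (the OID used by the gist).
PP_PRESHARED_KEY_OID = '1.3.6.1.4.1.34380.1.1.4'
# Assumed location of the shared secret; override with the environment.
PSK_FILE = ENV.fetch('AUTOSIGN_PSK_FILE', '/etc/puppet/autosign/psk')

# Agent side, included so the example is self-contained: each entry of
# extension_requests becomes Extension { OID, OCTET STRING (DER UTF8String) },
# all of them inside one extReq attribute of the CSR.
def build_csr(certname, extension_requests, key)
  exts = extension_requests.map do |oid, value|
    OpenSSL::ASN1::Sequence.new([
      OpenSSL::ASN1::ObjectId.new(oid),
      OpenSSL::ASN1::OctetString.new(OpenSSL::ASN1::UTF8String.new(value).to_der)
    ])
  end
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  csr.add_attribute(OpenSSL::X509::Attribute.new('extReq',
    OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(exts)])))
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# Master side: walk extReq = SET { SEQUENCE OF Extension } and return
# { oid => string } for every extension whose value is a UTF8String.
def extension_requests(csr)
  ext_req = csr.attributes.find { |a| a.oid == 'extReq' }
  return {} unless ext_req
  ext_req.value.value.first.value.each_with_object({}) do |ext, out|
    oid   = ext.value.first.oid          # ObjectId in dotted form
    raw   = ext.value.last.value         # extnValue bytes (OCTET STRING)
    inner = OpenSSL::ASN1.decode(raw)
    out[oid] = inner.value if inner.is_a?(OpenSSL::ASN1::UTF8String)
  end
end

# Byte comparison that does not short-circuit on the first difference
# (avoids depending on OpenSSL.secure_compare, absent in older gems).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The decision: valid self-signature, CN equal to the certname Puppet passed,
# and a matching PSK. Log outcomes only, never the PSK values.
def autosign?(certname, csr_pem, expected_psk, log: $stderr)
  csr = OpenSSL::X509::Request.new(csr_pem)
  unless csr.verify(csr.public_key)
    log.puts "#{certname}: CSR signature invalid"
    return false
  end
  cn = csr.subject.to_a.find { |name, _, _| name == 'CN' }&.fetch(1)
  unless cn == certname
    log.puts "#{certname}: CSR subject CN #{cn.inspect} does not match certname"
    return false
  end
  psk = extension_requests(csr)[PP_PRESHARED_KEY_OID]
  if psk.nil?
    log.puts "#{certname}: no pp_preshared_key extension in CSR"
    return false
  end
  ok = secure_equal?(psk, expected_psk)
  log.puts(ok ? "#{certname}: PSK matched, autosigning" : "#{certname}: PSK mismatch, refusing")
  ok
end

# Entry point when Puppet runs this as the autosign policy executable.
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  expected = File.read(PSK_FILE).strip
  exit(autosign?(ARGV[0], $stdin.read, expected) ? 0 : 1)
end
```

Reading the value from the DER rather than from openssl's text rendering is what makes the check independent of the openssl version on the master; checking the CN against `$1` also stops a host from presenting a valid PSK under a certname that is not its own.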