feat(facts): add facts about certificates

minorOffense · minorOffense · commit a7fc1a9f9277 · 2019-05-17T16:06:10.000-04:00
Add readme entry for facts
Add readme entry puppet function
diff --git a/README.md b/README.md
@@ -347,6 +347,27 @@ letsencrypt::renew_deploy_hook_commands:
   - '...'
 ```
 
+## Facts
+
+Facts about your live certificates are available through facter. You can query the list of live certificates from puppet using `$::letsencrypt_directory` in your puppet code, hiera data or from the command line.
+
+```
+facter -p letsencrypt_directory
+{
+  legacyfiles.ijc.org => "/etc/letsencrypt/live/legacyfiles.ijc.org",
+  static.ijc.org => "/etc/letsencrypt/live/static.ijc.org",
+  ijc.org => "/etc/letsencrypt/live/ijc.org",
+  new.ijc.org => "/etc/letsencrypt/live/new.ijc.org",
+  www.ijc.org => "/etc/letsencrypt/live/ijc.org",
+  training.ijc.org => "/etc/letsencrypt/live/training.ijc.org"
+}
+```
+
+## Puppet Functions
+
+This module profiles a custom puppet function `letsencrypt_lookup` which allows you to load information about your certificates into puppet.
+This returns the same information as in the facts but for a particular domain. It accepts a single argument for your domain or wildcard domain.
+
 ## Development
 
 1. Fork it
diff --git a/lib/facter/letsencrypt_directory.rb b/lib/facter/letsencrypt_directory.rb
@@ -0,0 +1,29 @@
+require 'openssl'
+require 'pathname'
+
+Facter.add(:letsencrypt_directory) do
+  confine kernel: %w[FreeBSD Linux OpenBSD]
+
+  setcode do
+    certs = {}
+
+    # locate the certificate repository
+    livedir = ['/etc/letsencrypt/live', '/etc/certbot/live'].
+              map { |path| Pathname.new path }.
+              find(&:directory?)
+
+    unless livedir.nil?
+      Pathname.new(livedir).children.select(&:directory?).each do |path|
+        pem = File.join(path, 'cert.pem')
+        cert = OpenSSL::X509::Certificate.new(File.new(pem).read)
+        san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
+        names = san.value.split(',').map { |entry| entry.split(':')[1] }
+        names.each do |n|
+          certs[n] = path.to_s
+        end
+      end
+    end
+
+    certs
+  end
+end
diff --git a/lib/puppet/functions/letsencrypt_lookup.rb b/lib/puppet/functions/letsencrypt_lookup.rb
@@ -0,0 +1,8 @@
+Puppet::Functions.create_function(:letsencrypt_lookup) do
+  def letsencrypt_lookup(cn)
+    domain = cn.split('.', 2)[1]
+    wildcard = "*.#{domain}"
+    certs = closure_scope['facts'].fetch('letsencrypt_directory', nil)
+    certs.fetch(cn, certs.fetch(wildcard, nil)) unless certs.nil?
+  end
+end
