Make www root and URLs configurable, fix hardcoded CA variables.

Realiserad · Realiserad · commit 4171854670ce · 2022-11-25T14:24:19.000+01:00
diff --git a/filter_plugins/pronounce.py b/filter_plugins/pronounce.py
@@ -0,0 +1,45 @@
+from ansible.module_utils.common.text.converters import to_text
+from ansible.errors import AnsibleError
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            'pronounce': self.pronounce
+        }
+
+    def pronounce(self, value):
+        """
+        Jinja2 filter for Ansible to pronounce positive numbers less than 13 in English.
+
+        Example of usage in a Jinja2 template:
+        {{ 13 | pronounce }} -> "13"
+        {{ 12 | pronounce }} -> "twelve"
+        {{ 0 | pronounce }} -> "zero"
+        {{ -1 | pronounce }} -> AnsibleError("Cannot pronounce negative numbers.")
+
+        :param value: value to be pronounced
+        :return: the pronunciation of the value, or the number itself if the value is greater than 12
+        :rtype: str
+        :raises AnsibleError: if the value is negative or the value is not an integer
+        """
+        if value < 0:
+            raise AnsibleError("Cannot pronounce negative numbers.")
+        try:
+            pronounciation = {
+                0: "zero",
+                1: "one",
+                2: "two",
+                3: "three",
+                4: "four",
+                5: "five",
+                6: "six",
+                7: "seven",
+                8: "eight",
+                9: "nine",
+                10: "ten",
+                11: "eleven",
+                12: "twelve",
+            }.get(int(value)) or value
+            return to_text(pronounciation)
+        except ValueError:
+            raise AnsibleError('Cannot parse ' + value + ' as an integer.')
diff --git a/roles/installation_manual/files/chapters/installation.rst.j2 b/roles/installation_manual/files/chapters/installation.rst.j2
@@ -72,11 +72,11 @@ Create {{ server.name }}
 
 #. Create a folder where the repository files should be stored::
 
-    New-Item -Path "C:\inetpub" -Name "pki" -ItemType "directory"
+    New-Item -Path "{{ server.www_root | default('C:\inetpub')}}" -Name "pki" -ItemType "directory"
 
 #. Create a new website for the repository::
 
-    New-IISSite -Name PKI -PhysicalPath "C:\inetpub\pki" -Protocol http -BindingInformation "*:80:" -Force
+    New-IISSite -Name PKI -PhysicalPath "{{ server.www_root | default('C:\inetpub')}}\pki" -Protocol http -BindingInformation "*:80:" -Force
     Remove-IISSite -Name "Default Web Site"
     Start-IISSite -Name PKI
 
@@ -89,14 +89,14 @@ Create {{ server.name }}
 
 #. Create an SMB share using PowerShell::
 
-    New-SmbShare -Name "PKI Repository" -Path "C:\inetpub\pki"
+    New-SmbShare -Name "PKI Repository" -Path "{{ server.www_root | default('C:\inetpub')}}\pki"
 
 #. Grant NTFS and SMB share permissions::
 
-    $Acl = Get-ACL "C:\inetpub\pki\"
+    $Acl = Get-ACL "{{ server.www_root | default('C:\inetpub')}}\pki\"
     $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl", "ContainerInherit,Objectinherit", "None", "Allow")
     $Acl.AddAccessRule($AccessRule)
-    Set-ACL "C:\inetpub\pki\" $Acl
+    Set-ACL "{{ server.www_root | default('C:\inetpub')}}\pki\" $Acl
 {% if server.connected_to_ad %}
     Grant-SmbShareAccess -Name "PKI Repository" -AccountName "{{ customer.domain.split('.')[0].upper() }}\{{ accounts.service.user }}" -AccessRight Full -Force
 {% else %}
@@ -184,9 +184,9 @@ Create the root CA
 #. Create a root CA using PowerShell::
 
 {% if servers.root_ca.policy.key_specification == 'P256' %}
-    Install-AdcsCertificationAuthority -CAType StandaloneRootCa -CryptoProviderName "ECDSA_P256#{{ servers.root_ca.policy.key_storage_provider }}" -KeyLength 256 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 25 -CACommonName "R1" -CADistinguishedNameSuffix "O={{ customer.name }},C={{ customer.country }}" -DatabaseDirectory $(Join-Path $env:SystemRoot "System32\CertLog") -Force
+    Install-AdcsCertificationAuthority -CAType StandaloneRootCa -CryptoProviderName "ECDSA_P256#{{ servers.root_ca.policy.key_storage_provider }}" -KeyLength 256 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 25 -CACommonName "{{ servers.root_ca.cn }}" -CADistinguishedNameSuffix "O={{ customer.name }},C={{ customer.country }}" -DatabaseDirectory $(Join-Path $env:SystemRoot "System32\CertLog") -Force
 {% elif servers.root_ca.policy.key_specification == 'RSA4096' %}
-    Install-AdcsCertificationAuthority -CAType StandaloneRootCa -CryptoProviderName "RSA#{{ servers.root_ca.policy.key_storage_provider }}" -KeyLength 4096 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 25 -CACommonName "R1" -CADistinguishedNameSuffix "O={{ customer.name }},C={{ customer.country }}" -DatabaseDirectory $(Join-Path $env:SystemRoot "System32\CertLog") -Force
+    Install-AdcsCertificationAuthority -CAType StandaloneRootCa -CryptoProviderName "RSA#{{ servers.root_ca.policy.key_storage_provider }}" -KeyLength 4096 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 25 -CACommonName "{{ servers.root_ca.cn }}" -CADistinguishedNameSuffix "O={{ customer.name }},C={{ customer.country }}" -DatabaseDirectory $(Join-Path $env:SystemRoot "System32\CertLog") -Force
 {% else %}
     Unknown key specification '{{ servers.root_ca.policy.key_specification }}'.
 {% endif %}
@@ -223,22 +223,22 @@ Publish root CA artefacts
 
 #. Export a copy of the root CA certificate::
 
-    CertUtil "-ca.cert" "C:\R1.crt"
+    CertUtil "-ca.cert" "C:\{{ servers.root_ca.cn }}.crt"
 
 #. Issue a CRL from the root CA::
 
     CertUtil -crl
 
 {% for server in servers.repositories %}
-#. Transfer the files ``C:\R1.crt`` and ``C:\R1.crl`` to ``C:\inetpub\pki`` on {{ server.name }}.
+#. Transfer the files ``C:\{{ servers.root_ca.cn }}.crt`` and ``C:\{{ servers.root_ca.cn }}.crl`` to ``{{ server.www_root | default('C:\inetpub')}}\pki`` on {{ server.name }}.
 {% endfor %}
 
 {% if servers.root_ca.location.existing_backup is not defined %}
-#. Transfer ``C:\R1.crt`` to servers.issuing_cas[0] and log in to servers.issuing_cas[0] using RDP.
+#. Transfer ``C:\{{ servers.root_ca.cn }}.crt`` to servers.issuing_cas[0] and log in to servers.issuing_cas[0] using RDP.
 
 #. Publish the root CA certificate to AD::
 
-    CertUtil -dspublish -f C:\R1.crt
+    CertUtil -dspublish -f C:\{{ servers.root_ca.cn }}.crt
 
 {% endif %}
 {% endif %}
@@ -328,7 +328,7 @@ Activate {{ issuing_ca.cn }} and restore a backup
     CertUtil "-ca.cert" "C:\{{ issuing_ca.cn }}.crt"
 
 {% for server in servers.repositories %}
-#. Transfer the file ``C:\{{ issuing_ca.cn }}.crt`` to ``C:\inetpub\pki`` on {{ server.name }}.
+#. Transfer the file ``C:\{{ issuing_ca.cn }}.crt`` to ``{{ server.www_root | default('C:\inetpub')}}\pki`` on {{ server.name }}.
 {% endfor %}
 
 {% endif %}
@@ -354,18 +354,18 @@ Sign the CA certificate
 
 #. Submit the CSR for {{ issuing_ca.cn }} and save the request ID::
 
-    $request = CertReq -submit -config - C:\ICA1.csr | Out-String | Select-String 'RequestId: (\d+)'
+    $request = CertReq -submit -config - C:\{{ issuing_ca.cn }}.csr | Out-String | Select-String 'RequestId: (\d+)'
     $requestId = $request.Matches[0].Groups[1].Value.Trim()
 
 #. Accept the request and retrieve a copy of the issuing CA certificate::
 
     CertUtil -resubmit $requestId
     CertReq -retrieve -config - $requestId C:\{{ issuing_ca.cn }}.crt
 
-#. Transfer the files ``C:\{{ issuing_ca.cn }}.crt`` and ``C:\R1.crt`` to {{ issuing_ca.name }}.
+#. Transfer the files ``C:\{{ issuing_ca.cn }}.crt`` and ``C:\{{ servers.root_ca.cn }}.crt`` to {{ issuing_ca.name }}.
 
 {% for server in servers.repositories %}
-#. Transfer the file ``C:\{{ issuing_ca.cn }}.crt`` to ``C:\inetpub\pki`` on {{ server.name }}.
+#. Transfer the file ``C:\{{ issuing_ca.cn }}.crt`` to ``{{ server.www_root | default('C:\inetpub')}}\pki`` on {{ server.name }}.
 {% endfor %}
 
 Import the CA certificate
@@ -375,7 +375,7 @@ Import the CA certificate
 
 #. Install the CA certificate chain::
 
-    Import-Certificate -FilePath C:\R1.crt -CertStoreLocation Cert:\LocalMachine\Root
+    Import-Certificate -FilePath C:\{{ servers.root_ca.cn }}.crt -CertStoreLocation Cert:\LocalMachine\Root
     CertUtil -installcert "C:\{{ issuing_ca.cn }}.crt"
 
 Configure registry settings
diff --git a/roles/installation_manual/files/chapters/system-overview.rst.j2 b/roles/installation_manual/files/chapters/system-overview.rst.j2
@@ -34,7 +34,11 @@ The following servers are a part of the PKI. For details, refer to *Appendix B*.
 Topology
 --------
 
-The PKI has been implemented as a two-tier CA hierachy with one root CA and one issuing CA.
+{% if servers.issuing_cas | length == 1 %}
+The PKI has been implemented as a two-tier CA hierachy with a root CA and a single issuing CA.
+{% else %}
+The PKI has been implemented as a two-tier CA hierachy with a root CA and {{ servers.issuing_cas | length | pronounce }} issuing CAs.
+{% endif %}
 
 The root CA signs the CA certificate for the issuing CA, and is stored offline when not in use. If the private key for the issuing CA is compromised, it is possible to revoke the issuing CA using the root CA without having to create a new CA hierarchy.
 
@@ -88,10 +92,24 @@ The following endpoints are used for distribution of *Certificate Revocation Lis
 
    * - Certificate Authority
      - CRL Distribution Point
-   * - R1
-     - ``http://pki.{{ customer.domain }}/R1.crl``
-   * - ICA1
+{% if servers.root_ca is defined %}
+{% if servers.root_ca.urls is defined %}
+   * - {{ servers.root_ca.cn }}
+     - ``{{ servers.root_ca.urls.cdp }}``
+{% else %}
+   * - {{ servers.root_ca.cn }}
+     - ``http://pki.{{ customer.domain }}/{{ servers.root_ca.cn }}.crl``
+{% endif %}
+{% endif %}
+{% for issuing_ca in servers.issuing_cas %}
+{% if issuing_ca.urls is defined %}
+   * - {{ issuing_ca.cn }}
+     - ``{{ issuing_ca.urls.aia }}``
+{% else %}
+   * - {{ issuing_ca.cn }}
      - ``http://pki.{{ customer.domain }}/ICA1-<CRLNameSuffix>.crl``
+{% endif %}
+{% endfor %}
 
 The appropriate URLs are put in the *CRL Distribution Points* certificate extension (2.5.29.31) of issued certificates.
 
@@ -104,10 +122,24 @@ The following endpoints are used for distribution of CA certificates.
    :widths: 1 3
    :header-rows: 1
 
-   * - R1
+{% if servers.root_ca is defined %}
+{% if servers.root_ca.urls is defined %}
+   * - {{ servers.root_ca.cn }}
+     - ``{{ servers.root_ca.urls.cdp }}``
+{% else %}
+   * - {{ servers.root_ca.cn }}
      - ``http://pki.{{ customer.domain }}/R1.crt``
-   * - ICA1
+{% endif %}
+{% endif %}
+{% for issuing_ca in servers.issuing_cas %}
+{% if issuing_ca.urls is defined %}
+   * - {{ issuing_ca.cn }}
+     - ``{{ issuing_ca.urls.aia }}``
+{% else %}
+   * - {{ issuing_ca.cn }}
      - ``http://pki.{{ customer.domain }}/<CertificateName>.crt``
+{% endif %}
+{% endfor %}
 
 The appropriate URLs are put in the *Authority Information Access* certificate extension (1.3.6.1.5.5.7.1.1) of issued certificates.
 
diff --git a/roles/operations_manual/files/chapters/operations.rst.j2 b/roles/operations_manual/files/chapters/operations.rst.j2
@@ -139,7 +139,7 @@ When configuring Windows, configure the name of the server to be ``{{ servers.ro
 #. Restore the CA certificate and private key::
 
     $BackupPassword = Read-Host -AsSecureString
-    Install-AdcsCertificationAuthority -CAType StandaloneRootCa -CertFile 'C:\Backup\R1.p12' -CertFilePassword $BackupPassword -DatabaseDirectory $(Join-Path $env:SystemRoot "System32\CertLog") -Force
+    Install-AdcsCertificationAuthority -CAType StandaloneRootCa -CertFile 'C:\Backup\{{ servers.root_ca.cn}}.p12' -CertFilePassword $BackupPassword -DatabaseDirectory $(Join-Path $env:SystemRoot "System32\CertLog") -Force
 
 #. Restore the CA database using CertUtil::
 
@@ -169,7 +169,7 @@ Issue a new root CA CRL
     CertUtil -crl
 
 {% for server in servers.repositories %}
-#. Transfer the file ``C:\R1.crt`` to ``C:\inetpub\pki`` on {{ server.name }}.
+#. Transfer the file ``C:\{{ servers.root_ca.cn }}.crt`` to ``{{ server.www_root | default('C:\inetpub') }}\pki`` on {{ server.name }}.
 {% endfor %}
 
 #. Turn off ``{{ servers.root_ca.name }}``.
@@ -214,7 +214,7 @@ Renew the root CA
 
 #. Click on **OK** to add the snap-in.
 
-#. Expand **Certification Authority (Local)** the left pane, right-click on **R1** and choose **All Tasks → Renew CA Certificate...**.
+#. Expand **Certification Authority (Local)** the left pane, right-click on **{{ servers.root_ca.cn }}** and choose **All Tasks → Renew CA Certificate...**.
 
 #. Click **Yes** to stop ADCS.
 
@@ -226,15 +226,15 @@ Renew the root CA
 
 #. Export the new root CA certificate to a file::
 
-    CertUtil "-ca.cert" "C:\R1.crt"
+    CertUtil "-ca.cert" "C:\{{ servers.root_ca.cn }}.crt"
 
 {% for server in servers.repositories %}
-#. Transfer the files ``C:\R1.crt`` and ``C:\R1.crl`` to ``C:\inetpub\pki`` on {{ server.name }}.
+#. Transfer the files ``C:\{{ servers.root_ca.cn }}.crt`` and ``C:\{{ servers.root_ca.cn }}.crl`` to ``{{ server.www_root | default('C:\inetpub') }}\pki`` on {{ server.name }}.
 {% endfor %}
 
-#. Transfer the file `C:\R1.crt`` to {{ servers.issuing_cas[0].name }} and publish the root CA certificate to AD::
+#. Transfer the file `C:\{{ servers.root_ca.cn }}.crt`` to {{ servers.issuing_cas[0].name }} and publish the root CA certificate to AD::
 
-    CertUtil -dspublish -f C:\R1.crt
+    CertUtil -dspublish -f C:\{{ servers.root_ca.cn }}.crt
 
 {% endif %}
 
@@ -288,8 +288,8 @@ Renew {{ issuing_ca.cn }} and create a new keypair
 
     CertUtil -installcert "C:\{{ issuing_ca.cn }}-G2.crt"
 
-{% for repository in servers.repositories %}
-#. Transfer the file ``C:\{{ issuing_ca.cn }}-G2.crt`` to ``C:\inetpub\pki`` on {{ repository.name }}.
+{% for server in servers.repositories %}
+#. Transfer the file ``C:\{{ issuing_ca.cn }}-G2.crt`` to ``{{ server.www_root | default('C:\inetpub') }}\pki`` on {{ server.name }}.
 {% endfor %}
 
 #. Update the CDP and AIA paths to point to the new CRL and CA certificate::
@@ -362,8 +362,8 @@ Renew {{ issuing_ca.cn }} with an existing keypair
     CertUtil -crl
     Start-ScheduledTask -TaskName "CopyCRL"
 
-{% for repository in servers.repositories %}
-#. Transfer the file ``C:\{{ issuing_ca.cn }}.crt`` to ``C:\inetpub\pki`` on {{ repository.name }}. Replace the existing file.
+{% for server in servers.repositories %}
+#. Transfer the file ``C:\{{ issuing_ca.cn }}.crt`` to ``{{ server.www_root | default('C:\inetpub') }}\pki`` on {{ server.name }}. Replace the existing file.
 {% endfor %}
 
 {% endfor %}
