puppetserver-ca 1.10.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7200d67071717855a415f5b10ea96e2d008eb9e758b6c1bfcf367d41be1355c4
-  data.tar.gz: 9b94632f35b636420a5bb80fe6e1878daefb77b4d113aed5122a116113e7ff20
+  metadata.gz: 6523b5628cc4d83aa2627326400a2fb493a18f28d7e4da4b8046eac41e09c555
+  data.tar.gz: 6e8cfbeb2a63ad443f22b196d9cdf2749242ef552c6376fd55b723aa699ceefd
 SHA512:
-  metadata.gz: 82cca168aa2217dd81a68acb3acaabdaddcc06d494a783a04a27a03965110d0ca66fe5a3eee01e4d949073e4e8594d61a3203f83066e8e64b2e857344a723566
-  data.tar.gz: 95708d9c5f670001c8c3018cf9804fd189d44cb52bcee4e0e86665c4b8d5fd114ebb7480a6576fcffe81fd2289ba28b1fe2c61a8d610d0733b6d6f947df0f04a
+  metadata.gz: 82c62889b706bad66349d5efd8469969b919d8d90741c57c12827eccdedf2de80597ea923509c66de6d6f317da365d860705d556441ce817167d323ad6e80325
+  data.tar.gz: 72cca87e22e38e8c6b2b7975d4920057f5364c7a9499bcf30553894b9285468a0cb1d3fd93aace8974a889a0e0a0ed35f348d902139a07d0f588957e61f479f4

data/README.md

@@ -55,25 +55,20 @@ To create a new keypair and certificate for a certname:
 puppetserver ca generate --certname foo.example.com
 ```
 
-To enable verbose mode:
-```
-puppetserver ca --verbose <action>
-```
-
 For more details, see the help output:
 ```
 puppetserver ca --help
 ```
 
 This code in this project is licensed under the Apache Software License v2,
-please see the included [License](https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/LICENSE.md)
+please see the included [License](https://github.com/puppetlabs/puppetserver-ca-cli/blob/master/LICENSE.md)
 for more details.
 
 
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then,
-run `bundle exec rake spec` to run the tests. You can also run `bin/console` for an
+run `rake spec` to run the tests. You can also run `bin/console` for an
 interactive prompt that will allow you to experiment.
 
 To install this gem onto your local machine, run `bundle exec rake install`.
@@ -97,7 +92,7 @@ To test your changes on a VM:
 1. To confirm that installation was successful, run `puppetserver ca --help`
 
 ### Releasing
-To release a new version, run the [release pipeline](https://jenkins-platform.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_1.x/), which will bump the version, tag, build, and release the gem.
+To release a new version, run the [release pipeline](https://jenkins-master-prod-1.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_main/), which will bump the version, tag, build, and release the gem.
 
 
 ## Contributing & Support
@@ -110,9 +105,9 @@ Freenode, or the Puppet Community Slack channel.
 
 Contributions are welcome at https://github.com/puppetlabs/puppetserver-ca-cli/pulls.
 Contributors should both be sure to read the
-[contributing document](https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/CONTRIBUTING.md)
+[contributing document](https://github.com/puppetlabs/puppetserver-ca-cli/blob/master/CONTRIBUTING.md)
 and sign the [contributor license agreement](https://cla.puppet.com/).
 
 Everyone interacting with the project’s codebase, issue tracker, etc is expected
 to follow the
-[code of conduct](https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/CODE_OF_CONDUCT.md).
+[code of conduct](https://github.com/puppetlabs/puppetserver-ca-cli/blob/master/CODE_OF_CONDUCT.md).

data/lib/puppetserver/ca/action/clean.rb

@@ -14,7 +14,7 @@ module Puppetserver
 
         include Puppetserver::Ca::Utils
 
-        CERTNAME_BLOCKLIST = %w{--all --config}
+        CERTNAME_BLACKLIST = %w{--all --config}
 
         SUMMARY = 'Revoke cert(s) and remove related files from CA'
         BANNER = <<-BANNER
@@ -59,7 +59,7 @@ BANNER
           errors = CliParsing.parse_with_errors(parser, args)
 
           results['certnames'].each do |certname|
-            if CERTNAME_BLOCKLIST.include?(certname)
+            if CERTNAME_BLACKLIST.include?(certname)
               errors << "    Cannot manage cert named `#{certname}` from " +
                         "the CLI, if needed use the HTTP API directly"
             end
@@ -85,7 +85,7 @@ BANNER
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           result = clean_certs(certnames, puppet.settings)

data/lib/puppetserver/ca/action/enable.rb

@@ -45,7 +45,7 @@ BANNER
           end
 
           puppet = Config::Puppet.new(config_path)
-          puppet.load
+          puppet.load({}, @logger)
           settings = puppet.settings
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 

data/lib/puppetserver/ca/action/generate.rb

@@ -18,7 +18,7 @@ module Puppetserver
 
         # Only allow printing ascii characters, excluding /
         VALID_CERTNAME = /\A[ -.0-~]+\Z/
-        CERTNAME_BLOCKLIST = %w{--all --config}
+        CERTNAME_BLACKLIST = %w{--all --config}
 
         SUMMARY = "Generate a new certificate signed by the CA"
         BANNER = <<-BANNER
@@ -35,7 +35,7 @@ Description:
   If the `--ca-client` flag is passed, the cert will be generated
   offline, without using Puppet Server's signing code, and will add
   a special extension authorizing it to talk to the CA API. This can
-  be used for regenerating the server's host cert, or for manually
+  be used for regenerating the master's host cert, or for manually
   setting up other nodes to be CA clients. Do not distribute certs
   generated this way to any node that you do not intend to have
   administrative access to the CA (e.g. the ability to sign a cert).
@@ -91,7 +91,7 @@ BANNER
             errors << '    At least one certname is required to generate'
           else
             results['certnames'].each do |certname|
-              if CERTNAME_BLOCKLIST.include?(certname)
+              if CERTNAME_BLACKLIST.include?(certname)
                 errors << "    Cannot manage cert named `#{certname}` from " +
                           "the CLI, if needed use the HTTP API directly"
               end
@@ -126,7 +126,7 @@ BANNER
           # Load, resolve, and validate puppet config settings
           settings_overrides = {}
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(settings_overrides, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           # We don't want generate to respect the alt names setting, since it is usually
@@ -296,9 +296,7 @@ BANNER
         end
 
         def process_alt_names(alt_names, certname)
-          # It is recommended (and sometimes enforced) to always include
-          # the certname as a SAN, see RFC 2818 https://tools.ietf.org/html/rfc2818#section-3.1.
-          return "DNS:#{certname}" if alt_names.empty?
+          return '' if alt_names.empty?
 
           current_alt_names = alt_names.dup
           # When validating the cert, OpenSSL will ignore the CN field if

data/lib/puppetserver/ca/action/import.rb

@@ -4,6 +4,7 @@ require 'puppetserver/ca/config/puppet'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/local_certificate_authority'
 require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/config'
 require 'puppetserver/ca/utils/file_system'
 require 'puppetserver/ca/utils/signing_digest'
 require 'puppetserver/ca/x509_loader'
@@ -14,7 +15,7 @@ module Puppetserver
       class Import
         include Puppetserver::Ca::Utils
 
-        SUMMARY = "Import an external CA chain and generate server PKI"
+        SUMMARY = "Import an external CA chain and generate master PKI"
         BANNER = <<-BANNER
 Usage:
   puppetserver ca import [--help]
@@ -55,7 +56,7 @@ BANNER
           settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
 
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(settings_overrides, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           # Load most secure signing digest we can for cers/crl/csr signing.
@@ -72,7 +73,7 @@ BANNER
         def import(loader, settings, signing_digest)
           ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
           ca.initialize_ssl_components(loader)
-          server_key, server_cert = ca.create_server_cert
+          master_key, master_cert = ca.create_master_cert
           return ca.errors if ca.errors.any?
 
           FileSystem.ensure_dirs([settings[:ssldir],
@@ -88,25 +89,25 @@ BANNER
             [settings[:cadir] + '/infra_crl.pem', loader.crls],
             [settings[:localcacert], loader.certs],
             [settings[:hostcrl], loader.crls],
-            [settings[:hostpubkey], server_key.public_key],
-            [settings[:hostcert], server_cert],
-            [settings[:cert_inventory], ca.inventory_entry(server_cert)],
+            [settings[:hostpubkey], master_key.public_key],
+            [settings[:hostcert], master_cert],
+            [settings[:cert_inventory], ca.inventory_entry(master_cert)],
             [settings[:capub], loader.key.public_key],
             [settings[:cadir] + '/infra_inventory.txt', ''],
             [settings[:cadir] + '/infra_serials', ''],
             [settings[:serial], "002"],
-            [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), server_cert]
+            [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), master_cert]
           ]
 
           private_files = [
-            [settings[:hostprivkey], server_key],
+            [settings[:hostprivkey], master_key],
             [settings[:cakey], loader.key],
           ]
 
           files_to_check = public_files + private_files
-          # We don't want to error if server's keys exist. Certain workflows
+          # We don't want to error if master's keys exist. Certain workflows
           # allow the agent to have already be installed with keys and then
-          # upgraded to be a server. The host class will honor keys, if both
+          # upgraded to be a master. The host class will honor keys, if both
           # public and private exist, and error if only one exists - as is
           # previous behavior.
           files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
@@ -130,6 +131,8 @@ ERR
             FileSystem.write_file(location, content, 0640)
           end
 
+          Puppetserver::Ca::Utils::Config.symlink_to_old_cadir(settings[:cadir], settings[:confdir])
+
           return []
         end
 
@@ -178,11 +181,11 @@ ERR
               parsed['crl-chain'] = chain
             end
             opts.on('--certname NAME',
-                    'Common name to use for the server cert') do |name|
+                    'Common name to use for the master cert') do |name|
               parsed['certname'] = name
             end
             opts.on('--subject-alt-names NAME[,NAME]',
-                    'Subject alternative names for the server cert') do |sans|
+                    'Subject alternative names for the master cert') do |sans|
               parsed['subject-alt-names'] = sans
             end
           end

data/lib/puppetserver/ca/action/list.rb

@@ -30,7 +30,6 @@ Options:
       BANNER
 
         BODY = JSON.dump({desired_state: 'signed'})
-        VALID_FORMAT = ['text', 'json']
 
         def initialize(logger)
           @logger = logger
@@ -48,9 +47,6 @@ Options:
             opts.on('--all', 'List all certificates') do |a|
               parsed['all'] = true
             end
-            opts.on('--format FORMAT', "Valid formats are: 'text' (default), 'json'") do |f|
-              parsed['format'] = f
-            end
             opts.on('--certname NAME[,NAME]', Array, 'List the specified cert(s)') do |cert|
               parsed['certname'] = cert
             end
@@ -61,15 +57,9 @@ Options:
           config = input['config']
           certnames = input['certname'] || []
           all = input['all']
-          output_format = input['format'] || "text"
-
-          unless VALID_FORMAT.include?(output_format)
-            Errors.handle_with_usage(@logger, ["Unknown format flag '#{output_format}'. Valid formats are '#{VALID_FORMAT.join("', '")}'."])
-            return 1
-          end
 
           if all && certnames.any?
-            Errors.handle_with_usage(@logger, ['Cannot combine use of --all and --certname.'])
+            Errors.handle_with_usage(@logger, ['Cannot combine use of --all and --certname'])
             return 1
           end
 
@@ -78,63 +68,27 @@ Options:
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
-          if certnames.any?
-            filter_names = lambda { |x| certnames.include?(x['name']) }
-          else
-            filter_names = lambda { |x| true }
-          end
+          filter_names = certnames.any? \
+            ? lambda { |x| certnames.include?(x['name']) }
+            : lambda { |x| true }
 
           all_certs = get_all_certs(puppet.settings).select { |cert| filter_names.call(cert) }
           requested, signed, revoked = separate_certs(all_certs)
           missing = certnames - all_certs.map { |cert| cert['name'] }
 
-          if (all || certnames.any?)
-            output_certs_by_state(all, output_format, requested, signed, revoked, missing)
-          else
-            output_certs_by_state(all, output_format, requested)
-          end
-
-          return missing.any? ? 1 : 0
-        end
+          (all || certnames.any?) \
+            ? output_certs_by_state(requested, signed, revoked, missing)
+            : output_certs_by_state(requested)
 
-        def output_certs_by_state(all, output_format, requested, signed = [], revoked = [], missing = [])
-          if output_format == 'json'
-            output_certs_json_format(all, requested, signed, revoked, missing)
-          else
-            output_certs_text_format(requested, signed, revoked, missing)
-          end
+          return missing.any? \
+            ? 1
+            : 0
         end
 
-        def output_certs_json_format(all, requested, signed, revoked, missing)
-          grouped_cert = {}
-
-          if all
-            grouped_cert = { "requested" => requested,
-                             "signed" => signed,
-                             "revoked" => revoked }.to_json
-            @logger.inform(grouped_cert)
-          else
-            grouped_cert["requested"] = requested unless requested.empty?
-            grouped_cert["signed"] = signed unless signed.empty?
-            grouped_cert["revoked"] = revoked unless revoked.empty?
-            grouped_cert["missing"] = missing unless missing.empty?
-
-            # If neither the '--all' flag or the '--certname' flag was passed in
-            # and the requested cert array is empty, we output a JSON object
-            # with an empty 'requested' key. Otherwise, we display
-            # any of the classes that are currently in grouped_cert
-            if grouped_cert.empty?
-              @logger.inform({ "requested" => requested }.to_json)
-            else
-              @logger.inform(grouped_cert.to_json)
-            end
-          end
-        end
-
-        def output_certs_text_format(requested, signed, revoked, missing)
+        def output_certs_by_state(requested, signed = [], revoked = [], missing = [])
           if revoked.empty? && signed.empty? && requested.empty? && missing.empty?
             @logger.inform "No certificates to list"
             return
@@ -211,12 +165,7 @@ Options:
 
         def get_all_certs(settings)
           result = Puppetserver::Ca::CertificateAuthority.new(@logger, settings).get_certificate_statuses
-
-          if result
-            return JSON.parse(result.body)
-          else
-            return []
-          end
+          result ? JSON.parse(result.body) : []
         end
 
         def parse(args)
@@ -227,11 +176,8 @@ Options:
 
           errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
 
-          if errors_were_handled
-            exit_code = 1
-          else
-            exit_code = nil
-          end
+          exit_code = errors_were_handled ? 1 : nil
+
           return results, exit_code
         end
       end

data/lib/puppetserver/ca/action/migrate.rb

@@ -29,7 +29,7 @@ BANNER
         def run(input)
           config_path = input['config']
           puppet = Config::Puppet.new(config_path)
-          puppet.load
+          puppet.load({}, @logger)
           return 1 if HttpClient.check_server_online(puppet.settings, @logger)
 
           errors = FileSystem.check_for_existing_files(PUPPETSERVER_CA_DIR)
@@ -66,14 +66,6 @@ SUCCESS_MESSAGE
         def migrate(old_cadir, new_cadir=PUPPETSERVER_CA_DIR)
           FileUtils.mv(old_cadir, new_cadir)
           FileUtils.symlink(new_cadir, old_cadir)
-          # Ensure the symlink has the same ownership as the actual cadir.
-          # This requires using `FileUtils.chown` rather than `File.chown`, as
-          # the latter will update the ownership of the target rather than the
-          # link itself.
-          # Symlink permissions are ignored in favor of the target's permissions,
-          # so we don't have to change those.
-          cadir = File.stat(new_cadir)
-          FileUtils.chown(cadir.uid, cadir.gid, old_cadir)
         end
 
         def parse(args)

data/lib/puppetserver/ca/action/revoke.rb

@@ -12,7 +12,7 @@ module Puppetserver
 
         include Puppetserver::Ca::Utils
 
-        CERTNAME_BLOCKLIST = %w{--all --config}
+        CERTNAME_BLACKLIST = %w{--all --config}
 
         SUMMARY = 'Revoke certificate(s)'
         BANNER = <<-BANNER
@@ -55,7 +55,7 @@ BANNER
           errors = CliParsing.parse_with_errors(parser, args)
 
           results['certnames'].each do |certname|
-            if CERTNAME_BLOCKLIST.include?(certname)
+            if CERTNAME_BLACKLIST.include?(certname)
               errors << "    Cannot manage cert named `#{certname}` from " +
                         "the CLI, if needed use the HTTP API directly"
             end
@@ -83,7 +83,7 @@ BANNER
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           result =  revoke_certs(certnames, puppet.settings)

data/lib/puppetserver/ca/action/setup.rb

@@ -3,6 +3,7 @@ require 'optparse'
 require 'puppetserver/ca/config/puppet'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/local_certificate_authority'
+require 'puppetserver/ca/utils/config'
 require 'puppetserver/ca/utils/cli_parsing'
 require 'puppetserver/ca/utils/file_system'
 require 'puppetserver/ca/utils/signing_digest'
@@ -23,10 +24,10 @@ Usage:
 Description:
   Setup a root and intermediate signing CA for Puppet Server
   and store generated CA keys, certs, crls, and associated
-  server related files on disk.
+  master related files on disk.
 
   The `--subject-alt-names` flag can be used to add SANs to the
-  certificate generated for the Puppet server. Multiple names can be
+  certificate generated for the Puppet master. Multiple names can be
   listed as a comma separated string. These can be either DNS names or
   IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
   Names with no prefix will be treated as DNS names.
@@ -55,7 +56,7 @@ BANNER
           settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
 
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(settings_overrides, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           # Load most secure signing digest we can for cers/crl/csr signing.
@@ -76,7 +77,7 @@ BANNER
 
           root_key, root_cert, root_crl = ca.create_root_cert
           ca.create_intermediate_cert(root_key, root_cert)
-          server_key, server_cert = ca.create_server_cert
+          master_key, master_cert = ca.create_master_cert
           return ca.errors if ca.errors.any?
 
           FileSystem.ensure_dirs([settings[:ssldir],
@@ -90,28 +91,28 @@ BANNER
             [settings[:cacert], [ca.cert, root_cert]],
             [settings[:cacrl], [ca.crl, root_crl]],
             [settings[:cadir] + '/infra_crl.pem', [ca.crl, root_crl]],
-            [settings[:hostcert], server_cert],
+            [settings[:hostcert], master_cert],
             [settings[:localcacert], [ca.cert, root_cert]],
             [settings[:hostcrl], [ca.crl, root_crl]],
-            [settings[:hostpubkey], server_key.public_key],
+            [settings[:hostpubkey], master_key.public_key],
             [settings[:capub], ca.key.public_key],
-            [settings[:cert_inventory], ca.inventory_entry(server_cert)],
+            [settings[:cert_inventory], ca.inventory_entry(master_cert)],
             [settings[:cadir] + '/infra_inventory.txt', ''],
             [settings[:cadir] + '/infra_serials', ''],
             [settings[:serial], "002"],
-            [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), server_cert],
+            [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), master_cert],
           ]
 
           private_files = [
-            [settings[:hostprivkey], server_key],
+            [settings[:hostprivkey], master_key],
             [settings[:rootkey], root_key],
             [settings[:cakey], ca.key],
           ]
 
           files_to_check = public_files + private_files
-          # We don't want to error if server's keys exist. Certain workflows
+          # We don't want to error if master's keys exist. Certain workflows
           # allow the agent to have already be installed with keys and then
-          # upgraded to be a server. The host class will honor keys, if both
+          # upgraded to be a master. The host class will honor keys, if both
           # public and private exist, and error if only one exists - as is
           # previous behavior.
           files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
@@ -135,6 +136,8 @@ ERR
             FileSystem.write_file(location, content, 0640)
           end
 
+          Puppetserver::Ca::Utils::Config.symlink_to_old_cadir(settings[:cadir], settings[:confdir])
+
           return []
         end
 
@@ -160,7 +163,7 @@ ERR
               parsed['config'] = conf
             end
             opts.on('--subject-alt-names NAME[,NAME]',
-                    'Subject alternative names for the server cert') do |sans|
+                    'Subject alternative names for the master cert') do |sans|
               parsed['subject-alt-names'] = sans
             end
             opts.on('--ca-name NAME',
@@ -168,7 +171,7 @@ ERR
               parsed['ca-name'] = name
             end
             opts.on('--certname NAME',
-                    'Common name to use for the server cert') do |name|
+                    'Common name to use for the master cert') do |name|
               parsed['certname'] = name
             end
           end

data/lib/puppetserver/ca/action/sign.rb

@@ -62,7 +62,7 @@ Options:
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           ca = Puppetserver::Ca::CertificateAuthority.new(@logger, puppet.settings)

data/lib/puppetserver/ca/certificate_authority.rb

@@ -23,7 +23,7 @@ module Puppetserver
 
       def initialize(logger, settings)
         @logger = logger
-        @client = HttpClient.new(@logger, settings)
+        @client = HttpClient.new(settings)
         @ca_server = settings[:ca_server]
         @ca_port = settings[:ca_port]
       end

data/lib/puppetserver/ca/cli.rb

@@ -64,10 +64,8 @@ BANNER
 
 
       def self.run(cli_args = ARGV, out = STDOUT, err = STDERR)
+        logger = Puppetserver::Ca::Logger.new(:info, out, err)
         parser, general_options, unparsed = parse_general_inputs(cli_args)
-        level = general_options.delete('verbose') ? :debug : :info
-
-        logger = Puppetserver::Ca::Logger.new(level, out, err)
 
         if general_options['version']
           logger.inform Puppetserver::Ca::VERSION
@@ -123,9 +121,6 @@ BANNER
           opts.on('--version', 'Display the version') do |v|
             parsed['version'] = true
           end
-          opts.on('--verbose', 'Display low-level information') do |verbose|
-            parsed['verbose'] = true
-          end
 
           opts.separator ACTION_OPTIONS
           opts.separator "\nSee `puppetserver ca <action> --help` for detailed info"

data/lib/puppetserver/ca/config/puppet.rb

@@ -23,9 +23,9 @@ module Puppetserver
         # A regex describing valid formats with groups for capturing the value and units
         TTL_FORMAT = /^(\d+)(y|d|h|m|s)?$/
 
-        def self.parse(config_path)
+        def self.parse(config_path, logger)
           instance = new(config_path)
-          instance.load
+          instance.load({}, logger)
 
           return instance
         end
@@ -34,7 +34,7 @@ module Puppetserver
 
         def initialize(supplied_config_path = nil)
           @using_default_location = !supplied_config_path
-          @config_path = supplied_config_path || user_specific_conf_file
+          @config_path = supplied_config_path || user_specific_puppet_config
 
           @settings = nil
           @errors = []
@@ -46,55 +46,45 @@ module Puppetserver
         # on Windows are unsupported.
         # Note that Puppet Server runs as the [pe-]puppet user but to
         # start/stop it you must be root.
-        def user_specific_conf_dir
-          @user_specific_conf_dir ||=
-            if Puppetserver::Ca::Utils::Config.running_as_root?
-              '/etc/puppetlabs/puppet'
-            else
-              "#{ENV['HOME']}/.puppetlabs/etc/puppet"
-            end
+        def user_specific_puppet_confdir
+          @user_specific_puppet_confdir ||= Puppetserver::Ca::Utils::Config.puppet_confdir
         end
 
-        def user_specific_conf_file
-          user_specific_conf_dir + '/puppet.conf'
+        def user_specific_puppet_config
+          user_specific_puppet_confdir + '/puppet.conf'
         end
 
-        def load(cli_overrides = {})
+        def load(cli_overrides = {}, logger)
           if explicitly_given_config_file_or_default_config_exists?
             results = parse_text(File.read(@config_path))
           end
 
           results ||= {}
           results[:main] ||= {}
-          # The [master] config section is deprecated
-          # We now favor [server], but support both for backwards compatibility
           results[:master] ||= {}
-          results[:server] ||= {}
           results[:agent] ||= {}
 
-          overrides = results[:agent].merge(results[:main]).merge(results[:master]).merge(results[:server])
+          overrides = results[:agent].merge(results[:main]).merge(results[:master])
           overrides.merge!(cli_overrides)
-          if overrides[:masterport]
-            overrides[:serverport] ||= overrides.delete(:masterport)
-          end
 
-          @settings = resolve_settings(overrides).freeze
+          @settings = resolve_settings(overrides, logger).freeze
         end
 
         def default_certname
-          hostname = Facter.value(:hostname)
-          domain = Facter.value(:domain)
-          if domain and domain != ''
-            fqdn = [hostname, domain].join('.')
-          else
-            fqdn = hostname
-          end
-          fqdn.chomp('.')
+          @certname ||=
+            hostname = Facter.value(:hostname)
+            domain = Facter.value(:domain)
+            if domain and domain != ''
+              fqdn = [hostname, domain].join('.')
+            else
+              fqdn = hostname
+            end
+            fqdn.chomp('.')
         end
 
         # Resolve settings from default values, with any overrides for the
         # specific settings or their dependent settings (ssldir, cadir) taken into account.
-        def resolve_settings(overrides = {})
+        def resolve_settings(overrides = {}, logger)
           unresolved_setting = /\$[a-z_]+/
 
           # Returning the key for unknown keys (rather than nil) is required to
@@ -106,12 +96,12 @@ module Puppetserver
           # These need to be evaluated before we can construct their dependent
           # defaults below
           base_defaults = [
-            [:confdir, user_specific_conf_dir],
+            [:confdir, user_specific_puppet_confdir],
             [:ssldir,'$confdir/ssl'],
             [:certdir, '$ssldir/certs'],
             [:certname, default_certname],
             [:server, 'puppet'],
-            [:serverport, '8140'],
+            [:masterport, '8140'],
             [:privatekeydir, '$ssldir/private_keys'],
             [:publickeydir, '$ssldir/public_keys'],
           ]
@@ -129,7 +119,7 @@ module Puppetserver
             :serial => '$cadir/serial',
             :cert_inventory => '$cadir/inventory.txt',
             :ca_server => '$server',
-            :ca_port => '$serverport',
+            :ca_port => '$masterport',
             :localcacert => '$certdir/ca.pem',
             :hostcrl => '$ssldir/crl.pem',
             :hostcert => '$certdir/$certname.pem',
@@ -153,9 +143,12 @@ module Puppetserver
           end
 
           cadir = find_cadir(overrides.fetch(:cadir, false),
-                             settings[:confdir])
+                             settings[:confdir],
+                             settings[:ssldir],
+                             logger)
           settings[:cadir] = substitutions['$cadir'] = cadir
 
+
           dependent_defaults.each do |setting_name, default_value|
             setting_value = overrides.fetch(setting_name, default_value)
             settings[setting_name] = setting_value
@@ -218,17 +211,29 @@ module Puppetserver
 
        private
 
-        def find_cadir(configured_cadir, confdir)
+
+        def find_cadir(configured_cadir, confdir, ssldir, logger)
+          warning = 'The cadir is currently configured to be inside the ' +
+            '%{ssldir} directory. This config setting and the directory ' +
+            'location will not be used in a future version of puppet. ' +
+            'Please run the puppetserver ca tool to migrate out from the ' +
+            'puppet confdir to the /etc/puppetlabs/puppetserver/ca directory. ' +
+            'Use `puppetserver ca migrate --help` for more info.'
+
           if configured_cadir
+            if configured_cadir.start_with?(ssldir)
+              logger.warn(warning % {ssldir: ssldir})
+            end
             configured_cadir
+
           else
             old_cadir = Puppetserver::Ca::Utils::Config.old_default_cadir(confdir)
             new_cadir = Puppetserver::Ca::Utils::Config.new_default_cadir(confdir)
-
-            if File.exist?("#{new_cadir}/ca_crt.pem")
-              new_cadir
-            else
+            if File.exist?(old_cadir) && !File.symlink?(old_cadir)
+              logger.warn(warning % {ssldir: ssldir})
               old_cadir
+            else
+              new_cadir
             end
           end
         end
@@ -279,7 +284,7 @@ module Puppetserver
           end
 
           if settings.dig(:server_list, 0, 1) &&
-              settings[:ca_port] == '$serverport'
+              settings[:ca_port] == '$masterport'
 
             settings[:ca_port] = settings.dig(:server_list, 0, 1)
           end

data/lib/puppetserver/ca/host.rb

@@ -58,10 +58,10 @@ module Puppetserver
         @errors = []
       end
 
-      # If both the private and public keys exist for a server then we want
+      # If both the private and public keys exist for a master then we want
       # to honor them here, if only one key exists we want to surface an error,
       # and if neither exist we generate a new key. This logic is necessary for
-      # proper bootstrapping for certain server workflows.
+      # proper bootstrapping for certain master workflows.
       def create_private_key(keylength, private_path = '', public_path = '')
         if File.exists?(private_path) && File.exists?(public_path)
           return OpenSSL::PKey.read(File.read(private_path))

data/lib/puppetserver/ca/local_certificate_authority.rb

@@ -20,7 +20,7 @@ module Puppetserver
 
       CLI_AUTH_EXT_OID = "1.3.6.1.4.1.34380.1.3.39"
 
-      SERVER_EXTENSIONS = [
+      MASTER_EXTENSIONS = [
         ["basicConstraints", "CA:FALSE", true],
         ["nsComment", "Puppet Server Internal Certificate", false],
         ["authorityKeyIdentifier", "keyid:always", false],
@@ -132,23 +132,23 @@ module Puppetserver
         time.strftime('%Y-%m-%dT%H:%M:%S%Z')
       end
 
-      def create_server_cert
-        server_cert = nil
-        server_key = @host.create_private_key(@settings[:keylength],
+      def create_master_cert
+        master_cert = nil
+        master_key = @host.create_private_key(@settings[:keylength],
                                               @settings[:hostprivkey],
                                               @settings[:hostpubkey])
-        if server_key
-          server_csr = @host.create_csr(name: @settings[:certname], key: server_key)
+        if master_key
+          master_csr = @host.create_csr(name: @settings[:certname], key: master_key)
           if @settings[:subject_alt_names].empty?
             alt_names = "DNS:puppet, DNS:#{@settings[:certname]}"
           else
             alt_names = @settings[:subject_alt_names]
           end
 
-          server_cert = sign_authorized_cert(server_csr, alt_names)
+          master_cert = sign_authorized_cert(master_csr, alt_names)
         end
 
-        return server_key, server_cert
+        return master_key, master_cert
       end
 
       def sign_authorized_cert(csr, alt_names = '')
@@ -176,7 +176,7 @@ module Puppetserver
       end
 
       def add_authorized_extensions(cert, ef)
-        SERVER_EXTENSIONS.each do |ext|
+        MASTER_EXTENSIONS.each do |ext|
           extension = ef.create_extension(*ext)
           cert.add_extension(extension)
         end

data/lib/puppetserver/ca/logger.rb

@@ -13,10 +13,6 @@ module Puppetserver
         @err = err
       end
 
-      def level
-        @level
-      end
-
       def debug(text)
         if @level >= LEVELS[:debug]
           @out.puts(text)

data/lib/puppetserver/ca/utils/config.rb

@@ -1,3 +1,5 @@
+require 'puppetserver/ca/utils/file_system'
+
 module Puppetserver
   module Ca
     module Utils
@@ -31,6 +33,10 @@ module Puppetserver
           File.join(File.dirname(puppet_confdir), 'puppetserver')
         end
 
+        def self.default_ssldir(confdir = puppet_confdir)
+          File.join(confdir, 'ssl')
+        end
+
         def self.old_default_cadir(confdir = puppet_confdir)
           File.join(confdir, 'ssl', 'ca')
         end
@@ -38,6 +44,17 @@ module Puppetserver
         def self.new_default_cadir(confdir = puppet_confdir)
           File.join(puppetserver_confdir(confdir), 'ca')
         end
+
+        def self.symlink_to_old_cadir(current_cadir, puppet_confdir)
+          old_cadir = old_default_cadir(puppet_confdir)
+          new_cadir = new_default_cadir(puppet_confdir)
+          return if current_cadir != new_cadir
+          # This is only run on setup/import, so there should be no files in the
+          # old cadir, so it should be safe to forcibly remove it (which we need
+          # to do in order to create a symlink).
+          Puppetserver::Ca::Utils::FileSystem.forcibly_symlink(new_cadir, old_cadir)
+        end
+
       end
     end
   end

data/lib/puppetserver/ca/utils/file_system.rb

@@ -50,6 +50,11 @@ module Puppetserver
           errors
         end
 
+        def self.forcibly_symlink(source, link_target)
+          FileUtils.remove_dir(link_target, true)
+          FileUtils.symlink(source, link_target)
+        end
+
         def initialize
           @user, @group = find_user_and_group
         end

data/lib/puppetserver/ca/utils/http_client.rb

@@ -19,8 +19,7 @@ module Puppetserver
 
         # Not all connections require a client cert to be present.
         # For example, when querying the status endpoint.
-        def initialize(logger, settings, with_client_cert: true)
-          @logger = logger
+        def initialize(settings, with_client_cert: true)
           @store = make_store(settings[:localcacert],
                               settings[:certificate_revocation],
                               settings[:hostcrl])
@@ -51,7 +50,7 @@ module Puppetserver
         # The Connection object should have HTTP verbs defined on it that take
         # a body (and optional overrides). Returns whatever the block given returned.
         def with_connection(url, &block)
-          request = ->(conn) { block.call(Connection.new(conn, url, @logger)) }
+          request = ->(conn) { block.call(Connection.new(conn, url)) }
 
           begin
             Net::HTTP.start(url.host, url.port,
@@ -86,35 +85,29 @@ module Puppetserver
         # and defines methods named after HTTP verbs that are called on the
         # saved connection, returning a Result.
         class Connection
-          def initialize(net_http_connection, url_struct, logger)
+          def initialize(net_http_connection, url_struct)
             @conn = net_http_connection
             @url = url_struct
-            @logger = logger
           end
 
           def get(url_overide = nil, headers = {})
             url = url_overide || @url
             headers = DEFAULT_HEADERS.merge(headers)
 
-            @logger.debug("Making a GET request at #{url.full_url}")
-
             request = Net::HTTP::Get.new(url.to_uri, headers)
             result = @conn.request(request)
-            Result.new(result.code, result.body)
 
+            Result.new(result.code, result.body)
           end
 
           def put(body, url_override = nil, headers = {})
             url = url_override || @url
             headers = DEFAULT_HEADERS.merge(headers)
 
-            @logger.debug("Making a PUT request at #{url.full_url}")
-
             request = Net::HTTP::Put.new(url.to_uri, headers)
             request.body = body
             result = @conn.request(request)
 
-
             Result.new(result.code, result.body)
           end
 
@@ -122,8 +115,6 @@ module Puppetserver
             url = url_override || @url
             headers = DEFAULT_HEADERS.merge(headers)
 
-            @logger.debug("Making a DELETE request at #{url.full_url}")
-
             result = @conn.request(Net::HTTP::Delete.new(url.to_uri, headers))
 
             Result.new(result.code, result.body)
@@ -175,15 +166,15 @@ module Puppetserver
         def self.check_server_online(settings, logger)
           status_url = URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
           begin
-            # Generating certs offline is necessary if the server cert has been destroyed
+            # Generating certs offline is necessary if the master cert has been destroyed
             # or compromised. Since querying the status endpoint does not require a client cert, and
             # we commonly won't have one, don't require one for creating the connection.
             # Additionally, we want to ensure the server is stopped before migrating the CA dir to
             # avoid issues with writing to the CA dir and moving it.
-            self.new(logger, settings, with_client_cert: false).with_connection(status_url) do |conn|
+            self.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
               result = conn.get
               if result.body == "running"
-                logger.err "Puppetserver service is running. Please stop it before attempting to run this command."
+                logger.err "CA service is running. Please stop it before attempting to run this command."
                 true
               else
                 false

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.10.0"
+    VERSION = "2.0.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.10.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-07-06 00:00:00.000000000 Z
+date: 2020-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter