puppetserver-ca 1.10.0 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7200d67071717855a415f5b10ea96e2d008eb9e758b6c1bfcf367d41be1355c4
-  data.tar.gz: 9b94632f35b636420a5bb80fe6e1878daefb77b4d113aed5122a116113e7ff20
+  metadata.gz: 92fe6ca44899e2b5aeec75304212ff99b5e4530cbed2e0b451ad2dd77e2bf09a
+  data.tar.gz: c46bc437a85f0a52fde2d3b2b51bda909ad179c1997056810b397d4b27ae4867
 SHA512:
-  metadata.gz: 82cca168aa2217dd81a68acb3acaabdaddcc06d494a783a04a27a03965110d0ca66fe5a3eee01e4d949073e4e8594d61a3203f83066e8e64b2e857344a723566
-  data.tar.gz: 95708d9c5f670001c8c3018cf9804fd189d44cb52bcee4e0e86665c4b8d5fd114ebb7480a6576fcffe81fd2289ba28b1fe2c61a8d610d0733b6d6f947df0f04a
+  metadata.gz: 5c7ff17130d558382fa05f5f5bcb537ce9f2bc63a13078d1014783f636fcf0b0c02e604a0d4bf5694a486f67a56dec653430cea0c31eb911b7c15c9ea4e7f59d
+  data.tar.gz: 3ad80f74f02aac6a0dab1601cf54aad14756e0b1c0e2e0a30075d1eeafedff03b4546bc7c0cb7bc6dc6197b71abdb9f74816cd4596050b39e6c0f47ca47baf45

data/README.md

@@ -84,8 +84,8 @@ To test your changes on a VM:
 1. Copy the gem to your VM: `scp puppetserver-ca-<version>.gem <your-vm>:.`
 1. Install puppetserver (FOSS) by installing the relevant release package and then installing the puppetserver package. For example:
     ```
-    $ wget http://nightlies.puppet.com/yum/puppet6-nightly-release-el-7.noarch.rpm
-    $ rpm -i puppet6-nightly-release-el-7.noarch.rpm
+    $ wget http://nightlies.puppet.com/yum/puppet-nightly-release-el-7.noarch.rpm
+    $ rpm -i puppet-nightly-release-el-7.noarch.rpm
     $ yum update
     $ yum install -y puppetserver
     ```
@@ -97,8 +97,7 @@ To test your changes on a VM:
 1. To confirm that installation was successful, run `puppetserver ca --help`
 
 ### Releasing
-To release a new version, run the [release pipeline](https://jenkins-platform.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_1.x/), which will bump the version, tag, build, and release the gem.
-
+To release a new version, run the [release pipeline](https://jenkins-platform.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_main/), which will bump the version, tag, build, and release the gem.
 
 ## Contributing & Support
 

data/lib/puppetserver/ca/action/clean.rb

@@ -85,7 +85,7 @@ BANNER
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           result = clean_certs(certnames, puppet.settings)

data/lib/puppetserver/ca/action/enable.rb

@@ -45,7 +45,7 @@ BANNER
           end
 
           puppet = Config::Puppet.new(config_path)
-          puppet.load
+          puppet.load(logger: @logger)
           settings = puppet.settings
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 

data/lib/puppetserver/ca/action/generate.rb

@@ -126,7 +126,7 @@ BANNER
           # Load, resolve, and validate puppet config settings
           settings_overrides = {}
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(cli_overrides: settings_overrides, logger: @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           # We don't want generate to respect the alt names setting, since it is usually

data/lib/puppetserver/ca/action/import.rb

@@ -4,6 +4,7 @@ require 'puppetserver/ca/config/puppet'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/local_certificate_authority'
 require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/config'
 require 'puppetserver/ca/utils/file_system'
 require 'puppetserver/ca/utils/signing_digest'
 require 'puppetserver/ca/x509_loader'
@@ -55,7 +56,7 @@ BANNER
           settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
 
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(cli_overrides: settings_overrides, logger: @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           # Load most secure signing digest we can for cers/crl/csr signing.
@@ -130,6 +131,8 @@ ERR
             FileSystem.write_file(location, content, 0640)
           end
 
+          Puppetserver::Ca::Utils::Config.symlink_to_old_cadir(settings[:cadir], settings[:confdir])
+
           return []
         end
 

data/lib/puppetserver/ca/action/list.rb

@@ -78,7 +78,7 @@ Options:
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           if certnames.any?

data/lib/puppetserver/ca/action/migrate.rb

@@ -1,24 +1,26 @@
 require 'puppetserver/ca/utils/cli_parsing'
 require 'puppetserver/ca/utils/file_system'
 require 'puppetserver/ca/utils/http_client'
+require 'puppetserver/ca/utils/config'
 
 module Puppetserver
   module Ca
     module Action
       class Migrate
         include Puppetserver::Ca::Utils
-        PUPPETSERVER_CA_DIR = '/etc/puppetlabs/puppetserver/ca'
+        PUPPETSERVER_CA_DIR = Puppetserver::Ca::Utils::Config.new_default_cadir
 
-        SUMMARY = "Migrate the existing CA directory to /etc/puppetlabs/puppetserver/ca"
+        SUMMARY = "Migrate the existing CA directory to #{PUPPETSERVER_CA_DIR}"
         BANNER = <<-BANNER
 Usage:
   puppetserver ca migrate [--help]
   puppetserver ca migrate [--config PATH]
 
 Description:
-  Migrate an existing CA directory to /etc/puppetlabs/puppetserver/ca. This is for
-  upgrading from Puppet Platform 6.x to Puppet 7. Use the currently configured
-  puppet.conf file in your installation, or supply one using the `--config` flag.
+  Migrate an existing CA directory to #{PUPPETSERVER_CA_DIR}. This is for
+  upgrading from Puppet Platform 6.x to Puppet 7. Uses the default puppet.conf
+  in your installation, or use a different config by supplying the `--config` flag.
+
 Options:
 BANNER
 
@@ -29,7 +31,7 @@ BANNER
         def run(input)
           config_path = input['config']
           puppet = Config::Puppet.new(config_path)
-          puppet.load
+          puppet.load(logger: @logger, ca_dir_warn: false)
           return 1 if HttpClient.check_server_online(puppet.settings, @logger)
 
           errors = FileSystem.check_for_existing_files(PUPPETSERVER_CA_DIR)
@@ -65,15 +67,7 @@ SUCCESS_MESSAGE
 
         def migrate(old_cadir, new_cadir=PUPPETSERVER_CA_DIR)
           FileUtils.mv(old_cadir, new_cadir)
-          FileUtils.symlink(new_cadir, old_cadir)
-          # Ensure the symlink has the same ownership as the actual cadir.
-          # This requires using `FileUtils.chown` rather than `File.chown`, as
-          # the latter will update the ownership of the target rather than the
-          # link itself.
-          # Symlink permissions are ignored in favor of the target's permissions,
-          # so we don't have to change those.
-          cadir = File.stat(new_cadir)
-          FileUtils.chown(cadir.uid, cadir.gid, old_cadir)
+          FileSystem.forcibly_symlink(new_cadir, old_cadir)
         end
 
         def parse(args)

data/lib/puppetserver/ca/action/revoke.rb

@@ -83,7 +83,7 @@ BANNER
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           result =  revoke_certs(certnames, puppet.settings)

data/lib/puppetserver/ca/action/setup.rb

@@ -3,6 +3,7 @@ require 'optparse'
 require 'puppetserver/ca/config/puppet'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/local_certificate_authority'
+require 'puppetserver/ca/utils/config'
 require 'puppetserver/ca/utils/cli_parsing'
 require 'puppetserver/ca/utils/file_system'
 require 'puppetserver/ca/utils/signing_digest'
@@ -55,7 +56,7 @@ BANNER
           settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
 
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(cli_overrides: settings_overrides, logger: @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           # Load most secure signing digest we can for cers/crl/csr signing.
@@ -135,6 +136,8 @@ ERR
             FileSystem.write_file(location, content, 0640)
           end
 
+          Puppetserver::Ca::Utils::Config.symlink_to_old_cadir(settings[:cadir], settings[:confdir])
+
           return []
         end
 

data/lib/puppetserver/ca/action/sign.rb

@@ -62,7 +62,7 @@ Options:
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           ca = Puppetserver::Ca::CertificateAuthority.new(@logger, puppet.settings)

data/lib/puppetserver/ca/config/puppet.rb

@@ -23,9 +23,9 @@ module Puppetserver
         # A regex describing valid formats with groups for capturing the value and units
         TTL_FORMAT = /^(\d+)(y|d|h|m|s)?$/
 
-        def self.parse(config_path)
+        def self.parse(config_path, logger)
           instance = new(config_path)
-          instance.load
+          instance.load(logger: logger)
 
           return instance
         end
@@ -34,7 +34,7 @@ module Puppetserver
 
         def initialize(supplied_config_path = nil)
           @using_default_location = !supplied_config_path
-          @config_path = supplied_config_path || user_specific_conf_file
+          @config_path = supplied_config_path || user_specific_puppet_config
 
           @settings = nil
           @errors = []
@@ -46,20 +46,15 @@ module Puppetserver
         # on Windows are unsupported.
         # Note that Puppet Server runs as the [pe-]puppet user but to
         # start/stop it you must be root.
-        def user_specific_conf_dir
-          @user_specific_conf_dir ||=
-            if Puppetserver::Ca::Utils::Config.running_as_root?
-              '/etc/puppetlabs/puppet'
-            else
-              "#{ENV['HOME']}/.puppetlabs/etc/puppet"
-            end
+        def user_specific_puppet_confdir
+          @user_specific_puppet_confdir ||= Puppetserver::Ca::Utils::Config.puppet_confdir
         end
 
-        def user_specific_conf_file
-          user_specific_conf_dir + '/puppet.conf'
+        def user_specific_puppet_config
+          user_specific_puppet_confdir + '/puppet.conf'
         end
 
-        def load(cli_overrides = {})
+        def load(cli_overrides: {}, logger:, ca_dir_warn: true)
           if explicitly_given_config_file_or_default_config_exists?
             results = parse_text(File.read(@config_path))
           end
@@ -78,7 +73,7 @@ module Puppetserver
             overrides[:serverport] ||= overrides.delete(:masterport)
           end
 
-          @settings = resolve_settings(overrides).freeze
+          @settings = resolve_settings(overrides, logger, ca_dir_warn: ca_dir_warn).freeze
         end
 
         def default_certname
@@ -94,7 +89,7 @@ module Puppetserver
 
         # Resolve settings from default values, with any overrides for the
         # specific settings or their dependent settings (ssldir, cadir) taken into account.
-        def resolve_settings(overrides = {})
+        def resolve_settings(overrides = {}, logger, ca_dir_warn: true)
           unresolved_setting = /\$[a-z_]+/
 
           # Returning the key for unknown keys (rather than nil) is required to
@@ -106,7 +101,7 @@ module Puppetserver
           # These need to be evaluated before we can construct their dependent
           # defaults below
           base_defaults = [
-            [:confdir, user_specific_conf_dir],
+            [:confdir, user_specific_puppet_confdir],
             [:ssldir,'$confdir/ssl'],
             [:certdir, '$ssldir/certs'],
             [:certname, default_certname],
@@ -153,9 +148,13 @@ module Puppetserver
           end
 
           cadir = find_cadir(overrides.fetch(:cadir, false),
-                             settings[:confdir])
+                             settings[:confdir],
+                             settings[:ssldir],
+                             logger,
+                             ca_dir_warn)
           settings[:cadir] = substitutions['$cadir'] = cadir
 
+
           dependent_defaults.each do |setting_name, default_value|
             setting_value = overrides.fetch(setting_name, default_value)
             settings[setting_name] = setting_value
@@ -218,17 +217,29 @@ module Puppetserver
 
        private
 
-        def find_cadir(configured_cadir, confdir)
+
+        def find_cadir(configured_cadir, confdir, ssldir, logger, ca_dir_warn)
+          warning = 'The cadir is currently configured to be inside the ' +
+            '%{ssldir} directory. This config setting and the directory ' +
+            'location will not be used in a future version of puppet. ' +
+            'Please run the puppetserver ca tool to migrate out from the ' +
+            'puppet confdir to the /etc/puppetlabs/puppetserver/ca directory. ' +
+            'Use `puppetserver ca migrate --help` for more info.'
+
           if configured_cadir
+            if ca_dir_warn && configured_cadir.start_with?(ssldir)
+              logger.warn(warning % {ssldir: ssldir})
+            end
             configured_cadir
+
           else
             old_cadir = Puppetserver::Ca::Utils::Config.old_default_cadir(confdir)
             new_cadir = Puppetserver::Ca::Utils::Config.new_default_cadir(confdir)
-
-            if File.exist?("#{new_cadir}/ca_crt.pem")
-              new_cadir
-            else
+            if File.exist?(old_cadir) && !File.symlink?(old_cadir)
+              logger.warn(warning % {ssldir: ssldir}) if ca_dir_warn
               old_cadir
+            else
+              new_cadir
             end
           end
         end

data/lib/puppetserver/ca/utils/config.rb

@@ -1,3 +1,5 @@
+require 'puppetserver/ca/utils/file_system'
+
 module Puppetserver
   module Ca
     module Utils
@@ -31,6 +33,10 @@ module Puppetserver
           File.join(File.dirname(puppet_confdir), 'puppetserver')
         end
 
+        def self.default_ssldir(confdir = puppet_confdir)
+          File.join(confdir, 'ssl')
+        end
+
         def self.old_default_cadir(confdir = puppet_confdir)
           File.join(confdir, 'ssl', 'ca')
         end
@@ -38,6 +44,17 @@ module Puppetserver
         def self.new_default_cadir(confdir = puppet_confdir)
           File.join(puppetserver_confdir(confdir), 'ca')
         end
+
+        def self.symlink_to_old_cadir(current_cadir, puppet_confdir)
+          old_cadir = old_default_cadir(puppet_confdir)
+          new_cadir = new_default_cadir(puppet_confdir)
+          return if current_cadir != new_cadir
+          # This is only run on setup/import, so there should be no files in the
+          # old cadir, so it should be safe to forcibly remove it (which we need
+          # to do in order to create a symlink).
+          Puppetserver::Ca::Utils::FileSystem.forcibly_symlink(new_cadir, old_cadir)
+        end
+
       end
     end
   end

data/lib/puppetserver/ca/utils/file_system.rb

@@ -50,6 +50,19 @@ module Puppetserver
           errors
         end
 
+        def self.forcibly_symlink(source, link_target)
+          FileUtils.remove_dir(link_target, true)
+          FileUtils.symlink(source, link_target)
+          # Ensure the symlink has the same ownership as the source.
+          # This requires using `FileUtils.chown` rather than `File.chown`, as
+          # the latter will update the ownership of the source rather than the
+          # link itself.
+          # Symlink permissions are ignored in favor of the source's permissions,
+          # so we don't have to change those.
+          source_info = File.stat(source)
+          FileUtils.chown(source_info.uid, source_info.gid, link_target)
+        end
+
         def initialize
           @user, @group = find_user_and_group
         end

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.10.0"
+    VERSION = "2.2.0"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.10.0
+  version: 2.2.0
 platform: ruby
 authors:
 - Puppet, Inc.