puppetserver-ca 1.11.7 → 2.0.0

data/lib/puppetserver/ca/cli.rb

@@ -8,7 +8,6 @@ require 'puppetserver/ca/action/list'
 require 'puppetserver/ca/action/revoke'
 require 'puppetserver/ca/action/setup'
 require 'puppetserver/ca/action/sign'
-require 'puppetserver/ca/action/prune'
 require 'puppetserver/ca/action/migrate'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/logger'
@@ -26,12 +25,11 @@ Manage the Private Key Infrastructure for
 Puppet Server's built-in Certificate Authority
 BANNER
 
-      ADMIN_ACTIONS = {
+      INIT_ACTIONS = {
         'import'   => Action::Import,
         'setup'    => Action::Setup,
-        'enable'   => Action::Enable,
-        'migrate'  => Action::Migrate,
-        'prune'    => Action::Prune
+        'enable' => Action::Enable,
+        'migrate' => Action::Migrate,
       }
 
       MAINT_ACTIONS = {
@@ -42,15 +40,15 @@ BANNER
         'sign'     => Action::Sign
       }
 
-      VALID_ACTIONS = ADMIN_ACTIONS.merge(MAINT_ACTIONS).sort.to_h
+      VALID_ACTIONS = INIT_ACTIONS.merge(MAINT_ACTIONS).sort.to_h
 
       ACTION_LIST = "\nAvailable Actions:\n\n" +
         "  Certificate Actions (requires a running Puppet Server):\n\n" +
         MAINT_ACTIONS.map do |action, cls|
           "    #{action}\t#{cls::SUMMARY}"
         end.join("\n") + "\n\n" +
-        "  Administrative Actions (requires Puppet Server to be stopped):\n\n" +
-        ADMIN_ACTIONS.map do |action, cls|
+        "  Initialization Actions (requires Puppet Server to be stopped):\n\n" +
+        INIT_ACTIONS.map do |action, cls|
           "    #{action}\t#{cls::SUMMARY}"
         end.join("\n")
 
@@ -66,10 +64,8 @@ BANNER
 
 
       def self.run(cli_args = ARGV, out = STDOUT, err = STDERR)
+        logger = Puppetserver::Ca::Logger.new(:info, out, err)
         parser, general_options, unparsed = parse_general_inputs(cli_args)
-        level = general_options.delete('verbose') ? :debug : :info
-
-        logger = Puppetserver::Ca::Logger.new(level, out, err)
 
         if general_options['version']
           logger.inform Puppetserver::Ca::VERSION
@@ -125,9 +121,6 @@ BANNER
           opts.on('--version', 'Display the version') do |v|
             parsed['version'] = true
           end
-          opts.on('--verbose', 'Display low-level information') do |verbose|
-            parsed['verbose'] = true
-          end
 
           opts.separator ACTION_OPTIONS
           opts.separator "\nSee `puppetserver ca <action> --help` for detailed info"

data/lib/puppetserver/ca/config/puppet.rb

@@ -23,9 +23,9 @@ module Puppetserver
         # A regex describing valid formats with groups for capturing the value and units
         TTL_FORMAT = /^(\d+)(y|d|h|m|s)?$/
 
-        def self.parse(config_path)
+        def self.parse(config_path, logger)
           instance = new(config_path)
-          instance.load
+          instance.load({}, logger)
 
           return instance
         end
@@ -34,7 +34,7 @@ module Puppetserver
 
         def initialize(supplied_config_path = nil)
           @using_default_location = !supplied_config_path
-          @config_path = supplied_config_path || user_specific_conf_file
+          @config_path = supplied_config_path || user_specific_puppet_config
 
           @settings = nil
           @errors = []
@@ -46,55 +46,45 @@ module Puppetserver
         # on Windows are unsupported.
         # Note that Puppet Server runs as the [pe-]puppet user but to
         # start/stop it you must be root.
-        def user_specific_conf_dir
-          @user_specific_conf_dir ||=
-            if Puppetserver::Ca::Utils::Config.running_as_root?
-              '/etc/puppetlabs/puppet'
-            else
-              "#{ENV['HOME']}/.puppetlabs/etc/puppet"
-            end
+        def user_specific_puppet_confdir
+          @user_specific_puppet_confdir ||= Puppetserver::Ca::Utils::Config.puppet_confdir
         end
 
-        def user_specific_conf_file
-          user_specific_conf_dir + '/puppet.conf'
+        def user_specific_puppet_config
+          user_specific_puppet_confdir + '/puppet.conf'
         end
 
-        def load(cli_overrides = {})
+        def load(cli_overrides = {}, logger)
           if explicitly_given_config_file_or_default_config_exists?
             results = parse_text(File.read(@config_path))
           end
 
           results ||= {}
           results[:main] ||= {}
-          # The [master] config section is deprecated
-          # We now favor [server], but support both for backwards compatibility
           results[:master] ||= {}
-          results[:server] ||= {}
           results[:agent] ||= {}
 
-          overrides = results[:agent].merge(results[:main]).merge(results[:master]).merge(results[:server])
+          overrides = results[:agent].merge(results[:main]).merge(results[:master])
           overrides.merge!(cli_overrides)
-          if overrides[:masterport]
-            overrides[:serverport] ||= overrides.delete(:masterport)
-          end
 
-          @settings = resolve_settings(overrides).freeze
+          @settings = resolve_settings(overrides, logger).freeze
         end
 
         def default_certname
-          hostname = Facter.value(:hostname)
-          domain = Facter.value(:domain)
-          if domain and domain != ''
-            fqdn = [hostname, domain].join('.')
-          else
-            fqdn = hostname
-          end
-          fqdn.chomp('.')
+          @certname ||=
+            hostname = Facter.value(:hostname)
+            domain = Facter.value(:domain)
+            if domain and domain != ''
+              fqdn = [hostname, domain].join('.')
+            else
+              fqdn = hostname
+            end
+            fqdn.chomp('.')
         end
 
         # Resolve settings from default values, with any overrides for the
         # specific settings or their dependent settings (ssldir, cadir) taken into account.
-        def resolve_settings(overrides = {})
+        def resolve_settings(overrides = {}, logger)
           unresolved_setting = /\$[a-z_]+/
 
           # Returning the key for unknown keys (rather than nil) is required to
@@ -106,12 +96,12 @@ module Puppetserver
           # These need to be evaluated before we can construct their dependent
           # defaults below
           base_defaults = [
-            [:confdir, user_specific_conf_dir],
+            [:confdir, user_specific_puppet_confdir],
             [:ssldir,'$confdir/ssl'],
             [:certdir, '$ssldir/certs'],
             [:certname, default_certname],
             [:server, 'puppet'],
-            [:serverport, '8140'],
+            [:masterport, '8140'],
             [:privatekeydir, '$ssldir/private_keys'],
             [:publickeydir, '$ssldir/public_keys'],
           ]
@@ -129,7 +119,7 @@ module Puppetserver
             :serial => '$cadir/serial',
             :cert_inventory => '$cadir/inventory.txt',
             :ca_server => '$server',
-            :ca_port => '$serverport',
+            :ca_port => '$masterport',
             :localcacert => '$certdir/ca.pem',
             :hostcrl => '$ssldir/crl.pem',
             :hostcert => '$certdir/$certname.pem',
@@ -153,9 +143,12 @@ module Puppetserver
           end
 
           cadir = find_cadir(overrides.fetch(:cadir, false),
-                             settings[:confdir])
+                             settings[:confdir],
+                             settings[:ssldir],
+                             logger)
           settings[:cadir] = substitutions['$cadir'] = cadir
 
+
           dependent_defaults.each do |setting_name, default_value|
             setting_value = overrides.fetch(setting_name, default_value)
             settings[setting_name] = setting_value
@@ -218,17 +211,29 @@ module Puppetserver
 
        private
 
-        def find_cadir(configured_cadir, confdir)
+
+        def find_cadir(configured_cadir, confdir, ssldir, logger)
+          warning = 'The cadir is currently configured to be inside the ' +
+            '%{ssldir} directory. This config setting and the directory ' +
+            'location will not be used in a future version of puppet. ' +
+            'Please run the puppetserver ca tool to migrate out from the ' +
+            'puppet confdir to the /etc/puppetlabs/puppetserver/ca directory. ' +
+            'Use `puppetserver ca migrate --help` for more info.'
+
           if configured_cadir
+            if configured_cadir.start_with?(ssldir)
+              logger.warn(warning % {ssldir: ssldir})
+            end
             configured_cadir
+
           else
             old_cadir = Puppetserver::Ca::Utils::Config.old_default_cadir(confdir)
             new_cadir = Puppetserver::Ca::Utils::Config.new_default_cadir(confdir)
-
-            if File.exist?("#{new_cadir}/ca_crt.pem")
-              new_cadir
-            else
+            if File.exist?(old_cadir) && !File.symlink?(old_cadir)
+              logger.warn(warning % {ssldir: ssldir})
               old_cadir
+            else
+              new_cadir
             end
           end
         end
@@ -279,7 +284,7 @@ module Puppetserver
           end
 
           if settings.dig(:server_list, 0, 1) &&
-              settings[:ca_port] == '$serverport'
+              settings[:ca_port] == '$masterport'
 
             settings[:ca_port] = settings.dig(:server_list, 0, 1)
           end

data/lib/puppetserver/ca/host.rb

@@ -58,10 +58,10 @@ module Puppetserver
         @errors = []
       end
 
-      # If both the private and public keys exist for a server then we want
+      # If both the private and public keys exist for a master then we want
       # to honor them here, if only one key exists we want to surface an error,
       # and if neither exist we generate a new key. This logic is necessary for
-      # proper bootstrapping for certain server workflows.
+      # proper bootstrapping for certain master workflows.
       def create_private_key(keylength, private_path = '', public_path = '')
         if File.exists?(private_path) && File.exists?(public_path)
           return OpenSSL::PKey.read(File.read(private_path))

data/lib/puppetserver/ca/local_certificate_authority.rb

@@ -20,7 +20,7 @@ module Puppetserver
 
       CLI_AUTH_EXT_OID = "1.3.6.1.4.1.34380.1.3.39"
 
-      SERVER_EXTENSIONS = [
+      MASTER_EXTENSIONS = [
         ["basicConstraints", "CA:FALSE", true],
         ["nsComment", "Puppet Server Internal Certificate", false],
         ["authorityKeyIdentifier", "keyid:always", false],
@@ -132,23 +132,23 @@ module Puppetserver
         time.strftime('%Y-%m-%dT%H:%M:%S%Z')
       end
 
-      def create_server_cert
-        server_cert = nil
-        server_key = @host.create_private_key(@settings[:keylength],
+      def create_master_cert
+        master_cert = nil
+        master_key = @host.create_private_key(@settings[:keylength],
                                               @settings[:hostprivkey],
                                               @settings[:hostpubkey])
-        if server_key
-          server_csr = @host.create_csr(name: @settings[:certname], key: server_key)
+        if master_key
+          master_csr = @host.create_csr(name: @settings[:certname], key: master_key)
           if @settings[:subject_alt_names].empty?
             alt_names = "DNS:puppet, DNS:#{@settings[:certname]}"
           else
             alt_names = @settings[:subject_alt_names]
           end
 
-          server_cert = sign_authorized_cert(server_csr, alt_names)
+          master_cert = sign_authorized_cert(master_csr, alt_names)
         end
 
-        return server_key, server_cert
+        return master_key, master_cert
       end
 
       def sign_authorized_cert(csr, alt_names = '')
@@ -176,7 +176,7 @@ module Puppetserver
       end
 
       def add_authorized_extensions(cert, ef)
-        SERVER_EXTENSIONS.each do |ext|
+        MASTER_EXTENSIONS.each do |ext|
           extension = ef.create_extension(*ext)
           cert.add_extension(extension)
         end

data/lib/puppetserver/ca/logger.rb

@@ -13,16 +13,8 @@ module Puppetserver
         @err = err
       end
 
-      def level
-        @level
-      end
-
-      def debug?
-        return @level >= LEVELS[:debug]
-      end
-
       def debug(text)
-        if debug?
+        if @level >= LEVELS[:debug]
           @out.puts(text)
         end
       end

data/lib/puppetserver/ca/utils/config.rb

@@ -1,3 +1,5 @@
+require 'puppetserver/ca/utils/file_system'
+
 module Puppetserver
   module Ca
     module Utils
@@ -31,6 +33,10 @@ module Puppetserver
           File.join(File.dirname(puppet_confdir), 'puppetserver')
         end
 
+        def self.default_ssldir(confdir = puppet_confdir)
+          File.join(confdir, 'ssl')
+        end
+
         def self.old_default_cadir(confdir = puppet_confdir)
           File.join(confdir, 'ssl', 'ca')
         end
@@ -38,6 +44,17 @@ module Puppetserver
         def self.new_default_cadir(confdir = puppet_confdir)
           File.join(puppetserver_confdir(confdir), 'ca')
         end
+
+        def self.symlink_to_old_cadir(current_cadir, puppet_confdir)
+          old_cadir = old_default_cadir(puppet_confdir)
+          new_cadir = new_default_cadir(puppet_confdir)
+          return if current_cadir != new_cadir
+          # This is only run on setup/import, so there should be no files in the
+          # old cadir, so it should be safe to forcibly remove it (which we need
+          # to do in order to create a symlink).
+          Puppetserver::Ca::Utils::FileSystem.forcibly_symlink(new_cadir, old_cadir)
+        end
+
       end
     end
   end

data/lib/puppetserver/ca/utils/file_system.rb

@@ -50,6 +50,11 @@ module Puppetserver
           errors
         end
 
+        def self.forcibly_symlink(source, link_target)
+          FileUtils.remove_dir(link_target, true)
+          FileUtils.symlink(source, link_target)
+        end
+
         def initialize
           @user, @group = find_user_and_group
         end

data/lib/puppetserver/ca/utils/http_client.rb

@@ -1,6 +1,5 @@
 require 'net/https'
 require 'openssl'
-require 'uri'
 
 require 'puppetserver/ca/errors'
 
@@ -20,8 +19,7 @@ module Puppetserver
 
         # Not all connections require a client cert to be present.
         # For example, when querying the status endpoint.
-        def initialize(logger, settings, with_client_cert: true)
-          @logger = logger
+        def initialize(settings, with_client_cert: true)
           @store = make_store(settings[:localcacert],
                               settings[:certificate_revocation],
                               settings[:hostcrl])
@@ -52,7 +50,7 @@ module Puppetserver
         # The Connection object should have HTTP verbs defined on it that take
         # a body (and optional overrides). Returns whatever the block given returned.
         def with_connection(url, &block)
-          request = ->(conn) { block.call(Connection.new(conn, url, @logger)) }
+          request = ->(conn) { block.call(Connection.new(conn, url)) }
 
           begin
             Net::HTTP.start(url.host, url.port,
@@ -87,30 +85,25 @@ module Puppetserver
         # and defines methods named after HTTP verbs that are called on the
         # saved connection, returning a Result.
         class Connection
-          def initialize(net_http_connection, url_struct, logger)
+          def initialize(net_http_connection, url_struct)
             @conn = net_http_connection
             @url = url_struct
-            @logger = logger
           end
 
           def get(url_overide = nil, headers = {})
             url = url_overide || @url
             headers = DEFAULT_HEADERS.merge(headers)
 
-            @logger.debug("Making a GET request at #{url.full_url}")
-
             request = Net::HTTP::Get.new(url.to_uri, headers)
             result = @conn.request(request)
-            Result.new(result.code, result.body)
 
+            Result.new(result.code, result.body)
           end
 
           def put(body, url_override = nil, headers = {})
             url = url_override || @url
             headers = DEFAULT_HEADERS.merge(headers)
 
-            @logger.debug("Making a PUT request at #{url.full_url}")
-
             request = Net::HTTP::Put.new(url.to_uri, headers)
             request.body = body
             result = @conn.request(request)
@@ -122,8 +115,6 @@ module Puppetserver
             url = url_override || @url
             headers = DEFAULT_HEADERS.merge(headers)
 
-            @logger.debug("Making a DELETE request at #{url.full_url}")
-
             result = @conn.request(Net::HTTP::Delete.new(url.to_uri, headers))
 
             Result.new(result.code, result.body)
@@ -136,13 +127,10 @@ module Puppetserver
         # Like URI, but not... maybe of suspicious value
         URL = Struct.new(:protocol, :host, :port,
                          :endpoint, :version,
-                         :resource_type, :resource_name, :query) do
+                         :resource_type, :resource_name) do
                 def full_url
-                  url = protocol + '://' + host + ':' + port + '/' +
-                        [endpoint, version, resource_type, resource_name].join('/')
-
-                  url = url + "?" + URI.encode_www_form(query) unless query.nil? || query.empty?
-                  return url
+                  protocol + '://' + host + ':' + port + '/' +
+                  [endpoint, version, resource_type, resource_name].join('/')
                 end
 
                 def to_uri
@@ -178,15 +166,15 @@ module Puppetserver
         def self.check_server_online(settings, logger)
           status_url = URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
           begin
-            # Generating certs offline is necessary if the server cert has been destroyed
+            # Generating certs offline is necessary if the master cert has been destroyed
             # or compromised. Since querying the status endpoint does not require a client cert, and
             # we commonly won't have one, don't require one for creating the connection.
             # Additionally, we want to ensure the server is stopped before migrating the CA dir to
             # avoid issues with writing to the CA dir and moving it.
-            self.new(logger, settings, with_client_cert: false).with_connection(status_url) do |conn|
+            self.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
               result = conn.get
               if result.body == "running"
-                logger.err "Puppetserver service is running. Please stop it before attempting to run this command."
+                logger.err "CA service is running. Please stop it before attempting to run this command."
                 true
               else
                 false

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.11.7"
+    VERSION = "2.0.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.11.7
+  version: 2.0.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-03-11 00:00:00.000000000 Z
+date: 2020-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -100,7 +100,6 @@ files:
 - lib/puppetserver/ca/action/import.rb
 - lib/puppetserver/ca/action/list.rb
 - lib/puppetserver/ca/action/migrate.rb
-- lib/puppetserver/ca/action/prune.rb
 - lib/puppetserver/ca/action/revoke.rb
 - lib/puppetserver/ca/action/setup.rb
 - lib/puppetserver/ca/action/sign.rb
@@ -140,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.9
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: A simple CLI tool for interacting with Puppet Server's Certificate Authority

data/lib/puppetserver/ca/action/prune.rb

@@ -1,137 +0,0 @@
-require 'optparse'
-require 'openssl'
-require 'set'
-require 'puppetserver/ca/errors'
-require 'puppetserver/ca/utils/cli_parsing'
-require 'puppetserver/ca/utils/file_system'
-require 'puppetserver/ca/utils/config'
-require 'puppetserver/ca/x509_loader'
-
-module Puppetserver
-  module Ca
-    module Action
-      class Prune
-        include Puppetserver::Ca::Utils
-
-        SUMMARY = "Prune the local CRL on disk to remove any duplicated certificates"
-        BANNER = <<-BANNER
-Usage:
-  puppetserver ca prune [--help]
-  puppetserver ca prune [--config]
-
-Description:
-  Prune the list of revoked certificates of any duplication within it.  This command
-  will only prune the CRL issued by Puppet's CA cert.
-
-Options:
-BANNER
-
-        def initialize(logger)
-          @logger = logger
-        end
-
-        def run(inputs)
-          config_path = inputs['config']
-          exit_code = 0
-
-          # Validate the config path.
-          if config_path
-            errors = FileSystem.validate_file_paths(config_path)
-            return 1 if Errors.handle_with_usage(@logger, errors)
-          end
-
-          # Validate puppet config setting.
-          puppet = Config::Puppet.new(config_path)
-          puppet.load(logger: @logger)
-          return 1 if Errors.handle_with_usage(@logger, puppet.errors)
-
-          # Validate that we are offline
-          return 1 if HttpClient.check_server_online(puppet.settings, @logger)
-
-          # Getting the CRL(s)
-          loader = X509Loader.new(puppet.settings[:cacert], puppet.settings[:cakey], puppet.settings[:cacrl])
-
-          verified_crls = loader.crls.select { |crl| crl.verify(loader.key) }
-
-          if verified_crls.length == 1
-            puppet_crl = verified_crls.first
-            @logger.inform("Total number of certificates found in Puppet's CRL is: #{puppet_crl.revoked.length}.")
-            number_of_removed_duplicates = prune_CRL(puppet_crl)
-
-            if number_of_removed_duplicates > 0
-              update_pruned_CRL(puppet_crl, loader.key)
-              FileSystem.write_file(puppet.settings[:cacrl], loader.crls, 0644)
-              @logger.inform("Removed #{number_of_removed_duplicates} duplicated certs from Puppet's CRL.")
-            else
-              @logger.inform("No duplicate revocations found in the CRL.")
-            end
-          else
-            @logger.err("Could not identify Puppet's CRL. Aborting prune action.")
-            exit_code = 1
-          end
-
-          return exit_code
-        end
-
-        def prune_CRL(crl)
-          number_of_removed_duplicates = 0
-
-          existed_serial_number = Set.new()
-          revoked_list = crl.revoked
-          @logger.debug("Pruning duplicate entries in CRL for issuer " \
-            "#{crl.issuer.to_s(OpenSSL::X509::Name::RFC2253)}") if @logger.debug?
-
-          revoked_list.delete_if do |revoked|
-            if existed_serial_number.add?(revoked.serial)
-              false
-            else
-              number_of_removed_duplicates += 1
-              @logger.debug("Removing duplicate of #{revoked.serial}, " \
-                "revoked on #{revoked.time}\n") if @logger.debug?
-              true
-            end
-          end
-          crl.revoked=(revoked_list)
-
-          return number_of_removed_duplicates
-        end
-
-        def update_pruned_CRL(crl, pkey)
-          number_ext, other_ext = crl.extensions.partition{ |ext| ext.oid == "crlNumber" }
-          number_ext.each do |crl_number|
-            updated_crl_number = OpenSSL::BN.new(crl_number.value) + OpenSSL::BN.new(1)
-            crl_number.value=(OpenSSL::ASN1::Integer(updated_crl_number))
-          end
-          crl.extensions=(number_ext + other_ext)
-          crl.sign(pkey, OpenSSL::Digest::SHA256.new)
-        end
-
-        def self.parser(parsed = {})
-          OptionParser.new do |opts|
-            opts.banner = BANNER
-            opts.on('--help', 'Display this command-specific help output') do |help|
-              parsed['help'] = true
-            end
-            opts.on('--config CONF', 'Path to the puppet.conf file on disk') do |conf|
-              parsed['config'] = conf
-            end
-          end
-        end
-
-        def parse(args)
-          results = {}
-          parser = self.class.parser(results)
-          errors = CliParsing.parse_with_errors(parser, args)
-          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
-
-          if errors_were_handled
-            exit_code = 1
-          else
-            exit_code = nil
-          end
-          return results, exit_code
-        end
-      end
-    end
-  end
-end