puppetserver-ca 1.4.0 → 1.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: e7759fd051a92708f8ac8aad4b8e89a636472b05
-  data.tar.gz: f3cfd8de0bbdd17fd5c0f13656486dbbdbc243f1
+SHA256:
+  metadata.gz: 03925b461bffbaec27b5c3d76c62393e68451a2e69ef9d82f34f51044ecd3fbd
+  data.tar.gz: e86c0137e287be5f8bf09dad3610e412aa49bb06b4b35c0c367a9ec6b5a76153
 SHA512:
-  metadata.gz: bbaac0d6e00a9ed1d30dfb5f0ccc1d92e459fc07aaecb0fa2e8cdf61a320d3baf63d3752bf3adf1f4dacf9f25d051f4f239139bf45c4842975448e154e9353d0
-  data.tar.gz: 1de3171122351341e0eb50ac675c6f168a8b6df37209f6e50723528485a120cf3fbdef023d28c066a80fd64b1a8f125930d81a620e4966e22bdb7468000fd0a1
+  metadata.gz: dcd960ea4199af2446c45cbc3ac692d79c5e1e6e1abefbb1d07c53b6605dd6fd5cfb86c7e808bfe6657919df7a9503c494653c3b111a2461d972bb3deee25719
+  data.tar.gz: 90d4c6a649898aa536392b653d6ba8d70c1c2b48e50bd0ecfeac57a6468f48d0ad040b9b3ff4c83de87150c678a659e34985b4ca90341c7885224862cd53a82b

data/.travis.yml

@@ -6,6 +6,8 @@ rvm:
   - 2.3
   - 2.4
   - 2.5
+  - 2.6
+  - 2.7
 before_install:
    gem install bundler -v 1.16.1 && (gem uninstall -v '>= 2' -i $(rvm gemdir)@global -ax bundler || true)
 script:

data/CODEOWNERS

@@ -0,0 +1,4 @@
+# This will cause the puppetserver-maintainers group to be assigned
+# review of any opened PRs against the branches containing this file.
+
+* @puppetlabs/puppetserver-maintainers

data/Gemfile

@@ -5,6 +5,11 @@ git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
 # Specify your gem's dependencies in puppetserver-ca.gemspec
 gemspec
 
-gem 'pry'
-gem 'pry-byebug'
 gem 'hocon', '~> 1.2', require: false
+gem 'rake', '~> 13.0', require: false
+gem 'rspec', '~> 3.4', require: false
+
+group(:development, optional: true) do
+  gem 'pry'
+  gem 'pry-byebug'
+end

data/lib/puppetserver/ca/action/generate.rb

@@ -75,6 +75,9 @@ BANNER
                     'Causes the cert to be generated offline.') do |ca_client|
               parsed['ca-client'] = true
             end
+            opts.on('--ttl TTL', 'The time-to-live for each cert generated and signed') do |ttl|
+              parsed['ttl'] = ttl
+            end
           end
         end
 
@@ -137,42 +140,14 @@ BANNER
           # Generate and save certs and associated keys
           if input['ca-client']
             # Refused to generate certs offfline if the CA service is running
-            return 1 if check_server_online(puppet.settings)
+            return 1 if HttpClient.check_server_online(puppet.settings, @logger)
             all_passed = generate_authorized_certs(certnames, alt_names, puppet.settings, signer.digest)
           else
-            all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest)
+            all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest, input['ttl'])
           end
           return all_passed ? 0 : 1
         end
 
-        # Queries the simple status endpoint for the status of the CA service.
-        # Returns true if it receives back a response of "running", and false if
-        # no connection can be made, or a different response is received.
-        def check_server_online(settings)
-          status_url = HttpClient::URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
-          begin
-            # Generating certs offline is necessary if the master cert has been destroyed
-            # or compromised. Since querying the status endpoint does not require a client cert, and
-            # we commonly won't have one, don't require one for creating the connection.
-            HttpClient.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
-              result = conn.get
-              if result.body == "running"
-                @logger.err "CA service is running. Please stop it before attempting to generate certs offline."
-                true
-              else
-                false
-              end
-            end
-            true
-          rescue Puppetserver::Ca::ConnectionFailed => e
-            if e.wrapped.is_a? Errno::ECONNREFUSED
-              return false
-            else
-              raise e
-            end
-          end
-        end
-
         # Certs authorized to talk to the CA API need to be signed offline,
         # in order to securely add the special auth extension.
         def generate_authorized_certs(certnames, alt_names, settings, digest)
@@ -209,8 +184,10 @@ BANNER
         # Generate csrs and keys, then submit them to CA, request for the CA to sign
         # them, download the signed certificates from the CA, and finally save
         # the signed certs and associated keys. Returns true if all certs were
-        # successfully created and saved.
-        def generate_certs(certnames, alt_names, settings, digest)
+        # successfully created and saved. Takes a ttl to use if certificates
+        # are signed by this CLI, not autosigned by the CA. if ttl is nil, uses
+        # the CA's settings.
+        def generate_certs(certnames, alt_names, settings, digest, ttl)
           # Make sure we have all the directories where we will be writing files
           FileSystem.ensure_dirs([settings[:ssldir],
                                   settings[:certdir],
@@ -228,17 +205,26 @@ BANNER
             next false unless submit_csr(certname, ca, settings, digest, current_alt_names)
 
             # Check if the CA autosigned the cert
-            if download_cert(ca, certname, settings)
-              @logger.inform "Certificate for #{certname} was autosigned."
-              true
-            else
-              next false unless ca.sign_certs([certname])
-              download_cert(ca, certname, settings)
-            end
+            next acquire_signed_cert(ca, certname, settings, ttl)
           end
           passed.all?
         end
 
+        # Try to download a signed certificate; sign the cert with the given ttl if it needs
+        # signing before download.
+        def acquire_signed_cert(ca, certname, settings, ttl)
+          if download_cert(ca, certname, settings)
+            @logger.inform "Certificate for #{certname} was autosigned."
+            if ttl
+              @logger.warn "ttl was specified, but the CA autosigned the CSR. Unable to specify #{ttl} for #{certname}"
+            end
+            true
+          else
+            false unless ca.sign_certs([certname], ttl)
+            download_cert(ca, certname, settings)
+          end
+        end
+
         def submit_csr(certname, ca, settings, digest, alt_names)
           key, csr = generate_key_csr(certname, settings, digest, alt_names)
           return false unless csr

data/lib/puppetserver/ca/action/list.rb

@@ -118,20 +118,41 @@ Options:
         end
 
         def output_certs(certs)
-          padded = 0
+          cert_column_width = certs.map { |c| c['name'].size }.max
+
           certs.each do |cert|
-            cert_size = cert["name"].size
-            padded = cert_size if cert_size > padded
+            @logger.inform(format_cert(cert, cert_column_width))
           end
+        end
 
-          certs.each do |cert|
-            # In newer versions of the CA api we return subjcet_alt_names
-            # in addition to dns_alt_names, this field includes DNS alt
-            # names but also IP alt names.
-            alt_names = cert["subject_alt_names"] || cert["dns_alt_names"]
-            @logger.inform "    #{cert["name"]}".ljust(padded + 6) + " (SHA256) " + " #{cert["fingerprints"]["SHA256"]}" +
-                               (alt_names.empty? ? "" : "\talt names: #{alt_names}")
-            end
+        def format_cert(cert, cert_column_width)
+          [
+            format_cert_and_sha(cert, cert_column_width),
+            format_alt_names(cert),
+            format_authorization_extensions(cert)
+          ].compact.join("\t")
+        end
+
+        def format_cert_and_sha(cert, cert_column_width)
+          justified_certname = cert['name'].ljust(cert_column_width + 6)
+          sha = cert['fingerprints']['SHA256']
+          "    #{justified_certname} (SHA256)  #{sha}"
+        end
+
+        def format_alt_names(cert)
+          # In newer versions of the CA api we return subject_alt_names
+          # in addition to dns_alt_names, this field includes DNS alt
+          # names but also IP alt names.
+          alt_names = cert['subject_alt_names'] || cert['dns_alt_names']
+          "alt names: #{alt_names}" unless alt_names.empty?
+        end
+
+        def format_authorization_extensions(cert)
+          auth_exts = cert['authorization_extensions']
+          return nil if auth_exts.nil? || auth_exts.empty?
+
+          values = auth_exts.map { |ext, value| "#{ext}: #{value}" }.join(', ')
+          "authorization extensions: [#{values}]"
         end
 
         def separate_certs(all_certs)

data/lib/puppetserver/ca/action/migrate.rb

@@ -0,0 +1,95 @@
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/http_client'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Migrate
+        include Puppetserver::Ca::Utils
+        PUPPETSERVER_CA_DIR = '/etc/puppetlabs/puppetserver/ca'
+
+        SUMMARY = "Migrate the existing CA directory to /etc/puppetlabs/puppetserver/ca"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca migrate [--help]
+  puppetserver ca migrate [--config PATH]
+
+Description:
+  Migrate an existing CA directory to /etc/puppetlabs/puppetserver/ca. This is for
+  upgrading from Puppet Platform 6.x to Puppet 7. Use the currently configured
+  puppet.conf file in your installation, or supply one using the `--config` flag.
+Options:
+BANNER
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(input)
+          config_path = input['config']
+          puppet = Config::Puppet.new(config_path)
+          puppet.load
+          return 1 if HttpClient.check_server_online(puppet.settings, @logger)
+
+          errors = FileSystem.check_for_existing_files(PUPPETSERVER_CA_DIR)
+          if !errors.empty?
+            instructions = <<-ERR
+Migration will not overwrite the directory at #{PUPPETSERVER_CA_DIR}. Have you already
+run this migration tool? Is this a puppet 7 installation? It is likely that you have
+already successfully run the migration or do not need to run it.
+ERR
+            errors << instructions
+            Errors.handle_with_usage(@logger, errors)
+            return 1
+          end
+
+          current_cadir = puppet.settings[:cadir]
+          if FileSystem.check_for_existing_files(current_cadir).empty?
+            error_message = <<-ERR
+No CA dir found at #{current_cadir}. Please check the configured cadir setting in your
+puppet.conf file and verify its contents.
+ERR
+            Errors.handle_with_usage(@logger, [error_message])
+            return 1
+          end
+
+          migrate(current_cadir)
+
+          @logger.inform <<-SUCCESS_MESSAGE
+CA dir successfully migrated to #{PUPPETSERVER_CA_DIR}. Symlink placed at #{current_cadir}
+for backwards compatibility. The puppetserver can be safely restarted now.
+SUCCESS_MESSAGE
+          return 0
+        end
+
+        def migrate(old_cadir, new_cadir=PUPPETSERVER_CA_DIR)
+          FileUtils.mv(old_cadir, new_cadir)
+          FileUtils.symlink(new_cadir, old_cadir)
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+          errors = CliParsing.parse_with_errors(parser, args)
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+          exit_code = errors_were_handled ? 1 : nil
+          return results, exit_code
+        end
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/action/sign.rb

@@ -32,6 +32,9 @@ Options:
         def self.parser(parsed = {})
           OptionParser.new do |opts|
             opts.banner = BANNER
+            opts.on('--ttl TTL', 'The time-to-live for each cert signed') do |ttl|
+              parsed['ttl'] = ttl
+            end
             opts.on('--certname NAME[,NAME]', Array, 'the name(s) of the cert(s) to be signed') do |cert|
               parsed['certname'] = cert
             end
@@ -72,7 +75,7 @@ Options:
             requested_certnames = input['certname']
           end
 
-          success = ca.sign_certs(requested_certnames)
+          success = ca.sign_certs(requested_certnames, input['ttl'])
           return success ? 0 : 1
         end
 

data/lib/puppetserver/ca/certificate_authority.rb

@@ -8,6 +8,16 @@ module Puppetserver
 
       include Puppetserver::Ca::Utils
 
+      # Taken from puppet/lib/settings/duration_settings.rb
+      UNITMAP = {
+        # 365 days isn't technically a year, but is sufficient for most purposes
+        "y" => 365 * 24 * 60 * 60,
+        "d" => 24 * 60 * 60,
+        "h" => 60 * 60,
+        "m" => 60,
+        "s" => 1
+      }
+
       REVOKE_BODY = JSON.dump({ desired_state: 'revoked' })
       SIGN_BODY =   JSON.dump({ desired_state: 'signed' })
 
@@ -35,11 +45,40 @@ module Puppetserver
         HttpClient::URL.new('https', @ca_server, @ca_port, 'puppet-ca', 'v1', resource_type, certname)
       end
 
-      def sign_certs(certnames)
-        results = put(certnames,
-                      resource_type: 'certificate_status',
-                      body: SIGN_BODY,
-                      type: :sign)
+      def process_ttl_input(ttl)
+        match = /^(\d+)(s|m|h|d|y)?$/.match(ttl)
+        if match
+          if match[2]
+            match[1].to_i * UNITMAP[match[2]].to_i
+          else
+            ttl
+          end
+        else
+          @logger.err "Error:"
+          @logger.err " '#{ttl}' is an invalid ttl value"
+          @logger.err "Value should match regex \"^(\d+)(s|m|h|d|y)?$\""
+          nil
+        end
+      end
+
+      def sign_certs(certnames, ttl=nil)
+        results = []
+        if ttl
+          lifetime = process_ttl_input(ttl)
+          return false if lifetime.nil?
+          body = JSON.dump({ desired_state: 'signed',
+                             cert_ttl: lifetime})
+          results = put(certnames,
+            resource_type: 'certificate_status',
+            body: body,
+            type: :sign)
+        else
+          results = put(certnames,
+                        resource_type: 'certificate_status',
+                        body: SIGN_BODY,
+                        type: :sign)
+        end
+
 
         results.all? { |result| result == :success }
       end

data/lib/puppetserver/ca/cli.rb

@@ -8,6 +8,7 @@ require 'puppetserver/ca/action/list'
 require 'puppetserver/ca/action/revoke'
 require 'puppetserver/ca/action/setup'
 require 'puppetserver/ca/action/sign'
+require 'puppetserver/ca/action/migrate'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/logger'
 require 'puppetserver/ca/utils/cli_parsing'
@@ -28,6 +29,7 @@ BANNER
         'import'   => Action::Import,
         'setup'    => Action::Setup,
         'enable' => Action::Enable,
+        'migrate' => Action::Migrate,
       }
 
       MAINT_ACTIONS = {

data/lib/puppetserver/ca/host.rb

@@ -47,6 +47,7 @@ module Puppetserver
        'pp_cloudplatform' =>    "1.3.6.1.4.1.34380.1.1.23",
        'pp_apptier' =>          "1.3.6.1.4.1.34380.1.1.24",
        'pp_hostname' =>         "1.3.6.1.4.1.34380.1.1.25",
+       'pp_owner' =>            "1.3.6.1.4.1.34380.1.1.26",
        'pp_authorization' =>    "1.3.6.1.4.1.34380.1.3.1",
        'pp_auth_role' =>        "1.3.6.1.4.1.34380.1.3.13"}
 

data/lib/puppetserver/ca/utils/http_client.rb

@@ -159,6 +159,36 @@ module Puppetserver
 
           store
         end
+
+        # Queries the simple status endpoint for the status of the CA service.
+        # Returns true if it receives back a response of "running", and false if
+        # no connection can be made, or a different response is received.
+        def self.check_server_online(settings, logger)
+          status_url = URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
+          begin
+            # Generating certs offline is necessary if the master cert has been destroyed
+            # or compromised. Since querying the status endpoint does not require a client cert, and
+            # we commonly won't have one, don't require one for creating the connection.
+            # Additionally, we want to ensure the server is stopped before migrating the CA dir to
+            # avoid issues with writing to the CA dir and moving it.
+            self.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
+              result = conn.get
+              if result.body == "running"
+                logger.err "CA service is running. Please stop it before attempting to run this command."
+                true
+              else
+                false
+              end
+            end
+          rescue Puppetserver::Ca::ConnectionFailed => e
+            if e.wrapped.is_a? Errno::ECONNREFUSED
+              return false
+            else
+              raise e
+            end
+          end
+        end
+
       end
     end
   end

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.4.0"
+    VERSION = "1.9.0"
   end
 end

data/puppetserver-ca.gemspec

@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_runtime_dependency "facter", [">= 2.0.1", "< 4"]
+  spec.add_runtime_dependency "facter", [">= 2.0.1", "< 5"]
 
   spec.add_development_dependency "bundler", ">= 1.16"
   spec.add_development_dependency "rake", "~> 10.0"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.9.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-08-15 00:00:00.000000000 Z
+date: 2020-10-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -19,7 +19,7 @@ dependencies:
         version: 2.0.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: '5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: 2.0.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: '5'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -83,6 +83,7 @@ files:
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
+- CODEOWNERS
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - Gemfile
@@ -98,6 +99,7 @@ files:
 - lib/puppetserver/ca/action/generate.rb
 - lib/puppetserver/ca/action/import.rb
 - lib/puppetserver/ca/action/list.rb
+- lib/puppetserver/ca/action/migrate.rb
 - lib/puppetserver/ca/action/revoke.rb
 - lib/puppetserver/ca/action/setup.rb
 - lib/puppetserver/ca/action/sign.rb
@@ -137,8 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: A simple CLI tool for interacting with Puppet Server's Certificate Authority