puppetserver-ca 1.5.0 → 1.9.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 6675ef6328d11ddc9d47becb63063089f1eab59d
-  data.tar.gz: f8f0e62f01297a56d238ffc7d074b6ed1300a448
+SHA256:
+  metadata.gz: 6b557070928191df64bd5c16ffe5f523953056da761ba306f6601c422bf442e2
+  data.tar.gz: 0cb7ba011bd18b86a8842922d1b7c673754f1bacdcf25f3e80182bae237cde24
 SHA512:
-  metadata.gz: ce20b8b249b03b73eeeaed698723df472191269626e37ce232ddf6e5a199fbcc19e29787929efa70e4400dc7a14c38fc0ad1c62f0de1febee3845d36899b49da
-  data.tar.gz: 37b285c14dff8b48fab045dd699771917ac12e0b3663c61ec42d94ff6773644a7311af02d792ed17241be9b180f4ff041e2d61d04bf9cf7f034eaeefa0d12fa7
+  metadata.gz: 4dc1a23d03d22196b32f6dc6af78033c2600c1b1afac7f7d50df6b2abe56ed44197b07aafb76e9a95e5916cbc21464b5b1ce30cd6cfb74d81793206b04be7224
+  data.tar.gz: 06390ed9834caebe8b3847dc349d9a1af887086cd1ffee0ba774148c7da2c4c6e1055b4349e505e6cb67856315b325dff4f0f72502112e2628f34fb064c68457

data/.travis.yml

@@ -6,6 +6,8 @@ rvm:
   - 2.3
   - 2.4
   - 2.5
+  - 2.6
+  - 2.7
 before_install:
    gem install bundler -v 1.16.1 && (gem uninstall -v '>= 2' -i $(rvm gemdir)@global -ax bundler || true)
 script:

data/Gemfile

@@ -5,6 +5,11 @@ git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
 # Specify your gem's dependencies in puppetserver-ca.gemspec
 gemspec
 
-gem 'pry'
-gem 'pry-byebug'
 gem 'hocon', '~> 1.2', require: false
+gem 'rake', '~> 13.0', require: false
+gem 'rspec', '~> 3.4', require: false
+
+group(:development, optional: true) do
+  gem 'pry'
+  gem 'pry-byebug'
+end

data/README.md

@@ -73,8 +73,26 @@ interactive prompt that will allow you to experiment.
 
 To install this gem onto your local machine, run `bundle exec rake install`.
 
-To release a new version, update the version number in `version.rb`, and then
-speak with Release Engineering.
+### Testing
+To test your changes on a VM:
+1. Build the gem with your changes: `gem build puppetserver-ca.gemspec`
+1. Copy the gem to your VM: `scp puppetserver-ca-<version>.gem <your-vm>:.`
+1. Install puppetserver (FOSS) by installing the relevant release package and then installing the puppetserver package. For example:
+    ```
+    $ wget http://nightlies.puppet.com/yum/puppet6-nightly-release-el-7.noarch.rpm
+    $ rpm -i puppet6-nightly-release-el-7.noarch.rpm
+    $ yum update
+    $ yum install -y puppetserver
+    ```
+1. Restart your shell so that puppet's bin dir is on your $PATH: `exec bash`
+1. Install the gem into puppet's gem directory using puppet's gem command:
+    ```
+    $ /opt/puppetlabs/puppet/bin/gem install --install-dir "/opt/puppetlabs/puppet/lib/ruby/vendor_gems" puppetserver-ca-<version>.gem
+    ```
+1. To confirm that installation was successful, run `puppetserver ca --help`
+
+### Releasing
+To release a new version, run the [release pipeline](https://jenkins-master-prod-1.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_1.x/), which will bump the version, tag, build, and release the gem.
 
 
 ## Contributing & Support

data/lib/puppetserver/ca/action/generate.rb

@@ -140,7 +140,7 @@ BANNER
           # Generate and save certs and associated keys
           if input['ca-client']
             # Refused to generate certs offfline if the CA service is running
-            return 1 if check_server_online(puppet.settings)
+            return 1 if HttpClient.check_server_online(puppet.settings, @logger)
             all_passed = generate_authorized_certs(certnames, alt_names, puppet.settings, signer.digest)
           else
             all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest, input['ttl'])
@@ -148,34 +148,6 @@ BANNER
           return all_passed ? 0 : 1
         end
 
-        # Queries the simple status endpoint for the status of the CA service.
-        # Returns true if it receives back a response of "running", and false if
-        # no connection can be made, or a different response is received.
-        def check_server_online(settings)
-          status_url = HttpClient::URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
-          begin
-            # Generating certs offline is necessary if the master cert has been destroyed
-            # or compromised. Since querying the status endpoint does not require a client cert, and
-            # we commonly won't have one, don't require one for creating the connection.
-            HttpClient.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
-              result = conn.get
-              if result.body == "running"
-                @logger.err "CA service is running. Please stop it before attempting to generate certs offline."
-                true
-              else
-                false
-              end
-            end
-            true
-          rescue Puppetserver::Ca::ConnectionFailed => e
-            if e.wrapped.is_a? Errno::ECONNREFUSED
-              return false
-            else
-              raise e
-            end
-          end
-        end
-
         # Certs authorized to talk to the CA API need to be signed offline,
         # in order to securely add the special auth extension.
         def generate_authorized_certs(certnames, alt_names, settings, digest)

data/lib/puppetserver/ca/action/list.rb

@@ -118,20 +118,41 @@ Options:
         end
 
         def output_certs(certs)
-          padded = 0
+          cert_column_width = certs.map { |c| c['name'].size }.max
+
           certs.each do |cert|
-            cert_size = cert["name"].size
-            padded = cert_size if cert_size > padded
+            @logger.inform(format_cert(cert, cert_column_width))
           end
+        end
 
-          certs.each do |cert|
-            # In newer versions of the CA api we return subjcet_alt_names
-            # in addition to dns_alt_names, this field includes DNS alt
-            # names but also IP alt names.
-            alt_names = cert["subject_alt_names"] || cert["dns_alt_names"]
-            @logger.inform "    #{cert["name"]}".ljust(padded + 6) + " (SHA256) " + " #{cert["fingerprints"]["SHA256"]}" +
-                               (alt_names.empty? ? "" : "\talt names: #{alt_names}")
-            end
+        def format_cert(cert, cert_column_width)
+          [
+            format_cert_and_sha(cert, cert_column_width),
+            format_alt_names(cert),
+            format_authorization_extensions(cert)
+          ].compact.join("\t")
+        end
+
+        def format_cert_and_sha(cert, cert_column_width)
+          justified_certname = cert['name'].ljust(cert_column_width + 6)
+          sha = cert['fingerprints']['SHA256']
+          "    #{justified_certname} (SHA256)  #{sha}"
+        end
+
+        def format_alt_names(cert)
+          # In newer versions of the CA api we return subject_alt_names
+          # in addition to dns_alt_names, this field includes DNS alt
+          # names but also IP alt names.
+          alt_names = cert['subject_alt_names'] || cert['dns_alt_names']
+          "alt names: #{alt_names}" unless alt_names.empty?
+        end
+
+        def format_authorization_extensions(cert)
+          auth_exts = cert['authorization_extensions']
+          return nil if auth_exts.nil? || auth_exts.empty?
+
+          values = auth_exts.map { |ext, value| "#{ext}: #{value}" }.join(', ')
+          "authorization extensions: [#{values}]"
         end
 
         def separate_certs(all_certs)

data/lib/puppetserver/ca/action/migrate.rb

@@ -0,0 +1,103 @@
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/http_client'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Migrate
+        include Puppetserver::Ca::Utils
+        PUPPETSERVER_CA_DIR = '/etc/puppetlabs/puppetserver/ca'
+
+        SUMMARY = "Migrate the existing CA directory to /etc/puppetlabs/puppetserver/ca"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca migrate [--help]
+  puppetserver ca migrate [--config PATH]
+
+Description:
+  Migrate an existing CA directory to /etc/puppetlabs/puppetserver/ca. This is for
+  upgrading from Puppet Platform 6.x to Puppet 7. Use the currently configured
+  puppet.conf file in your installation, or supply one using the `--config` flag.
+Options:
+BANNER
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(input)
+          config_path = input['config']
+          puppet = Config::Puppet.new(config_path)
+          puppet.load
+          return 1 if HttpClient.check_server_online(puppet.settings, @logger)
+
+          errors = FileSystem.check_for_existing_files(PUPPETSERVER_CA_DIR)
+          if !errors.empty?
+            instructions = <<-ERR
+Migration will not overwrite the directory at #{PUPPETSERVER_CA_DIR}. Have you already
+run this migration tool? Is this a puppet 7 installation? It is likely that you have
+already successfully run the migration or do not need to run it.
+ERR
+            errors << instructions
+            Errors.handle_with_usage(@logger, errors)
+            return 1
+          end
+
+          current_cadir = puppet.settings[:cadir]
+          if FileSystem.check_for_existing_files(current_cadir).empty?
+            error_message = <<-ERR
+No CA dir found at #{current_cadir}. Please check the configured cadir setting in your
+puppet.conf file and verify its contents.
+ERR
+            Errors.handle_with_usage(@logger, [error_message])
+            return 1
+          end
+
+          migrate(current_cadir)
+
+          @logger.inform <<-SUCCESS_MESSAGE
+CA dir successfully migrated to #{PUPPETSERVER_CA_DIR}. Symlink placed at #{current_cadir}
+for backwards compatibility. The puppetserver can be safely restarted now.
+SUCCESS_MESSAGE
+          return 0
+        end
+
+        def migrate(old_cadir, new_cadir=PUPPETSERVER_CA_DIR)
+          FileUtils.mv(old_cadir, new_cadir)
+          FileUtils.symlink(new_cadir, old_cadir)
+          # Ensure the symlink has the same ownership as the actual cadir.
+          # This requires using `FileUtils.chown` rather than `File.chown`, as
+          # the latter will update the ownership of the target rather than the
+          # link itself.
+          # Symlink permissions are ignored in favor of the target's permissions,
+          # so we don't have to change those.
+          cadir = File.stat(new_cadir)
+          FileUtils.chown(cadir.uid, cadir.gid, old_cadir)
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+          errors = CliParsing.parse_with_errors(parser, args)
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+          exit_code = errors_were_handled ? 1 : nil
+          return results, exit_code
+        end
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/cli.rb

@@ -8,6 +8,7 @@ require 'puppetserver/ca/action/list'
 require 'puppetserver/ca/action/revoke'
 require 'puppetserver/ca/action/setup'
 require 'puppetserver/ca/action/sign'
+require 'puppetserver/ca/action/migrate'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/logger'
 require 'puppetserver/ca/utils/cli_parsing'
@@ -28,6 +29,7 @@ BANNER
         'import'   => Action::Import,
         'setup'    => Action::Setup,
         'enable' => Action::Enable,
+        'migrate' => Action::Migrate,
       }
 
       MAINT_ACTIONS = {

data/lib/puppetserver/ca/config/puppet.rb

@@ -66,10 +66,13 @@ module Puppetserver
 
           results ||= {}
           results[:main] ||= {}
+          # The [master] config section is deprecated
+          # We now favor [server], but support both for backwards compatibility
           results[:master] ||= {}
+          results[:server] ||= {}
           results[:agent] ||= {}
 
-          overrides = results[:agent].merge(results[:main]).merge(results[:master])
+          overrides = results[:agent].merge(results[:main]).merge(results[:master]).merge(results[:server])
           overrides.merge!(cli_overrides)
 
           @settings = resolve_settings(overrides).freeze

data/lib/puppetserver/ca/host.rb

@@ -47,6 +47,7 @@ module Puppetserver
        'pp_cloudplatform' =>    "1.3.6.1.4.1.34380.1.1.23",
        'pp_apptier' =>          "1.3.6.1.4.1.34380.1.1.24",
        'pp_hostname' =>         "1.3.6.1.4.1.34380.1.1.25",
+       'pp_owner' =>            "1.3.6.1.4.1.34380.1.1.26",
        'pp_authorization' =>    "1.3.6.1.4.1.34380.1.3.1",
        'pp_auth_role' =>        "1.3.6.1.4.1.34380.1.3.13"}
 

data/lib/puppetserver/ca/utils/http_client.rb

@@ -159,6 +159,36 @@ module Puppetserver
 
           store
         end
+
+        # Queries the simple status endpoint for the status of the CA service.
+        # Returns true if it receives back a response of "running", and false if
+        # no connection can be made, or a different response is received.
+        def self.check_server_online(settings, logger)
+          status_url = URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
+          begin
+            # Generating certs offline is necessary if the master cert has been destroyed
+            # or compromised. Since querying the status endpoint does not require a client cert, and
+            # we commonly won't have one, don't require one for creating the connection.
+            # Additionally, we want to ensure the server is stopped before migrating the CA dir to
+            # avoid issues with writing to the CA dir and moving it.
+            self.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
+              result = conn.get
+              if result.body == "running"
+                logger.err "Puppetserver service is running. Please stop it before attempting to run this command."
+                true
+              else
+                false
+              end
+            end
+          rescue Puppetserver::Ca::ConnectionFailed => e
+            if e.wrapped.is_a? Errno::ECONNREFUSED
+              return false
+            else
+              raise e
+            end
+          end
+        end
+
       end
     end
   end

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.5.0"
+    VERSION = "1.9.1"
   end
 end

data/puppetserver-ca.gemspec

@@ -20,9 +20,9 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_runtime_dependency "facter", [">= 2.0.1", "< 4"]
+  spec.add_runtime_dependency "facter", [">= 2.0.1", "< 5"]
 
   spec.add_development_dependency "bundler", ">= 1.16"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rake", ">= 12.3.3"
   spec.add_development_dependency "rspec", "~> 3.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.5.0
+  version: 1.9.1
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-12-02 00:00:00.000000000 Z
+date: 2020-12-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -19,7 +19,7 @@ dependencies:
         version: 2.0.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: '5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: 2.0.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: '5'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -48,16 +48,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -99,6 +99,7 @@ files:
 - lib/puppetserver/ca/action/generate.rb
 - lib/puppetserver/ca/action/import.rb
 - lib/puppetserver/ca/action/list.rb
+- lib/puppetserver/ca/action/migrate.rb
 - lib/puppetserver/ca/action/revoke.rb
 - lib/puppetserver/ca/action/setup.rb
 - lib/puppetserver/ca/action/sign.rb
@@ -138,8 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: A simple CLI tool for interacting with Puppet Server's Certificate Authority