puppetserver-ca 1.5.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 6675ef6328d11ddc9d47becb63063089f1eab59d
-  data.tar.gz: f8f0e62f01297a56d238ffc7d074b6ed1300a448
+SHA256:
+  metadata.gz: 6523b5628cc4d83aa2627326400a2fb493a18f28d7e4da4b8046eac41e09c555
+  data.tar.gz: 6e8cfbeb2a63ad443f22b196d9cdf2749242ef552c6376fd55b723aa699ceefd
 SHA512:
-  metadata.gz: ce20b8b249b03b73eeeaed698723df472191269626e37ce232ddf6e5a199fbcc19e29787929efa70e4400dc7a14c38fc0ad1c62f0de1febee3845d36899b49da
-  data.tar.gz: 37b285c14dff8b48fab045dd699771917ac12e0b3663c61ec42d94ff6773644a7311af02d792ed17241be9b180f4ff041e2d61d04bf9cf7f034eaeefa0d12fa7
+  metadata.gz: 82c62889b706bad66349d5efd8469969b919d8d90741c57c12827eccdedf2de80597ea923509c66de6d6f317da365d860705d556441ce817167d323ad6e80325
+  data.tar.gz: 72cca87e22e38e8c6b2b7975d4920057f5364c7a9499bcf30553894b9285468a0cb1d3fd93aace8974a889a0e0a0ed35f348d902139a07d0f588957e61f479f4

data/.travis.yml

@@ -6,6 +6,8 @@ rvm:
   - 2.3
   - 2.4
   - 2.5
+  - 2.6
+  - 2.7
 before_install:
    gem install bundler -v 1.16.1 && (gem uninstall -v '>= 2' -i $(rvm gemdir)@global -ax bundler || true)
 script:

data/Gemfile

@@ -5,6 +5,11 @@ git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
 # Specify your gem's dependencies in puppetserver-ca.gemspec
 gemspec
 
-gem 'pry'
-gem 'pry-byebug'
 gem 'hocon', '~> 1.2', require: false
+gem 'rake', '~> 13.0', require: false
+gem 'rspec', '~> 3.4', require: false
+
+group(:development, optional: true) do
+  gem 'pry'
+  gem 'pry-byebug'
+end

data/README.md

@@ -73,8 +73,26 @@ interactive prompt that will allow you to experiment.
 
 To install this gem onto your local machine, run `bundle exec rake install`.
 
-To release a new version, update the version number in `version.rb`, and then
-speak with Release Engineering.
+### Testing
+To test your changes on a VM:
+1. Build the gem with your changes: `gem build puppetserver-ca.gemspec`
+1. Copy the gem to your VM: `scp puppetserver-ca-<version>.gem <your-vm>:.`
+1. Install puppetserver (FOSS) by installing the relevant release package and then installing the puppetserver package. For example:
+    ```
+    $ wget http://nightlies.puppet.com/yum/puppet6-nightly-release-el-7.noarch.rpm
+    $ rpm -i puppet6-nightly-release-el-7.noarch.rpm
+    $ yum update
+    $ yum install -y puppetserver
+    ```
+1. Restart your shell so that puppet's bin dir is on your $PATH: `exec bash`
+1. Install the gem into puppet's gem directory using puppet's gem command:
+    ```
+    $ /opt/puppetlabs/puppet/bin/gem install --install-dir "/opt/puppetlabs/puppet/lib/ruby/vendor_gems" puppetserver-ca-<version>.gem
+    ```
+1. To confirm that installation was successful, run `puppetserver ca --help`
+
+### Releasing
+To release a new version, run the [release pipeline](https://jenkins-master-prod-1.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_main/), which will bump the version, tag, build, and release the gem.
 
 
 ## Contributing & Support

data/lib/puppetserver/ca/action/clean.rb

@@ -85,7 +85,7 @@ BANNER
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           result = clean_certs(certnames, puppet.settings)

data/lib/puppetserver/ca/action/enable.rb

@@ -45,7 +45,7 @@ BANNER
           end
 
           puppet = Config::Puppet.new(config_path)
-          puppet.load
+          puppet.load({}, @logger)
           settings = puppet.settings
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 

data/lib/puppetserver/ca/action/generate.rb

@@ -126,7 +126,7 @@ BANNER
           # Load, resolve, and validate puppet config settings
           settings_overrides = {}
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(settings_overrides, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           # We don't want generate to respect the alt names setting, since it is usually
@@ -140,7 +140,7 @@ BANNER
           # Generate and save certs and associated keys
           if input['ca-client']
             # Refused to generate certs offfline if the CA service is running
-            return 1 if check_server_online(puppet.settings)
+            return 1 if HttpClient.check_server_online(puppet.settings, @logger)
             all_passed = generate_authorized_certs(certnames, alt_names, puppet.settings, signer.digest)
           else
             all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest, input['ttl'])
@@ -148,34 +148,6 @@ BANNER
           return all_passed ? 0 : 1
         end
 
-        # Queries the simple status endpoint for the status of the CA service.
-        # Returns true if it receives back a response of "running", and false if
-        # no connection can be made, or a different response is received.
-        def check_server_online(settings)
-          status_url = HttpClient::URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
-          begin
-            # Generating certs offline is necessary if the master cert has been destroyed
-            # or compromised. Since querying the status endpoint does not require a client cert, and
-            # we commonly won't have one, don't require one for creating the connection.
-            HttpClient.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
-              result = conn.get
-              if result.body == "running"
-                @logger.err "CA service is running. Please stop it before attempting to generate certs offline."
-                true
-              else
-                false
-              end
-            end
-            true
-          rescue Puppetserver::Ca::ConnectionFailed => e
-            if e.wrapped.is_a? Errno::ECONNREFUSED
-              return false
-            else
-              raise e
-            end
-          end
-        end
-
         # Certs authorized to talk to the CA API need to be signed offline,
         # in order to securely add the special auth extension.
         def generate_authorized_certs(certnames, alt_names, settings, digest)

data/lib/puppetserver/ca/action/import.rb

@@ -4,6 +4,7 @@ require 'puppetserver/ca/config/puppet'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/local_certificate_authority'
 require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/config'
 require 'puppetserver/ca/utils/file_system'
 require 'puppetserver/ca/utils/signing_digest'
 require 'puppetserver/ca/x509_loader'
@@ -55,7 +56,7 @@ BANNER
           settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
 
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(settings_overrides, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           # Load most secure signing digest we can for cers/crl/csr signing.
@@ -130,6 +131,8 @@ ERR
             FileSystem.write_file(location, content, 0640)
           end
 
+          Puppetserver::Ca::Utils::Config.symlink_to_old_cadir(settings[:cadir], settings[:confdir])
+
           return []
         end
 

data/lib/puppetserver/ca/action/list.rb

@@ -68,7 +68,7 @@ Options:
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           filter_names = certnames.any? \
@@ -118,20 +118,41 @@ Options:
         end
 
         def output_certs(certs)
-          padded = 0
+          cert_column_width = certs.map { |c| c['name'].size }.max
+
           certs.each do |cert|
-            cert_size = cert["name"].size
-            padded = cert_size if cert_size > padded
+            @logger.inform(format_cert(cert, cert_column_width))
           end
+        end
 
-          certs.each do |cert|
-            # In newer versions of the CA api we return subjcet_alt_names
-            # in addition to dns_alt_names, this field includes DNS alt
-            # names but also IP alt names.
-            alt_names = cert["subject_alt_names"] || cert["dns_alt_names"]
-            @logger.inform "    #{cert["name"]}".ljust(padded + 6) + " (SHA256) " + " #{cert["fingerprints"]["SHA256"]}" +
-                               (alt_names.empty? ? "" : "\talt names: #{alt_names}")
-            end
+        def format_cert(cert, cert_column_width)
+          [
+            format_cert_and_sha(cert, cert_column_width),
+            format_alt_names(cert),
+            format_authorization_extensions(cert)
+          ].compact.join("\t")
+        end
+
+        def format_cert_and_sha(cert, cert_column_width)
+          justified_certname = cert['name'].ljust(cert_column_width + 6)
+          sha = cert['fingerprints']['SHA256']
+          "    #{justified_certname} (SHA256)  #{sha}"
+        end
+
+        def format_alt_names(cert)
+          # In newer versions of the CA api we return subject_alt_names
+          # in addition to dns_alt_names, this field includes DNS alt
+          # names but also IP alt names.
+          alt_names = cert['subject_alt_names'] || cert['dns_alt_names']
+          "alt names: #{alt_names}" unless alt_names.empty?
+        end
+
+        def format_authorization_extensions(cert)
+          auth_exts = cert['authorization_extensions']
+          return nil if auth_exts.nil? || auth_exts.empty?
+
+          values = auth_exts.map { |ext, value| "#{ext}: #{value}" }.join(', ')
+          "authorization extensions: [#{values}]"
         end
 
         def separate_certs(all_certs)

data/lib/puppetserver/ca/action/migrate.rb

@@ -0,0 +1,95 @@
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/http_client'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Migrate
+        include Puppetserver::Ca::Utils
+        PUPPETSERVER_CA_DIR = '/etc/puppetlabs/puppetserver/ca'
+
+        SUMMARY = "Migrate the existing CA directory to /etc/puppetlabs/puppetserver/ca"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca migrate [--help]
+  puppetserver ca migrate [--config PATH]
+
+Description:
+  Migrate an existing CA directory to /etc/puppetlabs/puppetserver/ca. This is for
+  upgrading from Puppet Platform 6.x to Puppet 7. Use the currently configured
+  puppet.conf file in your installation, or supply one using the `--config` flag.
+Options:
+BANNER
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(input)
+          config_path = input['config']
+          puppet = Config::Puppet.new(config_path)
+          puppet.load({}, @logger)
+          return 1 if HttpClient.check_server_online(puppet.settings, @logger)
+
+          errors = FileSystem.check_for_existing_files(PUPPETSERVER_CA_DIR)
+          if !errors.empty?
+            instructions = <<-ERR
+Migration will not overwrite the directory at #{PUPPETSERVER_CA_DIR}. Have you already
+run this migration tool? Is this a puppet 7 installation? It is likely that you have
+already successfully run the migration or do not need to run it.
+ERR
+            errors << instructions
+            Errors.handle_with_usage(@logger, errors)
+            return 1
+          end
+
+          current_cadir = puppet.settings[:cadir]
+          if FileSystem.check_for_existing_files(current_cadir).empty?
+            error_message = <<-ERR
+No CA dir found at #{current_cadir}. Please check the configured cadir setting in your
+puppet.conf file and verify its contents.
+ERR
+            Errors.handle_with_usage(@logger, [error_message])
+            return 1
+          end
+
+          migrate(current_cadir)
+
+          @logger.inform <<-SUCCESS_MESSAGE
+CA dir successfully migrated to #{PUPPETSERVER_CA_DIR}. Symlink placed at #{current_cadir}
+for backwards compatibility. The puppetserver can be safely restarted now.
+SUCCESS_MESSAGE
+          return 0
+        end
+
+        def migrate(old_cadir, new_cadir=PUPPETSERVER_CA_DIR)
+          FileUtils.mv(old_cadir, new_cadir)
+          FileUtils.symlink(new_cadir, old_cadir)
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+          errors = CliParsing.parse_with_errors(parser, args)
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+          exit_code = errors_were_handled ? 1 : nil
+          return results, exit_code
+        end
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/action/revoke.rb

@@ -83,7 +83,7 @@ BANNER
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           result =  revoke_certs(certnames, puppet.settings)

data/lib/puppetserver/ca/action/setup.rb

@@ -3,6 +3,7 @@ require 'optparse'
 require 'puppetserver/ca/config/puppet'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/local_certificate_authority'
+require 'puppetserver/ca/utils/config'
 require 'puppetserver/ca/utils/cli_parsing'
 require 'puppetserver/ca/utils/file_system'
 require 'puppetserver/ca/utils/signing_digest'
@@ -55,7 +56,7 @@ BANNER
           settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
 
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(settings_overrides, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           # Load most secure signing digest we can for cers/crl/csr signing.
@@ -135,6 +136,8 @@ ERR
             FileSystem.write_file(location, content, 0640)
           end
 
+          Puppetserver::Ca::Utils::Config.symlink_to_old_cadir(settings[:cadir], settings[:confdir])
+
           return []
         end
 

data/lib/puppetserver/ca/action/sign.rb

@@ -62,7 +62,7 @@ Options:
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           ca = Puppetserver::Ca::CertificateAuthority.new(@logger, puppet.settings)

data/lib/puppetserver/ca/cli.rb

@@ -8,6 +8,7 @@ require 'puppetserver/ca/action/list'
 require 'puppetserver/ca/action/revoke'
 require 'puppetserver/ca/action/setup'
 require 'puppetserver/ca/action/sign'
+require 'puppetserver/ca/action/migrate'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/logger'
 require 'puppetserver/ca/utils/cli_parsing'
@@ -28,6 +29,7 @@ BANNER
         'import'   => Action::Import,
         'setup'    => Action::Setup,
         'enable' => Action::Enable,
+        'migrate' => Action::Migrate,
       }
 
       MAINT_ACTIONS = {

data/lib/puppetserver/ca/config/puppet.rb

@@ -23,9 +23,9 @@ module Puppetserver
         # A regex describing valid formats with groups for capturing the value and units
         TTL_FORMAT = /^(\d+)(y|d|h|m|s)?$/
 
-        def self.parse(config_path)
+        def self.parse(config_path, logger)
           instance = new(config_path)
-          instance.load
+          instance.load({}, logger)
 
           return instance
         end
@@ -34,7 +34,7 @@ module Puppetserver
 
         def initialize(supplied_config_path = nil)
           @using_default_location = !supplied_config_path
-          @config_path = supplied_config_path || user_specific_conf_file
+          @config_path = supplied_config_path || user_specific_puppet_config
 
           @settings = nil
           @errors = []
@@ -46,20 +46,15 @@ module Puppetserver
         # on Windows are unsupported.
         # Note that Puppet Server runs as the [pe-]puppet user but to
         # start/stop it you must be root.
-        def user_specific_conf_dir
-          @user_specific_conf_dir ||=
-            if Puppetserver::Ca::Utils::Config.running_as_root?
-              '/etc/puppetlabs/puppet'
-            else
-              "#{ENV['HOME']}/.puppetlabs/etc/puppet"
-            end
+        def user_specific_puppet_confdir
+          @user_specific_puppet_confdir ||= Puppetserver::Ca::Utils::Config.puppet_confdir
         end
 
-        def user_specific_conf_file
-          user_specific_conf_dir + '/puppet.conf'
+        def user_specific_puppet_config
+          user_specific_puppet_confdir + '/puppet.conf'
         end
 
-        def load(cli_overrides = {})
+        def load(cli_overrides = {}, logger)
           if explicitly_given_config_file_or_default_config_exists?
             results = parse_text(File.read(@config_path))
           end
@@ -72,7 +67,7 @@ module Puppetserver
           overrides = results[:agent].merge(results[:main]).merge(results[:master])
           overrides.merge!(cli_overrides)
 
-          @settings = resolve_settings(overrides).freeze
+          @settings = resolve_settings(overrides, logger).freeze
         end
 
         def default_certname
@@ -89,7 +84,7 @@ module Puppetserver
 
         # Resolve settings from default values, with any overrides for the
         # specific settings or their dependent settings (ssldir, cadir) taken into account.
-        def resolve_settings(overrides = {})
+        def resolve_settings(overrides = {}, logger)
           unresolved_setting = /\$[a-z_]+/
 
           # Returning the key for unknown keys (rather than nil) is required to
@@ -101,9 +96,8 @@ module Puppetserver
           # These need to be evaluated before we can construct their dependent
           # defaults below
           base_defaults = [
-            [:confdir, user_specific_conf_dir],
+            [:confdir, user_specific_puppet_confdir],
             [:ssldir,'$confdir/ssl'],
-            [:cadir, '$ssldir/ca'],
             [:certdir, '$ssldir/certs'],
             [:certname, default_certname],
             [:server, 'puppet'],
@@ -148,6 +142,13 @@ module Puppetserver
             settings[setting_name] = substitutions[substitution_name] = subbed_value
           end
 
+          cadir = find_cadir(overrides.fetch(:cadir, false),
+                             settings[:confdir],
+                             settings[:ssldir],
+                             logger)
+          settings[:cadir] = substitutions['$cadir'] = cadir
+
+
           dependent_defaults.each do |setting_name, default_value|
             setting_value = overrides.fetch(setting_name, default_value)
             settings[setting_name] = setting_value
@@ -210,6 +211,33 @@ module Puppetserver
 
        private
 
+
+        def find_cadir(configured_cadir, confdir, ssldir, logger)
+          warning = 'The cadir is currently configured to be inside the ' +
+            '%{ssldir} directory. This config setting and the directory ' +
+            'location will not be used in a future version of puppet. ' +
+            'Please run the puppetserver ca tool to migrate out from the ' +
+            'puppet confdir to the /etc/puppetlabs/puppetserver/ca directory. ' +
+            'Use `puppetserver ca migrate --help` for more info.'
+
+          if configured_cadir
+            if configured_cadir.start_with?(ssldir)
+              logger.warn(warning % {ssldir: ssldir})
+            end
+            configured_cadir
+
+          else
+            old_cadir = Puppetserver::Ca::Utils::Config.old_default_cadir(confdir)
+            new_cadir = Puppetserver::Ca::Utils::Config.new_default_cadir(confdir)
+            if File.exist?(old_cadir) && !File.symlink?(old_cadir)
+              logger.warn(warning % {ssldir: ssldir})
+              old_cadir
+            else
+              new_cadir
+            end
+          end
+        end
+
         def explicitly_given_config_file_or_default_config_exists?
           !@using_default_location || File.exist?(@config_path)
         end

data/lib/puppetserver/ca/host.rb

@@ -47,6 +47,7 @@ module Puppetserver
        'pp_cloudplatform' =>    "1.3.6.1.4.1.34380.1.1.23",
        'pp_apptier' =>          "1.3.6.1.4.1.34380.1.1.24",
        'pp_hostname' =>         "1.3.6.1.4.1.34380.1.1.25",
+       'pp_owner' =>            "1.3.6.1.4.1.34380.1.1.26",
        'pp_authorization' =>    "1.3.6.1.4.1.34380.1.3.1",
        'pp_auth_role' =>        "1.3.6.1.4.1.34380.1.3.13"}
 

data/lib/puppetserver/ca/utils/config.rb

@@ -1,3 +1,5 @@
+require 'puppetserver/ca/utils/file_system'
+
 module Puppetserver
   module Ca
     module Utils
@@ -19,6 +21,40 @@ module Puppetserver
           end.sort.uniq.join(", ")
         end
 
+        def self.puppet_confdir
+          if running_as_root?
+            '/etc/puppetlabs/puppet'
+          else
+            "#{ENV['HOME']}/.puppetlabs/etc/puppet"
+          end
+        end
+
+        def self.puppetserver_confdir(puppet_confdir)
+          File.join(File.dirname(puppet_confdir), 'puppetserver')
+        end
+
+        def self.default_ssldir(confdir = puppet_confdir)
+          File.join(confdir, 'ssl')
+        end
+
+        def self.old_default_cadir(confdir = puppet_confdir)
+          File.join(confdir, 'ssl', 'ca')
+        end
+
+        def self.new_default_cadir(confdir = puppet_confdir)
+          File.join(puppetserver_confdir(confdir), 'ca')
+        end
+
+        def self.symlink_to_old_cadir(current_cadir, puppet_confdir)
+          old_cadir = old_default_cadir(puppet_confdir)
+          new_cadir = new_default_cadir(puppet_confdir)
+          return if current_cadir != new_cadir
+          # This is only run on setup/import, so there should be no files in the
+          # old cadir, so it should be safe to forcibly remove it (which we need
+          # to do in order to create a symlink).
+          Puppetserver::Ca::Utils::FileSystem.forcibly_symlink(new_cadir, old_cadir)
+        end
+
       end
     end
   end

data/lib/puppetserver/ca/utils/file_system.rb

@@ -50,6 +50,11 @@ module Puppetserver
           errors
         end
 
+        def self.forcibly_symlink(source, link_target)
+          FileUtils.remove_dir(link_target, true)
+          FileUtils.symlink(source, link_target)
+        end
+
         def initialize
           @user, @group = find_user_and_group
         end

data/lib/puppetserver/ca/utils/http_client.rb

@@ -159,6 +159,36 @@ module Puppetserver
 
           store
         end
+
+        # Queries the simple status endpoint for the status of the CA service.
+        # Returns true if it receives back a response of "running", and false if
+        # no connection can be made, or a different response is received.
+        def self.check_server_online(settings, logger)
+          status_url = URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
+          begin
+            # Generating certs offline is necessary if the master cert has been destroyed
+            # or compromised. Since querying the status endpoint does not require a client cert, and
+            # we commonly won't have one, don't require one for creating the connection.
+            # Additionally, we want to ensure the server is stopped before migrating the CA dir to
+            # avoid issues with writing to the CA dir and moving it.
+            self.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
+              result = conn.get
+              if result.body == "running"
+                logger.err "CA service is running. Please stop it before attempting to run this command."
+                true
+              else
+                false
+              end
+            end
+          rescue Puppetserver::Ca::ConnectionFailed => e
+            if e.wrapped.is_a? Errno::ECONNREFUSED
+              return false
+            else
+              raise e
+            end
+          end
+        end
+
       end
     end
   end

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.5.0"
+    VERSION = "2.0.0"
   end
 end

data/puppetserver-ca.gemspec

@@ -20,9 +20,9 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_runtime_dependency "facter", [">= 2.0.1", "< 4"]
+  spec.add_runtime_dependency "facter", [">= 2.0.1", "< 5"]
 
   spec.add_development_dependency "bundler", ">= 1.16"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rake", ">= 12.3.3"
   spec.add_development_dependency "rspec", "~> 3.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.5.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-12-02 00:00:00.000000000 Z
+date: 2020-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -19,7 +19,7 @@ dependencies:
         version: 2.0.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: '5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: 2.0.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: '5'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -48,16 +48,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -99,6 +99,7 @@ files:
 - lib/puppetserver/ca/action/generate.rb
 - lib/puppetserver/ca/action/import.rb
 - lib/puppetserver/ca/action/list.rb
+- lib/puppetserver/ca/action/migrate.rb
 - lib/puppetserver/ca/action/revoke.rb
 - lib/puppetserver/ca/action/setup.rb
 - lib/puppetserver/ca/action/sign.rb
@@ -138,8 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: A simple CLI tool for interacting with Puppet Server's Certificate Authority