puppetserver-ca 1.9.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6b557070928191df64bd5c16ffe5f523953056da761ba306f6601c422bf442e2
-  data.tar.gz: 0cb7ba011bd18b86a8842922d1b7c673754f1bacdcf25f3e80182bae237cde24
+  metadata.gz: 6523b5628cc4d83aa2627326400a2fb493a18f28d7e4da4b8046eac41e09c555
+  data.tar.gz: 6e8cfbeb2a63ad443f22b196d9cdf2749242ef552c6376fd55b723aa699ceefd
 SHA512:
-  metadata.gz: 4dc1a23d03d22196b32f6dc6af78033c2600c1b1afac7f7d50df6b2abe56ed44197b07aafb76e9a95e5916cbc21464b5b1ce30cd6cfb74d81793206b04be7224
-  data.tar.gz: 06390ed9834caebe8b3847dc349d9a1af887086cd1ffee0ba774148c7da2c4c6e1055b4349e505e6cb67856315b325dff4f0f72502112e2628f34fb064c68457
+  metadata.gz: 82c62889b706bad66349d5efd8469969b919d8d90741c57c12827eccdedf2de80597ea923509c66de6d6f317da365d860705d556441ce817167d323ad6e80325
+  data.tar.gz: 72cca87e22e38e8c6b2b7975d4920057f5364c7a9499bcf30553894b9285468a0cb1d3fd93aace8974a889a0e0a0ed35f348d902139a07d0f588957e61f479f4

data/README.md

@@ -92,7 +92,7 @@ To test your changes on a VM:
 1. To confirm that installation was successful, run `puppetserver ca --help`
 
 ### Releasing
-To release a new version, run the [release pipeline](https://jenkins-master-prod-1.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_1.x/), which will bump the version, tag, build, and release the gem.
+To release a new version, run the [release pipeline](https://jenkins-master-prod-1.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_main/), which will bump the version, tag, build, and release the gem.
 
 
 ## Contributing & Support

data/lib/puppetserver/ca/action/clean.rb

@@ -85,7 +85,7 @@ BANNER
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           result = clean_certs(certnames, puppet.settings)

data/lib/puppetserver/ca/action/enable.rb

@@ -45,7 +45,7 @@ BANNER
           end
 
           puppet = Config::Puppet.new(config_path)
-          puppet.load
+          puppet.load({}, @logger)
           settings = puppet.settings
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 

data/lib/puppetserver/ca/action/generate.rb

@@ -126,7 +126,7 @@ BANNER
           # Load, resolve, and validate puppet config settings
           settings_overrides = {}
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(settings_overrides, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           # We don't want generate to respect the alt names setting, since it is usually

data/lib/puppetserver/ca/action/import.rb

@@ -4,6 +4,7 @@ require 'puppetserver/ca/config/puppet'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/local_certificate_authority'
 require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/config'
 require 'puppetserver/ca/utils/file_system'
 require 'puppetserver/ca/utils/signing_digest'
 require 'puppetserver/ca/x509_loader'
@@ -55,7 +56,7 @@ BANNER
           settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
 
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(settings_overrides, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           # Load most secure signing digest we can for cers/crl/csr signing.
@@ -130,6 +131,8 @@ ERR
             FileSystem.write_file(location, content, 0640)
           end
 
+          Puppetserver::Ca::Utils::Config.symlink_to_old_cadir(settings[:cadir], settings[:confdir])
+
           return []
         end
 

data/lib/puppetserver/ca/action/list.rb

@@ -68,7 +68,7 @@ Options:
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           filter_names = certnames.any? \

data/lib/puppetserver/ca/action/migrate.rb

@@ -29,7 +29,7 @@ BANNER
         def run(input)
           config_path = input['config']
           puppet = Config::Puppet.new(config_path)
-          puppet.load
+          puppet.load({}, @logger)
           return 1 if HttpClient.check_server_online(puppet.settings, @logger)
 
           errors = FileSystem.check_for_existing_files(PUPPETSERVER_CA_DIR)
@@ -66,14 +66,6 @@ SUCCESS_MESSAGE
         def migrate(old_cadir, new_cadir=PUPPETSERVER_CA_DIR)
           FileUtils.mv(old_cadir, new_cadir)
           FileUtils.symlink(new_cadir, old_cadir)
-          # Ensure the symlink has the same ownership as the actual cadir.
-          # This requires using `FileUtils.chown` rather than `File.chown`, as
-          # the latter will update the ownership of the target rather than the
-          # link itself.
-          # Symlink permissions are ignored in favor of the target's permissions,
-          # so we don't have to change those.
-          cadir = File.stat(new_cadir)
-          FileUtils.chown(cadir.uid, cadir.gid, old_cadir)
         end
 
         def parse(args)

data/lib/puppetserver/ca/action/revoke.rb

@@ -83,7 +83,7 @@ BANNER
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           result =  revoke_certs(certnames, puppet.settings)

data/lib/puppetserver/ca/action/setup.rb

@@ -3,6 +3,7 @@ require 'optparse'
 require 'puppetserver/ca/config/puppet'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/local_certificate_authority'
+require 'puppetserver/ca/utils/config'
 require 'puppetserver/ca/utils/cli_parsing'
 require 'puppetserver/ca/utils/file_system'
 require 'puppetserver/ca/utils/signing_digest'
@@ -55,7 +56,7 @@ BANNER
           settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
 
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(settings_overrides, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           # Load most secure signing digest we can for cers/crl/csr signing.
@@ -135,6 +136,8 @@ ERR
             FileSystem.write_file(location, content, 0640)
           end
 
+          Puppetserver::Ca::Utils::Config.symlink_to_old_cadir(settings[:cadir], settings[:confdir])
+
           return []
         end
 

data/lib/puppetserver/ca/action/sign.rb

@@ -62,7 +62,7 @@ Options:
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           ca = Puppetserver::Ca::CertificateAuthority.new(@logger, puppet.settings)

data/lib/puppetserver/ca/config/puppet.rb

@@ -23,9 +23,9 @@ module Puppetserver
         # A regex describing valid formats with groups for capturing the value and units
         TTL_FORMAT = /^(\d+)(y|d|h|m|s)?$/
 
-        def self.parse(config_path)
+        def self.parse(config_path, logger)
           instance = new(config_path)
-          instance.load
+          instance.load({}, logger)
 
           return instance
         end
@@ -34,7 +34,7 @@ module Puppetserver
 
         def initialize(supplied_config_path = nil)
           @using_default_location = !supplied_config_path
-          @config_path = supplied_config_path || user_specific_conf_file
+          @config_path = supplied_config_path || user_specific_puppet_config
 
           @settings = nil
           @errors = []
@@ -46,36 +46,28 @@ module Puppetserver
         # on Windows are unsupported.
         # Note that Puppet Server runs as the [pe-]puppet user but to
         # start/stop it you must be root.
-        def user_specific_conf_dir
-          @user_specific_conf_dir ||=
-            if Puppetserver::Ca::Utils::Config.running_as_root?
-              '/etc/puppetlabs/puppet'
-            else
-              "#{ENV['HOME']}/.puppetlabs/etc/puppet"
-            end
+        def user_specific_puppet_confdir
+          @user_specific_puppet_confdir ||= Puppetserver::Ca::Utils::Config.puppet_confdir
         end
 
-        def user_specific_conf_file
-          user_specific_conf_dir + '/puppet.conf'
+        def user_specific_puppet_config
+          user_specific_puppet_confdir + '/puppet.conf'
         end
 
-        def load(cli_overrides = {})
+        def load(cli_overrides = {}, logger)
           if explicitly_given_config_file_or_default_config_exists?
             results = parse_text(File.read(@config_path))
           end
 
           results ||= {}
           results[:main] ||= {}
-          # The [master] config section is deprecated
-          # We now favor [server], but support both for backwards compatibility
           results[:master] ||= {}
-          results[:server] ||= {}
           results[:agent] ||= {}
 
-          overrides = results[:agent].merge(results[:main]).merge(results[:master]).merge(results[:server])
+          overrides = results[:agent].merge(results[:main]).merge(results[:master])
           overrides.merge!(cli_overrides)
 
-          @settings = resolve_settings(overrides).freeze
+          @settings = resolve_settings(overrides, logger).freeze
         end
 
         def default_certname
@@ -92,7 +84,7 @@ module Puppetserver
 
         # Resolve settings from default values, with any overrides for the
         # specific settings or their dependent settings (ssldir, cadir) taken into account.
-        def resolve_settings(overrides = {})
+        def resolve_settings(overrides = {}, logger)
           unresolved_setting = /\$[a-z_]+/
 
           # Returning the key for unknown keys (rather than nil) is required to
@@ -104,9 +96,8 @@ module Puppetserver
           # These need to be evaluated before we can construct their dependent
           # defaults below
           base_defaults = [
-            [:confdir, user_specific_conf_dir],
+            [:confdir, user_specific_puppet_confdir],
             [:ssldir,'$confdir/ssl'],
-            [:cadir, '$ssldir/ca'],
             [:certdir, '$ssldir/certs'],
             [:certname, default_certname],
             [:server, 'puppet'],
@@ -151,6 +142,13 @@ module Puppetserver
             settings[setting_name] = substitutions[substitution_name] = subbed_value
           end
 
+          cadir = find_cadir(overrides.fetch(:cadir, false),
+                             settings[:confdir],
+                             settings[:ssldir],
+                             logger)
+          settings[:cadir] = substitutions['$cadir'] = cadir
+
+
           dependent_defaults.each do |setting_name, default_value|
             setting_value = overrides.fetch(setting_name, default_value)
             settings[setting_name] = setting_value
@@ -213,6 +211,33 @@ module Puppetserver
 
        private
 
+
+        def find_cadir(configured_cadir, confdir, ssldir, logger)
+          warning = 'The cadir is currently configured to be inside the ' +
+            '%{ssldir} directory. This config setting and the directory ' +
+            'location will not be used in a future version of puppet. ' +
+            'Please run the puppetserver ca tool to migrate out from the ' +
+            'puppet confdir to the /etc/puppetlabs/puppetserver/ca directory. ' +
+            'Use `puppetserver ca migrate --help` for more info.'
+
+          if configured_cadir
+            if configured_cadir.start_with?(ssldir)
+              logger.warn(warning % {ssldir: ssldir})
+            end
+            configured_cadir
+
+          else
+            old_cadir = Puppetserver::Ca::Utils::Config.old_default_cadir(confdir)
+            new_cadir = Puppetserver::Ca::Utils::Config.new_default_cadir(confdir)
+            if File.exist?(old_cadir) && !File.symlink?(old_cadir)
+              logger.warn(warning % {ssldir: ssldir})
+              old_cadir
+            else
+              new_cadir
+            end
+          end
+        end
+
         def explicitly_given_config_file_or_default_config_exists?
           !@using_default_location || File.exist?(@config_path)
         end

data/lib/puppetserver/ca/utils/config.rb

@@ -1,3 +1,5 @@
+require 'puppetserver/ca/utils/file_system'
+
 module Puppetserver
   module Ca
     module Utils
@@ -19,6 +21,40 @@ module Puppetserver
           end.sort.uniq.join(", ")
         end
 
+        def self.puppet_confdir
+          if running_as_root?
+            '/etc/puppetlabs/puppet'
+          else
+            "#{ENV['HOME']}/.puppetlabs/etc/puppet"
+          end
+        end
+
+        def self.puppetserver_confdir(puppet_confdir)
+          File.join(File.dirname(puppet_confdir), 'puppetserver')
+        end
+
+        def self.default_ssldir(confdir = puppet_confdir)
+          File.join(confdir, 'ssl')
+        end
+
+        def self.old_default_cadir(confdir = puppet_confdir)
+          File.join(confdir, 'ssl', 'ca')
+        end
+
+        def self.new_default_cadir(confdir = puppet_confdir)
+          File.join(puppetserver_confdir(confdir), 'ca')
+        end
+
+        def self.symlink_to_old_cadir(current_cadir, puppet_confdir)
+          old_cadir = old_default_cadir(puppet_confdir)
+          new_cadir = new_default_cadir(puppet_confdir)
+          return if current_cadir != new_cadir
+          # This is only run on setup/import, so there should be no files in the
+          # old cadir, so it should be safe to forcibly remove it (which we need
+          # to do in order to create a symlink).
+          Puppetserver::Ca::Utils::FileSystem.forcibly_symlink(new_cadir, old_cadir)
+        end
+
       end
     end
   end

data/lib/puppetserver/ca/utils/file_system.rb

@@ -50,6 +50,11 @@ module Puppetserver
           errors
         end
 
+        def self.forcibly_symlink(source, link_target)
+          FileUtils.remove_dir(link_target, true)
+          FileUtils.symlink(source, link_target)
+        end
+
         def initialize
           @user, @group = find_user_and_group
         end

data/lib/puppetserver/ca/utils/http_client.rb

@@ -174,7 +174,7 @@ module Puppetserver
             self.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
               result = conn.get
               if result.body == "running"
-                logger.err "Puppetserver service is running. Please stop it before attempting to run this command."
+                logger.err "CA service is running. Please stop it before attempting to run this command."
                 true
               else
                 false

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.9.1"
+    VERSION = "2.0.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.9.1
+  version: 2.0.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-12-09 00:00:00.000000000 Z
+date: 2020-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter