puppetserver-ca 1.9.3 → 1.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2425e37368e436ac075108565392b12b76bfc4979211314f9546b28d91c4436c
-  data.tar.gz: c4be371798d5a7baed4d9eeac5c96d2dad2ec822f94f243500b1e647248a4c89
+  metadata.gz: 813b9f6f9913cd98abd4b81219cfb4882e7c9c1ace77f024218706be07411d7a
+  data.tar.gz: 8f7bd49d04fc6f23f4674006f1d159756286f9b3ae50a686cb4faa5b7b71832d
 SHA512:
-  metadata.gz: fb89a14f1cf7f137cf970854ab1f7604c3d60e8bb6c3d2b45035a2567a1606f490e1f8ab5386d84b270121abe1278de4777aeddeda039f4597125e3297933d14
-  data.tar.gz: 0f66e2871e19442d382b23c035546affe368990df2ba051672b55c549cf01fe267f930b4aae4ec465f2e4e0b82ee73ccc30708df04c680a0d2c1b2dac8f7cf4d
+  metadata.gz: a2dbfac65155e9dbd593931305b9f99079f2610bd02d64c20e1be00f8f61058f85bfcf410f5987439de892b6adf9e46beadb60d85a4f970c07a4eec2643c54d9
+  data.tar.gz: 26964af97f64152d3d5e1bfbcc931daa102734b1facf2ef588890552aee36791be3a6091e5e5563d328254149133035597773486c53e67ddd8e1624327f289bb

data/README.md

@@ -55,20 +55,30 @@ To create a new keypair and certificate for a certname:
 puppetserver ca generate --certname foo.example.com
 ```
 
+To remove duplicated entries from Puppet's CRL:
+```
+puppetserver ca prune
+```
+
+To enable verbose mode:
+```
+puppetserver ca --verbose <action>
+```
+
 For more details, see the help output:
 ```
 puppetserver ca --help
 ```
 
 This code in this project is licensed under the Apache Software License v2,
-please see the included [License](https://github.com/puppetlabs/puppetserver-ca-cli/blob/master/LICENSE.md)
+please see the included [License](https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/LICENSE.md)
 for more details.
 
 
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then,
-run `rake spec` to run the tests. You can also run `bin/console` for an
+run `bundle exec rake spec` to run the tests. You can also run `bin/console` for an
 interactive prompt that will allow you to experiment.
 
 To install this gem onto your local machine, run `bundle exec rake install`.
@@ -92,7 +102,7 @@ To test your changes on a VM:
 1. To confirm that installation was successful, run `puppetserver ca --help`
 
 ### Releasing
-To release a new version, run the [release pipeline](https://jenkins-master-prod-1.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_1.x/), which will bump the version, tag, build, and release the gem.
+To release a new version, run the [release pipeline](https://jenkins-platform.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_1.x/), which will bump the version, tag, build, and release the gem.
 
 
 ## Contributing & Support
@@ -105,9 +115,9 @@ Freenode, or the Puppet Community Slack channel.
 
 Contributions are welcome at https://github.com/puppetlabs/puppetserver-ca-cli/pulls.
 Contributors should both be sure to read the
-[contributing document](https://github.com/puppetlabs/puppetserver-ca-cli/blob/master/CONTRIBUTING.md)
+[contributing document](https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/CONTRIBUTING.md)
 and sign the [contributor license agreement](https://cla.puppet.com/).
 
 Everyone interacting with the project’s codebase, issue tracker, etc is expected
 to follow the
-[code of conduct](https://github.com/puppetlabs/puppetserver-ca-cli/blob/master/CODE_OF_CONDUCT.md).
+[code of conduct](https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/CODE_OF_CONDUCT.md).

data/lib/puppetserver/ca/action/clean.rb

@@ -14,7 +14,7 @@ module Puppetserver
 
         include Puppetserver::Ca::Utils
 
-        CERTNAME_BLACKLIST = %w{--all --config}
+        CERTNAME_BLOCKLIST = %w{--all --config}
 
         SUMMARY = 'Revoke cert(s) and remove related files from CA'
         BANNER = <<-BANNER
@@ -59,7 +59,7 @@ BANNER
           errors = CliParsing.parse_with_errors(parser, args)
 
           results['certnames'].each do |certname|
-            if CERTNAME_BLACKLIST.include?(certname)
+            if CERTNAME_BLOCKLIST.include?(certname)
               errors << "    Cannot manage cert named `#{certname}` from " +
                         "the CLI, if needed use the HTTP API directly"
             end

data/lib/puppetserver/ca/action/generate.rb

@@ -18,7 +18,7 @@ module Puppetserver
 
         # Only allow printing ascii characters, excluding /
         VALID_CERTNAME = /\A[ -.0-~]+\Z/
-        CERTNAME_BLACKLIST = %w{--all --config}
+        CERTNAME_BLOCKLIST = %w{--all --config}
 
         SUMMARY = "Generate a new certificate signed by the CA"
         BANNER = <<-BANNER
@@ -35,7 +35,7 @@ Description:
   If the `--ca-client` flag is passed, the cert will be generated
   offline, without using Puppet Server's signing code, and will add
   a special extension authorizing it to talk to the CA API. This can
-  be used for regenerating the master's host cert, or for manually
+  be used for regenerating the server's host cert, or for manually
   setting up other nodes to be CA clients. Do not distribute certs
   generated this way to any node that you do not intend to have
   administrative access to the CA (e.g. the ability to sign a cert).
@@ -91,7 +91,7 @@ BANNER
             errors << '    At least one certname is required to generate'
           else
             results['certnames'].each do |certname|
-              if CERTNAME_BLACKLIST.include?(certname)
+              if CERTNAME_BLOCKLIST.include?(certname)
                 errors << "    Cannot manage cert named `#{certname}` from " +
                           "the CLI, if needed use the HTTP API directly"
               end

data/lib/puppetserver/ca/action/import.rb

@@ -14,7 +14,7 @@ module Puppetserver
       class Import
         include Puppetserver::Ca::Utils
 
-        SUMMARY = "Import an external CA chain and generate master PKI"
+        SUMMARY = "Import an external CA chain and generate server PKI"
         BANNER = <<-BANNER
 Usage:
   puppetserver ca import [--help]
@@ -72,7 +72,7 @@ BANNER
         def import(loader, settings, signing_digest)
           ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
           ca.initialize_ssl_components(loader)
-          master_key, master_cert = ca.create_master_cert
+          server_key, server_cert = ca.create_server_cert
           return ca.errors if ca.errors.any?
 
           FileSystem.ensure_dirs([settings[:ssldir],
@@ -88,25 +88,25 @@ BANNER
             [settings[:cadir] + '/infra_crl.pem', loader.crls],
             [settings[:localcacert], loader.certs],
             [settings[:hostcrl], loader.crls],
-            [settings[:hostpubkey], master_key.public_key],
-            [settings[:hostcert], master_cert],
-            [settings[:cert_inventory], ca.inventory_entry(master_cert)],
+            [settings[:hostpubkey], server_key.public_key],
+            [settings[:hostcert], server_cert],
+            [settings[:cert_inventory], ca.inventory_entry(server_cert)],
             [settings[:capub], loader.key.public_key],
             [settings[:cadir] + '/infra_inventory.txt', ''],
             [settings[:cadir] + '/infra_serials', ''],
             [settings[:serial], "002"],
-            [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), master_cert]
+            [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), server_cert]
           ]
 
           private_files = [
-            [settings[:hostprivkey], master_key],
+            [settings[:hostprivkey], server_key],
             [settings[:cakey], loader.key],
           ]
 
           files_to_check = public_files + private_files
-          # We don't want to error if master's keys exist. Certain workflows
+          # We don't want to error if server's keys exist. Certain workflows
           # allow the agent to have already be installed with keys and then
-          # upgraded to be a master. The host class will honor keys, if both
+          # upgraded to be a server. The host class will honor keys, if both
           # public and private exist, and error if only one exists - as is
           # previous behavior.
           files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
@@ -178,11 +178,11 @@ ERR
               parsed['crl-chain'] = chain
             end
             opts.on('--certname NAME',
-                    'Common name to use for the master cert') do |name|
+                    'Common name to use for the server cert') do |name|
               parsed['certname'] = name
             end
             opts.on('--subject-alt-names NAME[,NAME]',
-                    'Subject alternative names for the master cert') do |sans|
+                    'Subject alternative names for the server cert') do |sans|
               parsed['subject-alt-names'] = sans
             end
           end

data/lib/puppetserver/ca/action/list.rb

@@ -30,6 +30,7 @@ Options:
       BANNER
 
         BODY = JSON.dump({desired_state: 'signed'})
+        VALID_FORMAT = ['text', 'json']
 
         def initialize(logger)
           @logger = logger
@@ -47,6 +48,9 @@ Options:
             opts.on('--all', 'List all certificates') do |a|
               parsed['all'] = true
             end
+            opts.on('--format FORMAT', "Valid formats are: 'text' (default), 'json'") do |f|
+              parsed['format'] = f
+            end
             opts.on('--certname NAME[,NAME]', Array, 'List the specified cert(s)') do |cert|
               parsed['certname'] = cert
             end
@@ -57,9 +61,15 @@ Options:
           config = input['config']
           certnames = input['certname'] || []
           all = input['all']
+          output_format = input['format'] || "text"
+
+          unless VALID_FORMAT.include?(output_format)
+            Errors.handle_with_usage(@logger, ["Unknown format flag '#{output_format}'. Valid formats are '#{VALID_FORMAT.join("', '")}'."])
+            return 1
+          end
 
           if all && certnames.any?
-            Errors.handle_with_usage(@logger, ['Cannot combine use of --all and --certname'])
+            Errors.handle_with_usage(@logger, ['Cannot combine use of --all and --certname.'])
             return 1
           end
 
@@ -71,24 +81,60 @@ Options:
           puppet = Config::Puppet.parse(config)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
-          filter_names = certnames.any? \
-            ? lambda { |x| certnames.include?(x['name']) }
-            : lambda { |x| true }
+          if certnames.any?
+            filter_names = lambda { |x| certnames.include?(x['name']) }
+          else
+            filter_names = lambda { |x| true }
+          end
 
           all_certs = get_all_certs(puppet.settings).select { |cert| filter_names.call(cert) }
           requested, signed, revoked = separate_certs(all_certs)
           missing = certnames - all_certs.map { |cert| cert['name'] }
 
-          (all || certnames.any?) \
-            ? output_certs_by_state(requested, signed, revoked, missing)
-            : output_certs_by_state(requested)
+          if (all || certnames.any?)
+            output_certs_by_state(all, output_format, requested, signed, revoked, missing)
+          else
+            output_certs_by_state(all, output_format, requested)
+          end
+
+          return missing.any? ? 1 : 0
+        end
 
-          return missing.any? \
-            ? 1
-            : 0
+        def output_certs_by_state(all, output_format, requested, signed = [], revoked = [], missing = [])
+          if output_format == 'json'
+            output_certs_json_format(all, requested, signed, revoked, missing)
+          else
+            output_certs_text_format(requested, signed, revoked, missing)
+          end
         end
 
-        def output_certs_by_state(requested, signed = [], revoked = [], missing = [])
+        def output_certs_json_format(all, requested, signed, revoked, missing)
+          grouped_cert = {}
+
+          if all
+            grouped_cert = { "requested" => requested,
+                             "signed" => signed,
+                             "revoked" => revoked }.to_json
+            @logger.inform(grouped_cert)
+          else
+            grouped_cert["requested"] = requested unless requested.empty?
+            grouped_cert["signed"] = signed unless signed.empty?
+            grouped_cert["revoked"] = revoked unless revoked.empty?
+            grouped_cert["missing"] = missing unless missing.empty?
+
+            # If neither the '--all' flag or the '--certname' flag was passed in
+            # and the requested cert array is empty, we output a JSON object
+            # with an empty 'requested' key. Otherwise, we display
+            # any of the classes that are currently in grouped_cert
+            if grouped_cert.empty?
+              @logger.inform({ "requested" => requested }.to_json)
+            else
+              @logger.inform(grouped_cert.to_json)
+            end
+          end
+        end
+
+        def output_certs_text_format(requested, signed, revoked, missing)
           if revoked.empty? && signed.empty? && requested.empty? && missing.empty?
             @logger.inform "No certificates to list"
             return
@@ -165,7 +211,12 @@ Options:
 
         def get_all_certs(settings)
           result = Puppetserver::Ca::CertificateAuthority.new(@logger, settings).get_certificate_statuses
-          result ? JSON.parse(result.body) : []
+
+          if result
+            return JSON.parse(result.body)
+          else
+            return []
+          end
         end
 
         def parse(args)
@@ -176,8 +227,11 @@ Options:
 
           errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
 
-          exit_code = errors_were_handled ? 1 : nil
-
+          if errors_were_handled
+            exit_code = 1
+          else
+            exit_code = nil
+          end
           return results, exit_code
         end
       end

data/lib/puppetserver/ca/action/prune.rb

@@ -0,0 +1,116 @@
+require 'optparse'
+require 'openssl'
+require 'puppetserver/ca/errors'
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/config'
+require 'puppetserver/ca/x509_loader'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Prune
+        include Puppetserver::Ca::Utils
+
+        SUMMARY = "Prune the local CRL on disk to remove any duplicated certificates"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca prune [--help]
+  puppetserver ca prune [--config]
+
+Description:
+  Prune the list of revoked certificates of any duplication within it.  This command
+  will only prune the CRL issued by Puppet's CA cert.
+
+Options:
+BANNER
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(inputs)
+          config_path = inputs['config']
+
+          # Validate the config path.
+          if config_path
+            errors = FileSystem.validate_file_paths(config_path)
+            return 1 if Errors.handle_with_usage(@logger, errors)
+          end
+
+          # Validate puppet config setting.
+          puppet = Config::Puppet.new(config_path)
+          puppet.load(logger: @logger)
+          return 1 if Errors.handle_with_usage(@logger, puppet.errors)
+
+          # Validate that we are offline
+          return 1 if HttpClient.check_server_online(puppet.settings, @logger)
+
+          # Getting the CRL(s)
+          loader = X509Loader.new(puppet.settings[:cacert], puppet.settings[:cakey], puppet.settings[:cacrl])
+
+          puppet_crl = loader.crls.select { |crl| crl.verify(loader.key) }
+          prune_CRLs(puppet_crl)
+          update_pruned_CRL(puppet_crl, loader.key)
+          FileSystem.write_file(puppet.settings[:cacrl], loader.crls, 0644)
+
+          @logger.inform("Finished pruning Puppet's CRL")
+          return 0
+        end
+
+        def prune_CRLs(crl_list)
+          crl_list.each do |crl|
+            existed_serial_number = Set.new()
+            revoked_list = crl.revoked
+            @logger.debug("Pruning duplicate entries in CRL for issuer " \
+              "#{crl.issuer.to_s(OpenSSL::X509::Name::RFC2253)}") if @logger.debug?
+
+            revoked_list.delete_if do |revoked|
+              if existed_serial_number.add?(revoked.serial)
+                false
+              else
+                @logger.debug("Removing duplicate of #{revoked.serial}, " \
+                  "revoked on #{revoked.time}\n") if @logger.debug?
+                true
+              end
+            end
+            crl.revoked=(revoked_list)
+          end
+        end
+
+        def update_pruned_CRL(crl_list, pkey)
+          crl_list.each do |crl|
+            crl.version=(crl.version + 1)
+            crl.sign(pkey, OpenSSL::Digest::SHA256.new)
+          end
+        end
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to the puppet.conf file on disk') do |conf|
+              parsed['config'] = conf
+            end
+          end
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+          errors = CliParsing.parse_with_errors(parser, args)
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+
+          if errors_were_handled
+            exit_code = 1
+          else
+            exit_code = nil
+          end
+          return results, exit_code
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/action/revoke.rb

@@ -12,7 +12,7 @@ module Puppetserver
 
         include Puppetserver::Ca::Utils
 
-        CERTNAME_BLACKLIST = %w{--all --config}
+        CERTNAME_BLOCKLIST = %w{--all --config}
 
         SUMMARY = 'Revoke certificate(s)'
         BANNER = <<-BANNER
@@ -55,7 +55,7 @@ BANNER
           errors = CliParsing.parse_with_errors(parser, args)
 
           results['certnames'].each do |certname|
-            if CERTNAME_BLACKLIST.include?(certname)
+            if CERTNAME_BLOCKLIST.include?(certname)
               errors << "    Cannot manage cert named `#{certname}` from " +
                         "the CLI, if needed use the HTTP API directly"
             end

data/lib/puppetserver/ca/action/setup.rb

@@ -23,10 +23,10 @@ Usage:
 Description:
   Setup a root and intermediate signing CA for Puppet Server
   and store generated CA keys, certs, crls, and associated
-  master related files on disk.
+  server related files on disk.
 
   The `--subject-alt-names` flag can be used to add SANs to the
-  certificate generated for the Puppet master. Multiple names can be
+  certificate generated for the Puppet server. Multiple names can be
   listed as a comma separated string. These can be either DNS names or
   IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
   Names with no prefix will be treated as DNS names.
@@ -76,7 +76,7 @@ BANNER
 
           root_key, root_cert, root_crl = ca.create_root_cert
           ca.create_intermediate_cert(root_key, root_cert)
-          master_key, master_cert = ca.create_master_cert
+          server_key, server_cert = ca.create_server_cert
           return ca.errors if ca.errors.any?
 
           FileSystem.ensure_dirs([settings[:ssldir],
@@ -90,28 +90,28 @@ BANNER
             [settings[:cacert], [ca.cert, root_cert]],
             [settings[:cacrl], [ca.crl, root_crl]],
             [settings[:cadir] + '/infra_crl.pem', [ca.crl, root_crl]],
-            [settings[:hostcert], master_cert],
+            [settings[:hostcert], server_cert],
             [settings[:localcacert], [ca.cert, root_cert]],
             [settings[:hostcrl], [ca.crl, root_crl]],
-            [settings[:hostpubkey], master_key.public_key],
+            [settings[:hostpubkey], server_key.public_key],
             [settings[:capub], ca.key.public_key],
-            [settings[:cert_inventory], ca.inventory_entry(master_cert)],
+            [settings[:cert_inventory], ca.inventory_entry(server_cert)],
             [settings[:cadir] + '/infra_inventory.txt', ''],
             [settings[:cadir] + '/infra_serials', ''],
             [settings[:serial], "002"],
-            [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), master_cert],
+            [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), server_cert],
           ]
 
           private_files = [
-            [settings[:hostprivkey], master_key],
+            [settings[:hostprivkey], server_key],
             [settings[:rootkey], root_key],
             [settings[:cakey], ca.key],
           ]
 
           files_to_check = public_files + private_files
-          # We don't want to error if master's keys exist. Certain workflows
+          # We don't want to error if server's keys exist. Certain workflows
           # allow the agent to have already be installed with keys and then
-          # upgraded to be a master. The host class will honor keys, if both
+          # upgraded to be a server. The host class will honor keys, if both
           # public and private exist, and error if only one exists - as is
           # previous behavior.
           files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
@@ -160,7 +160,7 @@ ERR
               parsed['config'] = conf
             end
             opts.on('--subject-alt-names NAME[,NAME]',
-                    'Subject alternative names for the master cert') do |sans|
+                    'Subject alternative names for the server cert') do |sans|
               parsed['subject-alt-names'] = sans
             end
             opts.on('--ca-name NAME',
@@ -168,7 +168,7 @@ ERR
               parsed['ca-name'] = name
             end
             opts.on('--certname NAME',
-                    'Common name to use for the master cert') do |name|
+                    'Common name to use for the server cert') do |name|
               parsed['certname'] = name
             end
           end

data/lib/puppetserver/ca/certificate_authority.rb

@@ -23,7 +23,7 @@ module Puppetserver
 
       def initialize(logger, settings)
         @logger = logger
-        @client = HttpClient.new(settings)
+        @client = HttpClient.new(@logger, settings)
         @ca_server = settings[:ca_server]
         @ca_port = settings[:ca_port]
       end

data/lib/puppetserver/ca/cli.rb

@@ -8,6 +8,7 @@ require 'puppetserver/ca/action/list'
 require 'puppetserver/ca/action/revoke'
 require 'puppetserver/ca/action/setup'
 require 'puppetserver/ca/action/sign'
+require 'puppetserver/ca/action/prune'
 require 'puppetserver/ca/action/migrate'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/logger'
@@ -25,11 +26,12 @@ Manage the Private Key Infrastructure for
 Puppet Server's built-in Certificate Authority
 BANNER
 
-      INIT_ACTIONS = {
+      ADMIN_ACTIONS = {
         'import'   => Action::Import,
         'setup'    => Action::Setup,
-        'enable' => Action::Enable,
-        'migrate' => Action::Migrate,
+        'enable'   => Action::Enable,
+        'migrate'  => Action::Migrate,
+        'prune'    => Action::Prune
       }
 
       MAINT_ACTIONS = {
@@ -40,15 +42,15 @@ BANNER
         'sign'     => Action::Sign
       }
 
-      VALID_ACTIONS = INIT_ACTIONS.merge(MAINT_ACTIONS).sort.to_h
+      VALID_ACTIONS = ADMIN_ACTIONS.merge(MAINT_ACTIONS).sort.to_h
 
       ACTION_LIST = "\nAvailable Actions:\n\n" +
         "  Certificate Actions (requires a running Puppet Server):\n\n" +
         MAINT_ACTIONS.map do |action, cls|
           "    #{action}\t#{cls::SUMMARY}"
         end.join("\n") + "\n\n" +
-        "  Initialization Actions (requires Puppet Server to be stopped):\n\n" +
-        INIT_ACTIONS.map do |action, cls|
+        "  Administrative Actions (requires Puppet Server to be stopped):\n\n" +
+        ADMIN_ACTIONS.map do |action, cls|
           "    #{action}\t#{cls::SUMMARY}"
         end.join("\n")
 
@@ -64,8 +66,10 @@ BANNER
 
 
       def self.run(cli_args = ARGV, out = STDOUT, err = STDERR)
-        logger = Puppetserver::Ca::Logger.new(:info, out, err)
         parser, general_options, unparsed = parse_general_inputs(cli_args)
+        level = general_options.delete('verbose') ? :debug : :info
+
+        logger = Puppetserver::Ca::Logger.new(level, out, err)
 
         if general_options['version']
           logger.inform Puppetserver::Ca::VERSION
@@ -121,6 +125,9 @@ BANNER
           opts.on('--version', 'Display the version') do |v|
             parsed['version'] = true
           end
+          opts.on('--verbose', 'Display low-level information') do |verbose|
+            parsed['verbose'] = true
+          end
 
           opts.separator ACTION_OPTIONS
           opts.separator "\nSee `puppetserver ca <action> --help` for detailed info"

data/lib/puppetserver/ca/config/puppet.rb

@@ -74,6 +74,9 @@ module Puppetserver
 
           overrides = results[:agent].merge(results[:main]).merge(results[:master]).merge(results[:server])
           overrides.merge!(cli_overrides)
+          if overrides[:masterport]
+            overrides[:serverport] ||= overrides.delete(:masterport)
+          end
 
           @settings = resolve_settings(overrides).freeze
         end
@@ -105,11 +108,10 @@ module Puppetserver
           base_defaults = [
             [:confdir, user_specific_conf_dir],
             [:ssldir,'$confdir/ssl'],
-            [:cadir, '$ssldir/ca'],
             [:certdir, '$ssldir/certs'],
             [:certname, default_certname],
             [:server, 'puppet'],
-            [:masterport, '8140'],
+            [:serverport, '8140'],
             [:privatekeydir, '$ssldir/private_keys'],
             [:publickeydir, '$ssldir/public_keys'],
           ]
@@ -127,7 +129,7 @@ module Puppetserver
             :serial => '$cadir/serial',
             :cert_inventory => '$cadir/inventory.txt',
             :ca_server => '$server',
-            :ca_port => '$masterport',
+            :ca_port => '$serverport',
             :localcacert => '$certdir/ca.pem',
             :hostcrl => '$ssldir/crl.pem',
             :hostcert => '$certdir/$certname.pem',
@@ -150,6 +152,10 @@ module Puppetserver
             settings[setting_name] = substitutions[substitution_name] = subbed_value
           end
 
+          cadir = find_cadir(overrides.fetch(:cadir, false),
+                             settings[:confdir])
+          settings[:cadir] = substitutions['$cadir'] = cadir
+
           dependent_defaults.each do |setting_name, default_value|
             setting_value = overrides.fetch(setting_name, default_value)
             settings[setting_name] = setting_value
@@ -212,6 +218,21 @@ module Puppetserver
 
        private
 
+        def find_cadir(configured_cadir, confdir)
+          if configured_cadir
+            configured_cadir
+          else
+            old_cadir = Puppetserver::Ca::Utils::Config.old_default_cadir(confdir)
+            new_cadir = Puppetserver::Ca::Utils::Config.new_default_cadir(confdir)
+
+            if File.exist?("#{new_cadir}/ca_crt.pem")
+              new_cadir
+            else
+              old_cadir
+            end
+          end
+        end
+
         def explicitly_given_config_file_or_default_config_exists?
           !@using_default_location || File.exist?(@config_path)
         end
@@ -258,7 +279,7 @@ module Puppetserver
           end
 
           if settings.dig(:server_list, 0, 1) &&
-              settings[:ca_port] == '$masterport'
+              settings[:ca_port] == '$serverport'
 
             settings[:ca_port] = settings.dig(:server_list, 0, 1)
           end

data/lib/puppetserver/ca/host.rb

@@ -58,10 +58,10 @@ module Puppetserver
         @errors = []
       end
 
-      # If both the private and public keys exist for a master then we want
+      # If both the private and public keys exist for a server then we want
       # to honor them here, if only one key exists we want to surface an error,
       # and if neither exist we generate a new key. This logic is necessary for
-      # proper bootstrapping for certain master workflows.
+      # proper bootstrapping for certain server workflows.
       def create_private_key(keylength, private_path = '', public_path = '')
         if File.exists?(private_path) && File.exists?(public_path)
           return OpenSSL::PKey.read(File.read(private_path))

data/lib/puppetserver/ca/local_certificate_authority.rb

@@ -20,7 +20,7 @@ module Puppetserver
 
       CLI_AUTH_EXT_OID = "1.3.6.1.4.1.34380.1.3.39"
 
-      MASTER_EXTENSIONS = [
+      SERVER_EXTENSIONS = [
         ["basicConstraints", "CA:FALSE", true],
         ["nsComment", "Puppet Server Internal Certificate", false],
         ["authorityKeyIdentifier", "keyid:always", false],
@@ -132,23 +132,23 @@ module Puppetserver
         time.strftime('%Y-%m-%dT%H:%M:%S%Z')
       end
 
-      def create_master_cert
-        master_cert = nil
-        master_key = @host.create_private_key(@settings[:keylength],
+      def create_server_cert
+        server_cert = nil
+        server_key = @host.create_private_key(@settings[:keylength],
                                               @settings[:hostprivkey],
                                               @settings[:hostpubkey])
-        if master_key
-          master_csr = @host.create_csr(name: @settings[:certname], key: master_key)
+        if server_key
+          server_csr = @host.create_csr(name: @settings[:certname], key: server_key)
           if @settings[:subject_alt_names].empty?
             alt_names = "DNS:puppet, DNS:#{@settings[:certname]}"
           else
             alt_names = @settings[:subject_alt_names]
           end
 
-          master_cert = sign_authorized_cert(master_csr, alt_names)
+          server_cert = sign_authorized_cert(server_csr, alt_names)
         end
 
-        return master_key, master_cert
+        return server_key, server_cert
       end
 
       def sign_authorized_cert(csr, alt_names = '')
@@ -176,7 +176,7 @@ module Puppetserver
       end
 
       def add_authorized_extensions(cert, ef)
-        MASTER_EXTENSIONS.each do |ext|
+        SERVER_EXTENSIONS.each do |ext|
           extension = ef.create_extension(*ext)
           cert.add_extension(extension)
         end

data/lib/puppetserver/ca/logger.rb

@@ -13,8 +13,16 @@ module Puppetserver
         @err = err
       end
 
+      def level
+        @level
+      end
+
+      def debug?
+        return @level >= LEVELS[:debug]
+      end
+
       def debug(text)
-        if @level >= LEVELS[:debug]
+        if debug?
           @out.puts(text)
         end
       end

data/lib/puppetserver/ca/utils/config.rb

@@ -19,6 +19,25 @@ module Puppetserver
           end.sort.uniq.join(", ")
         end
 
+        def self.puppet_confdir
+          if running_as_root?
+            '/etc/puppetlabs/puppet'
+          else
+            "#{ENV['HOME']}/.puppetlabs/etc/puppet"
+          end
+        end
+
+        def self.puppetserver_confdir(puppet_confdir)
+          File.join(File.dirname(puppet_confdir), 'puppetserver')
+        end
+
+        def self.old_default_cadir(confdir = puppet_confdir)
+          File.join(confdir, 'ssl', 'ca')
+        end
+
+        def self.new_default_cadir(confdir = puppet_confdir)
+          File.join(puppetserver_confdir(confdir), 'ca')
+        end
       end
     end
   end

data/lib/puppetserver/ca/utils/http_client.rb

@@ -19,7 +19,8 @@ module Puppetserver
 
         # Not all connections require a client cert to be present.
         # For example, when querying the status endpoint.
-        def initialize(settings, with_client_cert: true)
+        def initialize(logger, settings, with_client_cert: true)
+          @logger = logger
           @store = make_store(settings[:localcacert],
                               settings[:certificate_revocation],
                               settings[:hostcrl])
@@ -50,7 +51,7 @@ module Puppetserver
         # The Connection object should have HTTP verbs defined on it that take
         # a body (and optional overrides). Returns whatever the block given returned.
         def with_connection(url, &block)
-          request = ->(conn) { block.call(Connection.new(conn, url)) }
+          request = ->(conn) { block.call(Connection.new(conn, url, @logger)) }
 
           begin
             Net::HTTP.start(url.host, url.port,
@@ -85,29 +86,35 @@ module Puppetserver
         # and defines methods named after HTTP verbs that are called on the
         # saved connection, returning a Result.
         class Connection
-          def initialize(net_http_connection, url_struct)
+          def initialize(net_http_connection, url_struct, logger)
             @conn = net_http_connection
             @url = url_struct
+            @logger = logger
           end
 
           def get(url_overide = nil, headers = {})
             url = url_overide || @url
             headers = DEFAULT_HEADERS.merge(headers)
 
+            @logger.debug("Making a GET request at #{url.full_url}")
+
             request = Net::HTTP::Get.new(url.to_uri, headers)
             result = @conn.request(request)
-
             Result.new(result.code, result.body)
+
           end
 
           def put(body, url_override = nil, headers = {})
             url = url_override || @url
             headers = DEFAULT_HEADERS.merge(headers)
 
+            @logger.debug("Making a PUT request at #{url.full_url}")
+
             request = Net::HTTP::Put.new(url.to_uri, headers)
             request.body = body
             result = @conn.request(request)
 
+
             Result.new(result.code, result.body)
           end
 
@@ -115,6 +122,8 @@ module Puppetserver
             url = url_override || @url
             headers = DEFAULT_HEADERS.merge(headers)
 
+            @logger.debug("Making a DELETE request at #{url.full_url}")
+
             result = @conn.request(Net::HTTP::Delete.new(url.to_uri, headers))
 
             Result.new(result.code, result.body)
@@ -166,12 +175,12 @@ module Puppetserver
         def self.check_server_online(settings, logger)
           status_url = URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
           begin
-            # Generating certs offline is necessary if the master cert has been destroyed
+            # Generating certs offline is necessary if the server cert has been destroyed
             # or compromised. Since querying the status endpoint does not require a client cert, and
             # we commonly won't have one, don't require one for creating the connection.
             # Additionally, we want to ensure the server is stopped before migrating the CA dir to
             # avoid issues with writing to the CA dir and moving it.
-            self.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
+            self.new(logger, settings, with_client_cert: false).with_connection(status_url) do |conn|
               result = conn.get
               if result.body == "running"
                 logger.err "Puppetserver service is running. Please stop it before attempting to run this command."

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.9.3"
+    VERSION = "1.11.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.9.3
+  version: 1.11.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-03-25 00:00:00.000000000 Z
+date: 2021-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -100,6 +100,7 @@ files:
 - lib/puppetserver/ca/action/import.rb
 - lib/puppetserver/ca/action/list.rb
 - lib/puppetserver/ca/action/migrate.rb
+- lib/puppetserver/ca/action/prune.rb
 - lib/puppetserver/ca/action/revoke.rb
 - lib/puppetserver/ca/action/setup.rb
 - lib/puppetserver/ca/action/sign.rb