puppetserver-ca 2.1.0 → 2.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 497bfffece8f53a956a7b1e668e9e822cd96e1e14ee9491c8e7cc88d9344a373
-  data.tar.gz: a77a2b34ef63e9952daf7b67f90ba895427584e02e859739a93092246775a5a6
+  metadata.gz: ffcdb4b7a4972842dd5f3cc03d3879998e1ab8fcba4066d49e919a1ba6c7312c
+  data.tar.gz: d32629c393a75fa5f6291e97bc84a4620738ef97804f569e031a4f975ac7b059
 SHA512:
-  metadata.gz: 175e6787a090312bca7d48f042fba739e35b0eb41bde6059408ad1490788049906b5ccfa1c4408c1c391491c7ea73a98ba31b34062ec61eeb101aad20aaf749e
-  data.tar.gz: 1fd6b2216952dca8053b03d5f2b09db65e6b4b3529a6c025ebb86331901f56aa3f1a25bb2c7cda3bbd7da3592ecd691a1e3b169b6e2166b57802b48adb0c6101
+  metadata.gz: aa99515bb8c32de7529d63bc4242bc4ef71ea8ba0c3f00137fa31cdec0a08e8b6da13d9daaaefd922e50abdbe287ced9ec2395802d4012754a4086c804d27907
+  data.tar.gz: '059760fa95029609e65f15726944c342053f66ac092cafb2f073896d3e143caf7f7a3029642749001b3fb6a289cf78ffe26dfb56a33399c60d268a1b303609d3'

data/README.md

@@ -55,6 +55,16 @@ To create a new keypair and certificate for a certname:
 puppetserver ca generate --certname foo.example.com
 ```
 
+To remove duplicated entries from Puppet's CRL:
+```
+puppetserver ca prune
+```
+
+To enable verbose mode:
+```
+puppetserver ca --verbose <action>
+```
+
 For more details, see the help output:
 ```
 puppetserver ca --help
@@ -68,7 +78,7 @@ for more details.
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then,
-run `rake spec` to run the tests. You can also run `bin/console` for an
+run `bundle exec rake spec` to run the tests. You can also run `bin/console` for an
 interactive prompt that will allow you to experiment.
 
 To install this gem onto your local machine, run `bundle exec rake install`.
@@ -92,8 +102,7 @@ To test your changes on a VM:
 1. To confirm that installation was successful, run `puppetserver ca --help`
 
 ### Releasing
-To release a new version, run the [release pipeline](https://jenkins-master-prod-1.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_main/), which will bump the version, tag, build, and release the gem.
-
+To release a new version, run the [release pipeline](https://jenkins-platform.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_main/), which will bump the version, tag, build, and release the gem.
 
 ## Contributing & Support
 

data/lib/puppetserver/ca/action/list.rb

@@ -30,6 +30,7 @@ Options:
       BANNER
 
         BODY = JSON.dump({desired_state: 'signed'})
+        VALID_FORMAT = ['text', 'json']
 
         def initialize(logger)
           @logger = logger
@@ -47,6 +48,9 @@ Options:
             opts.on('--all', 'List all certificates') do |a|
               parsed['all'] = true
             end
+            opts.on('--format FORMAT', "Valid formats are: 'text' (default), 'json'") do |f|
+              parsed['format'] = f
+            end
             opts.on('--certname NAME[,NAME]', Array, 'List the specified cert(s)') do |cert|
               parsed['certname'] = cert
             end
@@ -57,9 +61,16 @@ Options:
           config = input['config']
           certnames = input['certname'] || []
           all = input['all']
+          output_format = input['format'] || "text"
+          missing = []
+
+          unless VALID_FORMAT.include?(output_format)
+            Errors.handle_with_usage(@logger, ["Unknown format flag '#{output_format}'. Valid formats are '#{VALID_FORMAT.join("', '")}'."])
+            return 1
+          end
 
           if all && certnames.any?
-            Errors.handle_with_usage(@logger, ['Cannot combine use of --all and --certname'])
+            Errors.handle_with_usage(@logger, ['Cannot combine use of --all and --certname.'])
             return 1
           end
 
@@ -71,24 +82,60 @@ Options:
           puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
-          filter_names = certnames.any? \
-            ? lambda { |x| certnames.include?(x['name']) }
-            : lambda { |x| true }
+          if certnames.any?
+            filter_names = lambda { |x| certnames.include?(x['name']) }
+          else
+            filter_names = lambda { |x| true }
+          end
+
+          if (all || certnames.any?)
+            all_certs = get_certs_or_csrs(puppet.settings).select { |cert| filter_names.call(cert) }
+            requested, signed, revoked = separate_certs(all_certs)
+            missing = certnames - all_certs.map { |cert| cert['name'] }
+            output_certs_by_state(all, output_format, requested, signed, revoked, missing)
+          else
+            all_csrs = get_certs_or_csrs(puppet.settings, "requested")
+            output_certs_by_state(all, output_format, all_csrs)
+          end
 
-          all_certs = get_all_certs(puppet.settings).select { |cert| filter_names.call(cert) }
-          requested, signed, revoked = separate_certs(all_certs)
-          missing = certnames - all_certs.map { |cert| cert['name'] }
+          return missing.any? ? 1 : 0
+        end
 
-          (all || certnames.any?) \
-            ? output_certs_by_state(requested, signed, revoked, missing)
-            : output_certs_by_state(requested)
+        def output_certs_by_state(all, output_format, requested, signed = [], revoked = [], missing = [])
+          if output_format == 'json'
+            output_certs_json_format(all, requested, signed, revoked, missing)
+          else
+            output_certs_text_format(requested, signed, revoked, missing)
+          end
+        end
 
-          return missing.any? \
-            ? 1
-            : 0
+        def output_certs_json_format(all, requested, signed, revoked, missing)
+          grouped_cert = {}
+
+          if all
+            grouped_cert = { "requested" => requested,
+                             "signed" => signed,
+                             "revoked" => revoked }.to_json
+            @logger.inform(grouped_cert)
+          else
+            grouped_cert["requested"] = requested unless requested.empty?
+            grouped_cert["signed"] = signed unless signed.empty?
+            grouped_cert["revoked"] = revoked unless revoked.empty?
+            grouped_cert["missing"] = missing unless missing.empty?
+
+            # If neither the '--all' flag or the '--certname' flag was passed in
+            # and the requested cert array is empty, we output a JSON object
+            # with an empty 'requested' key. Otherwise, we display
+            # any of the classes that are currently in grouped_cert
+            if grouped_cert.empty?
+              @logger.inform({ "requested" => requested }.to_json)
+            else
+              @logger.inform(grouped_cert.to_json)
+            end
+          end
         end
 
-        def output_certs_by_state(requested, signed = [], revoked = [], missing = [])
+        def output_certs_text_format(requested, signed, revoked, missing)
           if revoked.empty? && signed.empty? && requested.empty? && missing.empty?
             @logger.inform "No certificates to list"
             return
@@ -163,9 +210,15 @@ Options:
           return requested, signed, revoked
         end
 
-        def get_all_certs(settings)
-          result = Puppetserver::Ca::CertificateAuthority.new(@logger, settings).get_certificate_statuses
-          result ? JSON.parse(result.body) : []
+        def get_certs_or_csrs(settings, queried_state = nil)
+          query = queried_state ? { :state => queried_state } : {}
+          result = Puppetserver::Ca::CertificateAuthority.new(@logger, settings).get_certificate_statuses(query)
+
+          if result
+            return JSON.parse(result.body)
+          else
+            return []
+          end
         end
 
         def parse(args)
@@ -176,8 +229,11 @@ Options:
 
           errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
 
-          exit_code = errors_were_handled ? 1 : nil
-
+          if errors_were_handled
+            exit_code = 1
+          else
+            exit_code = nil
+          end
           return results, exit_code
         end
       end

data/lib/puppetserver/ca/action/prune.rb

@@ -0,0 +1,131 @@
+require 'optparse'
+require 'openssl'
+require 'puppetserver/ca/errors'
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/config'
+require 'puppetserver/ca/x509_loader'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Prune
+        include Puppetserver::Ca::Utils
+
+        SUMMARY = "Prune the local CRL on disk to remove any duplicated certificates"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca prune [--help]
+  puppetserver ca prune [--config]
+
+Description:
+  Prune the list of revoked certificates of any duplication within it.  This command
+  will only prune the CRL issued by Puppet's CA cert.
+
+Options:
+BANNER
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(inputs)
+          config_path = inputs['config']
+
+          # Validate the config path.
+          if config_path
+            errors = FileSystem.validate_file_paths(config_path)
+            return 1 if Errors.handle_with_usage(@logger, errors)
+          end
+
+          # Validate puppet config setting.
+          puppet = Config::Puppet.new(config_path)
+          puppet.load(logger: @logger)
+          return 1 if Errors.handle_with_usage(@logger, puppet.errors)
+
+          # Validate that we are offline
+          return 1 if HttpClient.check_server_online(puppet.settings, @logger)
+
+          # Getting the CRL(s)
+          loader = X509Loader.new(puppet.settings[:cacert], puppet.settings[:cakey], puppet.settings[:cacrl])
+
+          puppet_crl = loader.crls.select { |crl| crl.verify(loader.key) }
+          number_of_removed_duplicates = prune_CRLs(puppet_crl)
+
+          if number_of_removed_duplicates > 0
+            update_pruned_CRL(puppet_crl, loader.key)
+            FileSystem.write_file(puppet.settings[:cacrl], loader.crls, 0644)
+            @logger.inform("Removed #{number_of_removed_duplicates} duplicated certs from Puppet's CRL.")
+          else
+            @logger.inform("No duplicate revocations found in the CRL.")
+          end
+
+          return 0
+        end
+
+        def prune_CRLs(crl_list)
+          number_of_removed_duplicates = 0
+
+          crl_list.each do |crl|
+            existed_serial_number = Set.new()
+            revoked_list = crl.revoked
+            @logger.debug("Pruning duplicate entries in CRL for issuer " \
+              "#{crl.issuer.to_s(OpenSSL::X509::Name::RFC2253)}") if @logger.debug?
+
+            revoked_list.delete_if do |revoked|
+              if existed_serial_number.add?(revoked.serial)
+                false
+              else
+                number_of_removed_duplicates += 1
+                @logger.debug("Removing duplicate of #{revoked.serial}, " \
+                  "revoked on #{revoked.time}\n") if @logger.debug?
+                true
+              end
+            end
+            crl.revoked=(revoked_list)
+          end
+
+          return number_of_removed_duplicates
+        end
+
+        def update_pruned_CRL(crl_list, pkey)
+          crl_list.each do |crl|
+            number_ext, other_ext = crl.extensions.partition{ |ext| ext.oid == "crlNumber" }
+            number_ext.each do |crl_number|
+              updated_crl_number = OpenSSL::BN.new(crl_number.value) + OpenSSL::BN.new(1)
+              crl_number.value=(OpenSSL::ASN1::Integer(updated_crl_number))
+            end
+            crl.extensions=(number_ext + other_ext)
+            crl.sign(pkey, OpenSSL::Digest::SHA256.new)
+          end
+        end
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to the puppet.conf file on disk') do |conf|
+              parsed['config'] = conf
+            end
+          end
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+          errors = CliParsing.parse_with_errors(parser, args)
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+
+          if errors_were_handled
+            exit_code = 1
+          else
+            exit_code = nil
+          end
+          return results, exit_code
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/certificate_authority.rb

@@ -23,7 +23,7 @@ module Puppetserver
 
       def initialize(logger, settings)
         @logger = logger
-        @client = HttpClient.new(settings)
+        @client = HttpClient.new(@logger, settings)
         @ca_server = settings[:ca_server]
         @ca_port = settings[:ca_port]
       end
@@ -41,8 +41,8 @@ module Puppetserver
       end
 
       # Returns a URI-like wrapper around CA specific urls
-      def make_ca_url(resource_type = nil, certname = nil)
-        HttpClient::URL.new('https', @ca_server, @ca_port, 'puppet-ca', 'v1', resource_type, certname)
+      def make_ca_url(resource_type = nil, certname = nil, query = {})
+        HttpClient::URL.new('https', @ca_server, @ca_port, 'puppet-ca', 'v1', resource_type, certname, query)
       end
 
       def process_ttl_input(ttl)
@@ -141,7 +141,7 @@ module Puppetserver
         when :revoke
           case result.code
           when '200', '204'
-            @logger.inform "Revoked certificate for #{certname}"
+            @logger.inform "Certificate for #{certname} has been revoked"
             return :success
           when '404'
             @logger.err 'Error:'
@@ -215,7 +215,7 @@ module Puppetserver
       def check_revocation(certname, result)
         case result.code
         when '200', '204'
-          @logger.inform "Revoked certificate for #{certname}"
+          @logger.inform "Certificate for #{certname} has been revoked"
           return :success
         when '409'
           return :invalid
@@ -250,8 +250,8 @@ module Puppetserver
       end
 
       # Returns nil for errors, else the result of the GET request
-      def get_certificate_statuses
-        result = get('certificate_statuses', 'any_key')
+      def get_certificate_statuses(query = {})
+        result = get('certificate_statuses', 'any_key', query)
 
         unless result.code == '200'
           @logger.err 'Error:'
@@ -287,8 +287,8 @@ module Puppetserver
       # @param resource_type [String] the resource type of url
       # @param resource_name [String] the resource name of url
       # @return [Struct] an instance of the Result struct with :code, :body
-      def get(resource_type, resource_name)
-        url = make_ca_url(resource_type, resource_name)
+      def get(resource_type, resource_name, query = {})
+        url = make_ca_url(resource_type, resource_name, query)
         @client.with_connection(url) do |connection|
           connection.get(url)
         end

data/lib/puppetserver/ca/cli.rb

@@ -8,6 +8,7 @@ require 'puppetserver/ca/action/list'
 require 'puppetserver/ca/action/revoke'
 require 'puppetserver/ca/action/setup'
 require 'puppetserver/ca/action/sign'
+require 'puppetserver/ca/action/prune'
 require 'puppetserver/ca/action/migrate'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/logger'
@@ -25,11 +26,12 @@ Manage the Private Key Infrastructure for
 Puppet Server's built-in Certificate Authority
 BANNER
 
-      INIT_ACTIONS = {
+      ADMIN_ACTIONS = {
         'import'   => Action::Import,
         'setup'    => Action::Setup,
-        'enable' => Action::Enable,
-        'migrate' => Action::Migrate,
+        'enable'   => Action::Enable,
+        'migrate'  => Action::Migrate,
+        'prune'    => Action::Prune
       }
 
       MAINT_ACTIONS = {
@@ -40,15 +42,15 @@ BANNER
         'sign'     => Action::Sign
       }
 
-      VALID_ACTIONS = INIT_ACTIONS.merge(MAINT_ACTIONS).sort.to_h
+      VALID_ACTIONS = ADMIN_ACTIONS.merge(MAINT_ACTIONS).sort.to_h
 
       ACTION_LIST = "\nAvailable Actions:\n\n" +
         "  Certificate Actions (requires a running Puppet Server):\n\n" +
         MAINT_ACTIONS.map do |action, cls|
           "    #{action}\t#{cls::SUMMARY}"
         end.join("\n") + "\n\n" +
-        "  Initialization Actions (requires Puppet Server to be stopped):\n\n" +
-        INIT_ACTIONS.map do |action, cls|
+        "  Administrative Actions (requires Puppet Server to be stopped):\n\n" +
+        ADMIN_ACTIONS.map do |action, cls|
           "    #{action}\t#{cls::SUMMARY}"
         end.join("\n")
 
@@ -64,8 +66,10 @@ BANNER
 
 
       def self.run(cli_args = ARGV, out = STDOUT, err = STDERR)
-        logger = Puppetserver::Ca::Logger.new(:info, out, err)
         parser, general_options, unparsed = parse_general_inputs(cli_args)
+        level = general_options.delete('verbose') ? :debug : :info
+
+        logger = Puppetserver::Ca::Logger.new(level, out, err)
 
         if general_options['version']
           logger.inform Puppetserver::Ca::VERSION
@@ -121,6 +125,9 @@ BANNER
           opts.on('--version', 'Display the version') do |v|
             parsed['version'] = true
           end
+          opts.on('--verbose', 'Display low-level information') do |verbose|
+            parsed['verbose'] = true
+          end
 
           opts.separator ACTION_OPTIONS
           opts.separator "\nSee `puppetserver ca <action> --help` for detailed info"

data/lib/puppetserver/ca/logger.rb

@@ -13,8 +13,16 @@ module Puppetserver
         @err = err
       end
 
+      def level
+        @level
+      end
+
+      def debug?
+        return @level >= LEVELS[:debug]
+      end
+
       def debug(text)
-        if @level >= LEVELS[:debug]
+        if debug?
           @out.puts(text)
         end
       end

data/lib/puppetserver/ca/utils/http_client.rb

@@ -1,5 +1,6 @@
 require 'net/https'
 require 'openssl'
+require 'uri'
 
 require 'puppetserver/ca/errors'
 
@@ -19,7 +20,8 @@ module Puppetserver
 
         # Not all connections require a client cert to be present.
         # For example, when querying the status endpoint.
-        def initialize(settings, with_client_cert: true)
+        def initialize(logger, settings, with_client_cert: true)
+          @logger = logger
           @store = make_store(settings[:localcacert],
                               settings[:certificate_revocation],
                               settings[:hostcrl])
@@ -50,7 +52,7 @@ module Puppetserver
         # The Connection object should have HTTP verbs defined on it that take
         # a body (and optional overrides). Returns whatever the block given returned.
         def with_connection(url, &block)
-          request = ->(conn) { block.call(Connection.new(conn, url)) }
+          request = ->(conn) { block.call(Connection.new(conn, url, @logger)) }
 
           begin
             Net::HTTP.start(url.host, url.port,
@@ -85,25 +87,30 @@ module Puppetserver
         # and defines methods named after HTTP verbs that are called on the
         # saved connection, returning a Result.
         class Connection
-          def initialize(net_http_connection, url_struct)
+          def initialize(net_http_connection, url_struct, logger)
             @conn = net_http_connection
             @url = url_struct
+            @logger = logger
           end
 
           def get(url_overide = nil, headers = {})
             url = url_overide || @url
             headers = DEFAULT_HEADERS.merge(headers)
 
+            @logger.debug("Making a GET request at #{url.full_url}")
+
             request = Net::HTTP::Get.new(url.to_uri, headers)
             result = @conn.request(request)
-
             Result.new(result.code, result.body)
+
           end
 
           def put(body, url_override = nil, headers = {})
             url = url_override || @url
             headers = DEFAULT_HEADERS.merge(headers)
 
+            @logger.debug("Making a PUT request at #{url.full_url}")
+
             request = Net::HTTP::Put.new(url.to_uri, headers)
             request.body = body
             result = @conn.request(request)
@@ -115,6 +122,8 @@ module Puppetserver
             url = url_override || @url
             headers = DEFAULT_HEADERS.merge(headers)
 
+            @logger.debug("Making a DELETE request at #{url.full_url}")
+
             result = @conn.request(Net::HTTP::Delete.new(url.to_uri, headers))
 
             Result.new(result.code, result.body)
@@ -127,10 +136,13 @@ module Puppetserver
         # Like URI, but not... maybe of suspicious value
         URL = Struct.new(:protocol, :host, :port,
                          :endpoint, :version,
-                         :resource_type, :resource_name) do
+                         :resource_type, :resource_name, :query) do
                 def full_url
-                  protocol + '://' + host + ':' + port + '/' +
-                  [endpoint, version, resource_type, resource_name].join('/')
+                  url = protocol + '://' + host + ':' + port + '/' +
+                        [endpoint, version, resource_type, resource_name].join('/')
+
+                  url = url + "?" + URI.encode_www_form(query) unless query.empty?
+                  return url
                 end
 
                 def to_uri
@@ -171,7 +183,7 @@ module Puppetserver
             # we commonly won't have one, don't require one for creating the connection.
             # Additionally, we want to ensure the server is stopped before migrating the CA dir to
             # avoid issues with writing to the CA dir and moving it.
-            self.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
+            self.new(logger, settings, with_client_cert: false).with_connection(status_url) do |conn|
               result = conn.get
               if result.body == "running"
                 logger.err "Puppetserver service is running. Please stop it before attempting to run this command."

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "2.1.0"
+    VERSION = "2.3.2"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.3.2
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-04-21 00:00:00.000000000 Z
+date: 2021-08-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -100,6 +100,7 @@ files:
 - lib/puppetserver/ca/action/import.rb
 - lib/puppetserver/ca/action/list.rb
 - lib/puppetserver/ca/action/migrate.rb
+- lib/puppetserver/ca/action/prune.rb
 - lib/puppetserver/ca/action/revoke.rb
 - lib/puppetserver/ca/action/setup.rb
 - lib/puppetserver/ca/action/sign.rb