RubyGems - puppetserver-ca - Versions diffs - 2.2.0 → 2.3.0 - Mend

puppetserver-ca 2.2.0 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/README.md +5 -0
data/lib/puppetserver/ca/action/prune.rb +116 -0
data/lib/puppetserver/ca/cli.rb +8 -6
data/lib/puppetserver/ca/logger.rb +5 -1
data/lib/puppetserver/ca/version.rb +1 -1
metadata +3 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 92fe6ca44899e2b5aeec75304212ff99b5e4530cbed2e0b451ad2dd77e2bf09a
-  data.tar.gz: c46bc437a85f0a52fde2d3b2b51bda909ad179c1997056810b397d4b27ae4867
+  metadata.gz: af10497de6396a89adeeb920ea09df98f728c97a6e219e6baf5d92ab1f063937
+  data.tar.gz: 39e54eaa7e05c9274add48f046e0328d68bb74146343abef6bc2be8fd4aba2be
 SHA512:
-  metadata.gz: 5c7ff17130d558382fa05f5f5bcb537ce9f2bc63a13078d1014783f636fcf0b0c02e604a0d4bf5694a486f67a56dec653430cea0c31eb911b7c15c9ea4e7f59d
-  data.tar.gz: 3ad80f74f02aac6a0dab1601cf54aad14756e0b1c0e2e0a30075d1eeafedff03b4546bc7c0cb7bc6dc6197b71abdb9f74816cd4596050b39e6c0f47ca47baf45
+  metadata.gz: 4e58d65112ae40fbd21881cb0514321c86311cea8d5947db8b049b1b19959268850a320375419a1b1506bae4dc805773e82d2ff23aeb43c528dd9e13157b8713
+  data.tar.gz: 9fe0a51c4966a39bef6317498f79ab1e953ed410ec409bc940003fb7ab295d09bf244a46832c4845c0dae1fef197c7da5ea4c4b77839256eb7724462d0d9ab52

data/README.md CHANGED Viewed

@@ -55,6 +55,11 @@ To create a new keypair and certificate for a certname:
 puppetserver ca generate --certname foo.example.com
 ```
+To remove duplicated entries from Puppet's CRL:
+```
+puppetserver ca prune
+```
 To enable verbose mode:
 ```
 puppetserver ca --verbose <action>

data/lib/puppetserver/ca/action/prune.rb ADDED Viewed

@@ -0,0 +1,116 @@
+require 'optparse'
+require 'openssl'
+require 'puppetserver/ca/errors'
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/config'
+require 'puppetserver/ca/x509_loader'
+module Puppetserver
+  module Ca
+    module Action
+      class Prune
+        include Puppetserver::Ca::Utils
+        SUMMARY = "Prune the local CRL on disk to remove any duplicated certificates"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca prune [--help]
+  puppetserver ca prune [--config]
+Description:
+  Prune the list of revoked certificates of any duplication within it.  This command
+  will only prune the CRL issued by Puppet's CA cert.
+Options:
+BANNER
+        def initialize(logger)
+          @logger = logger
+        end
+        def run(inputs)
+          config_path = inputs['config']
+          # Validate the config path.
+          if config_path
+            errors = FileSystem.validate_file_paths(config_path)
+            return 1 if Errors.handle_with_usage(@logger, errors)
+          end
+          # Validate puppet config setting.
+          puppet = Config::Puppet.new(config_path)
+          puppet.load(logger: @logger)
+          return 1 if Errors.handle_with_usage(@logger, puppet.errors)
+          # Validate that we are offline
+          return 1 if HttpClient.check_server_online(puppet.settings, @logger)
+          # Getting the CRL(s)
+          loader = X509Loader.new(puppet.settings[:cacert], puppet.settings[:cakey], puppet.settings[:cacrl])
+          puppet_crl = loader.crls.select { |crl| crl.verify(loader.key) }
+          prune_CRLs(puppet_crl)
+          update_pruned_CRL(puppet_crl, loader.key)
+          FileSystem.write_file(puppet.settings[:cacrl], loader.crls, 0644)
+          @logger.inform("Finished pruning Puppet's CRL")
+          return 0
+        end
+        def prune_CRLs(crl_list)
+          crl_list.each do |crl|
+            existed_serial_number = Set.new()
+            revoked_list = crl.revoked
+            @logger.debug("Pruning duplicate entries in CRL for issuer " \
+              "#{crl.issuer.to_s(OpenSSL::X509::Name::RFC2253)}") if @logger.debug?
+            revoked_list.delete_if do |revoked|
+              if existed_serial_number.add?(revoked.serial)
+                false
+              else
+                @logger.debug("Removing duplicate of #{revoked.serial}, " \
+                  "revoked on #{revoked.time}\n") if @logger.debug?
+                true
+              end
+            end
+            crl.revoked=(revoked_list)
+          end
+        end
+        def update_pruned_CRL(crl_list, pkey)
+          crl_list.each do |crl|
+            crl.version=(crl.version + 1)
+            crl.sign(pkey, OpenSSL::Digest::SHA256.new)
+          end
+        end
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to the puppet.conf file on disk') do |conf|
+              parsed['config'] = conf
+            end
+          end
+        end
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+          errors = CliParsing.parse_with_errors(parser, args)
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+          if errors_were_handled
+            exit_code = 1
+          else
+            exit_code = nil
+          end
+          return results, exit_code
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/cli.rb CHANGED Viewed

@@ -8,6 +8,7 @@ require 'puppetserver/ca/action/list'
 require 'puppetserver/ca/action/revoke'
 require 'puppetserver/ca/action/setup'
 require 'puppetserver/ca/action/sign'
+require 'puppetserver/ca/action/prune'
 require 'puppetserver/ca/action/migrate'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/logger'
@@ -25,11 +26,12 @@ Manage the Private Key Infrastructure for
 Puppet Server's built-in Certificate Authority
 BANNER
-      INIT_ACTIONS = {
+      ADMIN_ACTIONS = {
         'import'   => Action::Import,
         'setup'    => Action::Setup,
-        'enable' => Action::Enable,
-        'migrate' => Action::Migrate,
+        'enable'   => Action::Enable,
+        'migrate'  => Action::Migrate,
+        'prune'    => Action::Prune
       }
       MAINT_ACTIONS = {
@@ -40,15 +42,15 @@ BANNER
         'sign'     => Action::Sign
       }
-      VALID_ACTIONS = INIT_ACTIONS.merge(MAINT_ACTIONS).sort.to_h
+      VALID_ACTIONS = ADMIN_ACTIONS.merge(MAINT_ACTIONS).sort.to_h
       ACTION_LIST = "\nAvailable Actions:\n\n" +
         "  Certificate Actions (requires a running Puppet Server):\n\n" +
         MAINT_ACTIONS.map do |action, cls|
           "    #{action}\t#{cls::SUMMARY}"
         end.join("\n") + "\n\n" +
-        "  Initialization Actions (requires Puppet Server to be stopped):\n\n" +
-        INIT_ACTIONS.map do |action, cls|
+        "  Administrative Actions (requires Puppet Server to be stopped):\n\n" +
+        ADMIN_ACTIONS.map do |action, cls|
           "    #{action}\t#{cls::SUMMARY}"
         end.join("\n")

data/lib/puppetserver/ca/logger.rb CHANGED Viewed

@@ -17,8 +17,12 @@ module Puppetserver
         @level
       end
+      def debug?
+        return @level >= LEVELS[:debug]
+      end
       def debug(text)
-        if @level >= LEVELS[:debug]
+        if debug?
           @out.puts(text)
         end
       end

data/lib/puppetserver/ca/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "2.2.0"
+    VERSION = "2.3.0"
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.3.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-07-06 00:00:00.000000000 Z
+date: 2021-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -100,6 +100,7 @@ files:
 - lib/puppetserver/ca/action/import.rb
 - lib/puppetserver/ca/action/list.rb
 - lib/puppetserver/ca/action/migrate.rb
+- lib/puppetserver/ca/action/prune.rb
 - lib/puppetserver/ca/action/revoke.rb
 - lib/puppetserver/ca/action/setup.rb
 - lib/puppetserver/ca/action/sign.rb