puppetserver-ca 2.2.0 → 2.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 92fe6ca44899e2b5aeec75304212ff99b5e4530cbed2e0b451ad2dd77e2bf09a
-  data.tar.gz: c46bc437a85f0a52fde2d3b2b51bda909ad179c1997056810b397d4b27ae4867
+  metadata.gz: 145cb62d733040dca7ad410a86146e0a0c82c29746a2c7de392004ad98737ed5
+  data.tar.gz: bd0db987a4af957208395f53134c3d59ab45f3c76d2e5d4205b589b75b1b9873
 SHA512:
-  metadata.gz: 5c7ff17130d558382fa05f5f5bcb537ce9f2bc63a13078d1014783f636fcf0b0c02e604a0d4bf5694a486f67a56dec653430cea0c31eb911b7c15c9ea4e7f59d
-  data.tar.gz: 3ad80f74f02aac6a0dab1601cf54aad14756e0b1c0e2e0a30075d1eeafedff03b4546bc7c0cb7bc6dc6197b71abdb9f74816cd4596050b39e6c0f47ca47baf45
+  metadata.gz: d5ec57e3cfd1d2947521b50a2923892452f25c4ae43c0daa45e9a0ba17ebd969431933f17d71866ff8e9e15bcdeb633c754084c618ea8bd2b1891ae0438751a5
+  data.tar.gz: ebfc68d10303eea0d66b61a636b069986e6f4d65e1af4a222bfea5d74a45951edb2d6f01192f4d0bafdbe3392e80a356074c334212651d2489e5d2dae0e8120b

data/README.md

@@ -55,6 +55,11 @@ To create a new keypair and certificate for a certname:
 puppetserver ca generate --certname foo.example.com
 ```
 
+To remove duplicated entries from Puppet's CRL:
+```
+puppetserver ca prune
+```
+
 To enable verbose mode:
 ```
 puppetserver ca --verbose <action>

data/lib/puppetserver/ca/action/list.rb

@@ -62,6 +62,7 @@ Options:
           certnames = input['certname'] || []
           all = input['all']
           output_format = input['format'] || "text"
+          missing = []
 
           unless VALID_FORMAT.include?(output_format)
             Errors.handle_with_usage(@logger, ["Unknown format flag '#{output_format}'. Valid formats are '#{VALID_FORMAT.join("', '")}'."])
@@ -87,14 +88,14 @@ Options:
             filter_names = lambda { |x| true }
           end
 
-          all_certs = get_all_certs(puppet.settings).select { |cert| filter_names.call(cert) }
-          requested, signed, revoked = separate_certs(all_certs)
-          missing = certnames - all_certs.map { |cert| cert['name'] }
-
           if (all || certnames.any?)
+            all_certs = get_certs_or_csrs(puppet.settings).select { |cert| filter_names.call(cert) }
+            requested, signed, revoked = separate_certs(all_certs)
+            missing = certnames - all_certs.map { |cert| cert['name'] }
             output_certs_by_state(all, output_format, requested, signed, revoked, missing)
           else
-            output_certs_by_state(all, output_format, requested)
+            all_csrs = get_certs_or_csrs(puppet.settings, "requested")
+            output_certs_by_state(all, output_format, all_csrs)
           end
 
           return missing.any? ? 1 : 0
@@ -209,8 +210,9 @@ Options:
           return requested, signed, revoked
         end
 
-        def get_all_certs(settings)
-          result = Puppetserver::Ca::CertificateAuthority.new(@logger, settings).get_certificate_statuses
+        def get_certs_or_csrs(settings, queried_state = nil)
+          query = queried_state ? { :state => queried_state } : {}
+          result = Puppetserver::Ca::CertificateAuthority.new(@logger, settings).get_certificate_statuses(query)
 
           if result
             return JSON.parse(result.body)

data/lib/puppetserver/ca/action/prune.rb

@@ -0,0 +1,136 @@
+require 'optparse'
+require 'openssl'
+require 'puppetserver/ca/errors'
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/config'
+require 'puppetserver/ca/x509_loader'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Prune
+        include Puppetserver::Ca::Utils
+
+        SUMMARY = "Prune the local CRL on disk to remove any duplicated certificates"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca prune [--help]
+  puppetserver ca prune [--config]
+
+Description:
+  Prune the list of revoked certificates of any duplication within it.  This command
+  will only prune the CRL issued by Puppet's CA cert.
+
+Options:
+BANNER
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(inputs)
+          config_path = inputs['config']
+          exit_code = 0
+
+          # Validate the config path.
+          if config_path
+            errors = FileSystem.validate_file_paths(config_path)
+            return 1 if Errors.handle_with_usage(@logger, errors)
+          end
+
+          # Validate puppet config setting.
+          puppet = Config::Puppet.new(config_path)
+          puppet.load(logger: @logger)
+          return 1 if Errors.handle_with_usage(@logger, puppet.errors)
+
+          # Validate that we are offline
+          return 1 if HttpClient.check_server_online(puppet.settings, @logger)
+
+          # Getting the CRL(s)
+          loader = X509Loader.new(puppet.settings[:cacert], puppet.settings[:cakey], puppet.settings[:cacrl])
+
+          verified_crls = loader.crls.select { |crl| crl.verify(loader.key) }
+
+          if verified_crls.length == 1
+            puppet_crl = verified_crls.first
+            @logger.inform("Total number of certificates found in Puppet's CRL is: #{puppet_crl.revoked.length}.")
+            number_of_removed_duplicates = prune_CRL(puppet_crl)
+
+            if number_of_removed_duplicates > 0
+              update_pruned_CRL(puppet_crl, loader.key)
+              FileSystem.write_file(puppet.settings[:cacrl], loader.crls, 0644)
+              @logger.inform("Removed #{number_of_removed_duplicates} duplicated certs from Puppet's CRL.")
+            else
+              @logger.inform("No duplicate revocations found in the CRL.")
+            end
+          else
+            @logger.err("Could not identify Puppet's CRL. Aborting prune action.")
+            exit_code = 1
+          end
+
+          return exit_code
+        end
+
+        def prune_CRL(crl)
+          number_of_removed_duplicates = 0
+
+          existed_serial_number = Set.new()
+          revoked_list = crl.revoked
+          @logger.debug("Pruning duplicate entries in CRL for issuer " \
+            "#{crl.issuer.to_s(OpenSSL::X509::Name::RFC2253)}") if @logger.debug?
+
+          revoked_list.delete_if do |revoked|
+            if existed_serial_number.add?(revoked.serial)
+              false
+            else
+              number_of_removed_duplicates += 1
+              @logger.debug("Removing duplicate of #{revoked.serial}, " \
+                "revoked on #{revoked.time}\n") if @logger.debug?
+              true
+            end
+          end
+          crl.revoked=(revoked_list)
+
+          return number_of_removed_duplicates
+        end
+
+        def update_pruned_CRL(crl, pkey)
+          number_ext, other_ext = crl.extensions.partition{ |ext| ext.oid == "crlNumber" }
+          number_ext.each do |crl_number|
+            updated_crl_number = OpenSSL::BN.new(crl_number.value) + OpenSSL::BN.new(1)
+            crl_number.value=(OpenSSL::ASN1::Integer(updated_crl_number))
+          end
+          crl.extensions=(number_ext + other_ext)
+          crl.sign(pkey, OpenSSL::Digest::SHA256.new)
+        end
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to the puppet.conf file on disk') do |conf|
+              parsed['config'] = conf
+            end
+          end
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+          errors = CliParsing.parse_with_errors(parser, args)
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+
+          if errors_were_handled
+            exit_code = 1
+          else
+            exit_code = nil
+          end
+          return results, exit_code
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/certificate_authority.rb

@@ -41,8 +41,8 @@ module Puppetserver
       end
 
       # Returns a URI-like wrapper around CA specific urls
-      def make_ca_url(resource_type = nil, certname = nil)
-        HttpClient::URL.new('https', @ca_server, @ca_port, 'puppet-ca', 'v1', resource_type, certname)
+      def make_ca_url(resource_type = nil, certname = nil, query = {})
+        HttpClient::URL.new('https', @ca_server, @ca_port, 'puppet-ca', 'v1', resource_type, certname, query)
       end
 
       def process_ttl_input(ttl)
@@ -141,7 +141,7 @@ module Puppetserver
         when :revoke
           case result.code
           when '200', '204'
-            @logger.inform "Revoked certificate for #{certname}"
+            @logger.inform "Certificate for #{certname} has been revoked"
             return :success
           when '404'
             @logger.err 'Error:'
@@ -215,7 +215,7 @@ module Puppetserver
       def check_revocation(certname, result)
         case result.code
         when '200', '204'
-          @logger.inform "Revoked certificate for #{certname}"
+          @logger.inform "Certificate for #{certname} has been revoked"
           return :success
         when '409'
           return :invalid
@@ -250,8 +250,8 @@ module Puppetserver
       end
 
       # Returns nil for errors, else the result of the GET request
-      def get_certificate_statuses
-        result = get('certificate_statuses', 'any_key')
+      def get_certificate_statuses(query = {})
+        result = get('certificate_statuses', 'any_key', query)
 
         unless result.code == '200'
           @logger.err 'Error:'
@@ -287,8 +287,8 @@ module Puppetserver
       # @param resource_type [String] the resource type of url
       # @param resource_name [String] the resource name of url
       # @return [Struct] an instance of the Result struct with :code, :body
-      def get(resource_type, resource_name)
-        url = make_ca_url(resource_type, resource_name)
+      def get(resource_type, resource_name, query = {})
+        url = make_ca_url(resource_type, resource_name, query)
         @client.with_connection(url) do |connection|
           connection.get(url)
         end

data/lib/puppetserver/ca/cli.rb

@@ -8,6 +8,7 @@ require 'puppetserver/ca/action/list'
 require 'puppetserver/ca/action/revoke'
 require 'puppetserver/ca/action/setup'
 require 'puppetserver/ca/action/sign'
+require 'puppetserver/ca/action/prune'
 require 'puppetserver/ca/action/migrate'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/logger'
@@ -25,11 +26,12 @@ Manage the Private Key Infrastructure for
 Puppet Server's built-in Certificate Authority
 BANNER
 
-      INIT_ACTIONS = {
+      ADMIN_ACTIONS = {
         'import'   => Action::Import,
         'setup'    => Action::Setup,
-        'enable' => Action::Enable,
-        'migrate' => Action::Migrate,
+        'enable'   => Action::Enable,
+        'migrate'  => Action::Migrate,
+        'prune'    => Action::Prune
       }
 
       MAINT_ACTIONS = {
@@ -40,15 +42,15 @@ BANNER
         'sign'     => Action::Sign
       }
 
-      VALID_ACTIONS = INIT_ACTIONS.merge(MAINT_ACTIONS).sort.to_h
+      VALID_ACTIONS = ADMIN_ACTIONS.merge(MAINT_ACTIONS).sort.to_h
 
       ACTION_LIST = "\nAvailable Actions:\n\n" +
         "  Certificate Actions (requires a running Puppet Server):\n\n" +
         MAINT_ACTIONS.map do |action, cls|
           "    #{action}\t#{cls::SUMMARY}"
         end.join("\n") + "\n\n" +
-        "  Initialization Actions (requires Puppet Server to be stopped):\n\n" +
-        INIT_ACTIONS.map do |action, cls|
+        "  Administrative Actions (requires Puppet Server to be stopped):\n\n" +
+        ADMIN_ACTIONS.map do |action, cls|
           "    #{action}\t#{cls::SUMMARY}"
         end.join("\n")
 

data/lib/puppetserver/ca/logger.rb

@@ -17,8 +17,12 @@ module Puppetserver
         @level
       end
 
+      def debug?
+        return @level >= LEVELS[:debug]
+      end
+
       def debug(text)
-        if @level >= LEVELS[:debug]
+        if debug?
           @out.puts(text)
         end
       end

data/lib/puppetserver/ca/utils/http_client.rb

@@ -1,5 +1,6 @@
 require 'net/https'
 require 'openssl'
+require 'uri'
 
 require 'puppetserver/ca/errors'
 
@@ -114,7 +115,6 @@ module Puppetserver
             request.body = body
             result = @conn.request(request)
 
-
             Result.new(result.code, result.body)
           end
 
@@ -136,10 +136,13 @@ module Puppetserver
         # Like URI, but not... maybe of suspicious value
         URL = Struct.new(:protocol, :host, :port,
                          :endpoint, :version,
-                         :resource_type, :resource_name) do
+                         :resource_type, :resource_name, :query) do
                 def full_url
-                  protocol + '://' + host + ':' + port + '/' +
-                  [endpoint, version, resource_type, resource_name].join('/')
+                  url = protocol + '://' + host + ':' + port + '/' +
+                        [endpoint, version, resource_type, resource_name].join('/')
+
+                  url = url + "?" + URI.encode_www_form(query) unless query.nil? || query.empty?
+                  return url
                 end
 
                 def to_uri

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "2.2.0"
+    VERSION = "2.3.3"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.3.3
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-07-06 00:00:00.000000000 Z
+date: 2021-08-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -100,6 +100,7 @@ files:
 - lib/puppetserver/ca/action/import.rb
 - lib/puppetserver/ca/action/list.rb
 - lib/puppetserver/ca/action/migrate.rb
+- lib/puppetserver/ca/action/prune.rb
 - lib/puppetserver/ca/action/revoke.rb
 - lib/puppetserver/ca/action/setup.rb
 - lib/puppetserver/ca/action/sign.rb