puppetserver-ca 2.3.6 → 2.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 752967f94498efd749219a41bd66937700a3d9118847ab4bdccb3029abe993d9
-  data.tar.gz: 3207d8be773911373ceec30ad9153416ff869060aec1dc9288340bd2bc2bb3d1
+  metadata.gz: 020665126fef9a8fe7bc63652247bf13cf909ab37e2a3336d43724bc63b26d32
+  data.tar.gz: c8d62416aaa1c4ded40daee19907798a13ed6fa3ea123436701adf88b9b497cd
 SHA512:
-  metadata.gz: a60ee59b29cee51967a5a2e56bfd953d04826e09366e83a4246e6ab1f4965e47c41216975cef7e57f37d0506a94a12bcf9d09b78ec9cf13ef94c0377e3ba2292
-  data.tar.gz: 44a29a8098048df7a1d6db75400194c567371ae8bdda5f791872e2db23b58bb7c68d075fd3863f09abbddbc50501cbab4b31fe4910f32384506832a44697bceb
+  metadata.gz: 89f506f4124c95b8b7029043ce46f216b837d3863875077476bfb835cbaf83399734d02dc7bd64ec39234d4d68735e98997ea81a724146ccef7b540e02d59849
+  data.tar.gz: 33b9fa7893650441e456e39edda8d5d4532bcd52fe42f0832769eafad982655d2eb26357b51080a90d1da313b4a69d02f01119ae9dc1e4af645641664e9f8699

data/.github/workflows/mend.yaml

@@ -0,0 +1,37 @@
+name: mend_scan
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - name: checkout repo content
+      uses: actions/checkout@v2 # checkout the repository content to github runner.
+      with:
+        fetch-depth: 1
+    - name: setup ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.7
+    - name: create lock
+      run: bundle lock
+    # install java
+    - uses: actions/setup-java@v3
+      with:
+        distribution: 'temurin' # See 'Supported distributions' for available options
+        java-version: '17'
+    # download mend
+    - name: download_mend
+      run: curl -o wss-unified-agent.jar https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
+    - name: run mend
+      run: java -jar wss-unified-agent.jar
+      env:
+        WS_APIKEY: ${{ secrets.MEND_API_KEY }}
+        WS_WSS_URL: https://saas-eu.whitesourcesoftware.com/agent
+        WS_USERKEY: ${{ secrets.MEND_TOKEN }}
+        WS_PRODUCTNAME: Puppet Enterprise
+        WS_PROJECTNAME:  ${{ github.event.repository.name }}

data/lib/puppetserver/ca/action/delete.rb

@@ -0,0 +1,286 @@
+require 'openssl'
+require 'optparse'
+require 'time'
+require 'puppetserver/ca/certificate_authority'
+require 'puppetserver/ca/config/puppet'
+require 'puppetserver/ca/errors'
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/inventory'
+require 'puppetserver/ca/x509_loader'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Delete
+        include Puppetserver::Ca::Utils
+
+        CERTNAME_BLOCKLIST = %w{--config --expired --revoked --all}
+
+        SUMMARY = 'Delete signed certificate(s) from disk'
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca delete [--help]
+  puppetserver ca delete [--config CONF] [--expired] [--revoked]
+                         [--certname NAME[,NAME]] [--all]
+
+Description:
+  Deletes signed certificates from disk. Once a certificate is
+  signed and delivered to a node, it no longer necessarily needs
+  to be stored on disk.
+
+Options:
+BANNER
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+            opts.on('--expired', 'Delete expired signed certificates') do |expired|
+              parsed['expired'] = true
+            end
+            opts.on('--revoked', 'Delete signed certificates that have already been revoked') do |revoked|
+              parsed['revoked'] = true
+            end
+            opts.on('--certname NAME[,NAME]', Array,
+              'One or more comma-separated certnames for which to delete signed certificates') do |certs|
+              parsed['certname'] = [certs].flatten
+            end
+            opts.on('--all', 'Delete all signed certificates on disk') do |all|
+              parsed['all'] = true
+            end
+          end
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+
+          errors = CliParsing.parse_with_errors(parser, args)
+
+          if results['certname']
+            results['certname'].each do |certname|
+              if CERTNAME_BLOCKLIST.include?(certname)
+                errors << "    Cannot manage cert named `#{certname}` from "+
+                          "the CLI. If needed, use the HTTP API directly."
+              end
+            end
+          end
+
+          unless results['help'] || results['expired'] || results['revoked'] || results['certname'] || results['all']
+            errors << '  Must pass one of the valid flags to determine which certs to delete'
+          end
+
+          if results['all'] && (results['expired'] || results['revoked'] || results['certname'])
+            errors << '  The --all flag must not be used with --expired, --revoked, or --certname'
+          end
+
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+
+          exit_code = errors_were_handled ? 1 : nil
+          return results, exit_code
+        end
+
+        def run(args)
+          config = args['config']
+
+          # Validate the config path
+          if config
+            errors = FileSystem.validate_file_paths(config)
+            return 1 if Errors.handle_with_usage(@logger, errors)
+          end
+
+          # Validate puppet config setting
+          puppet = Config::Puppet.parse(config, @logger)
+          settings = puppet.settings
+          return 1 if Errors.handle_with_usage(@logger, puppet.errors)
+
+          # Validate that we are offline
+          return 1 if HttpClient.check_server_online(settings, @logger)
+
+          # Perform the desired action, keeping track if any errors occurred
+          errored = false
+          deleted_count = 0
+          cadir = settings[:cadir]
+          inventory_file_path = File.join(cadir, 'inventory.txt')
+
+          # Because --revoke has a potentially fatal error it can throw,
+          # process it first.
+          if args['revoked']
+            loader = X509Loader.new(settings[:cacert], settings[:cakey], settings[:cacrl])
+            verified_crls = loader.crls.select { |crl| crl.verify(loader.key) }
+            unless verified_crls.length == 1
+              @logger.err("Could not identify Puppet's CRL. Aborting delete action.")
+              return 1
+            end
+            crl = verified_crls.first
+
+            # First, search the inventory for the revoked serial. 
+            # If it matches the current serial for the cert, delete the cert.
+            # If it is an old serial for the certname, verify the file on disk
+            #   is not the serial that was revoked, and then ignore it. If the
+            #   file on disk does match that serial, delete it.
+            # If it isn't in the inventory, fall back to searching every cert on
+            #   disk for the given serial.
+            inventory, err = Inventory.parse_inventory_file(inventory_file_path, @logger)
+            revoked_serials = crl.revoked.map { |r| r.serial.to_i }
+            to_delete = []
+            revoked_serials.each do |revoked_serial|
+              current_serial = inventory.find { |k,v| v[:serial] == revoked_serial }
+              old_serial = inventory.find { |k,v| v[:old_serials].include?(revoked_serial) }
+              if current_serial
+                @logger.debug("#{revoked_serial} is the current serial for #{current_serial.first}")
+                to_delete << current_serial.first
+              elsif old_serial
+                @logger.debug("#{revoked_serial} appears to be an old serial for #{old_serial.first}. Verifying cert on disk is not the revoked serial.")
+                begin
+                  serial = get_cert_serial("#{cadir}/signed/#{old_serial.first}.pem")
+                  # This should never happen unless someone has messed with
+                  # the inventory.txt file or replaced the cert on disk with
+                  # an old one.
+                  to_delete << old_serial.first if serial == revoked_serial
+                rescue Exception => e
+                  @logger.err("Error reading serial from certificate for #{old_serial.first} with exception #{e}")
+                  errored = true
+                end
+              else
+                @logger.debug("Could not find #{revoked_serial} in inventory.txt. Searching certs on disk for this serial.")
+                begin
+                  certname = find_cert_with_serial(cadir, revoked_serial)
+                  if certname
+                    to_delete << certname
+                  else
+                    @logger.err("Could not find serial #{revoked_serial} in inventory.txt or in any certificate file currently on disk.")
+                    errored = true
+                  end
+                rescue Exception => e
+                  @logger.err("Error reading serial from certificates when trying to find certificate with serial #{revoked_serial} with exception #{e}")
+                  errored = true
+                end
+              end
+            end
+            # Because the CRL will likely contain certs that no longer exist on disk,
+            # don't show an error if we can't find the file.
+            count, err = delete_certs(cadir, to_delete, false)
+            errored ||= err
+            deleted_count += count
+          end
+
+          if args['expired']
+            # Delete expired certs found in inventory first since this is cheaper.
+            # Then, look for any certs not in the inventory, check if they
+            # are expired, then delete those.
+            inventory, err = Inventory.parse_inventory_file(inventory_file_path, @logger)
+            errored ||= err
+            expired_in_inventory = inventory.select { |k,v| v[:not_after] < Time.now }.map(&:first)
+            # Don't print errors if the cert is not found, since the inventory
+            # file can contain old entries that have already been deleted.
+            count, err = delete_certs(cadir, expired_in_inventory, false)
+            deleted_count += count
+            errored ||= err
+            other_certs_to_check = find_certs_not_in_inventory(cadir, inventory.map(&:first))
+            count, err = delete_expired_certs(cadir, other_certs_to_check)
+            deleted_count += count
+            errored ||= err
+          end
+
+          if args['certname']
+            count, errored = delete_certs(cadir, args['certname'])
+            deleted_count += count
+          end
+
+          if args['all']
+            certnames = Dir.glob("#{cadir}/signed/*.pem").map{ |c| File.basename(c, '.pem') }
+            # Since we don't run this with any other flags, we can set these variables directly
+            deleted_count, errored = delete_certs(cadir, certnames)
+          end
+
+          plural = deleted_count == 1 ? "" : "s"
+          @logger.inform("#{deleted_count} certificate#{plural} deleted.")
+          # If encountered non-fatal errors (an invalid entry in inventory.txt, cert not existing on disk)
+          # return 24. Returning 1 should be for fatal errors where we could not do any part of the action.
+          return errored ? 24 : 0
+        end
+
+        def find_certs_not_in_inventory(cadir, inventory_certnames)
+          all_cert_files = Dir.glob("#{cadir}/signed/*.pem").map { |f| File.basename(f, '.pem') }
+          all_cert_files - inventory_certnames
+        end
+
+        def delete_certs(cadir, certnames, error_on_not_found = true)
+          deleted = 0
+          errored = false
+          certnames.each do |cert|
+            path = "#{cadir}/signed/#{cert}.pem"
+            if File.exist?(path)
+              @logger.inform("Deleting certificate at #{path}")
+              File.delete(path)
+              deleted += 1
+            else
+              if error_on_not_found
+                @logger.err("Could not find certificate file at #{path}")
+                errored = true
+              end
+            end
+          end
+          [deleted, errored]
+        end
+
+        def delete_expired_certs(cadir, certnames)
+          deleted = 0
+          errored = false
+          files = certnames.map { |c| "#{cadir}/signed/#{c}.pem" }
+          files.each do |f|
+            # Shouldn't really be possible since we look for certs on disk
+            # before calling this function, but just in case.
+            unless File.exist?(f)
+              @logger.err("Could not find certificate file at #{f}")
+              errored = true
+              next
+            end
+            begin
+              cert = OpenSSL::X509::Certificate.new(File.read(f))
+            rescue OpenSSL::X509::CertificateError
+              @logger.err("Error reading certificate at #{f}")
+              errored = true
+              next
+            end
+            if cert.not_after < Time.now
+              @logger.inform("Deleting certificate at #{f}")
+              File.delete(f)
+              deleted += 1
+            end
+          end
+          [deleted, errored]
+        end
+
+        def get_cert_serial(file)
+          cert = OpenSSL::X509::Certificate.new(File.read(file))
+          cert.serial.to_i
+        end
+
+        def find_cert_with_serial(cadir, serial)
+          files = Dir.glob("#{cadir}/signed/*.pem")
+          files.each do |f|
+            begin
+              s = get_cert_serial(f)
+              return File.basename(f, '.pem') if s == serial # Remove .pem
+            rescue Exception => e
+              @logger.debug("Error reading certificate at #{f} with exception #{e}. Skipping this file.")
+            end
+          end
+          return nil
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/action/prune.rb

@@ -6,6 +6,7 @@ require 'puppetserver/ca/utils/cli_parsing'
 require 'puppetserver/ca/utils/file_system'
 require 'puppetserver/ca/utils/config'
 require 'puppetserver/ca/x509_loader'
+require 'puppetserver/ca/config/puppet'
 
 module Puppetserver
   module Ca
@@ -13,15 +14,22 @@ module Puppetserver
       class Prune
         include Puppetserver::Ca::Utils
 
-        SUMMARY = "Prune the local CRL on disk to remove any duplicated certificates"
+        SUMMARY = "Prune the local CRL on disk to remove certificate entries"
         BANNER = <<-BANNER
 Usage:
   puppetserver ca prune [--help]
   puppetserver ca prune [--config]
+  puppetserver ca prune [--config] [--remove-duplicates]
+  puppetserver ca prune [--config] [--remove-expired]
+  puppetserver ca prune [--config] [--remove-entries] [--serial NUMBER[,NUMBER]] [--certname NAME[,NAME]]
 
 Description:
-  Prune the list of revoked certificates of any duplication within it.  This command
-  will only prune the CRL issued by Puppet's CA cert.
+  Prune the list of revoked certificates. If no options are provided or
+  --remove-duplicates is specified, prune CRL of any duplicate entries.
+  If --remove-expired is specified, remove expired entries from CRL.
+  If --remove-entries is specified, remove matching entries provided by
+  --serial and/or --certname values. This command will only prune the CRL
+  issued by Puppet's CA cert.
 
 Options:
 BANNER
@@ -32,6 +40,11 @@ BANNER
 
         def run(inputs)
           config_path = inputs['config']
+          remove_duplicates = inputs['remove-duplicates']
+          remove_expired = inputs['remove-expired']
+          remove_entries = inputs['remove-entries']
+          serialnumbers = inputs['serial']
+          certnames = inputs['certname']
           exit_code = 0
 
           # Validate the config path.
@@ -45,31 +58,57 @@ BANNER
           puppet.load(logger: @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
+          # Validate arguments
+          if (remove_entries && (!serialnumbers && !certnames))
+            return 1 if Errors.handle_with_usage(@logger,["--remove-entries option require --serial or --certname values"])
+          end
+
           # Validate that we are offline
           return 1 if HttpClient.check_server_online(puppet.settings, @logger)
 
           # Getting the CRL(s)
           loader = X509Loader.new(puppet.settings[:cacert], puppet.settings[:cakey], puppet.settings[:cacrl])
+          inventory_file = puppet.settings[:cert_inventory]
+          cadir = puppet.settings[:cadir]
 
           verified_crls = loader.crls.select { |crl| crl.verify(loader.key) }
+          number_of_removed_duplicates = 0
+          number_of_removed_crl_entries = 0
 
           if verified_crls.length == 1
             puppet_crl = verified_crls.first
             @logger.inform("Total number of certificates found in Puppet's CRL is: #{puppet_crl.revoked.length}.")
-            number_of_removed_duplicates = prune_CRL(puppet_crl)
 
-            if number_of_removed_duplicates > 0
+            if remove_entries
+              if serialnumbers
+                number_of_removed_crl_entries += prune_using_serial(puppet_crl, loader.key, serialnumbers)
+              end
+              if certnames
+                number_of_removed_crl_entries += prune_using_certname(puppet_crl, loader.key, inventory_file, cadir, certnames)
+              end
+            end
+
+            if remove_expired
+              number_of_removed_crl_entries += prune_expired(puppet_crl, loader.key, inventory_file, cadir)
+            end
+
+            if (remove_duplicates || (!remove_entries && !remove_expired))
+               number_of_removed_duplicates += prune_CRL(puppet_crl)
+            end
+
+
+            if (number_of_removed_duplicates > 0 || number_of_removed_crl_entries > 0)
               update_pruned_CRL(puppet_crl, loader.key)
               FileSystem.write_file(puppet.settings[:cacrl], loader.crls, 0644)
-              @logger.inform("Removed #{number_of_removed_duplicates} duplicated certs from Puppet's CRL.")
+              @logger.inform("Removed #{number_of_removed_duplicates} duplicated certs from Puppet's CRL.") if number_of_removed_duplicates > 0
+              @logger.inform("Removed #{number_of_removed_crl_entries} certs from Puppet's CRL.") if number_of_removed_crl_entries > 0
             else
-              @logger.inform("No duplicate revocations found in the CRL.")
+              @logger.inform("No matching revocations found in the CRL for pruning")
             end
           else
             @logger.err("Could not identify Puppet's CRL. Aborting prune action.")
             exit_code = 1
           end
-
           return exit_code
         end
 
@@ -106,6 +145,89 @@ BANNER
           crl.sign(pkey, OpenSSL::Digest::SHA256.new)
         end
 
+        def prune_using_serial(crl, key, serialnumbers)
+          removed_serials = []
+          revoked_list = crl.revoked
+          @logger.debug("Removing entries in CRL for issuer " \
+            "#{crl.issuer.to_s(OpenSSL::X509::Name::RFC2253)}") if @logger.debug?
+          serialnumbers.each do |serial|
+            if serial.match(/^(?:0[xX])?[A-Fa-f0-9]+$/)
+              revoked_list.delete_if do |revoked|
+                if revoked.serial == OpenSSL::BN.new(serial.hex)
+                  removed_serials.push(serial)
+                  true
+                end
+              end
+            end
+          end
+          crl.revoked = (revoked_list)
+          @logger.debug("Removed these CRL entries : #{removed_serials}") if @logger.debug?
+          return removed_serials.length
+        end
+
+        def prune_using_certname(crl, key, inventory_file, cadir, certnames)
+          serialnumbers = []
+          @logger.debug("Checking inventory file #{inventory_file} for matching cert names") if @logger.debug?
+          errors = FileSystem.validate_file_paths(inventory_file)
+          if errors.empty?
+            File.open(inventory_file).each_line do |line|
+              certnames.each do |certname|
+                if line.match(/\/CN=#{certname}$/) && line.split.length == 4
+                  serialnumbers.push(line.split.first)
+                  certnames.delete(certname)
+                end
+              end
+            end
+          else
+            @logger.warn "Reading inventory file at #{inventory_file} failed with error #{errors}"
+          end
+          if certnames
+            @logger.debug("Checking CA dir #{cadir} for matching cert names")
+            certnames.each do |certname|
+              cert_file = "#{cadir}/signed/#{certname}.pem"
+              if File.file?(cert_file)
+                raw = File.read(cert_file)
+                certificate = OpenSSL::X509::Certificate.new(raw)
+                serial = certificate.serial
+                serialnumbers.push(serial.to_s(16))
+              end
+            end
+            prune_using_serial(crl, key, serialnumbers)
+          end
+        end
+
+        def prune_expired (crl, key, inventory_file, cadir)
+          serialnumbers = []
+          signed_dir = "#{cadir}/signed"
+          @logger.debug("Checking inventory file #{inventory_file} for expired entries") if @logger.debug?
+          errors = FileSystem.validate_file_paths(inventory_file)
+          if errors.empty?
+            File.open(inventory_file).each_line do |line|
+              if line.match(/\/CN=.*$/) && line.split.length == 4
+                not_after = line.split[2]
+                begin
+                  not_after = Time.parse(line.split[2])
+                  serialnumbers.push(line.split.first) if not_after < Time.now
+                rescue ArgumentError
+                  @logger.warn "Invalid not_after time found in inventory.txt file at #{line}"
+                  next
+                end
+              end
+            end
+          else
+            @logger.warn "Reading inventory file at #{inventory_file} failed with error #{errors}"
+          end
+          @logger.debug("Checking CA dir #{cadir} for expired certs")
+          Dir.foreach(signed_dir) do |filename|
+            if File.extname(filename) == '.pem'
+              raw = File.read("#{signed_dir}/#{filename}")
+              certificate = OpenSSL::X509::Certificate.new(raw)
+              serialnumbers.push(certificate.serial.to_s(16)) if certificate.not_after < Time.now
+            end
+          end
+          prune_using_serial(crl, key, serialnumbers)
+        end
+
         def self.parser(parsed = {})
           OptionParser.new do |opts|
             opts.banner = BANNER
@@ -115,6 +237,21 @@ BANNER
             opts.on('--config CONF', 'Path to the puppet.conf file on disk') do |conf|
               parsed['config'] = conf
             end
+            opts.on('--remove-duplicates', 'Remove duplicate entries from CRL(default)') do |remove_duplicates|
+              parsed['remove-duplicates'] = true
+            end
+            opts.on('--remove-expired', 'Remove expired  entries from CRL') do |remove_expired|
+              parsed['remove-expired'] = true
+            end
+            opts.on('--remove-entries', 'Remove entries from CRL') do |remove_entries|
+              parsed['remove-entries'] = true
+            end
+            opts.on('--serial NUMBER[,NUMBER]', Array, 'Serial numbers(s) in HEX to be removed from CRL') do |serialnumbers|
+              parsed['serial'] = serialnumbers
+            end
+            opts.on('--certname NAME[,NAME]', Array, 'Name(s) of the cert(s) to be removed from CRL') do |certnames|
+              parsed['certname'] = certnames
+            end
           end
         end
 
@@ -134,4 +271,4 @@ BANNER
       end
     end
   end
-end
+end

data/lib/puppetserver/ca/cli.rb

@@ -1,6 +1,7 @@
 require 'optparse'
 
 require 'puppetserver/ca/action/clean'
+require 'puppetserver/ca/action/delete'
 require 'puppetserver/ca/action/generate'
 require 'puppetserver/ca/action/import'
 require 'puppetserver/ca/action/enable'
@@ -27,6 +28,7 @@ Puppet Server's built-in Certificate Authority
 BANNER
 
       ADMIN_ACTIONS = {
+        'delete'   => Action::Delete,
         'import'   => Action::Import,
         'setup'    => Action::Setup,
         'enable'   => Action::Enable,

data/lib/puppetserver/ca/host.rb

@@ -63,14 +63,14 @@ module Puppetserver
       # and if neither exist we generate a new key. This logic is necessary for
       # proper bootstrapping for certain server workflows.
       def create_private_key(keylength, private_path = '', public_path = '')
-        if File.exists?(private_path) && File.exists?(public_path)
+        if File.exist?(private_path) && File.exist?(public_path)
           return OpenSSL::PKey.read(File.read(private_path))
-        elsif !File.exists?(private_path) && !File.exists?(public_path)
+        elsif !File.exist?(private_path) && !File.exist?(public_path)
           return OpenSSL::PKey::RSA.new(keylength)
-        elsif !File.exists?(private_path) && File.exists?(public_path)
+        elsif !File.exist?(private_path) && File.exist?(public_path)
           @errors << "Missing private key to match public key at #{public_path}"
           return nil
-        elsif File.exists?(private_path) && !File.exists?(public_path)
+        elsif File.exist?(private_path) && !File.exist?(public_path)
           @errors << "Missing public key to match private key at #{private_path}"
           return nil
         end

data/lib/puppetserver/ca/utils/inventory.rb

@@ -0,0 +1,84 @@
+require 'time'
+
+module Puppetserver
+  module Ca
+    module Utils
+      module Inventory
+
+        # Note that the inventory file may have multiple entries for the same certname,
+        # so it should only provide the latest cert for the given certname.
+        def self.parse_inventory_file(path, logger)
+          unless File.exist?(path)
+            logger.err("Could not find inventory at #{path}")
+            return [{}, true]
+          end
+          inventory = {}
+          errored = false
+          File.readlines(path).each do |line|
+            # Shouldn't be any blank lines, but skip them if there are
+            next if line.strip.empty?
+            
+            items = line.strip.split
+            if items.count != 4
+              logger.err("Invalid entry found in inventory.txt: #{line}")
+              errored = true
+              next
+            end
+            unless items[0].match(/^(?:0x)?[A-Fa-f0-9]+$/)
+              logger.err("Invalid serial found in inventory.txt line: #{line}")
+              errored = true
+              next
+            end
+            serial = items[0].hex
+            not_before = nil
+            not_after = nil
+            begin
+              not_before = Time.parse(items[1])
+            rescue ArgumentError
+              logger.err("Invalid not_before time found in inventory.txt line: #{line}")
+              errored = true
+              next
+            end
+            begin
+              not_after = Time.parse(items[2])
+            rescue ArgumentError
+              logger.err("Invalid not_after time found in inventory.txt line: #{line}")
+              errored = true
+              next
+            end
+            unless items[3].start_with?('/CN=')
+              logger.err("Invalid certname found in inventory.txt line: #{line}")
+              errored = true
+              next
+            end
+            certname = items[3][4..-1]
+
+            if !inventory.keys.include?(certname) 
+              inventory[certname] = {
+                :serial => serial,
+                :old_serials => [],
+                :not_before => not_before,
+                :not_after => not_after,
+              }
+            else
+              if not_after >= inventory[certname][:not_after]
+                # This is a newer cert than the one we currently have recorded,
+                # so save the previous serial in :old_serials
+                inventory[certname][:old_serials] << inventory[certname][:serial]
+                inventory[certname][:serial] = serial
+                inventory[certname][:not_before] = not_before
+                inventory[certname][:not_after] = not_after
+              else
+                # This somehow is an older cert (shouldn't really be possible as we just append
+                # to the file with each new cert and we are reading it order)
+                inventory[certname][:old_serials] << serial
+              end
+            end
+          end
+          [inventory, errored]
+        end
+      end
+    end
+  end
+end
+

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "2.3.6"
+    VERSION = "2.5.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 2.3.6
+  version: 2.5.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-03-11 00:00:00.000000000 Z
+date: 2023-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -80,6 +80,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/mend.yaml"
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
@@ -95,6 +96,7 @@ files:
 - exe/puppetserver-ca
 - lib/puppetserver/ca.rb
 - lib/puppetserver/ca/action/clean.rb
+- lib/puppetserver/ca/action/delete.rb
 - lib/puppetserver/ca/action/enable.rb
 - lib/puppetserver/ca/action/generate.rb
 - lib/puppetserver/ca/action/import.rb
@@ -117,6 +119,7 @@ files:
 - lib/puppetserver/ca/utils/config.rb
 - lib/puppetserver/ca/utils/file_system.rb
 - lib/puppetserver/ca/utils/http_client.rb
+- lib/puppetserver/ca/utils/inventory.rb
 - lib/puppetserver/ca/utils/signing_digest.rb
 - lib/puppetserver/ca/version.rb
 - lib/puppetserver/ca/x509_loader.rb