puppetserver-ca 2.5.0 → 2.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 020665126fef9a8fe7bc63652247bf13cf909ab37e2a3336d43724bc63b26d32
-  data.tar.gz: c8d62416aaa1c4ded40daee19907798a13ed6fa3ea123436701adf88b9b497cd
+  metadata.gz: f3405b0e0be4f947fcec85824880f6b62fb2630d1993e130e1782960e58b5a80
+  data.tar.gz: 92ae8e4b074c7d12609a79beb4c886a95f3299e44b2b4ff602f8b6acf7b002c2
 SHA512:
-  metadata.gz: 89f506f4124c95b8b7029043ce46f216b837d3863875077476bfb835cbaf83399734d02dc7bd64ec39234d4d68735e98997ea81a724146ccef7b540e02d59849
-  data.tar.gz: 33b9fa7893650441e456e39edda8d5d4532bcd52fe42f0832769eafad982655d2eb26357b51080a90d1da313b4a69d02f01119ae9dc1e4af645641664e9f8699
+  metadata.gz: 82fce6d5d561700df09dc132723a600f2943ca86d19b7a2cbe56b1c25c4ebce170cb4a973ef6a07d0271057587cccbd2185c1a392dba9217b6dd6a8c617ce3df
+  data.tar.gz: 130b8dc609b09c2ab7722459f62febcce52452ea419fa69f4ecb70d059b28428962574206a6bc5600f620f541c4205f86fe9e2eb7381a5bee6bb2e9fa24941b4

data/.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

data/.travis.yml

@@ -8,6 +8,8 @@ rvm:
   - 2.5
   - 2.6
   - 2.7
+  - 3.1
+  - 3.2
 before_install:
    gem install bundler -v 1.16.1 && (gem uninstall -v '>= 2' -i $(rvm gemdir)@global -ax bundler || true)
 script:

data/CODEOWNERS

@@ -1,4 +1,4 @@
 # This will cause the puppetserver-maintainers group to be assigned
 # review of any opened PRs against the branches containing this file.
 
-* @puppetlabs/puppetserver-maintainers
+* @puppetlabs/dumpling @puppetlabs/skeletor 

data/README.md

@@ -101,16 +101,11 @@ To test your changes on a VM:
     ```
 1. To confirm that installation was successful, run `puppetserver ca --help`
 
-### Releasing
-To release a new version, run the [release pipeline](https://jenkins-platform.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_main/), which will bump the version, tag, build, and release the gem.
-
 ## Contributing & Support
 
-Bug reports and feature requests are welcome in JIRA at
-https://tickets.puppetlabs.com/projects/SERVER/issues.
+Bug reports and feature requests are welcome via GitHub issues.
 
-For interactive questions feel free to post to #puppet or #puppet-dev on
-Freenode, or the Puppet Community Slack channel.
+For interactive questions feel free to post to #puppet or #puppet-dev on the Puppet Community Slack channel.
 
 Contributions are welcome at https://github.com/puppetlabs/puppetserver-ca-cli/pulls.
 Contributors should both be sure to read the

data/lib/puppetserver/ca/action/setup.rb

@@ -19,7 +19,7 @@ module Puppetserver
 Usage:
   puppetserver ca setup [--help]
   puppetserver ca setup [--config PATH] [--subject-alt-names NAME[,NAME]]
-                           [--certname NAME] [--ca-name NAME]
+                           [--certname NAME] [--ca-name NAME] [--root-ca-name NAME]
 
 Description:
   Setup a root and intermediate signing CA for Puppet Server
@@ -51,6 +51,7 @@ BANNER
           settings_overrides = {}
           settings_overrides[:certname] = input['certname'] unless input['certname'].empty?
           settings_overrides[:ca_name] = input['ca-name'] unless input['ca-name'].empty?
+          settings_overrides[:root_ca_name] = input['root-ca-name'] unless input['root-ca-name'].empty?
           # Since puppet expects the key to be called 'dns_alt_names', we need to use that here
           # to ensure that the overriding works correctly.
           settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
@@ -153,6 +154,7 @@ ERR
         def self.parser(parsed = {})
           parsed['subject-alt-names'] = ''
           parsed['ca-name'] = ''
+          parsed['root-ca-name'] = ''
           parsed['certname'] = ''
           OptionParser.new do |opts|
             opts.banner = BANNER
@@ -170,6 +172,10 @@ ERR
                     'Common name to use for the CA signing cert') do |name|
               parsed['ca-name'] = name
             end
+            opts.on('--root-ca-name NAME',
+                    'Common name to use for the self-signed Root CA cert') do |name|
+              parsed['root-ca-name'] = name
+            end
             opts.on('--certname NAME',
                     'Common name to use for the server cert') do |name|
               parsed['certname'] = name

data/lib/puppetserver/ca/action/sign.rb

@@ -66,17 +66,33 @@ Options:
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           ca = Puppetserver::Ca::CertificateAuthority.new(@logger, puppet.settings)
+          bulk_sign = ca.server_has_bulk_signing_endpoints
+
+          # Bulk sign endpoints don't allow setting TTL, so
+          # use single signing endpoint if TTL is specified.
+          success = false
+          if input['ttl'] || !bulk_sign
+            if input['all']
+              requested_certnames = get_all_pending_certs(ca)
+              return 1 if requested_certnames.nil?
+              return 24 if requested_certnames.empty?
+            else
+              requested_certnames = input['certname']
+            end
 
-          if input['all']
-            requested_certnames = get_all_pending_certs(ca)
-            return 1 if requested_certnames.nil?
-            return 24 if requested_certnames.empty?
+            success = ca.sign_certs(requested_certnames, input['ttl'])
+            return success ? 0 : 1
           else
-            requested_certnames = input['certname']
+            result = input['all'] ? ca.sign_all : ca.sign_bulk(input['certname'])
+            case result
+            when :success
+              return 0
+            when :no_requests
+              return 24
+            else
+              return 1
+            end
           end
-
-          success = ca.sign_certs(requested_certnames, input['ttl'])
-          return success ? 0 : 1
         end
 
         def get_all_pending_certs(ca)

data/lib/puppetserver/ca/certificate_authority.rb

@@ -19,7 +19,6 @@ module Puppetserver
       }
 
       REVOKE_BODY = JSON.dump({ desired_state: 'revoked' })
-      SIGN_BODY =   JSON.dump({ desired_state: 'signed' })
 
       def initialize(logger, settings)
         @logger = logger
@@ -28,6 +27,15 @@ module Puppetserver
         @ca_port = settings[:ca_port]
       end
 
+      def server_has_bulk_signing_endpoints
+        url = HttpClient::URL.new('https', @ca_server, @ca_port, 'status', 'v1', 'services')
+        result = @client.with_connection(url) do |connection|
+          connection.get(url)
+        end
+        version = process_results(:server_version, nil, result)
+        return version >= Gem::Version.new('8.4.0')
+      end
+
       def worst_result(previous_result, current_result)
         %i{success invalid not_found error}.each do |state|
           if previous_result == state
@@ -61,13 +69,26 @@ module Puppetserver
         end
       end
 
+      def sign_all
+        return post(resource_type: 'sign',
+          resource_name: 'all',
+          body: '{}',
+          type: :sign_all)
+      end
+
+      def sign_bulk(certnames)
+        return post(resource_type: 'sign',
+          body: "{\"certnames\":#{certnames}}",
+          type: :sign_bulk
+        )
+      end
+
       def sign_certs(certnames, ttl=nil)
         results = []
         if ttl
           lifetime = process_ttl_input(ttl)
           return false if lifetime.nil?
-          body = JSON.dump({ desired_state: 'signed',
-                             cert_ttl: lifetime})
+          body = JSON.dump({ desired_state: 'signed', cert_ttl: lifetime})
           results = put(certnames,
             resource_type: 'certificate_status',
             body: body,
@@ -75,7 +96,7 @@ module Puppetserver
         else
           results = put(certnames,
                         resource_type: 'certificate_status',
-                        body: SIGN_BODY,
+                        body: JSON.dump({ desired_state: 'signed' }),
                         type: :sign)
         end
 
@@ -119,6 +140,48 @@ module Puppetserver
         end
       end
 
+      # Make an HTTP POST request to CA
+      # @param endpoint [String] the endpoint to post to for the url
+      # @param body [JSON/String] body of the post request
+      # @param type [Symbol] type of error processing to perform on result
+      # @return [Boolean] whether all requests were successful
+      def post(resource_type:, resource_name: nil, body:, type:, headers: {})
+        url = make_ca_url(resource_type, resource_name)
+        results = @client.with_connection(url) do |connection|
+          result = connection.post(body, url, headers)
+          process_results(type, nil, result)
+        end
+      end
+
+      # Handle the result data from the /sign and /sign/all endpoints
+      def process_bulk_sign_result_data(result)
+        data = JSON.parse(result.body)
+        signed = data.dig('signed') || []
+        no_csr = data.dig('no-csr') || []
+        signing_errors = data.dig('signing-errors') || []
+
+        if !signed.empty?
+          @logger.inform "Successfully signed the following certificate requests:"
+          signed.each { |s| @logger.inform "  #{s}" }
+        end
+
+        @logger.err 'Error:' if !no_csr.empty? || !signing_errors.empty?
+        if !no_csr.empty?
+          @logger.err '    No certificate request found for the following nodes when attempting to sign:'
+          no_csr.each { |s| @logger.err "      #{s}" }
+        end
+        if !signing_errors.empty?
+          @logger.err '    Error encountered when attempting to sign the certificate request for the following nodes:'
+          signing_errors.each { |s| @logger.err "      #{s}" }
+        end
+        if no_csr.empty? && signing_errors.empty?
+          @logger.err 'No waiting certificate requests to sign.' if signed.empty?
+          return signed.empty? ? :no_requests : :success
+        else
+          return :error
+        end
+      end
+
       # logs the action and returns true/false for success
       def process_results(type, certname, result)
         case type
@@ -138,6 +201,50 @@ module Puppetserver
             @logger.err "      body: #{result.body.to_s}" if result.body
             return :error
           end
+        when :sign_all
+          if result.code == '200'
+            if !result.body
+              @logger.err 'Error:'
+              @logger.err '    Response from /sign/all endpoint did not include a body. Unable to verify certificate requests were signed.'
+              return :error
+            end
+            begin
+              return process_bulk_sign_result_data(result)
+            rescue JSON::ParserError
+              @logger.err 'Error:'
+              @logger.err '    Unable to parse the response from the /sign/all endpoint.'
+              @logger.err "      body #{result.body.to_s}"
+              return :error
+            end
+          else
+            @logger.err 'Error:'
+            @logger.err '    When attempting to sign all certificate requests, received:'
+            @logger.err "      code: #{result.code}"
+            @logger.err "      body: #{result.body.to_s}" if result.body
+            return :error
+          end
+        when :sign_bulk
+          if result.code == '200'
+            if !result.body
+              @logger.err 'Error:'
+              @logger.err '    Response from /sign endpoint did not include a body. Unable to verify certificate requests were signed.'
+              return :error
+            end
+            begin
+              return process_bulk_sign_result_data(result)
+            rescue JSON::ParserError
+              @logger.err 'Error:'
+              @logger.err '    Unable to parse the response from the /sign endpoint.'
+              @logger.err "      body #{result.body.to_s}"
+              return :error
+            end
+          else
+            @logger.err 'Error:'
+            @logger.err '    When attempting to sign certificate requests, received:'
+            @logger.err "      code: #{result.code}"
+            @logger.err "      body: #{result.body.to_s}" if result.body
+            return :error
+          end
         when :revoke
           case result.code
           when '200', '204'
@@ -170,6 +277,19 @@ module Puppetserver
             @logger.err "      body: #{result.body.to_s}" if result.body
             return :error
           end
+        when :server_version
+          if result.code == '200' && result.body
+            begin
+              data = JSON.parse(result.body)
+              version_str = data.dig('ca','service_version')
+              return Gem::Version.new(version_str.match('^\d+\.\d+\.\d+')[0])
+            rescue JSON::ParserError, NoMethodError
+              # If we get bad JSON, version_str is nil, or the matcher doesn't match,
+              # fall through to returning a version of 0.
+            end
+          end
+          @logger.debug 'Could not detect server version. Defaulting to legacy signing endpoints.'
+          return Gem::Version.new(0)
         end
       end
 

data/lib/puppetserver/ca/config/puppet.rb

@@ -194,6 +194,9 @@ module Puppetserver
         # class keys/section names but nearly any character values (excluding
         # leading whitespace) up to one of whitespace, opening curly brace, or
         # hash sign (Our concern being to capture filesystem path values).
+        #
+        # ca_root and root_ca_name values may include whitespace
+        #
         # Put values without a section into :main.
         #
         # Return Hash of Symbol section names with Symbol setting keys and
@@ -205,10 +208,15 @@ module Puppetserver
             case line
             when /^\s*\[(\w+)\].*/
               current_section = $1.to_sym
-            when /^\s*(\w+)\s*=\s*([^\s{#]+).*$/
+            when /^\s*(\w+)\s*=\s*(.+?)\s*(?=[{#]|$)/
               # Using a Hash with a default key breaks RSpec expectations.
               res[current_section] ||= {}
-              res[current_section][$1.to_sym] = $2
+              res[current_section][$1.to_sym] =
+                if [:ca_name, :root_ca_name].include?($1.to_sym)
+                  $2
+                else
+                  $2.split(' ')[0]
+                end
             end
           end
 

data/lib/puppetserver/ca/utils/http_client.rb

@@ -10,17 +10,12 @@ module Puppetserver
       # Utilities for doing HTTPS against the CA that wraps Net::HTTP constructs
       class HttpClient
 
-        DEFAULT_HEADERS = {
-          'User-Agent'   => 'PuppetserverCaCli',
-          'Content-Type' => 'application/json',
-          'Accept'       => 'application/json'
-        }
-
         attr_reader :store
 
         # Not all connections require a client cert to be present.
         # For example, when querying the status endpoint.
         def initialize(logger, settings, with_client_cert: true)
+          @default_headers = make_headers(ENV['HOME'])
           @logger = logger
           @store = make_store(settings[:localcacert],
                               settings[:certificate_revocation],
@@ -52,7 +47,7 @@ module Puppetserver
         # The Connection object should have HTTP verbs defined on it that take
         # a body (and optional overrides). Returns whatever the block given returned.
         def with_connection(url, &block)
-          request = ->(conn) { block.call(Connection.new(conn, url, @logger)) }
+          request = ->(conn) { block.call(Connection.new(conn, url, @logger, @default_headers)) }
 
           begin
             Net::HTTP.start(url.host, url.port,
@@ -68,7 +63,22 @@ module Puppetserver
 
         private
 
-       def load_with_errors(path, setting, &block)
+        def make_headers(home)
+          headers = {
+            'User-Agent'   => 'PuppetserverCaCli',
+            'Content-Type' => 'application/json',
+            'Accept'       => 'application/json'
+          }
+
+          token_path = "#{home}/.puppetlabs/token"
+          if File.exist?(token_path)
+            headers['X-Authentication'] = File.read(token_path)
+          end
+
+          headers
+        end
+
+        def load_with_errors(path, setting, &block)
           begin
             content = File.read(path)
             block.call(content)
@@ -81,21 +91,23 @@ module Puppetserver
                     "Could not parse '#{setting}' at '#{path}'.\n" +
                     "  OpenSSL returned: #{e.message}")
           end
-       end
+        end
 
         # Helper class that wraps a Net::HTTP connection, a HttpClient::URL
         # and defines methods named after HTTP verbs that are called on the
         # saved connection, returning a Result.
         class Connection
-          def initialize(net_http_connection, url_struct, logger)
+
+          def initialize(net_http_connection, url_struct, logger, default_headers)
             @conn = net_http_connection
             @url = url_struct
             @logger = logger
+            @default_headers = default_headers
           end
 
-          def get(url_overide = nil, headers = {})
+          def get(url_overide = nil, header_overrides = {})
             url = url_overide || @url
-            headers = DEFAULT_HEADERS.merge(headers)
+            headers = @default_headers.merge(header_overrides)
 
             @logger.debug("Making a GET request at #{url.full_url}")
 
@@ -105,9 +117,9 @@ module Puppetserver
 
           end
 
-          def put(body, url_override = nil, headers = {})
+          def put(body, url_override = nil, header_overrides = {})
             url = url_override || @url
-            headers = DEFAULT_HEADERS.merge(headers)
+            headers = @default_headers.merge(header_overrides)
 
             @logger.debug("Making a PUT request at #{url.full_url}")
 
@@ -118,9 +130,22 @@ module Puppetserver
             Result.new(result.code, result.body)
           end
 
-          def delete(url_override = nil, headers = {})
+          def post(body, url_override = nil, header_overrides = {})
+            url = url_override || @url
+            headers = @default_headers.merge(header_overrides)
+
+            @logger.debug("Making a POST request at #{url.full_url}")
+
+            request = Net::HTTP::Post.new(url.to_uri, headers)
+            request.body = body
+            result = @conn.request(request)
+
+            Result.new(result.code, result.body)
+          end
+
+          def delete(url_override = nil, header_overrides = {})
             url = url_override || @url
-            headers = DEFAULT_HEADERS.merge(headers)
+            headers = @default_headers.merge(header_overrides)
 
             @logger.debug("Making a DELETE request at #{url.full_url}")
 
@@ -139,7 +164,7 @@ module Puppetserver
                          :resource_type, :resource_name, :query) do
                 def full_url
                   url = protocol + '://' + host + ':' + port + '/' +
-                        [endpoint, version, resource_type, resource_name].join('/')
+                        [endpoint, version, resource_type, resource_name].compact.join('/')
 
                   url = url + "?" + URI.encode_www_form(query) unless query.nil? || query.empty?
                   return url

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "2.5.0"
+    VERSION = "2.7.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 2.5.0
+  version: 2.7.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-03-14 00:00:00.000000000 Z
+date: 2024-02-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -80,6 +80,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/dependabot.yml"
 - ".github/workflows/mend.yaml"
 - ".gitignore"
 - ".rspec"
@@ -143,7 +144,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.9
+rubygems_version: 3.4.20
 signing_key: 
 specification_version: 4
 summary: A simple CLI tool for interacting with Puppet Server's Certificate Authority