puppetserver-ca 0.5.0 → 0.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2f958c8e39c9f5a84c417138710b43c09d088189
-  data.tar.gz: 33f332146f6f3c3318dbfe7cc786205d74a3a021
+  metadata.gz: 0dd41110cba4e9687ea841124cf513084d141a49
+  data.tar.gz: 49dc042190dee2e2d34012c6453a3d36cea1209b
 SHA512:
-  metadata.gz: 77847b302859de89a4566dff4d4230e049c488f09baeca6b1b9ec86b68c68803942dfb6c187b37b5f9eb80a2ee531f62fe5fd0f4877ffd820cba10ecd672c0a5
-  data.tar.gz: 3234826e83a9a397216cf1133c80572e5ad3f4d8f06f4c0fc5189f1eac048d08e82814be8e54e4bc8008962fbd28c5780406952a64d03ba349aeb7fd90141c63
+  metadata.gz: c4c1b41ff1f497680000ac46f214352555c6c017a8bca2eca6ca193a2abcd06dc72cb945f6331001fe337f61393c89db5c685bfd8bfc9454981ff8976f0c897f
+  data.tar.gz: aceb6b70657912c7b4dc3bcc3b30417c5e89aa9ee0369925ab0d9b9342fb26951aa555f4d88ae923e6541dadfe436752a01ab2288bf7fc603a424e62d979f870

data/lib/puppetserver/ca/action/create.rb

@@ -153,7 +153,10 @@ BANNER
           private_key = host.create_private_key(settings[:keylength])
           extensions = []
           if !settings[:subject_alt_names].empty?
-            extensions << OpenSSL::X509::Extension.new("subjectAltName", settings[:subject_alt_names], false)
+            ef = OpenSSL::X509::ExtensionFactory.new
+            extensions << ef.create_extension("subjectAltName",
+                                              settings[:subject_alt_names],
+                                              false)
           end
           csr = host.create_csr(name: certname,
                                 key: private_key,

data/lib/puppetserver/ca/action/generate.rb

@@ -106,7 +106,14 @@ BANNER
             [settings[:cakey], int_key],
           ]
 
-          errors = FileSystem.check_for_existing_files(public_files.map(&:first) + private_files.map(&:first))
+          files_to_check = public_files + private_files
+          # We don't want to error if master's keys exist. Certain workflows
+          # allow the agent to have already be installed with keys and then
+          # upgraded to be a master. The host class will honor keys, if both
+          # public and private exist, and error if only one exists - as is
+          # previous behavior.
+          files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
+          errors = FileSystem.check_for_existing_files(files_to_check)
 
           if !errors.empty?
             instructions = <<-ERR

data/lib/puppetserver/ca/action/import.rb

@@ -100,7 +100,14 @@ BANNER
             [settings[:cakey], loader.key],
           ]
 
-          errors = FileSystem.check_for_existing_files(public_files.map(&:first) + private_files.map(&:first))
+          files_to_check = public_files + private_files
+          # We don't want to error if master's keys exist. Certain workflows
+          # allow the agent to have already be installed with keys and then
+          # upgraded to be a master. The host class will honor keys, if both
+          # public and private exist, and error if only one exists - as is
+          # previous behavior.
+          files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
+          errors = FileSystem.check_for_existing_files(files_to_check)
 
           if !errors.empty?
             instructions = <<-ERR

data/lib/puppetserver/ca/config/puppet.rb

@@ -162,6 +162,7 @@ module Puppetserver
           settings[:ca_ttl] = munge_ttl_setting(settings[:ca_ttl])
           settings[:certificate_revocation] = parse_crl_usage(settings[:certificate_revocation])
           settings[:subject_alt_names] = munge_alt_names(settings[:subject_alt_names])
+          settings[:keylength] = settings[:keylength].to_i
 
           settings.each do |key, value|
             next unless value.is_a? String

data/lib/puppetserver/ca/host.rb

@@ -57,8 +57,22 @@ module Puppetserver
         @errors = []
       end
 
-      def create_private_key(keylength)
-        OpenSSL::PKey::RSA.new(keylength)
+      # If both the private and public keys exist for a master then we want
+      # to honor them here, if only one key exists we want to surface an error,
+      # and if neither exist we generate a new key. This logic is necessary for
+      # proper bootstrapping for certain master workflows.
+      def create_private_key(keylength, private_path = '', public_path = '')
+        if File.exists?(private_path) && File.exists?(public_path)
+          return OpenSSL::PKey.read(File.read(private_path))
+        elsif !File.exists?(private_path) && !File.exists?(public_path)
+          return OpenSSL::PKey::RSA.new(keylength)
+        elsif !File.exists?(private_path) && File.exists?(public_path)
+          @errors << "Missing private key to match public key at #{public_path}"
+          return nil
+        elsif File.exists?(private_path) && !File.exists?(public_path)
+          @errors << "Missing public key to match private key at #{private_path}"
+          return nil
+        end
       end
 
       def create_csr(name:, key:, cli_extensions: [], csr_attributes_path: '')

data/lib/puppetserver/ca/local_certificate_authority.rb

@@ -67,9 +67,15 @@ module Puppetserver
       end
 
       def create_master_cert(ca_key, ca_cert)
-        master_key = @host.create_private_key(@settings[:keylength])
-        master_csr = @host.create_csr(name: @settings[:certname], key: master_key)
-        master_cert = sign_master_cert(ca_key, ca_cert, master_csr)
+        master_cert = nil
+        master_key = @host.create_private_key(@settings[:keylength],
+                                              @settings[:hostprivkey],
+                                              @settings[:hostpubkey])
+        if master_key
+          master_csr = @host.create_csr(name: @settings[:certname], key: master_key)
+          master_cert = sign_master_cert(ca_key, ca_cert, master_csr)
+        end
+
         return master_key, master_cert
       end
 

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "0.5.0"
+    VERSION = "0.5.1"
   end
 end

data/puppetserver-ca.gemspec

@@ -16,8 +16,6 @@ Gem::Specification.new do |spec|
   spec.files         = `git ls-files -z`.split("\x0").reject do |f|
     f.match(%r{^(test|spec|features)/})
   end
-  spec.bindir        = "exe"
-  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
   spec.add_runtime_dependency "facter", [">= 2.0.1", "< 4"]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.5.1
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
-bindir: exe
+bindir: bin
 cert_chain: []
-date: 2018-08-31 00:00:00.000000000 Z
+date: 2018-09-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -75,8 +75,7 @@ dependencies:
 description: 
 email:
 - release@puppet.com
-executables:
-- puppetserver-ca
+executables: []
 extensions: []
 extra_rdoc_files: []
 files: