RubyGems - puppetserver-ca - Versions diffs - 0.5.0 → 0.5.1 - Mend

puppetserver-ca 0.5.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/lib/puppetserver/ca/action/create.rb +4 -1
data/lib/puppetserver/ca/action/generate.rb +8 -1
data/lib/puppetserver/ca/action/import.rb +8 -1
data/lib/puppetserver/ca/config/puppet.rb +1 -0
data/lib/puppetserver/ca/host.rb +16 -2
data/lib/puppetserver/ca/local_certificate_authority.rb +9 -3
data/lib/puppetserver/ca/version.rb +1 -1
data/puppetserver-ca.gemspec +0 -2
metadata +4 -5

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2f958c8e39c9f5a84c417138710b43c09d088189
-  data.tar.gz: 33f332146f6f3c3318dbfe7cc786205d74a3a021
+  metadata.gz: 0dd41110cba4e9687ea841124cf513084d141a49
+  data.tar.gz: 49dc042190dee2e2d34012c6453a3d36cea1209b
 SHA512:
-  metadata.gz: 77847b302859de89a4566dff4d4230e049c488f09baeca6b1b9ec86b68c68803942dfb6c187b37b5f9eb80a2ee531f62fe5fd0f4877ffd820cba10ecd672c0a5
-  data.tar.gz: 3234826e83a9a397216cf1133c80572e5ad3f4d8f06f4c0fc5189f1eac048d08e82814be8e54e4bc8008962fbd28c5780406952a64d03ba349aeb7fd90141c63
+  metadata.gz: c4c1b41ff1f497680000ac46f214352555c6c017a8bca2eca6ca193a2abcd06dc72cb945f6331001fe337f61393c89db5c685bfd8bfc9454981ff8976f0c897f
+  data.tar.gz: aceb6b70657912c7b4dc3bcc3b30417c5e89aa9ee0369925ab0d9b9342fb26951aa555f4d88ae923e6541dadfe436752a01ab2288bf7fc603a424e62d979f870

data/lib/puppetserver/ca/action/create.rb CHANGED

@@ -153,7 +153,10 @@ BANNER
           private_key = host.create_private_key(settings[:keylength])
           extensions = []
           if !settings[:subject_alt_names].empty?
-            extensions << OpenSSL::X509::Extension.new("subjectAltName", settings[:subject_alt_names], false)
+            ef = OpenSSL::X509::ExtensionFactory.new
+            extensions << ef.create_extension("subjectAltName",
+                                              settings[:subject_alt_names],
+                                              false)
           end
           csr = host.create_csr(name: certname,
                                 key: private_key,

data/lib/puppetserver/ca/action/generate.rb CHANGED

@@ -106,7 +106,14 @@ BANNER
             [settings[:cakey], int_key],
           ]
-          errors = FileSystem.check_for_existing_files(public_files.map(&:first) + private_files.map(&:first))
+          files_to_check = public_files + private_files
+          # We don't want to error if master's keys exist. Certain workflows
+          # allow the agent to have already be installed with keys and then
+          # upgraded to be a master. The host class will honor keys, if both
+          # public and private exist, and error if only one exists - as is
+          # previous behavior.
+          files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
+          errors = FileSystem.check_for_existing_files(files_to_check)
           if !errors.empty?
             instructions = <<-ERR

data/lib/puppetserver/ca/action/import.rb CHANGED

@@ -100,7 +100,14 @@ BANNER
             [settings[:cakey], loader.key],
           ]
-          errors = FileSystem.check_for_existing_files(public_files.map(&:first) + private_files.map(&:first))
+          files_to_check = public_files + private_files
+          # We don't want to error if master's keys exist. Certain workflows
+          # allow the agent to have already be installed with keys and then
+          # upgraded to be a master. The host class will honor keys, if both
+          # public and private exist, and error if only one exists - as is
+          # previous behavior.
+          files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
+          errors = FileSystem.check_for_existing_files(files_to_check)
           if !errors.empty?
             instructions = <<-ERR

data/lib/puppetserver/ca/config/puppet.rb CHANGED

@@ -162,6 +162,7 @@ module Puppetserver
           settings[:ca_ttl] = munge_ttl_setting(settings[:ca_ttl])
           settings[:certificate_revocation] = parse_crl_usage(settings[:certificate_revocation])
           settings[:subject_alt_names] = munge_alt_names(settings[:subject_alt_names])
+          settings[:keylength] = settings[:keylength].to_i
           settings.each do |key, value|
             next unless value.is_a? String

data/lib/puppetserver/ca/host.rb CHANGED

@@ -57,8 +57,22 @@ module Puppetserver
         @errors = []
       end
-      def create_private_key(keylength)
-        OpenSSL::PKey::RSA.new(keylength)
+      # If both the private and public keys exist for a master then we want
+      # to honor them here, if only one key exists we want to surface an error,
+      # and if neither exist we generate a new key. This logic is necessary for
+      # proper bootstrapping for certain master workflows.
+      def create_private_key(keylength, private_path = '', public_path = '')
+        if File.exists?(private_path) && File.exists?(public_path)
+          return OpenSSL::PKey.read(File.read(private_path))
+        elsif !File.exists?(private_path) && !File.exists?(public_path)
+          return OpenSSL::PKey::RSA.new(keylength)
+        elsif !File.exists?(private_path) && File.exists?(public_path)
+          @errors << "Missing private key to match public key at #{public_path}"
+          return nil
+        elsif File.exists?(private_path) && !File.exists?(public_path)
+          @errors << "Missing public key to match private key at #{private_path}"
+          return nil
+        end
       end
       def create_csr(name:, key:, cli_extensions: [], csr_attributes_path: '')

data/lib/puppetserver/ca/local_certificate_authority.rb CHANGED

@@ -67,9 +67,15 @@ module Puppetserver
       end
       def create_master_cert(ca_key, ca_cert)
-        master_key = @host.create_private_key(@settings[:keylength])
-        master_csr = @host.create_csr(name: @settings[:certname], key: master_key)
-        master_cert = sign_master_cert(ca_key, ca_cert, master_csr)
+        master_cert = nil
+        master_key = @host.create_private_key(@settings[:keylength],
+                                              @settings[:hostprivkey],
+                                              @settings[:hostpubkey])
+        if master_key
+          master_csr = @host.create_csr(name: @settings[:certname], key: master_key)
+          master_cert = sign_master_cert(ca_key, ca_cert, master_csr)
+        end
         return master_key, master_cert
       end

data/lib/puppetserver/ca/version.rb CHANGED

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "0.5.0"
+    VERSION = "0.5.1"
   end
 end

data/puppetserver-ca.gemspec CHANGED

@@ -16,8 +16,6 @@ Gem::Specification.new do |spec|
   spec.files         = `git ls-files -z`.split("\x0").reject do |f|
     f.match(%r{^(test|spec|features)/})
   end
-  spec.bindir        = "exe"
-  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
   spec.add_runtime_dependency "facter", [">= 2.0.1", "< 4"]

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.5.1
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire:
-bindir: exe
+bindir: bin
 cert_chain: []
-date: 2018-08-31 00:00:00.000000000 Z
+date: 2018-09-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -75,8 +75,7 @@ dependencies:
 description:
 email:
 - release@puppet.com
-executables:
-- puppetserver-ca
+executables: []
 extensions: []
 extra_rdoc_files: []
 files: