puppetserver-ca 1.1.1 → 1.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f9d9c6fbbbdd5256db4b75b2dc5f84d039c7d349
-  data.tar.gz: 041f40524bf0eb4afd478dac9c508ac8ab904272
+  metadata.gz: 8ef4177b1921aaa80d30844823c81a28b3465c65
+  data.tar.gz: e7e494cf9f9f93127cf0b693afeba8cedfcb8659
 SHA512:
-  metadata.gz: 3c7979c8a3e0148349e39a35cef01a75d2c71e0d7b193e1fa5a4647592c6c95f3a21565fcc2ca331e2a1664c2d2c12d3b13757fa99c35ef2fe8bfdb1b5ea60da
-  data.tar.gz: d713bf41103d5debfa8ddffbaa13e28560b20dee9d429e5f46a6c72ab9ce794025b1e304b2d398f665300e5d6537fcb7f90b54e348edf12a75ab2b4b3af26407
+  metadata.gz: 95c956f2395ff96c6e6108d3fb67441052fb7de89581427cdeacee0de73415a46633b5dedc113fa56200e84963e6e3255f84fc58c8cd5676044171673e45f5b2
+  data.tar.gz: 66c067a3f40bc1d5c4c096bf5afb5eda563f8caebd431638a913f3ea26f797ecde05547a18864841755a779426d6003dc00f0d412940e53a643a08c21b0412b3

data/lib/puppetserver/ca/action/generate.rb

@@ -139,6 +139,8 @@ BANNER
 
           # Generate and save certs and associated keys
           if input['ca-client']
+            # Refused to generate certs offfline if the CA service is running
+            return 1 if check_server_online(puppet.settings)
             all_passed = generate_authorized_certs(certnames, alt_names, puppet.settings, signer.digest)
           else
             all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest)
@@ -146,6 +148,31 @@ BANNER
           return all_passed ? 0 : 1
         end
 
+        # Queries the simple status endpoint for the status of the CA service.
+        # Returns true if it receives back a response of "running", and false if
+        # no connection can be made, or a different response is received.
+        def check_server_online(settings)
+          status_url = HttpClient::URL.new('https', settings[:server], settings[:masterport], 'status', 'v1', 'simple', 'ca')
+          begin
+            # Generating certs offline is necessary if the master cert has been destroyed
+            # or compromised. Since querying the status endpoint does not require a client cert, and
+            # we commonly won't have one, don't require one for creating the connection.
+            HttpClient.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
+              result = conn.get
+              if result.body == "running"
+                @logger.err "CA service is running. Please stop it before attempting to generate certs offline."
+                true
+              else
+                false
+              end
+            end
+            true
+          rescue Errno::ECONNREFUSED => e
+            # Couldn't make a connection
+            false
+          end
+        end
+
         # Certs authorized to talk to the CA API need to be signed offline,
         # in order to securely add the special auth extension.
         def generate_authorized_certs(certnames, alt_names, settings, digest)
@@ -199,21 +226,38 @@ BANNER
 
             current_alt_names = process_alt_names(alt_names, certname)
 
-            key, csr = generate_key_csr(certname, settings, digest, current_alt_names)
-            next false unless csr
-            next false unless ca.submit_certificate_request(certname, csr)
-            next false unless ca.sign_certs([certname])
-            if result = ca.get_certificate(certname)
-              next false unless save_file(result.body, certname, settings[:certdir], "Certificate")
-              next false unless save_keys(certname, settings, key)
+            next false unless submit_csr(certname, ca, settings, digest, current_alt_names)
+
+            # Check if the CA autosigned the cert
+            if download_cert(ca, certname, settings)
+              @logger.inform "Certificate for #{certname} was autosigned."
               true
             else
-              false
+              next false unless ca.sign_certs([certname])
+              download_cert(ca, certname, settings)
             end
           end
           passed.all?
         end
 
+        def submit_csr(certname, ca, settings, digest, alt_names)
+          key, csr = generate_key_csr(certname, settings, digest, alt_names)
+          return false unless csr
+          # Always save the keys, since soemtimes the server saves the CSR
+          # even when it returns a 400 (e.g. when the CSR contains alt names
+          # but the server isn't configured to sign such certs)
+          return false unless save_keys(certname, settings, key)
+          return false unless ca.submit_certificate_request(certname, csr)
+          true
+        end
+
+        def download_cert(ca, certname, settings)
+          if result = ca.get_certificate(certname)
+            return false unless save_file(result.body, certname, settings[:certdir], "Certificate")
+            true
+          end
+        end
+
         # For certs signed offline, any alt names are added directly to the cert,
         # rather than to the CSR.
         def generate_key_csr(certname, settings, digest, alt_names = '')

data/lib/puppetserver/ca/certificate_authority.rb

@@ -41,7 +41,7 @@ module Puppetserver
                       body: SIGN_BODY,
                       type: :sign)
 
-        results.all? {|result| result == :success }
+        results.all? { |result| result == :success }
       end
 
       def revoke_certs(certnames)
@@ -50,7 +50,7 @@ module Puppetserver
                     body: REVOKE_BODY,
                     type: :revoke)
 
-        results.reduce {|prev, curr| worst_result(prev, curr) }
+        results.reduce { |prev, curr| worst_result(prev, curr) }
       end
 
       def submit_certificate_request(certname, csr)
@@ -60,7 +60,7 @@ module Puppetserver
                     headers: {'Content-Type' => 'text/plain'},
                     type: :submit)
 
-        results.all? {|result| result == :success }
+        results.all? { |result| result == :success }
       end
 
       # Make an HTTP PUT request to CA

data/lib/puppetserver/ca/utils/http_client.rb

@@ -15,12 +15,20 @@ module Puppetserver
 
         attr_reader :store
 
-        def initialize(settings)
+        # Not all connections require a client cert to be present.
+        # For example, when querying the status endpoint.
+        def initialize(settings, with_client_cert: true)
           @store = make_store(settings[:localcacert],
                               settings[:certificate_revocation],
                               settings[:hostcrl])
-          @cert = load_cert(settings[:hostcert])
-          @key = load_key(settings[:hostprivkey])
+
+          if with_client_cert
+            @cert = load_cert(settings[:hostcert])
+            @key = load_key(settings[:hostprivkey])
+          else
+            @cert = nil
+            @key = nil
+          end
         end
 
         def load_cert(cert_path)
@@ -126,4 +134,4 @@ module Puppetserver
       end
     end
   end
-end
+end

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.1.1"
+    VERSION = "1.1.2"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 1.1.2
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-09-26 00:00:00.000000000 Z
+date: 2018-10-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter