puppetserver-ca 1.10.0 → 1.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7200d67071717855a415f5b10ea96e2d008eb9e758b6c1bfcf367d41be1355c4
-  data.tar.gz: 9b94632f35b636420a5bb80fe6e1878daefb77b4d113aed5122a116113e7ff20
+  metadata.gz: 813b9f6f9913cd98abd4b81219cfb4882e7c9c1ace77f024218706be07411d7a
+  data.tar.gz: 8f7bd49d04fc6f23f4674006f1d159756286f9b3ae50a686cb4faa5b7b71832d
 SHA512:
-  metadata.gz: 82cca168aa2217dd81a68acb3acaabdaddcc06d494a783a04a27a03965110d0ca66fe5a3eee01e4d949073e4e8594d61a3203f83066e8e64b2e857344a723566
-  data.tar.gz: 95708d9c5f670001c8c3018cf9804fd189d44cb52bcee4e0e86665c4b8d5fd114ebb7480a6576fcffe81fd2289ba28b1fe2c61a8d610d0733b6d6f947df0f04a
+  metadata.gz: a2dbfac65155e9dbd593931305b9f99079f2610bd02d64c20e1be00f8f61058f85bfcf410f5987439de892b6adf9e46beadb60d85a4f970c07a4eec2643c54d9
+  data.tar.gz: 26964af97f64152d3d5e1bfbcc931daa102734b1facf2ef588890552aee36791be3a6091e5e5563d328254149133035597773486c53e67ddd8e1624327f289bb

data/README.md

@@ -55,6 +55,11 @@ To create a new keypair and certificate for a certname:
 puppetserver ca generate --certname foo.example.com
 ```
 
+To remove duplicated entries from Puppet's CRL:
+```
+puppetserver ca prune
+```
+
 To enable verbose mode:
 ```
 puppetserver ca --verbose <action>

data/lib/puppetserver/ca/action/prune.rb

@@ -0,0 +1,116 @@
+require 'optparse'
+require 'openssl'
+require 'puppetserver/ca/errors'
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/config'
+require 'puppetserver/ca/x509_loader'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Prune
+        include Puppetserver::Ca::Utils
+
+        SUMMARY = "Prune the local CRL on disk to remove any duplicated certificates"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca prune [--help]
+  puppetserver ca prune [--config]
+
+Description:
+  Prune the list of revoked certificates of any duplication within it.  This command
+  will only prune the CRL issued by Puppet's CA cert.
+
+Options:
+BANNER
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(inputs)
+          config_path = inputs['config']
+
+          # Validate the config path.
+          if config_path
+            errors = FileSystem.validate_file_paths(config_path)
+            return 1 if Errors.handle_with_usage(@logger, errors)
+          end
+
+          # Validate puppet config setting.
+          puppet = Config::Puppet.new(config_path)
+          puppet.load(logger: @logger)
+          return 1 if Errors.handle_with_usage(@logger, puppet.errors)
+
+          # Validate that we are offline
+          return 1 if HttpClient.check_server_online(puppet.settings, @logger)
+
+          # Getting the CRL(s)
+          loader = X509Loader.new(puppet.settings[:cacert], puppet.settings[:cakey], puppet.settings[:cacrl])
+
+          puppet_crl = loader.crls.select { |crl| crl.verify(loader.key) }
+          prune_CRLs(puppet_crl)
+          update_pruned_CRL(puppet_crl, loader.key)
+          FileSystem.write_file(puppet.settings[:cacrl], loader.crls, 0644)
+
+          @logger.inform("Finished pruning Puppet's CRL")
+          return 0
+        end
+
+        def prune_CRLs(crl_list)
+          crl_list.each do |crl|
+            existed_serial_number = Set.new()
+            revoked_list = crl.revoked
+            @logger.debug("Pruning duplicate entries in CRL for issuer " \
+              "#{crl.issuer.to_s(OpenSSL::X509::Name::RFC2253)}") if @logger.debug?
+
+            revoked_list.delete_if do |revoked|
+              if existed_serial_number.add?(revoked.serial)
+                false
+              else
+                @logger.debug("Removing duplicate of #{revoked.serial}, " \
+                  "revoked on #{revoked.time}\n") if @logger.debug?
+                true
+              end
+            end
+            crl.revoked=(revoked_list)
+          end
+        end
+
+        def update_pruned_CRL(crl_list, pkey)
+          crl_list.each do |crl|
+            crl.version=(crl.version + 1)
+            crl.sign(pkey, OpenSSL::Digest::SHA256.new)
+          end
+        end
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to the puppet.conf file on disk') do |conf|
+              parsed['config'] = conf
+            end
+          end
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+          errors = CliParsing.parse_with_errors(parser, args)
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+
+          if errors_were_handled
+            exit_code = 1
+          else
+            exit_code = nil
+          end
+          return results, exit_code
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/cli.rb

@@ -8,6 +8,7 @@ require 'puppetserver/ca/action/list'
 require 'puppetserver/ca/action/revoke'
 require 'puppetserver/ca/action/setup'
 require 'puppetserver/ca/action/sign'
+require 'puppetserver/ca/action/prune'
 require 'puppetserver/ca/action/migrate'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/logger'
@@ -25,11 +26,12 @@ Manage the Private Key Infrastructure for
 Puppet Server's built-in Certificate Authority
 BANNER
 
-      INIT_ACTIONS = {
+      ADMIN_ACTIONS = {
         'import'   => Action::Import,
         'setup'    => Action::Setup,
-        'enable' => Action::Enable,
-        'migrate' => Action::Migrate,
+        'enable'   => Action::Enable,
+        'migrate'  => Action::Migrate,
+        'prune'    => Action::Prune
       }
 
       MAINT_ACTIONS = {
@@ -40,15 +42,15 @@ BANNER
         'sign'     => Action::Sign
       }
 
-      VALID_ACTIONS = INIT_ACTIONS.merge(MAINT_ACTIONS).sort.to_h
+      VALID_ACTIONS = ADMIN_ACTIONS.merge(MAINT_ACTIONS).sort.to_h
 
       ACTION_LIST = "\nAvailable Actions:\n\n" +
         "  Certificate Actions (requires a running Puppet Server):\n\n" +
         MAINT_ACTIONS.map do |action, cls|
           "    #{action}\t#{cls::SUMMARY}"
         end.join("\n") + "\n\n" +
-        "  Initialization Actions (requires Puppet Server to be stopped):\n\n" +
-        INIT_ACTIONS.map do |action, cls|
+        "  Administrative Actions (requires Puppet Server to be stopped):\n\n" +
+        ADMIN_ACTIONS.map do |action, cls|
           "    #{action}\t#{cls::SUMMARY}"
         end.join("\n")
 

data/lib/puppetserver/ca/logger.rb

@@ -17,8 +17,12 @@ module Puppetserver
         @level
       end
 
+      def debug?
+        return @level >= LEVELS[:debug]
+      end
+
       def debug(text)
-        if @level >= LEVELS[:debug]
+        if debug?
           @out.puts(text)
         end
       end

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.10.0"
+    VERSION = "1.11.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.10.0
+  version: 1.11.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-07-06 00:00:00.000000000 Z
+date: 2021-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -100,6 +100,7 @@ files:
 - lib/puppetserver/ca/action/import.rb
 - lib/puppetserver/ca/action/list.rb
 - lib/puppetserver/ca/action/migrate.rb
+- lib/puppetserver/ca/action/prune.rb
 - lib/puppetserver/ca/action/revoke.rb
 - lib/puppetserver/ca/action/setup.rb
 - lib/puppetserver/ca/action/sign.rb