puppetserver-ca 1.4.0 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e7759fd051a92708f8ac8aad4b8e89a636472b05
-  data.tar.gz: f3cfd8de0bbdd17fd5c0f13656486dbbdbc243f1
+  metadata.gz: 6675ef6328d11ddc9d47becb63063089f1eab59d
+  data.tar.gz: f8f0e62f01297a56d238ffc7d074b6ed1300a448
 SHA512:
-  metadata.gz: bbaac0d6e00a9ed1d30dfb5f0ccc1d92e459fc07aaecb0fa2e8cdf61a320d3baf63d3752bf3adf1f4dacf9f25d051f4f239139bf45c4842975448e154e9353d0
-  data.tar.gz: 1de3171122351341e0eb50ac675c6f168a8b6df37209f6e50723528485a120cf3fbdef023d28c066a80fd64b1a8f125930d81a620e4966e22bdb7468000fd0a1
+  metadata.gz: ce20b8b249b03b73eeeaed698723df472191269626e37ce232ddf6e5a199fbcc19e29787929efa70e4400dc7a14c38fc0ad1c62f0de1febee3845d36899b49da
+  data.tar.gz: 37b285c14dff8b48fab045dd699771917ac12e0b3663c61ec42d94ff6773644a7311af02d792ed17241be9b180f4ff041e2d61d04bf9cf7f034eaeefa0d12fa7

data/CODEOWNERS

@@ -0,0 +1,4 @@
+# This will cause the puppetserver-maintainers group to be assigned
+# review of any opened PRs against the branches containing this file.
+
+* @puppetlabs/puppetserver-maintainers

data/lib/puppetserver/ca/action/generate.rb

@@ -75,6 +75,9 @@ BANNER
                     'Causes the cert to be generated offline.') do |ca_client|
               parsed['ca-client'] = true
             end
+            opts.on('--ttl TTL', 'The time-to-live for each cert generated and signed') do |ttl|
+              parsed['ttl'] = ttl
+            end
           end
         end
 
@@ -140,7 +143,7 @@ BANNER
             return 1 if check_server_online(puppet.settings)
             all_passed = generate_authorized_certs(certnames, alt_names, puppet.settings, signer.digest)
           else
-            all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest)
+            all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest, input['ttl'])
           end
           return all_passed ? 0 : 1
         end
@@ -209,8 +212,10 @@ BANNER
         # Generate csrs and keys, then submit them to CA, request for the CA to sign
         # them, download the signed certificates from the CA, and finally save
         # the signed certs and associated keys. Returns true if all certs were
-        # successfully created and saved.
-        def generate_certs(certnames, alt_names, settings, digest)
+        # successfully created and saved. Takes a ttl to use if certificates
+        # are signed by this CLI, not autosigned by the CA. if ttl is nil, uses
+        # the CA's settings.
+        def generate_certs(certnames, alt_names, settings, digest, ttl)
           # Make sure we have all the directories where we will be writing files
           FileSystem.ensure_dirs([settings[:ssldir],
                                   settings[:certdir],
@@ -228,17 +233,26 @@ BANNER
             next false unless submit_csr(certname, ca, settings, digest, current_alt_names)
 
             # Check if the CA autosigned the cert
-            if download_cert(ca, certname, settings)
-              @logger.inform "Certificate for #{certname} was autosigned."
-              true
-            else
-              next false unless ca.sign_certs([certname])
-              download_cert(ca, certname, settings)
-            end
+            next acquire_signed_cert(ca, certname, settings, ttl)
           end
           passed.all?
         end
 
+        # Try to download a signed certificate; sign the cert with the given ttl if it needs
+        # signing before download.
+        def acquire_signed_cert(ca, certname, settings, ttl)
+          if download_cert(ca, certname, settings)
+            @logger.inform "Certificate for #{certname} was autosigned."
+            if ttl
+              @logger.warn "ttl was specified, but the CA autosigned the CSR. Unable to specify #{ttl} for #{certname}"
+            end
+            true
+          else
+            false unless ca.sign_certs([certname], ttl)
+            download_cert(ca, certname, settings)
+          end
+        end
+
         def submit_csr(certname, ca, settings, digest, alt_names)
           key, csr = generate_key_csr(certname, settings, digest, alt_names)
           return false unless csr

data/lib/puppetserver/ca/action/sign.rb

@@ -32,6 +32,9 @@ Options:
         def self.parser(parsed = {})
           OptionParser.new do |opts|
             opts.banner = BANNER
+            opts.on('--ttl TTL', 'The time-to-live for each cert signed') do |ttl|
+              parsed['ttl'] = ttl
+            end
             opts.on('--certname NAME[,NAME]', Array, 'the name(s) of the cert(s) to be signed') do |cert|
               parsed['certname'] = cert
             end
@@ -72,7 +75,7 @@ Options:
             requested_certnames = input['certname']
           end
 
-          success = ca.sign_certs(requested_certnames)
+          success = ca.sign_certs(requested_certnames, input['ttl'])
           return success ? 0 : 1
         end
 

data/lib/puppetserver/ca/certificate_authority.rb

@@ -8,6 +8,16 @@ module Puppetserver
 
       include Puppetserver::Ca::Utils
 
+      # Taken from puppet/lib/settings/duration_settings.rb
+      UNITMAP = {
+        # 365 days isn't technically a year, but is sufficient for most purposes
+        "y" => 365 * 24 * 60 * 60,
+        "d" => 24 * 60 * 60,
+        "h" => 60 * 60,
+        "m" => 60,
+        "s" => 1
+      }
+
       REVOKE_BODY = JSON.dump({ desired_state: 'revoked' })
       SIGN_BODY =   JSON.dump({ desired_state: 'signed' })
 
@@ -35,11 +45,40 @@ module Puppetserver
         HttpClient::URL.new('https', @ca_server, @ca_port, 'puppet-ca', 'v1', resource_type, certname)
       end
 
-      def sign_certs(certnames)
-        results = put(certnames,
-                      resource_type: 'certificate_status',
-                      body: SIGN_BODY,
-                      type: :sign)
+      def process_ttl_input(ttl)
+        match = /^(\d+)(s|m|h|d|y)?$/.match(ttl)
+        if match
+          if match[2]
+            match[1].to_i * UNITMAP[match[2]].to_i
+          else
+            ttl
+          end
+        else
+          @logger.err "Error:"
+          @logger.err " '#{ttl}' is an invalid ttl value"
+          @logger.err "Value should match regex \"^(\d+)(s|m|h|d|y)?$\""
+          nil
+        end
+      end
+
+      def sign_certs(certnames, ttl=nil)
+        results = []
+        if ttl
+          lifetime = process_ttl_input(ttl)
+          return false if lifetime.nil?
+          body = JSON.dump({ desired_state: 'signed',
+                             cert_ttl: lifetime})
+          results = put(certnames,
+            resource_type: 'certificate_status',
+            body: body,
+            type: :sign)
+        else
+          results = put(certnames,
+                        resource_type: 'certificate_status',
+                        body: SIGN_BODY,
+                        type: :sign)
+        end
+
 
         results.all? { |result| result == :success }
       end

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.4.0"
+    VERSION = "1.5.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.5.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-08-15 00:00:00.000000000 Z
+date: 2019-12-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -83,6 +83,7 @@ files:
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
+- CODEOWNERS
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - Gemfile