puppetserver-ca 1.8.0 → 1.9.0
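--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 03925b461bffbaec27b5c3d76c62393e68451a2e69ef9d82f34f51044ecd3fbd
+data.tar.gz: e86c0137e287be5f8bf09dad3610e412aa49bb06b4b35c0c367a9ec6b5a76153
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: dcd960ea4199af2446c45cbc3ac692d79c5e1e6e1abefbb1d07c53b6605dd6fd5cfb86c7e808bfe6657919df7a9503c494653c3b111a2461d972bb3deee25719
+data.tar.gz: 90d4c6a649898aa536392b653d6ba8d70c1c2b48e50bd0ecfeac57a6468f48d0ad040b9b3ff4c83de87150c678a659e34985b4ca90341c7885224862cd53a82b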
@@ -140,7 +140,7 @@ BANNER
|
|
140
140
|
# Generate and save certs and associated keys
|
141
141
|
if input['ca-client']
|
142
142
|
# Refused to generate certs offfline if the CA service is running
|
143
|
-
return 1 if check_server_online(puppet.settings)
|
143
|
+
return 1 if HttpClient.check_server_online(puppet.settings, @logger)
|
144
144
|
all_passed = generate_authorized_certs(certnames, alt_names, puppet.settings, signer.digest)
|
145
145
|
else
|
146
146
|
all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest, input['ttl'])
|
@@ -148,34 +148,6 @@ BANNER
|
|
148
148
|
return all_passed ? 0 : 1
|
149
149
|
end
|
150
150
|
|
151
|
-
# Queries the simple status endpoint for the status of the CA service.
|
152
|
-
# Returns true if it receives back a response of "running", and false if
|
153
|
-
# no connection can be made, or a different response is received.
|
154
|
-
def check_server_online(settings)
|
155
|
-
status_url = HttpClient::URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
|
156
|
-
begin
|
157
|
-
# Generating certs offline is necessary if the master cert has been destroyed
|
158
|
-
# or compromised. Since querying the status endpoint does not require a client cert, and
|
159
|
-
# we commonly won't have one, don't require one for creating the connection.
|
160
|
-
HttpClient.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
|
161
|
-
result = conn.get
|
162
|
-
if result.body == "running"
|
163
|
-
@logger.err "CA service is running. Please stop it before attempting to generate certs offline."
|
164
|
-
true
|
165
|
-
else
|
166
|
-
false
|
167
|
-
end
|
168
|
-
end
|
169
|
-
true
|
170
|
-
rescue Puppetserver::Ca::ConnectionFailed => e
|
171
|
-
if e.wrapped.is_a? Errno::ECONNREFUSED
|
172
|
-
return false
|
173
|
-
else
|
174
|
-
raise e
|
175
|
-
end
|
176
|
-
end
|
177
|
-
end
|
178
|
-
|
179
151
|
# Certs authorized to talk to the CA API need to be signed offline,
|
180
152
|
# in order to securely add the special auth extension.
|
181
153
|
def generate_authorized_certs(certnames, alt_names, settings, digest)
|
@@ -0,0 +1,95 @@
|
|
1
|
+
require 'puppetserver/ca/utils/cli_parsing'
|
2
|
+
require 'puppetserver/ca/utils/file_system'
|
3
|
+
require 'puppetserver/ca/utils/http_client'
|
4
|
+
|
5
|
+
module Puppetserver
|
6
|
+
module Ca
|
7
|
+
module Action
|
8
|
+
class Migrate
|
9
|
+
include Puppetserver::Ca::Utils
|
10
|
+
PUPPETSERVER_CA_DIR = '/etc/puppetlabs/puppetserver/ca'
|
11
|
+
|
12
|
+
SUMMARY = "Migrate the existing CA directory to /etc/puppetlabs/puppetserver/ca"
|
13
|
+
BANNER = <<-BANNER
|
14
|
+
Usage:
|
15
|
+
puppetserver ca migrate [--help]
|
16
|
+
puppetserver ca migrate [--config PATH]
|
17
|
+
|
18
|
+
Description:
|
19
|
+
Migrate an existing CA directory to /etc/puppetlabs/puppetserver/ca. This is for
|
20
|
+
upgrading from Puppet Platform 6.x to Puppet 7. Use the currently configured
|
21
|
+
puppet.conf file in your installation, or supply one using the `--config` flag.
|
22
|
+
Options:
|
23
|
+
BANNER
|
24
|
+
|
25
|
+
def initialize(logger)
|
26
|
+
@logger = logger
|
27
|
+
end
|
28
|
+
|
29
|
+
def run(input)
|
30
|
+
config_path = input['config']
|
31
|
+
puppet = Config::Puppet.new(config_path)
|
32
|
+
puppet.load
|
33
|
+
return 1 if HttpClient.check_server_online(puppet.settings, @logger)
|
34
|
+
|
35
|
+
errors = FileSystem.check_for_existing_files(PUPPETSERVER_CA_DIR)
|
36
|
+
if !errors.empty?
|
37
|
+
instructions = <<-ERR
|
38
|
+
Migration will not overwrite the directory at #{PUPPETSERVER_CA_DIR}. Have you already
|
39
|
+
run this migration tool? Is this a puppet 7 installation? It is likely that you have
|
40
|
+
already successfully run the migration or do not need to run it.
|
41
|
+
ERR
|
42
|
+
errors << instructions
|
43
|
+
Errors.handle_with_usage(@logger, errors)
|
44
|
+
return 1
|
45
|
+
end
|
46
|
+
|
47
|
+
current_cadir = puppet.settings[:cadir]
|
48
|
+
if FileSystem.check_for_existing_files(current_cadir).empty?
|
49
|
+
error_message = <<-ERR
|
50
|
+
No CA dir found at #{current_cadir}. Please check the configured cadir setting in your
|
51
|
+
puppet.conf file and verify its contents.
|
52
|
+
ERR
|
53
|
+
Errors.handle_with_usage(@logger, [error_message])
|
54
|
+
return 1
|
55
|
+
end
|
56
|
+
|
57
|
+
migrate(current_cadir)
|
58
|
+
|
59
|
+
@logger.inform <<-SUCCESS_MESSAGE
|
60
|
+
CA dir successfully migrated to #{PUPPETSERVER_CA_DIR}. Symlink placed at #{current_cadir}
|
61
|
+
for backwards compatibility. The puppetserver can be safely restarted now.
|
62
|
+
SUCCESS_MESSAGE
|
63
|
+
return 0
|
64
|
+
end
|
65
|
+
|
66
|
+
def migrate(old_cadir, new_cadir=PUPPETSERVER_CA_DIR)
|
67
|
+
FileUtils.mv(old_cadir, new_cadir)
|
68
|
+
FileUtils.symlink(new_cadir, old_cadir)
|
69
|
+
end
|
70
|
+
|
71
|
+
def parse(args)
|
72
|
+
results = {}
|
73
|
+
parser = self.class.parser(results)
|
74
|
+
errors = CliParsing.parse_with_errors(parser, args)
|
75
|
+
errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
|
76
|
+
exit_code = errors_were_handled ? 1 : nil
|
77
|
+
return results, exit_code
|
78
|
+
end
|
79
|
+
|
80
|
+
def self.parser(parsed = {})
|
81
|
+
OptionParser.new do |opts|
|
82
|
+
opts.banner = BANNER
|
83
|
+
opts.on('--help', 'Display this command-specific help output') do |help|
|
84
|
+
parsed['help'] = true
|
85
|
+
end
|
86
|
+
opts.on('--config CONF', 'Path to puppet.conf') do |conf|
|
87
|
+
parsed['config'] = conf
|
88
|
+
end
|
89
|
+
end
|
90
|
+
end
|
91
|
+
|
92
|
+
end
|
93
|
+
end
|
94
|
+
end
|
95
|
+
end
|
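Review bot: `migrate` moves the CA directory and then creates the symlink with no error handling, so an `Errno::EACCES`/`Errno::EXDEV`-style failure from `FileUtils.mv` or `FileUtils.symlink` escapes `run` as a backtrace instead of the logged message plus exit code 1 that the other failure paths in `run` produce, and a failure between the two calls leaves `current_cadir` missing with no hint of where the data went. I'd wrap the call in `run` and report both paths so the operator can recover by hand. The directory presumably holds the CA private key, so it would also be worth logging whether ownership and mode survived the move — `FileUtils.mv` preserves them on a plain rename, but I cannot confirm from this hunk what happens when `/etc/puppetlabs/puppetserver` is on another filesystem. The file does not require `fileutils` or `optparse` itself and relies on `Config::Puppet`, `Errors`, `FileUtils` and `OptionParser` being loaded by the caller, which is fine only if `cli.rb` guarantees it.
```ruby
      # … unchanged: config load, online check, existing-directory checks …
      begin
        migrate(current_cadir)
      rescue SystemCallError => e
        @logger.err "Failed to migrate CA dir from #{current_cadir} to #{PUPPETSERVER_CA_DIR}: #{e.message}"
        @logger.err "Inspect both paths before retrying; the move may have partially completed."
        return 1
      end
      # … unchanged: success message and return 0 …
```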
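--- a/data/lib/puppetserver/ca/cli.rb
+++ b/data/lib/puppetserver/ca/cli.rb
@@ -8,6 +8,7 @@ require 'puppetserver/ca/action/list'
 require 'puppetserver/ca/action/revoke'
 require 'puppetserver/ca/action/setup'
 require 'puppetserver/ca/action/sign'
+require 'puppetserver/ca/action/migrate'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/logger'
 require 'puppetserver/ca/utils/cli_parsing'
@@ -28,6 +29,7 @@ BANNER
 'import' => Action::Import,
 'setup' => Action::Setup,
 'enable' => Action::Enable,
+'migrate' => Action::Migrate,
 }
 
 MAINT_ACTIONS = {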
@@ -159,6 +159,36 @@ module Puppetserver
|
|
159
159
|
|
160
160
|
store
|
161
161
|
end
|
162
|
+
|
163
|
+
# Queries the simple status endpoint for the status of the CA service.
|
164
|
+
# Returns true if it receives back a response of "running", and false if
|
165
|
+
# no connection can be made, or a different response is received.
|
166
|
+
def self.check_server_online(settings, logger)
|
167
|
+
status_url = URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
|
168
|
+
begin
|
169
|
+
# Generating certs offline is necessary if the master cert has been destroyed
|
170
|
+
# or compromised. Since querying the status endpoint does not require a client cert, and
|
171
|
+
# we commonly won't have one, don't require one for creating the connection.
|
172
|
+
# Additionally, we want to ensure the server is stopped before migrating the CA dir to
|
173
|
+
# avoid issues with writing to the CA dir and moving it.
|
174
|
+
self.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
|
175
|
+
result = conn.get
|
176
|
+
if result.body == "running"
|
177
|
+
logger.err "CA service is running. Please stop it before attempting to run this command."
|
178
|
+
true
|
179
|
+
else
|
180
|
+
false
|
181
|
+
end
|
182
|
+
end
|
183
|
+
rescue Puppetserver::Ca::ConnectionFailed => e
|
184
|
+
if e.wrapped.is_a? Errno::ECONNREFUSED
|
185
|
+
return false
|
186
|
+
else
|
187
|
+
raise e
|
188
|
+
end
|
189
|
+
end
|
190
|
+
end
|
191
|
+
|
162
192
|
end
|
163
193
|
end
|
164
194
|
end
|
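Review bot: `check_server_online` returns false — letting `migrate` move the CA directory out from under a live server — whenever the status endpoint answers anything other than `"running"`, even though any HTTP response at all proves a puppetserver is listening on `ca_server:ca_port`; the header comment documents that behaviour, but for a command that relocates the directory the server has open it is the wrong default. Unless `generate` has a reason to tolerate a server whose CA reports another state, I'd treat every response as online and only vary the message, e.g. in the else branch `logger.err "Puppet Server at #{settings[:ca_server]}:#{settings[:ca_port]} responded (CA status: #{result.body.inspect}). Please stop it before attempting to run this command."` followed by `true`. Only `Errno::ECONNREFUSED` is mapped to offline; `ETIMEDOUT`, `EHOSTUNREACH` or a TLS failure (which the comment's own "CA cert destroyed" scenario may well trigger — I cannot tell from this hunk how `with_connection` verifies the server certificate) re-raise as a backtrace rather than an actionable message. Also, `ca_server` is the configured CA address and may not be the local host whose `cadir` migrate is about to move, so the check can pass against the wrong machine; I can't see how callers set it, so treat that as a question. The enclosing class starts before this hunk.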
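--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.9.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-
+date: 2020-10-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: facter
@@ -99,6 +99,7 @@ files:
 - lib/puppetserver/ca/action/generate.rb
 - lib/puppetserver/ca/action/import.rb
 - lib/puppetserver/ca/action/list.rb
+- lib/puppetserver/ca/action/migrate.rb
 - lib/puppetserver/ca/action/revoke.rb
 - lib/puppetserver/ca/action/setup.rb
 - lib/puppetserver/ca/action/sign.rb
@@ -138,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.0.
+rubygems_version: 3.0.8
 signing_key:
 specification_version: 4
 summary: A simple CLI tool for interacting with Puppet Server's Certificate Authority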