puppetserver-ca 1.8.0 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 06307ad34518843e6fb558b64f2edd2f801e2bde08be15c52730d019641bea01
4
- data.tar.gz: dde31e01a803c9ace9fa261c5601a985cde01af5cd77bc7e6b1f9de6bb11f3e5
3
+ metadata.gz: 03925b461bffbaec27b5c3d76c62393e68451a2e69ef9d82f34f51044ecd3fbd
4
+ data.tar.gz: e86c0137e287be5f8bf09dad3610e412aa49bb06b4b35c0c367a9ec6b5a76153
5
5
  SHA512:
6
- metadata.gz: 912f14160990a27a4c422ce9febcb3a8ce68dc7df6a86934734360e6d052a391a59b0fdaaa9cf565a004873f368769742fe814eff44489557df9cb5b24791180
7
- data.tar.gz: 258079b488691eacdd6866051e237bd430333b1981d8e11b8685a34ec1cc3ea2d111a5b9d8dfa3c1b7d70b9e98272b2344dc55acda0f78da2baf6bc63544b369
6
+ metadata.gz: dcd960ea4199af2446c45cbc3ac692d79c5e1e6e1abefbb1d07c53b6605dd6fd5cfb86c7e808bfe6657919df7a9503c494653c3b111a2461d972bb3deee25719
7
+ data.tar.gz: 90d4c6a649898aa536392b653d6ba8d70c1c2b48e50bd0ecfeac57a6468f48d0ad040b9b3ff4c83de87150c678a659e34985b4ca90341c7885224862cd53a82b
@@ -140,7 +140,7 @@ BANNER
140
140
  # Generate and save certs and associated keys
141
141
  if input['ca-client']
142
142
  # Refused to generate certs offfline if the CA service is running
143
- return 1 if check_server_online(puppet.settings)
143
+ return 1 if HttpClient.check_server_online(puppet.settings, @logger)
144
144
  all_passed = generate_authorized_certs(certnames, alt_names, puppet.settings, signer.digest)
145
145
  else
146
146
  all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest, input['ttl'])
@@ -148,34 +148,6 @@ BANNER
148
148
  return all_passed ? 0 : 1
149
149
  end
150
150
 
151
- # Queries the simple status endpoint for the status of the CA service.
152
- # Returns true if it receives back a response of "running", and false if
153
- # no connection can be made, or a different response is received.
154
- def check_server_online(settings)
155
- status_url = HttpClient::URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
156
- begin
157
- # Generating certs offline is necessary if the master cert has been destroyed
158
- # or compromised. Since querying the status endpoint does not require a client cert, and
159
- # we commonly won't have one, don't require one for creating the connection.
160
- HttpClient.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
161
- result = conn.get
162
- if result.body == "running"
163
- @logger.err "CA service is running. Please stop it before attempting to generate certs offline."
164
- true
165
- else
166
- false
167
- end
168
- end
169
- true
170
- rescue Puppetserver::Ca::ConnectionFailed => e
171
- if e.wrapped.is_a? Errno::ECONNREFUSED
172
- return false
173
- else
174
- raise e
175
- end
176
- end
177
- end
178
-
179
151
  # Certs authorized to talk to the CA API need to be signed offline,
180
152
  # in order to securely add the special auth extension.
181
153
  def generate_authorized_certs(certnames, alt_names, settings, digest)
@@ -0,0 +1,95 @@
1
+ require 'puppetserver/ca/utils/cli_parsing'
2
+ require 'puppetserver/ca/utils/file_system'
3
+ require 'puppetserver/ca/utils/http_client'
4
+
5
+ module Puppetserver
6
+ module Ca
7
+ module Action
8
+ class Migrate
9
+ include Puppetserver::Ca::Utils
10
+ PUPPETSERVER_CA_DIR = '/etc/puppetlabs/puppetserver/ca'
11
+
12
+ SUMMARY = "Migrate the existing CA directory to /etc/puppetlabs/puppetserver/ca"
13
+ BANNER = <<-BANNER
14
+ Usage:
15
+ puppetserver ca migrate [--help]
16
+ puppetserver ca migrate [--config PATH]
17
+
18
+ Description:
19
+ Migrate an existing CA directory to /etc/puppetlabs/puppetserver/ca. This is for
20
+ upgrading from Puppet Platform 6.x to Puppet 7. Use the currently configured
21
+ puppet.conf file in your installation, or supply one using the `--config` flag.
22
+ Options:
23
+ BANNER
24
+
25
+ def initialize(logger)
26
+ @logger = logger
27
+ end
28
+
29
+ def run(input)
30
+ config_path = input['config']
31
+ puppet = Config::Puppet.new(config_path)
32
+ puppet.load
33
+ return 1 if HttpClient.check_server_online(puppet.settings, @logger)
34
+
35
+ errors = FileSystem.check_for_existing_files(PUPPETSERVER_CA_DIR)
36
+ if !errors.empty?
37
+ instructions = <<-ERR
38
+ Migration will not overwrite the directory at #{PUPPETSERVER_CA_DIR}. Have you already
39
+ run this migration tool? Is this a puppet 7 installation? It is likely that you have
40
+ already successfully run the migration or do not need to run it.
41
+ ERR
42
+ errors << instructions
43
+ Errors.handle_with_usage(@logger, errors)
44
+ return 1
45
+ end
46
+
47
+ current_cadir = puppet.settings[:cadir]
48
+ if FileSystem.check_for_existing_files(current_cadir).empty?
49
+ error_message = <<-ERR
50
+ No CA dir found at #{current_cadir}. Please check the configured cadir setting in your
51
+ puppet.conf file and verify its contents.
52
+ ERR
53
+ Errors.handle_with_usage(@logger, [error_message])
54
+ return 1
55
+ end
56
+
57
+ migrate(current_cadir)
58
+
59
+ @logger.inform <<-SUCCESS_MESSAGE
60
+ CA dir successfully migrated to #{PUPPETSERVER_CA_DIR}. Symlink placed at #{current_cadir}
61
+ for backwards compatibility. The puppetserver can be safely restarted now.
62
+ SUCCESS_MESSAGE
63
+ return 0
64
+ end
65
+
66
+ def migrate(old_cadir, new_cadir=PUPPETSERVER_CA_DIR)
67
+ FileUtils.mv(old_cadir, new_cadir)
68
+ FileUtils.symlink(new_cadir, old_cadir)
69
+ end
70
+
71
+ def parse(args)
72
+ results = {}
73
+ parser = self.class.parser(results)
74
+ errors = CliParsing.parse_with_errors(parser, args)
75
+ errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
76
+ exit_code = errors_were_handled ? 1 : nil
77
+ return results, exit_code
78
+ end
79
+
80
+ def self.parser(parsed = {})
81
+ OptionParser.new do |opts|
82
+ opts.banner = BANNER
83
+ opts.on('--help', 'Display this command-specific help output') do |help|
84
+ parsed['help'] = true
85
+ end
86
+ opts.on('--config CONF', 'Path to puppet.conf') do |conf|
87
+ parsed['config'] = conf
88
+ end
89
+ end
90
+ end
91
+
92
+ end
93
+ end
94
+ end
95
+ end
@@ -8,6 +8,7 @@ require 'puppetserver/ca/action/list'
8
8
  require 'puppetserver/ca/action/revoke'
9
9
  require 'puppetserver/ca/action/setup'
10
10
  require 'puppetserver/ca/action/sign'
11
+ require 'puppetserver/ca/action/migrate'
11
12
  require 'puppetserver/ca/errors'
12
13
  require 'puppetserver/ca/logger'
13
14
  require 'puppetserver/ca/utils/cli_parsing'
@@ -28,6 +29,7 @@ BANNER
28
29
  'import' => Action::Import,
29
30
  'setup' => Action::Setup,
30
31
  'enable' => Action::Enable,
32
+ 'migrate' => Action::Migrate,
31
33
  }
32
34
 
33
35
  MAINT_ACTIONS = {
@@ -159,6 +159,36 @@ module Puppetserver
159
159
 
160
160
  store
161
161
  end
162
+
163
+ # Queries the simple status endpoint for the status of the CA service.
164
+ # Returns true if it receives back a response of "running", and false if
165
+ # no connection can be made, or a different response is received.
166
+ def self.check_server_online(settings, logger)
167
+ status_url = URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
168
+ begin
169
+ # Generating certs offline is necessary if the master cert has been destroyed
170
+ # or compromised. Since querying the status endpoint does not require a client cert, and
171
+ # we commonly won't have one, don't require one for creating the connection.
172
+ # Additionally, we want to ensure the server is stopped before migrating the CA dir to
173
+ # avoid issues with writing to the CA dir and moving it.
174
+ self.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
175
+ result = conn.get
176
+ if result.body == "running"
177
+ logger.err "CA service is running. Please stop it before attempting to run this command."
178
+ true
179
+ else
180
+ false
181
+ end
182
+ end
183
+ rescue Puppetserver::Ca::ConnectionFailed => e
184
+ if e.wrapped.is_a? Errno::ECONNREFUSED
185
+ return false
186
+ else
187
+ raise e
188
+ end
189
+ end
190
+ end
191
+
162
192
  end
163
193
  end
164
194
  end
@@ -1,5 +1,5 @@
1
1
  module Puppetserver
2
2
  module Ca
3
- VERSION = "1.8.0"
3
+ VERSION = "1.9.0"
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puppetserver-ca
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.8.0
4
+ version: 1.9.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Puppet, Inc.
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2020-05-19 00:00:00.000000000 Z
11
+ date: 2020-10-27 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: facter
@@ -99,6 +99,7 @@ files:
99
99
  - lib/puppetserver/ca/action/generate.rb
100
100
  - lib/puppetserver/ca/action/import.rb
101
101
  - lib/puppetserver/ca/action/list.rb
102
+ - lib/puppetserver/ca/action/migrate.rb
102
103
  - lib/puppetserver/ca/action/revoke.rb
103
104
  - lib/puppetserver/ca/action/setup.rb
104
105
  - lib/puppetserver/ca/action/sign.rb
@@ -138,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
138
139
  - !ruby/object:Gem::Version
139
140
  version: '0'
140
141
  requirements: []
141
- rubygems_version: 3.0.6
142
+ rubygems_version: 3.0.8
142
143
  signing_key:
143
144
  specification_version: 4
144
145
  summary: A simple CLI tool for interacting with Puppet Server's Certificate Authority