puppetserver-ca 1.8.0 → 1.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 06307ad34518843e6fb558b64f2edd2f801e2bde08be15c52730d019641bea01
-  data.tar.gz: dde31e01a803c9ace9fa261c5601a985cde01af5cd77bc7e6b1f9de6bb11f3e5
+  metadata.gz: 03925b461bffbaec27b5c3d76c62393e68451a2e69ef9d82f34f51044ecd3fbd
+  data.tar.gz: e86c0137e287be5f8bf09dad3610e412aa49bb06b4b35c0c367a9ec6b5a76153
 SHA512:
-  metadata.gz: 912f14160990a27a4c422ce9febcb3a8ce68dc7df6a86934734360e6d052a391a59b0fdaaa9cf565a004873f368769742fe814eff44489557df9cb5b24791180
-  data.tar.gz: 258079b488691eacdd6866051e237bd430333b1981d8e11b8685a34ec1cc3ea2d111a5b9d8dfa3c1b7d70b9e98272b2344dc55acda0f78da2baf6bc63544b369
+  metadata.gz: dcd960ea4199af2446c45cbc3ac692d79c5e1e6e1abefbb1d07c53b6605dd6fd5cfb86c7e808bfe6657919df7a9503c494653c3b111a2461d972bb3deee25719
+  data.tar.gz: 90d4c6a649898aa536392b653d6ba8d70c1c2b48e50bd0ecfeac57a6468f48d0ad040b9b3ff4c83de87150c678a659e34985b4ca90341c7885224862cd53a82b

data/lib/puppetserver/ca/action/generate.rb

@@ -140,7 +140,7 @@ BANNER
           # Generate and save certs and associated keys
           if input['ca-client']
             # Refused to generate certs offfline if the CA service is running
-            return 1 if check_server_online(puppet.settings)
+            return 1 if HttpClient.check_server_online(puppet.settings, @logger)
             all_passed = generate_authorized_certs(certnames, alt_names, puppet.settings, signer.digest)
           else
             all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest, input['ttl'])
@@ -148,34 +148,6 @@ BANNER
           return all_passed ? 0 : 1
         end
 
-        # Queries the simple status endpoint for the status of the CA service.
-        # Returns true if it receives back a response of "running", and false if
-        # no connection can be made, or a different response is received.
-        def check_server_online(settings)
-          status_url = HttpClient::URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
-          begin
-            # Generating certs offline is necessary if the master cert has been destroyed
-            # or compromised. Since querying the status endpoint does not require a client cert, and
-            # we commonly won't have one, don't require one for creating the connection.
-            HttpClient.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
-              result = conn.get
-              if result.body == "running"
-                @logger.err "CA service is running. Please stop it before attempting to generate certs offline."
-                true
-              else
-                false
-              end
-            end
-            true
-          rescue Puppetserver::Ca::ConnectionFailed => e
-            if e.wrapped.is_a? Errno::ECONNREFUSED
-              return false
-            else
-              raise e
-            end
-          end
-        end
-
         # Certs authorized to talk to the CA API need to be signed offline,
         # in order to securely add the special auth extension.
         def generate_authorized_certs(certnames, alt_names, settings, digest)

data/lib/puppetserver/ca/action/migrate.rb

@@ -0,0 +1,95 @@
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/http_client'
+
+module Puppetserver
+  module Ca
+    module Action
+      class Migrate
+        include Puppetserver::Ca::Utils
+        PUPPETSERVER_CA_DIR = '/etc/puppetlabs/puppetserver/ca'
+
+        SUMMARY = "Migrate the existing CA directory to /etc/puppetlabs/puppetserver/ca"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca migrate [--help]
+  puppetserver ca migrate [--config PATH]
+
+Description:
+  Migrate an existing CA directory to /etc/puppetlabs/puppetserver/ca. This is for
+  upgrading from Puppet Platform 6.x to Puppet 7. Use the currently configured
+  puppet.conf file in your installation, or supply one using the `--config` flag.
+Options:
+BANNER
+
+        def initialize(logger)
+          @logger = logger
+        end
+
+        def run(input)
+          config_path = input['config']
+          puppet = Config::Puppet.new(config_path)
+          puppet.load
+          return 1 if HttpClient.check_server_online(puppet.settings, @logger)
+
+          errors = FileSystem.check_for_existing_files(PUPPETSERVER_CA_DIR)
+          if !errors.empty?
+            instructions = <<-ERR
+Migration will not overwrite the directory at #{PUPPETSERVER_CA_DIR}. Have you already
+run this migration tool? Is this a puppet 7 installation? It is likely that you have
+already successfully run the migration or do not need to run it.
+ERR
+            errors << instructions
+            Errors.handle_with_usage(@logger, errors)
+            return 1
+          end
+
+          current_cadir = puppet.settings[:cadir]
+          if FileSystem.check_for_existing_files(current_cadir).empty?
+            error_message = <<-ERR
+No CA dir found at #{current_cadir}. Please check the configured cadir setting in your
+puppet.conf file and verify its contents.
+ERR
+            Errors.handle_with_usage(@logger, [error_message])
+            return 1
+          end
+
+          migrate(current_cadir)
+
+          @logger.inform <<-SUCCESS_MESSAGE
+CA dir successfully migrated to #{PUPPETSERVER_CA_DIR}. Symlink placed at #{current_cadir}
+for backwards compatibility. The puppetserver can be safely restarted now.
+SUCCESS_MESSAGE
+          return 0
+        end
+
+        def migrate(old_cadir, new_cadir=PUPPETSERVER_CA_DIR)
+          FileUtils.mv(old_cadir, new_cadir)
+          FileUtils.symlink(new_cadir, old_cadir)
+        end
+
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+          errors = CliParsing.parse_with_errors(parser, args)
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+          exit_code = errors_were_handled ? 1 : nil
+          return results, exit_code
+        end
+
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/cli.rb

@@ -8,6 +8,7 @@ require 'puppetserver/ca/action/list'
 require 'puppetserver/ca/action/revoke'
 require 'puppetserver/ca/action/setup'
 require 'puppetserver/ca/action/sign'
+require 'puppetserver/ca/action/migrate'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/logger'
 require 'puppetserver/ca/utils/cli_parsing'
@@ -28,6 +29,7 @@ BANNER
         'import'   => Action::Import,
         'setup'    => Action::Setup,
         'enable' => Action::Enable,
+        'migrate' => Action::Migrate,
       }
 
       MAINT_ACTIONS = {

data/lib/puppetserver/ca/utils/http_client.rb

@@ -159,6 +159,36 @@ module Puppetserver
 
           store
         end
+
+        # Queries the simple status endpoint for the status of the CA service.
+        # Returns true if it receives back a response of "running", and false if
+        # no connection can be made, or a different response is received.
+        def self.check_server_online(settings, logger)
+          status_url = URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
+          begin
+            # Generating certs offline is necessary if the master cert has been destroyed
+            # or compromised. Since querying the status endpoint does not require a client cert, and
+            # we commonly won't have one, don't require one for creating the connection.
+            # Additionally, we want to ensure the server is stopped before migrating the CA dir to
+            # avoid issues with writing to the CA dir and moving it.
+            self.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
+              result = conn.get
+              if result.body == "running"
+                logger.err "CA service is running. Please stop it before attempting to run this command."
+                true
+              else
+                false
+              end
+            end
+          rescue Puppetserver::Ca::ConnectionFailed => e
+            if e.wrapped.is_a? Errno::ECONNREFUSED
+              return false
+            else
+              raise e
+            end
+          end
+        end
+
       end
     end
   end

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.8.0"
+    VERSION = "1.9.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.8.0
+  version: 1.9.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-05-19 00:00:00.000000000 Z
+date: 2020-10-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -99,6 +99,7 @@ files:
 - lib/puppetserver/ca/action/generate.rb
 - lib/puppetserver/ca/action/import.rb
 - lib/puppetserver/ca/action/list.rb
+- lib/puppetserver/ca/action/migrate.rb
 - lib/puppetserver/ca/action/revoke.rb
 - lib/puppetserver/ca/action/setup.rb
 - lib/puppetserver/ca/action/sign.rb
@@ -138,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: A simple CLI tool for interacting with Puppet Server's Certificate Authority