Merge branch 'puppetlabs:main' into main

acceptance/config/beaker/options.rb

@@ -11,4 +11,5 @@
  "puppetserver-confdir"=>"/etc/puppetlabs/puppetserver/conf.d",
  "puppetserver-config"=>
   "/etc/puppetlabs/puppetserver/conf.d/puppetserver.conf",
- :puppet_build_version=>"cac0f53a340bd0490cd4edcee7d9a09bc9b51ceb"}
+ :puppet_build_version=>"75cd90a7dcbbf6120602a2071e5b8800b7c71087",
+ :ssh=>{:config=>true}}

acceptance/suites/pre_suite/foss/70_install_puppet.rb

@@ -21,10 +21,10 @@
     nss_package_name="nss"
   end
   if nss_package_name
-    if master['platform'] != 'el-8-x86_64'
-      master.upgrade_package(nss_package_name)
-    else
+    if master['platform'] == 'el-8-x86_64' || master['platform'] == 'el-9-x86_64'
       master.install_package(nss_package_name)
+    else
+      master.upgrade_package(nss_package_name)
     end
   else
     logger.warn("Don't know what nss package to use for #{variant} so not installing one")

dev/puppetserver.conf

@@ -199,7 +199,7 @@ certificate-authority: {
     # Disable auto renewal of certs by default.
     allow-auto-renewal: false
     # This value determines the lifetime of the cert if auto-renewal is enabled
-    auto-renewal-cert-ttl: "60d"
+    auto-renewal-cert-ttl: "90d"
     # Default cert expiration time. If the value is set here, it will take precedence over ca-ttl setting in puppet.conf
     #ca-ttl: "60d"
 }

ezbake/config/conf.d/auth.conf

@@ -56,6 +56,18 @@ authorization: {
             sort-order: 500
             name: "puppetlabs csr"
         },
+        {
+            # Allow nodes to renew their certificate
+            match-request: {
+                path: "/puppet-ca/v1/certificate_renewal"
+                type: path
+                method: post
+            }
+            # this endpoint should never be unauthenticated, as it requires the cert to be provided.
+            allow: "*"
+            sort-order: 500
+            name: "puppetlabs certificate renewal"
+        },
         {
             # Allow the CA CLI to access the certificate_status endpoint
             match-request: {

locales/puppetserver.pot

@@ -7,7 +7,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: puppetlabs.puppetserver \n"
-"X-Git-Ref: 4dc7b77e0db804b7a046682903df2660ec1b9304\n"
+"X-Git-Ref: b74338698b919c1bb53ba0718fb232ea7391b0d3\n"
 "Report-Msgid-Bugs-To: docs@puppet.com\n"
 "POT-Creation-Date: \n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
@@ -238,6 +238,26 @@ msgid_plural "Entity {1} {2} {0} certificates: {3}."
 msgstr[0] ""
 msgstr[1] ""
 
+#: src/clj/puppetlabs/puppetserver/certificate_authority.clj
+msgid "Found auto-renew-attribute {0}"
+msgstr ""
+
+#: src/clj/puppetlabs/puppetserver/certificate_authority.clj
+msgid "Deleted certificate request for {0} at {1}"
+msgstr ""
+
+#: src/clj/puppetlabs/puppetserver/certificate_authority.clj
+msgid "Path {0} exists but could not be deleted"
+msgstr ""
+
+#: src/clj/puppetlabs/puppetserver/certificate_authority.clj
+msgid "No certificate request for {0} at expected path {1}"
+msgstr ""
+
+#: src/clj/puppetlabs/puppetserver/certificate_authority.clj
+msgid "Calculating validity dates for {0} from ttl of {1} "
+msgstr ""
+
 #: src/clj/puppetlabs/puppetserver/certificate_authority.clj
 msgid "Saving CSR to ''{0}''"
 msgstr ""
@@ -280,18 +300,6 @@ msgid ""
 "your ca.conf file."
 msgstr ""
 
-#: src/clj/puppetlabs/puppetserver/certificate_authority.clj
-msgid "Deleted certificate request for {0}"
-msgstr ""
-
-#: src/clj/puppetlabs/puppetserver/certificate_authority.clj
-msgid "Path {0} exists but could not be deleted"
-msgstr ""
-
-#: src/clj/puppetlabs/puppetserver/certificate_authority.clj
-msgid "No certificate request for {0} at expected path {1}"
-msgstr ""
-
 #: src/clj/puppetlabs/puppetserver/certificate_authority.clj
 msgid "Cannot support delta CRL."
 msgstr ""
@@ -340,10 +348,6 @@ msgstr ""
 msgid "CA already initialized for SSL"
 msgstr ""
 
-#: src/clj/puppetlabs/puppetserver/certificate_authority.clj
-msgid "Removed certificate request for {0} at ''{1}''"
-msgstr ""
-
 #: src/clj/puppetlabs/puppetserver/certificate_authority.clj
 msgid "Certificate with serial {0} is already revoked."
 msgstr ""

project.clj

@@ -1,4 +1,4 @@
-(def ps-version "8.0.1-SNAPSHOT")
+(def ps-version "8.2.1-SNAPSHOT")
 
 (defn deploy-info
   [url]
@@ -27,13 +27,12 @@
 
   :min-lein-version "2.9.1"
 
-  :parent-project {:coords [puppetlabs/clj-parent "6.0.0"]
+  :parent-project {:coords [puppetlabs/clj-parent "7.1.0"]
                    :inherit [:managed-dependencies]}
 
   :dependencies [[org.clojure/clojure]
 
                  [slingshot]
-                 [clj-commons/clj-yaml]
                  [org.yaml/snakeyaml]
                  [commons-lang]
                  [commons-io]
@@ -45,6 +44,7 @@
                  [liberator]
                  [org.apache.commons/commons-exec]
                  [io.dropwizard.metrics/metrics-core]
+                 [org.yaml/snakeyaml "2.0"]
 
                  ;; We do not currently use this dependency directly, but
                  ;; we have documentation that shows how users can use it to
@@ -172,7 +172,7 @@
                                                [puppetlabs/jruby-utils]
                                                [puppetlabs/puppetserver ~ps-version]
                                                [puppetlabs/trapperkeeper-webserver-jetty9]]
-                      :plugins [[puppetlabs/lein-ezbake "2.4.1"]]
+                      :plugins [[puppetlabs/lein-ezbake "2.5.3"]]
                       :name "puppetserver"}
              :uberjar {:dependencies [[org.bouncycastle/bcpkix-jdk18on]
                                       [puppetlabs/trapperkeeper-webserver-jetty9]]

src/clj/puppetlabs/puppetserver/certificate_authority.clj

@@ -26,7 +26,6 @@
             [puppetlabs.puppetserver.common :as common]
             [puppetlabs.puppetserver.ringutils :as ringutils]
             [puppetlabs.ssl-utils.core :as utils]
-            [clj-yaml.core :as yaml]
             [puppetlabs.puppetserver.shell-utils :as shell-utils]
             [puppetlabs.i18n.core :as i18n]))
 
@@ -242,10 +241,10 @@
   60)
 
 (def default-auto-ttl-renewal
-  "60d") ; 60 days by default
+  "90d") ; 90 days by default
 
 (def default-auto-ttl-renewal-seconds
-  (duration-str->sec default-auto-ttl-renewal)) ; 60 days by default
+  (duration-str->sec default-auto-ttl-renewal)) ; 90 days by default
 
 (schema/defn ^:always-validate initialize-ca-config
   "Adds in default ca config keys/values, which may be overwritten if a value for
@@ -339,6 +338,10 @@
    :pp_auth_role        "1.3.6.1.4.1.34380.1.3.13"
    :pp_cli_auth         cli-auth-oid})
 
+;; OID for the attribute that indicates if the agent supports auto-renewal or not
+(def pp_auth_auto_renew-attribute
+  "1.3.6.1.4.1.34380.1.3.2",)
+
 (def netscape-comment-value
   "Standard value applied to the Netscape Comment extension for certificates"
   "Puppet Server Internal Certificate")
@@ -497,6 +500,10 @@
   (into (mapv (partial str "IP:") (utils/get-subject-ip-alt-names cert-or-csr))
         (mapv (partial str "DNS:") (utils/get-subject-dns-alt-names cert-or-csr))))
 
+(schema/defn get-csr-attributes :- utils/SSLMultiValueAttributeList
+  [csr :- PKCS10CertificationRequest]
+  (utils/get-attributes csr))
+
 (schema/defn authorization-extensions :- {schema/Str schema/Str}
   "Get the authorization extensions for the certificate or CSR.
   These are extensions that fall under the ppAuthCert OID arc.
@@ -1001,7 +1008,7 @@
   certificate extensions from the `extensions_requests` section."
   [csr-attributes-file :- schema/Str]
   (if (fs/file? csr-attributes-file)
-    (let [csr-attrs (yaml/parse-string (slurp csr-attributes-file))
+    (let [csr-attrs (common/parse-yaml (slurp csr-attributes-file))
           ext-req (:extension_requests csr-attrs)]
       (map (fn [[oid value]]
              {:oid (or (get puppet-short-names oid)
@@ -1022,7 +1029,7 @@
         csr-attr-exts (create-csr-attrs-exts csr-attributes)
         base-ext-list [(utils/netscape-comment
                          netscape-comment-value)
-                       (utils/authority-key-identifier ca-cert)
+                       (utils/authority-key-identifier-options ca-cert)
                        (utils/basic-constraints-for-non-ca true)
                        (utils/ext-key-usages
                          [ssl-server-cert ssl-client-cert] true)
@@ -1386,7 +1393,7 @@
         csr-ext-list (utils/get-extensions csr)
         base-ext-list [(utils/netscape-comment
                          netscape-comment-value)
-                       (utils/authority-key-identifier
+                       (utils/authority-key-identifier-options
                          cacert)
                        (utils/basic-constraints-for-non-ca true)
                        (utils/ext-key-usages
@@ -1438,15 +1445,51 @@
     (let [[msg signee certnames ip] (generate-cert-message-from-request request subjects activity-type)]
       (report-cert-event report-activity msg signee certnames ip activity-type))))
 
+(schema/defn supports-auto-renewal? :- schema/Bool
+  "Given a csr, determine if the requester is capable of supporting auto-renewal by looking for a specific attribute"
+  [csr]
+  (if-let [auto-renew-attribute (first (filter #(= pp_auth_auto_renew-attribute (:oid %)) (get-csr-attributes csr)))]
+    (do
+      (log/debug (i18n/trs "Found auto-renew-attribute {0}" (first (:values auto-renew-attribute))))
+      ;; the values is a sequence of results, assume the first one is correct.
+      (= "true" (first (:values auto-renew-attribute))))
+    false))
+
+(schema/defn ^:always-validate delete-certificate-request! :- OutcomeInfo
+  "Delete pending certificate requests for subject"
+  [{:keys [csrdir]} :- CaSettings
+   subject :- schema/Str]
+  (let [csr-path (path-to-cert-request csrdir subject)]
+
+    (if (fs/exists? csr-path)
+      (if (fs/delete csr-path)
+        (let [msg (i18n/trs "Deleted certificate request for {0} at {1}" subject csr-path)]
+          (log/debug msg)
+          {:outcome :success
+           :message msg})
+        (let [msg (i18n/trs "Path {0} exists but could not be deleted" csr-path)]
+          (log/error msg)
+          {:outcome :error
+           :message msg}))
+      (let [msg (i18n/trs "No certificate request for {0} at expected path {1}"
+                          subject csr-path)]
+        (log/warn msg)
+        {:outcome :not-found
+         :message msg}))))
+
 (schema/defn ^:always-validate
   autosign-certificate-request!
   "Given a subject name, their certificate request, and the CA settings
   from Puppet, auto-sign the request and write the certificate to disk."
   [subject :- schema/Str
    csr :- CertificateRequest
-   {:keys [cacert cakey signeddir ca-ttl] :as ca-settings} :- CaSettings
+   {:keys [cacert cakey signeddir ca-ttl allow-auto-renewal auto-renewal-cert-ttl] :as ca-settings} :- CaSettings
    report-activity]
-  (let [validity    (cert-validity-dates ca-ttl)
+  (let [renewal-ttl (if (and allow-auto-renewal (supports-auto-renewal? csr))
+                      auto-renewal-cert-ttl
+                      ca-ttl)
+        _           (log/debug (i18n/trs "Calculating validity dates for {0} from ttl of {1} " subject renewal-ttl))
+        validity    (cert-validity-dates renewal-ttl)
         ;; if part of a CA bundle, the intermediate CA will be first in the chain
         cacert      (utils/pem->ca-cert cacert cakey)
         signed-cert (utils/sign-certificate (utils/get-subject-from-x509-certificate
@@ -1462,6 +1505,7 @@
                                              cacert))]
     (write-cert-to-inventory! signed-cert ca-settings)
     (write-cert signed-cert (path-to-cert signeddir subject))
+    (delete-certificate-request! ca-settings subject)
     (report-activity [subject] "signed")))
 
 (schema/defn ^:always-validate
@@ -1475,7 +1519,7 @@
     (write-csr csr csr-path)))
 
 (schema/defn validate-duplicate-cert-policy!
-  "Throw a slingshot exception if allow-duplicate-certs is false
+  "Throw a slingshot exception if allow-duplicate-certs is false,
    and we already have a certificate or CSR for the subject.
    The exception map will look like:
    {:kind :duplicate-cert
@@ -1552,6 +1596,7 @@
                            (i18n/tru "To allow subject alternative names, set allow-subject-alt-names to true in your ca.conf file.")
                            (i18n/tru "Then restart the puppetserver and try signing this certificate again."))})))))))
 
+
 (schema/defn ^:always-validate process-csr-submission!
   "Given a CSR for a subject (typically from the HTTP endpoint),
    perform policy checks and sign or save the CSR (based on autosign).
@@ -1573,29 +1618,8 @@
         (ensure-no-authorization-extensions! csr allow-authorization-extensions)
         (validate-extensions! (utils/get-extensions csr))
         (validate-csr-signature! csr)
-        (autosign-certificate-request! subject csr settings report-activity)
-        (fs/delete (path-to-cert-request csrdir subject))))))
+        (autosign-certificate-request! subject csr settings report-activity)))))
 
-(schema/defn ^:always-validate delete-certificate-request! :- OutcomeInfo
-  "Delete pending certificate requests for subject"
-  [{:keys [csrdir]} :- CaSettings
-   subject :- schema/Str]
-  (let [csr-path (path-to-cert-request csrdir subject)]
-    (if (fs/exists? csr-path)
-      (if (fs/delete csr-path)
-        (let [msg (i18n/trs "Deleted certificate request for {0}" subject)]
-          (log/debug msg)
-          {:outcome :success
-           :message msg})
-        (let [msg (i18n/trs "Path {0} exists but could not be deleted" csr-path)]
-          (log/error msg)
-          {:outcome :error
-           :message msg}))
-      (let [msg (i18n/trs "No certificate request for {0} at expected path {1}"
-                  subject csr-path)]
-        (log/warn msg)
-        {:outcome :not-found
-         :message msg}))))
 
 (schema/defn ^:always-validate
   get-certificate-revocation-list :- schema/Str
@@ -1884,9 +1908,7 @@
    subject :- schema/Str
    report-activity]
   (let [csr-path (path-to-cert-request csrdir subject)]
-    (autosign-certificate-request! subject (utils/pem->csr csr-path) settings report-activity)
-    (fs/delete csr-path)
-    (log/debug (i18n/trs "Removed certificate request for {0} at ''{1}''" subject csr-path))))
+    (autosign-certificate-request! subject (utils/pem->csr csr-path) settings report-activity)))
 
 (schema/defn filter-already-revoked-serials :- [schema/Int]
   "Given a list of serials and Puppet's CA CRL, returns vector of serials with
@@ -2028,7 +2050,7 @@
   shortnames"
   [custom-oid-mapping-file :- schema/Str]
   (if (fs/file? custom-oid-mapping-file)
-    (let [oid-mappings (:oid_mapping (yaml/parse-string (slurp custom-oid-mapping-file)))]
+    (let [oid-mappings (:oid_mapping (common/parse-yaml (slurp custom-oid-mapping-file)))]
       (into {} (for [[oid names] oid-mappings] [(name oid) (keyword (:shortname names))])))
     (log/debug (i18n/trs "No custom OID mapping configuration file found at {0}, custom OID mappings will not be loaded"
                 custom-oid-mapping-file))))
@@ -2106,9 +2128,9 @@
   "Given a certificate and CaSettings create a new signed certificate using the public key from the certificate.
   It recreates all the extensions in the original certificate."
   [certificate :- X509Certificate
-   {:keys [cacert cakey auto_renewal_cert_ttl] :as ca-settings} :- CaSettings
+   {:keys [cacert cakey auto-renewal-cert-ttl] :as ca-settings} :- CaSettings
    report-activity]
-  (let [validity (cert-validity-dates (or auto_renewal_cert_ttl default-auto-ttl-renewal-seconds))
+  (let [validity (cert-validity-dates (or auto-renewal-cert-ttl default-auto-ttl-renewal-seconds))
         cacert (utils/pem->ca-cert cacert cakey)
         cert-subject (utils/get-subject-from-x509-certificate certificate)
         cert-name (utils/x500-name->CN cert-subject)