Merge pull request #116 from h0tw1r3/SERVER-2691

(SERVER-2691) configurable root ca name
puppetlabs · Jan 22, 2024 · ce19cbc · ce19cbc
2 parents c573569 + ecad3b7
commit ce19cbc
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 5 deletions.
diff --git a/lib/puppetserver/ca/action/setup.rb b/lib/puppetserver/ca/action/setup.rb
@@ -19,7 +19,7 @@ class Setup
 Usage:
   puppetserver ca setup [--help]
   puppetserver ca setup [--config PATH] [--subject-alt-names NAME[,NAME]]
-                           [--certname NAME] [--ca-name NAME]
+                           [--certname NAME] [--ca-name NAME] [--root-ca-name NAME]
 
 Description:
   Setup a root and intermediate signing CA for Puppet Server
@@ -51,6 +51,7 @@ def run(input)
           settings_overrides = {}
           settings_overrides[:certname] = input['certname'] unless input['certname'].empty?
           settings_overrides[:ca_name] = input['ca-name'] unless input['ca-name'].empty?
+          settings_overrides[:root_ca_name] = input['root-ca-name'] unless input['root-ca-name'].empty?
           # Since puppet expects the key to be called 'dns_alt_names', we need to use that here
           # to ensure that the overriding works correctly.
           settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
@@ -153,6 +154,7 @@ def parse(cli_args)
         def self.parser(parsed = {})
           parsed['subject-alt-names'] = ''
           parsed['ca-name'] = ''
+          parsed['root-ca-name'] = ''
           parsed['certname'] = ''
           OptionParser.new do |opts|
             opts.banner = BANNER
@@ -170,6 +172,10 @@ def self.parser(parsed = {})
                     'Common name to use for the CA signing cert') do |name|
               parsed['ca-name'] = name
             end
+            opts.on('--root-ca-name NAME',
+                    'Common name to use for the self-signed Root CA cert') do |name|
+              parsed['root-ca-name'] = name
+            end
             opts.on('--certname NAME',
                     'Common name to use for the server cert') do |name|
               parsed['certname'] = name

diff --git a/lib/puppetserver/ca/config/puppet.rb b/lib/puppetserver/ca/config/puppet.rb
@@ -194,6 +194,9 @@ def resolve_settings(overrides = {}, logger, ca_dir_warn: true)
         # class keys/section names but nearly any character values (excluding
         # leading whitespace) up to one of whitespace, opening curly brace, or
         # hash sign (Our concern being to capture filesystem path values).
+        #
+        # ca_root and root_ca_name values may include whitespace
+        #
         # Put values without a section into :main.
         #
         # Return Hash of Symbol section names with Symbol setting keys and
@@ -205,10 +208,15 @@ def parse_text(text)
             case line
             when /^\s*\[(\w+)\].*/
               current_section = $1.to_sym
-            when /^\s*(\w+)\s*=\s*([^\s{#]+).*$/
+            when /^\s*(\w+)\s*=\s*(.+?)\s*(?=[{#]|$)/
               # Using a Hash with a default key breaks RSpec expectations.
               res[current_section] ||= {}
-              res[current_section][$1.to_sym] = $2
+              res[current_section][$1.to_sym] =
+                if [:ca_name, :root_ca_name].include?($1.to_sym)
+                  $2
+                else
+                  $2.split(' ')[0]
+                end
             end
           end
 

diff --git a/spec/puppetserver/ca/action/setup_spec.rb b/spec/puppetserver/ca/action/setup_spec.rb
@@ -32,6 +32,7 @@
         exit_code = subject.run({ 'config' => conf,
                                   'subject-alt-names' => '',
                                   'ca-name' => '',
+                                  'root-ca-name' => '',
                                   'certname' => '' })
         puts stderr.string
         expect(stderr.string).to be_empty
@@ -44,18 +45,20 @@
   include_examples 'properly sets up ca and ssl dir', Puppetserver::Ca::Action::Setup
 
   describe 'command line name overrides' do
-    it 'uses the ca_name as specified on the command line' do
+    it 'uses the ca_name and root_ca_name as specified on the command line' do
       Dir.mktmpdir do |tmpdir|
         with_temp_dirs tmpdir do |conf|
           exit_code = subject.run({ 'config' => conf,
                                     'subject-alt-names' => '',
                                     'ca-name' => 'Foo CA',
+                                    'root-ca-name' => 'Foo Root CA',
                                     'certname' => '' })
           expect(exit_code).to eq(0)
           ca_cert_file = File.join(tmpdir, 'ca', 'ca_crt.pem')
           expect(File.exist?(ca_cert_file)).to be true
           ca_cert = OpenSSL::X509::Certificate.new(File.read(ca_cert_file))
           expect(ca_cert.subject.to_s).to include('Foo CA')
+          expect(ca_cert.issuer.to_s).to include('Foo Root CA')
         end
       end
     end
@@ -66,12 +69,14 @@
           exit_code = subject.run({ 'config' => conf,
                                     'subject-alt-names' => '',
                                     'ca-name' => '',
+                                    'root-ca-name' => '',
                                     'certname' => '' })
           expect(exit_code).to eq(0)
           ca_cert_file = File.join(tmpdir, 'ca', 'ca_crt.pem')
           expect(File.exist?(ca_cert_file)).to be true
           ca_cert = OpenSSL::X509::Certificate.new(File.read(ca_cert_file))
           expect(ca_cert.subject.to_s).to include('Puppet CA')
+          expect(ca_cert.issuer.to_s).to match(/Puppet Root CA: ([0-9a-f]{14})/)
         end
       end
     end

diff --git a/spec/puppetserver/ca/config/puppet_spec.rb b/spec/puppetserver/ca/config/puppet_spec.rb
@@ -55,6 +55,21 @@
     expect(parsed).to include({ca: {cadir: '/var/www/ca'}})
   end
 
+  it 'correctly parses values with spaces and comments' do
+    parsed = subject.parse_text(<<-INI)
+    [master]
+      ca_name = Some Other CA
+      root_ca_name = Another Root CA # comment
+      cadir = /some/where discard/this # here
+    INI
+
+    expect(parsed[:master]).to include({
+      ca_name: 'Some Other CA',
+      root_ca_name: 'Another Root CA',
+      cadir: '/some/where'
+    })
+  end
+
   it 'resolves dependent settings properly' do
     Dir.mktmpdir do |tmpdir|
       puppet_conf = File.join(tmpdir, 'puppet.conf')

diff --git a/spec/shared_examples/setup.rb b/spec/shared_examples/setup.rb
@@ -9,7 +9,7 @@ def mode(file)
 def default_config(conf, bundle, key, chain)
   shared_flags = {'config' => conf, 'subject-alt-names' => '', 'certname' => 'foocert'}
   import_flags = {'cert-bundle' => bundle, 'private-key' => key, 'crl-chain' => chain}
-  importing ? shared_flags.merge(import_flags) : shared_flags.merge({'ca-name' => ''})
+  importing ? shared_flags.merge(import_flags) : shared_flags.merge({'ca-name' => '', 'root-ca-name' => ''})
 end
 
 def flags_without_sans(*args)