From 33d3834825fa7545d783a50fe2a84254e9f39b69 Mon Sep 17 00:00:00 2001
From: dforste
Date: Tue, 4 Nov 2025 19:23:32 +0000
Subject: [PATCH 1/6] Fix puppetserver ca sign with puppet 8.
---
 .../server/puppetserver/conf.d/auth.conf.erb | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb
index 85c69346..91680a2d 100644
--- a/templates/server/puppetserver/conf.d/auth.conf.erb
+++ b/templates/server/puppetserver/conf.d/auth.conf.erb
@@ -202,6 +202,36 @@ authorization: {
 sort-order: 500
 name: "puppetlabs cert clean"
 },
+ {
+ # Allow the CA CLI to access the certificate sign endpoint
+ match-request: {
+ path: "/puppet-ca/v1/sign"
+ type: path
+ method: post
+ }
+ allow: {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ sort-order: 500
+ name: "puppetlabs cert sign"
+ },
+ {
+ # Allow the CA CLI to access the certificate sign all endpoint
+ match-request: {
+ path: "/puppet-ca/v1/sign/all"
+ type: path
+ method: post
+ }
+ allow: {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ sort-order: 500
+ name: "puppetlabs cert sign all"
+ },
 {
 # Allow unauthenticated access to the status service endpoint
 match-request: {
From 30c31b1298299cd14f5c55d8367f012a2be98867 Mon Sep 17 00:00:00 2001
From: dforste
Date: Tue, 4 Nov 2025 20:08:18 +0000
Subject: [PATCH 2/6] Fixing to be more in line with rest of ca endpoints.
---
 templates/server/puppetserver/conf.d/auth.conf.erb | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb
index 91680a2d..a24b5e27 100644
--- a/templates/server/puppetserver/conf.d/auth.conf.erb
+++ b/templates/server/puppetserver/conf.d/auth.conf.erb
@@ -210,6 +210,9 @@ authorization: {
 method: post
 }
 allow: {
+<%- @server_ca_client_allowlist.each do |client| -%>
+ "<%= client %>",
+<%- end -%>
 extensions: {
 pp_cli_auth: "true"
 }
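Review bot: With `type: path` the `"/puppet-ca/v1/sign"` rule is a prefix match, so it already covers `/puppet-ca/v1/sign/all`, and because both new rules share sort-order 500 and "puppetlabs cert sign" sorts before "puppetlabs cert sign all", the second rule is probably never consulted — if I read trapperkeeper-authorization's rule ordering right. That is harmless today because the two allow blocks are identical, and the existing certificate_status/certificate_statuses pair visible in the spec context follows the same pattern, but a future attempt to restrict sign/all more tightly than sign would silently have no effect. A comment on the first rule would spare the next maintainer the surprise, e.g. `# type: path is a prefix match, so this rule also covers /puppet-ca/v1/sign/all; keep both allow blocks identical`.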
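Review bot: Every name in `@server_ca_client_allowlist` is now permitted to POST to `/puppet-ca/v1/sign`, and the matching hunk at `@@ -225,6 +228,9 @@` grants the same for `/puppet-ca/v1/sign/all`; signing pending CSRs is a CA-level privilege, so any host holding a certificate for an allowlisted name can issue an identity for any node. The commit message and the `['localhost', 'host.example.com']` context line in the spec hunk suggest this list already gates other CA endpoints, so an existing list entry gains signing rights without the operator changing anything. At minimum the template should say so next to the loop, e.g. `# entries of server_ca_client_allowlist may sign (and bulk-sign) pending CSRs; keep this list to CA admin hosts`, and the parameter's own documentation (outside this patch) should mention it too. A separate parameter for sign rights would let operators keep status/clean access without also granting signing.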
@@ -225,6 +228,9 @@ authorization: {
 method: post
 }
 allow: {
+<%- @server_ca_client_allowlist.each do |client| -%>
+ "<%= client %>",
+<%- end -%>
 extensions: {
 pp_cli_auth: "true"
 }
From 34bad27792a552b976eb4503232bf5c8427d9a27 Mon Sep 17 00:00:00 2001
From: dforste
Date: Tue, 4 Nov 2025 20:19:39 +0000
Subject: [PATCH 3/6] Fixing formatting.
---
 .../server/puppetserver/conf.d/auth.conf.erb | 24 +++++++++++--------
 1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb
index a24b5e27..d6069ecc 100644
--- a/templates/server/puppetserver/conf.d/auth.conf.erb
+++ b/templates/server/puppetserver/conf.d/auth.conf.erb
@@ -209,14 +209,16 @@ authorization: {
 type: path
 method: post
 }
- allow: {
+ allow: [
 <%- @server_ca_client_allowlist.each do |client| -%>
 "<%= client %>",
 <%- end -%>
- extensions: {
- pp_cli_auth: "true"
- }
- }
+ {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ ]
 sort-order: 500
 name: "puppetlabs cert sign"
 },
@@ -227,14 +229,16 @@ authorization: {
 type: path
 method: post
 }
- allow: {
+ allow: [
 <%- @server_ca_client_allowlist.each do |client| -%>
 "<%= client %>",
 <%- end -%>
- extensions: {
- pp_cli_auth: "true"
- }
- }
+ {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ ]
 sort-order: 500
 name: "puppetlabs cert sign all"
 },
From acf56b72bb29a9cc01e41626d443419966b88a1e Mon Sep 17 00:00:00 2001
From: Brian Witt
Date: Tue, 25 Nov 2025 23:11:17 -0800
Subject: [PATCH 4/6] add auth conf tests
---
 .../puppet_server_puppetserver_spec.rb | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb
index 37a78b7d..1802aac8 100644
--- a/spec/classes/puppet_server_puppetserver_spec.rb
+++ b/spec/classes/puppet_server_puppetserver_spec.rb
@@ -117,6 +117,10 @@
 .with_content(/^\s+name: "puppetlabs cert status"/)
 .with_content(%r{^\s+path: "/puppet-ca/v1/certificate_statuses"})
 .with_content(/^\s+name: "puppetlabs cert statuses"/)
+ .with_content(%r{^\s+path: "/puppet-ca/v1/sign"})
+ .with_content(/^\s+name: "puppetlabs cert sign"/)
+ .with_content(%r{^\s+path: "/puppet-ca/v1/sign/all"})
+ .with_content(/^\s+name: "puppetlabs cert sign all"/)
 .with_content(%r{^\s+path: "/puppet-admin-api/v1/environment-cache"})
 .with_content(/^\s+name: "environment-cache"/)
 .with_content(%r{^\s+path: "/puppet-admin-api/v1/jruby-pool"})
@@ -577,6 +581,48 @@
 it { expect(rule['allow']).to eq(['localhost', 'host.example.com']) }
 end
 end
+
+ describe 'cert sign endpoint' do
+ let(:content) { catalogue.resource('file', auth_conf).send(:parameters)[:content] }
+ let(:rules) { Hocon.parse(content)['authorization']['rules'] }
+ let(:rule) { rules.find {|rule| rule['name'] == 'puppetlabs cert sign' } }
+
+ context 'by default' do
+ it { expect(rule).not_to be_nil }
+ it { expect(rule['match-request']['path']).to eq('/puppet-ca/v1/sign') }
+ it { expect(rule['match-request']['type']).to eq('path') }
+ it { expect(rule['match-request']['method']).to eq('post') }
+ it { expect(rule['sort-order']).to eq(500) }
+ it { expect(rule['allow']).to eq(['localhost', 'foo.example.com', {'extensions' => {'pp_cli_auth' => 'true'}}]) }
+ end
+
+ context 'with server_ca_client_allowlist set' do
+ let(:params) { super().merge(server_ca_client_allowlist: ['puppetserver.example.com', 'admin.example.com']) }
+
+ it { expect(rule['allow']).to eq(['puppetserver.example.com', 'admin.example.com', {'extensions' => {'pp_cli_auth' => 'true'}}]) }
+ end
+ end
+
+ describe 'cert sign all endpoint' do
+ let(:content) { catalogue.resource('file', auth_conf).send(:parameters)[:content] }
+ let(:rules) { Hocon.parse(content)['authorization']['rules'] }
+ let(:rule) { rules.find {|rule| rule['name'] == 'puppetlabs cert sign all' } }
+
+ context 'by default' do
+ it { expect(rule).not_to be_nil }
+ it { expect(rule['match-request']['path']).to eq('/puppet-ca/v1/sign/all') }
+ it { expect(rule['match-request']['type']).to eq('path') }
+ it { expect(rule['match-request']['method']).to eq('post') }
+ it { expect(rule['sort-order']).to eq(500) }
+ it { expect(rule['allow']).to eq(['localhost', 'foo.example.com', {'extensions' => {'pp_cli_auth' => 'true'}}]) }
+ end
+
+ context 'with server_ca_client_allowlist set' do
+ let(:params) { super().merge(server_ca_client_allowlist: ['puppetserver.example.com', 'admin.example.com']) }
+
+ it {
expect(rule['allow']).to eq(['puppetserver.example.com', 'admin.example.com', {'extensions' => {'pp_cli_auth' => 'true'}}]) }
+ end
+ end
 end
 end
 end
From 8ade46214fe83ab8f1535f2555e7abe90f0c9efd Mon Sep 17 00:00:00 2001
From: dforste
Date: Fri, 28 Nov 2025 21:10:31 -0500
Subject: [PATCH 5/6] Adding spec tests.
Add tests for auth.conf file content in puppet_server_spec.rb
---
 spec/classes/puppet_server_spec.rb | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/spec/classes/puppet_server_spec.rb b/spec/classes/puppet_server_spec.rb
index dd8907a0..a5664f65 100644
--- a/spec/classes/puppet_server_spec.rb
+++ b/spec/classes/puppet_server_spec.rb
@@ -524,6 +524,11 @@
 it 'should not sync the crl' do
 should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem')
 end
+ it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path":\s*"/puppet-ca/v1/certificate_renewal"}) }
+ it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path":\s*"/puppet-ca/v1/certificate_status"}) }
+ it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path":\s*"/puppet-ca/v1/certificate_statuses"}) }
+ it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path":\s*"/puppet-ca/v1/sign"}) }
+ it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path":\s*"/puppet-ca/v1/sign/all"}) }
 end
 end
From fc344c01d19b0e7cce34303099b3015fd0531532 Mon Sep 17 00:00:00 2001
From: Brian Witt
Date: Fri, 28 Nov 2025 20:40:08 -0800
Subject: [PATCH 6/6] fix tests
---
 spec/classes/puppet_server_spec.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/spec/classes/puppet_server_spec.rb b/spec/classes/puppet_server_spec.rb
index a5664f65..ea481ded 100644
--- a/spec/classes/puppet_server_spec.rb
+++ b/spec/classes/puppet_server_spec.rb
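Review bot: In `let(:rule) { rules.find {|rule| rule['name'] == 'puppetlabs cert sign' } }` the block parameter `rule` shadows the `rule` helper being defined, and the 'cert sign all' describe repeats the same; `rules.find { |r| r['name'] == 'puppetlabs cert sign' }` removes the shadowing and the missing spaces inside the braces. The `let(:content)` and `let(:rules)` lines are also duplicated verbatim between the two new describes (and, judging by the `rule['allow']` context line at the top of the hunk, likely in a sibling describe as well), so hoisting them one level up, or a shared example group parameterised by rule name and path, would halve the hunk. The enclosing example group starts outside the hunk.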
@@ -524,11 +524,11 @@
 it 'should not sync the crl' do
 should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem')
 end
- it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path":\s*"/puppet-ca/v1/certificate_renewal"}) }
- it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path":\s*"/puppet-ca/v1/certificate_status"}) }
- it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path":\s*"/puppet-ca/v1/certificate_statuses"}) }
- it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path":\s*"/puppet-ca/v1/sign"}) }
- it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path":\s*"/puppet-ca/v1/sign/all"}) }
+ it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path:\s*"/puppet-ca/v1/certificate_renewal"}) }
+ it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path:\s*"/puppet-ca/v1/certificate_status"}) }
+ it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path:\s*"/puppet-ca/v1/certificate_statuses"}) }
+ it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path:\s*"/puppet-ca/v1/sign"}) }
+ it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path:\s*"/puppet-ca/v1/sign/all"}) }
 end
 end
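Review bot: The five examples differ only in the endpoint name, so a loop keeps the regex in one place and makes adding the next CA endpoint a one-word change: `%w[certificate_renewal certificate_status certificate_statuses sign sign/all].each do |endpoint|` / `it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path:\s*"/puppet-ca/v1/#{endpoint}"}) }` / `end`. The closing quote in `path:\s*"/puppet-ca/v1/sign"` is what stops that pattern from also matching the sign/all line, so the last example is not redundant with the fourth and the quote should stay. The enclosing context starts outside the hunk.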