Fix puppetserver ca sign with puppet 8.

spec/classes/puppet_server_puppetserver_spec.rb

@@ -117,6 +117,10 @@
             .with_content(/^\s+name: "puppetlabs cert status"/)
             .with_content(%r{^\s+path: "/puppet-ca/v1/certificate_statuses"})
             .with_content(/^\s+name: "puppetlabs cert statuses"/)
+            .with_content(%r{^\s+path: "/puppet-ca/v1/sign"})
+            .with_content(/^\s+name: "puppetlabs cert sign"/)
+            .with_content(%r{^\s+path: "/puppet-ca/v1/sign/all"})
+            .with_content(/^\s+name: "puppetlabs cert sign all"/)
             .with_content(%r{^\s+path: "/puppet-admin-api/v1/environment-cache"})
             .with_content(/^\s+name: "environment-cache"/)
             .with_content(%r{^\s+path: "/puppet-admin-api/v1/jruby-pool"})
@@ -577,6 +581,48 @@
           it { expect(rule['allow']).to eq(['localhost', 'host.example.com']) }
         end
       end
+
+      describe 'cert sign endpoint' do
+        let(:content) { catalogue.resource('file', auth_conf).send(:parameters)[:content] }
+        let(:rules) { Hocon.parse(content)['authorization']['rules'] }
+        let(:rule) { rules.find {|rule| rule['name'] == 'puppetlabs cert sign' } }
+
+        context 'by default' do
+          it { expect(rule).not_to be_nil }
+          it { expect(rule['match-request']['path']).to eq('/puppet-ca/v1/sign') }
+          it { expect(rule['match-request']['type']).to eq('path') }
+          it { expect(rule['match-request']['method']).to eq('post') }
+          it { expect(rule['sort-order']).to eq(500) }
+          it { expect(rule['allow']).to eq(['localhost', 'foo.example.com', {'extensions' => {'pp_cli_auth' => 'true'}}]) }
+        end
+
+        context 'with server_ca_client_allowlist set' do
+          let(:params) { super().merge(server_ca_client_allowlist: ['puppetserver.example.com', 'admin.example.com']) }
+
+          it { expect(rule['allow']).to eq(['puppetserver.example.com', 'admin.example.com', {'extensions' => {'pp_cli_auth' => 'true'}}]) }
+        end
+      end
+
+      describe 'cert sign all endpoint' do
+        let(:content) { catalogue.resource('file', auth_conf).send(:parameters)[:content] }
+        let(:rules) { Hocon.parse(content)['authorization']['rules'] }
+        let(:rule) { rules.find {|rule| rule['name'] == 'puppetlabs cert sign all' } }
+
+        context 'by default' do
+          it { expect(rule).not_to be_nil }
+          it { expect(rule['match-request']['path']).to eq('/puppet-ca/v1/sign/all') }
+          it { expect(rule['match-request']['type']).to eq('path') }
+          it { expect(rule['match-request']['method']).to eq('post') }
+          it { expect(rule['sort-order']).to eq(500) }
+          it { expect(rule['allow']).to eq(['localhost', 'foo.example.com', {'extensions' => {'pp_cli_auth' => 'true'}}]) }
+        end
+
+        context 'with server_ca_client_allowlist set' do
+          let(:params) { super().merge(server_ca_client_allowlist: ['puppetserver.example.com', 'admin.example.com']) }
+
+          it { expect(rule['allow']).to eq(['puppetserver.example.com', 'admin.example.com', {'extensions' => {'pp_cli_auth' => 'true'}}]) }
+        end
+      end
     end
   end
 end

spec/classes/puppet_server_spec.rb

@@ -478,7 +478,7 @@
             )
           end
 
           it 'should not sync the crl' do
             # https://github.com/puppetlabs/rspec-puppet/issues/37
             pending("rspec-puppet always sets $server_facts['servername']")
             should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem')
@@ -524,6 +524,11 @@
           it 'should not sync the crl' do
             should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem')
           end
+          it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path:\s*"/puppet-ca/v1/certificate_renewal"}) }
+          it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path:\s*"/puppet-ca/v1/certificate_status"}) }
+          it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path:\s*"/puppet-ca/v1/certificate_statuses"}) }
+          it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path:\s*"/puppet-ca/v1/sign"}) }
+          it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path:\s*"/puppet-ca/v1/sign/all"}) }
         end
       end
 

templates/server/puppetserver/conf.d/auth.conf.erb

@@ -202,6 +202,46 @@ authorization: {
             sort-order: 500
             name: "puppetlabs cert clean"
         },
+        {
+            # Allow the CA CLI to access the certificate sign endpoint
+            match-request: {
+                path: "/puppet-ca/v1/sign"
+                type: path
+                method: post
+            }
+            allow: [
+<%- @server_ca_client_allowlist.each do |client| -%>
+                "<%= client %>",
+<%- end -%>
+                {
+                    extensions: {
+                        pp_cli_auth: "true"
+                    }
+                }
+            ]
+            sort-order: 500
+            name: "puppetlabs cert sign"
+        },
+        {
+            # Allow the CA CLI to access the certificate sign all endpoint
+            match-request: {
+                path: "/puppet-ca/v1/sign/all"
+                type: path
+                method: post
+            }
+            allow: [
+<%- @server_ca_client_allowlist.each do |client| -%>
+                "<%= client %>",
+<%- end -%>
+                {
+                    extensions: {
+                        pp_cli_auth: "true"
+                    }
+                }
+            ]
+            sort-order: 500
+            name: "puppetlabs cert sign all"
+        },
         {
             # Allow unauthenticated access to the status service endpoint
             match-request: {