Jira (PUP-11854) Add agent renew REST implementation

[Josh Cooper (Jira)]

Josh Cooper created an issue

Puppet / PUP-11854 Add agent renew REST implementation Issue Type: Task Assignee: Unassigned Created: 2023/05/18 10:39 AM Priority: Normal Reporter: Josh Cooper Add a new method to Puppet::HTTP::Services::CA to renew a client certificate, see https://github.com/puppetlabs/puppet/blob/main/lib/puppet/http/service/ca.rb See the API details in PE-35563, for example, it should POST the request. The method should accept: name: this is the name of the client whose cert is being renewed, typically Puppet[:certname] ssl_context: the current ssl context to use when making the request If the request is successful, the method should return the renewed client certificate. If the request is not successful, then raise Puppet::HTTP::ResponseError Add unit tests to spec/unit/http/services/ca_spec.rb to exercise the API. For example, this is where we test the CSR submission code: https://github.com/puppetlabs/puppet/blob/ad7d75b08dfff5e308fde199407d84308d74e538/spec/unit/http/service/ca_spec.rb#L159-L197 Test the different HTTP statuses (200, 403, etc) see the API details mentioned above. Unsuccessful requests should raise the appropriate ResponseError exception. Add Comment

This message was sent by Atlassian Jira (v8.20.21#820021-sha1:38274c8)

[Josh Cooper (Jira)]

Josh Cooper updated an issue

Puppet / PUP-11854 Add agent renew REST implementation

Change By: Josh Cooper Fix Version/s: PUP 8.2.0

Add Comment

[Josh Cooper (Jira)]

Josh Cooper updated an issue

Puppet / PUP-11854 Add agent renew REST implementation Change By: Josh Cooper

Add a new method to Puppet::HTTP::Services::CA to renew a client certificate, see https://github.com/puppetlabs/puppet/blob/main/lib/puppet/http/service/ca.rb See the API details in PE-35563, for example, it should POST the request. The method should accept:

* name: this is the name of the client whose cert is being renewed, typically Puppet[:certname] * ssl_context: the current ssl context to use when making the request , including the client cert that needs to be renewed If the request is successful, the method should return the a renewed client certificate. {{OpenSSL::X509::Certificate}}

If the request is not successful, then raise {{Puppet::HTTP::ResponseError}} Add unit tests to spec/unit/http/services/ca_spec.rb to exercise the API. For example, this is where we test the CSR submission code: https://github.com/puppetlabs/puppet/blob/ad7d75b08dfff5e308fde199407d84308d74e538/spec/unit/http/service/ca_spec.rb#L159-L197 Test the different HTTP statuses (200, 403, etc) see the API details mentioned above. Unsuccessful requests should raise the appropriate ResponseError exception.

Add Comment

[Josh Cooper (Jira)]

Josh Cooper updated an issue

Puppet / PUP-11854 Add agent renew REST implementation

Change By: Josh Cooper Sprint: Phoenix 2023-06-07

Add Comment

[Josh Cooper (Jira)]

[Josh Cooper (Jira)]

Josh Cooper updated an issue

Puppet / PUP-11854 Add agent renew REST implementation

Change By: Josh Cooper Sprint: Phoenix 2023-06-21

Add Comment

[Josh Cooper (Jira)]

Josh Cooper updated an issue

Puppet / PUP-11854 Add agent renew REST implementation Change By: Josh Cooper

Add a new method to Puppet::HTTP::Services::CA to renew a client certificate, see https://github.com/puppetlabs/puppet/blob/main/lib/puppet/http/service/ca.rb See the API details in PE-35563, for example, it should POST the request. The method should accept:

* name (required) : this is the name of the client whose cert is being renewed, typically Puppet[:certname] * ssl_context (required) : the current ssl context to use when making the request, including the client cert that needs to be renewed If the passed in ssl_context does not contain a client cert it should raise ArgumentError If the request is successful, the method should return a renewed {{OpenSSL::X509::Certificate}}

If the request is not successful, then raise {{Puppet::HTTP::ResponseError}} Add unit tests to spec/unit/http/services/ca_spec.rb to exercise the API. For example, this is where we test the CSR submission code: https://github.com/puppetlabs/puppet/blob/ad7d75b08dfff5e308fde199407d84308d74e538/spec/unit/http/service/ca_spec.rb#L159-L197 Test the different HTTP statuses (200, 403, etc) see the API details mentioned above. Unsuccessful requests should raise the appropriate ResponseError exception.

Add Comment

[Josh Cooper (Jira)]

Josh Cooper updated an issue

Puppet / PUP-11854 Add agent renew REST implementation

Change By: Josh Cooper Story Points: 3

Add Comment

[Josh Cooper (Jira)]

Josh Cooper updated an issue

Puppet / PUP-11854 Add agent renew REST implementation Change By: Josh Cooper

Add a new method to Puppet::HTTP::Services::CA to renew a client certificate, see https://github.com/puppetlabs/puppet/blob/main/lib/puppet/http/service/ca.rb See the API details in PE-35563, for example, it should POST the request. The method should accept: * name (required): this is the name of the client whose cert is being renewed, typically Puppet[:certname] * ssl_context (required): the current ssl context to use when making the request, including the client cert that needs to be renewed

* name is not required since the REST API doesn't accept one (/puppet-ca/v1/certificate_renewal)

If the passed in ssl_context does not contain a client cert it should raise ArgumentError If the request is successful, the method should return a renewed {{OpenSSL::X509::Certificate}} If the request is not successful, then raise {{Puppet::HTTP::ResponseError}} Add unit tests to spec/unit/http/services/ca_spec.rb to exercise the API. For example, this is where we test the CSR submission code: https://github.com/puppetlabs/puppet/blob/ad7d75b08dfff5e308fde199407d84308d74e538/spec/unit/http/service/ca_spec.rb#L159-L197 Test the different HTTP statuses (200, 403, etc) see the API details mentioned above. Unsuccessful requests should raise the appropriate ResponseError exception.

Add Comment

[Josh Cooper (Jira)]

Josh Cooper updated an issue

Puppet / PUP-11854 Add agent renew REST implementation Change By: Josh Cooper

Add a new method to Puppet::HTTP::Services::CA to renew a client certificate, see https://github.com/puppetlabs/puppet/blob/main/lib/puppet/http/service/ca.rb See the API details in PE-35563, for example, it should POST the request. The method should accept:

* ssl_context (required): the current ssl context to use when making the request, including the client cert that needs to be renewed * name is not required since the REST API doesn't accept one (/puppet-ca/v1/certificate_renewal) If the passed in ssl_context does not contain a client cert it should raise ArgumentError

The method should set {{Accept: text/plain}} since the expected response body contains PEM.

If the request is successful, the method should return a renewed {{OpenSSL::X509::Certificate}} If the request is not successful, then raise {{Puppet::HTTP::ResponseError}} Add unit tests to spec/unit/http/services/ca_spec.rb to exercise the API. For example, this is where we test the CSR submission code: https://github.com/puppetlabs/puppet/blob/ad7d75b08dfff5e308fde199407d84308d74e538/spec/unit/http/service/ca_spec.rb#L159-L197 Test the different HTTP statuses (200, 403, etc) see the API details mentioned above. Unsuccessful requests should raise the appropriate ResponseError exception.

This is an example curl command to test the server: {noformat} curl -sk -X POST -H Accept: text/plain --key /etc/puppetlabs/puppet/ssl/private_keys/$(puppet config print hostprivkey) --cert $(puppet config print hostcert) https://$(puppet config print server):8140/puppet-ca/v1/certificate_renewal {noformat}

Add Comment

[Josh Cooper (Jira)]

Josh Cooper updated an issue

Puppet / PUP-11854 Add agent renew REST implementation Change By: Josh Cooper

Add a new method to Puppet::HTTP::Services::CA to renew a client certificate, see https://github.com/puppetlabs/puppet/blob/main/lib/puppet/http/service/ca.rb See the API details in PE-35563, for example, it should POST the request. The method should accept: * ssl_context (required): the current ssl context to use when making the request, including the client cert that needs to be renewed * name is not required since the REST API doesn't accept one (/puppet-ca/v1/certificate_renewal) If the passed in ssl_context does not contain a client cert it should raise ArgumentError The method should set {{Accept: text/plain}} since the expected response body contains PEM. If the request is successful, the method should return a renewed {{OpenSSL::X509::Certificate}} If the request is not successful, then raise {{Puppet::HTTP::ResponseError}} Add unit tests to spec/unit/http/services/ca_spec.rb to exercise the API. For example, this is where we test the CSR submission code: https://github.com/puppetlabs/puppet/blob/ad7d75b08dfff5e308fde199407d84308d74e538/spec/unit/http/service/ca_spec.rb#L159-L197 Test the different HTTP statuses (200, 403, etc) see the API details mentioned above. Unsuccessful requests should raise the appropriate ResponseError exception. This is an example curl command to test the server: {noformat}

curl -sk -X POST -H Accept: text/plain --key /etc/puppetlabs/puppet/ssl/private_keys/ $(puppet config print hostprivkey) --cert $(puppet config print hostcert) https://$(puppet config print server):8140/puppet-ca/v1/certificate_renewal {noformat}

Add Comment

[Josh Cooper (Jira)]

Josh Cooper updated an issue

Puppet / PUP-11854 Add agent renew REST implementation Change By: Josh Cooper

Add a new method to Puppet::HTTP::Services::CA to renew a client certificate, see [ https://github.com/puppetlabs/puppet/blob/main/lib/puppet/http/service/ca.rb ] See the API details in PE-35563, for example, it should POST the request. The method should accept: * ssl_context (required): the current ssl context to use when making the request, including the client cert that needs to be renewed * name is not required since the REST API doesn't accept one (/puppet-ca/v1/certificate_renewal) If the passed in ssl_context does not contain a client cert it should raise ArgumentError The method should set {{Accept: text/plain}} since the expected response body contains PEM. If the request is successful, the method should return a renewed {{OpenSSL::X509::Certificate}} If the request is not successful, then raise {{Puppet::HTTP::ResponseError}} Add unit tests to spec/unit/http/services/ca_spec.rb to exercise the API. For example, this is where we test the CSR submission code: [ https://github.com/puppetlabs/puppet/blob/ad7d75b08dfff5e308fde199407d84308d74e538/spec/unit/http/service/ca_spec.rb#L159-L197 ] Test the different HTTP statuses (200, 403, etc) see the API details mentioned above. Unsuccessful requests should raise the appropriate ResponseError exception. This is an example curl command to test the server: {noformat}

curl -sk -X POST -H ' Accept: text/plain ' --key $(puppet config print hostprivkey) --cert $(puppet config print hostcert) https://$(puppet config print server):8140/puppet-ca/v1/certificate_renewal {noformat}

Add Comment

[Michael Hashizume (Jira)]

Michael Hashizume assigned an issue to Michael Hashizume

Puppet / PUP-11854 Add agent renew REST implementation

Change By: Michael Hashizume Assignee: Michael Hashizume

Add Comment

[Michael Hashizume (Jira)]

Michael Hashizume assigned an issue to Unassigned

[Aria Li (Jira)]

Aria Li assigned an issue to Aria Li

Puppet / PUP-11854 Add agent renew REST implementation

Change By: Aria Li Assignee: Aria Li

Add Comment

[Aria Li (Jira)]

Aria Li assigned an issue to Unassigned

[Christopher Thorn (Jira)]

Christopher Thorn updated an issue

Puppet / PUP-11854 Add agent renew REST implementation

Change By: Christopher Thorn Sprint: Phoenix 2023-06-21 , Phoenix 2023-07-05

Add Comment