From 6c8e54b657633cafad63ea5a620492bf0cb893fd Mon Sep 17 00:00:00 2001 From: Arthur Lawson Date: Mon, 18 Dec 2023 11:50:06 -0800 Subject: [PATCH] (PE-37345) Create new bulk signing endpoints --- .../ca/certificate_authority_core.clj | 24 +++++++++- .../certificate_authority_int_test.clj | 47 +++++++++++++++++++ 2 files changed, 69 insertions(+), 2 deletions(-) diff --git a/src/clj/puppetlabs/services/ca/certificate_authority_core.clj b/src/clj/puppetlabs/services/ca/certificate_authority_core.clj index 2a59daa7b..6f0d6cbec 100644 --- a/src/clj/puppetlabs/services/ca/certificate_authority_core.clj +++ b/src/clj/puppetlabs/services/ca/certificate_authority_core.clj @@ -257,6 +257,22 @@ request-cert) (log/warn (i18n/trs "Request is missing a certificate for an endpoint that requires a certificate.")))))) + +(schema/defn handle-bulk-cert-signing + [_request + {:keys _certnames :- [schema/str] :as _ca-settings} :- ca/CaSettings] + (-> (rr/response (cheshire/generate-string {})) + (rr/status 200) + (rr/content-type "application/json"))) + +(schema/defn handle-bulk-cert-signing-all + [_request + _ca-settings :- ca/CaSettings] + (-> (rr/response (cheshire/generate-string {})) + (rr/status 200) + (rr/content-type "application/json"))) + + (schema/defn ^:always-validate handle-cert-renewal "Given a request and the CA settings, if there is a cert present in the request @@ -517,7 +533,7 @@ (comidi/routes (comidi/context ["/v1"] (ANY ["/certificate_status/" :subject] [subject] - (certificate-status subject ca-settings report-activity)) + (certificate-status subject ca-settings report-activity)) (comidi/context ["/certificate_statuses/"] (ANY [[#"[^/]+" :ignored-but-required]] request (certificate-statuses request ca-settings)) 
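Review bot: The destructuring in `handle-bulk-cert-signing`, `{:keys _certnames :- [schema/str] :as _ca-settings}`, does not look like valid Clojure: `:keys` takes a vector of symbols, so this form is presumably meant to be `{:keys [certnames] :as ca-settings} :- ca/CaSettings` — and it is worth confirming that a list of certnames to sign belongs in `CaSettings` at all rather than in the request body, since the list of what to sign is per-request input. Both new handlers are wired to live POST routes but are placeholders that answer `200 {}` without signing anything, so a caller (or an automation script) is told the operation succeeded when it did not; until the signing logic lands I would return `(rr/status 501)` or leave the routes unregistered. Unlike the neighbouring `handle-cert-renewal`, neither defn carries `^:always-validate`, so the schema annotations are not enforced at runtime. A short docstring on each, e.g. `"Sign the CSRs named in the request; not yet implemented."`, would also make the stub status explicit.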
@@ -540,7 +556,11 @@
 (PUT ["/clean"] request
 (handle-cert-clean request ca-settings report-activity))
 (POST ["/certificate_renewal"] request
- (handle-cert-renewal request ca-settings report-activity)))
+ (handle-cert-renewal request ca-settings report-activity))
+ (POST ["/sign"] request
+ (handle-bulk-cert-signing request ca-settings))
+ (POST ["/sign/all"] request
+ (handle-bulk-cert-signing-all request ca-settings)))
 (comidi/not-found "Not Found")))
 
 (schema/defn ^:always-validate
diff --git a/test/integration/puppetlabs/services/certificate_authority/certificate_authority_int_test.clj b/test/integration/puppetlabs/services/certificate_authority/certificate_authority_int_test.clj
index f36b1e81d..71fc036f1 100644
--- a/test/integration/puppetlabs/services/certificate_authority/certificate_authority_int_test.clj
+++ b/test/integration/puppetlabs/services/certificate_authority/certificate_authority_int_test.clj
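Review bot: The two new `POST` routes are the only mutating CA routes in this context that do not receive `report-activity`; `/clean` and `/certificate_renewal` both thread it through, and bulk signing is the most consequential CA action, so it should be reported the same way, i.e. `(handle-bulk-cert-signing request ca-settings report-activity)` with the handlers accepting the extra argument. Since authorization for `/puppet-ca/v1/*` paths is decided outside this hunk (auth.conf rules applied by middleware, as far as I can tell), the new `/sign` and `/sign/all` paths also need explicit allow rules and a documented set of permitted caller certnames, otherwise the endpoint is either unreachable or, worse, covered by a broader rule than intended — please confirm which applies here. The enclosing `comidi/routes` form starts before this hunk.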
@@ -1152,6 +1152,53 @@
 :body "Bad data"})]
 (is (= 400 (:status response)))))))
 
+(deftest ca-bulk-signing-endpoint-test
+ (testing "returns a 200 when provided certname array "
+ (bootstrap/with-puppetserver-running-with-mock-jrubies
+ "JRuby mocking is safe here because all of the requests are to the CA
+ endpoints, which are implemented in Clojure."
+ app
+ {:jruby-puppet
+ {:gem-path [(ks/absolute-path jruby-testutils/gem-path)]}
+ :webserver
+ {:ssl-cert (str bootstrap/server-conf-dir "/ssl/certs/localhost.pem")
+ :ssl-key (str bootstrap/server-conf-dir "/ssl/private_keys/localhost.pem")
+ :ssl-ca-cert (str bootstrap/server-conf-dir "/ca/ca_crt.pem")
+ :ssl-crl-path (str bootstrap/server-conf-dir "/ssl/crl.pem")}
+ :certificate-authority
+ {:certnames ["cert3" "cert1" "cert8"]}}
+ (let [response (http-client/post
+ "https://localhost:8140/puppet-ca/v1/sign"
+ {:ssl-cert (str bootstrap/server-conf-dir "/ca/ca_crt.pem")
+ :ssl-key (str bootstrap/server-conf-dir "/ca/ca_key.pem")
+ :ssl-ca-cert (str bootstrap/server-conf-dir "/ca/ca_crt.pem")
+ :as :text
+ :headers {"Accept" "application/json"}})]
+ (is (= 200 (:status response)))))))
+
+(deftest ca-bulk-signing-all-endpoint-test
+ (testing "returns a 200 when provided certname array "
+ (bootstrap/with-puppetserver-running-with-mock-jrubies
+ "JRuby mocking is safe here because all of the requests are to the CA
+ endpoints, which are implemented in Clojure."
+ app
+ {:jruby-puppet
+ {:gem-path [(ks/absolute-path jruby-testutils/gem-path)]}
+ :webserver
+ {:ssl-cert (str bootstrap/server-conf-dir "/ssl/certs/localhost.pem")
+ :ssl-key (str bootstrap/server-conf-dir "/ssl/private_keys/localhost.pem")
+ :ssl-ca-cert (str bootstrap/server-conf-dir "/ca/ca_crt.pem")
+ :ssl-crl-path (str bootstrap/server-conf-dir "/ssl/crl.pem")}
+ :certificate-authority}
+ (let [response (http-client/post
+ "https://localhost:8140/puppet-ca/v1/all"
+ {:ssl-cert (str bootstrap/server-conf-dir "/ca/ca_crt.pem")
+ :ssl-key (str bootstrap/server-conf-dir "/ca/ca_key.pem")
+ :ssl-ca-cert (str bootstrap/server-conf-dir "/ca/ca_crt.pem")
+ :as :text
+ :headers {"Accept" "application/json"}})]
+ (is (= 200 (:status response)))))))
+
 (deftest ca-certificate-renew-endpoint-test
 (testing "with the feature enabled"
 (testing "with allow-header-cert-info = false (default)"
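Review bot: `ca-bulk-signing-all-endpoint-test` posts to `"https://localhost:8140/puppet-ca/v1/all"`, but the route registered in the core change is `/sign/all`, so this request falls through to `comidi/not-found` and the `(is (= 200 ...))` assertion cannot pass; the URL should be `"https://localhost:8140/puppet-ca/v1/sign/all"`. The same test's config map ends in a bare `:certificate-authority}` with no value, which is an odd number of forms in a map literal and will fail at read time — either give it `{}` or drop the key. Both tests only check the status code, and with the handlers currently returning an empty body for every caller they would pass without a single certificate being signed; at minimum assert on the body, and ideally on the signed-cert files on disk, once the handlers do real work. The `testing` label on the second test is copied from the first ("when provided certname array") and should describe the sign-all case. Both tests also authenticate with the CA's own `ca_crt.pem`/`ca_key.pem` as the client identity; please confirm that is the caller these endpoints are meant to authorize rather than a convenience that hides an authorization gap.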