Better checking for legacy compiler OID

petergmurphy · petergmurphy · commit 10634e01ab85 · 2025-03-19T15:15:45.000Z
diff --git a/plans/upgrade.pp b/plans/upgrade.pp
@@ -135,23 +135,11 @@
 
   peadm::assert_supported_pe_version($_version, $permit_unsafe_versions)
 
-  # Gather certificate extension information from all systems
-  $cert_extensions_temp = run_task('peadm::cert_data', $all_targets).reduce({}) |$memo,$result| {
-    $memo + { $result.target.peadm::certname => $result['extensions'] }
-  }
-
-  # Add legacy compiler role to compilers that are missing it
-  $compilers_with_legacy_compiler_flag = $cert_extensions_temp.filter |$name,$exts| {
-    ($name in $compiler_targets.map |$t| { $t.name }) and
-    ($exts[peadm::oid('peadm_legacy_compiler')] != undef)
-  }
-
-  if $compilers_with_legacy_compiler_flag.size > 0 {
+  $rules_check = run_task('peadm::check_pe_master_rules', $primary_target).first.value
+  unless $rules_check['updated'] {
     fail_plan('Please run the Convert plan to convert your Puppet infrastructure to be managed by this version of PEADM.')
   }
 
-  run_task('peadm::update_pe_master_rules', $primary_target)
-
   # Gather certificate extension information from all systems
   $cert_extensions = run_task('peadm::cert_data', $all_targets).reduce({}) |$memo,$result| {
     $memo + { $result.target.peadm::certname => $result['extensions'] }
diff --git a/tasks/check_pe_master_rules.json b/tasks/check_pe_master_rules.json
@@ -6,19 +6,5 @@
     {"name": "check_pe_master_rules.rb"}
   ],
   "parameters": {},
-  "supports_noop": false,
-  "output": {
-    "updated": {
-      "description": "Whether the PE Master rules have already been updated",
-      "type": "Boolean"
-    },
-    "message": {
-      "description": "A message describing the current state of the PE Master rules",
-      "type": "String"
-    },
-    "error": {
-      "description": "Error message if the task failed",
-      "type": "Optional[String]"
-    }
-  }
+  "supports_noop": false
 } 
diff --git a/tasks/check_pe_master_rules.rb b/tasks/check_pe_master_rules.rb
@@ -87,18 +87,67 @@ def check_rules_updated(rules)
     false
   end
 
+  def https_pdb_client(port = 8081)
+    client = Net::HTTP.new(Puppet.settings[:certname], port)
+    client.use_ssl = true
+    client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
+    client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
+    client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    client.ca_file = Puppet.settings[:localcacert]
+    client
+  end
+
+  def check_nodes_with_legacy_compiler_oid
+    pdb = https_pdb_client
+    pdb_request = Net::HTTP::Get.new('/pdb/query/v4')
+    pdb_request.set_form_data({
+      'query' => 'inventory[certname,trusted.extensions] {
+        trusted.extensions."1.3.6.1.4.1.34380.1.1.9814" is not null
+      }'
+    })
+    
+    response = pdb.request(pdb_request)
+    
+    unless response.code == '200'
+      raise "Failed to query PuppetDB: HTTP #{response.code} - #{response.body}"
+    end
+    
+    nodes = JSON.parse(response.body)
+    
+    {
+      'nodes_found' => !nodes.empty?,
+      'count' => nodes.size,
+      'nodes' => nodes.map { |n| n['certname'] }
+    }
+  rescue JSON::ParserError => e
+    raise "Invalid JSON response from PuppetDB: #{e.message}"
+  rescue StandardError => e
+    raise "Error checking for legacy compiler OID: #{e.message}"
+  end
+
   def execute!
     begin
       group_id = get_pe_master_group_id
       current_rules = get_current_rules(group_id)
       
-      is_updated = check_rules_updated(current_rules)
+      rules_updated = check_rules_updated(current_rules)
+      legacy_compiler_nodes = check_nodes_with_legacy_compiler_oid
+      
+      # Overall status is updated only if rules are updated AND no nodes have legacy compiler OID
+      is_updated = rules_updated && !legacy_compiler_nodes['nodes_found']
+      
+      message = if !rules_updated
+                  'PE Master rules need to be updated to support pe_compiler_legacy'
+                elsif legacy_compiler_nodes['nodes_found']
+                  'PE Master rules are updated, but nodes with legacy compiler OID still exist'
+                else
+                  'PE Master rules have been updated with pe_compiler_legacy support and no legacy compiler OIDs found'
+                end
       
       result = {
         'updated' => is_updated,
-        'message' => is_updated ? 
-          'PE Master rules have already been updated with pe_compiler_legacy support' : 
-          'PE Master rules need to be updated to support pe_compiler_legacy'
+        'message' => message,
+        'legacy_compiler_oid' => legacy_compiler_nodes
       }
       
       puts result.to_json
diff --git a/tasks/get_peadm_config.rb b/tasks/get_peadm_config.rb
@@ -107,7 +107,7 @@ def compilers
   def legacy_compilers
     @legacy_compilers ||=
       pdb_query('inventory[certname,trusted.extensions] {
-          trusted.extensions.pp_auth_role = "legacy_compiler"
+          trusted.extensions.pp_auth_role = "pe_compiler_legacy"
         }').map do |c|
         {
           'certname' => c['certname'],

Original file line number	Diff line number	Diff line change
`@@ -107,7 +107,7 @@ def compilers`
`107`	`107`	`def legacy_compilers`
`108`	`108`	`@legacy_compilers \|\|=`
`109`	`109`	`pdb_query('inventory[certname,trusted.extensions] {`
`110`		`- trusted.extensions.pp_auth_role = "legacy_compiler"`
	`110`	`+ trusted.extensions.pp_auth_role = "pe_compiler_legacy"`
`111`	`111`	`}').map do \|c\|`
`112`	`112`	`{`
`113`	`113`	`'certname' => c['certname'],`