Get certificate status from primary

ody · ody · commit 548610565ac7 · 2022-05-31T20:50:14.000Z
When running peadm::subplans::modify_certificate also get status of
certificate from the perspective of the primary to detect if the
certificate has been revoked.

Introduces new task, peadm::cert_valid_status which checks different
failure scenarios when validating certificates.
diff --git a/plans/subplans/modify_certificate.pp b/plans/subplans/modify_certificate.pp
@@ -20,6 +20,9 @@
   # Figure out some information from the existing certificate
   $certdata = run_task('peadm::cert_data', $target).first.value
   $certname = $certdata['certname']
+
+
+
   $target_is_primary = ($certname == $primary_certname)
 
   # These vars represent what the extensions currently are, vs. what they should be
@@ -34,7 +37,6 @@
       ($desired_alt_names == $existing_alt_names) and
       ($desired_exts.all |$key,$val| { $existing_exts[$key] == $val }) and
       !($remove_extensions.any |$key| { $key in $existing_exts.keys }) and
-      !$certdata['certificate-revoked'] and
       !$force_regenerate)
   {
     out::message("${certname} already has requested modifications; certificate will not be re-issued")
@@ -66,9 +68,11 @@
     # fail the plan unless it's a known circumstance in which it's okay to proceed.
     # Scenario 1: the primary's cert can't be cleaned because it's already revoked.
     # Scenario 2: the primary's cert can't be cleaned because it's been deleted.
+    # Scenario 3: a component's cert can't be cleaned because it was previously by some other function.
     unless ($target_is_primary and
             ($ca_clean_result[merged_output] =~ /certificate revoked/ or
-              $ca_clean_result[merged_output] =~ /Could not find 'hostcert'/))
+              $ca_clean_result[merged_output] =~ /Could not find 'hostcert'/ or
+                $ca_clean_result[merged_output] =~ /Could not find files to clean/))
     {
       fail_plan($ca_clean_result)
     }
diff --git a/plans/subplans/prepare_agent.pp b/plans/subplans/prepare_agent.pp
@@ -36,19 +36,35 @@
     run_command('/opt/puppetlabs/bin/puppet config delete --section agent server_list', $agent_target)
   }
 
+  # Obtain data about certificate from primary 
+  $certstatus = run_task('peadm::cert_valid_status', $primary_target,
+    certname => $agent_target.peadm::certname()).first.value
+
+  if ($certstatus['certificate-status'] == 'invalid') {
+    $force_regenerate = true
+    $skip_csr = true
+  } else {
+    $force_regenerate = false
+    $skip_csr = false
+
+  }
+
   # Ensures scenarios where agent was pre-installed but never on-boarding and
   # when agent was absent but their was an existing signed certificate with the
   # same name as the one being provisioned.
   #
   # If necessary, manually submit a CSR
   # ignoring errors to simplify logic
-  run_task('peadm::submit_csr', $agent_target, {'_catch_errors' => true})
+  unless $skip_csr {
+    run_task('peadm::submit_csr', $agent_target, {'_catch_errors' => true})
 
-  # On primary, if necessary, sign the certificate request
-  run_task('peadm::sign_csr', $primary_target, { 'certnames' => [$agent_target.peadm::certname()] } )
+    # On primary, if necessary, sign the certificate request
+    run_task('peadm::sign_csr', $primary_target, { 'certnames' => [$agent_target.peadm::certname()] } )
+  }
 
   run_plan('peadm::modify_certificate', $agent_target,
-    primary_host   => $primary_target.peadm::certname(),
-    add_extensions => $certificate_extensions
+    primary_host     => $primary_target.peadm::certname(),
+    add_extensions   => $certificate_extensions,
+    force_regenerate => $force_regenerate
   )
 }
diff --git a/tasks/cert_valid_status.json b/tasks/cert_valid_status.json
@@ -0,0 +1,13 @@
+{
+  "description": "Check primary for valid state of a certificate",
+  "parameters": {
+    "certname": {
+      "type": "String",
+      "description": "The certifcate name to check validation of"
+    }
+  },
+  "input_method": "stdin",
+  "implementations": [
+    {"name": "cert_valid_status.rb"}
+  ]
+}
diff --git a/tasks/cert_valid_status.rb b/tasks/cert_valid_status.rb
@@ -0,0 +1,30 @@
+#!/opt/puppetlabs/puppet/bin/ruby
+# frozen_string_literal: true
+
+require 'puppet'
+require 'json'
+
+$params = JSON.parse(STDIN.read)
+
+Puppet.initialize_settings
+
+Puppet.settings.use(:agent, :server, :master, :main)
+
+begin
+  cert_provider = Puppet::X509::CertProvider.new
+  ssl_provider = Puppet::SSL::SSLProvider.new
+  password = cert_provider.load_private_key_password
+  ssl_context = ssl_provider.load_context(certname: $params['certname'], password: password)
+rescue Puppet::SSL::CertVerifyError => e
+  status = { 'certificate-status' => 'invalid', 'reason' => e.message }
+rescue Puppet::Error => e
+  status = { 'certificate-status' => 'unknown', 'reason' => e.message }
+else
+  cert = ssl_context.client_chain.first
+  status = { 'certificate-status' => 'valid', 'reason' => "Expires - #{cert.not_after}" }
+end
+
+result = status
+
+# Put the result to stdout
+puts result.to_json
