Fixes #23799 - Refactor: Make PuppetCa pluggable

config/settings.d/puppetca.yml.example

@@ -2,7 +2,9 @@
 # Can be true, false, or http/https to enable just one of the protocols
 :enabled: false
 
+# valid providers:
+#   - puppetca_hostverify (verify CSRs based on hostnames)
+#:use_provider: puppetca_hostverify
 #:ssldir: /var/lib/puppet/ssl
-#:autosignfile: /etc/puppet/autosign.conf
 #:puppetca_use_sudo: true
 #:sudo_command: /usr/bin/sudo

config/settings.d/puppetca_hostverify.yml.example

@@ -0,0 +1,6 @@
+---
+#
+# Configuration of the PuppetCA hostverify provider
+#
+
+#:autosignfile: /etc/puppet/autosign.conf

lib/smart_proxy_main.rb

@@ -67,6 +67,7 @@ module Proxy
   require 'dhcp_native_ms/dhcp_native_ms'
   require 'dhcp_libvirt/dhcp_libvirt'
   require 'puppetca/puppetca'
+  require 'puppetca_hostverify/puppetca_hostverify'
   require 'puppet_proxy/puppet'
   require 'puppet_proxy_customrun/puppet_proxy_customrun'
   require 'puppet_proxy_legacy/puppet_proxy_legacy'

modules/puppetca/dependency_injection.rb

@@ -0,0 +1,8 @@
+module Proxy::PuppetCa
+  module DependencyInjection
+    include Proxy::DependencyInjection::Accessors
+    def container_instance
+      @container_instance ||= ::Proxy::Plugins.instance.find {|p| p[:name] == :puppetca }[:di_container]
+    end
+  end
+end

modules/puppetca/plugin_configuration.rb

@@ -0,0 +1,13 @@
+module ::Proxy::PuppetCa
+  class PluginConfiguration
+    def load_classes
+      require 'puppetca/puppetca_certmanager'
+      require 'puppetca/dependency_injection'
+      require 'puppetca/puppetca_api'
+    end
+
+    def load_dependency_injection_wirings(container_instance, settings)
+      container_instance.dependency :cert_manager, lambda { ::Proxy::PuppetCa::Certmanager.new }
+    end
+  end
+end

modules/puppetca/puppetca.rb

@@ -1,3 +1,2 @@
+require 'puppetca/plugin_configuration'
 require 'puppetca/puppetca_plugin'
-
-module Proxy::PuppetCa; end

modules/puppetca/puppetca_api.rb

@@ -2,14 +2,18 @@
 
 module Proxy::PuppetCa
   class Api < ::Sinatra::Base
+    extend Proxy::PuppetCa::DependencyInjection
+    inject_attr :cert_manager, :cert_manager
+    inject_attr :autosigner, :autosigner
+
     helpers ::Proxy::Helpers
     authorize_with_trusted_hosts
     authorize_with_ssl_client
 
     get "/?" do
       content_type :json
       begin
-        Proxy::PuppetCa.list.to_json
+        cert_manager.list.to_json
       rescue => e
         log_halt 406, "Failed to list certificates: #{e}"
       end
@@ -18,7 +22,7 @@ class Api < ::Sinatra::Base
     get "/autosign" do
       content_type :json
       begin
-        Proxy::PuppetCa.autosign_list.to_json
+        autosigner.autosign_list.to_json
       rescue => e
         log_halt 406, "Failed to list autosign entries: #{e}"
       end
@@ -28,7 +32,7 @@ class Api < ::Sinatra::Base
       content_type :json
       certname = params[:certname]
       begin
-        Proxy::PuppetCa.autosign(certname)
+        autosigner.autosign(certname)
       rescue => e
         log_halt 406, "Failed to enable autosign for #{certname}: #{e}"
       end
@@ -38,7 +42,7 @@ class Api < ::Sinatra::Base
       content_type :json
       certname = params[:certname]
       begin
-        Proxy::PuppetCa.disable(certname)
+        autosigner.disable(certname)
       rescue Proxy::PuppetCa::NotPresent => e
         log_halt 404, e.to_s
       rescue => e
@@ -50,7 +54,7 @@ class Api < ::Sinatra::Base
       content_type :json
       certname = params[:certname]
       begin
-        Proxy::PuppetCa.sign(certname)
+        cert_manager.sign(certname)
       rescue => e
         log_halt 406, "Failed to sign certificate(s) for #{certname}: #{e}"
       end
@@ -60,7 +64,7 @@ class Api < ::Sinatra::Base
       begin
         content_type :json
         certname = params[:certname]
-        Proxy::PuppetCa.clean(certname)
+        cert_manager.clean(certname)
       rescue Proxy::PuppetCa::NotPresent => e
         log_halt 404, e.to_s
       rescue => e

modules/puppetca/puppetca_main.rb → modules/puppetca/puppetca_certmanager.rb

@@ -2,12 +2,13 @@
 require 'set'
 
 module Proxy::PuppetCa
-  extend ::Proxy::Log
-  extend ::Proxy::Util
 
   class NotPresent < RuntimeError; end
 
-  class << self
+  class Certmanager
+    include ::Proxy::Log
+    include ::Proxy::Util
+
     def sign certname
       puppetca("sign", certname)
     end
@@ -16,53 +17,6 @@ def clean certname
       puppetca("clean", certname)
     end
 
-    #remove certname from autosign if exists
-    def disable certname
-      raise "No such file #{autosign_file}" unless File.exist?(autosign_file)
-
-      found = false
-      entries = File.readlines(autosign_file).collect do |l|
-        if l.chomp != certname
-          l
-        else
-          found = true
-          nil
-        end
-      end.uniq.compact
-      if found
-        open(autosign_file, File::TRUNC|File::RDWR) do |autosign|
-          autosign.write entries.join
-        end
-        logger.debug "Removed #{certname} from autosign"
-      else
-        logger.debug "Attempt to remove nonexistent client autosign for #{certname}"
-        raise NotPresent, "Attempt to remove nonexistent client autosign for #{certname}"
-      end
-    end
-
-    # add certname to puppet autosign file
-    # parameter is certname to use
-    def autosign certname
-      FileUtils.touch(autosign_file) unless File.exist?(autosign_file)
-
-      open(autosign_file, File::RDWR) do |autosign|
-        # Check that we don't have that host already
-        found = autosign.readlines.find { |line| line.chomp == certname }
-        autosign.puts certname unless found
-      end
-      logger.debug "Added #{certname} to autosign"
-    end
-
-    # list of hosts which are now allowed to be installed via autosign
-    def autosign_list
-      return [] unless File.exist?(autosign_file)
-      File.read(autosign_file).split("\n").reject do |v|
-        v =~ /^\s*#.*|^$/ ## Remove comments and empty lines
-      end.map do |v|
-        v.chomp ## Strip trailing spaces
-      end
-    end
-
     # list of all certificates and their state/fingerprint
     def list
       find_puppetca
@@ -129,10 +83,6 @@ def ssldir
       Proxy::PuppetCa::Plugin.settings.ssldir
     end
 
-    def autosign_file
-      Proxy::PuppetCa::Plugin.settings.autosignfile
-    end
-
     # parse the puppetca --list output
     def certificate str
       case str

modules/puppetca/puppetca_plugin.rb

@@ -3,8 +3,13 @@ class Plugin < ::Proxy::Plugin
     http_rackup_path File.expand_path("http_config.ru", File.expand_path("../", __FILE__))
     https_rackup_path File.expand_path("http_config.ru", File.expand_path("../", __FILE__))
 
-    default_settings :ssldir => '/var/lib/puppet/ssl', :autosignfile => '/etc/puppet/autosign.conf'
+    default_settings :ssldir => '/var/lib/puppet/ssl'
 
+    uses_provider
+    default_settings :use_provider => 'puppetca_hostverify'
+
+    load_classes ::Proxy::PuppetCa::PluginConfiguration
+    load_dependency_injection_wirings ::Proxy::PuppetCa::PluginConfiguration
     plugin :puppetca, ::Proxy::VERSION
   end
 end

modules/puppetca_hostverify/plugin_configuration.rb

@@ -0,0 +1,12 @@
+module ::Proxy::PuppetCa::Hostverify
+  class PluginConfiguration
+    def load_classes
+      require 'puppetca_hostverify/puppetca_hostverify_autosigner'
+    end
+
+    def load_dependency_injection_wirings(container_instance, settings)
+      container_instance.dependency :autosigner, lambda { ::Proxy::PuppetCa::Hostverify::Autosigner.new }
+    end
+  end
+end
+

modules/puppetca_hostverify/puppetca_hostverify.rb

@@ -0,0 +1,2 @@
+require 'puppetca_hostverify/plugin_configuration'
+require 'puppetca_hostverify/puppetca_hostverify_plugin'

modules/puppetca_hostverify/puppetca_hostverify_autosigner.rb

@@ -0,0 +1,57 @@
+module ::Proxy::PuppetCa::Hostverify
+  class Autosigner
+    include ::Proxy::Log
+    include ::Proxy::Util
+
+    def autosign_file
+      Proxy::PuppetCa::Hostverify::Plugin.settings.autosignfile
+    end
+
+    #remove certname from autosign if exists
+    def disable certname
+      raise "No such file #{autosign_file}" unless File.exist?(autosign_file)
+
+      found = false
+      entries = File.readlines(autosign_file).collect do |l|
+        if l.chomp != certname
+          l
+        else
+          found = true
+          nil
+        end
+      end.uniq.compact
+      if found
+        open(autosign_file, File::TRUNC|File::RDWR) do |autosign|
+          autosign.write entries.join
+        end
+        logger.debug "Removed #{certname} from autosign"
+      else
+        logger.debug "Attempt to remove nonexistent client autosign for #{certname}"
+        raise ::Proxy::PuppetCa::NotPresent, "Attempt to remove nonexistent client autosign for #{certname}"
+      end
+    end
+
+    # add certname to puppet autosign file
+    # parameter is certname to use
+    def autosign certname
+      FileUtils.touch(autosign_file) unless File.exist?(autosign_file)
+
+      open(autosign_file, File::RDWR) do |autosign|
+        # Check that we don't have that host already
+        found = autosign.readlines.find { |line| line.chomp == certname }
+        autosign.puts certname unless found
+      end
+      logger.debug "Added #{certname} to autosign"
+    end
+
+    # list of hosts which are now allowed to be installed via autosign
+    def autosign_list
+      return [] unless File.exist?(autosign_file)
+      File.read(autosign_file).split("\n").reject do |v|
+        v =~ /^\s*#.*|^$/ ## Remove comments and empty lines
+      end.map do |v|
+        v.chomp ## Strip trailing spaces
+      end
+    end
+  end
+end

modules/puppetca_hostverify/puppetca_hostverify_plugin.rb

@@ -0,0 +1,11 @@
+module ::Proxy::PuppetCa::Hostverify
+  class Plugin < ::Proxy::Provider
+    plugin :puppetca_hostverify, ::Proxy::VERSION
+
+    requires :puppetca, ::Proxy::VERSION
+    default_settings :autosignfile => '/etc/puppet/autosign.conf'
+
+    load_classes ::Proxy::PuppetCa::Hostverify::PluginConfiguration
+    load_dependency_injection_wirings ::Proxy::PuppetCa::Hostverify::PluginConfiguration
+  end
+end