[WIP] Fixes #23211 - Token based PuppetCA autosigning

[juliantodt]

Removes old autosigning endpoints and adds new ones
that take a incoming CSR from puppet, extract the token
and forward it to foreman for verfication.

See also PRs in foreman-core, community-templates, puppet-foreman_proxy & puppet-puppet.

We would like to see some feedback early on while we are testing this thoroughly.

[dmitri-d]

Please do not remove old api endpoints, log a warning about them being deprecated instead. We usually keep api for one or two releases after the deprecation announcement.

[dmitri-d]

Since the api is being changed, why not change it to something like:

post "/autosign/:csr" instead of JSON encoding and then decoding a single parameter.

[juliantodt]

I'm pretty sure that CSRs are not URL-safe, as they include slashes and line-breaks.

[dmitri-d]

You could UR-encode the parameter? Alternatively, instead of putting the parameter in the url, you could put it in the body of the request (would still need to be url-encoded though), which is a bit cleaner.

[dmitri-d]

This looks fragile: are all of the intermediate calls guaranteed to not return nils?

[timogoebel]

I think this should be fine. Openssl is not known for its nice code.

[juliantodt]

Yeah, would probably be better to catch possible errors from this.

[dmitri-d]

Is signall needed? If so, please put warnings both when it's triggered and during initialization.

[juliantodt]

signall is the equivalent of putting * in your autosign.conf at the moment. As there are currently people using this it was a requested feature, so we're adding this as a setting. I don't think we need warnings for this as it is disabled by default and only is used if you manually update the settings, so you need to know what you're doing.

[dmitri-d]

I think a warning would be a good thing -- people forget to switch things back all the time. This flag completely circumvents token authorization, a warning would be a nice reminder (if verbose).

[dmitri-d]

Could you use something more descriptive for the method name, something like csr_recognised?

[juliantodt]

Will do.

[dmitri-d]

I would suggested splitting the check and cleanup into two separate actions: not only removal of data on check not something that is expected, but it might make sense to keep the token until the host has been successfully created.

[timogoebel]

Removing the token is part of the design. For security reasons, it should just be able to use the token once.

[juliantodt]

In what scenario do you think would it make sense to still have the token after the CSR was verified with it? If anything goes wrong during the verification, the token will not be deleted, so we just deleted it when the host has his cert signed, when we don't need the token anymore.

[dmitri-d]

It felt to me that this is a call with a (big) side-effect, which also broke the pattern of how we use "delete" method in smart-proxy.

If you renamed foreman_callback to something like delete_token, this would resolve the whole side-effect issue.

[dmitri-d]

Please log this at the error level.

[juliantodt]

Will change that. Do you think that the other logs are correct on debug? Considering you normally don't run it on debug-loglevel, you won't be able to trace back why a CSR wasn't verified if you wanted.

[dmitri-d]

I'm ok either way, but perhaps a warning would be a bit more helpful.

[dmitri-d]

I would also suggest replacing all class-methods in Proxy::PuppetCa with instance ones in a dedicated class, and use dependency injection to configure the module/api controller (please see dhcp, dns, or other modules for examples. Also see http://projects.theforeman.org/projects/foreman/wiki/How_to_Create_a_Smart-Proxy_Plugin#How-to-Load-Dependencies).

[timogoebel]

tap might come in handy here.

[juliantodt]

It's the same as in all the other functions there...

[timogoebel]

I think this should be fine. Openssl is not known for its nice code.

[timogoebel]

Can we rename this to sign_all? I always read it as signal and start wondering where the second l comes from.

[juliantodt]

Will do.

[timogoebel]

Removing the token is part of the design. For security reasons, it should just be able to use the token once.

[juliantodt]

@witlessbird
Removing old API-Endpoints: Puppet use the autosign.conf XOR the autosign-script. When we change to the script, the autosign.conf will be useless and with it all functions editing it. Sure we could keep the API endpoints and log warnings but they will have no effect aswell.

Outsourcing Methods: I will take a look at this.

Also some comments inline.
Could you take a look at the test? I don't think the fails are related to my changes, are they?

[timogoebel]

Could you take a look at the test? I don't think the fails are related to my changes, are they?

Don't worry, [test] failures are unrelated.

[dmitri-d]

I'd say this is too specific, any 2xx would be ok?

[juliantodt]

Since we write the Foreman-API at the same time, why not be specific?

[dmitri-d]

Foreman side of things can change which would require this code to be updated. Since we don't care about particulars of the response as long as it is an "ok" (aka 2xx) one, making it too specific makes it more fragile.

[timogoebel]

@juliantodt: Thanks. Some more comments that came up when I read the code. The DI stuff looks good now.

[timogoebel]

Nit: missing .

[timogoebel]

The class name should match the name of the file.

[dmitri-d]

Removing old API-Endpoints: Puppet use the autosign.conf XOR the autosign-script. When we change to the script, the autosign.conf will be useless and with it all functions editing it. Sure we could keep the API endpoints and log warnings but they will have no effect aswell.

If old behavior cannot be preserved at all, then all of these changes must reside in a new module/provider.

[timogoebel]

If old behavior cannot be preserved at all, then all of these changes must reside in a new module/provider.

@witlessbird: Why is that? Do we want to continue to support the old behavior so that users can use a newer smart-proxy version with an older Foreman version? Or is this meant for all the standalone users who use smart-proxy without Foreman?

[juliantodt]

Took care of all the comments as well as the test failures.

@witlessbird I can see that removing the old functionality might seem problematic, but it will be same with the updates to the foreman-core and I don't think we need to support older foreman versions with newer smart-proxy versions. Also allowing both signing options to be chosen by the user (-> will need to allow this in the foreman-core as well), will just cause problems like foreman & smart-proxy using tokens but puppet is configured to use the autosign.conf. When we are strict with these new changes and remove old functions we get obvious error messages at misconfigurations and the solution will be to just update to the latest version. I know it's not perfect to make these changes that affect multiple components that are backwards-incompatible, but I prefer it over the alternatives.

[ekohl]

I agree with @witlessbird that the API shouldn't change behavior of endpoints. If it changes, then it should use other URLs so Foreman gets a clear error. There are good reasons for this: until now we've always been flexible with versions. Running a 1.17 proxy with a 1.16 foreman worked, but also a 1.16 proxy with a 1.17 foreman. We know there are users with many proxies and upgrading them all at once is not feasible.

That said, I think there's still room for a compatible API. The one that's currently changed is GET /autosign. It could return an empty list.

[dmitri-d]

What @ekohl said. There is also a number of people who use smart-proxy api for integration with their own software -- they'll be affected by such a break too.

[juliantodt]

@witlessbird @ekohl So what you're saying is that you don't necessarily have a problem with removing old endpoints in favour of new ones but with keeping some and changing how they work. So change the name of the /autosign endpoint and done?

[dmitri-d]

@juliantodt: not quite. Old endpoints have to keep names and preserve functionality for a couple releases after being declared as deprecated.

If new functionality is being added to an existing end-point, the old behaviour must also be preserved.

[timogoebel]

@juliantodt: It looks like there is a lot of resistance in getting this in, which is unfortunate as we did ask if there were any concerns before starting the implementation. I'd suggest to split this up and try to get the refactorings in (moving the code to a provider) so the puppetca api is pluggable. Maybe we can then either support both providers or move this to a plugin.

[juliantodt]

Closing this in favour of the pluggable, backwards compatible approach #586.