Merge pull request #9072 from mhashizume/PUP-11854/main/agent-renew

AriaXLi · web-flow · commit 2095c8b1d709 · 2023-06-20T10:29:52.000-07:00
(PUP-11854) Add method to renew certificate
diff --git a/lib/puppet/http/service/ca.rb b/lib/puppet/http/service/ca.rb
@@ -104,4 +104,29 @@ def put_certificate_request(name, csr, ssl_context: nil)
 
     response
   end
+
+  # Submit a POST request to send a certificate renewal request to the server
+  #
+  # @param [Puppet::SSL::SSLContext] ssl_context
+  #
+  # @return [Puppet::HTTP::Response] The request response
+  #
+  # @api public
+  def post_certificate_renewal(ssl_context)
+    headers = add_puppet_headers(HEADERS)
+    headers['Content-Type'] = 'text/plain'
+
+    response = @client.post(
+      with_base_url('/certificate_renewal'),
+      '', # Puppet::HTTP::Client.post requires a body, the API endpoint does not
+      headers: headers,
+      options: {ssl_context: ssl_context}
+    )
+
+    raise ArgumentError.new(_('SSL context must contain a client certificate.')) unless ssl_context.client_cert
+
+    process_response(response)
+
+    [response, response.body.to_s]
+  end
 end
diff --git a/spec/unit/http/service/ca_spec.rb b/spec/unit/http/service/ca_spec.rb
@@ -207,4 +207,75 @@
       end
     end
   end
+
+  context 'when getting certificates' do
+    let(:cert) { cert_fixture('signed.pem') }
+    let(:pem) { cert.to_pem }
+    let(:url) { "https://www.example.com/puppet-ca/v1/certificate_renewal" }
+    let(:cert_context) { Puppet::SSL::SSLContext.new(client_cert: pem) }
+    let(:client) { Puppet::HTTP::Client.new(ssl_context: cert_context) }
+    let(:session) { Puppet::HTTP::Session.new(client, []) }
+    let(:subject) { client.create_session.route_to(:ca) }
+
+    it "gets a certificate from the 'certificate_renewal' endpoint" do
+      stub_request(:post, url).to_return(body: pem)
+
+      _, body = subject.post_certificate_renewal(cert_context)
+      expect(body).to eq(pem)
+    end
+
+    it 'returns the request response' do
+      stub_request(:post, url).to_return(body: 'pem')
+
+      resp, _ = subject.post_certificate_renewal(cert_context)
+      expect(resp).to be_a(Puppet::HTTP::Response)
+    end
+
+    it 'accepts text/plain responses' do
+      stub_request(:post, url).with(headers: {'Accept' => 'text/plain'})
+
+      subject.post_certificate_renewal(cert_context)
+    end
+
+    it 'raises an ArgumentError if the SSL context does not contain a client cert' do
+      stub_request(:post, url)
+      expect { subject.post_certificate_renewal(ssl_context) }.to raise_error(ArgumentError, 'SSL context must contain a client certificate.')
+    end
+
+    it 'raises response error if unsuccessful' do
+      stub_request(:post, url).to_return(status: [400, 'Bad Request'])
+
+      expect {
+        subject.post_certificate_renewal(cert_context)
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::ResponseError)
+        expect(err.message).to eq('Bad Request')
+        expect(err.response.code).to eq(400)
+      end
+    end
+
+    it 'raises a response error if unsuccessful' do
+      stub_request(:post, url).to_return(status: [404, 'Not Found'])
+
+      expect {
+        subject.post_certificate_renewal(cert_context)
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::ResponseError)
+        expect(err.message).to eq("Not Found")
+        expect(err.response.code).to eq(404)
+      end
+    end
+
+    it 'raises a response error if unsuccessful' do
+      stub_request(:post, url).to_return(status: [404, 'Forbidden'])
+
+      expect {
+        subject.post_certificate_renewal(cert_context)
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::ResponseError)
+        expect(err.message).to eq("Forbidden")
+        expect(err.response.code).to eq(404)
+      end
+    end
+  end
 end
