(PUP-10589) Add a generate_request option to puppet ssl

nickgw · joshcooper · commit 54aead025896 · 2023-09-12T12:55:04.000-07:00
diff --git a/lib/puppet/application/ssl.rb b/lib/puppet/application/ssl.rb
@@ -59,6 +59,11 @@ def help
   the CSR. Otherwise a new key pair will be generated. If a CSR has already
   been submitted with the given `certname`, then the operation will fail.
 
+* generate_request:
+  Generate a certificate signing request (CSR). If
+  a private and public key pair already exist, they will be used to generate
+  the CSR. Otherwise a new key pair will be generated.
+
 * download_cert:
   Download a certificate for this host. If the current private key matches
   the downloaded certificate, then the certificate will be saved and used
@@ -136,6 +141,8 @@ def main
       unless cert
         raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: certname }
       end
+    when 'generate_request'
+      generate_request(certname)
     when 'verify'
       verify(certname)
     when 'clean'
@@ -187,6 +194,26 @@ def submit_request(ssl_context)
     raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
   end
 
+  def generate_request(certname)
+    key = @cert_provider.load_private_key(certname)
+    unless key
+      if Puppet[:key_type] == 'ec'
+        Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: certname, curve: Puppet[:named_curve] }
+        key = OpenSSL::PKey::EC.generate(Puppet[:named_curve])
+      else
+        Puppet.info _("Creating a new SSL key for %{name}") % { name: certname }
+        key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
+      end
+      @cert_provider.save_private_key(certname, key)
+    end
+
+    csr = @cert_provider.create_request(certname, key)
+    @cert_provider.save_request(certname, csr)
+    Puppet.notice _("Generated certificate request for '%{name}' at %{requestdir}") % { name: certname, requestdir: Puppet[:requestdir] }
+  rescue => e
+    raise Puppet::Error.new(_("Failed to generate certificate request: %{message}") % { message: e.message }, e)
+  end
+
   def download_cert(ssl_context)
     key = @cert_provider.load_private_key(Puppet[:certname])
 
diff --git a/spec/unit/application/ssl_spec.rb b/spec/unit/application/ssl_spec.rb
@@ -171,6 +171,50 @@ def expects_command_to_fail(message)
     end
   end
 
+  context 'when generating a CSR' do
+    let(:csr_path) { Puppet[:hostcsr] }
+    let(:requestdir) { Puppet[:requestdir] }
+
+    before do
+      ssl.command_line.args << 'generate_request'
+    end
+
+    it 'generates an RSA private key' do
+      File.unlink(Puppet[:hostprivkey])
+
+      expects_command_to_pass(%r{Generated certificate request for '#{name}' at #{requestdir}})
+    end
+
+    it 'generates an EC private key' do
+      Puppet[:key_type] = 'ec'
+      File.unlink(Puppet[:hostprivkey])
+
+      expects_command_to_pass(%r{Generated certificate request for '#{name}' at #{requestdir}})
+    end
+
+    it 'registers OIDs' do
+      expect(Puppet::SSL::Oids).to receive(:register_puppet_oids)
+
+      expects_command_to_pass(%r{Generated certificate request for '#{name}' at #{requestdir}})
+    end
+
+    it 'saves the CSR locally' do
+      expects_command_to_pass(%r{Generated certificate request for '#{name}' at #{requestdir}})
+
+      expect(Puppet::FileSystem).to be_exist(csr_path)
+    end
+
+    it 'accepts dns alt names' do
+      Puppet[:dns_alt_names] = 'majortom'
+
+      expects_command_to_pass
+
+      csr = Puppet::SSL::CertificateRequest.new(name)
+      csr.read(csr_path)
+      expect(csr.subject_alt_names).to include('DNS:majortom')
+    end
+  end
+
   context 'when downloading a certificate' do
     before do
       ssl.command_line.args << 'download_cert'
