(PUP-11856) State machine renews host cert

mhashizume · mhashizume · commit 7aec0c737709 · 2023-06-27T15:58:47.000-07:00
This commit adds a new NeedRenewedCert class and related logic to the
state machine to handle automatic host/client certificate renewal.
diff --git a/lib/puppet/ssl/state_machine.rb b/lib/puppet/ssl/state_machine.rb
@@ -262,7 +262,11 @@ def next_state
           next_ctx = @ssl_provider.create_context(
             cacerts: @ssl_context.cacerts, crls: @ssl_context.crls, private_key: key, client_cert: cert
           )
-          return Done.new(@machine, next_ctx)
+          if needs_refresh?(cert)
+            return NeedRenewedCert.new(@machine, next_ctx, key)
+          else
+            return Done.new(@machine, next_ctx)
+          end
         end
       else
         if Puppet[:key_type] == 'ec'
@@ -278,6 +282,15 @@ def next_state
 
       NeedSubmitCSR.new(@machine, @ssl_context, key)
     end
+
+    private
+
+    def needs_refresh?(cert)
+      cert_ttl = Puppet[:hostcert_renewal_interval]
+      return false unless cert_ttl
+
+      Time.now.to_i >= (cert.not_after.to_i - cert_ttl)
+    end
   end
 
   # Base class for states with a private key.
@@ -349,6 +362,39 @@ def next_state
     end
   end
 
+  # Class to renew a client/host certificate automatically.
+  #
+  class NeedRenewedCert < KeySSLState
+    def next_state
+      Puppet.debug(_("Renewing client certificate"))
+
+      route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
+      cert = OpenSSL::X509::Certificate.new(
+        route.post_certificate_renewal(@ssl_context)[1]
+      )
+
+      # verify client cert before saving
+      next_ctx = @ssl_provider.create_context(
+        cacerts: @ssl_context.cacerts, crls: @ssl_context.crls, private_key: @private_key, client_cert: cert
+      )
+      @cert_provider.save_client_cert(Puppet[:certname], cert)
+
+      Puppet.info(_("Refreshed client certificate: %{cert_digest}, not before '%{not_before}', not after '%{not_after}'") % { cert_digest: @machine.digest_as_hex(cert.to_pem), not_before: cert.not_before, not_after: cert.not_after })
+      
+      Done.new(@machine, next_ctx)
+    rescue Puppet::HTTP::ResponseError => e
+      if e.response.code == 404
+        Puppet.info(_("Certificate autorenewal has not been enabled on the server."))
+      else
+        Puppet.warning(_("Failed to automatically renew certificate: %{code} %{reason}") % { code: e.response.code, reason: e.response.reason })
+      end
+      Done.new(@machine, @ssl_context)
+    rescue => e
+      Puppet.warning(_("Unable to automatically renew certificate: %{message}") % { message: e })
+      Done.new(@machine, @ssl_context)
+    end
+  end
+
   # We cannot make progress, so wait if allowed to do so, or exit.
   #
   class Wait < SSLState
diff --git a/spec/unit/ssl/state_machine_spec.rb b/spec/unit/ssl/state_machine_spec.rb
@@ -745,6 +745,26 @@ def expect_lockfile_to_contain(pid)
           state.next_state
         }.to raise_error(OpenSSL::PKey::RSAError)
       end
+
+      it "transitions to Done if current time plus renewal interval is less than cert's \"NotAfter\" time" do
+        allow(cert_provider).to receive(:load_private_key).and_return(private_key)
+        allow(cert_provider).to receive(:load_client_cert).and_return(client_cert)
+
+        st = state.next_state
+        expect(st).to be_instance_of(Puppet::SSL::StateMachine::Done)
+      end
+
+      it "returns NeedRenewedCert if current time plus renewal interval is greater than cert's \"NotAfter\" time" do
+        client_cert.not_after=(Time.now + 300)
+        allow(cert_provider).to receive(:load_private_key).and_return(private_key)
+        allow(cert_provider).to receive(:load_client_cert).and_return(client_cert)
+
+        ssl_context = Puppet::SSL::SSLContext.new(cacerts: [cacert], client_cert: client_cert, crls: [crl])
+        state = Puppet::SSL::StateMachine::NeedKey.new(machine, ssl_context)
+
+        st = state.next_state
+        expect(st).to be_instance_of(Puppet::SSL::StateMachine::NeedRenewedCert)
+      end
     end
 
     context 'in state NeedSubmitCSR' do
@@ -1049,5 +1069,48 @@ def write_csr_attributes(data)
         expect(state.next_state).to be_an_instance_of(Puppet::SSL::StateMachine::LockFailure)
       end
     end
+
+    context 'in state NeedRenewedCert' do
+      before :each do
+        client_cert.not_after=(Time.now + 300)
+      end
+
+      let(:ssl_context) { Puppet::SSL::SSLContext.new(cacerts: cacerts, client_cert: client_cert, crls: crls,)}
+      let(:state) { Puppet::SSL::StateMachine::NeedRenewedCert.new(machine, ssl_context, private_key) }
+      let(:renewed_cert) { cert_fixture('renewed.pem') }
+
+      it 'returns Done with renewed cert when successful' do
+        allow(cert_provider).to receive(:save_client_cert)
+        stub_request(:post, %r{puppet-ca/v1/certificate_renewal}).to_return(status: 200, body: renewed_cert.to_pem)
+
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Done)
+        expect(st.ssl_context[:client_cert]).to eq(renewed_cert)
+      end
+
+      it 'logs a warning message when failing with a non-404 status' do
+        stub_request(:post, %r{puppet-ca/v1/certificate_renewal}).to_return(status: 400, body: 'Failed to automatically renew certificate: 400 Bad request')
+
+        expect(Puppet).to receive(:warning).with(/Failed to automatically renew certificate/)
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Done)
+      end
+
+      it 'logs an info message when failing with 404' do
+        stub_request(:post, %r{puppet-ca/v1/certificate_renewal}).to_return(status: 404, body: 'Certificate autorenewal has not been enabled on the server.')
+
+        expect(Puppet).to receive(:info).with('Certificate autorenewal has not been enabled on the server.')
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Done)
+      end
+
+      it 'logs a warning message when failing with no HTTP status' do
+        stub_request(:post, %r{puppet-ca/v1/certificate_renewal}).to_raise(Errno::ECONNREFUSED)
+
+        expect(Puppet).to receive(:warning).with(/Unable to automatically renew certificate:/)
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Done)
+      end
+    end
   end
 end
