
Commit e6339f7

Merge pull request #9076 from AriaXLi/PUP-11896/auto-renew_extension
(PUP-11896) Send auto-renew extension in CSR
2 parents c359b6a + ae2cf20 commit e6339f7


4 files changed

+33
-1
lines changed


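--- a/lib/puppet/ssl/oids.rb
+++ b/lib/puppet/ssl/oids.rb
@@ -71,6 +71,7 @@ module Puppet::SSL::Oids
 ["1.3.6.1.4.1.34380.1.3", 'ppAuthCertExt', 'Puppet Certificate Authorization Extension'],
 
 ["1.3.6.1.4.1.34380.1.3.1", 'pp_authorization', 'Certificate Extension Authorization'],
+["1.3.6.1.4.1.34380.1.3.2", 'pp_auth_auto_renew', 'Auto-Renew Certificate Extension'],
 ["1.3.6.1.4.1.34380.1.3.13", 'pp_auth_role', 'Puppet Node Role Name for Authorization'],
 ]
 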
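--- a/lib/puppet/x509/cert_provider.rb
+++ b/lib/puppet/x509/cert_provider.rb
@@ -311,6 +311,13 @@ def create_request(name, private_key)
 options[:extension_requests] = csr_attributes.extension_requests
 end
 
+# Adds auto-renew extension to CSR if the agent supports auto-renewal of
+# certificates
+if Puppet[:hostcert_renewal_interval] && Puppet[:hostcert_renewal_interval] > 0
+options[:extension_requests] ||= {}
+options[:extension_requests].merge!({'1.3.6.1.4.1.34380.1.3.2' => 'true'})
+end
+
 csr = Puppet::SSL::CertificateRequest.new(name)
 csr.generate(private_key, options)
 end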
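--- a/spec/unit/ssl/state_machine_spec.rb
+++ b/spec/unit/ssl/state_machine_spec.rb
@@ -843,7 +843,8 @@ def write_csr_attributes(data)
 csr.request_extensions
 ).to contain_exactly(
 {'oid' => '1.3.6.1.4.1.34380.1.1.31415', 'value' => 'pi'},
-{'oid' => '1.3.6.1.4.1.34380.1.1.2718', 'value' => 'e'}
+{'oid' => '1.3.6.1.4.1.34380.1.1.2718', 'value' => 'e'},
+{'oid' => 'pp_auth_auto_renew', 'value' => 'true'}
 )
 end.to_return(status: 200)
 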
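Review bot: The extended `contain_exactly` list now depends on `Puppet[:hostcert_renewal_interval]` having a positive default, which nothing in the example sets; the first new example in spec/unit/x509/cert_provider_spec.rb ('has the auto-renew extension by default ...') has the same implicit dependency. Setting the value explicitly in the example, e.g. `Puppet[:hostcert_renewal_interval] = 600` (constructed value), pins the behavior under test to the condition the code checks rather than to the setting's default, so a later change to that default fails the right test. The enclosing example starts outside the hunk.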
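--- a/spec/unit/x509/cert_provider_spec.rb
+++ b/spec/unit/x509/cert_provider_spec.rb
@@ -586,6 +586,29 @@ def expects_private_file(path)
 end
 end
 
+context 'when creating' do
+context 'requests' do
+let(:name) { 'tom' }
+let(:requestdir) { tmpdir('cert_provider') }
+let(:provider) { create_provider(requestdir: requestdir) }
+let(:key) { OpenSSL::PKey::RSA.new(Puppet[:keylength]) }
+
+it 'has the auto-renew extension by default for agents that support automatic renewal' do
+csr = provider.create_request(name, key)
+# need to create CertificateRequest instance from csr in order to use request_extensions()
+wrapped_csr = Puppet::SSL::CertificateRequest.from_instance csr
+expect(wrapped_csr.request_extensions).to include('oid' => 'pp_auth_auto_renew', 'value' => 'true')
+end
+
+it 'does not have the auto-renew extension for agents that do not support automatic renewal' do
+Puppet[:hostcert_renewal_interval] = 0
+csr = provider.create_request(name, key)
+wrapped_csr = Puppet::SSL::CertificateRequest.from_instance csr
+expect(wrapped_csr.request_extensions.length).to eq(0)
+end
+end
+end
+
 context 'CA last update time' do
 let(:ca_path) { tmpfile('pem_ca') }
 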
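Review bot: `expect(wrapped_csr.request_extensions.length).to eq(0)` in the second example reads better as `expect(wrapped_csr.request_extensions).to be_empty`, and the failure output then shows the unexpected extensions rather than a count. Each example also generates a fresh RSA key via `let(:key) { OpenSSL::PKey::RSA.new(Puppet[:keylength]) }`; if that setting defaults to a large modulus this is noticeably slow for two examples, and a small fixed size for the test, or a key fixture the spec already shares elsewhere if one exists, would keep the suite fast. The second example's `Puppet[:hostcert_renewal_interval] = 0` is the better pattern: the first example would benefit from setting the interval explicitly as well, so the two examples differ only in the condition under test.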