Provide upgrade utility

Provide a utility plan to re-issue certificates on systems that were
deployed using peadm 0.5.x, using the new OIDs in use in peadm 1.x.

Author: reidmv

functions/oid.pp

@@ -4,6 +4,8 @@ function peadm::oid (
   case $short_name {
     'peadm_role':  { '1.3.6.1.4.1.34380.1.1.9812' }
     'peadm_availability_group': { '1.3.6.1.4.1.34380.1.1.9813' }
+    'pp_application': { '1.3.6.1.4.1.34380.1.1.8' }
+    'pp_cluster': { '1.3.6.1.4.1.34380.1.1.16' }
     default: { fail("No peadm OID for ${short_name}") }
   }
 }

plans/misc/upgrade_trusted_facts.pp

@@ -0,0 +1,49 @@
+plan peadm::misc::upgrade_trusted_facts (
+  TargetSpec              $targets,
+  Peadm::SingleTargetSpec $master_host,
+  Boolean                 $autosign = false,
+) {
+
+  # Convert input into array of Targets
+  $all_targets   = peadm::get_targets($targets)
+  $master_target = peadm::get_targets($master_host, 1)
+
+  $certdata = run_task('peadm::trusted_facts', $all_targets).reduce({}) |$memo,$result| {
+    # Keep the the OID-form trusted fact key/value pairs. If we accidentally
+    # include an OID and also a shortname that resolves to the same OID,
+    # there'll be a problem trying to sign the cert.
+    $memo + { $result.target => ($result.value + {
+      'extensions' => ($result['extensions'].filter |$k,$v| {
+        $k =~ /^1\.3\.6\.1\.4\.1\.34380\.1/
+      })
+    })}
+  }
+
+  $pserver = '/opt/puppetlabs/bin/puppetserver'
+  $puppet  = '/opt/puppetlabs/bin/puppet'
+
+  $upgrade_results = $all_targets.map |$target| {
+    $new_trusted = $certdata[$target]['extensions'] + {
+      peadm::oid('peadm_role') => $certdata[$target]['extensions'][peadm::oid('pp_application')],
+      peadm::oid('peadm_availability_group') => $certdata[$target]['extensions'][peadm::oid('pp_cluster')],
+    }
+
+    run_plan('peadm::util::insert_csr_extensions', $target,
+      extensions => $new_trusted,
+      merge      => false,
+    )
+
+    run_command("${pserver} ca clean --certname ${certdata[$target]['certname']}", $master_target)
+    run_command("${puppet} ssl clean --certname ${certdata[$target]['certname']}", $target)
+    run_command("${puppet} ssl submit_request --certname ${certdata[$target]['certname']}", $target)
+
+    ctrl::sleep(2) # some lag sometimes before the cert is available to sign
+
+    if !$autosign {
+      run_command("${pserver} ca sign --certname ${certdata[$target]['certname']}", $master_target)
+    }
+
+    run_command("${puppet} ssl download_cert --certname ${certdata[$target]['certname']}", $target)
+  }
+
+}

plans/util/insert_csr_extensions.pp

@@ -1,6 +1,7 @@
 plan peadm::util::insert_csr_extensions (
   TargetSpec $targets,
   Hash       $extensions,
+  Boolean    $merge = true,
 ) {
   get_targets($targets).each |$target| {
     $csr_attributes_data = ($csr_file = run_task('peadm::read_file', $target,
@@ -10,9 +11,17 @@
       default => $csr_file.parseyaml,
     }
 
+    # If we're merging extension requests, existing requests will be preserved.
+    # If we're not merging, only ours will be used; existing requests will be
+    # overritten.
+    $csr_file_data = $merge ? {
+      true  => $csr_attributes_data.deep_merge({'extension_requests' => $extensions}),
+      false => ($csr_attributes_data + {'extension_requests' => $extensions}),
+    }
+
     run_task('peadm::mkdir_p_file', $target,
       path    => '/etc/puppetlabs/puppet/csr_attributes.yaml',
-      content => $csr_attributes_data.deep_merge({'extension_requests' => $extensions}).to_yaml,
+      content => $csr_file_data.to_yaml,
     )
   }
 }

tasks/trusted_facts.rb

@@ -18,6 +18,7 @@
 cert = OpenSSL::X509::Certificate.new(raw)
 
 extensions = cert.extensions.reduce({}) do |memo, ext|
+  next memo unless ext.oid.start_with?('1.3.6.1.4.1.34380.1') # ppCertExt
   case oids[ext.oid]
   when nil
     memo.merge(ext.oid => ext.value[2..-1])
@@ -27,6 +28,16 @@
   end
 end
 
-result = { 'extensions' => extensions }
+alt_names = cert.extensions.select do |ext|
+  ext.oid == 'subjectAltName'
+end.map do |ext|
+  ext.value.split(', ').map { |str| str[4..-1] }
+end.first
+
+result = {
+  'certname'      => certname,
+  'dns-alt-names' => alt_names,
+  'extensions'    => extensions,
+}
 
 puts result.to_json