Puppet Server
SERVER-1583

Add missing CA oid mappings from PUP-5355

    Details

    • Template:
    • Team:
      Next Generation
    • Story Points:
      1
    • Sprint:
      NG 2016-10-19, NG 2016-11-02
    • Release Notes Summary:
      The Puppet Server CA will now display the short names for all of Puppet's pp_* custom cert extensions. Previously it did not honor the short names of: pp_region, pp_datacenter, pp_zone, pp_network, pp_securitypolicy, pp_cloudplatform, pp_apptier, and pp_hostname.

      Description

      Puppet Server's CA service maintains its own list of OID-to-mnemonic mappings in the puppet-short-names function, duplicating the list kept in the `Puppet::SSL::Oids` namespace in Puppet's Ruby code. Several OIDs were added to the Puppet Ruby list in PUP-5355 - see here for the list as of Puppet 4.7.0 - but were not added to the corresponding Puppet Server CA list - see here for the list as of Puppet Server 2.6.0. As a result, those names cannot be used in a csr_attributes.yaml file when Puppet Server's CA creates the master certificate, nor in any Trapperkeeper Authorization rules that reference the names in certificate extensions. The missing mappings should be added to the Puppet Server CA service.

      Along with doing this work, we should also consider improving the behavior that you see when the csr_attributes.yaml file contains a name that does not match the list. Currently you see a startup error like this:

      Exception in thread "main" java.lang.AssertionError: Assert failed: (keyword? kw), compiling:(/private/var/folders/y5/24bhmms53nv2b4g8gyq6tl340000gn/T/form-init2323869083754856717.clj:1:125)
          at clojure.lang.Compiler.load(Compiler.java:7239)
          at clojure.lang.Compiler.loadFile(Compiler.java:7165)
          at clojure.main$load_script.invoke(main.clj:275)
          ...
      Caused by: java.lang.AssertionError: Assert failed: (keyword? kw)
          at puppetlabs.kitchensink.core$without_ns.invoke(core.clj:566)
          at puppetlabs.trapperkeeper.core$main.doInvoke(core.clj:175)
          at clojure.lang.RestFn.invoke(RestFn.java:421)
          at clojure.lang.Var.invoke(Var.java:383)
          at clojure.lang.AFn.applyToHelper(AFn.java:156)
          at clojure.lang.Var.applyTo(Var.java:700)
          at clojure.core$apply.invoke(core.clj:630)
          at puppetlabs.trapperkeeper.main$_main.doInvoke(main.clj:7)
          at clojure.lang.RestFn.invoke(RestFn.java:421)
          at clojure.lang.Var.invoke(Var.java:383)
          at user$eval5609.invoke(form-init2323869083754856717.clj:1)
          at clojure.lang.Compiler.eval(Compiler.java:6782)
          at clojure.lang.Compiler.eval(Compiler.java:6772)
          at clojure.lang.Compiler.load(Compiler.java:7227)
          ... 11 more

      Erroring out at startup rather than creating a certificate / auth rule with unintended content seems reasonable. We should come up with a more descriptive error message than this which highlights what the problem is.
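      The following Ruby script is an added illustration, not code from Puppet or Puppet Server. It models the two tables the description talks about (the Ruby-side list and a CA-side copy that has fallen behind), reports which short names are missing, and resolves the extension_requests of a csr_attributes.yaml file with a descriptive error for an unknown name, in place of the bare AssertionError above. The OID values are assumed from Puppet's documented 1.3.6.1.4.1.34380.1.1 arc and should be checked against Puppet::SSL::Oids; CA_SHORT_NAMES is a hypothetical stand-in for the pre-fix server-side table, and the csr_attributes.yaml content is constructed.

```ruby
require 'yaml'

# Puppet's pp_* certificate extension short names and their OIDs under the
# 1.3.6.1.4.1.34380.1.1 arc. ASSUMED from Puppet's documented OID list; the
# authoritative table is Puppet::SSL::Oids in Puppet's Ruby code.
PUPPET_ARC = '1.3.6.1.4.1.34380.1.1'.freeze
PUPPET_SHORT_NAMES = %w[
  pp_uuid pp_instance_id pp_image_name pp_preshared_key pp_cost_center
  pp_product pp_project pp_application pp_service pp_employee pp_created_by
  pp_environment pp_role pp_software_version pp_department pp_cluster
  pp_provisioner pp_region pp_datacenter pp_zone pp_network pp_securitypolicy
  pp_cloudplatform pp_apptier pp_hostname
].each_with_index.map { |name, i| [name, "#{PUPPET_ARC}.#{i + 1}"] }.to_h.freeze

# HYPOTHETICAL stand-in for a CA-side copy of the table that stops at
# pp_provisioner, i.e. the drift this issue describes: the last eight names
# (pp_region through pp_hostname) are absent.
CA_SHORT_NAMES = PUPPET_SHORT_NAMES.first(17).to_h.freeze

DOTTED_OID = /\A\d+(?:\.\d+)+\z/

# Short names present in the reference table but missing from a CA-side copy.
def missing_short_names(reference, ca_table)
  reference.keys - ca_table.keys
end

# Resolve extension_requests keys (short names or dotted OIDs) to OIDs.
# Returns [resolved, errors]; an unknown name produces a descriptive error
# message instead of a bare assertion failure.
def resolve_extension_requests(extension_requests, table)
  resolved = {}
  errors = []
  extension_requests.each do |name, value|
    key = name.to_s
    if table.key?(key)
      resolved[table[key]] = value
    elsif key.match?(DOTTED_OID)
      resolved[key] = value
    else
      errors << "csr_attributes.yaml extension_requests: unknown extension name " \
                "#{key.inspect}; use a dotted OID or one of: #{table.keys.join(', ')}"
    end
  end
  [resolved, errors]
end

# Constructed sample csr_attributes.yaml (not taken from the issue).
SAMPLE_CSR_ATTRIBUTES = <<~YAML.freeze
  ---
  extension_requests:
    pp_uuid: 00000000-0000-4000-8000-000000000001
    pp_region: us-west-2
    '1.3.6.1.4.1.34380.1.1.19': dc01
    pp_bogus: not-a-real-extension
YAML

# Parse a csr_attributes.yaml document and resolve its extension_requests.
def validate_csr_attributes(yaml_text, table)
  doc = YAML.safe_load(yaml_text) || {}
  resolve_extension_requests(doc.fetch('extension_requests', {}), table)
end

if $PROGRAM_NAME == __FILE__
  puts "missing on CA side: #{missing_short_names(PUPPET_SHORT_NAMES, CA_SHORT_NAMES).join(', ')}"
  _, errors = validate_csr_attributes(SAMPLE_CSR_ATTRIBUTES, CA_SHORT_NAMES)
  errors.each { |e| warn e }
end
```

      Run against CA_SHORT_NAMES the sample file fails on both pp_region (a real name the stale table lacks) and pp_bogus; against the full table only pp_bogus is rejected, and the dotted-OID form of pp_datacenter passes either way, which is the workaround a stale table forces on users.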

      People

      • Assignee:
        Justin Stoller
      • Reporter:
        russ