
Add a setting to enable signing CSRs with authorization extensions

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 5.3.6, SERVER 6.0.0
    • Component/s: DOCS
    • Labels:
      None
    • Template:
    • Acceptance Criteria:
      • Puppetserver has an `allow-authorization-extensions` setting that allows the API to sign CSRs with authorization extensions.
      • The setting is false by default
    • Team:
      Server
    • Release Notes:
      New Feature
    • Release Notes Summary:
      Puppet Server now has a setting called `allow-authorization-extensions` in the `certificate-authority` section of its config for enabling signing certs with authorization extensions. It is false by default for security reasons, but if users know they need to do this, they should enable the setting here. `puppet cert sign` used to allow this via a flag, but `puppetserver ca sign` requires it to be configured in the config file.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Currently we completely disallow signing certificate requests with authorization extensions from Puppetserver's certificate_status endpoint. However, with the removal of the puppet cert command, users need a way to allow this. Because it could still be risky (see comments on SERVER-2268), we should introduce a setting that users can enable in puppetserver's config if they need this behavior, similar to the Ruby CA's allow-authorization-extensions.


      Useful code: 

      Take a look at how we did this in SERVER-2278: https://tickets.puppetlabs.com/browse/SERVER-2278 . We'll want to do something similar.

      https://github.com/puppetlabs/puppetserver/blob/2e271f7c6768cf60f56d396f74b28ce62e3bd677/src/clj/puppetlabs/puppetserver/certificate_authority.clj#L1054
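      As an added example (not Puppet Server's own code), the following Python sketch shows the default-deny check this setting controls: it decodes the extension OIDs a CSR requests and refuses signing when any fall under Puppet's authorization arc unless `allow-authorization-extensions` is true. The arc 1.3.6.1.4.1.34380.1.3 (ppAuthCertExt) is taken from Puppet's CSR extension documentation, not from this ticket, and the sample extension bytes are constructed inline.

```python
PUPPET_AUTH_ARC = "1.3.6.1.4.1.34380.1.3"  # ppAuthCertExt arc, assumed from Puppet's CSR docs

def decode_oid(body: bytes) -> str:
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    value = 0
    for b in body[1:]:                      # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(data: bytes, pos: int):
    """Return (tag, contents, next_pos) for the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def requested_extension_oids(extensions_der: bytes) -> list:
    """Return the extnID of each Extension in a DER Extensions SEQUENCE (CSR extensionRequest payload)."""
    tag, body, _ = read_tlv(extensions_der, 0)
    assert tag == 0x30, "expected SEQUENCE OF Extension"
    oids, pos = [], 0
    while pos < len(body):
        ext_tag, ext, pos = read_tlv(body, pos)   # Extension ::= SEQUENCE
        oid_tag, oid_body, _ = read_tlv(ext, 0)   # first field is extnID
        assert ext_tag == 0x30 and oid_tag == 0x06, "malformed Extension"
        oids.append(decode_oid(oid_body))
    return oids

def signing_decision(extensions_der: bytes, allow_authorization_extensions=False):
    """Default-deny policy from the ticket: refuse a CSR requesting anything under the
    authorization arc unless the setting is true. Returns (allowed, auth_oids_requested)."""
    auth = [o for o in requested_extension_oids(extensions_der)
            if o == PUPPET_AUTH_ARC or o.startswith(PUPPET_AUTH_ARC + ".")]
    return (allow_authorization_extensions or not auth), auth

def _ext(oid_der: bytes, utf8_value: bytes) -> bytes:
    # Constructed helper: Extension { extnID, extnValue OCTET STRING { UTF8String } }
    inner = b"\x0c" + bytes([len(utf8_value)]) + utf8_value
    body = b"\x06" + bytes([len(oid_der)]) + oid_der + b"\x04" + bytes([len(inner)]) + inner
    return b"\x30" + bytes([len(body)]) + body

# Constructed sample: pp_uuid (registration arc .1.1.1) plus pp_authorization (auth arc .1.3.1)
_BASE = b"\x2b\x06\x01\x04\x01\x82\x8c\x4c\x01"          # 1.3.6.1.4.1.34380.1
_exts = _ext(_BASE + b"\x01\x01", b"node1") + _ext(_BASE + b"\x03\x01", b"admin")
SAMPLE_EXTENSIONS = b"\x30" + bytes([len(_exts)]) + _exts
```

With the default (setting false) `signing_decision(SAMPLE_EXTENSIONS)` refuses the request and names the offending OID; a CSR carrying only registration extensions is allowed either way.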

              People

              • Assignee: Amy Sahli (amy.sahli)
              • Reporter: Maggie Dreyer (maggie)
