From 68c59d148cacd058a88afe0c9f5875743b2cea2b Mon Sep 17 00:00:00 2001
From: Neil Townsend <neil.townsend@smxemail.com>
Date: Fri, 20 Mar 2020 12:16:28 +1300
Subject: [PATCH 1/2] Add server_ca_client_self_delete to CA Servers

Add the server_ca_client_self_delete boolean parameter to CA servers.
When true, allows puppet clients to delete their own certificate from
the Puppet CA.
---
 manifests/init.pp                                  |  4 ++++
 manifests/params.pp                                |  1 +
 manifests/server.pp                                |  4 ++++
 manifests/server/puppetserver.pp                   |  1 +
 spec/classes/puppet_server_puppetserver_spec.rb    |  8 ++++++++
 templates/server/puppetserver/conf.d/auth.conf.erb | 12 ++++++++++++
 6 files changed, 30 insertions(+)

diff --git a/manifests/init.pp b/manifests/init.pp
index 1b310683..efc57c11 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -421,6 +421,9 @@
 # $server_ca_auth_required::                Whether client certificates are needed to access the puppet-admin api
 #                                           Defaults to true
 #
+# $server_ca_client_self_delete::           Adds a rule to auth.conf, that allows a client to delete its own certificate
+#                                           Defaults to false
+#
 # $server_use_legacy_auth_conf::            Should the puppetserver use the legacy puppet auth.conf?
 #                                           Defaults to false (the puppetserver will use its own conf.d/auth.conf)
 #
@@ -611,6 +614,7 @@
   Boolean $server_ca_crl_sync = $puppet::params::server_ca_crl_sync,
   Optional[Boolean] $server_crl_enable = $puppet::params::server_crl_enable,
   Boolean $server_ca_auth_required = $puppet::params::server_ca_auth_required,
+  Boolean $server_ca_client_self_delete = $puppet::params::server_ca_client_self_delete,
   Array[String] $server_ca_client_whitelist = $puppet::params::server_ca_client_whitelist,
   Optional[Puppet::Custom_trusted_oid_mapping] $server_custom_trusted_oid_mapping = $puppet::params::server_custom_trusted_oid_mapping,
   Boolean $server_http = $puppet::params::server_http,
diff --git a/manifests/params.pp b/manifests/params.pp
index e98dee70..86448904 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -397,6 +397,7 @@
   $server_web_idle_timeout                = 30000
   $server_connect_timeout                 = 120000
   $server_ca_auth_required                = true
+  $server_ca_client_self_delete           = false
   $server_admin_api_whitelist             = [ 'localhost', $lower_fqdn ]
   $server_ca_client_whitelist             = [ 'localhost', $lower_fqdn ]
   $server_cipher_suites                   = [
diff --git a/manifests/server.pp b/manifests/server.pp
index ee142f35..5107ed00 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -255,6 +255,9 @@
 # $ca_auth_required::                  Whether client certificates are needed to access the puppet-admin api
 #                                      Defaults to true
 #
+# $ca_client_self_delete::             Adds a rule to auth.conf, that allows a client to self delete its own certificate
+#                                      Defaults to false
+#
 # $use_legacy_auth_conf::              Should the puppetserver use the legacy puppet auth.conf?
 #                                      Defaults to false (the puppetserver will use its own conf.d/auth.conf)
 #
@@ -349,6 +352,7 @@
   Boolean $ca_crl_sync = $::puppet::server_ca_crl_sync,
   Optional[Boolean] $crl_enable = $::puppet::server_crl_enable,
   Boolean $ca_auth_required = $::puppet::server_ca_auth_required,
+  Boolean $ca_client_self_delete = $::puppet::server_ca_client_self_delete,
   Array[String] $ca_client_whitelist = $::puppet::server_ca_client_whitelist,
   Optional[Puppet::Custom_trusted_oid_mapping] $custom_trusted_oid_mapping = $::puppet::server_custom_trusted_oid_mapping,
   Boolean $http = $::puppet::server_http,
diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp
index 2ecdb00c..2a80d282 100644
--- a/manifests/server/puppetserver.pp
+++ b/manifests/server/puppetserver.pp
@@ -103,6 +103,7 @@
   $server_web_idle_timeout                = $::puppet::server::web_idle_timeout,
   $server_connect_timeout                 = $::puppet::server::connect_timeout,
   $server_ca_auth_required                = $::puppet::server::ca_auth_required,
+  $server_ca_client_self_delete           = $::puppet::server::ca_client_self_delete,
   $server_ca_client_whitelist             = $::puppet::server::ca_client_whitelist,
   $server_admin_api_whitelist             = $::puppet::server::admin_api_whitelist,
   $server_puppetserver_version            = $::puppet::server::real_puppetserver_version,
diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb
index a48c270f..4b45aff9 100644
--- a/spec/classes/puppet_server_puppetserver_spec.rb
+++ b/spec/classes/puppet_server_puppetserver_spec.rb
@@ -280,6 +280,14 @@
         end
       end
 
+      describe 'ca_client_self_delete' do
+        context 'when set' do
+          let(:params) { super().merge(server_ca_client_self_delete: true)}
+          it { should contain_file(auth_conf)
+            .with_content(%r{^(\ *)name: "Allow nodes to delete their own certificates",$}) }
+        end
+      end
+
       describe 'server_jruby9k', unless: facts[:osfamily] == 'FreeBSD' do
         context 'when server_jruby9k => true' do
           let(:params) { super().merge(server_puppetserver_jruby9k: true) }
diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb
index 90455c47..deff354f 100644
--- a/templates/server/puppetserver/conf.d/auth.conf.erb
+++ b/templates/server/puppetserver/conf.d/auth.conf.erb
@@ -111,6 +111,18 @@ authorization: {
             sort-order: 500
             name: "puppetlabs cert statuses"
         },
+<%- if @server_ca_client_self_delete -%>
+        {
+            name: "Allow nodes to delete their own certificates",
+            match-request: {
+                path: "^/puppet-ca/v1/certificate(_status|_request)?/([^/]+)$"
+                type: regex
+                method: [delete]
+            },
+            allow: "$2"
+            sort-order: 500
+        },
+<%- end -%>
 <%- end -%>
         {
             # Allow unauthenticated access to the status service endpoint

From 05cca1dacace1cc1a4faea4849d63edeb0d74436 Mon Sep 17 00:00:00 2001
From: Neil Townsend <neil.townsend@smxemail.com>
Date: Tue, 24 Mar 2020 10:18:26 +1300
Subject: [PATCH 2/2] Add default test for server_ca_client_self_delete

Spec test that checks config is not added with default parameters set.
---
 spec/classes/puppet_server_puppetserver_spec.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb
index 4b45aff9..d77d7496 100644
--- a/spec/classes/puppet_server_puppetserver_spec.rb
+++ b/spec/classes/puppet_server_puppetserver_spec.rb
@@ -107,6 +107,7 @@
             .with_content(%r{^(\ *)path: "/puppet/v3/tasks"$})
             .with_content(%r{^(\ *)path: "\^/puppet/v3/facts/(.*)$})
             .with_content(/^( *)pp_cli_auth: "true"$/)
+            .without_content(%r{^(\ *)name: "Allow nodes to delete their own certificates",$})
         }
       end