Merge pull request #2668 from nmburgan/mergeup/main/from_7.x_2022_10_03

Mergeup 7.x -> main

Author: nmburgan

locales/eo.po

@@ -76,7 +76,7 @@ msgid "Certificate names must be lower case."
 msgstr ""
 
 #: src/clj/puppetlabs/puppetserver/certificate_authority.clj
-msgid "Subject contains unprintable or non-ASCII characters"
+msgid "Subject hostname format is invalid"
 msgstr ""
 
 #: src/clj/puppetlabs/puppetserver/certificate_authority.clj

locales/puppetserver.pot

@@ -77,7 +77,7 @@ msgid "Certificate names must be lower case."
 msgstr ""
 
 #: src/clj/puppetlabs/puppetserver/certificate_authority.clj
-msgid "Subject contains unprintable or non-ASCII characters"
+msgid "Subject hostname format is invalid"
 msgstr ""
 
 #: src/clj/puppetlabs/puppetserver/certificate_authority.clj

project.clj

@@ -27,14 +27,14 @@
 
   :min-lein-version "2.9.1"
 
-  :parent-project {:coords [puppetlabs/clj-parent "5.2.3"]
+  :parent-project {:coords [puppetlabs/clj-parent "5.2.11"]
                    :inherit [:managed-dependencies]}
 
   :dependencies [[org.clojure/clojure]
 
                  [slingshot]
                  [clj-commons/clj-yaml]
-                 [org.yaml/snakeyaml "1.31"]
+                 [org.yaml/snakeyaml]
                  [commons-lang]
                  [commons-io]
 
@@ -123,7 +123,7 @@
                                         [beckon]
                                         [lambdaisland/uri "1.4.70"]]}
              :dev [:defaults
-                   {:dependencies [[org.bouncycastle/bcpkix-jdk15on]]}]
+                   {:dependencies [[org.bouncycastle/bcpkix-jdk18on]]}]
              :fips [:defaults
                     {:dependencies [[org.bouncycastle/bcpkix-fips]
                                     [org.bouncycastle/bc-fips]
@@ -154,7 +154,7 @@
                     ;; when a test fails.
                     :dependencies [[pjstadig/humane-test-output "0.8.3"]]
                     :injections [(require 'pjstadig.humane-test-output)
-                                (pjstadig.humane-test-output/activate!)]}
+                                 (pjstadig.humane-test-output/activate!)]}
 
 
              :ezbake {:dependencies ^:replace [;; we need to explicitly pull in our parent project's
@@ -164,13 +164,13 @@
                                                ;; in the list above, so any version overrides need to be
                                                ;; specified in both places. TODO: fix this.
                                                [org.clojure/clojure]
-                                               [org.bouncycastle/bcpkix-jdk15on]
+                                               [org.bouncycastle/bcpkix-jdk18on]
                                                [puppetlabs/jruby-utils]
                                                [puppetlabs/puppetserver ~ps-version]
                                                [puppetlabs/trapperkeeper-webserver-jetty9]]
                       :plugins [[puppetlabs/lein-ezbake "2.3.2"]]
                       :name "puppetserver"}
-             :uberjar {:dependencies [[org.bouncycastle/bcpkix-jdk15on]
+             :uberjar {:dependencies [[org.bouncycastle/bcpkix-jdk18on]
                                       [puppetlabs/trapperkeeper-webserver-jetty9]]
                        :aot [puppetlabs.trapperkeeper.main
                              puppetlabs.trapperkeeper.services.status.status-service

src/clj/puppetlabs/puppetserver/certificate_authority.clj

@@ -806,15 +806,15 @@
       {:kind :invalid-subject-name
        :msg  (i18n/tru "Certificate names must be lower case.")}))
 
-  (when-not (re-matches #"\A[ -.0-~]+\Z" subject)
+  (when (.contains subject "*")
     (sling/throw+
       {:kind :invalid-subject-name
-       :msg  (i18n/tru "Subject contains unprintable or non-ASCII characters")}))
-
-  (when (.contains subject "*")
+       :msg  (i18n/tru "Subject contains a wildcard, which is not allowed: {0}" subject)}))
+  
+  (when-not (re-matches #"^([a-z0-9](?:(?:[a-z0-9\-_]*|(?<!-)\.(?![\-.]))*[a-z0-9]+)?)$" subject)
     (sling/throw+
       {:kind :invalid-subject-name
-       :msg  (i18n/tru "Subject contains a wildcard, which is not allowed: {0}" subject)})))
+       :msg  (i18n/tru "Subject hostname format is invalid")})))
 
 (schema/defn allowed-extension?
   "A predicate that answers if an extension is allowed or not.

test/unit/puppetlabs/puppetserver/certificate_authority_test.clj

@@ -1153,7 +1153,7 @@
                           (select-keys % [:kind :msg]))]
                      ["invalid characters in name" "super/bad" "bad-subject-name-1.pem"
                       #(= {:kind :invalid-subject-name
-                           :msg "Subject contains unprintable or non-ASCII characters"}
+                           :msg "Subject hostname format is invalid"}
                           (select-keys % [:kind :msg]))]
                      ["wildcard in name" "foo*bar" "bad-subject-name-wildcard.pem"
                       #(= {:kind :invalid-subject-name
@@ -1189,7 +1189,7 @@
                           (select-keys % [:kind :msg]))]
                      ["subject contains invalid characters" "super/bad" "bad-subject-name-1.pem"
                       #(= {:kind :invalid-subject-name
-                           :msg "Subject contains unprintable or non-ASCII characters"}
+                           :msg "Subject hostname format is invalid"}
                           (select-keys % [:kind :msg]))]
                      ["subject contains wildcard character" "foo*bar" "bad-subject-name-wildcard.pem"
                       #(=  {:kind :invalid-subject-name
@@ -1609,17 +1609,101 @@
 (deftest validate-subject!-test
   (testing "an exception is thrown when the hostnames don't match"
     (is (thrown+?
-          [:kind :hostname-mismatch
-           :msg "Instance name \"test-agent\" does not match requested key \"not-test-agent\""]
-          (validate-subject!
-            "not-test-agent" "test-agent"))))
+         [:kind :hostname-mismatch
+          :msg "Instance name \"test-agent\" does not match requested key \"not-test-agent\""]
+         (validate-subject!
+          "not-test-agent" "test-agent"))))
 
   (testing "an exception is thrown if the subject name contains a capital letter"
     (is (thrown+?
-          [:kind :invalid-subject-name
-           :msg "Certificate names must be lower case."]
-          (validate-subject! "Host-With-Capital-Letters"
-                             "Host-With-Capital-Letters")))))
+         [:kind :invalid-subject-name
+          :msg "Certificate names must be lower case."]
+         (validate-subject! "Host-With-Capital-Letters"
+                            "Host-With-Capital-Letters"))))
+
+  (testing "an exception is thrown when the hostnames ends in hyphen"
+    (is (thrown+?
+         [:kind :invalid-subject-name
+          :msg "Subject hostname format is invalid"]
+         (validate-subject!
+          "rootca-.example.org" "rootca-.example.org"))))
+
+  (testing "an exception is thrown when the hostnames starts with hyphen"
+    (is (thrown+?
+         [:kind :invalid-subject-name
+          :msg "Subject hostname format is invalid"]
+         (validate-subject!
+          "-rootca.example.org" "-rootca.example.org"))))
+
+  (testing "an exception is thrown when the hostnames contains a space"
+    (is (thrown+?
+         [:kind :invalid-subject-name
+          :msg "Subject hostname format is invalid"]
+         (validate-subject!
+          "root ca.example.org" "root ca.example.org"))))
+
+  (testing "an exception is thrown when the hostnames contain an ampersand"
+    (is (thrown+?
+         [:kind :invalid-subject-name
+          :msg "Subject hostname format is invalid"]
+         (validate-subject!
+          "root&ca.example.org" "root&ca.example.org"))))
+
+  (testing "an exception is thrown when the hostname is empty"
+    (is (thrown+?
+         [:kind :invalid-subject-name
+          :msg "Subject hostname format is invalid"]
+         (validate-subject!
+          "" ""))))
+
+  (testing "an exception is thrown when the hostnames contain multiple dots in a row"
+    (is (thrown+?
+         [:kind :invalid-subject-name
+          :msg "Subject hostname format is invalid"]
+         (validate-subject!
+          "rootca..example.org" "rootca..example.org"))))
+
+  (testing "an exception is thrown when the hostnames end in dot"
+    (is (thrown+?
+         [:kind :invalid-subject-name
+          :msg "Subject hostname format is invalid"]
+         (validate-subject!
+          "rootca." "rootca."))))
+
+  (testing "Single word hostnames are allowed"
+    (is (nil?
+         (validate-subject!
+          "rootca" "rootca"))))
+
+  (testing "Domain names are allowed"
+    (is (nil?
+         (validate-subject!
+          "puppet.com" "puppet.com"))))
+
+  (testing "Subdomains are allowed"
+    (is (nil?
+         (validate-subject!
+          "ca.puppet.com" "ca.puppet.com"))))
+
+  (testing "Hostnames containing underscores are allowed"
+    (is (nil?
+         (validate-subject!
+          "root_ca" "root_ca"))))
+
+  (testing "Hostnames containing dashes are allowed"
+    (is (nil?
+         (validate-subject!
+          "root-ca" "root-ca"))))
+
+  (testing "Hostnames containing numbers are allowed"
+    (is (nil?
+         (validate-subject!
+          "root123" "root123"))))
+
+  (testing "Domains containing numbers are allowed"
+    (is (nil?
+         (validate-subject!
+          "root123.com" "root123.com")))))
 
 (deftest validate-subject-alt-names!-test
   (testing "Both DNS and IP alt names are allowed"

test/unit/puppetlabs/services/ca/certificate_authority_core_test.clj

@@ -450,7 +450,7 @@
                   response   (handle-put-certificate-request!
                               subject csr-stream settings)]
               (is (= 400 (:status response)))
-              (is (= "Subject contains unprintable or non-ASCII characters"
+              (is (= "Subject hostname format is invalid"
                      (:body response)))))))
 
       (testing "no wildcards allowed"