From 41548c6d745d5ad133dfc66a5263fdaa2b76e5d6 Mon Sep 17 00:00:00 2001
From: Christopher Thorn <christopher.thorn@puppet.com>
Date: Thu, 21 Sep 2023 08:46:55 -0700
Subject: [PATCH] (PUP-11895) ssl application's clean shouldn't allow extra
 args

If a user attempts to get rid of some certs and confuses `puppetserver ca clean` with
`puppet ssl clean`, there is a chance it will wipe out keys/certs that were not intended.
This commit adds some safeguards to the ssl clean subcommand to try to avoid that scenario.
---
 lib/puppet/application/ssl.rb     | 10 ++++++++++
 spec/unit/application/ssl_spec.rb |  5 +++++
 2 files changed, 15 insertions(+)

diff --git a/lib/puppet/application/ssl.rb b/lib/puppet/application/ssl.rb
index 5f39a2cfea0..5fa804e7d9e 100644
--- a/lib/puppet/application/ssl.rb
+++ b/lib/puppet/application/ssl.rb
@@ -146,6 +146,16 @@ def main
     when 'verify'
       verify(certname)
     when 'clean'
+      possible_extra_args = command_line.args.drop(1)
+      unless possible_extra_args.empty?
+        raise Puppet::Error, _(<<END) % { args: possible_extra_args.join(' ')}
+Extra arguments detected: %{args}
+Did you mean to run:
+  puppetserver ca clean --certname <name>
+Or:
+  puppet ssl clean --target <name>
+END
+      end
       clean(certname)
     when 'bootstrap'
       if !Puppet::Util::Log.sendlevel?(:info)
diff --git a/spec/unit/application/ssl_spec.rb b/spec/unit/application/ssl_spec.rb
index b790e70d065..48181280281 100644
--- a/spec/unit/application/ssl_spec.rb
+++ b/spec/unit/application/ssl_spec.rb
@@ -391,6 +391,11 @@ def expects_command_to_fail(message)
       expects_command_to_fail(%r{Failed to connect to the CA to determine if certificate #{name} has been cleaned})
     end
 
+    it 'raises if we have extra args' do
+      ssl.command_line.args << 'hostname.example.biz'
+      expects_command_to_fail(/Extra arguments detected: hostname.example.biz/)
+    end
+
     context 'when deleting local CA' do
       before do
         ssl.command_line.args << '--localca'