bolt 0.20.3 → 0.20.5

data/vendored/puppet/lib/puppet/settings.rb

@@ -1176,11 +1176,15 @@ Generated on #{Time.now}.
     if configured_environment == "production" && envdir && Puppet::FileSystem.exist?(envdir)
       configured_environment_path = File.join(envdir, configured_environment)
       if !Puppet::FileSystem.symlink?(configured_environment_path)
-        catalog.add_resource(
-          Puppet::Resource.new(:file,
-                               configured_environment_path,
-                               :parameters => { :ensure => 'directory' })
-        )
+        parameters = { :ensure => 'directory' }
+        unless Puppet::FileSystem.exist?(configured_environment_path)
+          parameters.merge!(:mode => '0750')
+          if Puppet.features.root?
+            parameters.merge!(:owner => Puppet[:user]) if service_user_available?
+            parameters.merge!(:group => Puppet[:group]) if service_group_available?
+          end
+        end
+        catalog.add_resource(Puppet::Resource.new(:file, configured_environment_path, :parameters => parameters))
       end
     end
   end

data/vendored/puppet/lib/puppet/settings/config_file.rb

@@ -90,7 +90,7 @@ private
         message += ' ' + _("The only valid puppet.conf sections are: [%{allowed_sections_list}].") %
             { allowed_sections_list: allowed_section_names.join(", ") }
         message += ' ' + _("Please use the directory environments feature to specify environments.")
-        message += ' ' + _("(See https://docs.puppet.com/puppet/latest/reference/environments.html)")
+        message += ' ' + _("(See https://puppet.com/docs/puppet/latest/environments_about.html)")
         raise(Puppet::Error, message)
       end
       section.name

data/vendored/puppet/lib/puppet/settings/environment_conf.rb

@@ -101,7 +101,7 @@ class Puppet::Settings::EnvironmentConf
       path = modulepath.kind_of?(String) ?
         modulepath.split(File::PATH_SEPARATOR) :
         modulepath
-      path.map { |p| absolute(p) }.join(File::PATH_SEPARATOR)
+      path.map { |p| expand_glob(absolute(p)) }.flatten.join(File::PATH_SEPARATOR)
     end
   end
 
@@ -166,6 +166,15 @@ class Puppet::Settings::EnvironmentConf
     yield value
   end
 
+  def expand_glob(path)
+    return nil if path.nil?
+    if path =~ /[*?\[\{]/
+      Dir.glob(path)
+    else
+      path
+    end
+  end
+
   def absolute(path)
     return nil if path.nil?
     if path =~ /^\$/

data/vendored/puppet/lib/puppet/ssl.rb

@@ -4,7 +4,6 @@ require 'openssl'
 
 module Puppet::SSL # :nodoc:
   CA_NAME = "ca"
-  require 'puppet/ssl/configuration'
   require 'puppet/ssl/host'
   require 'puppet/ssl/oids'
   require 'puppet/ssl/validator'

data/vendored/puppet/lib/puppet/ssl/certificate.rb

@@ -21,12 +21,16 @@ DOC
     [:s]
   end
 
-  def subject_alt_names
-    alts = content.extensions.find{|ext| ext.oid == "subjectAltName"}
+  def self.subject_alt_names_for(cert)
+    alts = cert.extensions.find{|ext| ext.oid == "subjectAltName"}
     return [] unless alts
     alts.value.split(/\s*,\s*/)
   end
 
+  def subject_alt_names
+    self.class.subject_alt_names_for(content)
+  end
+
   def expiration
     return nil unless content
     content.not_after

data/vendored/puppet/lib/puppet/ssl/certificate_authority.rb

@@ -209,7 +209,7 @@ class Puppet::SSL::CertificateAuthority
   #
   # @deprecated Use Puppet::SSL::CertificateAuthority#list or Puppet Server Certificate status API
   def list_certificates(name='*')
-    Puppet.deprecation_warning(_("Puppet::SSL::CertificateAuthority#list_certificates is deprecated. Please use Puppet::SSL::CertificateAuthority#list or the certificate status API to query certificate information. See https://docs.puppet.com/puppet/latest/http_api/http_certificate_status.html"))
+    Puppet.deprecation_warning(_("Puppet::SSL::CertificateAuthority#list_certificates is deprecated. Please use Puppet::SSL::CertificateAuthority#list or the certificate status API to query certificate information. See https://puppet.com/docs/puppet/latest/http_api/http_certificate_status.html"))
     Puppet::SSL::Certificate.indirection.search(name)
   end
 
@@ -446,7 +446,7 @@ class Puppet::SSL::CertificateAuthority
     store.add_file(Puppet[:cacert])
     store.add_crl(crl.content) if self.crl
     store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
-    if Puppet.lookup(:certificate_revocation)
+    if Puppet.settings[:certificate_revocation]
       store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL | OpenSSL::X509::V_FLAG_CRL_CHECK
     end
     store
@@ -477,7 +477,7 @@ class Puppet::SSL::CertificateAuthority
   #
   # @deprecated use Puppet::SSL::CertificateAuthority#verify or Puppet Server certificate status API
   def certificate_is_alive?(cert)
-    Puppet.deprecation_warning(_("Puppet::SSL::CertificateAuthority#certificate_is_alive? is deprecated. Please use Puppet::SSL::CertificateAuthority#verify or the certificate status API to query certificate information. See https://docs.puppet.com/puppet/latest/http_api/http_certificate_status.html"))
+    Puppet.deprecation_warning(_("Puppet::SSL::CertificateAuthority#certificate_is_alive? is deprecated. Please use Puppet::SSL::CertificateAuthority#verify or the certificate status API to query certificate information. See https://puppet.com/docs/puppet/latest/http_api/http_certificate_status.html"))
     x509_store(:cache => true).verify(cert.content)
   end
 

data/vendored/puppet/lib/puppet/ssl/host.rb

@@ -5,6 +5,8 @@ require 'puppet/ssl/certificate'
 require 'puppet/ssl/certificate_request'
 require 'puppet/ssl/certificate_revocation_list'
 require 'puppet/ssl/certificate_request_attributes'
+require 'puppet/rest/errors'
+require 'puppet/rest/routes'
 
 # The class that manages all aspects of our SSL certificates --
 # private keys, public keys, requests, etc.
@@ -22,10 +24,10 @@ class Puppet::SSL::Host
     The indirection key is the certificate CN (generally a hostname).
 DOC
 
-  attr_reader :name
+  attr_reader :name, :crl_path
   attr_accessor :ca
 
-  attr_writer :key, :certificate, :certificate_request
+  attr_writer :key, :certificate, :certificate_request, :crl_usage
 
   # This accessor is used in instances for indirector requests to hold desired state
   attr_accessor :desired_state
@@ -192,14 +194,25 @@ DOC
     true
   end
 
+  def http_client
+    # This can't be required top-level because Puppetserver uses the Host class too,
+    # and we don't ship the gem in that context.
+    require 'puppet/rest/client'
+    @http_client ||= Puppet::Rest::Client.new
+  end
+
   def certificate
     unless @certificate
       generate_key unless key
 
       # get the CA cert first, since it's required for the normal cert
-      # to be of any use.
-      return nil unless Certificate.indirection.find("ca", :fail_on_404 => true) unless ca?
-      return nil unless @certificate = Certificate.indirection.find(name)
+      # to be of any use. If we can't get it, quit.
+      if !ca? && !ensure_ca_certificate
+        return nil
+      end
+
+      @certificate = get_host_certificate
+      return nil unless @certificate
 
       validate_certificate_with_key
     end
@@ -264,6 +277,8 @@ ERROR_STRING
     Puppet::SSL::Base.validate_certname(@name)
     @key = @certificate = @certificate_request = nil
     @ca = (name == self.class.ca_name)
+    @crl_usage = Puppet.settings[:certificate_revocation]
+    @crl_path = Puppet.settings[:hostcrl]
   end
 
   # Extract the public key from the private key.
@@ -271,10 +286,19 @@ ERROR_STRING
     key.content.public_key
   end
 
+  def use_crl?
+    !!@crl_usage
+  end
+
+  def use_crl_chain?
+    @crl_usage == true || @crl_usage == :chain
+  end
+
   # Create/return a store that uses our SSL info to validate
   # connections.
   def ssl_store(purpose = OpenSSL::X509::PURPOSE_ANY)
     if @ssl_store.nil?
+      ensure_crl_if_needed
       @ssl_store = build_ssl_store(purpose)
     end
     @ssl_store
@@ -371,27 +395,242 @@ ERROR_STRING
 
   private
 
+  # Ensures that CRL is either on disk, or that CRL checking has been disabled
+  def ensure_crl_if_needed
+    if use_crl? && !Puppet::FileSystem.exist?(crl_path)
+      # The CertificateRevocationList indirector will attempt to download the
+      # CRL from the CA if it does not exist on disk. It will ask host for
+      # its ssl_store again, but expect crl checking to be disabled for that
+      # store. This is not thread safe, and should be replaced as soon as we
+      # no longer need to use the indirector to download the CRL (PUP-8654).
+      old_crl_usage = @crl_usage
+      @crl_usage = false
+      Puppet.debug _("Disabling certificate revocation checking when fetching the CRL and no CRL is present")
+      if !CertificateRevocationList.indirection.find(CA_NAME)
+        raise Puppet::Error,
+              _("Certificate revocation checking is enabled but a CRL cannot be found; CRL checking will not be performed.")
+      end
+      @crl_usage = old_crl_usage
+    end
+  end
+
+  # @param path [String] Path to CRL Chain
+  # @return [Array<OpenSSL::X509::CRL>] CRLs from chain
+  # @raise [Errno::ENOENT] if file does not exist
+  # @raise [Puppet::Error<OpenSSL::X509::CRLError>] if the CRL chain is malformed
+  def load_crls(path)
+    delimiters = /-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m
+    crls_pems = Puppet::FileSystem.read(path, encoding: Encoding::UTF_8)
+    crls_pems.scan(delimiters).map do |crl|
+      begin
+        OpenSSL::X509::CRL.new(crl)
+      rescue OpenSSL::X509::CRLError => e
+        raise Puppet::Error.new(
+            _("Failed attempting to load CRL from %{crl_path}! The CRL below caused the error '%{error}':\n%{crl}" % {crl_path: crl_path, error: e.message, crl: crl}),
+          e)
+      end
+    end
+  end
+
+  # Ensures that the CA certificate is available for either generating or
+  # validating the host's cert.
+  # It will first check if the cert is present in memory (used for testing),
+  # then check on disk, and finally try to download it.
+  # @raise [Puppet::Error] if text form of found certificate bundle is invalid
+  #                        and cannot be loaded into cert objects
+  # @return [Boolean] true if the CA certificate was found, false otherwise
+  def ensure_ca_certificate
+    file_path = certificate_location(CA_NAME)
+    if check_for_certificate_in_memory(CA_NAME)
+      true
+    elsif Puppet::FileSystem.exist?(file_path)
+      begin
+        # This load ensures that the file contents is a valid cert bundle.
+        # If the text is malformed, load_certificate_bundle will raise.
+        load_certificate_bundle(Puppet::FileSystem.read(file_path))
+      rescue Puppet::Error => e
+        raise Puppet::Error, _("The CA certificate at %{file_path} is invalid: %{message}") % { file_path: file_path, message: e.message }
+      end
+    else
+      bundle = download_ca_certificate_bundle
+      if bundle
+        save_certificate_bundle(bundle)
+        true
+      else
+        false
+      end
+    end
+  end
+
+  # Creates an arry of SSL Certificate objects from a PEM-encoding string
+  # of one or more certs.
+  # @param [String] bundle_string PEM-encoded string of certs
+  # @return [[OpenSSL::X509::Certificate], nil] the certs loaded from the
+  #         input string, or nil if none could be loaded
+  def load_certificate_bundle(bundle_string)
+    delimiters = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m
+    certs = bundle_string.scan(delimiters)
+
+    if certs.empty?
+      raise Puppet::Error, _("No valid PEM-encoded certificates.")
+    end
+
+    certs.map do |cert|
+      begin
+        OpenSSL::X509::Certificate.new(cert)
+      rescue OpenSSL::X509::CertificateError => e
+        raise Puppet::Error, _("Could not parse certificate: %{message}") % { message: e.message }
+      end
+    end
+  end
+
+  # Fetches the CA certificate bundle from the CA server
+  # @raise [Puppet::Error] if response from the server is not a valid certificate
+  #                        bundle
+  # @return [[OpenSSL::X509::Certificate]] the certs loaded from the response
+  def download_ca_certificate_bundle
+    return nil if Puppet::SSL::Host.ca_location != :remote
+
+    begin
+      cert_bundle = Puppet::Rest::Routes.get_certificate(http_client, CA_NAME)
+      # This load ensures that the response body is a valid cert bundle.
+      # If the text is malformed, load_certificate_bundle will raise.
+      begin
+        load_certificate_bundle(cert_bundle)
+      rescue Puppet::Error => e
+        raise Puppet::Error, _("Response from the CA did not contain a valid CA certificate: %{message}") % { message: e.message }
+      end
+    rescue Puppet::Rest::ResponseError => e
+      raise Puppet::Error, _('Could not download CA certificate: %{message}') % { message: e.message }
+    end
+  end
+
+  # Saves the given certs to disc, to a location determined based
+  # on this host's configuration.
+  # @param [[OpenSSL::X509::Certificate]] the certs to save
+  def save_certificate_bundle(cert_bundle)
+    Puppet::Util.replace_file(certificate_location(CA_NAME), 0644) do |f|
+      bundle_string = cert_bundle.map(&:to_pem).join("\n")
+      f.write(bundle_string)
+    end
+  end
+
+  # Attempts to load or fetch this host's certificate. Returns nil if
+  # no certificate could be found.
+  # @return [Puppet::SSL::Certificate, nil]
+  def get_host_certificate
+    if cert = check_for_certificate_in_memory(name)
+      return cert
+    elsif cert = check_for_certificate_on_disk(name)
+      return cert
+    elsif cert = download_certificate_from_ca(name)
+      save_host_certificate(cert)
+      return cert
+    else
+      return nil
+    end
+  end
+
+  # Checks the certificate indirection for a cert stored in memory.
+  # Only relevant if the memory terminus is in use, and currently
+  # only used in testing.
+  # @param [String] name the name of the cert to look for
+  # @return [Puppet::SSL::Certificate, nil]
+  def check_for_certificate_in_memory(cert_name)
+    if Puppet::SSL::Certificate.indirection.terminus_class == :memory
+      return Puppet::SSL::Certificate.indirection.find(cert_name)
+    end
+  end
+
+  # Checks for the requested certificate on disc, at a location
+  # determined by this host's configuration.
+  # @name [String] name the name of the cert to look for
+  # @raise [Puppet::Error] if contents of certificate file is invalid
+  #                        and could not be loaded
+  # @return [Puppet::SSL::Certificate, nil]
+  def check_for_certificate_on_disk(cert_name)
+    file_path = certificate_location(cert_name)
+    if Puppet::FileSystem.exist?(file_path)
+      begin
+        Puppet::SSL::Certificate.from_s(Puppet::FileSystem.read(file_path))
+      rescue OpenSSL::X509::CertificateError
+        raise Puppet::Error, _("The certificate at %{file_path} is invalid. Could not load.") % { file_path: file_path }
+      end
+    end
+  end
+
+  # Attempts to download this host's certificate from the CA server.
+  # Returns nil if the CA does not yet have a signed cert for this host.
+  # @param [String] name then name of the cert to fetch
+  # @raise [Puppet::Error] if response from the CA does not contain a valid
+  #                        certificate
+  # @return [Puppet::SSL::Certificate, nil]
+  def download_certificate_from_ca(cert_name)
+    return nil if Puppet::SSL::Host.ca_location != :remote
+
+    begin
+      cert = Puppet::Rest::Routes.get_certificate(http_client, cert_name)
+      begin
+        Puppet::SSL::Certificate.from_s(cert)
+      rescue OpenSSL::X509::CertificateError
+        raise Puppet::Error, _("Response from the CA did not contain a valid certificate for %{cert_name}.") % { cert_name: cert_name }
+      end
+    rescue Puppet::Rest::ResponseError => e
+      if e.response.status_code == 404
+        Puppet.debug _("No certificate for %{cert_name} on CA") % { cert_name: cert_name }
+        nil
+      else
+        raise Puppet::Rest::ResponseError, _("Could not download host certificate: %{message}") % { message: e.message }
+      end
+    end
+  end
+
+  # Saves the given certificate to disc, at a location determined by this
+  # host's configuration.
+  # @param [Puppet::SSL::Certificate] cert the cert to save
+  def save_host_certificate(cert)
+    file_path = certificate_location(name)
+    Puppet::Util.replace_file(file_path, 0644) do |f|
+      f.write(cert.to_s)
+    end
+  end
+
+  # Returns the file path for the named certificate, based on this host's
+  # configuration.
+  # @param [String] name the name of the cert to find
+  # @return [String] file path to the certs location
+  def certificate_location(cert_name)
+    if Puppet::SSL::Host.ca_location == :only
+      cert_name == CA_NAME ? Puppet[:cacert] : File.join(Puppet[:signeddir], "#{cert_name}.pem")
+    else
+      cert_name == CA_NAME ? Puppet[:localcacert] : File.join(Puppet[:certdir], "#{cert_name}.pem")
+    end
+  end
+
+  # @param [OpenSSL::X509::PURPOSE_*] constant defining the kinds of certs
+  #   this store can verify
+  # @return [OpenSSL::X509::Store]
+  # @raise [OpenSSL::X509::StoreError] if localcacert is malformed or non-existant
+  # @raise [Puppet::Error] if the CRL chain is malformed
+  # @raise [Errno::ENOENT] if the CRL does not exist on disk but use_crl? is true
   def build_ssl_store(purpose)
     store = OpenSSL::X509::Store.new
     store.purpose = purpose
 
     # Use the file path here, because we don't want to cause
     # a lookup in the middle of setting our ssl connection.
-    store.add_file(Puppet[:localcacert])
-
-    # If we're doing revocation and there's a CRL, add it to our store.
-    if Puppet.lookup(:certificate_revocation)
-      if crl = Puppet::SSL::CertificateRevocationList.indirection.find(CA_NAME)
-        flags = OpenSSL::X509::V_FLAG_CRL_CHECK
-        if Puppet.lookup(:certificate_revocation) == :chain
-          flags |= OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
-        end
-
-        store.flags = flags
-        store.add_crl(crl.content)
-      else
-        Puppet.debug _("Certificate revocation checking is enabled but a CRL cannot be found; CRL checking will not be performed.")
+    store.add_file(Puppet.settings[:localcacert])
+
+    if use_crl?
+      crls = load_crls(crl_path)
+
+      flags = OpenSSL::X509::V_FLAG_CRL_CHECK
+      if use_crl_chain?
+        flags |= OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
       end
+
+      store.flags = flags
+      crls.each {|crl| store.add_crl(crl) }
     end
     store
   end

data/vendored/puppet/lib/puppet/ssl/validator/default_validator.rb

@@ -9,27 +9,20 @@ require 'puppet/ssl'
 class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
   attr_reader :peer_certs
   attr_reader :verify_errors
-  attr_reader :ssl_configuration
 
   FIVE_MINUTES_AS_SECONDS = 5 * 60
 
   # Creates a new DefaultValidator, optionally with an SSL Configuration and SSL Host.
   #
-  # @param ssl_configuration [Puppet::SSL::Configuration] (a default configuration) ssl_configuration the SSL configuration to use
-  # @param ssl_host [Puppet::SSL::Host] The SSL host to use
+  # @param ca_path [String] Filepath for the cacert
   #
   # @api private
   #
   def initialize(
-      ssl_configuration = Puppet::SSL::Configuration.new(
-                                        Puppet[:localcacert], {
-                                          :ca_auth_file  => Puppet[:ssl_client_ca_auth]
-                                        }),
-      ssl_host = Puppet.lookup(:ssl_host))
+    ca_path = Puppet[:ssl_client_ca_auth] || Puppet[:localcacert])
 
     reset!
-    @ssl_configuration = ssl_configuration
-    @ssl_host = ssl_host
+    @ca_path = ca_path
   end
 
 
@@ -70,7 +63,7 @@ class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
   #
   def call(preverify_ok, store_context)
     current_cert = store_context.current_cert
-    @peer_certs << Puppet::SSL::Certificate.from_instance(current_cert)
+    @peer_certs << current_cert
 
     # We must make a copy since the scope of the store_context will be lost
     # across invocations of this method.
@@ -113,16 +106,17 @@ class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
   #
   # @param [Net::HTTP] connection The connection to validate
   #
+  # @param [Puppet::SSL::Host] host The host object containing SSL data
   # @return [void]
   #
   # @api private
   #
-  def setup_connection(connection)
+  def setup_connection(connection, ssl_host = Puppet.lookup(:ssl_host))
     if ssl_certificates_are_present?
-      connection.cert_store = @ssl_host.ssl_store
-      connection.ca_file = @ssl_configuration.ca_auth_file
-      connection.cert = @ssl_host.certificate.content
-      connection.key = @ssl_host.key.content
+      connection.cert_store = ssl_host.ssl_store
+      connection.ca_file = @ca_path
+      connection.cert = ssl_host.certificate.content
+      connection.key = ssl_host.key.content
       connection.verify_mode = OpenSSL::SSL::VERIFY_PEER
       connection.verify_callback = self
     else
@@ -130,13 +124,33 @@ class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
     end
   end
 
+  ##
+  # Decode a string of concatenated certificates
+  #
+  # @return [Array<OpenSSL::X509::Certificate>]
+  def decode_cert_bundle(bundle_str)
+    re = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m
+    pem_ary = bundle_str.scan(re)
+    pem_ary.map do |pem_str|
+      OpenSSL::X509::Certificate.new(pem_str)
+    end
+  end
+
+  # read_file makes testing easier.
+  def read_file(path)
+    # https://www.ietf.org/rfc/rfc2459.txt defines the x509 V3 certificate format
+    # CA bundles are concatenated X509 certificates, but may also include
+    # comments, which could have UTF-8 characters
+    Puppet::FileSystem.read(path, :encoding => Encoding::UTF_8)
+  end
+
   # Validates the peer certificates against the authorized certificates.
   #
   # @api private
   #
   def valid_peer?
-    descending_cert_chain = @peer_certs.reverse.map {|c| c.content }
-    authz_ca_certs = ssl_configuration.ca_auth_certificates
+    descending_cert_chain = @peer_certs.reverse
+    authz_ca_certs = decode_cert_bundle(read_file(@ca_path))
 
     if not has_authz_peer_cert(descending_cert_chain, authz_ca_certs)
       msg = "The server presented a SSL certificate chain which does not include a " <<
@@ -168,6 +182,6 @@ class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
   # @api private
   #
   def ssl_certificates_are_present?
-    Puppet::FileSystem.exist?(Puppet[:hostcert]) && Puppet::FileSystem.exist?(@ssl_configuration.ca_auth_file)
+    Puppet::FileSystem.exist?(Puppet[:hostcert]) && Puppet::FileSystem.exist?(@ca_path)
   end
 end