bolt 0.21.1 → 0.21.2

data/vendored/puppet/lib/puppet/rest/routes.rb

@@ -2,12 +2,13 @@ require 'puppet/rest/route'
 
 module Puppet::Rest
   module Routes
+
     ACCEPT_ENCODING = 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3'
 
     def self.ca
       @ca ||= Route.new(api: '/puppet-ca/v1/',
-                        default_server: Puppet[:ca_server],
-                        default_port: Puppet[:ca_port],
+                        server_setting: :ca_server,
+                        port_setting: :ca_port,
                         srv_service: :ca)
     end
 
@@ -18,12 +19,71 @@ module Puppet::Rest
     # @raise [Puppet::Rest::ResponseError] if the response status is not OK
     # @return [String] the PEM-encoded certificate or certificate bundle
     def self.get_certificate(client, name)
-      ca.with_base_url(client.dns_resolver) do |base_url|
-        header = { 'Accept' => 'text/plain', 'accept-encoding' => ACCEPT_ENCODING }
+      ca.with_base_url(client.dns_resolver) do |url|
+        header = { 'Accept' => 'text/plain', 'Accept-Encoding' => ACCEPT_ENCODING }
+        body = ''
+        url.path += "certificate/#{name}"
+        client.get(url, header: header) do |chunk|
+          body << chunk
+        end
+        Puppet.info _("Downloaded certificate for %{name} from %{server}") % { name: name, server: ca.server }
+        body
+      end
+    end
+
+    # Make an HTTP request to fetch the named crl, using the given
+    # HTTP client. Accepts a block to stream responses to disk.
+    # @param [Puppet::Rest::Client] client the HTTP client to use to make the request
+    # @param [String] name the crl to fetch
+    # @raise [Puppet::Rest::ResponseError] if the response status is not OK
+    # @return nil
+    def self.get_crls(client, name, &block)
+      ca.with_base_url(client.dns_resolver) do |url|
+        header = { 'Accept' => 'text/plain', 'Accept-Encoding' => ACCEPT_ENCODING }
+        url.path += "certificate_revocation_list/#{name}"
+        client.get(url, header: header) do |chunk|
+          block.call(chunk)
+        end
+        Puppet.debug _("Downloaded certificate revocation list for %{name} from %{server}") % { name: name, server: ca.server }
+      end
+    end
+
+    # Make an HTTP request to send the named CSR, using the given
+    # HTTP client.
+    # @param [Puppet::Rest::Client] client the HTTP client to use to make the request
+    # @param [String] csr_pem the contents of the CSR to sent to the CA
+    # @param [String] name the name of the host whose CSR is being submitted
+    # @rasies [Puppet::Rest::ResponseError] if the response status is not OK
+    def self.put_certificate_request(client, csr_pem, name)
+      ca.with_base_url(client.dns_resolver) do |url|
+        header = { 'Accept' => 'text/plain',
+                   'Accept-Encoding' => ACCEPT_ENCODING,
+                   'Content-Type' => 'text/plain' }
+        url.path += "certificate_request/#{name}"
+        response = client.put(url, body: csr_pem, header: header)
+        if response.ok?
+          Puppet.debug "Submitted certificate request to server."
+        else
+          raise response.to_exception
+        end
+      end
+    end
+
+    # Make an HTTP request to get the named CSR, using the given
+    # HTTP client.
+    # @param [Puppet::Rest::Client] client the HTTP client to use to make the request
+    # @param [String] name the name of the host whose CSR is being queried
+    # @rasies [Puppet::Rest::ResponseError] if the response status is not OK
+    # @return [String] the PEM encoded certificate request
+    def self.get_certificate_request(client, name)
+      ca.with_base_url(client.dns_resolver) do |url|
+        header = { 'Accept' => 'text/plain', 'Accept-Encoding' => ACCEPT_ENCODING }
         body = ''
-        client.get(base_url + "certificate/#{name}", header: header) do |chunk|
+        url.path += "certificate_request/#{name}"
+        client.get(url, header: header) do |chunk|
           body << chunk
         end
+        Puppet.debug _("Downloaded existing certificate request for %{name} from %{server}") % { name: name, server: ca.server }
         body
       end
     end

data/vendored/puppet/lib/puppet/rest/ssl_context.rb

@@ -0,0 +1,13 @@
+module Puppet::Rest
+  class SSLContext
+
+    attr_reader :verify_mode, :cert_store
+
+    # @param [OpenSSL::SSL::VERIFY_NONE, OpenSSL::SSL::VERIFY_PEER] verify_mode
+    # @param [OpenSSL::X509::SSLStore] cert_store
+    def initialize(verify_mode, cert_store = OpenSSL::X509::Store.new)
+      @verify_mode = verify_mode
+      @cert_store = cert_store
+    end
+  end
+end

data/vendored/puppet/lib/puppet/settings.rb

@@ -452,6 +452,12 @@ class Puppet::Settings
   # Prints the contents of a config file with the available config settings, or it
   # prints a single value of a config setting.
   def print_config_options
+    if Puppet::Util::Log.sendlevel?(:info)
+      Puppet::Util::Log.newdestination(:console)
+      message = (_("Using --configprint is deprecated. Use 'puppet config <subcommand>' instead."))
+      Puppet.deprecation_warning(message)
+    end
+
     env = value(:environment)
     val = value(:configprint)
     if val == "all"

data/vendored/puppet/lib/puppet/settings/config_file.rb

@@ -25,8 +25,7 @@ class Puppet::Settings::ConfigFile
       allowed_section_names << 'main' unless allowed_section_names.include?('main')
     end
 
-    # in Ruby 1.9.3 strings are not UTF-8 by default, so ensure text is treated properly
-    ini = Puppet::Settings::IniFile.parse(StringIO.new(text).set_encoding(Encoding::UTF_8))
+    ini = Puppet::Settings::IniFile.parse(text.encode(Encoding::UTF_8))
     unique_sections_in(ini, file, allowed_section_names).each do |section_name|
       section = Section.new(section_name.to_sym)
       result.with_section(section)

data/vendored/puppet/lib/puppet/ssl/certificate_request.rb

@@ -103,7 +103,11 @@ DOC
     raise Puppet::Error, _("CSR sign verification failed; you need to clean the certificate request for %{name} on the server") % { name: name } unless csr.verify(key.public_key)
 
     @content = csr
-    Puppet.info _("Certificate Request fingerprint (%{digest}): %{hex_digest}") % { digest: digest.name, hex_digest: digest.to_hex }
+
+    # we won't be able to get the digest on jruby
+    if @content.signature_algorithm
+      Puppet.info _("Certificate Request fingerprint (%{digest}): %{hex_digest}") % { digest: digest.name, hex_digest: digest.to_hex }
+    end
     @content
   end
 

data/vendored/puppet/lib/puppet/ssl/host.rb

@@ -7,6 +7,14 @@ require 'puppet/ssl/certificate_revocation_list'
 require 'puppet/ssl/certificate_request_attributes'
 require 'puppet/rest/errors'
 require 'puppet/rest/routes'
+require 'puppet/rest/ssl_context'
+begin
+  # This may fail when being loaded from Puppet Server. However loading the
+  # client monkey patches the SSL Store and we need to have those monkey
+  # patches in as soon as possible on the agent.
+  require 'puppet/rest/client'
+rescue LoadError
+end
 
 # The class that manages all aspects of our SSL certificates --
 # private keys, public keys, requests, etc.
@@ -158,10 +166,6 @@ DOC
     true
   end
 
-  def certificate_request
-    @certificate_request ||= CertificateRequest.indirection.find(name)
-  end
-
   # Our certificate request requires the key but that's all.
   def generate_certificate_request(options = {})
     generate_key unless key
@@ -185,7 +189,7 @@ DOC
     @certificate_request = CertificateRequest.new(name)
     @certificate_request.generate(key.content, options)
     begin
-      CertificateRequest.indirection.save(@certificate_request)
+      submit_certificate_request(@certificate_request)
     rescue
       @certificate_request = nil
       raise
@@ -194,11 +198,8 @@ DOC
     true
   end
 
-  def http_client
-    # This can't be required top-level because Puppetserver uses the Host class too,
-    # and we don't ship the gem in that context.
-    require 'puppet/rest/client'
-    @http_client ||= Puppet::Rest::Client.new
+  def http_client(ssl_context)
+    Puppet::Rest::Client.new(ssl_context: ssl_context)
   end
 
   def certificate
@@ -237,10 +238,26 @@ ERROR_STRING
     end
   end
 
+  # Search for an existing CSR for this host either cached on
+  # disk or stored by the CA. Returns nil if no request exists.
+  # @return [Puppet::SSL::CertificateRequest, nil]
+  def certificate_request
+    unless @certificate_request
+      if csr = load_certificate_request_from_file
+        @certificate_request = csr
+      elsif Puppet::SSL::Host.ca_location == :remote
+        if csr = download_csr_from_ca
+          @certificate_request = csr
+        end
+      end
+    end
+    @certificate_request
+  end
+
   # Generate all necessary parts of our ssl host.
   def generate
     generate_key unless key
-    # ask indirector to find any existing requests and download them
+
     existing_request = certificate_request
 
     # if CSR downloaded from master, but the local keypair was just generated and
@@ -298,7 +315,6 @@ ERROR_STRING
   # connections.
   def ssl_store(purpose = OpenSSL::X509::PURPOSE_ANY)
     if @ssl_store.nil?
-      ensure_crl_if_needed
       @ssl_store = build_ssl_store(purpose)
     end
     @ssl_store
@@ -395,43 +411,88 @@ ERROR_STRING
 
   private
 
-  # Ensures that CRL is either on disk, or that CRL checking has been disabled
-  def ensure_crl_if_needed
-    if use_crl? && !Puppet::FileSystem.exist?(crl_path)
-      # The CertificateRevocationList indirector will attempt to download the
-      # CRL from the CA if it does not exist on disk. It will ask host for
-      # its ssl_store again, but expect crl checking to be disabled for that
-      # store. This is not thread safe, and should be replaced as soon as we
-      # no longer need to use the indirector to download the CRL (PUP-8654).
-      old_crl_usage = @crl_usage
-      @crl_usage = false
-      Puppet.debug _("Disabling certificate revocation checking when fetching the CRL and no CRL is present")
-      if !CertificateRevocationList.indirection.find(CA_NAME)
-        raise Puppet::Error,
-              _("Certificate revocation checking is enabled but a CRL cannot be found; CRL checking will not be performed.")
+  # Load a previously generated CSR either from memory or from disk
+  # @return [Puppet::SSL::CertificateRequest, nil]
+  def load_certificate_request_from_file
+    if Puppet::SSL::CertificateRequest.indirection.terminus_class == :memory
+      return Puppet::SSL::CertificateRequest.indirection.find(cert_name)
+    end
+
+    request_path = certificate_request_location(name)
+    if Puppet::FileSystem.exist?(request_path)
+      Puppet::SSL::CertificateRequest.from_s(Puppet::FileSystem.read(request_path))
+    end
+  end
+
+  # Download the CSR for this host from the CA. Returns nil if the CA
+  # has no saved CSR for this host.
+  # @raises [Puppet::Error] if the response from the server is not a valid
+  #                         CSR or an error occurs while fetching.
+  # @return [Puppet::SSL::CertificateRequest, nil]
+  def download_csr_from_ca
+    begin
+      body = Puppet::Rest::Routes.get_certificate_request(
+                    http_client(Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, ssl_store)),
+                    name)
+      begin
+        Puppet::SSL::CertificateRequest.from_s(body)
+      rescue OpenSSL::X509::RequestError => e
+        raise Puppet::Error, _("Response from the CA did not contain a valid certificate request: %{message}") % { message: e.message }
+      end
+    rescue Puppet::Rest::ResponseError => e
+      if e.response.status_code == 404
+        nil
+      else
+        raise Puppet::Error, _('Could not download certificate request: %{message}') % { message: e.message }
       end
-      @crl_usage = old_crl_usage
     end
   end
+  # Submit the CSR to the CA, either via an HTTP PUT request, or when testing,
+  # via the indirector (needed for both memory and CA terminii). This also
+  # caches a copy of the CSR on disk.
+  # @param [Puppet::SSL::CertificateRequest] csr the request to submit
+  def submit_certificate_request(csr)
+    if Puppet::SSL::CertificateRequest.indirection.terminus_class == :memory ||
+      Puppet::SSL::CertificateRequest.indirection.terminus_class == :ca
+      Puppet::SSL::CertificateRequest.indirection.save(csr)
+      return
+    end
 
-  # @param path [String] Path to CRL Chain
+    if Puppet::SSL::Host.ca_location == :remote
+      Puppet::Rest::Routes.put_certificate_request(
+                    http_client(Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, ssl_store)),
+                    csr.render, name)
+    end
+
+    Puppet::Util.replace_file(certificate_request_location(name), 0644) do |file|
+      file.write(csr.render)
+    end
+  end
+
+  # @param crl_string [String] CRLs read from disk or obtained from server
   # @return [Array<OpenSSL::X509::CRL>] CRLs from chain
-  # @raise [Errno::ENOENT] if file does not exist
   # @raise [Puppet::Error<OpenSSL::X509::CRLError>] if the CRL chain is malformed
-  def load_crls(path)
+  def process_crl_string(crl_string)
     delimiters = /-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m
-    crls_pems = Puppet::FileSystem.read(path, encoding: Encoding::UTF_8)
-    crls_pems.scan(delimiters).map do |crl|
+    crl_string.scan(delimiters).map do |crl|
       begin
         OpenSSL::X509::CRL.new(crl)
       rescue OpenSSL::X509::CRLError => e
         raise Puppet::Error.new(
-            _("Failed attempting to load CRL from %{crl_path}! The CRL below caused the error '%{error}':\n%{crl}" % {crl_path: crl_path, error: e.message, crl: crl}),
+          _("Failed attempting to load CRL from %{crl_path}! The CRL below caused the error '%{error}':\n%{crl}" % {crl_path: crl_path, error: e.message, crl: crl}),
           e)
       end
     end
   end
 
+  # @param path [String] Path to CRL Chain
+  # @return [Array<OpenSSL::X509::CRL>] CRLs from chain
+  # @raise [Puppet::Error<OpenSSL::X509::CRLError>] if the CRL chain is malformed
+  def load_crls(path)
+    crls_pems = Puppet::FileSystem.read(path, encoding: Encoding::UTF_8)
+    process_crl_string(crls_pems)
+  end
+
   # Ensures that the CA certificate is available for either generating or
   # validating the host's cert.
   # It will first check if the cert is present in memory (used for testing),
@@ -454,7 +515,7 @@ ERROR_STRING
     else
       bundle = download_ca_certificate_bundle
       if bundle
-        save_certificate_bundle(bundle)
+        save_bundle(bundle, certificate_location(CA_NAME))
         true
       else
         false
@@ -484,6 +545,30 @@ ERROR_STRING
     end
   end
 
+  # Fetches and saves the crl bundle from the CA server without validating
+  # its contents. Takes an optional store to use with the http_client,
+  # necessary for initial download of the CRL because `build_ssl_store`
+  # calls this `download_and_save_crl_bundle`. If there is an error during
+  # this downloading process, the file should not be replaced at all. This
+  # streams the file directly to disk to avoid loading the entire CRL in memory.
+  # @param [OpenSSL::X509::Store] store optional ssl_store to use with http_client
+  # @raise [Puppet::Error<Puppet::Rest::ResponseError>] if bad response from server
+  # @return nil
+  def download_and_save_crl_bundle(store=nil)
+    begin
+      # If no SSL store was suppoed, use this host's SSL store
+      store ||= ssl_store
+      client = http_client(Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, store))
+      Puppet::Util.replace_file(crl_path, 0644) do |file|
+        Puppet::Rest::Routes.get_crls(client, CA_NAME) do |chunk|
+          file.write(chunk)
+        end
+      end
+    rescue Puppet::Rest::ResponseError => e
+      raise Puppet::Error, _('Could not download CRLs: %{message}') % { message: e.message }
+    end
+  end
+
   # Fetches the CA certificate bundle from the CA server
   # @raise [Puppet::Error] if response from the server is not a valid certificate
   #                        bundle
@@ -492,7 +577,9 @@ ERROR_STRING
     return nil if Puppet::SSL::Host.ca_location != :remote
 
     begin
-      cert_bundle = Puppet::Rest::Routes.get_certificate(http_client, CA_NAME)
+      cert_bundle = Puppet::Rest::Routes.get_certificate(
+                    http_client(Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_NONE)),
+                    CA_NAME)
       # This load ensures that the response body is a valid cert bundle.
       # If the text is malformed, load_certificate_bundle will raise.
       begin
@@ -505,11 +592,11 @@ ERROR_STRING
     end
   end
 
-  # Saves the given certs to disc, to a location determined based
-  # on this host's configuration.
-  # @param [[OpenSSL::X509::Certificate]] the certs to save
-  def save_certificate_bundle(cert_bundle)
-    Puppet::Util.replace_file(certificate_location(CA_NAME), 0644) do |f|
+  # Saves the given bundle to disk to a specified file path.
+  # @param bundle [[OpenSSL::X509::Certificate/CRL]] the certs to save
+  # @param location [String] place on disk to save bundle
+  def save_bundle(cert_bundle, location)
+    Puppet::Util.replace_file(location, 0644) do |f|
       bundle_string = cert_bundle.map(&:to_pem).join("\n")
       f.write(bundle_string)
     end
@@ -569,7 +656,9 @@ ERROR_STRING
     return nil if Puppet::SSL::Host.ca_location != :remote
 
     begin
-      cert = Puppet::Rest::Routes.get_certificate(http_client, cert_name)
+      cert = Puppet::Rest::Routes.get_certificate(
+                    http_client(Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, ssl_store)),
+                    cert_name)
       begin
         Puppet::SSL::Certificate.from_s(cert)
       rescue OpenSSL::X509::CertificateError
@@ -598,7 +687,7 @@ ERROR_STRING
   # Returns the file path for the named certificate, based on this host's
   # configuration.
   # @param [String] name the name of the cert to find
-  # @return [String] file path to the certs location
+  # @return [String] file path to the cert's location
   def certificate_location(cert_name)
     if Puppet::SSL::Host.ca_location == :only
       cert_name == CA_NAME ? Puppet[:cacert] : File.join(Puppet[:signeddir], "#{cert_name}.pem")
@@ -607,13 +696,25 @@ ERROR_STRING
     end
   end
 
+  # Returns the file path for the named CSR, based on this host's configuration.
+  # @param [String] name the name of the CSR to find
+  # @return [String] file path to the CSR's location
+  def certificate_request_location(cert_name)
+    if Puppet::SSL::Host.ca_location == :only ||
+        Puppet::SSL::Host.ca_location == :local
+      File.join(Puppet[:csrdir], "#{cert_name}.pem")
+    else
+      File.join(Puppet[:requestdir], "#{cert_name}.pem")
+    end
+  end
+
   # @param [OpenSSL::X509::PURPOSE_*] constant defining the kinds of certs
   #   this store can verify
   # @return [OpenSSL::X509::Store]
   # @raise [OpenSSL::X509::StoreError] if localcacert is malformed or non-existant
   # @raise [Puppet::Error] if the CRL chain is malformed
   # @raise [Errno::ENOENT] if the CRL does not exist on disk but use_crl? is true
-  def build_ssl_store(purpose)
+  def build_ssl_store(purpose=OpenSSL::X509::PURPOSE_ANY)
     store = OpenSSL::X509::Store.new
     store.purpose = purpose
 
@@ -622,6 +723,10 @@ ERROR_STRING
     store.add_file(Puppet.settings[:localcacert])
 
     if use_crl?
+      if !Puppet::FileSystem.exist?(crl_path)
+        download_and_save_crl_bundle(store)
+      end
+
       crls = load_crls(crl_path)
 
       flags = OpenSSL::X509::V_FLAG_CRL_CHECK