RubyGems - bolt - Versions diffs - 0.23.0 → 0.24.0 - Mend

bolt 0.23.0 → 0.24.0

Potentially problematic release.

This version of bolt might be problematic. Click here for more details.

Files changed (192) hide show

data/vendored/puppet/lib/puppet/provider/cron/crontab.rb DELETED

@@ -1,297 +0,0 @@
-require 'puppet/provider/parsedfile'
-Puppet::Type.type(:cron).provide(:crontab, :parent => Puppet::Provider::ParsedFile, :default_target => ENV["USER"] || "root") do
-  commands :crontab => "crontab"
-  text_line :comment, :match => %r{^\s*#}, :post_parse => proc { |record|
-    record[:name] = $1 if record[:line] =~ /Puppet Name: (.+)\s*$/
-  }
-  text_line :blank, :match => %r{^\s*$}
-  text_line :environment, :match => %r{^\s*\w+\s*=}
-  def self.filetype
-  tabname = case Facter.value(:osfamily)
-            when "Solaris"
-              :suntab
-            when "AIX"
-              :aixtab
-            else
-              :crontab
-            end
-    Puppet::Util::FileType.filetype(tabname)
-  end
-  self::TIME_FIELDS = [:minute, :hour, :monthday, :month, :weekday]
-  record_line :crontab,
-    :fields     => %w{time command},
-    :match      => %r{^\s*(@\w+|\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.+)$},
-    :absent     => '*',
-    :block_eval => :instance do
-    def post_parse(record)
-      time = record.delete(:time)
-      if match = /@(\S+)/.match(time)
-        # is there another way to access the constant?
-        Puppet::Type::Cron::ProviderCrontab::TIME_FIELDS.each { |f| record[f] = :absent }
-        record[:special] = match.captures[0]
-      elsif match = /(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)/.match(time)
-        record[:special] = :absent
-        Puppet::Type::Cron::ProviderCrontab::TIME_FIELDS.zip(match.captures).each do |field,value|
-          if value == self.absent
-            record[field] = :absent
-          else
-            record[field] = value.split(",")
-          end
-        end
-      else
-        raise Puppet::Error, _("Line got parsed as a crontab entry but cannot be handled. Please file a bug with the contents of your crontab")
-      end
-      record
-    end
-    def pre_gen(record)
-      if record[:special] and record[:special] != :absent
-        record[:special] = "@#{record[:special]}"
-      end
-      Puppet::Type::Cron::ProviderCrontab::TIME_FIELDS.each do |field|
-        if vals = record[field] and vals.is_a?(Array)
-          record[field] = vals.join(",")
-        end
-      end
-      record
-    end
-    def to_line(record)
-      str = ""
-      record[:name] = nil if record[:unmanaged]
-      str = "# Puppet Name: #{record[:name]}\n" if record[:name]
-      if record[:environment] and record[:environment] != :absent
-        str += record[:environment].map {|line| "#{line}\n"}.join('')
-      end
-      if record[:special] and record[:special] != :absent
-        fields = [:special, :command]
-      else
-        fields = Puppet::Type::Cron::ProviderCrontab::TIME_FIELDS + [:command]
-      end
-      str += record.values_at(*fields).map do |field|
-        if field.nil? or field == :absent
-          self.absent
-        else
-          field
-        end
-      end.join(self.joiner)
-      str
-    end
-  end
-  def create
-    if resource.should(:command) then
-      super
-    else
-      resource.err _("no command specified, cannot create")
-    end
-  end
-  # Look up a resource with a given name whose user matches a record target
-  #
-  # @api private
-  #
-  # @note This overrides the ParsedFile method for finding resources by name,
-  #   so that only records for a given user are matched to resources of the
-  #   same user so that orphaned records in other crontabs don't get falsely
-  #   matched (#2251)
-  #
-  # @param [Hash<Symbol, Object>] record
-  # @param [Array<Puppet::Resource>] resources
-  #
-  # @return [Puppet::Resource, nil] The resource if found, else nil
-  def self.resource_for_record(record, resources)
-    resource = super
-    if resource
-      target = resource[:target] || resource[:user]
-      if record[:target] == target
-        resource
-      end
-    end
-  end
-  # Return the header placed at the top of each generated file, warning
-  # users that modifying this file manually is probably a bad idea.
-  def self.header
-%{# HEADER: This file was autogenerated at #{Time.now} by puppet.
-# HEADER: While it can still be managed manually, it is definitely not recommended.
-# HEADER: Note particularly that the comments starting with 'Puppet Name' should
-# HEADER: not be deleted, as doing so could cause duplicate cron jobs.\n}
-  end
-  # Regex for finding one vixie cron header.
-  def self.native_header_regex
-    /# DO NOT EDIT THIS FILE.*?Cron version.*?vixie.*?\n/m
-  end
-  # If a vixie cron header is found, it should be dropped, cron will insert
-  # a new one in any case, so we need to avoid duplicates.
-  def self.drop_native_header
-    true
-  end
-  # See if we can match the record against an existing cron job.
-  def self.match(record, resources)
-    # if the record is named, do not even bother (#19876)
-    # except the resource name was implicitly generated (#3220)
-    return false if record[:name] and !record[:unmanaged]
-    resources.each do |name, resource|
-      # Match the command first, since it's the most important one.
-      next unless record[:target] == resource[:target]
-      next unless record[:command] == resource.value(:command)
-      # Now check the time fields
-      compare_fields = self::TIME_FIELDS + [:special]
-      matched = true
-      compare_fields.each do |field|
-        # If the resource does not manage a property (say monthday) it should
-        # always match. If it is the other way around (e.g. resource defines
-        # a should value for :special but the record does not have it, we do
-        # not match
-        next unless resource[field]
-        unless record.include?(field)
-          matched = false
-          break
-        end
-        if record_value = record[field] and resource_value = resource.value(field)
-          # The record translates '*' into absent in the post_parse hook and
-          # the resource type does exactly the opposite (alias :absent to *)
-          next if resource_value == '*' and record_value == :absent
-          next if resource_value == record_value
-        end
-        matched =false
-        break
-      end
-      return resource if matched
-    end
-    false
-  end
-  @name_index = 0
-  # Collapse name and env records.
-  def self.prefetch_hook(records)
-    name = nil
-    envs = nil
-    result = records.each { |record|
-      case record[:record_type]
-      when :comment
-        if record[:name]
-          name = record[:name]
-          record[:skip] = true
-          # Start collecting env values
-          envs = []
-        end
-      when :environment
-        # If we're collecting env values (meaning we're in a named cronjob),
-        # store the line and skip the record.
-        if envs
-          envs << record[:line]
-          record[:skip] = true
-        end
-      when :blank
-        # nothing
-      else
-        if name
-          record[:name] = name
-          name = nil
-        else
-          cmd_string = record[:command].gsub(/\s+/, "_")
-          index = ( @name_index += 1 )
-          record[:name] = "unmanaged:#{cmd_string}-#{ index.to_s }"
-          record[:unmanaged] = true
-        end
-        if envs.nil? or envs.empty?
-          record[:environment] = :absent
-        else
-          # Collect all of the environment lines, and mark the records to be skipped,
-          # since their data is included in our crontab record.
-          record[:environment] = envs
-          # And turn off env collection again
-          envs = nil
-        end
-      end
-    }.reject { |record| record[:skip] }
-    result
-  end
-  def self.to_file(records)
-    text = super
-    # Apparently Freebsd will "helpfully" add a new TZ line to every
-    # single cron line, but not in all cases (e.g., it doesn't do it
-    # on my machine).  This is my attempt to fix it so the TZ lines don't
-    # multiply.
-    if text =~ /(^TZ=.+\n)/
-      tz = $1
-      text.sub!(tz, '')
-      text = tz + text
-    end
-    text
-  end
-  def user=(user)
-    # we have to mark the target as modified first, to make sure that if
-    # we move a cronjob from userA to userB, userA's crontab will also
-    # be rewritten
-    mark_target_modified
-    @property_hash[:user] = user
-    @property_hash[:target] = user
-  end
-  def user
-    @property_hash[:user] || @property_hash[:target]
-  end
-  CRONTAB_DIR = case Facter.value("osfamily")
-  when "Debian", "HP-UX"
-    "/var/spool/cron/crontabs"
-  when /BSD/
-    "/var/cron/tabs"
-  when "Darwin"
-    "/usr/lib/cron/tabs/"
-  else
-    "/var/spool/cron"
-  end
-  # Yield the names of all crontab files stored on the local system.
-  #
-  # @note Ignores files that are not writable for the puppet process.
-  #
-  # @api private
-  def self.enumerate_crontabs
-    Puppet.debug "looking for crontabs in #{CRONTAB_DIR}"
-    return unless File.readable?(CRONTAB_DIR)
-    Dir.foreach(CRONTAB_DIR) do |file|
-      path = "#{CRONTAB_DIR}/#{file}"
-      yield(file) if File.file?(path) and File.writable?(path)
-    end
-  end
-  # Include all plausible crontab files on the system
-  # in the list of targets (#11383 / PUP-1381)
-  def self.targets(resources = nil)
-    targets = super(resources)
-    enumerate_crontabs do |target|
-      targets << target
-    end
-    targets.uniq
-  end
-end

data/vendored/puppet/lib/puppet/ssl/certificate_authority.rb DELETED

@@ -1,475 +0,0 @@
-require 'puppet/ssl/host'
-require 'puppet/ssl/certificate_request'
-require 'puppet/ssl/certificate_signer'
-require 'puppet/util'
-# The class that knows how to sign certificates.  It creates
-# a 'special' SSL::Host whose name is 'ca', thus indicating
-# that, well, it's the CA.  There's some magic in the
-# indirector/ssl_file terminus base class that does that
-# for us.
-#   This class mostly just signs certs for us, but
-# it can also be seen as a general interface into all of the
-# SSL stuff.
-class Puppet::SSL::CertificateAuthority
-  # We will only sign extensions on this whitelist, ever.  Any CSR with a
-  # requested extension that we don't recognize is rejected, against the risk
-  # that it will introduce some security issue through our ignorance of it.
-  #
-  # Adding an extension to this whitelist simply means we will consider it
-  # further, not that we will always accept a certificate with an extension
-  # requested on this list.
-  RequestExtensionWhitelist = %w{subjectAltName}
-  require 'puppet/ssl/certificate_factory'
-  require 'puppet/ssl/inventory'
-  require 'puppet/ssl/certificate_revocation_list'
-  require 'puppet/ssl/certificate_authority/interface'
-  require 'puppet/ssl/certificate_authority/autosign_command'
-  require 'puppet/network/authstore'
-  class CertificateVerificationError < RuntimeError
-    attr_accessor :error_code
-    def initialize(code)
-      @error_code = code
-    end
-  end
-  def self.singleton_instance
-    @singleton_instance ||= new
-  end
-  class CertificateSigningError < RuntimeError
-    attr_accessor :host
-    def initialize(host)
-      @host = host
-    end
-  end
-  def self.ca?
-    # running as ca? - ensure boolean answer
-    !!(Puppet[:ca] && Puppet.run_mode.master?)
-  end
-  # If this process can function as a CA, then return a singleton instance.
-  def self.instance
-    ca? ? singleton_instance : nil
-  end
-  attr_reader :name, :host
-  # If autosign is configured, autosign the csr we are passed.
-  # @param csr [Puppet::SSL::CertificateRequest] The csr to sign.
-  # @return [Void]
-  # @api private
-  def autosign(csr)
-    if autosign?(csr)
-      Puppet.info _("Autosigning %{csr}") % { csr: csr.name }
-      sign(csr.name)
-    end
-  end
-  # Determine if a CSR can be autosigned by the autosign store or autosign command
-  #
-  # @param csr [Puppet::SSL::CertificateRequest] The CSR to check
-  # @return [true, false]
-  # @api private
-  def autosign?(csr)
-    auto = Puppet[:autosign]
-    decider = case auto
-      when false
-        AutosignNever.new
-      when true
-        AutosignAlways.new
-      else
-        file = Puppet::FileSystem.pathname(auto)
-        if Puppet::FileSystem.executable?(file)
-          Puppet::SSL::CertificateAuthority::AutosignCommand.new(auto)
-        elsif Puppet::FileSystem.exist?(file)
-          AutosignConfig.new(file)
-        else
-          AutosignNever.new
-        end
-      end
-    decider.allowed?(csr)
-  end
-  # Retrieves (or creates, if necessary) the certificate revocation list.
-  def crl
-    unless defined?(@crl)
-      unless @crl = Puppet::SSL::CertificateRevocationList.indirection.find(Puppet::SSL::CA_NAME)
-        @crl = Puppet::SSL::CertificateRevocationList.new(Puppet::SSL::CA_NAME)
-        @crl.generate(host.certificate.content, host.key.content)
-        Puppet::SSL::CertificateRevocationList.indirection.save(@crl)
-      end
-    end
-    @crl
-  end
-  # Delegates this to our Host class.
-  def destroy(name)
-    Puppet::SSL::Host.destroy(name)
-  end
-  # Generates a new certificate.
-  # @return Puppet::SSL::Certificate
-  def generate(name, options = {})
-    raise ArgumentError, _("A Certificate already exists for %{name}") % { name: name } if Puppet::SSL::Certificate.indirection.find(name)
-    # Pass on any requested subjectAltName field.
-    san = options[:dns_alt_names]
-    host = Puppet::SSL::Host.new(name)
-    host.generate_certificate_request(:dns_alt_names => san)
-    # CSR may have been implicitly autosigned, generating a certificate
-    # Or sign explicitly
-    host.certificate || sign(name, {allow_dns_alt_names: !!san})
-  end
-  # Generate our CA certificate.
-  def generate_ca_certificate
-    generate_password unless password?
-    host.generate_key unless host.key
-    # Create a new cert request.  We do this specially, because we don't want
-    # to actually save the request anywhere.
-    request = Puppet::SSL::CertificateRequest.new(host.name)
-    # We deliberately do not put any subjectAltName in here: the CA
-    # certificate absolutely does not need them. --daniel 2011-10-13
-    request.generate(host.key)
-    # Create a self-signed certificate.
-    @certificate = sign(host.name, {allow_dns_alt_names: false,
-                                    self_signing_csr: request})
-    # And make sure we initialize our CRL.
-    crl
-  end
-  def initialize
-    Puppet.settings.use :main, :ssl, :ca
-    @name = Puppet[:certname]
-    @host = Puppet::SSL::Host.new(Puppet::SSL::Host.ca_name)
-    setup
-  end
-  # Retrieve (or create, if necessary) our inventory manager.
-  def inventory
-    @inventory ||= Puppet::SSL::Inventory.new
-  end
-  # Generate a new password for the CA.
-  def generate_password
-    pass = ""
-    20.times { pass += (rand(74) + 48).chr }
-    begin
-      # random password is limited to ASCII characters 48 ('0') through 122 ('z')
-      Puppet.settings.setting(:capass).open('w:ASCII') { |f| f.print pass }
-    rescue Errno::EACCES => detail
-      raise Puppet::Error, _("Could not write CA password: %{detail}") % { detail: detail }, detail.backtrace
-    end
-    @password = pass
-    pass
-  end
-  # Lists the names of all signed certificates.
-  #
-  # @param name [Array<string>] filter to cerificate names
-  #
-  # @return [Array<String>]
-  def list(name='*')
-    Puppet::SSL::Certificate.indirection.search(name).collect { |c| c.name }
-  end
-  # Read the next serial from the serial file, and increment the
-  # file so this one is considered used.
-  def next_serial
-    serial = 1
-    # the serial is 4 hex digits - limited to ASCII
-    Puppet.settings.setting(:serial).exclusive_open('a+:ASCII') do |f|
-      f.rewind
-      serial = f.read.chomp.hex
-      if serial == 0
-        serial = 1
-      end
-      f.truncate(0)
-      f.rewind
-      # We store the next valid serial, not the one we just used.
-      f << "%04X" % (serial + 1)
-    end
-    serial
-  end
-  # Does the password file exist?
-  def password?
-    Puppet::FileSystem.exist?(Puppet[:capass])
-  end
-  # Print a given host's certificate as text.
-  def print(name)
-    (cert = Puppet::SSL::Certificate.indirection.find(name)) ? cert.to_text : nil
-  end
-  # Revoke a given certificate.
-  def revoke(name)
-    raise ArgumentError, _("Cannot revoke certificates when the CRL is disabled") unless crl
-    cert = Puppet::SSL::Certificate.indirection.find(name)
-    serials = if cert
-                [cert.content.serial]
-              elsif name =~ /^0x[0-9A-Fa-f]+$/
-                [name.hex]
-              else
-                inventory.serials(name)
-              end
-    if serials.empty?
-      raise ArgumentError, _("Could not find a serial number for %{name}") % { name: name }
-    end
-    serials.each do |s|
-      crl.revoke(s, host.key.content)
-    end
-  end
-  # This initializes our CA so it actually works.  This should be a private
-  # method, except that you can't any-instance stub private methods, which is
-  # *awesome*.  This method only really exists to provide a stub-point during
-  # testing.
-  def setup
-    generate_ca_certificate unless @host.certificate
-  end
-  # Sign a given certificate request.
-  def sign(hostname, options={})
-    options[:allow_authorization_extensions] ||= false
-    options[:allow_dns_alt_names] ||= false
-    options[:self_signing_csr] ||= nil
-    self_signing_csr = options.delete(:self_signing_csr)
-    if self_signing_csr
-      # # This is a self-signed certificate, which is for the CA.  Since this
-      # # forces the certificate to be self-signed, anyone who manages to trick
-      # # the system into going through this path gets a certificate they could
-      # # generate anyway.  There should be no security risk from that.
-      csr = self_signing_csr
-      cert_type = :ca
-      issuer = csr.content
-    else
-      unless csr = Puppet::SSL::CertificateRequest.indirection.find(hostname)
-        raise ArgumentError, _("Could not find certificate request for %{hostname}") % { hostname: hostname }
-      end
-      cert_type = :server
-      issuer = host.certificate.content
-      # Make sure that the CSR conforms to our internal signing policies.
-      # This will raise if the CSR doesn't conform, but just in case...
-      check_internal_signing_policies(hostname, csr, options) or
-        raise CertificateSigningError.new(hostname), _("CSR had an unknown failure checking internal signing policies, will not sign!")
-    end
-    cert = Puppet::SSL::Certificate.new(hostname)
-    cert.content = Puppet::SSL::CertificateFactory.
-      build(cert_type, csr, issuer, next_serial)
-    signer = Puppet::SSL::CertificateSigner.new
-    signer.sign(cert.content, host.key.content)
-    Puppet.notice _("Signed certificate request for %{hostname}") % { hostname: hostname }
-    # Add the cert to the inventory before we save it, since
-    # otherwise we could end up with it being duplicated, if
-    # this is the first time we build the inventory file.
-    inventory.add(cert)
-    # Save the now-signed cert.  This should get routed correctly depending
-    # on the certificate type.
-    Puppet::SSL::Certificate.indirection.save(cert)
-    # And remove the CSR if this wasn't self signed.
-    Puppet::SSL::CertificateRequest.indirection.destroy(csr.name) unless self_signing_csr
-    cert
-  end
-  def check_internal_signing_policies(hostname, csr, options = {})
-    options[:allow_authorization_extensions] ||= false
-    options[:allow_dns_alt_names] ||= false
-    # This allows for masters to bootstrap themselves in certain scenarios
-    options[:allow_dns_alt_names] = true if hostname == Puppet[:certname].downcase
-    # Reject unknown request extensions.
-    unknown_req = csr.request_extensions.reject do |x|
-      RequestExtensionWhitelist.include? x["oid"] or
-        Puppet::SSL::Oids.subtree_of?('ppRegCertExt', x["oid"], true) or
-        Puppet::SSL::Oids.subtree_of?('ppPrivCertExt', x["oid"], true) or
-        Puppet::SSL::Oids.subtree_of?('ppAuthCertExt', x["oid"], true)
-    end
-    if unknown_req and not unknown_req.empty?
-      names = unknown_req.map {|x| x["oid"] }.sort.uniq.join(", ")
-      raise CertificateSigningError.new(hostname), _("CSR has request extensions that are not permitted: %{names}") % { names: names }
-    end
-    # Do not sign misleading CSRs
-    cn = csr.content.subject.to_a.assoc("CN")[1]
-    if hostname != cn
-      raise CertificateSigningError.new(hostname), _("CSR subject common name %{name} does not match expected certname %{expected}") % { name: cn.inspect, expected: hostname.inspect }
-    end
-    if hostname !~ Puppet::SSL::Base::VALID_CERTNAME
-      raise CertificateSigningError.new(hostname), _("CSR %{hostname} subject contains unprintable or non-ASCII characters") % { hostname: hostname.inspect }
-    end
-    # Wildcards: we don't allow 'em at any point.
-    #
-    # The stringification here makes the content visible, and saves us having
-    # to scrobble through the content of the CSR subject field to make sure it
-    # is what we expect where we expect it.
-    if csr.content.subject.to_s.include? '*'
-      raise CertificateSigningError.new(hostname), _("CSR subject contains a wildcard, which is not allowed: %{subject}") % { subject: csr.content.subject.to_s }
-    end
-    unless csr.content.verify(csr.content.public_key)
-      raise CertificateSigningError.new(hostname), _("CSR contains a public key that does not correspond to the signing key")
-    end
-    auth_extensions = csr.request_extensions.select do |extension|
-      Puppet::SSL::Oids.subtree_of?('ppAuthCertExt', extension['oid'], true)
-    end
-    if auth_extensions.any? && !options[:allow_authorization_extensions]
-      ext_names = auth_extensions.map do |extension|
-        extension['oid']
-      end
-      raise CertificateSigningError.new(hostname), _("CSR '%{csr}' contains authorization extensions (%{extensions}), which are disallowed by default. Use `puppet cert --allow-authorization-extensions sign %{csr}` to sign this request.") % { csr: csr.name, extensions: ext_names.join(', ') }
-    end
-    unless csr.subject_alt_names.empty?
-      # If you alt names are allowed, they are required. Otherwise they are
-      # disallowed. Self-signed certs are implicitly trusted, however.
-      unless options[:allow_dns_alt_names]
-        raise CertificateSigningError.new(hostname), _("CSR '%{csr}' contains subject alternative names (%{alt_names}), which are disallowed. Use `puppet cert --allow-dns-alt-names sign %{csr}` to sign this request.") % { csr: csr.name, alt_names: csr.subject_alt_names.join(', ') }
-      end
-      # If subjectAltNames are present, validate that they are only for DNS
-      # labels, not any other kind.
-      unless csr.subject_alt_names.all? {|x| x =~ /^DNS:/ }
-        raise CertificateSigningError.new(hostname), _("CSR '%{csr}' contains a subjectAltName outside the DNS label space: %{alt_names}.  To continue, this CSR needs to be cleaned.") % { csr: csr.name, alt_names: csr.subject_alt_names.join(', ') }
-      end
-      # Check for wildcards in the subjectAltName fields too.
-      if csr.subject_alt_names.any? {|x| x.include? '*' }
-        raise CertificateSigningError.new(hostname), _("CSR '%{csr}' subjectAltName contains a wildcard, which is not allowed: %{alt_names}.  To continue, this CSR needs to be cleaned.") % { csr: csr.name, alt_names: csr.subject_alt_names.join(', ') }
-      end
-    end
-    return true                 # good enough for us!
-  end
-  # Creates a brand new OpenSSL::X509::Store with the appropriate
-  # Certificate Revocation List and flags
-  #
-  # @return [OpenSSL::X509::Store]
-  def create_x509_store(purpose)
-    store = OpenSSL::X509::Store.new
-    store.add_file(Puppet[:cacert])
-    store.add_crl(crl.content) if self.crl
-    store.purpose = purpose
-    if Puppet.settings[:certificate_revocation]
-      store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL | OpenSSL::X509::V_FLAG_CRL_CHECK
-    end
-    store
-  end
-  private :create_x509_store
-  # Verify a given host's certificate. The certname is passed in, and
-  # the indirector will be used to locate the actual contents of the
-  # certificate with that name.
-  #
-  # @param name [String] certificate name to verify
-  # @param purpose [Integer] bitwise combination of X509::PURPOSE_*
-  #
-  # @raise [ArgumentError] if the certificate name cannot be found
-  #   (i.e. doesn't exist or is unsigned)
-  # @raise [CertificateVerficationError] if the certificate has been revoked
-  #
-  # @return [Boolean] true if signed, there are no cases where false is returned
-  def verify(name, purpose = OpenSSL::X509::PURPOSE_ANY)
-    unless cert = Puppet::SSL::Certificate.indirection.find(name)
-      raise ArgumentError, _("Could not find a certificate for %{name}") % { name: name }
-    end
-    store = create_x509_store(purpose)
-    raise CertificateVerificationError.new(store.error), store.error_string unless store.verify(cert.content)
-  end
-  def fingerprint(name, md = :SHA256)
-    unless cert = Puppet::SSL::Certificate.indirection.find(name) || Puppet::SSL::CertificateRequest.indirection.find(name)
-      raise ArgumentError, _("Could not find a certificate or csr for %{name}") % { name: name }
-    end
-    cert.fingerprint(md)
-  end
-  # List the waiting certificate requests.
-  def waiting?
-    Puppet::SSL::CertificateRequest.indirection.search("*").collect { |r| r.name }
-  end
-  # @api private
-  class AutosignAlways
-    def allowed?(csr)
-      true
-    end
-  end
-  # @api private
-  class AutosignNever
-    def allowed?(csr)
-      false
-    end
-  end
-  # @api private
-  class AutosignConfig
-    def initialize(config_file)
-      @config = config_file
-    end
-    def allowed?(csr)
-      autosign_store.allowed?(csr.name, '127.1.1.1')
-    end
-    private
-    def autosign_store
-      auth = Puppet::Network::AuthStore.new
-      Puppet::FileSystem.each_line(@config) do |line|
-        next if line =~ /^\s*#/
-        next if line =~ /^\s*$/
-        auth.allow(line.chomp)
-      end
-      auth
-    end
-  end
-end