bolt 0.23.0 → 0.24.0

data/vendored/puppet/lib/puppet/ssl/certificate_authority/autosign_command.rb

@@ -1,45 +0,0 @@
-require 'puppet/ssl/certificate_authority'
-require 'puppet/file_system/uniquefile'
-
-# This class wraps a given command and invokes it with a CSR name and body to
-# determine if the given CSR should be autosigned
-#
-# @api private
-class Puppet::SSL::CertificateAuthority::AutosignCommand
-
-  class CheckFailure < Puppet::Error; end
-
-  def initialize(path)
-    @path = path
-  end
-
-  # Run the autosign command with the given CSR name as an argument and the
-  # CSR body on stdin.
-  #
-  # @param csr [String] The CSR name to check for autosigning
-  # @return [true, false] If the CSR should be autosigned
-  def allowed?(csr)
-    name = csr.name
-    cmd = [@path, name]
-
-    output = Puppet::FileSystem::Uniquefile.open_tmp('puppet-csr') do |csr_file|
-      csr_file.write(csr.to_s)
-      csr_file.flush
-
-      execute_options = {:stdinfile => csr_file.path, :combine => true, :failonfail => false}
-      Puppet::Util::Execution.execute(cmd, execute_options)
-    end
-
-    output.chomp!
-
-    Puppet.debug "Autosign command '#{@path}' exit status: #{output.exitstatus}"
-    Puppet.debug "Autosign command '#{@path}' output: #{output}"
-
-    case output.exitstatus
-    when 0
-      true
-    else
-      false
-    end
-  end
-end

data/vendored/puppet/lib/puppet/ssl/certificate_authority/interface.rb

@@ -1,324 +0,0 @@
-module Puppet
-  module SSL
-    class CertificateAuthority
-      # This class is basically a hidden class that knows how to act on the
-      # CA.  Its job is to provide a CLI-like interface to the CA class.
-      class Interface
-        INTERFACE_METHODS = [:destroy, :list, :revoke, :generate, :sign, :print, :verify, :fingerprint, :reinventory]
-        DESTRUCTIVE_METHODS = [:destroy, :revoke]
-        SUBJECTLESS_METHODS = [:list, :reinventory]
-
-        CERT_STATUS_GLYPHS = {:signed => '+', :request => ' ', :invalid => '-'}
-        VALID_CONFIRMATION_VALUES = %w{y Y yes Yes YES}
-
-        class InterfaceError < ArgumentError; end
-
-        attr_reader :method, :subjects, :digest, :options
-
-        # Actually perform the work.
-        def apply(ca)
-          unless subjects || SUBJECTLESS_METHODS.include?(method)
-            raise ArgumentError, _("You must provide hosts or --all when using %{method}") % { method: method }
-          end
-
-          destructive_subjects = [:signed, :all].include?(subjects)
-          if DESTRUCTIVE_METHODS.include?(method) && destructive_subjects
-            subject_text = (subjects == :all ? subjects : _("all signed"))
-            raise ArgumentError, _("Refusing to %{method} %{subject_text} certs, provide an explicit list of certs to %{method}") % { method: method, subject_text: subject_text }
-          end
-
-          # if the interface implements the method, use it instead of the ca's method
-          if respond_to?(method)
-            send(method, ca)
-          else
-            (subjects == :all ? ca.list : subjects).each do |host|
-              ca.send(method, host)
-            end
-          end
-        end
-
-        def generate(ca)
-          raise InterfaceError, _("It makes no sense to generate all hosts; you must specify a list") if subjects == :all
-
-          subjects.each do |host|
-            ca.generate(host, options)
-          end
-        end
-
-        def initialize(method, options)
-          self.method = method
-          self.subjects = options.delete(:to)
-          @digest = options.delete(:digest)
-          @options = options
-        end
-
-        # List the hosts.
-        def list(ca)
-          signed = ca.list if [:signed, :all].include?(subjects)
-          requests = ca.waiting?
-
-          case subjects
-          when :all
-            hosts = [signed, requests].flatten
-          when :signed
-            hosts = signed.flatten
-          when nil
-            hosts = requests
-          else
-            hosts = subjects
-            signed = ca.list(hosts)
-          end
-
-          certs = {:signed => {}, :invalid => {}, :request => {}}
-
-          return if hosts.empty?
-
-          hosts.uniq.sort.each do |host|
-            verify_error = nil
-
-            begin
-              ca.verify(host) unless requests.include?(host)
-            rescue Puppet::SSL::CertificateAuthority::CertificateVerificationError => details
-              verify_error = "(#{details.to_s})"
-            end
-
-            if verify_error
-              type = :invalid
-              cert = Puppet::SSL::Certificate.indirection.find(host)
-            elsif (signed and signed.include?(host))
-              type = :signed
-              cert = Puppet::SSL::Certificate.indirection.find(host)
-            else
-              type = :request
-              cert = Puppet::SSL::CertificateRequest.indirection.find(host)
-            end
-
-            certs[type][host] = {
-              :cert         => cert,
-              :type         => type,
-              :verify_error => verify_error,
-            }
-          end
-
-          names = certs.values.map(&:keys).flatten
-
-          name_width = names.sort_by(&:length).last.length rescue 0
-          # We quote these names, so account for those characters
-          name_width += 2
-
-          output = [:request, :signed, :invalid].map do |type|
-            next if certs[type].empty?
-
-            certs[type].map do |host, info|
-              format_host(host, info, name_width, options[:format])
-            end
-          end.flatten.compact.sort.join("\n")
-
-          puts output
-        end
-
-        def format_host(host, info, width, format)
-          case format
-          when :machine
-            machine_host_formatting(host, info)
-          when :human
-            human_host_formatting(host, info)
-          else
-            if options[:verbose]
-              machine_host_formatting(host, info)
-            else
-              legacy_host_formatting(host, info, width)
-            end
-          end
-        end
-
-        def machine_host_formatting(host, info)
-          type         = info[:type]
-          verify_error = info[:verify_error]
-          cert         = info[:cert]
-          alt_names    = cert.subject_alt_names - [host]
-          extensions   = format_attrs_and_exts(cert)
-
-          glyph       = CERT_STATUS_GLYPHS[type]
-          name        = host.inspect
-          fingerprint = cert.digest(@digest).to_s
-
-          expiration  = cert.expiration.iso8601 if type == :signed
-
-          if type != :invalid
-            if !alt_names.empty?
-              extensions.unshift("alt names: #{alt_names.map(&:inspect).join(', ')}")
-            end
-
-            if !extensions.empty?
-              metadata_string = "(#{extensions.join(', ')})" unless extensions.empty?
-            end
-          end
-
-          [glyph, name, fingerprint, expiration, metadata_string, verify_error].compact.join(' ')
-        end
-
-        def human_host_formatting(host, info)
-          type         = info[:type]
-          verify_error = info[:verify_error]
-          cert         = info[:cert]
-          alt_names    = cert.subject_alt_names - [host]
-          extensions   = format_attrs_and_exts(cert)
-
-          glyph       = CERT_STATUS_GLYPHS[type]
-          fingerprint = cert.digest(@digest).to_s
-
-          if type == :invalid || (extensions.empty? && alt_names.empty?)
-            extension_string = ''
-          else
-            if !alt_names.empty?
-              extensions.unshift("alt names: #{alt_names.map(&:inspect).join(', ')}")
-            end
-
-            extension_string = "\n    Extensions:\n      "
-            extension_string << extensions.join("\n      ")
-          end
-
-          if type == :signed
-            expiration_string = "\n    Expiration: #{cert.expiration.iso8601}"
-          else
-            expiration_string = ''
-          end
-
-          status = case type
-                   when :invalid then "Invalid - #{verify_error}"
-                   when :request then "Request Pending"
-                   when :signed then "Signed"
-                   end
-
-          output = "#{glyph} #{host.inspect}"
-          output << "\n  #{fingerprint}"
-          output << "\n    Status: #{status}"
-          output << expiration_string
-          output << extension_string
-          output << "\n"
-
-          output
-        end
-
-        def legacy_host_formatting(host, info, width)
-          type         = info[:type]
-          verify_error = info[:verify_error]
-          cert         = info[:cert]
-          alt_names    = cert.subject_alt_names - [host]
-          extensions   = format_attrs_and_exts(cert)
-
-          glyph       = CERT_STATUS_GLYPHS[type]
-          name        = host.inspect.ljust(width)
-          fingerprint = cert.digest(@digest).to_s
-
-          if type != :invalid
-            if alt_names.empty?
-              alt_name_string = nil
-            else
-              alt_name_string = "(alt names: #{alt_names.map(&:inspect).join(', ')})"
-            end
-
-            if extensions.empty?
-              extension_string = nil
-            else
-              extension_string = "**"
-            end
-          end
-
-          [glyph, name, fingerprint, alt_name_string, verify_error, extension_string].compact.join(' ')
-        end
-
-        def format_attrs_and_exts(cert)
-          exts = []
-          exts += cert.custom_extensions if cert.respond_to?(:custom_extensions)
-          exts += cert.custom_attributes if cert.respond_to?(:custom_attributes)
-          exts += cert.request_extensions if cert.respond_to?(:request_extensions)
-
-          exts.map {|e| "#{e['oid']}: #{e['value'].inspect}" }.sort
-        end
-
-        # Set the method to apply.
-        def method=(method)
-          raise ArgumentError, "Invalid method #{method} to apply" unless INTERFACE_METHODS.include?(method)
-          @method = method
-        end
-
-        # Print certificate information.
-        def print(ca)
-          (subjects == :all ? ca.list  : subjects).each do |host|
-            if value = ca.print(host)
-              puts value
-            else
-              raise ArgumentError, _("Could not find certificate for %{host}") % { host: host }
-            end
-          end
-        end
-
-        # Print certificate information.
-        def fingerprint(ca)
-          (subjects == :all ? ca.list + ca.waiting?: subjects).each do |host|
-            if cert = (Puppet::SSL::Certificate.indirection.find(host) || Puppet::SSL::CertificateRequest.indirection.find(host))
-              puts "#{host} #{cert.digest(@digest)}"
-            else
-	      raise ArgumentError, _("Could not find certificate for %{host}") % { host: host }
-            end
-          end
-        end
-
-        # Signs given certificates or all waiting if subjects == :all
-        def sign(ca)
-          list = subjects == :all ? ca.waiting? : subjects
-          raise InterfaceError, _("No waiting certificate requests to sign") if list.empty?
-
-          signing_options = options.select { |k,_|
-            [:allow_authorization_extensions, :allow_dns_alt_names].include?(k)
-          }
-
-          list.each do |host|
-            cert = Puppet::SSL::CertificateRequest.indirection.find(host)
-
-            raise InterfaceError, _("Could not find CSR for: %{host}.") % { host: host.inspect } unless cert
-
-            # ca.sign will also do this - and it should if it is called
-            # elsewhere - but we want to reject an attempt to sign a
-            # problematic csr as early as possible for usability concerns.
-            ca.check_internal_signing_policies(host, cert, signing_options)
-
-            name_width = host.inspect.length
-            info = {:type => :request, :cert => cert}
-            host_string = format_host(host, info, name_width, options[:format])
-            puts _("Signing Certificate Request for:\n%{host_string}") % { host_string: host_string }
-
-            if options[:interactive]
-              STDOUT.print _("Sign Certificate Request? [y/N] ")
-
-              if !options[:yes]
-                input = STDIN.gets.chomp
-                raise InterfaceError, _("NOT Signing Certificate Request") unless VALID_CONFIRMATION_VALUES.include?(input)
-              else
-                puts _("Assuming YES from `-y' or `--assume-yes' flag")
-              end
-            end
-
-            ca.sign(host, signing_options)
-          end
-        end
-
-        def reinventory(ca)
-          ca.inventory.rebuild
-        end
-
-        # Set the list of hosts we're operating on.  Also supports keywords.
-        def subjects=(value)
-          unless value == :all || value == :signed || value.is_a?(Array)
-            raise ArgumentError, _("Subjects must be an array or :all; not %{value}") % { value: value }
-          end
-
-          @subjects = (value == []) ? nil : value
-        end
-      end
-    end
-  end
-end
-

data/vendored/puppet/lib/puppet/ssl/certificate_factory.rb

@@ -1,219 +0,0 @@
-require 'puppet/ssl'
-
-# This class encapsulates the logic of creating and adding extensions to X509
-# certificates.
-#
-# @api private
-module Puppet::SSL::CertificateFactory
-
-  # Create a new X509 certificate and add any needed extensions to the cert.
-  #
-  # @param cert_type [Symbol] The certificate type to create, which specifies
-  #   what extensions are added to the certificate.
-  #   One of (:ca, :terminalsubca, :server, :ocsp, :client)
-  # @param csr [Puppet::SSL::CertificateRequest] The signing request associated with
-  #   the certificate being created.
-  # @param issuer [OpenSSL::X509::Certificate, OpenSSL::X509::Request] An X509 CSR
-  #   if this is a self signed certificate, or the X509 certificate of the CA if
-  #   this is a CA signed certificate.
-  # @param serial [Integer] The serial number for the given certificate, which
-  #   MUST be unique for the given CA.
-  # @param ttl [String] The duration of the validity for the given certificate.
-  #   defaults to Puppet[:ca_ttl]
-  #
-  # @api public
-  #
-  # @return [OpenSSL::X509::Certificate]
-  def self.build(cert_type, csr, issuer, serial, ttl = nil)
-    # Work out if we can even build the requested type of certificate.
-    build_extensions = "build_#{cert_type.to_s}_extensions"
-    respond_to?(build_extensions) or
-      raise ArgumentError, _("%{cert_type} is an invalid certificate type!") % { cert_type: cert_type.to_s }
-
-    raise ArgumentError, _("Certificate TTL must be an integer") unless ttl.nil? || ttl.is_a?(Integer)
-
-    # set up the certificate, and start building the content.
-    cert = OpenSSL::X509::Certificate.new
-
-    cert.version    = 2 # X509v3
-    cert.subject    = csr.content.subject
-    cert.issuer     = issuer.subject
-    cert.public_key = csr.content.public_key
-    cert.serial     = serial
-
-    # Make the certificate valid as of yesterday, because so many people's
-    # clocks are out of sync.  This gives one more day of validity than people
-    # might expect, but is better than making every person who has a messed up
-    # clock fail, and better than having every cert we generate expire a day
-    # before the user expected it to when they asked for "one year".
-    cert.not_before = Time.now - (60*60*24)
-    cert.not_after  = Time.now + (ttl || Puppet[:ca_ttl])
-
-    add_extensions_to(cert, csr, issuer, send(build_extensions))
-
-    return cert
-  end
-
-  # Add X509v3 extensions to the given certificate.
-  #
-  # @param cert [OpenSSL::X509::Certificate] The certificate to add the
-  #   extensions to.
-  # @param csr [OpenSSL::X509::Request] The CSR associated with the given
-  #   certificate, which may specify requested extensions for the given cert.
-  #   See https://tools.ietf.org/html/rfc2985 Section 5.4.2 Extension request
-  # @param issuer [OpenSSL::X509::Certificate, OpenSSL::X509::Request] An X509 CSR
-  #   if this is a self signed certificate, or the X509 certificate of the CA if
-  #   this is a CA signed certificate.
-  # @param extensions [Hash<String, Array<String> | String>] The extensions to
-  #   add to the certificate, based on the certificate type being created (CA,
-  #   server, client, etc)
-  #
-  # @api private
-  #
-  # @return [void]
-  def self.add_extensions_to(cert, csr, issuer, extensions)
-    ef = OpenSSL::X509::ExtensionFactory.new
-    ef.subject_certificate = cert
-    ef.issuer_certificate  = issuer.is_a?(OpenSSL::X509::Request) ? cert : issuer
-
-    # Extract the requested extensions from the CSR.
-    requested_exts = csr.request_extensions.inject({}) do |hash, re|
-      hash[re["oid"]] = [re["value"], re["critical"]]
-      hash
-    end
-
-    # Produce our final set of extensions.  We deliberately order these to
-    # build the way we want:
-    # 1. "safe" default values, like the comment, that no one cares about.
-    # 2. request extensions, from the CSR
-    # 3. extensions based on the type we are generating
-    # 4. overrides, which we always want to have in their form
-    #
-    # This ordering *is* security-critical, but we want to allow the user
-    # enough rope to shoot themselves in the foot, if they want to ignore our
-    # advice and externally approve a CSR that sets the basicConstraints.
-    #
-    # Swapping the order of 2 and 3 would ensure that you couldn't slip a
-    # certificate through where the CA constraint was true, though, if
-    # something went wrong up there. --daniel 2011-10-11
-    defaults = { "nsComment" => "Puppet Ruby/OpenSSL Internal Certificate" }
-
-    # See https://www.openssl.org/docs/apps/x509v3_config.html
-    # for information about the special meanings of 'hash', 'keyid', 'issuer'
-    override = {
-      "subjectKeyIdentifier"   => "hash",
-      "authorityKeyIdentifier" => "keyid,issuer"
-    }
-
-    exts = [defaults, requested_exts, extensions, override].
-      inject({}) {|ret, val| ret.merge(val) }
-
-    cert.extensions = exts.map do |oid, val|
-      generate_extension(ef, oid, *val)
-    end
-  end
-  private_class_method :add_extensions_to
-
-  # Woot! We're a CA.
-  def self.build_ca_extensions
-    {
-      # This was accidentally omitted in the previous version of this code: an
-      # effort was made to add it last, but that actually managed to avoid
-      # adding it to the certificate at all.
-      #
-      # We have some sort of bug, which means that when we add it we get a
-      # complaint that the issuer keyid can't be fetched, which breaks all
-      # sorts of things in our test suite and, e.g., bootstrapping the CA.
-      #
-      # https://tools.ietf.org/html/rfc5280#section-4.2.1.1 says that, to be a
-      # conforming CA we MAY omit the field if we are self-signed, which I
-      # think gives us a pass in the specific case.
-      #
-      # It also notes that we MAY derive the ID from the subject and serial
-      # number of the issuer, or from the key ID, and we definitely have the
-      # former data, should we want to restore this...
-      #
-      # Anyway, preserving this bug means we don't risk breaking anything in
-      # the field, even though it would be nice to have. --daniel 2011-10-11
-      #
-      # "authorityKeyIdentifier" => "keyid:always,issuer:always",
-      "keyUsage"               => [%w{cRLSign keyCertSign}, true],
-      "basicConstraints"       => ["CA:TRUE", true],
-    }
-  end
-
-  # We're a terminal CA, probably not self-signed.
-  def self.build_terminalsubca_extensions
-    {
-      "keyUsage"         => [%w{cRLSign keyCertSign}, true],
-      "basicConstraints" => ["CA:TRUE,pathlen:0", true],
-    }
-  end
-
-  # We're a normal server.
-  def self.build_server_extensions
-    {
-      "keyUsage"         => [%w{digitalSignature keyEncipherment}, true],
-      "extendedKeyUsage" => [%w{serverAuth clientAuth}, true],
-      "basicConstraints" => ["CA:FALSE", true],
-    }
-  end
-
-  # Um, no idea.
-  def self.build_ocsp_extensions
-    {
-      "keyUsage"         => [%w{nonRepudiation digitalSignature}, true],
-      "extendedKeyUsage" => [%w{serverAuth OCSPSigning}, true],
-      "basicConstraints" => ["CA:FALSE", true],
-    }
-  end
-
-  # Normal client.
-  def self.build_client_extensions
-    {
-      "keyUsage"         => [%w{nonRepudiation digitalSignature keyEncipherment}, true],
-      # We don't seem to use this, but that seems much more reasonable here...
-      "extendedKeyUsage" => [%w{clientAuth emailProtection}, true],
-      "basicConstraints" => ["CA:FALSE", true],
-      "nsCertType"       => "client,email",
-    }
-  end
-
-  # Generate an extension with the given OID, value, and critical state
-  #
-  # @param oid [String] The numeric value or short name of a given OID. X509v3
-  #   extensions must be passed by short name or long name, while custom
-  #   extensions may be passed by short name, long name, oid numeric OID.
-  # @param ef [OpenSSL::X509::ExtensionFactory] The extension factory to use
-  #   when generating the extension.
-  # @param val [String, Array<String>] The extension value.
-  # @param crit [true, false] Whether the given extension is critical, defaults
-  #   to false.
-  #
-  # @return [OpenSSL::X509::Extension]
-  #
-  # @api private
-  def self.generate_extension(ef, oid, val, crit = false)
-
-    val = val.join(', ') unless val.is_a? String
-
-    # Enforce the X509v3 rules about subjectAltName being critical:
-    # specifically, it SHOULD NOT be critical if we have a subject, which we
-    # always do. --daniel 2011-10-18
-    crit = false if oid == "subjectAltName"
-
-    if Puppet::SSL::Oids.subtree_of?('id-ce', oid) or Puppet::SSL::Oids.subtree_of?('id-pkix', oid)
-      # Attempt to create a X509v3 certificate extension. Standard certificate
-      # extensions may need access to the associated subject certificate and
-      # issuing certificate, so must be created by the OpenSSL::X509::ExtensionFactory
-      # which provides that context.
-      ef.create_ext(oid, val, crit)
-    else
-      # This is not an X509v3 extension which means that the extension
-      # factory cannot generate it. We need to generate the extension
-      # manually.
-      OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(val).to_der, crit)
-    end
-  end
-  private_class_method :generate_extension
-end