bolt 0.23.0 → 0.24.0

data/vendored/puppet/lib/puppet/application/cert.rb

@@ -1,341 +1,76 @@
 require 'puppet/application'
-require 'puppet/ssl/certificate_authority/interface'
 
 class Puppet::Application::Cert < Puppet::Application
 
-  run_mode :master
-
-  attr_accessor :all, :ca, :digest, :signed
-
-  def subcommand
-    @subcommand
-  end
-
-  def subcommand=(name)
-    # Handle the nasty, legacy mapping of "clean" to "destroy".
-    sub = name.to_sym
-    @subcommand = (sub == :clean ? :destroy : sub)
-  end
-
-  option("--clean", "-c") do |arg|
-    self.subcommand = "destroy"
-  end
-
-  option("--all", "-a") do |arg|
-    @all = true
-  end
-
-  option("--digest DIGEST") do |arg|
-    @digest = arg
-  end
-
-  option("--signed", "-s") do |arg|
-    @signed = true
-  end
-
-  option("--debug", "-d") do |arg|
-    options[:debug] = true
-    set_log_level
-  end
-
-  option("--list", "-l") do |arg|
-    self.subcommand = :list
-  end
-
-  option("--revoke", "-r") do |arg|
-    self.subcommand = :revoke
-  end
-
-  option("--generate", "-g") do |arg|
-    self.subcommand = :generate
-  end
-
-  option("--sign", "-s") do |arg|
-    self.subcommand = :sign
-  end
-
-  option("--print", "-p") do |arg|
-    self.subcommand = :print
-  end
-
-  option("--verify", "-v") do |arg|
-    self.subcommand = :verify
-  end
-
-  option("--fingerprint", "-f") do |arg|
-    self.subcommand = :fingerprint
-  end
-
-  option("--reinventory") do |arg|
-    self.subcommand = :reinventory
-  end
-
-  option("--[no-]allow-dns-alt-names") do |value|
-    options[:allow_dns_alt_names] = value
-  end
-
-  option("--[no-]allow-authorization-extensions") do |value|
-    options[:allow_authorization_extensions] = value
-  end
-
-  option("--verbose", "-v") do |arg|
-    options[:verbose] = true
-    set_log_level
-  end
-
-  option("--human-readable", "-H") do |arg|
-    options[:format] = :human
-  end
-
-  option("--machine-readable", "-m") do |arg|
-    options[:format] = :machine
-  end
-
-  option("--interactive", "-i") do |arg|
-    options[:interactive] = true
-  end
-
-  option("--assume-yes", "-y") do |arg|
-    options[:yes] = true
-  end
-
   def summary
-    _("Manage certificates and requests (Deprecated)")
+    _("Manage certificates and requests (Disabled)")
   end
 
   def help
-    <<-HELP
+     <<-HELP
+This command is no longer functional, please use `puppetserver ca` instead.
 
 puppet-cert(8) -- #{summary}
 ========
 
-SYNOPSIS
---------
-Standalone certificate authority. Capable of generating certificates,
-but mostly used for signing certificate requests from puppet clients.
-
-
-USAGE
------
-puppet cert <action> [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
-  [--digest <digest>] [<host>]
-
-
-DESCRIPTION
------------
-Because the puppet master service defaults to not signing client
-certificate requests, this script is available for signing outstanding
-requests. It can be used to list outstanding requests and then either
-sign them individually or sign all of them.
-
 ACTIONS
 -------
-
 Every action except 'list' and 'generate' requires a hostname to act on,
 unless the '--all' option is set.
 
-The most important actions for day-to-day use are 'list' and 'sign'.
-
 * clean:
-  Revoke a host's certificate (if applicable) and remove all files
-  related to that host from puppet cert's storage. This is useful when
-  rebuilding hosts, since new certificate signing requests will only be
-  honored if puppet cert does not have a copy of a signed certificate
-  for that host. If '--all' is specified then all host certificates,
-  both signed and unsigned, will be removed.
+  Use `puppetserver ca clean --certname NAME[,NAME...]`
 
 * fingerprint:
-  Print the DIGEST (defaults to the signing algorithm) fingerprint of a
-  host's certificate.
+  Use openssl directly:
+  `openssl x509 -noout -fingerprint -<digest> -inform pem -in certificate.crt`
 
 * generate:
-  Generate a certificate for a named client. A certificate/keypair will
-  be generated for each client named on the command line.
+  Use `puppetserver ca generate --certname NAME[,NAME...]`
 
 * list:
-  List outstanding certificate requests. If '--all' is specified, signed
-  certificates are also listed, prefixed by '+', and revoked or invalid
-  certificates are prefixed by '-' (the verification outcome is printed
-  in parenthesis). If '--human-readable' or '-H' is specified,
-  certificates are formatted in a way to improve human scan-ability. If
-  '--machine-readable' or '-m' is specified, output is formatted concisely
-  for consumption by a script.
+  Use `puppetserver ca list [--all]`
 
 * print:
-  Print the full-text version of a host's certificate.
+  Use openssl directly:
+  `openssl x509 -noout -text -in certificate.pem`
 
 * revoke:
-  Revoke the certificate of a client. The certificate can be specified either
-  by its serial number (given as a hexadecimal number prefixed by '0x') or by its
-  hostname. The certificate is revoked by adding it to the Certificate Revocation
-  List given by the 'cacrl' configuration option. Note that the puppet master
-  needs to be restarted after revoking certificates.
+  Use `puppetserver ca revoke --cerntname NAME[,NAME...]`
 
 * sign:
-  Sign an outstanding certificate request. If '--interactive' or '-i' is
-  supplied the user will be prompted to confirm that they are signing the
-  correct certificate (recommended). If '--assume-yes' or '-y' is supplied
-  the interactive prompt will assume the answer of 'yes'.
+  Use `puppetserver ca sign --cerntname NAME[,NAME...]`
 
 * verify:
-  Verify the named certificate against the local CA certificate.
+  Use `puppet ssl verify [--certname NAME]`
 
 * reinventory:
-  Build an inventory of the issued certificates. This will destroy the current
-  inventory file specified by 'cert_inventory' and recreate it from the
-  certificates found in the 'certdir'. Ensure the puppet master is stopped
-  before running this action.
+  Removed.
 
 OPTIONS
 -------
-Note that any setting that's valid in the configuration
-file is also a valid long argument. For example, 'ssldir' is a valid
-setting, so you can specify '--ssldir <directory>' as an
-argument.
-
-See the configuration file documentation at
-https://puppet.com/docs/puppet/latest/configuration.html for the
-full list of acceptable parameters. A commented list of all
-configuration options can also be generated by running puppet cert with
-'--genconfig'.
-
-* --all:
-  Operate on all items. Currently only makes sense with the 'sign',
-  'list', and 'fingerprint' actions.
+There are a couple important notes about previously-supported options.
 
 * --allow-dns-alt-names:
-  Sign a certificate request even if it contains one or more alternate DNS
-  names. If this option isn't specified, 'puppet cert sign' will ignore any
-  requests that contain alternate names.
-
-  In general, ONLY certs intended for a Puppet master server should include
-  alternate DNS names, since Puppet agent relies on those names for identifying
-  its rightful server.
-
-  You can make Puppet agent request a certificate with alternate names by
-  setting 'dns_alt_names' in puppet.conf or specifying '--dns_alt_names' on the
-  command line. The output of 'puppet cert list' shows any requested alt names
-  for pending certificate requests.
+  In order to sign certificates with subject alternative names using
+  `puppetserver ca sign`, the `allow-subject-alt-names` setting must be
+  set to true in the `certificate-authority` section of Puppet Server's
+  config.
 
 * --allow-authorization-extensions:
-  Enable the signing of a request with authorization extensions. Such requests
-  are sensitive because they can be used to write access rules in Puppet Server.
-  Currently, this is the only means by which such requests can be signed.
-
-* --digest:
-  Set the digest for fingerprinting (defaults to the digest used when
-  signing the cert). Valid values depends on your openssl and openssl ruby
-  extension version.
-
-* --debug:
-  Enable full debugging.
-
-* --help:
-  Print this help message
-
-* --verbose:
-  Enable verbosity.
-
-* --version:
-  Print the puppet version number and exit.
-
-
-EXAMPLE
--------
-    $ puppet cert list
-    culain.madstop.com
-    $ puppet cert sign culain.madstop.com
-
-
-AUTHOR
-------
-Luke Kanies
-
-
-COPYRIGHT
----------
-Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
-
-    HELP
-  end
-
-  def main
-    if @all
-      hosts = :all
-    elsif @signed
-      hosts = :signed
-    else
-      hosts = command_line.args.collect { |h| h.downcase }
-    end
-    begin
-      if subcommand == :destroy
-        raise _("Refusing to destroy all certs, provide an explicit list of certs to destroy") if hosts == :all
-
-        signed_hosts = hosts - @ca.waiting?
-        apply(@ca, :revoke, options.merge(:to => signed_hosts)) unless signed_hosts.empty?
-      end
-      apply(@ca, subcommand, options.merge(:to => hosts, :digest => @digest))
-    rescue => detail
-      Puppet.log_exception(detail)
-      exit(24)
-    end
+  In order to sign certificates with authorization extensions using
+  `puppetserver ca sign`, the `allow-authorization-extensions` setting must be
+  set to true in the `certificate-authority` section of Puppet Server's
+  config.
+HELP
   end
 
   def setup
     deprecate
-
-    require 'puppet/ssl/certificate_authority'
-    exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
-
-    Puppet::SSL::Oids.register_puppet_oids
-    Puppet::SSL::Oids.load_custom_oid_file(Puppet[:trusted_oid_mapping_file])
-
-    Puppet::Util::Log.newdestination :console
-
-    if [:generate, :destroy].include? subcommand
-      Puppet::SSL::Host.ca_location = :local
-    else
-      Puppet::SSL::Host.ca_location = :only
-    end
-
-    # If we are generating, and the option came from the CLI, it gets added to
-    # the data.  This will do the right thing for non-local certificates, in
-    # that the command line but *NOT* the config file option will apply.
-    if subcommand == :generate
-      if Puppet.settings.set_by_cli?(:dns_alt_names)
-        options[:dns_alt_names] = Puppet[:dns_alt_names]
-      end
-    end
-
-    begin
-      @ca = Puppet::SSL::CertificateAuthority.new
-    rescue => detail
-      Puppet.log_exception(detail)
-      exit(23)
-    end
   end
 
   def parse_options
-    # handle the bareword subcommand pattern.
-    result = super
-    unless self.subcommand then
-      if sub = self.command_line.args.shift then
-        self.subcommand = sub
-      else
-        puts help
-        exit
-      end
-    end
-
-    result
+    puts help
+    exit 1
   end
-
-  # Create and run an applicator.  I wanted to build an interface where you could do
-  # something like 'ca.apply(:generate).to(:all) but I don't think it's really possible.
-  def apply(ca, method, options)
-    raise ArgumentError, _("You must specify the hosts to apply to; valid values are an array or the symbol :all") unless options[:to]
-    applier = Puppet::SSL::CertificateAuthority::Interface.new(method, options)
-    applier.apply(ca)
-  end
-
 end

data/vendored/puppet/lib/puppet/application/device.rb

@@ -376,11 +376,6 @@ Licensed under the Apache 2.0 License
 
       Puppet.settings.use :main, :agent, :device, :ssl
 
-      # We need to specify a ca location for all of the SSL-related
-      # indirected classes to work; in fingerprint mode we just need
-      # access to the local files and we don't need a ca.
-      Puppet::SSL::Host.ca_location = :remote
-
       Puppet::Transaction::Report.indirection.terminus_class = :rest
 
       if Puppet[:catalog_cache_terminus]

data/vendored/puppet/lib/puppet/application/lookup.rb

@@ -353,7 +353,7 @@ Copyright (c) 2015 Puppet Inc., LLC Licensed under the Apache 2.0 License
       if fact_file.end_with?("json")
         given_facts = Puppet::Util::Json.load(Puppet::FileSystem.read(fact_file, :encoding => 'utf-8'))
       else
-        given_facts = YAML.load(Puppet::FileSystem.read(fact_file, :encoding => 'utf-8'))
+        given_facts = Puppet::Util::Yaml.safe_load_file(fact_file)
       end
 
       unless given_facts.instance_of?(Hash)

data/vendored/puppet/lib/puppet/application/ssl.rb

@@ -0,0 +1,133 @@
+require 'puppet/application'
+require 'puppet/ssl/oids'
+
+class Puppet::Application::Ssl < Puppet::Application
+  def summary
+    _("Manage SSL keys and certificates for puppet SSL clients")
+  end
+
+  def help
+    <<-HELP
+puppet-ssl(8) -- #{summary}
+========
+
+SYNOPSIS
+--------
+Manage SSL keys and certificates for an SSL clients needed
+to communicate with a puppet infrastructure.
+
+USAGE
+-----
+puppet ssl <action> [--certname <NAME>]
+
+ACTIONS
+-------
+
+* submit_request:
+  Generate a certificate signing request (CSR) and submit it to the CA. If a private and
+  public key pair already exist, they will be used to generate the CSR. Otherwise a new
+  key pair will be generated. If a CSR has already been submitted with the given `certname`,
+  then the operation will fail.
+
+* download_cert:
+  Download a certificate for this host. If the current private key matches the downloaded
+  certificate, then the certificate will be saved and used for subsequent requests. If
+  there is already an existing certificate, it will be overwritten.
+
+* verify:
+  Verify the private key and certificate are present and match, verify the certificate is
+  issued by a trusted CA, and check revocation status.
+HELP
+  end
+
+  option('--certname NAME') do |arg|
+    options[:certname] = arg
+  end
+
+  def main
+    if command_line.args.empty?
+      puts help
+      exit(1)
+    end
+
+    Puppet.settings.use(:main, :agent)
+    host = Puppet::SSL::Host.new(options[:certname])
+
+    action = command_line.args.first
+    case action
+    when 'submit_request'
+      submit_request(host)
+      download_cert(host)
+    when 'download_cert'
+      download_cert(host)
+    when 'verify'
+      verify(host)
+    else
+      puts "Unknown action '#{action}'"
+      exit(1)
+    end
+
+    exit(0)
+  end
+
+  def submit_request(host)
+    host.ensure_ca_certificate
+
+    host.submit_request
+    puts "Submitted certificate request for '#{host.name}' to https://#{Puppet[:ca_server]}:#{Puppet[:ca_port]}"
+  rescue => e
+    puts "Failed to submit certificate request: #{e.message}"
+    exit(1)
+  end
+
+  def download_cert(host)
+    host.ensure_ca_certificate
+
+    puts "Downloading certificate '#{host.name}' from https://#{Puppet[:ca_server]}:#{Puppet[:ca_port]}"
+    if cert = host.download_host_certificate
+      puts "Downloaded certificate '#{host.name}' with fingerprint #{cert.fingerprint}"
+    else
+      puts "No certificate for '#{host.name}' on CA"
+    end
+  rescue => e
+    puts "Failed to download certificate: #{e.message}"
+    exit(1)
+  end
+
+  def verify(host)
+    host.ensure_ca_certificate
+
+    key = host.key
+    unless key
+      puts "The host's private key is missing"
+      exit(1)
+    end
+
+    cert = host.check_for_certificate_on_disk(host.name)
+    unless cert
+      puts "The host's certificate is missing"
+      exit(1)
+    end
+
+    if cert.content.public_key.to_pem != key.content.public_key.to_pem
+      puts "The host's key does not match the certificate"
+      exit(1)
+    end
+
+    store = host.ssl_store
+    unless store.verify(cert.content)
+      puts "Failed to verify certificate '#{host.name}': #{store.error_string} (#{store.error})"
+      exit(1)
+    end
+
+    puts "Verified certificate '#{host.name}'"
+    # store.chain.reverse.each_with_index do |issuer, i|
+    #   indent = "  " * (i+1)
+    #   puts "#{indent}#{issuer.subject.to_s}"
+    # end
+    exit(0)
+  rescue => e
+    puts "Verify failed: #{e.message}"
+    exit(1)
+  end
+end