puppet 0.13.6 → 0.16.0

data/lib/puppet/server/master.rb

@@ -9,6 +9,8 @@ module Puppet
 class Server
     class MasterError < Puppet::Error; end
     class Master < Handler
+        include Puppet::Util
+
         attr_accessor :ast, :local
         attr_reader :ca
 
@@ -17,6 +19,16 @@ class Server
                 iface.add_method("int freshness()")
         }
 
+        # FIXME At some point, this should be autodocumenting.
+        def addfacts(facts)
+            # Add our server version to the fact list
+            facts["serverversion"] = Puppet.version.to_s
+
+            # And then add the server name and IP
+            facts["servername"] = Facter["hostname"].value
+            facts["serverip"] = Facter["ipaddress"].value
+        end
+
         def filetimeout
             @interpreter.filetimeout
         end
@@ -35,10 +47,14 @@ class Server
         end
 
         def initialize(hash = {})
-            # FIXME this should all be s/:File/:Manifest/g or something
-            # build our AST
-            @file = hash[:File] || Puppet[:manifest]
-            hash.delete(:File)
+            args = {}
+
+            # Allow specification of a code snippet or of a file
+            if code = hash[:Code]
+                args[:Code] = code
+            else
+                args[:Manifest] = hash[:Manifest] || Puppet[:manifest]
+            end
 
             if hash[:Local]
                 @local = hash[:Local]
@@ -46,25 +62,26 @@ class Server
                 @local = false
             end
 
+            args[:Local] = @local
+
             if hash.include?(:CA) and hash[:CA]
                 @ca = Puppet::SSLCertificates::CA.new()
             else
                 @ca = nil
             end
 
-            @parsecheck = hash[:FileTimeout] || 15
+            args[:ParseCheck] = hash[:FileTimeout] || 15
 
             Puppet.debug("Creating interpreter")
 
-            args = {:Manifest => @file, :ParseCheck => @parsecheck}
-
             if hash.include?(:UseNodes)
                 args[:UseNodes] = hash[:UseNodes]
             elsif @local
                 args[:UseNodes] = false
             end
 
-            # This is only used by the cfengine module
+            # This is only used by the cfengine module, or if --loadclasses was
+            # specified in +puppet+.
             if hash.include?(:Classes)
                 args[:Classes] = hash[:Classes]
             end
@@ -110,17 +127,39 @@ class Server
                 clientip = facts["ipaddress"]
             end
 
-            Puppet.notice("Compiling configuration for %s" % client)
-            begin
-                retobjects = @interpreter.run(client, facts)
-            rescue Puppet::Error => detail
-                Puppet.err detail
-                raise XMLRPC::FaultException.new(
-                    1, detail.to_s
-                )
-            rescue => detail
-                Puppet.err detail.to_s
-                return ""
+            # Add any server-side facts to our server.
+            addfacts(facts)
+
+            retobjects = nil
+
+            # This is hackish, but there's no "silence" option for benchmarks
+            # right now
+            if @local
+                begin
+                    retobjects = @interpreter.run(client, facts)
+                rescue Puppet::Error => detail
+                    Puppet.err detail
+                    raise XMLRPC::FaultException.new(
+                        1, detail.to_s
+                    )
+                rescue => detail
+                    Puppet.err detail.to_s
+                    return ""
+                end
+            else
+                benchmark(:notice, "Compiled configuration for %s" % client) do
+                    begin
+                        retobjects = @interpreter.run(client, facts)
+                    rescue Puppet::Error => detail
+                        Puppet.err detail
+                        raise XMLRPC::FaultException.new(
+                            1, detail.to_s
+                        )
+                    rescue => detail
+                        Puppet.err detail.to_s
+                        return ""
+                    end
+                end
             end
 
             if @local

data/lib/puppet/server/pelement.rb

@@ -0,0 +1,176 @@
+require 'puppet'
+require 'puppet/server'
+
+module Puppet
+
+# Serve Puppet elements.  Useful for querying, copying, and, um, other stuff.
+class Server::PElement < Server::Handler
+    attr_accessor :local
+
+    @interface = XMLRPC::Service::Interface.new("pelementserver") { |iface|
+        iface.add_method("string apply(string, string)")
+        iface.add_method("string describe(string, string, array, array)")
+        iface.add_method("string list(string, array, string)")
+    }
+
+    # Apply a TransBucket as a transaction.
+    def apply(bucket, format = "yaml", client = nil, clientip = nil)
+        unless @local
+            begin
+                case format
+                when "yaml":
+                    tmp = YAML::load(CGI.unescape(bucket))
+                    bucket = tmp
+                else
+                    raise Puppet::Error, "Unsupported format '%s'" % format
+                end
+            rescue => detail
+                raise Puppet::Error, "Could not load YAML TransBucket: %s" % detail
+            end
+        end
+
+        component = bucket.to_type
+
+        # Create a client, but specify the remote machine as the server
+        # because the class requires it, even though it's unused
+        client = Puppet::Client::MasterClient.new(:Server => client||"localhost")
+
+        # Set the objects
+        client.objects = component
+
+        # And then apply the configuration.  This way we're reusing all
+        # the code in there.  It should probably just be separated out, though.
+        transaction = client.apply
+
+        # It'd be nice to return some kind of report, but... at this point
+        # we have no such facility.
+        return "success"
+    end
+
+    # Describe a given object.  This returns the 'is' values for every state
+    # available on the object type.
+    def describe(type, name, retrieve = nil, ignore = [], format = "yaml", client = nil, clientip = nil)
+        @local = true unless client
+        typeklass = nil
+        unless typeklass = Puppet.type(type)
+            raise Puppet::Error, "Puppet type %s is unsupported" % type
+        end
+
+        obj = nil
+
+        retrieve ||= :all
+
+        if obj = typeklass[name]
+            obj[:check] = retrieve
+        else
+            begin
+                obj = typeklass.create(:name => name, :check => retrieve)
+            rescue Puppet::Error => detail
+                raise Puppet::Error, "%s[%s] could not be created: %s" %
+                    [type, name, detail]
+            end
+        end
+
+        trans = obj.to_trans
+
+        # Now get rid of any attributes they specifically don't want
+        ignore.each do |st|
+            if trans.include? st
+                trans.delete(st)
+            end
+        end
+
+        # And get rid of any attributes that are nil
+        trans.each do |attr, value|
+            if value.nil?
+                trans.delete(attr)
+            end
+        end
+
+        if @local
+            return trans
+        else
+            str = nil
+            case format
+            when "yaml":
+                str = CGI.escape(YAML::dump(trans))
+            else
+                raise XMLRPC::FaultException.new(
+                    1, "Unavailable config format %s" % format
+                )
+            end
+            return CGI.escape(str)
+        end
+    end
+
+    # Create a new fileserving module.
+    def initialize(hash = {})
+        if hash[:Local]
+            @local = hash[:Local]
+        else
+            @local = false
+        end
+    end
+
+    # List all of the elements of a given type.
+    def list(type, ignore = [], base = nil, client = nil, clientip = nil)
+        @local = true unless client
+        typeklass = nil
+        unless typeklass = Puppet.type(type)
+            raise Puppet::Error, "Puppet type %s is unsupported" % type
+        end
+
+        ignore = [ignore] unless ignore.is_a? Array
+        bucket = TransBucket.new
+        bucket.type = typeklass.name
+
+        typeklass.list.each do |obj|
+            next if ignore.include? obj.name
+
+            object = TransObject.new(obj.name, typeklass.name)
+            bucket << object
+        end
+
+        if @local
+            return bucket
+        else
+            str = nil
+            case format
+            when "yaml":
+                str = YAML.dump(bucket)
+            else
+                raise XMLRPC::FaultException.new(
+                    1, "Unavailable config format %s" % format
+                )
+            end
+            return CGI.escape(str)
+        end
+    end
+
+    private
+
+    def authcheck(file, mount, client, clientip)
+        unless mount.allowed?(client, clientip)
+            mount.warning "%s cannot access %s" %
+                [client, file]
+            raise Puppet::Server::AuthorizationError, "Cannot access %s" % mount
+        end
+    end
+
+    # Deal with ignore parameters.
+    def handleignore(children, path, ignore)            
+        ignore.each { |ignore|                
+            Dir.glob(File.join(path,ignore), File::FNM_DOTMATCH) { |match|
+                children.delete(File.basename(match))
+            }                
+        }
+        return children
+    end  
+
+    def to_s
+        "pelementserver"
+    end
+end
+end
+
+# $Id: pelement.rb 1129 2006-04-21 19:14:59Z luke $

data/lib/puppet/server/rights.rb

@@ -0,0 +1,78 @@
+require 'ipaddr'
+require 'puppet/server/authstore'
+
+module Puppet
+class Server
+    # Define a set of rights and who has access to them.
+    class Rights < Hash
+        # We basically just proxy directly to our rights.  Each Right stores
+        # its own auth abilities.
+        [:allow, :allowed?, :deny].each do |method|
+            define_method(method) do |name, *args|
+                name = name.intern if name.is_a? String
+
+                if obj = right(name)
+                    obj.send(method, *args)
+                else
+                    raise ArgumentError, "Unknown right '%s'" % name
+                end
+            end
+        end
+
+        def [](name)
+            name = name.intern if name.is_a? String
+            super(name)
+        end
+
+        # Define a new right to which access can be provided.
+        def newright(name)
+            name = name.intern if name.is_a? String
+            shortname = Right.shortname(name)
+            if self.include? name
+                raise ArgumentError, "Right '%s' is already defined" % name
+            else
+                self[name] = Right.new(name, shortname)
+            end
+        end
+
+        private
+
+        # Retrieve a right by name.
+        def right(name)
+            name = name.intern if name.is_a? String
+            self[name]
+        end
+
+        # A right.
+        class Right < AuthStore
+            attr_accessor :name, :shortname
+
+            Puppet::Util.logmethods(self, true)
+
+            def self.shortname(name)
+                name.to_s[0..0]
+            end
+
+            def initialize(name, shortname = nil)
+                @name = name
+                @shortname = shortname
+                unless @shortname
+                    @shortname = Right.shortname(name)
+                end
+                super()
+            end
+
+            def to_s
+                "access[%s]" % @name
+            end
+
+            # There's no real check to do at this point
+            def valid?
+                true
+            end
+        end
+    end
+end
+end
+#
+# $Id: rights.rb 1129 2006-04-21 19:14:59Z luke $

data/lib/puppet/server/servlet.rb

@@ -34,15 +34,29 @@ class Server
         end
 
         # Verify that our client has access.  We allow untrusted access to
-        # puppetca methods but none others.
+        # puppetca methods but no others.
         def authorize(request, method)
             namespace = method.sub(/\..+/, '')
             client = request.peeraddr[2]
             ip = request.peeraddr[3]
             if request.client_cert
-                Servlet.log "Allowing %s(%s) trusted access to %s" %
-                    [client, ip, method]
-                return true
+                if @puppetserver.authconfig.exists?
+                    return @puppetserver.authconfig.allowed?(method, client, ip)
+                else
+                    # This is pretty hackish, but...
+                    # This means we can't actually test this method at this point.
+                    # The next release of Puppet will almost definitely require
+                    # this file to exist or will default to denying all access.
+                    if Puppet.name == "puppetmasterd" or defined? Test::Unit::TestCase
+                        Servlet.log "Allowing %s(%s) trusted access to %s" %
+                            [client, ip, method]
+                        return true
+                    else
+                        Servlet.log "Denying %s(%s) trusted access to %s on %s" %
+                            [client, ip, method, Puppet.name]
+                        return false
+                    end
+                end
             else
                 if method =~ /^puppetca\./
                     Puppet.notice "Allowing %s(%s) untrusted access to CA methods" %
@@ -69,8 +83,7 @@ class Server
         end
 
         def initialize(server, handlers)
-            #Puppet.info server.inspect
-            
+            @puppetserver = server
             # the servlet base class does not consume any arguments
             # and its BasicServer base class only accepts a 'class_delim'
             # option which won't change in Puppet at all

data/lib/puppet/sslcertificates.rb

@@ -124,7 +124,8 @@ module Puppet::SSLCertificates
     end
 
     def self.mkhash(dir, cert, certfile)
-        hash = "%x" % cert.issuer.hash
+        # Make sure the hash is zero-padded to 8 chars
+        hash = "%08x" % cert.issuer.hash
         hashpath = nil
         10.times { |i|
             path = File.join(dir, "%s.%s" % [hash, i])
@@ -149,10 +150,11 @@ module Puppet::SSLCertificates
             break
         }
 
+
         return hashpath
     end
     require 'puppet/sslcertificates/certificate'
     require 'puppet/sslcertificates/ca'
 end
 
-# $Id: sslcertificates.rb 966 2006-03-02 17:12:26Z luke $
+# $Id: sslcertificates.rb 1117 2006-04-19 15:35:04Z luke $

data/lib/puppet/sslcertificates/ca.rb

@@ -4,34 +4,56 @@ class Puppet::SSLCertificates::CA
 
     Puppet.setdefaults(:ca,
         :cadir => {  :default => "$ssldir/ca",
+            :owner => "$user",
+            :group => "$group",
             :mode => 0770,
             :desc => "The root directory for the certificate authority."
         },
         :cacert => { :default => "$cadir/ca_crt.pem",
+            :owner => "$user",
+            :group => "$group",
             :mode => 0660,
             :desc => "The CA certificate."
         },
         :cakey => { :default => "$cadir/ca_key.pem",
+            :owner => "$user",
+            :group => "$group",
             :mode => 0660,
             :desc => "The CA private key."
         },
-        :capub => ["$cadir/ca_pub.pem", "The CA public key."],
+        :capub => { :default => "$cadir/ca_pub.pem",
+            :owner => "$user",
+            :group => "$group",
+            :desc => "The CA public key."
+        },
         :caprivatedir => { :default => "$cadir/private",
+            :owner => "$user",
+            :group => "$group",
             :mode => 0770,
             :desc => "Where the CA stores private certificate information."
         },
-        :csrdir => ["$cadir/requests",
-            "Where the CA stores certificate requests"],
+        :csrdir => { :default => "$cadir/requests",
+            :owner => "$user",
+            :group => "$group",
+            :desc => "Where the CA stores certificate requests"
+        },
         :signeddir => { :default => "$cadir/signed",
+            :owner => "$user",
+            :group => "$group",
             :mode => 0770,
             :desc => "Where the CA stores signed certificates."
         },
         :capass => { :default => "$caprivatedir/ca.pass",
+            :owner => "$user",
+            :group => "$group",
             :mode => 0660,
             :desc => "Where the CA stores the password for the private key"
         },
-        :serial => ["$cadir/serial",
-            "Where the serial number for certificates is stored."],
+        :serial => { :default => "$cadir/serial",
+            :owner => "$user",
+            :group => "$group",
+            :desc => "Where the serial number for certificates is stored."
+        },
         :autosign => { :default => "$confdir/autosign.conf",
             :mode => 0640,
             :desc => "Whether to enable autosign.  Valid values are true (which
@@ -44,10 +66,6 @@ class Puppet::SSLCertificates::CA
         :keylength => [1024, "The bit length of keys."]
     )
 
-    #@@params.each { |param|
-    #    Puppet.setdefault(param,@@defaults[param])
-    #}
-
     def certfile
         @config[:cacert]
     end
@@ -62,6 +80,7 @@ class Puppet::SSLCertificates::CA
         File.join(Puppet[:signeddir], [hostname, "pem"].join("."))
     end
 
+    # Turn our hostname into a Name object
     def thing2name(thing)
         thing.subject.to_a.find { |ary|
             ary[0] == "CN"
@@ -88,29 +107,26 @@ class Puppet::SSLCertificates::CA
 
         self.getcert
         unless FileTest.exists?(@config[:serial])
-            File.open(@config[:serial], "w") { |f|
+            Puppet.config.write(:serial) do |f|
                 f << "%04X" % 1
-            }
+            end
         end
     end
 
+    # Generate a new password for the CA.
     def genpass
         pass = ""
         20.times { pass += (rand(74) + 48).chr }
 
-        # FIXME It's a hack that this still needs to be here :/
-        unless FileTest.exists?(File.dirname(@config[:capass]))
-            Puppet::Util.recmkdir(File.dirname(@config[:capass]), 0770)
-        end
-
         begin
-            File.open(@config[:capass], "w", 0600) { |f| f.print pass }
+            Puppet.config.write(:capass) { |f| f.print pass }
         rescue Errno::EACCES => detail
             raise Puppet::Error, detail.to_s
         end
         return pass
     end
 
+    # Get the CA password.
     def getpass
         if @config[:capass] and File.readable?(@config[:capass])
             return File.read(@config[:capass])
@@ -119,6 +135,7 @@ class Puppet::SSLCertificates::CA
         end
     end
 
+    # Get the CA cert.
     def getcert
         if FileTest.exists?(@config[:cacert])
             @cert = OpenSSL::X509::Certificate.new(
@@ -129,6 +146,7 @@ class Puppet::SSLCertificates::CA
         end
     end
 
+    # Retrieve a client's CSR.
     def getclientcsr(host)
         csrfile = host2csrfile(host)
         unless File.exists?(csrfile)
@@ -138,6 +156,7 @@ class Puppet::SSLCertificates::CA
         return OpenSSL::X509::Request.new(File.read(csrfile))
     end
 
+    # Retrieve a client's certificate.
     def getclientcert(host)
         certfile = host2certfile(host)
         unless File.exists?(certfile)
@@ -147,17 +166,24 @@ class Puppet::SSLCertificates::CA
         return [OpenSSL::X509::Certificate.new(File.read(certfile)), @cert]
     end
 
+    # List certificates waiting to be signed.
     def list
-        return Dir.entries(Puppet[:csrdir]).reject { |file|
-            file =~ /^\.+$/
+        return Dir.entries(Puppet[:csrdir]).find_all { |file|
+            file =~ /\.pem$/
         }.collect { |file|
             file.sub(/\.pem$/, '')
         }
     end
 
+    # Create the root certificate.
     def mkrootcert
+        # Make the root cert's name the FQDN of the host running the CA.
+        name = Facter["hostname"].value
+        if domain = Facter["domain"].value
+            name += "." + domain
+        end
         cert = Certificate.new(
-            :name => "CAcert",
+            :name => name,
             :cert => @config[:cacert],
             :encrypt => @config[:capass],
             :key => @config[:cakey],
@@ -165,10 +191,14 @@ class Puppet::SSLCertificates::CA
             :length => 1825,
             :type => :ca
         )
-        @cert = cert.mkselfsigned
-        File.open(@config[:cacert], "w", 0660) { |f|
+
+        # This creates the cakey file
+        Puppet::Util.asuser(Puppet[:user], Puppet[:group]) do
+            @cert = cert.mkselfsigned
+        end
+        Puppet.config.write(:cacert) do |f|
             f.puts @cert.to_pem
-        }
+        end
         @key = cert.key
         return cert
     end
@@ -182,6 +212,7 @@ class Puppet::SSLCertificates::CA
         File.unlink(csrfile)
     end
 
+    # Take the Puppet config and store it locally.
     def setconfig(hash)
         @config = {}
         Puppet.config.params("ca").each { |param|
@@ -208,12 +239,10 @@ class Puppet::SSLCertificates::CA
             unless @config[dir]
                 raise Puppet::DevError, "%s is undefined" % dir
             end
-            unless FileTest.exists?(@config[dir])
-                Puppet.recmkdir(@config[dir])
-            end
         }
     end
 
+    # Sign a given certificate request.
     def sign(csr)
         unless csr.is_a?(OpenSSL::X509::Request)
             raise Puppet::Error,
@@ -238,7 +267,6 @@ class Puppet::SSLCertificates::CA
                 File.read(@config[:cakey]), @config[:password]
             )
         else
-            system("ls -al %s" % Puppet[:capass])
             cakey = OpenSSL::PKey::RSA.new(
                 File.read(@config[:cakey])
             )
@@ -259,9 +287,9 @@ class Puppet::SSLCertificates::CA
         )
 
         # increment the serial
-        File.open(@config[:serial], "w") { |f|
+        Puppet.config.write(:serial) do |f|
             f << "%04X" % (serial + 1)
-        }
+        end
 
         newcert.sign(cakey, OpenSSL::Digest::SHA1.new)
 
@@ -270,6 +298,9 @@ class Puppet::SSLCertificates::CA
         return [newcert, cacert]
     end
 
+    # Store the client's CSR for later signing.  This is called from
+    # server/ca.rb, and the CSRs are deleted once the certificate is actually
+    # signed.
     def storeclientcsr(csr)
         host = thing2name(csr)
 
@@ -278,11 +309,12 @@ class Puppet::SSLCertificates::CA
             raise Puppet::Error, "Certificate request for %s already exists" % host
         end
 
-        File.open(csrfile, "w", 0660) { |f|
+        Puppet.config.writesub(:csrdir, csrfile) do |f|
             f.print csr.to_pem
-        }
+        end
     end
 
+    # Store the certificate that we generate.
     def storeclientcert(cert)
         host = thing2name(cert)
 
@@ -292,10 +324,10 @@ class Puppet::SSLCertificates::CA
                 [certfile, host]
         end
 
-        File.open(certfile, "w", 0660) { |f|
+        Puppet.config.writesub(:signeddir, certfile) do |f|
             f.print cert.to_pem
-        }
+        end
     end
 end
 
-# $Id: ca.rb 965 2006-03-02 07:30:14Z luke $
+# $Id: ca.rb 1117 2006-04-19 15:35:04Z luke $