puppet 0.24.9 → 0.25.0

data/lib/puppet/network/http/mongrel.rb

@@ -6,46 +6,50 @@ class Puppet::Network::HTTP::Mongrel
     def initialize(args = {})
         @listening = false
     end
-    
+
     def listen(args = {})
-        raise ArgumentError, ":handlers must be specified." if !args[:handlers] or args[:handlers].empty?
         raise ArgumentError, ":protocols must be specified." if !args[:protocols] or args[:protocols].empty?
         raise ArgumentError, ":address must be specified." unless args[:address]
         raise ArgumentError, ":port must be specified." unless args[:port]
         raise "Mongrel server is already listening" if listening?
 
         @protocols = args[:protocols]
-        @handlers = args[:handlers]
-        @server = Mongrel::HttpServer.new(args[:address], args[:port]) 
+        @xmlrpc_handlers = args[:xmlrpc_handlers]
+        @server = Mongrel::HttpServer.new(args[:address], args[:port])
         setup_handlers
 
         @listening = true
         @server.run
     end
-    
+
     def unlisten
         raise "Mongrel server is not listening" unless listening?
         @server.stop
         @server = nil
         @listening = false
     end
-    
+
     def listening?
         @listening
     end
-    
+
   private
-  
+
     def setup_handlers
-        @protocols.each do |protocol|
-            klass = class_for_protocol(protocol)
-            @handlers.each do |handler|
-                @server.register('/' + handler.to_s, klass.new(:server => @server, :handler => handler))
-                @server.register('/' + handler.to_s + 's', klass.new(:server => @server, :handler => handler))
-            end
+        # Register our REST support at /
+        klass = class_for_protocol(:rest)
+        @server.register('/', klass.new(:server => @server))
+
+        if @protocols.include?(:xmlrpc) and ! @xmlrpc_handlers.empty?
+            setup_xmlrpc_handlers
         end
     end
-  
+
+    # Use our existing code to provide the xmlrpc backward compatibility.
+    def setup_xmlrpc_handlers
+        @server.register('/RPC2', Puppet::Network::HTTPServer::Mongrel.new(@xmlrpc_handlers))
+    end
+
     def class_for_protocol(protocol)
         return Puppet::Network::HTTP::MongrelREST if protocol.to_sym == :rest
         raise ArgumentError, "Unknown protocol [#{protocol}]."

data/lib/puppet/network/http/mongrel/rest.rb

@@ -4,44 +4,61 @@ class Puppet::Network::HTTP::MongrelREST < Mongrel::HttpHandler
 
     include Puppet::Network::HTTP::Handler
 
+    ACCEPT_HEADER = "HTTP_ACCEPT".freeze # yay, zed's a crazy-man
+
     def initialize(args={})
         super()
         initialize_for_puppet(args)
     end
 
-    # Return the query params for this request.  We had to expose this method for
-    # testing purposes.
-    def params(request)
-        Mongrel::HttpRequest.query_parse(request.params["QUERY_STRING"]).merge(client_info(request))
+    def accept_header(request)
+        request.params[ACCEPT_HEADER]
     end
 
-  private
+    def content_type_header(request)
+        request.params["HTTP_CONTENT_TYPE"]
+    end
 
     # which HTTP verb was used in this request
     def http_method(request)
         request.params[Mongrel::Const::REQUEST_METHOD]
     end
 
-    # what path was requested?
-    def path(request)
-        # LAK:NOTE See http://snurl.com/21zf8  [groups_google_com] 
-        x = '/' + request.params[Mongrel::Const::REQUEST_PATH].split('/')[1]
+    # Return the query params for this request.  We had to expose this method for
+    # testing purposes.
+    def params(request)
+        params = Mongrel::HttpRequest.query_parse(request.params["QUERY_STRING"])
+        params = decode_params(params)
+        params.merge(client_info(request))
     end
 
-    # return the key included in the request path
-    def request_key(request)
-        # LAK:NOTE See http://snurl.com/21zf8  [groups_google_com] 
-        x = request.params[Mongrel::Const::REQUEST_PATH].split('/')[2]        
+    # what path was requested?
+    def path(request)
+        # LAK:NOTE See http://snurl.com/21zf8  [groups_google_com]
+        #x = '/' + request.params[Mongrel::Const::REQUEST_PATH]
+        request.params[Mongrel::Const::REQUEST_PATH]
     end
 
     # return the request body
     def body(request)
-        request.body
+        request.body.read
+    end
+
+    def set_content_type(response, format)
+        response.header['Content-Type'] = format_to_mime(format)
     end
 
     # produce the body of the response
-    def encode_result(request, response, result, status = 200)
-        response.start(status) do |head, body|
+    def set_response(response, result, status = 200)
+        args = [status]
+
+        # Set the 'reason' (or 'message', as it's called in Webrick), when
+        # we have a failure.
+        if status >= 300
+            args << false << result
+        end
+
+        response.start(*args) do |head, body|
             body.write(result)
         end
     end
@@ -49,7 +66,7 @@ class Puppet::Network::HTTP::MongrelREST < Mongrel::HttpHandler
     def client_info(request)
         result = {}
         params = request.params
-        result[:ip] = params["REMOTE_ADDR"]
+        result[:ip] = params["HTTP_X_FORWARDED_FOR"] ? params["HTTP_X_FORWARDED_FOR"].split(',').last.strip : params["REMOTE_ADDR"]
 
         # JJM #906 The following dn.match regular expression is forgiving
         # enough to match the two Distinguished Name string contents
@@ -58,6 +75,7 @@ class Puppet::Network::HTTP::MongrelREST < Mongrel::HttpHandler
             result[:node] = dn_matchdata[1].to_str
             result[:authenticated] = (params[Puppet[:ssl_client_verify_header]] == 'SUCCESS')
         else
+            result[:node] = resolve_node(result)
             result[:authenticated] = false
         end
 

data/lib/puppet/network/http/rack.rb

@@ -0,0 +1,62 @@
+
+require 'puppet/network/http'
+require 'puppet/network/http/rack/rest'
+require 'puppet/network/http/rack/xmlrpc'
+
+# An rack application, for running the Puppet HTTP Server.
+class Puppet::Network::HTTP::Rack
+
+    def initialize(args)
+        raise ArgumentError, ":protocols must be specified." if !args[:protocols] or args[:protocols].empty?
+        protocols = args[:protocols]
+
+        # Always prepare a REST handler
+        @rest_http_handler = Puppet::Network::HTTP::RackREST.new()
+        protocols.delete :rest
+
+        # Prepare the XMLRPC handler, for backward compatibility (if requested)
+        @xmlrpc_path = '/RPC2'
+        if args[:protocols].include?(:xmlrpc)
+            raise ArgumentError, "XMLRPC was requested, but no handlers were given" if !args.include?(:xmlrpc_handlers)
+
+            @xmlrpc_http_handler = Puppet::Network::HTTP::RackXMLRPC.new(args[:xmlrpc_handlers])
+            protocols.delete :xmlrpc
+        end
+
+        raise ArgumentError, "there were unknown :protocols specified." if !protocols.empty?
+    end
+
+    # The real rack application (which needs to respond to call).
+    # The work we need to do, roughly is:
+    # * Read request (from env) and prepare a response
+    # * Route the request to the correct handler
+    # * Return the response (in rack-format) to our caller.
+    def call(env)
+        request = Rack::Request.new(env)
+        response = Rack::Response.new()
+        Puppet.debug 'Handling request: %s %s' % [request.request_method, request.fullpath]
+
+        # if we shall serve XMLRPC, have /RPC2 go to the xmlrpc handler
+        if @xmlrpc_http_handler and @xmlrpc_path == request.path_info[0, @xmlrpc_path.size]
+            handler = @xmlrpc_http_handler
+        else
+            # everything else is handled by the new REST handler
+            handler = @rest_http_handler
+        end
+
+        begin
+            handler.process(request, response)
+        rescue => detail
+            # Send a Status 500 Error on unhandled exceptions.
+            response.status = 500
+            response['Content-Type'] = 'text/plain'
+            response.write 'Internal Server Error: "%s"' % detail.message
+            # log what happened
+            Puppet.err "Puppet Server (Rack): Internal Server Error: Unhandled Exception: \"%s\"" % detail.message
+            Puppet.err "Backtrace:"
+            detail.backtrace.each { |line| Puppet.err " > %s" % line }
+        end
+        response.finish()
+    end
+end
+

data/lib/puppet/network/http/rack/httphandler.rb

@@ -0,0 +1,34 @@
+require 'openssl'
+require 'puppet/ssl/certificate'
+
+class Puppet::Network::HTTP::RackHttpHandler
+
+    def initialize()
+    end
+
+    # do something useful with request (a Rack::Request) and use
+    # response to fill your Rack::Response
+    def process(request, response)
+        raise NotImplementedError, "Your RackHttpHandler subclass is supposed to override service(request)"
+    end
+
+    def ssl_client_header(request)
+        env_or_request_env(Puppet[:ssl_client_header], request)
+    end
+
+    def ssl_client_verify_header(request)
+        env_or_request_env(Puppet[:ssl_client_verify_header], request)
+    end
+
+    # Older Passenger versions passed all Environment vars in app(env),
+    # but since 2.2.3 they (some?) are really in ENV.
+    # Mongrel, etc. may also still use request.env.
+    def env_or_request_env(var, request)
+        if ENV.include?(var)
+            ENV[var]
+        else
+            request.env[var]
+        end
+    end
+end
+

data/lib/puppet/network/http/rack/rest.rb

@@ -0,0 +1,79 @@
+require 'puppet/network/http/handler'
+require 'puppet/network/http/rack/httphandler'
+
+class Puppet::Network::HTTP::RackREST < Puppet::Network::HTTP::RackHttpHandler
+
+    include Puppet::Network::HTTP::Handler
+
+    HEADER_ACCEPT = 'HTTP_ACCEPT'.freeze
+    ContentType = 'Content-Type'.freeze
+
+    def initialize(args={})
+        super()
+        initialize_for_puppet(args)
+    end
+
+    def set_content_type(response, format)
+        response[ContentType] = format_to_mime(format)
+    end
+
+    # produce the body of the response
+    def set_response(response, result, status = 200)
+        response.status = status
+        response.write result
+    end
+
+    # Retrieve the accept header from the http request.
+    def accept_header(request)
+        request.env[HEADER_ACCEPT]
+    end
+
+    # Retrieve the accept header from the http request.
+    def content_type_header(request)
+        request.content_type
+    end
+
+    # Return which HTTP verb was used in this request.
+    def http_method(request)
+        request.request_method
+    end
+
+    # Return the query params for this request.
+    def params(request)
+        result = decode_params(request.params)
+        result.merge(extract_client_info(request))
+    end
+
+    # what path was requested? (this is, without any query parameters)
+    def path(request)
+        request.path
+    end
+
+    # return the request body
+    # request.body has some limitiations, so we need to concat it back
+    # into a regular string, which is something puppet can use.
+    def body(request)
+        body = ''
+        request.body.each { |part| body += part }
+        body
+    end
+
+    def extract_client_info(request)
+        result = {}
+        result[:ip] = request.ip
+
+        # if we find SSL info in the headers, use them to get a hostname.
+        # try this with :ssl_client_header.
+        # For Apache you need special configuration, see ext/rack/README.
+        if dn = ssl_client_header(request) and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
+            result[:node] = dn_matchdata[1].to_str
+            result[:authenticated] = (ssl_client_verify_header(request) == 'SUCCESS')
+        else
+            result[:node] = resolve_node(result)
+            result[:authenticated] = false
+        end
+
+        result
+    end
+
+end

data/lib/puppet/network/http/rack/xmlrpc.rb

@@ -0,0 +1,65 @@
+require 'puppet/network/http/rack/httphandler'
+require 'puppet/network/xmlrpc/server'
+require 'resolv'
+
+class Puppet::Network::HTTP::RackXMLRPC < Puppet::Network::HTTP::RackHttpHandler
+    def initialize(handlers)
+        @xmlrpc_server = Puppet::Network::XMLRPCServer.new
+        handlers.each do |name|
+            Puppet.debug "  -> register xmlrpc namespace %s" % name
+            unless handler = Puppet::Network::Handler.handler(name)
+                raise ArgumentError, "Invalid XMLRPC handler %s" % name
+            end
+            @xmlrpc_server.add_handler(handler.interface, handler.new({}))
+        end
+        super()
+    end
+
+    def process(request, response)
+        # errors are sent as text/plain
+        response['Content-Type'] = 'text/plain'
+        if not request.post? then
+            response.status = 405
+            response.write 'Method Not Allowed'
+            return
+        end
+        if request.media_type() != "text/xml" then
+            response.status = 400
+            response.write 'Bad Request'
+            return
+        end
+
+        # get auth/certificate data
+        client_request = build_client_request(request)
+
+        response_body = @xmlrpc_server.process(request.body.read(), client_request)
+
+        response.status = 200
+        response['Content-Type'] =  'text/xml; charset=utf-8'
+        response.write response_body
+    end
+
+    def build_client_request(request)
+        ip = request.ip
+
+        # if we find SSL info in the headers, use them to get a hostname.
+        # try this with :ssl_client_header.
+        # For Apache you need special configuration, see ext/rack/README.
+        if dn = ssl_client_header(request) and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
+            node = dn_matchdata[1].to_str
+            authenticated = (ssl_client_verify_header(request) == 'SUCCESS')
+        else
+            begin
+                node = Resolv.getname(ip)
+            rescue => detail
+                Puppet.err "Could not resolve %s: %s" % [ip, detail]
+                node = "unknown"
+            end
+            authenticated = false
+        end
+
+        Puppet::Network::ClientRequest.new(node, ip, authenticated)
+    end
+
+end
+

data/lib/puppet/network/http/webrick.rb

@@ -1,37 +1,46 @@
 require 'webrick'
 require 'webrick/https'
 require 'puppet/network/http/webrick/rest'
+require 'puppet/network/xmlrpc/webrick_servlet'
 require 'thread'
 
+require 'puppet/ssl/certificate'
+require 'puppet/ssl/certificate_revocation_list'
+
 class Puppet::Network::HTTP::WEBrick
     def initialize(args = {})
         @listening = false
         @mutex = Mutex.new
     end
-    
+
     def self.class_for_protocol(protocol)
         return Puppet::Network::HTTP::WEBrickREST if protocol.to_sym == :rest
         raise "Unknown protocol [#{protocol}]."
     end
-    
+
     def listen(args = {})
-        raise ArgumentError, ":handlers must be specified." if !args[:handlers] or args[:handlers].empty?
         raise ArgumentError, ":protocols must be specified." if !args[:protocols] or args[:protocols].empty?
         raise ArgumentError, ":address must be specified." unless args[:address]
         raise ArgumentError, ":port must be specified." unless args[:port]
-        
+
         @protocols = args[:protocols]
-        @handlers = args[:handlers]        
-        @server = WEBrick::HTTPServer.new(:BindAddress => args[:address], :Port => args[:port])
+        @xmlrpc_handlers = args[:xmlrpc_handlers]
+
+        arguments = {:BindAddress => args[:address], :Port => args[:port]}
+        arguments.merge!(setup_logger)
+        arguments.merge!(setup_ssl)
+
+        @server = WEBrick::HTTPServer.new(arguments)
+
         setup_handlers
 
         @mutex.synchronize do
-            raise "WEBrick server is already listening" if @listening        
+            raise "WEBrick server is already listening" if @listening
             @listening = true
             @thread = Thread.new { @server.start }
         end
     end
-    
+
     def unlisten
         @mutex.synchronize do
             raise "WEBrick server is not listening" unless @listening
@@ -41,22 +50,86 @@ class Puppet::Network::HTTP::WEBrick
             @listening = false
         end
     end
-    
+
     def listening?
         @mutex.synchronize do
             @listening
         end
     end
 
+    # Configure our http log file.
+    def setup_logger
+        # Make sure the settings are all ready for us.
+        Puppet.settings.use(:main, :ssl, Puppet[:name])
+
+        if Puppet[:name] == "puppetmasterd"
+            file = Puppet[:masterhttplog]
+        else
+            file = Puppet[:httplog]
+        end
+
+        # open the log manually to prevent file descriptor leak
+        file_io = ::File.open(file, "a+")
+        file_io.sync
+        file_io.fcntl(Fcntl::F_SETFD, Fcntl::FD_CLOEXEC)
+
+        args = [file_io]
+        args << WEBrick::Log::DEBUG if Puppet::Util::Log.level == :debug
+
+        logger = WEBrick::Log.new(*args)
+        return :Logger => logger, :AccessLog => [
+            [logger, WEBrick::AccessLog::COMMON_LOG_FORMAT ],
+            [logger, WEBrick::AccessLog::REFERER_LOG_FORMAT ]
+        ]
+    end
+
+    # Add all of the ssl cert information.
+    def setup_ssl
+        results = {}
+
+        # Get the cached copy.  We know it's been generated, too.
+        host = Puppet::SSL::Host.localhost
+
+        raise Puppet::Error, "Could not retrieve certificate for %s and not running on a valid certificate authority" % host.name unless host.certificate
+
+        results[:SSLPrivateKey] = host.key.content
+        results[:SSLCertificate] = host.certificate.content
+        results[:SSLStartImmediately] = true
+        results[:SSLEnable] = true
+
+        unless Puppet::SSL::Certificate.find("ca")
+            raise Puppet::Error, "Could not find CA certificate"
+        end
+
+        results[:SSLCACertificateFile] = Puppet[:localcacert]
+        results[:SSLVerifyClient] = OpenSSL::SSL::VERIFY_PEER
+
+        results[:SSLCertificateStore] = host.ssl_store
+
+        results
+    end
+
   private
-    
+
     def setup_handlers
-        @protocols.each do |protocol|
-            klass = self.class.class_for_protocol(protocol)
-            @handlers.each do |handler|
-                @server.mount('/' + handler.to_s, klass, handler)
-                @server.mount('/' + handler.to_s + 's', klass, handler)
-            end
+        # Set up the new-style protocols.
+        klass = self.class.class_for_protocol(:rest)
+        @server.mount('/', klass, :this_value_is_apparently_necessary_but_unused)
+
+        # And then set up xmlrpc, if configured.
+        if @protocols.include?(:xmlrpc) and ! @xmlrpc_handlers.empty?
+            @server.mount("/RPC2", xmlrpc_servlet)
         end
     end
+
+    # Create our xmlrpc servlet, which provides backward compatibility.
+    def xmlrpc_servlet
+        handlers = @xmlrpc_handlers.collect { |handler|
+            unless hclass = Puppet::Network::Handler.handler(handler)
+                raise "Invalid xmlrpc handler %s" % handler
+            end
+            hclass.new({})
+        }
+        Puppet::Network::XMLRPC::WEBrickServlet.new handlers
+    end
 end