puppet 2.6.11 → 2.6.12

data/lib/puppet/ssl/host.rb

@@ -138,11 +138,24 @@ class Puppet::SSL::Host
     @certificate_request ||= CertificateRequest.find(name)
   end
 
+  def this_csr_is_for_the_current_host
+    name == Puppet[:certname].downcase
+  end
+
   # Our certificate request requires the key but that's all.
-  def generate_certificate_request
+  def generate_certificate_request(options = {})
     generate_key unless key
+
+    # If this is for the current machine...
+    if this_csr_is_for_the_current_host
+      # ...add our configured dns_alt_names
+      if Puppet[:dns_alt_names] and Puppet[:dns_alt_names] != ''
+        options[:dns_alt_names] ||= Puppet[:dns_alt_names]
+      end
+    end
+
     @certificate_request = CertificateRequest.new(name)
-    @certificate_request.generate(key.content)
+    @certificate_request.generate(key.content, options)
     begin
       @certificate_request.save
     rescue
@@ -185,7 +198,7 @@ class Puppet::SSL::Host
     # should use it to sign our request; else, just try to read
     # the cert.
     if ! certificate and ca = Puppet::SSL::CertificateAuthority.instance
-      ca.sign(self.name)
+      ca.sign(self.name, true)
     end
   end
 

data/lib/puppet/type/file.rb

@@ -6,7 +6,6 @@ require 'fileutils'
 require 'puppet/network/handler'
 require 'puppet/util/diff'
 require 'puppet/util/checksums'
-require 'puppet/network/client'
 require 'puppet/util/backups'
 
 Puppet::Type.newtype(:file) do

data/lib/puppet/util/command_line/puppetca

@@ -56,6 +56,10 @@
 #   Generate a certificate for a named client.  A certificate/keypair will be
 #   generated for each client named on the command line.
 #
+#   When generate is used the additional `--subject-alt-name` argument can be
+#   used.  The names, separated by `:`, passed will be added as the
+#   subjectAltName of the final certificate.
+#
 # help::
 #   Print this help message
 #
@@ -83,6 +87,19 @@
 #   Sign an outstanding certificate request.  Unless '--all' is specified,
 #   hosts must be listed after all flags.
 #
+#   Puppet will refuse to sign a CSR that requests a `subjectAltName`
+#   extension unless you specify `--allow-subject-alt-name`.  This is required
+#   because of the critical security risks around allowing `subjectAltName`
+#   from client generated certificates.
+#
+#   To further enforce security, if `--allow-subject-alt-name` is given Puppet
+#   will refuse to sign any certificate that does not have request additional
+#   names.
+#
+#   Finally, Puppet will still enforce security policy over the
+#   `subjectAltName` field, and will refuse to allow unknown values, or
+#   wildcards, as part of the certificate.
+#
 # verbose::
 #   Enable verbosity.
 #
@@ -98,6 +115,12 @@
 #   culain.madstop.com
 #   $ puppet cert -s culain.madstop.com
 #
+#   Signing a certificate with `subjectAltName` set, which will be requested
+#   automatically when you bring up a new master in a distributed CA
+#   environment:
+#
+#   $ puppet cert --sign --allow-subject-alt-name master12.local
+#
 # = Author
 #
 # Luke Kanies
@@ -106,5 +129,3 @@
 #
 # Copyright (c) 2005 Puppet Labs, LLC
 # Licensed under the GNU Public License
-
-#Puppet::Application[:cert].run

data/lib/puppet/util/monkey_patches.rb

@@ -69,3 +69,72 @@ class Object
     end
   end
 end
+
+# Workaround for yaml_initialize, which isn't supported before Ruby
+# 1.8.3.
+if RUBY_VERSION == '1.8.1' || RUBY_VERSION == '1.8.2'
+  YAML.add_ruby_type( /^object/ ) { |tag, val|
+    type, obj_class = YAML.read_type_class( tag, Object )
+    r = YAML.object_maker( obj_class, val )
+    if r.respond_to? :yaml_initialize
+      r.instance_eval { instance_variables.each { |name| remove_instance_variable name } }
+      r.yaml_initialize(tag, val)
+    end
+    r
+  }
+end
+
+class Array
+  # Ruby < 1.8.7 doesn't have this method but we use it in tests
+  def combination(num)
+    return [] if num < 0 || num > size
+    return [[]] if num == 0
+    return map{|e| [e] } if num == 1
+    tmp = self.dup
+    self[0, size - (num - 1)].inject([]) do |ret, e|
+      tmp.shift
+      ret += tmp.combination(num - 1).map{|a| a.unshift(e) }
+    end
+  end unless method_defined? :combination
+
+  alias :count :length unless method_defined? :count
+end
+
+
+class Symbol
+  def to_proc
+    Proc.new { |*args| args.shift.__send__(self, *args) }
+  end unless method_defined? :to_proc
+end
+
+module Enumerable
+  # Use *args so we can distinguish no argument from nil.
+  def count(*args)
+    seq = 0
+    if !args.empty?
+      item = args[0]
+      each { |o| seq += 1 if item == o }
+    elsif block_given?
+      each { |o| seq += 1 if yield(o) }
+    else
+      each { seq += 1 }
+    end
+    seq
+  end unless method_defined? :count
+end
+
+class String
+  def lines(separator = $/)
+    lines = split(separator)
+    block_given? and lines.each {|line| yield line }
+    lines
+  end
+end
+
+class IO
+  def lines(separator = $/)
+    lines = split(separator)
+    block_given? and lines.each {|line| yield line }
+    lines
+  end
+end

data/lib/puppet/util/settings.rb

@@ -495,6 +495,11 @@ class Puppet::Util::Settings
     end
     type = legacy_to_mode(type, param)
     @sync.synchronize do # yay, thread-safe
+      # Allow later inspection to determine if the setting was set on the
+      # command line, or through some other code path.  Used for the
+      # `dns_alt_names` option during cert generate. --daniel 2011-10-18
+      setting.setbycli = true if type == :cli
+
       @values[type][param] = value
       @cache.clear
 

data/spec/integration/defaults_spec.rb

@@ -45,6 +45,17 @@ describe "Puppet defaults" do
     end
   end
 
+  describe "when :certdnsnames is set" do
+    it "should not fail" do
+      expect { Puppet[:certdnsnames] = 'fred:wilma' }.should_not raise_error
+    end
+
+    it "should warn the value is ignored" do
+      Puppet.expects(:warning).with {|msg| msg =~ /CVE-2011-3872/ }
+      Puppet[:certdnsnames] = 'fred:wilma'
+    end
+  end
+
   describe "when configuring the :crl" do
     it "should warn if :cacrl is set to false" do
       Puppet.expects(:warning)

data/spec/integration/network/handler_spec.rb

@@ -2,7 +2,7 @@
 
 require File.dirname(__FILE__) + '/../../spec_helper'
 
-require 'puppet/network/client'
+require 'puppet/network/handler'
 
 describe Puppet::Network::Handler do
   %w{ca filebucket fileserver master report runner status}.each do |name|

data/spec/unit/configurer_spec.rb

@@ -242,7 +242,7 @@ describe Puppet::Configurer do
       Puppet.settings[:prerun_command] = "/my/command"
       Puppet::Util.expects(:execute).with(["/my/command"]).raises(Puppet::ExecutionFailure, "Failed")
 
-      report.expects(:<<).with { |log| log.message.start_with?("Could not run command from prerun_command") }
+      report.expects(:<<).with { |log| log.message.include?("Could not run command from prerun_command") }
 
       @agent.run.should be_nil
     end
@@ -265,7 +265,7 @@ describe Puppet::Configurer do
       Puppet.settings[:postrun_command] = "/my/command"
       Puppet::Util.expects(:execute).with(["/my/command"]).raises(Puppet::ExecutionFailure, "Failed")
 
-      report.expects(:<<).with { |log| log.message.start_with?("Could not run command from postrun_command") }
+      report.expects(:<<).with { |log| log.message.include?("Could not run command from postrun_command") }
 
       @agent.run.should be_nil
     end

data/spec/unit/network/handler/ca_spec.rb

@@ -0,0 +1,86 @@
+require 'spec_helper'
+
+require 'puppet/network/handler/ca'
+
+describe Puppet::Network::Handler::CA do
+  include PuppetSpec::Files
+
+  describe "#getcert" do
+    let(:host)      { "testhost" }
+    let(:x509_name) { OpenSSL::X509::Name.new [['CN', host]] }
+    let(:key)       { Puppet::SSL::Key.new(host).generate }
+
+    let(:csr) do
+      csr = OpenSSL::X509::Request.new
+      csr.subject = x509_name
+      csr.public_key = key.public_key
+      csr
+    end
+
+    let(:ca)     { Puppet::SSL::CertificateAuthority.new }
+    let(:cacert) { ca.instance_variable_get(:@certificate) }
+
+    before :each do
+      Puppet[:confdir] = tmpdir('conf')
+
+      Puppet::SSL::CertificateAuthority.stubs(:ca?).returns true
+      Puppet::SSL::CertificateAuthority.stubs(:singleton_instance).returns ca
+    end
+
+    it "should do nothing if the master is not a CA" do
+      Puppet::SSL::CertificateAuthority.stubs(:ca?).returns false
+
+      csr = OpenSSL::X509::Request.new
+      subject.getcert(csr.to_pem).should == ''
+    end
+
+    describe "when a certificate already exists for the host" do
+      let!(:cert)    { ca.generate(host) }
+
+      it "should return the existing cert if it matches the public key of the CSR" do
+        csr.public_key = cert.content.public_key
+
+        subject.getcert(csr.to_pem).should == [cert.to_s, cacert.to_s]
+      end
+
+      it "should fail if the public key of the CSR does not match the existing cert" do
+        expect do
+          subject.getcert(csr.to_pem)
+        end.to raise_error(Puppet::Error, /Certificate request does not match existing certificate/)
+      end
+    end
+
+    describe "when autosign is enabled" do
+      before :each do
+        Puppet[:autosign] = true
+      end
+
+      it "should return the new cert and the CA cert" do
+        cert_str, cacert_str = subject.getcert(csr.to_pem)
+
+        returned_cert = Puppet::SSL::Certificate.from_s(cert_str)
+        returned_cacert = Puppet::SSL::Certificate.from_s(cacert_str)
+
+        returned_cert.name.should == host
+        returned_cacert.content.subject.cmp(cacert.content.subject).should == 0
+      end
+    end
+
+    describe "when autosign is disabled" do
+      before :each do
+        Puppet[:autosign] = false
+      end
+
+      it "should save the CSR without signing it" do
+        subject.getcert(csr.to_pem)
+
+        Puppet::SSL::Certificate.find(host).should be_nil
+        Puppet::SSL::CertificateRequest.find(host).should be_a(Puppet::SSL::CertificateRequest)
+      end
+
+      it "should not return a cert" do
+        subject.getcert(csr.to_pem).should be_nil
+      end
+    end
+  end
+end

data/spec/unit/ssl/certificate_authority/interface_spec.rb

@@ -32,13 +32,13 @@ describe Puppet::SSL::CertificateAuthority::Interface do
   end
   describe "when initializing" do
     it "should set its method using its settor" do
-      @class.any_instance.expects(:method=).with(:generate)
-      @class.new(:generate, :to => :all)
+      instance = @class.new(:generate, :to => :all)
+      instance.method.should == :generate
     end
 
     it "should set its subjects using the settor" do
-      @class.any_instance.expects(:subjects=).with(:all)
-      @class.new(:generate, :to => :all)
+      instance = @class.new(:generate, :to => :all)
+      instance.subjects.should == :all
     end
 
     it "should set the digest if given" do
@@ -54,23 +54,27 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 
   describe "when setting the method" do
     it "should set the method" do
-      @class.new(:generate, :to => :all).method.should == :generate
+      instance = @class.new(:generate, :to => :all)
+      instance.method = :list
+
+      instance.method.should == :list
     end
 
     it "should fail if the method isn't a member of the INTERFACE_METHODS array" do
-      Puppet::SSL::CertificateAuthority::Interface::INTERFACE_METHODS.expects(:include?).with(:thing).returns false
-
-      lambda { @class.new(:thing, :to => :all) }.should raise_error(ArgumentError)
+      lambda { @class.new(:thing, :to => :all) }.should raise_error(ArgumentError, /Invalid method thing to apply/)
     end
   end
 
   describe "when setting the subjects" do
     it "should set the subjects" do
-      @class.new(:generate, :to => :all).subjects.should == :all
+      instance = @class.new(:generate, :to => :all)
+      instance.subjects = :signed
+
+      instance.subjects.should == :signed
     end
 
     it "should fail if the subjects setting isn't :all or an array" do
-      lambda { @class.new(:generate, "other") }.should raise_error(ArgumentError)
+      lambda { @class.new(:generate, :to => "other") }.should raise_error(ArgumentError, /Subjects must be an array or :all; not other/)
     end
   end
 
@@ -118,8 +122,8 @@ describe Puppet::SSL::CertificateAuthority::Interface do
       it "should call :generate on the CA for each host specified" do
         @applier = @class.new(:generate, :to => %w{host1 host2})
 
-        @ca.expects(:generate).with("host1")
-        @ca.expects(:generate).with("host2")
+        @ca.expects(:generate).with("host1", {})
+        @ca.expects(:generate).with("host2", {})
 
         @applier.apply(@ca)
       end
@@ -150,15 +154,24 @@ describe Puppet::SSL::CertificateAuthority::Interface do
 
     describe ":sign" do
       describe "and an array of names was provided" do
-        before do
-          @applier = @class.new(:sign, :to => %w{host1 host2})
-        end
+        let(:applier) { @class.new(:sign, @options.merge(:to => %w{host1 host2})) }
 
         it "should sign the specified waiting certificate requests" do
-          @ca.expects(:sign).with("host1")
-          @ca.expects(:sign).with("host2")
+          @options = {:allow_dns_alt_names => false}
 
-          @applier.apply(@ca)
+          @ca.expects(:sign).with("host1", false)
+          @ca.expects(:sign).with("host2", false)
+
+          applier.apply(@ca)
+        end
+
+        it "should sign the certificate requests with alt names if specified" do
+          @options = {:allow_dns_alt_names => true}
+
+          @ca.expects(:sign).with("host1", true)
+          @ca.expects(:sign).with("host2", true)
+
+          applier.apply(@ca)
         end
       end
 
@@ -166,8 +179,8 @@ describe Puppet::SSL::CertificateAuthority::Interface do
         it "should sign all waiting certificate requests" do
           @ca.stubs(:waiting?).returns(%w{cert1 cert2})
 
-          @ca.expects(:sign).with("cert1")
-          @ca.expects(:sign).with("cert2")
+          @ca.expects(:sign).with("cert1", nil)
+          @ca.expects(:sign).with("cert2", nil)
 
           @applier = @class.new(:sign, :to => :all)
           @applier.apply(@ca)
@@ -183,63 +196,89 @@ describe Puppet::SSL::CertificateAuthority::Interface do
     end
 
     describe ":list" do
-      describe "and an empty array was provided" do
-        it "should print a string containing all certificate requests" do
-          @ca.expects(:waiting?).returns %w{host1 host2}
-          @ca.stubs(:verify)
+      before :each do
+        certish = stub('certish', :subject_alt_names => [])
+        Puppet::SSL::Certificate.indirection.stubs(:find).returns certish
+        Puppet::SSL::CertificateRequest.indirection.stubs(:find).returns certish
+
+        @ca.expects(:waiting?).returns %w{host1 host2 host3}
+        @ca.expects(:list).returns %w{host4 host5 host6}
+        @ca.stubs(:fingerprint).returns "fingerprint"
+        @ca.stubs(:verify)
+      end
 
-          @applier = @class.new(:list, :to => [])
+      describe "and an empty array was provided" do
+        it "should print all certificate requests" do
+          applier = @class.new(:list, :to => [])
 
-          @applier.expects(:puts).with "host1\nhost2"
+          applier.expects(:puts).with(<<-OUTPUT.chomp)
+  host1 (fingerprint)
+  host2 (fingerprint)
+  host3 (fingerprint)
+          OUTPUT
 
-          @applier.apply(@ca)
+          applier.apply(@ca)
         end
       end
 
       describe "and :all was provided" do
         it "should print a string containing all certificate requests and certificates" do
-          @ca.expects(:waiting?).returns %w{host1 host2}
-          @ca.expects(:list).returns %w{host3 host4}
-          @ca.stubs(:verify)
-          @ca.stubs(:fingerprint).returns "fingerprint"
-          @ca.expects(:verify).with("host3").raises(Puppet::SSL::CertificateAuthority::CertificateVerificationError.new(23), "certificate revoked")
+          @ca.stubs(:verify).with("host4").raises(Puppet::SSL::CertificateAuthority::CertificateVerificationError.new(23), "certificate revoked")
 
-          @applier = @class.new(:list, :to => :all)
+          applier = @class.new(:list, :to => :all)
 
-          @applier.expects(:puts).with "host1 (fingerprint)"
-          @applier.expects(:puts).with "host2 (fingerprint)"
-          @applier.expects(:puts).with "- host3 (fingerprint) (certificate revoked)"
-          @applier.expects(:puts).with "+ host4 (fingerprint)"
+          applier.expects(:puts).with(<<-OUTPUT.chomp)
+  host1 (fingerprint)
+  host2 (fingerprint)
+  host3 (fingerprint)
++ host5 (fingerprint)
++ host6 (fingerprint)
+- host4 (fingerprint) (certificate revoked)
+          OUTPUT
 
-          @applier.apply(@ca)
+          applier.apply(@ca)
         end
       end
 
       describe "and :signed was provided" do
         it "should print a string containing all signed certificate requests and certificates" do
-          @ca.expects(:list).returns %w{host1 host2}
+          applier = @class.new(:list, :to => :signed)
 
-          @applier = @class.new(:list, :to => :signed)
+          applier.expects(:puts).with(<<-OUTPUT.chomp)
++ host4 (fingerprint)
++ host5 (fingerprint)
++ host6 (fingerprint)
+          OUTPUT
 
-          @applier.apply(@ca)
+          applier.apply(@ca)
+        end
+
+        it "should include subject alt names if they are on the certificate request" do
+          request = stub 'request', :subject_alt_names => ["DNS:foo", "DNS:bar"]
+          Puppet::SSL::CertificateRequest.indirection.stubs(:find).returns(request)
+
+          applier = @class.new(:list, :to => ['host1'])
+
+          applier.expects(:puts).with(<<-OUTPUT.chomp)
+  host1 (fingerprint) (alt names: DNS:foo, DNS:bar)
+          OUTPUT
+
+          applier.apply(@ca)
         end
       end
 
       describe "and an array of names was provided" do
-        it "should print a string of all named hosts that have a waiting request" do
-          @ca.expects(:waiting?).returns %w{host1 host2}
-          @ca.expects(:list).returns %w{host3 host4}
-          @ca.stubs(:fingerprint).returns "fingerprint"
-          @ca.stubs(:verify)
-
-          @applier = @class.new(:list, :to => %w{host1 host2 host3 host4})
+        it "should print all named hosts" do
+          applier = @class.new(:list, :to => %w{host1 host2 host4 host5})
 
-          @applier.expects(:puts).with "host1 (fingerprint)"
-          @applier.expects(:puts).with "host2 (fingerprint)"
-          @applier.expects(:puts).with "+ host3 (fingerprint)"
-          @applier.expects(:puts).with "+ host4 (fingerprint)"
+          applier.expects(:puts).with(<<-OUTPUT.chomp)
+  host1 (fingerprint)
+  host2 (fingerprint)
++ host4 (fingerprint)
++ host5 (fingerprint)
+            OUTPUT
 
-          @applier.apply(@ca)
+          applier.apply(@ca)
         end
       end
     end