puppet 2.6.11 → 2.6.12

data/lib/puppet/network/xmlrpc/client.rb

@@ -1,211 +0,0 @@
-require 'puppet/sslcertificates'
-require 'puppet/network/http_pool'
-require 'openssl'
-require 'puppet/external/base64'
-
-require 'xmlrpc/client'
-require 'net/https'
-require 'yaml'
-
-module Puppet::Network
-  class ClientError < Puppet::Error; end
-  class XMLRPCClientError < Puppet::Error; end
-  class XMLRPCClient < ::XMLRPC::Client
-
-    attr_accessor :puppet_server, :puppet_port
-    @clients = {}
-
-    class << self
-      include Puppet::Util
-      include Puppet::Util::ClassGen
-    end
-
-    # Create a netclient for each handler
-    def self.mkclient(handler)
-      interface = handler.interface
-      namespace = interface.prefix
-
-      # Create a subclass for every client type.  This is
-      # so that all of the methods are on their own class,
-      # so that their namespaces can define the same methods if
-      # they want.
-      constant = handler.name.to_s.capitalize
-      name = namespace.downcase
-      newclient = genclass(name, :hash => @clients, :constant => constant)
-
-      interface.methods.each { |ary|
-        method = ary[0]
-        newclient.send(:define_method,method) { |*args|
-          make_rpc_call(namespace, method, *args)
-        }
-      }
-
-      newclient
-    end
-
-    def self.handler_class(handler)
-      @clients[handler] || self.mkclient(handler)
-    end
-
-    class ErrorHandler
-      def initialize(&block)
-        singleton_class.define_method(:execute, &block)
-      end
-    end
-
-    # Use a class variable so all subclasses have access to it.
-    @@error_handlers = {}
-
-    def self.error_handler(exception)
-      if handler = @@error_handlers[exception.class]
-        return handler
-      else
-        return @@error_handlers[:default]
-      end
-    end
-
-    def self.handle_error(*exceptions, &block)
-      handler = ErrorHandler.new(&block)
-
-      exceptions.each do |exception|
-        @@error_handlers[exception] = handler
-      end
-    end
-
-    handle_error(OpenSSL::SSL::SSLError) do |client, detail, namespace, method|
-      if detail.message =~ /bad write retry/
-        Puppet.warning "Transient SSL write error; restarting connection and retrying"
-        client.recycle_connection
-        return :retry
-      end
-      ["certificate verify failed", "hostname was not match", "hostname not match"].each do |str|
-        Puppet.warning "Certificate validation failed; consider using the certname configuration option" if detail.message.include?(str)
-      end
-      raise XMLRPCClientError, "Certificates were not trusted: #{detail}"
-    end
-
-    handle_error(:default) do |client, detail, namespace, method|
-      if detail.message.to_s =~ /^Wrong size\. Was \d+, should be \d+$/
-        Puppet.warning "XMLRPC returned wrong size.  Retrying."
-        return :retry
-      end
-      Puppet.err "Could not call #{namespace}.#{method}: #{detail.inspect}"
-      error = XMLRPCClientError.new(detail.to_s)
-      error.set_backtrace detail.backtrace
-      raise error
-    end
-
-    handle_error(OpenSSL::SSL::SSLError) do |client, detail, namespace, method|
-      if detail.message =~ /bad write retry/
-        Puppet.warning "Transient SSL write error; restarting connection and retrying"
-        client.recycle_connection
-        return :retry
-      end
-      ["certificate verify failed", "hostname was not match", "hostname not match"].each do |str|
-        Puppet.warning "Certificate validation failed; consider using the certname configuration option" if detail.message.include?(str)
-      end
-      raise XMLRPCClientError, "Certificates were not trusted: #{detail}"
-    end
-
-    handle_error(::XMLRPC::FaultException) do |client, detail, namespace, method|
-      raise XMLRPCClientError, detail.faultString
-    end
-
-    handle_error(Errno::ECONNREFUSED) do |client, detail, namespace, method|
-      msg = "Could not connect to #{client.host} on port #{client.port}"
-      raise XMLRPCClientError, msg
-    end
-
-    handle_error(SocketError) do |client, detail, namespace, method|
-      Puppet.err "Could not find server #{@host}: #{detail}"
-      error = XMLRPCClientError.new("Could not find server #{client.host}")
-      error.set_backtrace detail.backtrace
-      raise error
-    end
-
-    handle_error(Errno::EPIPE, EOFError) do |client, detail, namespace, method|
-      Puppet.info "Other end went away; restarting connection and retrying"
-      client.recycle_connection
-      return :retry
-    end
-
-    handle_error(Timeout::Error) do |client, detail, namespace, method|
-      Puppet.err "Connection timeout calling #{namespace}.#{method}: #{detail}"
-      error = XMLRPCClientError.new("Connection Timeout")
-      error.set_backtrace(detail.backtrace)
-      raise error
-    end
-
-    def make_rpc_call(namespace, method, *args)
-      Puppet.debug "Calling #{namespace}.#{method}"
-      begin
-        call("#{namespace}.#{method}",*args)
-      rescue SystemExit,NoMemoryError
-        raise
-      rescue Exception => detail
-        retry if self.class.error_handler(detail).execute(self, detail, namespace, method) == :retry
-      end
-    ensure
-      http.finish if http.started?
-    end
-
-    def http
-      @http ||= Puppet::Network::HttpPool.http_instance(host, port, true)
-    end
-
-    attr_reader :host, :port
-
-    def initialize(hash = {})
-      hash[:Path] ||= "/RPC2"
-      hash[:Server] ||= Puppet[:server]
-      hash[:Port] ||= Puppet[:masterport]
-      hash[:HTTPProxyHost] ||= Puppet[:http_proxy_host]
-      hash[:HTTPProxyPort] ||= Puppet[:http_proxy_port]
-
-      if "none" == hash[:HTTPProxyHost]
-        hash[:HTTPProxyHost] = nil
-        hash[:HTTPProxyPort] = nil
-      end
-
-
-            super(
-                
-        hash[:Server],
-        hash[:Path],
-        hash[:Port],
-        hash[:HTTPProxyHost],
-        hash[:HTTPProxyPort],
-        
-        nil, # user
-        nil, # password
-        true, # use_ssl
-        Puppet[:configtimeout] # use configured timeout (#1176)
-      )
-      @http = Puppet::Network::HttpPool.http_instance(@host, @port)
-    end
-
-    # Get rid of our existing connection, replacing it with a new one.
-    # This should only happen if we lose our connection somehow (e.g., an EPIPE)
-    # or we've just downloaded certs and we need to create new http instances
-    # with the certs added.
-    def recycle_connection
-      http.finish if http.started?
-      @http = nil
-      self.http # force a new one
-    end
-
-    def start
-        @http.start unless @http.started?
-    rescue => detail
-        Puppet.err "Could not connect to server: #{detail}"
-    end
-
-    def local
-      false
-    end
-
-    def local?
-      false
-    end
-  end
-end

data/lib/puppet/sslcertificates.rb

@@ -1,146 +0,0 @@
-# The library for manipulating SSL certs.
-
-require 'puppet'
-
-raise Puppet::Error, "You must have the Ruby openssl library installed" unless Puppet.features.openssl?
-
-module Puppet::SSLCertificates
-  #def self.mkcert(type, name, dnsnames, ttl, issuercert, issuername, serial, publickey)
-  def self.mkcert(hash)
-    [:type, :name, :ttl, :issuer, :serial, :publickey].each { |param|
-      raise ArgumentError, "mkcert called without #{param}" unless hash.include?(param)
-    }
-
-    cert = OpenSSL::X509::Certificate.new
-    # Make the certificate valid as of yesterday, because
-    # so many people's clocks are out of sync.
-    from = Time.now - (60*60*24)
-
-    cert.subject = hash[:name]
-    if hash[:issuer]
-      cert.issuer = hash[:issuer].subject
-    else
-      # we're a self-signed cert
-      cert.issuer = hash[:name]
-    end
-    cert.not_before = from
-    cert.not_after = from + hash[:ttl]
-    cert.version = 2 # X509v3
-
-    cert.public_key = hash[:publickey]
-    cert.serial = hash[:serial]
-
-    basic_constraint = nil
-    key_usage = nil
-    ext_key_usage = nil
-    subject_alt_name = []
-
-    ef = OpenSSL::X509::ExtensionFactory.new
-
-    ef.subject_certificate = cert
-
-    if hash[:issuer]
-      ef.issuer_certificate = hash[:issuer]
-    else
-      ef.issuer_certificate = cert
-    end
-
-    ex = []
-    case hash[:type]
-    when :ca
-      basic_constraint = "CA:TRUE"
-      key_usage = %w{cRLSign keyCertSign}
-    when :terminalsubca
-      basic_constraint = "CA:TRUE,pathlen:0"
-      key_usage = %w{cRLSign keyCertSign}
-    when :server
-      basic_constraint = "CA:FALSE"
-      dnsnames = Puppet[:certdnsnames]
-      name = hash[:name].to_s.sub(%r{/CN=},'')
-      if dnsnames != ""
-        dnsnames.split(':').each { |d| subject_alt_name << 'DNS:' + d }
-        subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
-      elsif name == Facter.value(:fqdn) # we're a CA server, and thus probably the server
-        subject_alt_name << 'DNS:' + "puppet" # Add 'puppet' as an alias
-        subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
-        subject_alt_name << 'DNS:' + name.sub(/^[^.]+./, "puppet.") # add puppet.domain as an alias
-      end
-      key_usage = %w{digitalSignature keyEncipherment}
-      ext_key_usage = %w{serverAuth clientAuth emailProtection}
-    when :ocsp
-      basic_constraint = "CA:FALSE"
-      key_usage = %w{nonRepudiation digitalSignature}
-      ext_key_usage = %w{serverAuth OCSPSigning}
-    when :client
-      basic_constraint = "CA:FALSE"
-      key_usage = %w{nonRepudiation digitalSignature keyEncipherment}
-      ext_key_usage = %w{clientAuth emailProtection}
-      ex << ef.create_extension("nsCertType", "client,email")
-    else
-      raise Puppet::Error, "unknown cert type '#{hash[:type]}'"
-    end
-
-
-      ex << ef.create_extension(
-        "nsComment",
-
-          "Puppet Ruby/OpenSSL Generated Certificate")
-    ex << ef.create_extension("basicConstraints", basic_constraint, true)
-    ex << ef.create_extension("subjectKeyIdentifier", "hash")
-
-    ex << ef.create_extension("keyUsage", key_usage.join(",")) if key_usage
-    ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(",")) if ext_key_usage
-    ex << ef.create_extension("subjectAltName", subject_alt_name.join(",")) if ! subject_alt_name.empty?
-
-    #if @ca_config[:cdp_location] then
-    #  ex << ef.create_extension("crlDistributionPoints",
-    #                            @ca_config[:cdp_location])
-    #end
-
-    #if @ca_config[:ocsp_location] then
-    #  ex << ef.create_extension("authorityInfoAccess",
-    #                            "OCSP;" << @ca_config[:ocsp_location])
-    #end
-    cert.extensions = ex
-
-    # for some reason this _must_ be the last extension added
-    ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always") if hash[:type] == :ca
-
-    cert
-  end
-
-  def self.mkhash(dir, cert, certfile)
-    # Make sure the hash is zero-padded to 8 chars
-    hash = "%08x" % cert.issuer.hash
-    hashpath = nil
-    10.times { |i|
-      path = File.join(dir, "#{hash}.#{i}")
-      if FileTest.exists?(path)
-        if FileTest.symlink?(path)
-          dest = File.readlink(path)
-          if dest == certfile
-            # the correct link already exists
-            hashpath = path
-            break
-          else
-            next
-          end
-        else
-          next
-        end
-      end
-
-      File.symlink(certfile, path)
-
-      hashpath = path
-      break
-    }
-
-
-    hashpath
-  end
-  require 'puppet/sslcertificates/certificate'
-  require 'puppet/sslcertificates/inventory'
-  require 'puppet/sslcertificates/ca'
-end
-

data/lib/puppet/sslcertificates/ca.rb

@@ -1,375 +0,0 @@
-require 'sync'
-
-class Puppet::SSLCertificates::CA
-  include Puppet::Util::Warnings
-
-  Certificate = Puppet::SSLCertificates::Certificate
-  attr_accessor :keyfile, :file, :config, :dir, :cert, :crl
-
-  def certfile
-    @config[:cacert]
-  end
-
-  # Remove all traces of a given host.  This is kind of hackish, but, eh.
-  def clean(host)
-    host = host.downcase
-    [:csrdir, :signeddir, :publickeydir, :privatekeydir, :certdir].each do |name|
-      dir = Puppet[name]
-
-      file = File.join(dir, host + ".pem")
-
-      if FileTest.exists?(file)
-        begin
-          if Puppet[:name] == "cert"
-            puts "Removing #{file}"
-          else
-            Puppet.info "Removing #{file}"
-          end
-          File.unlink(file)
-        rescue => detail
-          raise Puppet::Error, "Could not delete #{file}: #{detail}"
-        end
-      end
-
-    end
-  end
-
-  def host2csrfile(hostname)
-    File.join(Puppet[:csrdir], [hostname.downcase, "pem"].join("."))
-  end
-
-  # this stores signed certs in a directory unrelated to
-  # normal client certs
-  def host2certfile(hostname)
-    File.join(Puppet[:signeddir], [hostname.downcase, "pem"].join("."))
-  end
-
-  # Turn our hostname into a Name object
-  def thing2name(thing)
-    thing.subject.to_a.find { |ary|
-      ary[0] == "CN"
-    }[1]
-  end
-
-  def initialize(hash = {})
-    Puppet.settings.use(:main, :ca, :ssl)
-    self.setconfig(hash)
-
-    if Puppet[:capass]
-      if FileTest.exists?(Puppet[:capass])
-        #puts "Reading #{Puppet[:capass]}"
-        #system "ls -al #{Puppet[:capass]}"
-        #File.read Puppet[:capass]
-        @config[:password] = self.getpass
-      else
-        # Don't create a password if the cert already exists
-        @config[:password] = self.genpass unless FileTest.exists?(@config[:cacert])
-      end
-    end
-
-    self.getcert
-    init_crl
-    unless FileTest.exists?(@config[:serial])
-      Puppet.settings.write(:serial) do |f|
-        f << "%04X" % 1
-      end
-    end
-  end
-
-  # Generate a new password for the CA.
-  def genpass
-    pass = ""
-    20.times { pass += (rand(74) + 48).chr }
-
-    begin
-      Puppet.settings.write(:capass) { |f| f.print pass }
-    rescue Errno::EACCES => detail
-      raise Puppet::Error, detail.to_s
-    end
-    pass
-  end
-
-  # Get the CA password.
-  def getpass
-    if @config[:capass] and File.readable?(@config[:capass])
-      return File.read(@config[:capass])
-    else
-      raise Puppet::Error, "Could not decrypt CA key with password: #{detail}"
-    end
-  end
-
-  # Get the CA cert.
-  def getcert
-    if FileTest.exists?(@config[:cacert])
-      @cert = OpenSSL::X509::Certificate.new(
-        File.read(@config[:cacert])
-      )
-    else
-      self.mkrootcert
-    end
-  end
-
-  # Retrieve a client's CSR.
-  def getclientcsr(host)
-    csrfile = host2csrfile(host)
-    return nil unless File.exists?(csrfile)
-
-    OpenSSL::X509::Request.new(File.read(csrfile))
-  end
-
-  # Retrieve a client's certificate.
-  def getclientcert(host)
-    certfile = host2certfile(host)
-    return [nil, nil] unless File.exists?(certfile)
-
-    [OpenSSL::X509::Certificate.new(File.read(certfile)), @cert]
-  end
-
-  # List certificates waiting to be signed.  This returns a list of hostnames, not actual
-  # files -- the names can be converted to full paths with host2csrfile.
-  def list(dummy_argument=:work_arround_for_ruby_GC_bug)
-    return Dir.entries(Puppet[:csrdir]).find_all { |file|
-      file =~ /\.pem$/
-    }.collect { |file|
-      file.sub(/\.pem$/, '')
-    }
-  end
-
-  # List signed certificates.  This returns a list of hostnames, not actual
-  # files -- the names can be converted to full paths with host2csrfile.
-  def list_signed(dummy_argument=:work_arround_for_ruby_GC_bug)
-    return Dir.entries(Puppet[:signeddir]).find_all { |file|
-      file =~ /\.pem$/
-    }.collect { |file|
-      file.sub(/\.pem$/, '')
-    }
-  end
-
-  # Create the root certificate.
-  def mkrootcert
-    # Make the root cert's name "Puppet CA: " plus the FQDN of the host running the CA.
-    name = "Puppet CA: #{Facter["hostname"].value}"
-    if domain = Facter["domain"].value
-      name += ".#{domain}"
-    end
-
-    cert = Certificate.new(
-      :name => name,
-      :cert => @config[:cacert],
-      :encrypt => @config[:capass],
-      :key => @config[:cakey],
-      :selfsign => true,
-      :ttl => ttl,
-      :type => :ca
-    )
-
-    # This creates the cakey file
-    Puppet::Util::SUIDManager.asuser(Puppet[:user], Puppet[:group]) do
-      @cert = cert.mkselfsigned
-    end
-    Puppet.settings.write(:cacert) do |f|
-      f.puts @cert.to_pem
-    end
-    Puppet.settings.write(:capub) do |f|
-      f.puts @cert.public_key
-    end
-    cert
-  end
-
-  def removeclientcsr(host)
-    csrfile = host2csrfile(host)
-    raise Puppet::Error, "No certificate request for #{host}" unless File.exists?(csrfile)
-
-    File.unlink(csrfile)
-  end
-
-  # Revoke the certificate with serial number SERIAL issued by this
-  # CA. The REASON must be one of the OpenSSL::OCSP::REVOKED_* reasons
-  def revoke(serial, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
-    time = Time.now
-    revoked = OpenSSL::X509::Revoked.new
-    revoked.serial = serial
-    revoked.time = time
-    enum = OpenSSL::ASN1::Enumerated(reason)
-    ext = OpenSSL::X509::Extension.new("CRLReason", enum)
-    revoked.add_extension(ext)
-    @crl.add_revoked(revoked)
-    store_crl
-  end
-
-  # Take the Puppet config and store it locally.
-  def setconfig(hash)
-    @config = {}
-    Puppet.settings.params("ca").each { |param|
-      param = param.intern if param.is_a? String
-      if hash.include?(param)
-        @config[param] = hash[param]
-        Puppet[param] = hash[param]
-        hash.delete(param)
-      else
-        @config[param] = Puppet[param]
-      end
-    }
-
-    if hash.include?(:password)
-      @config[:password] = hash[:password]
-      hash.delete(:password)
-    end
-
-    raise ArgumentError, "Unknown parameters #{hash.keys.join(",")}" if hash.length > 0
-
-    [:cadir, :csrdir, :signeddir].each { |dir|
-      raise Puppet::DevError, "#{dir} is undefined" unless @config[dir]
-    }
-  end
-
-  # Sign a given certificate request.
-  def sign(csr)
-    unless csr.is_a?(OpenSSL::X509::Request)
-      raise Puppet::Error,
-        "CA#sign only accepts OpenSSL::X509::Request objects, not #{csr.class}"
-    end
-
-    raise Puppet::Error, "CSR sign verification failed" unless csr.verify(csr.public_key)
-
-    serial = nil
-    Puppet.settings.readwritelock(:serial) { |f|
-      serial = File.read(@config[:serial]).chomp.hex
-      # increment the serial
-      f << "%04X" % (serial + 1)
-    }
-
-    newcert = Puppet::SSLCertificates.mkcert(
-      :type => :server,
-      :name => csr.subject,
-      :ttl => ttl,
-      :issuer => @cert,
-      :serial => serial,
-      :publickey => csr.public_key
-    )
-
-    sign_with_key(newcert)
-
-    self.storeclientcert(newcert)
-
-    [newcert, @cert]
-  end
-
-  # Store the client's CSR for later signing.  This is called from
-  # server/ca.rb, and the CSRs are deleted once the certificate is actually
-  # signed.
-  def storeclientcsr(csr)
-    host = thing2name(csr)
-
-    csrfile = host2csrfile(host)
-    raise Puppet::Error, "Certificate request for #{host} already exists" if File.exists?(csrfile)
-
-    Puppet.settings.writesub(:csrdir, csrfile) do |f|
-      f.print csr.to_pem
-    end
-  end
-
-  # Store the certificate that we generate.
-  def storeclientcert(cert)
-    host = thing2name(cert)
-
-    certfile = host2certfile(host)
-    Puppet.notice "Overwriting signed certificate #{certfile} for #{host}" if File.exists?(certfile)
-
-    Puppet::SSLCertificates::Inventory::add(cert)
-    Puppet.settings.writesub(:signeddir, certfile) do |f|
-      f.print cert.to_pem
-    end
-  end
-
-  # TTL for new certificates in seconds. If config param :ca_ttl is set,
-  # use that, otherwise use :ca_days for backwards compatibility
-  def ttl
-    days = @config[:ca_days]
-    if days && days.size > 0
-      warnonce "Parameter ca_ttl is not set. Using depecated ca_days instead."
-      return @config[:ca_days] * 24 * 60 * 60
-    else
-      ttl = @config[:ca_ttl]
-      if ttl.is_a?(String)
-        unless ttl =~ /^(\d+)(y|d|h|s)$/
-          raise ArgumentError, "Invalid ca_ttl #{ttl}"
-        end
-        case $2
-        when 'y'
-          unit = 365 * 24 * 60 * 60
-        when 'd'
-          unit = 24 * 60 * 60
-        when 'h'
-          unit = 60 * 60
-        when 's'
-          unit = 1
-        else
-          raise ArgumentError, "Invalid unit for ca_ttl #{ttl}"
-        end
-        return $1.to_i * unit
-      else
-        return ttl
-      end
-    end
-  end
-
-  private
-  def init_crl
-    if FileTest.exists?(@config[:cacrl])
-      @crl = OpenSSL::X509::CRL.new(
-        File.read(@config[:cacrl])
-      )
-    else
-      # Create new CRL
-      @crl = OpenSSL::X509::CRL.new
-      @crl.issuer = @cert.subject
-      @crl.version = 1
-      store_crl
-      @crl
-    end
-  end
-
-  def store_crl
-    # Increment the crlNumber
-    e = @crl.extensions.find { |e| e.oid == 'crlNumber' }
-    ext = @crl.extensions.reject { |e| e.oid == 'crlNumber' }
-    crlNum = OpenSSL::ASN1::Integer(e ? e.value.to_i + 1 : 0)
-    ext << OpenSSL::X509::Extension.new("crlNumber", crlNum)
-    @crl.extensions = ext
-
-    # Set last/next update
-    now = Time.now
-    @crl.last_update = now
-    # Keep CRL valid for 5 years
-    @crl.next_update = now + 5 * 365*24*60*60
-
-    sign_with_key(@crl)
-    Puppet.settings.write(:cacrl) do |f|
-      f.puts @crl.to_pem
-    end
-  end
-
-  def sign_with_key(signable, digest = OpenSSL::Digest::SHA1.new)
-    cakey = nil
-    if @config[:password]
-      begin
-        cakey = OpenSSL::PKey::RSA.new(
-          File.read(@config[:cakey]), @config[:password]
-        )
-      rescue
-        raise Puppet::Error,
-          "Decrypt of CA private key with password stored in @config[:capass] not possible"
-      end
-    else
-      cakey = OpenSSL::PKey::RSA.new(
-        File.read(@config[:cakey])
-      )
-    end
-
-    raise Puppet::Error, "CA Certificate is invalid" unless @cert.check_private_key(cakey)
-
-    signable.sign(cakey, digest)
-  end
-end
-