puppet 2.6.16 → 2.6.17

data/CHANGELOG

@@ -1,3 +1,16 @@
+2.6.17
+===
+554eefc Reject directory traversal in store report processor
+9607bd7 Use "inspect" when listing certificates
+0144e68 Don't allow the creation of SSL objects with invalid certnames
+dfedaa5 Validate CSR CN and provided certname before signing
+8eb0cd8 Add specs for selector terminuses of file_{content,metadata}
+828c16a Fix whitespace inside parentheses
+e7ef153 Always use the local file_bucket on master
+29ae87d Fail more gracefully when finding module files if no file is specified
+c872619 Reject file requests containing ..
+c3c7462 Add Selector terminus for file_content/file_metadata
+
 2.6.16
 ===
 65446c9 Revert "(#5246) Puppetd does not remove it's pidfile when it exits"

data/conf/redhat/puppet.spec

@@ -5,7 +5,7 @@
 %global confdir conf/redhat
 
 Name:           puppet
-Version:        2.6.13
+Version:        2.6.17
 Release:        1%{?dist}
 Summary:        A network tool for managing many disparate systems
 License:        GPLv2
@@ -253,6 +253,9 @@ fi
 rm -rf %{buildroot}
 
 %changelog
+* Mon Jul 19 2012 Moses Mendoza <moses@puppetlabs.com> - 2.6.17-1
+- Update for 2.7.17
+
 * Mon Dec 12 2011 Matthaus Litteken <matthaus@puppetlabs.com> - 2.6.13-1
 - Release of 2.6.13
 

data/lib/puppet.rb

@@ -24,7 +24,7 @@ require 'puppet/util/run_mode'
 # it's also a place to find top-level commands like 'debug'
 
 module Puppet
-  PUPPETVERSION = '2.6.16'
+  PUPPETVERSION = '2.6.17'
 
   def Puppet.version
     PUPPETVERSION

data/lib/puppet/application/master.rb

@@ -75,8 +75,6 @@ class Puppet::Application::Master < Puppet::Application
 
   def main
     require 'etc'
-    require 'puppet/file_serving/content'
-    require 'puppet/file_serving/metadata'
 
     xmlrpc_handlers = [:Status, :FileServer, :Master, :Report, :Filebucket]
 
@@ -117,7 +115,7 @@ class Puppet::Application::Master < Puppet::Application
     end
   end
 
-  def setup
+  def setup_logs
     # Handle the logging settings.
     if options[:debug] or options[:verbose]
       if options[:debug]
@@ -133,14 +131,22 @@ class Puppet::Application::Master < Puppet::Application
     end
 
     Puppet::Util::Log.newdestination(:syslog) unless options[:setdest]
+  end
 
-    exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
-
-    Puppet.settings.use :main, :master, :ssl, :metrics
+  def setup_terminuses
+    require 'puppet/file_serving/content'
+    require 'puppet/file_serving/metadata'
 
     # Cache our nodes in yaml.  Currently not configurable.
     Puppet::Node.cache_class = :yaml
 
+    Puppet::FileServing::Content.indirection.terminus_class = :file_server
+    Puppet::FileServing::Metadata.indirection.terminus_class = :file_server
+
+    Puppet::FileBucket::File.indirection.terminus_class = :file
+  end
+
+  def setup_ssl
     # Configure all of the SSL stuff.
     if Puppet::SSL::CertificateAuthority.ca?
       Puppet::SSL::Host.ca_location = :local
@@ -150,4 +156,18 @@ class Puppet::Application::Master < Puppet::Application
       Puppet::SSL::Host.ca_location = :none
     end
   end
+
+  def setup
+    raise Puppet::Error.new("Puppet master is not supported on Microsoft Windows") if Puppet.features.microsoft_windows?
+
+    setup_logs
+
+    exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
+
+    Puppet.settings.use :main, :master, :ssl, :metrics
+
+    setup_terminuses
+
+    setup_ssl
+  end
 end

data/lib/puppet/file_bucket/file.rb

@@ -8,8 +8,7 @@ class Puppet::FileBucket::File
   # There are mechanisms to save and load this file locally and remotely in puppet/indirector/filebucketfile/*
   # There is a compatibility class that emulates pre-indirector filebuckets in Puppet::FileBucket::Dipper
   extend Puppet::Indirector
-  require 'puppet/file_bucket/file/indirection_hooks'
-  indirects :file_bucket_file, :terminus_class => :file, :extend => Puppet::FileBucket::File::IndirectionHooks
+  indirects :file_bucket_file, :terminus_class => :selector
 
   attr :contents
   attr :bucket_path
@@ -42,15 +41,15 @@ class Puppet::FileBucket::File
     "#{checksum_type}/#{checksum_data}"
   end
 
-  def self.from_s( contents )
-    self.new( contents )
+  def self.from_s(contents)
+    self.new(contents)
   end
 
   def to_pson
     { "contents" => contents }.to_pson
   end
 
-  def self.from_pson( pson )
-    self.new( pson["contents"] )
+  def self.from_pson(pson)
+    self.new(pson["contents"])
   end
 end

data/lib/puppet/file_serving/configuration.rb

@@ -70,7 +70,8 @@ class Puppet::FileServing::Configuration
 
     mount_name, path = request.key.split(File::Separator, 2)
 
-    raise(ArgumentError, "Cannot find file: Invalid path '#{mount_name}'") unless mount_name =~ %r{^[-\w]+$}
+    raise(ArgumentError, "Cannot find file: Invalid mount '#{mount_name}'") unless mount_name =~ %r{^[-\w]+$}
+    raise(ArgumentError, "Cannot find file: Invalid relative path '#{path}'") if path and path.split('/').include?('..')
 
     return nil unless mount = find_mount(mount_name, request.environment)
     if mount.name == "modules" and mount_name != "modules"

data/lib/puppet/file_serving/content.rb

@@ -5,14 +5,13 @@
 require 'puppet/indirector'
 require 'puppet/file_serving'
 require 'puppet/file_serving/base'
-require 'puppet/file_serving/indirection_hooks'
 
 # A class that handles retrieving file contents.
 # It only reads the file when its content is specifically
 # asked for.
 class Puppet::FileServing::Content < Puppet::FileServing::Base
   extend Puppet::Indirector
-  indirects :file_content, :extend => Puppet::FileServing::IndirectionHooks
+  indirects :file_content, :terminus_class => :selector
 
   attr_writer :content
 

data/lib/puppet/file_serving/metadata.rb

@@ -7,7 +7,6 @@ require 'puppet/indirector'
 require 'puppet/file_serving'
 require 'puppet/file_serving/base'
 require 'puppet/util/checksums'
-require 'puppet/file_serving/indirection_hooks'
 
 # A class that handles retrieving file metadata.
 class Puppet::FileServing::Metadata < Puppet::FileServing::Base
@@ -15,7 +14,7 @@ class Puppet::FileServing::Metadata < Puppet::FileServing::Base
   include Puppet::Util::Checksums
 
   extend Puppet::Indirector
-  indirects :file_metadata, :extend => Puppet::FileServing::IndirectionHooks
+  indirects :file_metadata, :terminus_class => :selector
 
   attr_reader :path, :owner, :group, :mode, :checksum_type, :checksum, :ftype, :destination
 

data/lib/puppet/file_serving/mount/modules.rb

@@ -5,6 +5,7 @@ require 'puppet/file_serving/mount'
 class Puppet::FileServing::Mount::Modules < Puppet::FileServing::Mount
   # Return an instance of the appropriate class.
   def find(path, request)
+    raise "No module specified" if path.to_s.empty?
     module_name, relative_path = path.split("/", 2)
     return nil unless mod = request.environment.module(module_name)
 
@@ -12,11 +13,9 @@ class Puppet::FileServing::Mount::Modules < Puppet::FileServing::Mount
   end
 
   def search(path, request)
-    module_name, relative_path = path.split("/", 2)
-    return nil unless mod = request.environment.module(module_name)
-
-    return nil unless path = mod.file(relative_path)
-    [path]
+    if result = find(path, request)
+      [result]
+    end
   end
 
   def valid?

data/lib/puppet/file_serving/{indirection_hooks.rb → terminus_selector.rb}

@@ -8,11 +8,10 @@ require 'puppet/file_serving'
 # This module is used to pick the appropriate terminus
 # in file-serving indirections.  This is necessary because
 # the terminus varies based on the URI asked for.
-module Puppet::FileServing::IndirectionHooks
+module Puppet::FileServing::TerminusSelector
   PROTOCOL_MAP = {"puppet" => :rest, "file" => :file}
 
-  # Pick an appropriate terminus based on the protocol.
-  def select_terminus(request)
+  def select(request)
     # We rely on the request's parsing of the URI.
 
     # Short-circuit to :file if it's a fully-qualified path or specifies a 'file' protocol.

data/lib/puppet/indirector/file_bucket_file/selector.rb

@@ -0,0 +1,49 @@
+require 'puppet/indirector/code'
+
+module Puppet::FileBucketFile
+  class Selector < Puppet::Indirector::Code
+    desc "Select the terminus based on the request"
+
+    def select(request)
+      if request.protocol == 'https'
+        :rest
+      else
+        :file
+      end
+    end
+
+    def get_terminus(request)
+      indirection.terminus(select(request))
+    end
+
+    def head(request)
+      get_terminus(request).head(request)
+    end
+
+    def find(request)
+      get_terminus(request).find(request)
+    end
+
+    def save(request)
+      get_terminus(request).save(request)
+    end
+
+    def search(request)
+      get_terminus(request).search(request)
+    end
+
+    def destroy(request)
+      get_terminus(request).destroy(request)
+    end
+
+    def authorized?(request)
+      terminus = get_terminus(request)
+      if terminus.respond_to?(:authorized?)
+        terminus.authorized?(request)
+      else
+        true
+      end
+    end
+  end
+end
+

data/lib/puppet/indirector/file_content/selector.rb

@@ -0,0 +1,30 @@
+require 'puppet/file_serving/content'
+require 'puppet/indirector/file_content'
+require 'puppet/indirector/code'
+require 'puppet/file_serving/terminus_selector'
+
+class Puppet::Indirector::FileContent::Selector < Puppet::Indirector::Code
+  desc "Select the terminus based on the request"
+  include Puppet::FileServing::TerminusSelector
+
+  def get_terminus(request)
+    indirection.terminus(select(request))
+  end
+
+  def find(request)
+    get_terminus(request).find(request)
+  end
+
+  def search(request)
+    get_terminus(request).search(request)
+  end
+
+  def authorized?(request)
+    terminus = get_terminus(request)
+    if terminus.respond_to?(:authorized?)
+      terminus.authorized?(request)
+    else
+      true
+    end
+  end
+end

data/lib/puppet/indirector/file_metadata/selector.rb

@@ -0,0 +1,30 @@
+require 'puppet/file_serving/metadata'
+require 'puppet/indirector/file_metadata'
+require 'puppet/indirector/code'
+require 'puppet/file_serving/terminus_selector'
+
+class Puppet::Indirector::FileMetadata::Selector < Puppet::Indirector::Code
+  desc "Select the terminus based on the request"
+  include Puppet::FileServing::TerminusSelector
+
+  def get_terminus(request)
+    indirection.terminus(select(request))
+  end
+
+  def find(request)
+    get_terminus(request).find(request)
+  end
+
+  def search(request)
+    get_terminus(request).search(request)
+  end
+
+  def authorized?(request)
+    terminus = get_terminus(request)
+    if terminus.respond_to?(:authorized?)
+      terminus.authorized?(request)
+    else
+      true
+    end
+  end
+end

data/lib/puppet/reports/store.rb

@@ -1,5 +1,7 @@
 require 'puppet'
 
+SEPARATOR = [Regexp.escape(File::SEPARATOR.to_s), Regexp.escape(File::ALT_SEPARATOR.to_s)].join
+
 Puppet::Reports.register_report(:store) do
   desc "Store the yaml report on disk.  Each host sends its report as a YAML dump
     and this just stores the file on disk, in the `reportdir` directory.
@@ -11,9 +13,11 @@ Puppet::Reports.register_report(:store) do
   def process
     # We don't want any tracking back in the fs.  Unlikely, but there
     # you go.
-    client = self.host.gsub("..",".")
+    if host =~ Regexp.union(/[#{SEPARATOR}]/, /\A\.\.?\Z/)
+      raise ArgumentError, "Invalid node name #{host.inspect}"
+    end
 
-    dir = File.join(Puppet[:reportdir], client)
+    dir = File.join(Puppet[:reportdir], host)
 
     if ! FileTest.exists?(dir)
       FileUtils.mkdir_p(dir)
@@ -35,7 +39,7 @@ Puppet::Reports.register_report(:store) do
       end
     rescue => detail
       puts detail.backtrace if Puppet[:trace]
-      Puppet.warning "Could not write report for #{client} at #{file}: #{detail}"
+      Puppet.warning "Could not write report for #{host} at #{file}: #{detail}"
     end
 
     # Only testing cares about the return value

data/lib/puppet/ssl/base.rb

@@ -5,6 +5,9 @@ class Puppet::SSL::Base
   # For now, use the YAML separator.
   SEPARATOR = "\n---\n"
 
+  # Only allow printing ascii characters, excluding /
+  VALID_CERTNAME = /\A[ -.0-~]+\Z/
+
   def self.from_multiple_s(text)
     text.split(SEPARATOR).collect { |inst| from_s(inst) }
   end
@@ -22,6 +25,10 @@ class Puppet::SSL::Base
     @wrapped_class
   end
 
+  def self.validate_certname(name)
+    raise "Certname #{name.inspect} must not contain unprintable or non-ASCII characters" unless name =~ VALID_CERTNAME
+  end
+
   attr_accessor :name, :content
 
   # Is this file for the CA?
@@ -35,6 +42,7 @@ class Puppet::SSL::Base
 
   def initialize(name)
     @name = name.to_s.downcase
+    self.class.validate_certname(@name)
   end
 
   # Read content from disk appropriately.

data/lib/puppet/ssl/certificate_authority.rb

@@ -300,6 +300,16 @@ class Puppet::SSL::CertificateAuthority
       raise CertificateSigningError.new(hostname), "CSR has request extensions that are not permitted: #{names}"
     end
 
+    # Do not sign misleading CSRs
+    cn = csr.content.subject.to_a.assoc("CN")[1]
+    if hostname != cn
+      raise CertificateSigningError.new(hostname), "CSR subject common name #{cn.inspect} does not match expected certname #{hostname.inspect}"
+    end
+
+    if hostname !~ Puppet::SSL::Base::VALID_CERTNAME
+      raise CertificateSigningError.new(hostname), "CSR #{hostname.inspect} subject contains unprintable or non-ASCII characters"
+    end
+
     # Wildcards: we don't allow 'em at any point.
     #
     # The stringification here makes the content visible, and saves us having

data/lib/puppet/ssl/certificate_authority/interface.rb

@@ -88,6 +88,8 @@ module Puppet
           names = certs.values.map(&:keys).flatten
 
           name_width = names.sort_by(&:length).last.length rescue 0
+          # We quote these names, so account for those characters
+          name_width += 2
 
           output = [:request, :signed, :invalid].map do |type|
             next if certs[type].empty?
@@ -113,11 +115,11 @@ module Puppet
 
           alt_names.delete(host)
 
-          alt_str = "(alt names: #{alt_names.join(', ')})" unless alt_names.empty?
+          alt_str = "(alt names: #{alt_names.map(&:inspect).join(', ')})" unless alt_names.empty?
 
           glyph = {:signed => '+', :request => ' ', :invalid => '-'}[type]
 
-          name = host.ljust(width)
+          name = host.inspect.ljust(width)
           fingerprint = "(#{ca.fingerprint(host, @digest)})"
 
           explanation = "(#{verify_error})" if verify_error

data/lib/puppet/ssl/host.rb

@@ -206,6 +206,7 @@ class Puppet::SSL::Host
 
   def initialize(name = nil)
     @name = (name || Puppet[:certname]).downcase
+    Puppet::SSL::Base.validate_certname(@name)
     @key = @certificate = @certificate_request = nil
     @ca = (name == self.class.ca_name)
   end

data/spec/integration/file_bucket/file_spec.rb

@@ -0,0 +1,44 @@
+#!/usr/bin/env rspec
+
+require 'spec_helper'
+
+require 'puppet/file_bucket/file'
+
+describe Puppet::FileBucket::File do
+  describe "#indirection" do
+    before :each do
+      # Never connect to the network, no matter what
+      described_class.indirection.terminus(:rest).class.any_instance.stubs(:find)
+    end
+
+    describe "when running the master application" do
+      before :each do
+        Puppet::Application[:master].setup_terminuses
+      end
+
+      {
+        "md5/d41d8cd98f00b204e9800998ecf8427e" => :file,
+        "https://puppetmaster:8140/production/file_bucket_file/md5/d41d8cd98f00b204e9800998ecf8427e" => :file,
+      }.each do |key, terminus|
+        it "should use the #{terminus} terminus when requesting #{key.inspect}" do
+          described_class.indirection.terminus(terminus).class.any_instance.expects(:find)
+
+          described_class.indirection.find(key)
+        end
+      end
+    end
+
+    describe "when running another application" do
+      {
+        "md5/d41d8cd98f00b204e9800998ecf8427e" => :file,
+        "https://puppetmaster:8140/production/file_bucket_file/md5/d41d8cd98f00b204e9800998ecf8427e" => :rest,
+      }.each do |key, terminus|
+        it "should use the #{terminus} terminus when requesting #{key.inspect}" do
+          described_class.indirection.terminus(terminus).class.any_instance.expects(:find)
+
+          described_class.indirection.find(key)
+        end
+      end
+    end
+  end
+end