puppet 2.7.5 → 2.7.6

data/lib/puppet/defaults.rb

@@ -112,9 +112,15 @@ module Puppet
     :show_diff => [false, "Whether to print a contextual diff when files are being replaced.  The diff
       is printed on stdout, so this option is meaningless unless you are running Puppet interactively.
       This feature currently requires the `diff/lcs` Ruby library."],
-    :daemonize => { :default => true,
+    :daemonize => {
+      :default => (Puppet.features.microsoft_windows? ? false : true),
       :desc => "Send the process into the background.  This is the default.",
-      :short => "D"
+      :short => "D",
+      :hook => proc do |value|
+        if value and Puppet.features.microsoft_windows?
+          raise "Cannot daemonize on Windows"
+        end
+      end
     },
     :maximum_uid => [4294967290, "The maximum allowed UID.  Some platforms use negative UIDs
       but then ship with tools that do not know how to handle signed ints, so the UIDs show up as
@@ -210,9 +216,58 @@ module Puppet
       to the fully qualified domain name.",
       :call_on_define => true, # Call our hook with the default value, so we're always downcased
       :hook => proc { |value| raise(ArgumentError, "Certificate names must be lower case; see #1168") unless value == value.downcase }},
-    :certdnsnames => ['', "The DNS names on the Server certificate as a colon-separated list.
-      If it's anything other than an empty string, it will be used as an alias in the created
-      certificate.  By default, only the server gets an alias set up, and only for 'puppet'."],
+    :certdnsnames => {
+      :default => '',
+      :hook    => proc do |value|
+        unless value.nil? or value == '' then
+          Puppet.warning <<WARN
+The `certdnsnames` setting is no longer functional,
+after CVE-2011-3872. We ignore the value completely.
+
+For your own certificate request you can set `dns_alt_names` in the
+configuration and it will apply locally.  There is no configuration option to
+set DNS alt names, or any other `subjectAltName` value, for another nodes
+certificate.
+
+Alternately you can use the `--dns_alt_names` command line option to set the
+labels added while generating your own CSR.
+WARN
+        end
+      end,
+      :desc    => <<EOT
+The `certdnsnames` setting is no longer functional,
+after CVE-2011-3872. We ignore the value completely.
+
+For your own certificate request you can set `dns_alt_names` in the
+configuration and it will apply locally.  There is no configuration option to
+set DNS alt names, or any other `subjectAltName` value, for another nodes
+certificate.
+
+Alternately you can use the `--dns_alt_names` command line option to set the
+labels added while generating your own CSR.
+EOT
+    },
+    :dns_alt_names => {
+      :default => '',
+      :desc    => <<EOT,
+The comma-separated list of alternative DNS names to use for the local host.
+
+When the node generates a CSR for itself, these are added to the request
+as the desired `subjectAltName` in the certificate: additional DNS labels
+that the certificate is also valid answering as.
+
+This is generally required if you use a non-hostname `certname`, or if you
+want to use `puppet kick` or `puppet resource -H` and the primary certname
+does not match the DNS name you use to communicate with the host.
+
+This is unnecessary for agents, unless you intend to use them as a server for
+`puppet kick` or remote `puppet resource` management.
+
+It is rarely necessary for servers; it is usually helpful only if you need to
+have a pool of multiple load balanced masters, or for the same master to
+respond on two physically separate networks under different names.
+EOT
+    },
     :certdir => {
       :default => "$ssldir/certs",
       :owner => "service",

data/lib/puppet/face/ca.rb

@@ -124,6 +124,11 @@ Puppet::Face.define(:ca, '0.1.0') do
   end
 
   action :generate do
+    option "--dns-alt-names NAMES" do
+      summary "Additional DNS names to add to the certificate request"
+      description Puppet.settings.setting(:dns_alt_names).desc
+    end
+
     when_invoked do |host, options|
       raise "Not a CA" unless Puppet::SSL::CertificateAuthority.ca?
       unless ca = Puppet::SSL::CertificateAuthority.instance
@@ -131,7 +136,7 @@ Puppet::Face.define(:ca, '0.1.0') do
       end
 
       begin
-        ca.generate host
+        ca.generate(host, :dns_alt_names => options[:dns_alt_names])
       rescue RuntimeError => e
         if e.to_s =~ /already has a requested certificate/
           "#{host} already has a certificate request; use sign instead"
@@ -149,6 +154,10 @@ Puppet::Face.define(:ca, '0.1.0') do
   end
 
   action :sign do
+    option("--[no-]allow-dns-alt-names") do
+      summary "Whether or not to accept DNS alt names in the certificate request"
+    end
+
     when_invoked do |host, options|
       raise "Not a CA" unless Puppet::SSL::CertificateAuthority.ca?
       unless ca = Puppet::SSL::CertificateAuthority.instance
@@ -156,7 +165,7 @@ Puppet::Face.define(:ca, '0.1.0') do
       end
 
       begin
-        ca.sign host
+        ca.sign(host, options[:allow_dns_alt_names])
       rescue ArgumentError => e
         if e.to_s =~ /Could not find certificate request/
           e.to_s

data/lib/puppet/face/certificate.rb

@@ -51,10 +51,21 @@ Puppet::Indirector::Face.define(:certificate, '0.0.1') do
       $ puppet certificate generate somenode.puppetlabs.lan --ca-location remote
     EOT
 
+    # Duplicate the option here explicitly to distinguish if it was passed arg
+    # us vs. set in the config file.
+    option "--dns-alt-names NAMES" do
+      summary "Additional DNS names to add to the certificate request"
+      description Puppet.settings.setting(:dns_alt_names).desc
+    end
+
     when_invoked do |name, options|
       host = Puppet::SSL::Host.new(name)
-      host.generate_certificate_request
-      host.certificate_request.class.indirection.save(host.certificate_request)
+
+      # If dns_alt_names are specified via the command line, we will always add
+      # them. Otherwise, they will default to the config file setting iff this
+      # cert is for the host we're running on.
+
+      host.generate_certificate_request(:dns_alt_names => options[:dns_alt_names])
     end
   end
 
@@ -86,10 +97,28 @@ Puppet::Indirector::Face.define(:certificate, '0.0.1') do
       $ puppet certificate sign somenode.puppetlabs.lan --ca-location remote
     EOT
 
+    option("--[no-]allow-dns-alt-names") do
+      summary "Whether or not to accept DNS alt names in the certificate request"
+    end
+
     when_invoked do |name, options|
       host = Puppet::SSL::Host.new(name)
-      host.desired_state = 'signed'
-      Puppet::SSL::Host.indirection.save(host)
+      if options[:ca_location] == :remote
+        if options[:allow_dns_alt_names]
+          raise ArgumentError, "--allow-dns-alt-names may not be specified with a remote CA"
+        end
+
+        host.desired_state = 'signed'
+        Puppet::SSL::Host.indirection.save(host)
+      else
+        # We have to do this case manually because we need to specify
+        # allow_dns_alt_names.
+        unless ca = Puppet::SSL::CertificateAuthority.instance
+          raise ArgumentError, "This process is not configured as a certificate authority"
+        end
+
+        ca.sign(name, options[:allow_dns_alt_names])
+      end
     end
   end
 

data/lib/puppet/file_serving/fileset.rb

@@ -61,7 +61,7 @@ class Puppet::FileServing::Fileset
     else
       path = path.chomp(File::SEPARATOR) unless path == File::SEPARATOR
     end
-    raise ArgumentError.new("Fileset paths must be fully qualified: #{path}") unless File.expand_path(path) == path
+    raise ArgumentError.new("Fileset paths must be fully qualified: #{path}") unless Puppet::Util.absolute_path?(path)
 
     @path = path
 

data/lib/puppet/file_serving/indirection_hooks.rb

@@ -1,5 +1,6 @@
 require 'uri'
 require 'puppet/file_serving'
+require 'puppet/util'
 
 # This module is used to pick the appropriate terminus
 # in file-serving indirections.  This is necessary because
@@ -12,8 +13,7 @@ module Puppet::FileServing::IndirectionHooks
     # We rely on the request's parsing of the URI.
 
     # Short-circuit to :file if it's a fully-qualified path or specifies a 'file' protocol.
-    return PROTOCOL_MAP["file"] if request.key =~ /^#{::File::SEPARATOR}/
-    return PROTOCOL_MAP["file"] if request.key =~ /^[a-z]:[\/\\]/i
+    return PROTOCOL_MAP["file"] if Puppet::Util.absolute_path?(request.key)
     return PROTOCOL_MAP["file"] if request.protocol == "file"
 
     # We're heading over the wire the protocol is 'puppet' and we've got a server name or we're not named 'apply' or 'puppet'

data/lib/puppet/file_serving/metadata.rb

@@ -37,16 +37,55 @@ class Puppet::FileServing::Metadata < Puppet::FileServing::Base
     @checksum_type = type
   end
 
+  class MetaStat
+    extend Forwardable
+
+    def initialize(stat)
+      @stat = stat
+    end
+
+    def_delegator :@stat, :uid, :owner
+    def_delegator :@stat, :gid, :group
+    def_delegators :@stat, :mode, :ftype
+  end
+
+  class WindowsStat < MetaStat
+    if Puppet.features.microsoft_windows?
+      require 'puppet/util/windows/security'
+    end
+
+    def initialize(stat, path)
+      super(stat)
+      @path = path
+    end
+
+    [:owner, :group, :mode].each do |method|
+      define_method method do
+        Puppet::Util::Windows::Security.send("get_#{method}", @path)
+      end
+    end
+  end
+
+  def collect_stat(path)
+    stat = stat()
+
+    if Puppet.features.microsoft_windows?
+      WindowsStat.new(stat, path)
+    else
+      MetaStat.new(stat)
+    end
+  end
+
   # Retrieve the attributes for this file, relative to a base directory.
   # Note that File.stat raises Errno::ENOENT if the file is absent and this
   # method does not catch that exception.
   def collect
     real_path = full_path
-    stat = stat()
-    @owner = stat.uid
-    @group = stat.gid
-    @ftype = stat.ftype
 
+    stat = collect_stat(real_path)
+    @owner = stat.owner
+    @group = stat.group
+    @ftype = stat.ftype
 
     # We have to mask the mode, yay.
     @mode = stat.mode & 007777

data/lib/puppet/indirector.rb

@@ -49,7 +49,6 @@ module Puppet::Indirector
     attr_reader :indirection
   end
 
-
   # Helper definition for indirections that handle filenames.
   BadNameRegexp = Regexp.union(/^\.\./,
                                %r{[\\/]},

data/lib/puppet/indirector/request.rb

@@ -76,9 +76,8 @@ class Puppet::Indirector::Request
       # because it rewrites the key.  We could otherwise strip server/port/etc
       # info out in the REST class, but it seemed bad design for the REST
       # class to rewrite the key.
-      if key.to_s =~ /^[a-z]:[\/\\]/i # It's an absolute path for Windows.
-        @key = key
-      elsif key.to_s =~ /^\w+:\/\// # it's a URI
+
+      if key.to_s =~ /^\w+:\// and not Puppet::Util.absolute_path?(key.to_s) # it's a URI
         set_uri_key(key)
       else
         @key = key
@@ -173,7 +172,7 @@ class Puppet::Indirector::Request
 
     # Just short-circuit these to full paths
     if uri.scheme == "file"
-      @key = URI.unescape(uri.path)
+      @key = Puppet::Util.uri_to_path(uri)
       return
     end
 

data/lib/puppet/indirector/resource/active_record.rb

@@ -16,9 +16,8 @@ class Puppet::Resource::ActiveRecord < Puppet::Indirector::ActiveRecord
 
   private
   def request_to_type_name(request)
-    name = request.key.split('/', 2)[0]
-    type = Puppet::Type.type(name) or raise Puppet::Error, "Could not find type #{name}"
-    type.name
+    request.key.split('/', 2)[0] or
+      raise "No key found in the request, failing: #{request.inspect}"
   end
 
   def filter_to_active_record(filter)
@@ -59,13 +58,7 @@ class Puppet::Resource::ActiveRecord < Puppet::Indirector::ActiveRecord
     raise Puppet::DevError, "Cannot collect resources for a nil host" unless host
 
     search = "(exported=? AND restype=?)"
-    # Some versions of ActiveRecord just to_s a symbol, which our type is, but
-    # others preserve the symbol-nature, which causes our storage (string) and
-    # query (symbol) to mismatch.  So, manually stringify. --daniel 2011-09-08
-    #
-    # Also, PostgreSQL is case sensitive; we need to make sure our type name
-    # here matches what we inject. --daniel 2011-09-30
-    arguments = [true, type.to_s.capitalize]
+    arguments = [true, type]
 
     if filter then
       sql, values = filter_to_active_record(filter)

data/lib/puppet/indirector/resource/ral.rb

@@ -27,9 +27,9 @@ class Puppet::Resource::Ral < Puppet::Indirector::Code
 
     catalog = Puppet::Resource::Catalog.new
     catalog.add_resource ral_res
-    catalog.apply
+    transaction = catalog.apply
 
-    ral_res.to_resource
+    [ral_res.to_resource, transaction.report]
   end
 
   private

data/lib/puppet/indirector/rest.rb

@@ -98,7 +98,7 @@ class Puppet::Indirector::REST < Puppet::Indirector::Terminus
     elsif error.message.include? "hostname was not match"
       raise unless cert = peer_certs.find { |c| c.name !~ /^puppet ca/i }
 
-      valid_certnames = [cert.name, *cert.alternate_names].uniq
+      valid_certnames = [cert.name, *cert.subject_alt_names].uniq
       msg = valid_certnames.length > 1 ? "one of #{valid_certnames.join(', ')}" : valid_certnames.first
 
       raise Puppet::Error, "Server hostname '#{http_connection.address}' did not match server certificate; expected #{msg}"

data/lib/puppet/network/handler/ca.rb

@@ -1,10 +1,7 @@
 require 'openssl'
 require 'puppet'
-require 'puppet/sslcertificates'
 require 'xmlrpc/server'
-
-# Much of this was taken from QuickCert:
-#   http://segment7.net/projects/ruby/QuickCert/
+require 'puppet/network/handler'
 
 class Puppet::Network::Handler
   class CA < Handler
@@ -18,73 +15,17 @@ class Puppet::Network::Handler
       iface.add_method("array getcert(csr)")
     }
 
-    def autosign
-      if defined?(@autosign)
-        @autosign
-      else
-        Puppet[:autosign]
-      end
-    end
-
-    # FIXME autosign? should probably accept both hostnames and IP addresses
-    def autosign?(hostname)
-      # simple values are easy
-      if autosign == true or autosign == false
-        return autosign
-      end
-
-      # we only otherwise know how to handle files
-      unless autosign =~ /^\//
-        raise Puppet::Error, "Invalid autosign value #{autosign.inspect}"
-      end
-
-      unless FileTest.exists?(autosign)
-        unless defined?(@@warnedonautosign)
-          @@warnedonautosign = true
-          Puppet.info "Autosign is enabled but #{autosign} is missing"
-        end
-        return false
-      end
-      auth = Puppet::Network::AuthStore.new
-      File.open(autosign) { |f|
-        f.each { |line|
-          next if line =~ /^\s*#/
-          next if line =~ /^\s*$/
-          auth.allow(line.chomp)
-        }
-      }
-
-      # for now, just cheat and pass a fake IP address to allowed?
-      auth.allowed?(hostname, "127.1.1.1")
-    end
-
     def initialize(hash = {})
       Puppet.settings.use(:main, :ssl, :ca)
-      @autosign = hash[:autosign] if hash.include? :autosign
 
-      @ca = Puppet::SSLCertificates::CA.new(hash)
+      @ca = Puppet::SSL::CertificateAuthority.instance
     end
 
     # our client sends us a csr, and we either store it for later signing,
     # or we sign it right away
     def getcert(csrtext, client = nil, clientip = nil)
-      csr = OpenSSL::X509::Request.new(csrtext)
-
-      # Use the hostname from the CSR, not from the network.
-      subject = csr.subject
-
-      nameary = subject.to_a.find { |ary|
-        ary[0] == "CN"
-      }
-
-      if nameary.nil?
-        Puppet.err(
-          "Invalid certificate request: could not retrieve server name"
-        )
-        return "invalid"
-      end
-
-      hostname = nameary[1]
+      csr = Puppet::SSL::CertificateRequest.from_s(csrtext)
+      hostname = csr.name
 
       unless @ca
         Puppet.notice "Host #{hostname} asked for signing from non-CA master"
@@ -93,57 +34,26 @@ class Puppet::Network::Handler
 
       # We used to save the public key, but it's basically unnecessary
       # and it mucks with the permissions requirements.
-      # save_pk(hostname, csr.public_key)
-
-      certfile = File.join(Puppet[:certdir], [hostname, "pem"].join("."))
 
       # first check to see if we already have a signed cert for the host
-      cert, cacert = ca.getclientcert(hostname)
-      if cert and cacert
+      cert = Puppet::SSL::Certificate.indirection.find(hostname)
+      cacert = Puppet::SSL::Certificate.indirection.find(@ca.host.name)
+
+      if cert
         Puppet.info "Retrieving existing certificate for #{hostname}"
-        unless csr.public_key.to_s == cert.public_key.to_s
+        unless csr.content.public_key.to_s == cert.content.public_key.to_s
           raise Puppet::Error, "Certificate request does not match existing certificate; run 'puppetca --clean #{hostname}'."
         end
-        return [cert.to_pem, cacert.to_pem]
-      elsif @ca
-        if self.autosign?(hostname) or client.nil?
-          Puppet.info "Signing certificate for CA server" if client.nil?
-          # okay, we don't have a signed cert
-          # if we're a CA and autosign is turned on, then go ahead and sign
-          # the csr and return the results
-          Puppet.info "Signing certificate for #{hostname}"
-          cert, cacert = @ca.sign(csr)
-          #Puppet.info "Cert: #{cert.class}; Cacert: #{cacert.class}"
-          return [cert.to_pem, cacert.to_pem]
-        else # just write out the csr for later signing
-          if @ca.getclientcsr(hostname)
-            Puppet.info "Not replacing existing request from #{hostname}"
-          else
-            Puppet.notice "Host #{hostname} has a waiting certificate request"
-            @ca.storeclientcsr(csr)
-          end
-          return ["", ""]
-        end
+        [cert.to_s, cacert.to_s]
       else
-        raise "huh?"
-      end
-    end
+        Puppet::SSL::CertificateRequest.indirection.save(csr)
 
-    private
-
-    # Save the public key.
-    def save_pk(hostname, public_key)
-      pkeyfile = File.join(Puppet[:publickeydir], [hostname, "pem"].join('.'))
-
-      if FileTest.exists?(pkeyfile)
-        currentkey = File.open(pkeyfile) { |k| k.read }
-        unless currentkey == public_key.to_s
-          raise Puppet::Error, "public keys for #{hostname} differ"
+        # We determine whether we signed the csr by checking if there's a certificate for it
+        if cert = Puppet::SSL::Certificate.indirection.find(hostname)
+          [cert.to_s, cacert.to_s]
+        else
+          nil
         end
-      else
-        File.open(pkeyfile, "w", 0644) { |f|
-          f.print public_key.to_s
-        }
       end
     end
   end