puppet 2.7.5 → 2.7.6

data/lib/puppet/network/handler/master.rb

@@ -1,6 +1,5 @@
 require 'openssl'
 require 'puppet'
-require 'puppet/sslcertificates'
 require 'xmlrpc/server'
 require 'yaml'
 
@@ -33,8 +32,6 @@ class Puppet::Network::Handler
 
       args[:Local] = true
 
-      @ca = (hash.include?(:CA) and hash[:CA]) ? Puppet::SSLCertificates::CA.new : nil
-
       # This is only used by the cfengine module, or if --loadclasses was
       # specified in +puppet+.
       args[:Classes] = hash[:Classes] if hash.include?(:Classes)

data/lib/puppet/network/handler/runner.rb

@@ -1,4 +1,5 @@
 require 'puppet/run'
+require 'puppet/network/handler'
 
 class Puppet::Network::Handler
   class MissingMasterError < RuntimeError; end # Cannot find the master client

data/lib/puppet/parser/scope.rb

@@ -418,6 +418,16 @@ class Puppet::Parser::Scope
     environment.known_resource_types.find_definition(namespaces, type.to_s.downcase)
   end
 
+  def method_missing(method, *args, &block)
+    method.to_s =~ /^function_(.*)$/
+    super unless $1
+    super unless Puppet::Parser::Functions.function($1)
+
+    # Calling .function(name) adds "function_#{name}" as a callable method on
+    # self if it's found, so now we can just send it
+    send(method, *args)
+  end
+
   def resolve_type_and_titles(type, titles)
     raise ArgumentError, "titles must be an array" unless titles.is_a?(Array)
 

data/lib/puppet/provider/file/posix.rb

@@ -8,15 +8,13 @@ Puppet::Type.type(:file).provide :posix do
 
   require 'etc'
 
-  def id2name(id)
-    return id.to_s if id.is_a?(Symbol)
+  def uid2name(id)
+    return id.to_s if id.is_a?(Symbol) or id.is_a?(String)
     return nil if id > Puppet[:maximum_uid].to_i
 
     begin
       user = Etc.getpwuid(id)
-    rescue TypeError
-      return nil
-    rescue ArgumentError
+    rescue TypeError, ArgumentError
       return nil
     end
 
@@ -27,33 +25,33 @@ Puppet::Type.type(:file).provide :posix do
     end
   end
 
-  def is_owner_insync?(current, should)
-    should.each do |value|
-      if value =~ /^\d+$/
-        uid = Integer(value)
-      elsif value.is_a?(String)
-        fail "Could not find user #{value}" unless uid = uid(value)
-      else
-        uid = value
-      end
-
-      return true if uid == current
-    end
+  # Determine if the user is valid, and if so, return the UID
+  def name2uid(value)
+    Integer(value) rescue uid(value) || false
+  end
 
-    unless Puppet.features.root?
-      warnonce "Cannot manage ownership unless running as root"
-      return true
+  def gid2name(id)
+    return id.to_s if id.is_a?(Symbol) or id.is_a?(String)
+    return nil if id > Puppet[:maximum_uid].to_i
+
+    begin
+      group = Etc.getgrgid(id)
+    rescue TypeError, ArgumentError
+      return nil
     end
 
-    false
+    if group.gid == ""
+      return nil
+    else
+      return group.name
+    end
   end
 
-  # Determine if the user is valid, and if so, return the UID
-  def validuser?(value)
-    Integer(value) rescue uid(value) || false
+  def name2gid(value)
+    Integer(value) rescue gid(value) || false
   end
 
-  def retrieve(resource)
+  def owner
     unless stat = resource.stat
       return :absent
     end
@@ -71,27 +69,67 @@ Puppet::Type.type(:file).provide :posix do
     currentvalue
   end
 
-  def sync(path, links, should)
+  def owner=(should)
     # Set our method appropriately, depending on links.
-    if links == :manage
+    if resource[:links] == :manage
       method = :lchown
     else
       method = :chown
     end
 
-    uid = nil
-    should.each do |user|
-      break if uid = validuser?(user)
+    begin
+      File.send(method, should, nil, resource[:path])
+    rescue => detail
+      raise Puppet::Error, "Failed to set owner to '#{should}': #{detail}"
+    end
+  end
+
+  def group
+    return :absent unless stat = resource.stat
+
+    currentvalue = stat.gid
+
+    # On OS X, files that are owned by -2 get returned as really
+    # large GIDs instead of negative ones.  This isn't a Ruby bug,
+    # it's an OS X bug, since it shows up in perl, too.
+    if currentvalue > Puppet[:maximum_uid].to_i
+      self.warning "Apparently using negative GID (#{currentvalue}) on a platform that does not consistently handle them"
+      currentvalue = :silly
     end
 
-    raise Puppet::Error, "Could not find user(s) #{should.join(",")}" unless uid
+    currentvalue
+  end
+
+  def group=(should)
+    # Set our method appropriately, depending on links.
+    if resource[:links] == :manage
+      method = :lchown
+    else
+      method = :chown
+    end
 
     begin
-      File.send(method, uid, nil, path)
+      File.send(method, nil, should, resource[:path])
     rescue => detail
-      raise Puppet::Error, "Failed to set owner to '#{uid}': #{detail}"
+      raise Puppet::Error, "Failed to set group to '#{should}': #{detail}"
+    end
+  end
+
+  def mode
+    if stat = resource.stat
+      return (stat.mode & 007777).to_s(8)
+    else
+      return :absent
     end
+  end
 
-    :file_changed
+  def mode=(value)
+    begin
+      File.chmod(value.to_i(8), resource[:path])
+    rescue => detail
+      error = Puppet::Error.new("failed to set mode #{mode} on #{resource[:path]}: #{detail.message}")
+      error.set_backtrace detail.backtrace
+      raise error
+    end
   end
 end

data/lib/puppet/provider/file/windows.rb

@@ -0,0 +1,100 @@
+Puppet::Type.type(:file).provide :windows do
+  desc "Uses Microsoft Windows functionality to manage file's users and rights."
+
+  confine :feature => :microsoft_windows
+
+  include Puppet::Util::Warnings
+
+  if Puppet.features.microsoft_windows?
+    require 'puppet/util/windows'
+    require 'puppet/util/adsi'
+    include Puppet::Util::Windows::Security
+  end
+
+  ERROR_INVALID_SID_STRUCTURE = 1337
+
+  def id2name(id)
+    # If it's a valid sid, get the name. Otherwise, it's already a name, so
+    # just return it.
+    begin
+      if string_to_sid_ptr(id)
+        name = nil
+        Puppet::Util::ADSI.execquery(
+          "SELECT Name FROM Win32_Account WHERE SID = '#{id}'
+           AND LocalAccount = true"
+        ).each { |a| name ||= a.name }
+        return name
+      end
+    rescue Puppet::Util::Windows::Error => e
+      raise unless e.code == ERROR_INVALID_SID_STRUCTURE
+    end
+
+    id
+  end
+
+  # Determine if the account is valid, and if so, return the UID
+  def name2id(value)
+    # If it's a valid sid, then return it. Else, it's a name we need to convert
+    # to sid.
+    begin
+      return value if string_to_sid_ptr(value)
+    rescue Puppet::Util::Windows::Error => e
+      raise unless e.code == ERROR_INVALID_SID_STRUCTURE
+    end
+
+    Puppet::Util::ADSI.sid_for_account(value) rescue nil
+  end
+
+  # We use users and groups interchangeably, so use the same methods for both
+  # (the type expects different methods, so we have to oblige).
+  alias :uid2name :id2name
+  alias :gid2name :id2name
+
+  alias :name2gid :name2id
+  alias :name2uid :name2id
+
+  def owner
+    return :absent unless resource.exist?
+    get_owner(resource[:path])
+  end
+
+  def owner=(should)
+    begin
+      set_owner(should, resource[:path])
+    rescue => detail
+      raise Puppet::Error, "Failed to set owner to '#{should}': #{detail}"
+    end
+  end
+
+  def group
+    return :absent unless resource.exist?
+    get_group(resource[:path])
+  end
+
+  def group=(should)
+    begin
+      set_group(should, resource[:path])
+    rescue => detail
+      raise Puppet::Error, "Failed to set group to '#{should}': #{detail}"
+    end
+  end
+
+  def mode
+    if resource.exist?
+      get_mode(resource[:path]).to_s(8)
+    else
+      :absent
+    end
+  end
+
+  def mode=(value)
+    begin
+      set_mode(value.to_i(8), resource[:path])
+    rescue => detail
+      error = Puppet::Error.new("failed to set mode #{mode} on #{resource[:path]}: #{detail.message}")
+      error.set_backtrace detail.backtrace
+      raise error
+    end
+    :file_changed
+  end
+end

data/lib/puppet/provider/group/windows_adsi.rb

@@ -35,11 +35,11 @@ Puppet::Type.type(:group).provide :windows_adsi do
   end
 
   def gid
-    nil
+    Puppet::Util::ADSI.sid_for_account(@resource[:name])
   end
 
   def gid=(value)
-    warning "No support for managing property gid of group #{@resource[:name]} on Windows"
+    fail "gid is read-only"
   end
 
   def self.instances

data/lib/puppet/provider/user/windows_adsi.rb

@@ -7,7 +7,7 @@ Puppet::Type.type(:user).provide :windows_adsi do
   confine :operatingsystem => :windows
   confine :feature => :microsoft_windows
 
-  has_features :manages_homedir
+  has_features :manages_homedir, :manages_passwords
 
   def user
     @user ||= Puppet::Util::ADSI::User.new(@resource[:name])
@@ -57,11 +57,26 @@ Puppet::Type.type(:user).provide :windows_adsi do
     user['HomeDirectory'] = value
   end
 
-  [:uid, :gid, :shell].each do |prop|
-    define_method(prop) { nil }
+  def password
+    user.password_is?( @resource[:password] ) ? @resource[:password] : :absent
+  end
 
+  def password=(value)
+    user.password = value
+  end
+
+  def uid
+    Puppet::Util::ADSI.sid_for_account(@resource[:name])
+  end
+
+  def uid=(value)
+    fail "uid is read-only"
+  end
+
+  [:gid, :shell].each do |prop|
+    define_method(prop) { nil }
     define_method("#{prop}=") do |v|
-      warning "No support for managing property #{prop} of user #{@resource[:name]} on Windows"
+      fail "No support for managing property #{prop} of user #{@resource[:name]} on Windows"
     end
   end
 

data/lib/puppet/resource.rb

@@ -355,6 +355,22 @@ class Puppet::Resource
     raise ArgumentError, "Invalid parameter #{name}" unless valid_parameter?(name)
   end
 
+  def prune_parameters(options = {})
+    properties = resource_type.properties.map(&:name)
+
+    dup.collect do |attribute, value|
+      if value.to_s.empty? or Array(value).empty?
+        delete(attribute)
+      elsif value.to_s == "absent" and attribute.to_s != "ensure"
+        delete(attribute)
+      end
+
+      parameters_to_include = options[:parameters_to_include] || []
+      delete(attribute) unless properties.include?(attribute) || parameters_to_include.include?(attribute)
+    end
+    self
+  end
+
   private
 
   # Produce a canonical method name.

data/lib/puppet/resource/catalog.rb

@@ -546,7 +546,7 @@ class Puppet::Resource::Catalog < Puppet::SimpleGraph
   def write_resource_file
     ::File.open(Puppet[:resourcefile], "w") do |f|
       to_print = resources.map do |resource|
-        next if resource.type == :component
+        next unless resource.managed?
         "#{resource.type}[#{resource[resource.name_var]}]"
       end.compact
       f.puts to_print.join("\n")

data/lib/puppet/ssl/certificate.rb

@@ -27,10 +27,10 @@ class Puppet::SSL::Certificate < Puppet::SSL::Base
     [:s]
   end
 
-  def alternate_names
+  def subject_alt_names
     alts = content.extensions.find{|ext| ext.oid == "subjectAltName"}
     return [] unless alts
-    alts.value.split(/,\s+/).map{|al| al.sub(/^DNS:/,'')}
+    alts.value.split(/\s*,\s*/)
   end
 
   def expiration

data/lib/puppet/ssl/certificate_authority.rb

@@ -11,6 +11,15 @@ require 'puppet/ssl/certificate_request'
 # it can also be seen as a general interface into all of the
 # SSL stuff.
 class Puppet::SSL::CertificateAuthority
+  # We will only sign extensions on this whitelist, ever.  Any CSR with a
+  # requested extension that we don't recognize is rejected, against the risk
+  # that it will introduce some security issue through our ignorance of it.
+  #
+  # Adding an extension to this whitelist simply means we will consider it
+  # further, not that we will always accept a certificate with an extension
+  # requested on this list.
+  RequestExtensionWhitelist = %w{subjectAltName}
+
   require 'puppet/ssl/certificate_factory'
   require 'puppet/ssl/inventory'
   require 'puppet/ssl/certificate_revocation_list'
@@ -33,6 +42,14 @@ class Puppet::SSL::CertificateAuthority
     end
   end
 
+  class CertificateSigningError < RuntimeError
+    attr_accessor :host
+
+    def initialize(host)
+      @host = host
+    end
+  end
+
   def self.ca?
     return false unless Puppet[:ca]
     return false unless Puppet.run_mode.master?
@@ -54,7 +71,6 @@ class Puppet::SSL::CertificateAuthority
   def apply(method, options)
     raise ArgumentError, "You must specify the hosts to apply to; valid values are an array or the symbol :all" unless options[:to]
     applier = Interface.new(method, options)
-
     applier.apply(self)
   end
 
@@ -110,13 +126,16 @@ class Puppet::SSL::CertificateAuthority
   end
 
   # Generate a new certificate.
-  def generate(name)
+  def generate(name, options = {})
     raise ArgumentError, "A Certificate already exists for #{name}" if Puppet::SSL::Certificate.indirection.find(name)
     host = Puppet::SSL::Host.new(name)
 
-    host.generate_certificate_request
+    # Pass on any requested subjectAltName field.
+    san = options[:dns_alt_names]
 
-    sign(name)
+    host = Puppet::SSL::Host.new(name)
+    host.generate_certificate_request(:dns_alt_names => san)
+    sign(name, !!san)
   end
 
   # Generate our CA certificate.
@@ -125,14 +144,16 @@ class Puppet::SSL::CertificateAuthority
 
     host.generate_key unless host.key
 
-    # Create a new cert request.  We do this
-    # specially, because we don't want to actually
-    # save the request anywhere.
+    # Create a new cert request.  We do this specially, because we don't want
+    # to actually save the request anywhere.
     request = Puppet::SSL::CertificateRequest.new(host.name)
+
+    # We deliberately do not put any subjectAltName in here: the CA
+    # certificate absolutely does not need them. --daniel 2011-10-13
     request.generate(host.key)
 
     # Create a self-signed certificate.
-    @certificate = sign(host.name, :ca, request)
+    @certificate = sign(host.name, false, request)
 
     # And make sure we initialize our CRL.
     crl
@@ -225,20 +246,34 @@ class Puppet::SSL::CertificateAuthority
   end
 
   # Sign a given certificate request.
-  def sign(hostname, cert_type = :server, self_signing_csr = nil)
+  def sign(hostname, allow_dns_alt_names = false, self_signing_csr = nil)
     # This is a self-signed certificate
     if self_signing_csr
+      # # This is a self-signed certificate, which is for the CA.  Since this
+      # # forces the certificate to be self-signed, anyone who manages to trick
+      # # the system into going through this path gets a certificate they could
+      # # generate anyway.  There should be no security risk from that.
       csr = self_signing_csr
+      cert_type = :ca
       issuer = csr.content
     else
+      allow_dns_alt_names = true if hostname == Puppet[:certname].downcase
       unless csr = Puppet::SSL::CertificateRequest.indirection.find(hostname)
         raise ArgumentError, "Could not find certificate request for #{hostname}"
       end
+
+      cert_type = :server
       issuer = host.certificate.content
+
+      # Make sure that the CSR conforms to our internal signing policies.
+      # This will raise if the CSR doesn't conform, but just in case...
+      check_internal_signing_policies(hostname, csr, allow_dns_alt_names) or
+        raise CertificateSigningError.new(hostname), "CSR had an unknown failure checking internal signing policies, will not sign!"
     end
 
     cert = Puppet::SSL::Certificate.new(hostname)
-    cert.content = Puppet::SSL::CertificateFactory.new(cert_type, csr.content, issuer, next_serial).result
+    cert.content = Puppet::SSL::CertificateFactory.
+      build(cert_type, csr, issuer, next_serial)
     cert.content.sign(host.key.content, OpenSSL::Digest::SHA1.new)
 
     Puppet.notice "Signed certificate request for #{hostname}"
@@ -258,6 +293,47 @@ class Puppet::SSL::CertificateAuthority
     cert
   end
 
+  def check_internal_signing_policies(hostname, csr, allow_dns_alt_names)
+    # Reject unknown request extensions.
+    unknown_req = csr.request_extensions.
+      reject {|x| RequestExtensionWhitelist.include? x["oid"] }
+
+    if unknown_req and not unknown_req.empty?
+      names = unknown_req.map {|x| x["oid"] }.sort.uniq.join(", ")
+      raise CertificateSigningError.new(hostname), "CSR has request extensions that are not permitted: #{names}"
+    end
+
+    # Wildcards: we don't allow 'em at any point.
+    #
+    # The stringification here makes the content visible, and saves us having
+    # to scrobble through the content of the CSR subject field to make sure it
+    # is what we expect where we expect it.
+    if csr.content.subject.to_s.include? '*'
+      raise CertificateSigningError.new(hostname), "CSR subject contains a wildcard, which is not allowed: #{csr.content.subject.to_s}"
+    end
+
+    unless csr.subject_alt_names.empty?
+      # If you alt names are allowed, they are required. Otherwise they are
+      # disallowed. Self-signed certs are implicitly trusted, however.
+      unless allow_dns_alt_names
+        raise CertificateSigningError.new(hostname), "CSR '#{csr.name}' contains subject alternative names (#{csr.subject_alt_names.join(', ')}), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{csr.name}` to sign this request."
+      end
+
+      # If subjectAltNames are present, validate that they are only for DNS
+      # labels, not any other kind.
+      unless csr.subject_alt_names.all? {|x| x =~ /^DNS:/ }
+        raise CertificateSigningError.new(hostname), "CSR '#{csr.name}' contains a subjectAltName outside the DNS label space: #{csr.subject_alt_names.join(', ')}.  To continue, this CSR needs to be cleaned."
+      end
+
+      # Check for wildcards in the subjectAltName fields too.
+      if csr.subject_alt_names.any? {|x| x.include? '*' }
+        raise CertificateSigningError.new(hostname), "CSR '#{csr.name}' subjectAltName contains a wildcard, which is not allowed: #{csr.subject_alt_names.join(', ')}  To continue, this CSR needs to be cleaned."
+      end
+    end
+
+    return true                 # good enough for us!
+  end
+
   # Verify a given host's certificate.
   def verify(name)
     unless cert = Puppet::SSL::Certificate.indirection.find(name)