puppet 3.0.0.rc5 → 3.0.0.rc7

data/lib/puppet/indirector/certificate/disabled_ca.rb

@@ -0,0 +1,22 @@
+require 'puppet/indirector/code'
+require 'puppet/ssl/certificate'
+
+class Puppet::SSL::Certificate::DisabledCa < Puppet::Indirector::Code
+  desc "Manage SSL certificates on disk, but reject any remote access
+to the SSL data store.  Used when a master has an explicitly disabled
+CA to prevent clients getting confusing 'success' behaviour."
+
+  def initialize
+    @file = Puppet::SSL::Certificate.indirection.terminus(:file)
+  end
+
+  [:find, :head, :search, :save, :destroy].each do |name|
+    define_method(name) do |request|
+      if request.remote?
+        raise Puppet::Error, "this master is not a CA"
+      else
+        @file.send(name, request)
+      end
+    end
+  end
+end

data/lib/puppet/indirector/certificate_request/disabled_ca.rb

@@ -0,0 +1,22 @@
+require 'puppet/indirector/code'
+require 'puppet/ssl/certificate_request'
+
+class Puppet::SSL::CertificateRequest::DisabledCa < Puppet::Indirector::Code
+  desc "Manage SSL certificate requests on disk, but reject any remote access
+to the SSL data store. Used when a master has an explicitly disabled CA to
+prevent clients getting confusing 'success' behaviour."
+
+  def initialize
+    @file = Puppet::SSL::CertificateRequest.indirection.terminus(:file)
+  end
+
+  [:find, :head, :search, :save, :destroy].each do |name|
+    define_method(name) do |request|
+      if request.remote?
+        raise Puppet::Error, "this master is not a CA"
+      else
+        @file.send(name, request)
+      end
+    end
+  end
+end

data/lib/puppet/indirector/certificate_revocation_list/disabled_ca.rb

@@ -0,0 +1,22 @@
+require 'puppet/indirector/code'
+require 'puppet/ssl/certificate_revocation_list'
+
+class Puppet::SSL::CertificateRevocationList::DisabledCa < Puppet::Indirector::Code
+  desc "Manage SSL certificate revocation lists, but reject any remote access
+to the SSL data store. Used when a master has an explicitly disabled CA to
+prevent clients getting confusing 'success' behaviour."
+
+  def initialize
+    @file = Puppet::SSL::CertificateRevocationList.indirection.terminus(:file)
+  end
+
+  [:find, :head, :search, :save, :destroy].each do |name|
+    define_method(name) do |request|
+      if request.remote?
+        raise Puppet::Error, "this master is not a CA"
+      else
+        @file.send(name, request)
+      end
+    end
+  end
+end

data/lib/puppet/indirector/face.rb

@@ -51,11 +51,11 @@ class Puppet::Indirector::Face < Puppet::Face
 
   option "--extra HASH" do
     summary "Extra arguments to pass to the indirection request"
-    description <<-end
+    description <<-EOT
       A terminus can take additional arguments to refine the operation, which
       are passed as an arbitrary hash to the back-end.  Anything passed as
       the extra value is just send direct to the back-end.
-    end
+    EOT
     default_to do Hash.new end
   end
 
@@ -94,7 +94,7 @@ class Puppet::Indirector::Face < Puppet::Face
     description <<-EOT
       Prints the default terminus class for this subcommand. Note that different
       run modes may have different default termini; when in doubt, specify the
-      run mode with the '--mode' option.
+      run mode with the '--run_mode' option.
     EOT
 
     when_invoked do |options|

data/lib/puppet/indirector/facts/active_record.rb

@@ -6,6 +6,11 @@ require 'puppet/indirector/active_record'
 class Puppet::Node::Facts::ActiveRecord < Puppet::Indirector::ActiveRecord
   use_ar_model Puppet::Rails::Host
 
+  def initialize
+    Puppet.deprecation_warning "ActiveRecord-based storeconfigs and inventory are deprecated. See http://links.puppetlabs.com/activerecord-deprecation"
+    super
+  end
+
   # Find the Rails host and pull its facts as a Facts instance.
   def find(request)
     return nil unless host = ar_model.find_by_name(request.key, :include => {:fact_values => :fact_name})

data/lib/puppet/indirector/facts/facter.rb

@@ -1,10 +1,7 @@
 require 'puppet/node/facts'
 require 'puppet/indirector/code'
-require 'puppet/util/config_timeout'
 
 class Puppet::Node::Facts::Facter < Puppet::Indirector::Code
-  extend Puppet::Util::ConfigTimeout
-
   desc "Retrieve facts from Facter.  This provides a somewhat abstract interface
     between Puppet and Facter.  It's only `somewhat` abstract because it always
     returns the local host's facts, regardless of what you attempt to find."
@@ -35,7 +32,7 @@ class Puppet::Node::Facts::Facter < Puppet::Indirector::Code
         fqfile = ::File.join(dir, file)
         begin
           Puppet.info "Loading facts in #{fqfile}"
-          ::Timeout::timeout(self.timeout_interval) do
+          ::Timeout::timeout(Puppet[:configtimeout]) do
             load file
           end
         rescue SystemExit,NoMemoryError

data/lib/puppet/indirector/facts/inventory_active_record.rb

@@ -5,6 +5,12 @@ require 'puppet/indirector/active_record'
 require 'puppet/util/retryaction'
 
 class Puppet::Node::Facts::InventoryActiveRecord < Puppet::Indirector::ActiveRecord
+
+  def initialize
+    Puppet.deprecation_warning "ActiveRecord-based storeconfigs and inventory are deprecated. See http://links.puppetlabs.com/activerecord-deprecation"
+    super
+  end
+
   def find(request)
     node = Puppet::Rails::InventoryNode.find_by_name(request.key)
     return nil unless node

data/lib/puppet/indirector/file_bucket_file/file.rb

@@ -67,9 +67,10 @@ module Puppet::FileBucketFile
       dir_path = path_for(bucket_file.bucket_path, bucket_file.checksum_data)
       paths_path = ::File.join(dir_path, 'paths')
 
-      # If the file already exists, do nothing.
+      # If the file already exists, touch it.
       if ::File.exist?(filename)
         verify_identical_file!(bucket_file)
+        ::FileUtils.touch(filename)
       else
         # Make the directories if necessary.
         unless ::File.directory?(dir_path)

data/lib/puppet/indirector/indirection.rb

@@ -72,7 +72,7 @@ class Puppet::Indirector::Indirection
 
   # Default to the runinterval for the ttl.
   def ttl
-    @ttl ||= Puppet[:runinterval].to_i
+    @ttl ||= Puppet[:runinterval]
   end
 
   # Calculate the expiration date for a returned instance.
@@ -133,7 +133,7 @@ class Puppet::Indirector::Indirection
   def terminus_class
     unless @terminus_class
       if setting = self.terminus_setting
-        self.terminus_class = Puppet.settings[setting].to_sym
+        self.terminus_class = Puppet.settings[setting]
       else
         raise Puppet::DevError, "No terminus class nor terminus setting was provided for indirection #{self.name}"
       end

data/lib/puppet/indirector/key/disabled_ca.rb

@@ -0,0 +1,22 @@
+require 'puppet/indirector/code'
+require 'puppet/ssl/key'
+
+class Puppet::SSL::Key::DisabledCa < Puppet::Indirector::Code
+  desc "Manage the CA private key, but reject any remote access
+to the SSL data store. Used when a master has an explicitly disabled CA to
+prevent clients getting confusing 'success' behaviour."
+
+  def initialize
+    @file = Puppet::SSL::Key.indirection.terminus(:file)
+  end
+
+  [:find, :head, :search, :save, :destroy].each do |name|
+    define_method(name) do |request|
+      if request.remote?
+        raise Puppet::Error, "this master is not a CA"
+      else
+        @file.send(name, request)
+      end
+    end
+  end
+end

data/lib/puppet/indirector/node/active_record.rb

@@ -5,6 +5,11 @@ require 'puppet/node'
 class Puppet::Node::ActiveRecord < Puppet::Indirector::ActiveRecord
   use_ar_model Puppet::Rails::Host
 
+  def initialize
+    Puppet.deprecation_warning "ActiveRecord-based storeconfigs and inventory are deprecated. See http://links.puppetlabs.com/activerecord-deprecation"
+    super
+  end
+
   def find(request)
     node = super
     node.environment = request.environment

data/lib/puppet/indirector/request.rb

@@ -216,6 +216,10 @@ class Puppet::Indirector::Request
     return yield(self)
   end
 
+  def remote?
+    self.node or self.ip
+  end
+
   private
 
   def set_attributes(options)

data/lib/puppet/indirector/resource/active_record.rb

@@ -1,6 +1,11 @@
 require 'puppet/indirector/active_record'
 
 class Puppet::Resource::ActiveRecord < Puppet::Indirector::ActiveRecord
+  def initialize
+    Puppet.deprecation_warning "ActiveRecord-based storeconfigs and inventory are deprecated. See http://links.puppetlabs.com/activerecord-deprecation"
+    super
+  end
+
   def search(request)
     type   = request_to_type_name(request)
     host   = request.options[:host]

data/lib/puppet/network/authentication.rb

@@ -0,0 +1,30 @@
+require 'puppet/ssl/certificate_authority'
+require 'puppet/util/log/rate_limited_logger'
+
+# Place for any authentication related bits
+module Puppet::Network::Authentication
+  # Create a rate-limited logger for the expiration warning that uses the run interval
+  # as the minimum amount of time before a warning about the same cert can be logged again.
+  # This is a class variable so that all classes that include the module share the same logger.
+  @@logger = Puppet::Util::Log::RateLimitedLogger.new(Puppet[:runinterval])
+
+  # Check the expiration of known certificates and optionally any that are specified as part of a request
+  def warn_if_near_expiration(*certs)
+    # Check CA cert if we're functioning as a CA
+    certs << Puppet::SSL::CertificateAuthority.instance.host.certificate if Puppet::SSL::CertificateAuthority.ca?
+
+    # Always check the host cert if we have one, this will be the agent or master cert depending on the run mode
+    certs << Puppet::SSL::Host.localhost.certificate if FileTest.exist?(Puppet[:hostcert])
+
+    # Remove nil values for caller convenience
+    certs.compact.each do |cert|
+      # Allow raw OpenSSL certificate instances or Puppet certificate wrappers to be specified
+      cert = Puppet::SSL::Certificate.from_instance(cert) if cert.is_a?(OpenSSL::X509::Certificate)
+      raise ArgumentError, "Invalid certificate '#{cert.inspect}'" unless cert.is_a?(Puppet::SSL::Certificate)
+
+      if cert.near_expiration?
+        @@logger.warning("Certificate '#{cert.unmunged_name}' will expire on #{cert.expiration.strftime('%Y-%m-%dT%H:%M:%S%Z')}")
+      end
+    end
+  end
+end

data/lib/puppet/network/http.rb

@@ -1,15 +1,2 @@
 module Puppet::Network::HTTP
-  def self.server_class_by_type(kind)
-    case kind.to_sym
-    when :webrick
-      require 'puppet/network/http/webrick'
-      return Puppet::Network::HTTP::WEBrick
-    when :mongrel
-      raise ArgumentError, "Mongrel is not installed on this platform" unless Puppet.features.mongrel?
-      require 'puppet/network/http/mongrel'
-      return Puppet::Network::HTTP::Mongrel
-    else
-      raise ArgumentError, "Unknown HTTP server name [#{kind}]"
-    end
-  end
 end

data/lib/puppet/network/http/connection.rb

@@ -1,6 +1,7 @@
 require 'net/https'
 require 'puppet/ssl/host'
 require 'puppet/ssl/configuration'
+require 'puppet/network/authentication'
 
 module Puppet::Network::HTTP
 
@@ -14,6 +15,7 @@ module Puppet::Network::HTTP
   # * Provides some useful error handling for any SSL errors that occur
   #   during a request.
   class Connection
+    include Puppet::Network::Authentication
 
     def initialize(host, port, use_ssl = true)
       @host = host
@@ -50,7 +52,7 @@ module Puppet::Network::HTTP
         # constructing the error message if the verification failed.
         # This is necessary since we don't have direct access to the
         # cert that we expected the connection to use otherwise.
-        peer_certs << Puppet::SSL::Certificate.from_s(ssl_context.current_cert.to_pem)
+        peer_certs << Puppet::SSL::Certificate.from_instance(ssl_context.current_cert)
         # And also keep the detailed verification error if such an error occurs
         if ssl_context.error_string and not preverify_ok
           verify_errors << "#{ssl_context.error_string} for #{ssl_context.current_cert.subject}"
@@ -58,7 +60,13 @@ module Puppet::Network::HTTP
         preverify_ok
       end
 
-      connection.send(method, *args)
+      response = connection.send(method, *args)
+
+      # Now that the request completed successfully, lets check the involved
+      # certificates for approaching expiration dates
+      warn_if_near_expiration(*peer_certs)
+
+      response
     rescue OpenSSL::SSL::SSLError => error
       if error.message.include? "certificate verify failed"
         msg = error.message

data/lib/puppet/network/http/handler.rb

@@ -3,12 +3,14 @@ end
 
 require 'puppet/network/http/api/v1'
 require 'puppet/network/authorization'
+require 'puppet/network/authentication'
 require 'puppet/network/rights'
 require 'resolv'
 
 module Puppet::Network::HTTP::Handler
   include Puppet::Network::HTTP::API::V1
   include Puppet::Network::Authorization
+  include Puppet::Network::Authentication
 
   attr_reader :server, :handler
 
@@ -64,6 +66,7 @@ module Puppet::Network::HTTP::Handler
     indirection, method, key, params = uri2indirection(http_method(request), path(request), params(request))
 
     check_authorization(indirection, method, key, params)
+    warn_if_near_expiration(client_cert(request))
 
     send("do_#{method}", indirection, key, params, request, response)
   rescue SystemExit,NoMemoryError
@@ -216,6 +219,11 @@ module Puppet::Network::HTTP::Handler
     raise NotImplementedError
   end
 
+  # Retrieve the client certificate from the request if possible
+  def client_cert(request)
+    raise NotImplementedError
+  end
+
   def decode_params(params)
     params.inject({}) do |result, ary|
       param, value = ary

data/lib/puppet/network/http/mongrel/rest.rb

@@ -51,6 +51,11 @@ class Puppet::Network::HTTP::MongrelREST < Mongrel::HttpHandler
     body
   end
 
+  # There is no standard way of retrieving the client certificate since it is completely
+  # dictated by the web server environment; this is a stub to prevent a NotImplementedError
+  def client_cert(request)
+  end
+
   def set_content_type(response, format)
     response.header['Content-Type'] = format_to_mime(format)
   end

data/lib/puppet/network/http/rack/rest.rb

@@ -79,6 +79,13 @@ class Puppet::Network::HTTP::RackREST < Puppet::Network::HTTP::RackHttpHandler
     request.body.read
   end
 
+  def client_cert(request)
+    # This environment variable is set by mod_ssl, note that it
+    # requires the `+ExportCertData` option in the `SSLOptions` directive
+    return nil unless cert = request.env['SSL_CLIENT_CERT']
+    OpenSSL::X509::Certificate.new(cert)
+  end
+
   def extract_client_info(request)
     result = {}
     result[:ip] = request.ip

data/lib/puppet/network/http/webrick.rb

@@ -8,16 +8,13 @@ require 'puppet/ssl/certificate_revocation_list'
 require 'puppet/ssl/configuration'
 
 class Puppet::Network::HTTP::WEBrick
-  def initialize(args = {})
+  def initialize
     @listening = false
     @mutex = Mutex.new
   end
 
-  def listen(args = {})
-    raise ArgumentError, ":address must be specified." unless args[:address]
-    raise ArgumentError, ":port must be specified." unless args[:port]
-
-    arguments = {:BindAddress => args[:address], :Port => args[:port]}
+  def listen(address, port)
+    arguments = {:BindAddress => address, :Port => port}
     arguments.merge!(setup_logger)
     arguments.merge!(setup_ssl)
 

data/lib/puppet/network/http/webrick/rest.rb

@@ -44,6 +44,10 @@ class Puppet::Network::HTTP::WEBrickREST < WEBrick::HTTPServlet::AbstractServlet
     request.body
   end
 
+  def client_cert(request)
+    request.client_cert
+  end
+
   # Set the specified format as the content type of the response.
   def set_content_type(response, format)
     response["content-type"] = format_to_mime(format)

data/lib/puppet/network/server.rb

@@ -1,8 +1,9 @@
 require 'puppet/network/http'
 require 'puppet/util/pidlock'
+require 'puppet/network/http/webrick'
 
 class Puppet::Network::Server
-  attr_reader :server_type, :address, :port
+  attr_reader :address, :port
 
   # TODO: does anything actually call this?  It seems like it's a duplicate of
   # the code in Puppet::Daemon, but that it's not actually called anywhere.
@@ -45,19 +46,14 @@ class Puppet::Network::Server
     Puppet[:pidfile]
   end
 
-  def initialize(args = {})
-    valid_args = [:handlers, :port]
-    bad_args = args.keys.find_all { |p| ! valid_args.include?(p) }.collect { |p| p.to_s }.join(",")
-    raise ArgumentError, "Invalid argument(s) #{bad_args}" unless bad_args == ""
-    @server_type = Puppet[:servertype] or raise "No servertype configuration found."  # e.g.,  WEBrick, Mongrel, etc.
-    http_server_class || raise(ArgumentError, "Could not determine HTTP Server class for server type [#{@server_type}]")
-
-    @port = args[:port] || Puppet[:masterport] || raise(ArgumentError, "Must specify :port or configure Puppet :masterport")
-    @address = determine_bind_address
+  def initialize(address, port, handlers = nil)
+    @port = port
+    @address = address
+    @http_server = Puppet::Network::HTTP::WEBrick.new
 
     @listening = false
     @routes = {}
-    self.register(args[:handlers]) if args[:handlers]
+    self.register(handlers) if handlers
 
     # Make sure we have all of the directories we need to function.
     Puppet.settings.use(:main, :ssl, :application)
@@ -93,19 +89,15 @@ class Puppet::Network::Server
   def listen
     raise "Cannot listen -- already listening." if listening?
     @listening = true
-    http_server.listen(:address => address, :port => port, :handlers => @routes.keys)
+    @http_server.listen(address, port)
   end
 
   def unlisten
     raise "Cannot unlisten -- not currently listening." unless listening?
-    http_server.unlisten
+    @http_server.unlisten
     @listening = false
   end
 
-  def http_server_class
-    http_server_class_by_type(@server_type)
-  end
-
   def start
     create_pidfile
     close_streams if Puppet[:daemonize]
@@ -116,20 +108,4 @@ class Puppet::Network::Server
     unlisten
     remove_pidfile
   end
-
-  private
-
-  def http_server
-    @http_server ||= http_server_class.new
-  end
-
-  def http_server_class_by_type(kind)
-    Puppet::Network::HTTP.server_class_by_type(kind)
-  end
-
-  def determine_bind_address
-    tmp = Puppet[:bindaddress]
-    return tmp if tmp != ""
-    server_type.to_s == "webrick" ? "0.0.0.0" : "127.0.0.1"
-  end
 end