puppet 3.0.0.rc5 → 3.0.0.rc7

data/lib/puppet/settings/duration_setting.rb

@@ -0,0 +1,34 @@
+require 'puppet/settings/base_setting'
+
+# A setting that represents a span of time, and evaluates to an integer
+# number of seconds after being parsed
+class Puppet::Settings::DurationSetting < Puppet::Settings::BaseSetting
+  # How we convert from various units to seconds.
+  UNITMAP = {
+    # 365 days isn't technically a year, but is sufficient for most purposes
+    "y" => 365 * 24 * 60 * 60,
+    "d" => 24 * 60 * 60,
+    "h" => 60 * 60,
+    "m" => 60,
+    "s" => 1
+  }
+
+  # A regex describing valid formats with groups for capturing the value and units
+  FORMAT = /^(\d+)(y|d|h|m|s)?$/
+
+  def type
+    :duration
+  end
+
+  # Convert the value to an integer, parsing numeric string with units if necessary.
+  def munge(value)
+    case
+    when value.is_a?(Integer)
+      value
+    when (value.is_a?(String) and value =~ FORMAT)
+      $1.to_i * UNITMAP[$2 || 's']
+    else
+      raise Puppet::Settings::ValidationError, "Invalid duration format '#{value.inspect}' for parameter: #{@name}"
+    end
+  end
+end

data/lib/puppet/settings/terminus_setting.rb

@@ -0,0 +1,16 @@
+require 'puppet/settings/base_setting'
+
+class Puppet::Settings::TerminusSetting < Puppet::Settings::BaseSetting
+  def munge(value)
+    case value
+    when '', nil
+      nil
+    when String
+      value.intern
+    when Symbol
+      value
+    else
+      raise Puppet::Settings::ValidationError, "Invalid terminus setting: #{value}"
+    end
+  end
+end

data/lib/puppet/ssl/base.rb

@@ -1,5 +1,6 @@
 require 'openssl'
 require 'puppet/ssl'
+require 'puppet/ssl/digest'
 
 # The base class for wrapping SSL instances.
 class Puppet::SSL::Base
@@ -46,6 +47,28 @@ class Puppet::SSL::Base
     self.class.validate_certname(@name)
   end
 
+  # Method to extract a 'name' from the subject of a certificate
+  def self.name_from_subject(subject)
+    subject.to_s.sub(/\/CN=/i, '')
+  end
+
+  # Create an instance of our Puppet::SSL::* class using a given instance of the wrapped class
+  def self.from_instance(instance, name = nil)
+    raise ArgumentError, "Object must be an instance of #{wrapped_class}, #{instance.class} given" unless instance.is_a? wrapped_class
+    raise ArgumentError, "Name must be supplied if it cannot be determined from the instance" if name.nil? and !instance.respond_to?(:subject)
+
+    name ||= name_from_subject(instance.subject)
+    result = new(name)
+    result.content = instance
+    result
+  end
+
+  # Convert a string into an instance
+  def self.from_s(string, name = nil)
+    instance = wrapped_class.new(string)
+    from_instance(instance, name)
+  end
+
   # Read content from disk appropriately.
   def read(path)
     @content = wrapped_class.new(File.read(path))
@@ -64,18 +87,35 @@ class Puppet::SSL::Base
   end
 
   def fingerprint(md = :SHA256)
-    # ruby 1.8.x openssl digest constants are string
-    # but in 1.9.x they are symbols
     mds = md.to_s.upcase
-    if OpenSSL::Digest.constants.include?(mds)
-      md = mds
-    elsif OpenSSL::Digest.constants.include?(mds.to_sym)
-      md = mds.to_sym
-    else
-      raise ArgumentError, "#{md} is not a valid digest algorithm for fingerprinting certificate #{name}"
+    digest(mds).to_hex
+  end
+
+  def digest(algorithm=nil)
+    unless algorithm
+      algorithm = digest_algorithm
     end
 
-    OpenSSL::Digest.const_get(md).hexdigest(content.to_der).scan(/../).join(':').upcase
+    Puppet::SSL::Digest.new(algorithm, content.to_der)
+  end
+
+  def digest_algorithm
+    # The signature_algorithm on the X509 cert is a combination of the digest
+    # algorithm and the encryption algorithm
+    # e.g. md5WithRSAEncryption, sha256WithRSAEncryption
+    # Unfortunately there isn't a consistent pattern
+    # See RFCs 3279, 5758
+    digest_re = Regexp.union(
+      /ripemd160/i,
+      /md[245]/i,
+      /sha\d*/i
+    )
+    ln = content.signature_algorithm
+    if match = digest_re.match(ln)
+      match[0].downcase
+    else
+      raise Puppet::Error, "Unknown signature algorithm '#{ln}'"
+    end
   end
 
   private

data/lib/puppet/ssl/certificate.rb

@@ -12,15 +12,6 @@ class Puppet::SSL::Certificate < Puppet::SSL::Base
   extend Puppet::Indirector
   indirects :certificate, :terminus_class => :file
 
-  # Convert a string into an instance.
-  def self.from_s(string)
-    instance = wrapped_class.new(string)
-    name = instance.subject.to_s.sub(/\/CN=/i, '').downcase
-    result = new(name)
-    result.content = instance
-    result
-  end
-
   # Because of how the format handler class is included, this
   # can't be in the base class.
   def self.supported_formats
@@ -37,4 +28,17 @@ class Puppet::SSL::Certificate < Puppet::SSL::Base
     return nil unless content
     content.not_after
   end
+
+  def near_expiration?(interval = nil)
+    return false unless expiration
+    interval ||= Puppet[:certificate_expire_warning]
+    # Certificate expiration timestamps are always in UTC
+    expiration < Time.now.utc + interval
+  end
+
+  # This name is what gets extracted from the subject before being passed
+  # to the constructor, so it's not downcased
+  def unmunged_name
+    self.class.name_from_subject(content.subject)
+  end
 end

data/lib/puppet/ssl/certificate_authority.rb

@@ -323,6 +323,10 @@ class Puppet::SSL::CertificateAuthority
       raise CertificateSigningError.new(hostname), "CSR subject contains a wildcard, which is not allowed: #{csr.content.subject.to_s}"
     end
 
+    unless csr.content.verify(csr.content.public_key)
+      raise CertificateSigningError.new(hostname), "CSR contains a public key that does not correspond to the signing key"
+    end
+
     unless csr.subject_alt_names.empty?
       # If you alt names are allowed, they are required. Otherwise they are
       # disallowed. Self-signed certs are implicitly trusted, however.

data/lib/puppet/ssl/certificate_authority/interface.rb

@@ -16,17 +16,10 @@ module Puppet
             raise ArgumentError, "You must provide hosts or --all when using #{method}"
           end
 
-          begin
-            return send(method, ca) if respond_to?(method)
+          return send(method, ca) if respond_to?(method)
 
-            (subjects == :all ? ca.list : subjects).each do |host|
-              ca.send(method, host)
-            end
-          rescue InterfaceError
-            raise
-          rescue => detail
-            Puppet.log_exception(detail, "Could not call #{method}: #{detail}")
-            raise
+          (subjects == :all ? ca.list : subjects).each do |host|
+            ca.send(method, host)
           end
         end
 
@@ -41,7 +34,7 @@ module Puppet
         def initialize(method, options)
           self.method = method
           self.subjects = options.delete(:to)
-          @digest = options.delete(:digest) || :SHA256
+          @digest = options.delete(:digest)
           @options = options
         end
 
@@ -102,12 +95,12 @@ module Puppet
         end
 
         def format_host(ca, host, type, info, width)
-          certish, verify_error = info
+          cert, verify_error = info
           alt_names = case type
                       when :signed
-                        certish.subject_alt_names
+                        cert.subject_alt_names
                       when :request
-                        certish.subject_alt_names
+                        cert.subject_alt_names
                       else
                         []
                       end
@@ -119,7 +112,7 @@ module Puppet
           glyph = {:signed => '+', :request => ' ', :invalid => '-'}[type]
 
           name = host.inspect.ljust(width)
-          fingerprint = "(#{ca.fingerprint(host, @digest)})"
+          fingerprint = cert.digest(@digest).to_s
 
           explanation = "(#{verify_error})" if verify_error
 
@@ -146,8 +139,8 @@ module Puppet
         # Print certificate information.
         def fingerprint(ca)
           (subjects == :all ? ca.list + ca.waiting?: subjects).each do |host|
-            if value = ca.fingerprint(host, @digest)
-              puts "#{host} #{value}"
+            if cert = (Puppet::SSL::Certificate.indirection.find(host) || Puppet::SSL::CertificateRequest.indirection.find(host))
+              puts "#{host} #{cert.digest(@digest)}"
             else
               Puppet.err "Could not find certificate for #{host}"
             end

data/lib/puppet/ssl/certificate_factory.rb

@@ -3,20 +3,14 @@ require 'puppet/ssl'
 # The tedious class that does all the manipulations to the
 # certificate to correctly sign it.  Yay.
 module Puppet::SSL::CertificateFactory
-  # How we convert from various units to the required seconds.
-  UNITMAP = {
-    "y" => 365 * 24 * 60 * 60,
-    "d" => 24 * 60 * 60,
-    "h" => 60 * 60,
-    "s" => 1
-  }
-
-  def self.build(cert_type, csr, issuer, serial)
+  def self.build(cert_type, csr, issuer, serial, ttl = nil)
     # Work out if we can even build the requested type of certificate.
     build_extensions = "build_#{cert_type.to_s}_extensions"
     respond_to?(build_extensions) or
       raise ArgumentError, "#{cert_type.to_s} is an invalid certificate type!"
 
+    raise ArgumentError, "Certificate TTL must be an integer" unless ttl.nil? || ttl.is_a?(Fixnum)
+
     # set up the certificate, and start building the content.
     cert = OpenSSL::X509::Certificate.new
 
@@ -32,7 +26,7 @@ module Puppet::SSL::CertificateFactory
     # clock fail, and better than having every cert we generate expire a day
     # before the user expected it to when they asked for "one year".
     cert.not_before = Time.now - (60*60*24)
-    cert.not_after  = Time.now + ttl
+    cert.not_after  = Time.now + (ttl || Puppet[:ca_ttl])
 
     add_extensions_to(cert, csr, issuer, send(build_extensions))
 
@@ -86,17 +80,6 @@ module Puppet::SSL::CertificateFactory
     end
   end
 
-  # TTL for new certificates in seconds.
-  def self.ttl
-    ttl = Puppet.settings[:ca_ttl]
-
-    return ttl unless ttl.is_a?(String)
-
-    raise ArgumentError, "Invalid ca_ttl #{ttl}" unless ttl =~ /^(\d+)(y|d|h|s)$/
-
-    $1.to_i * UNITMAP[$2]
-  end
-
   # Woot! We're a CA.
   def self.build_ca_extensions
     {

data/lib/puppet/ssl/certificate_request.rb

@@ -20,15 +20,6 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
 
   indirects :certificate_request, :terminus_class => :file, :extend => AutoSigner
 
-  # Convert a string into an instance.
-  def self.from_s(string)
-    instance = wrapped_class.new(string)
-    name = instance.subject.to_s.sub(/\/CN=/i, '').downcase
-    result = new(name)
-    result.content = instance
-    result
-  end
-
   # Because of how the format handler class is included, this
   # can't be in the base class.
   def self.supported_formats
@@ -73,7 +64,7 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
     raise Puppet::Error, "CSR sign verification failed; you need to clean the certificate request for #{name} on the server" unless csr.verify(key.public_key)
 
     @content = csr
-    Puppet.info "Certificate Request fingerprint (sha256): #{fingerprint}"
+    Puppet.info "Certificate Request fingerprint (#{digest.name}): #{digest.to_hex}"
     @content
   end
 

data/lib/puppet/ssl/certificate_revocation_list.rb

@@ -12,9 +12,7 @@ class Puppet::SSL::CertificateRevocationList < Puppet::SSL::Base
 
   # Convert a string into an instance.
   def self.from_s(string)
-    crl = new('foo') # The name doesn't matter
-    crl.content = wrapped_class.new(string)
-    crl
+    super(string, 'foo') # The name doesn't matter
   end
 
   # Because of how the format handler class is included, this

data/lib/puppet/ssl/digest.rb

@@ -0,0 +1,20 @@
+class Puppet::SSL::Digest
+  attr_reader :digest
+
+  def initialize(algorithm, content)
+    algorithm ||= 'SHA256'
+    @digest = OpenSSL::Digest.new(algorithm, content)
+  end
+
+  def to_s
+    "(#{name}) #{to_hex}"
+  end
+
+  def to_hex
+    @digest.hexdigest.scan(/../).join(':').upcase
+  end
+
+  def name
+    @digest.name.upcase
+  end
+end

data/lib/puppet/ssl/host.rb

@@ -54,7 +54,7 @@ class Puppet::SSL::Host
     CertificateRequest.indirection.terminus_class = terminus
     CertificateRevocationList.indirection.terminus_class = terminus
 
-    host_map = {:ca => :file, :file => nil, :rest => :rest}
+    host_map = {:ca => :file, :disabled_ca => nil, :file => nil, :rest => :rest}
     if term = host_map[terminus]
       self.indirection.terminus_class = term
     else
@@ -94,7 +94,7 @@ class Puppet::SSL::Host
     # We are the CA, so we don't have read/write access to the normal certificates.
     :only => [:ca],
     # We have no CA, so we just look in the local file store.
-    :none => [:file]
+    :none => [:disabled_ca]
   }
 
   # Specify how we expect to interact with our certificate authority.
@@ -276,14 +276,39 @@ ERROR_STRING
     pson_hash[:state] = my_state
     pson_hash[:desired_state] = desired_state if desired_state
 
-    if my_state == 'requested'
-      pson_hash[:fingerprint] = certificate_request.fingerprint
-    else
-      pson_hash[:fingerprint] = my_cert.fingerprint
+    thing_to_use = (my_state == 'requested') ? certificate_request : my_cert
+
+    # this is for backwards-compatibility
+    # we should deprecate it and transition people to using
+    # pson[:fingerprints][:default]
+    # It appears that we have no internal consumers of this api
+    # --jeffweiss 30 aug 2012
+    pson_hash[:fingerprint] = thing_to_use.fingerprint
+    
+    # The above fingerprint doesn't tell us what message digest algorithm was used
+    # No problem, except that the default is changing between 2.7 and 3.0. Also, as
+    # we move to FIPS 140-2 compliance, MD5 is no longer allowed (and, gasp, will
+    # segfault in rubies older than 1.9.3)
+    # So, when we add the newer fingerprints, we're explicit about the hashing
+    # algorithm used.
+    # --jeffweiss 31 july 2012
+    pson_hash[:fingerprints] = {}
+    pson_hash[:fingerprints][:default] = thing_to_use.fingerprint
+    
+    suitable_message_digest_algorithms.each do |md| 
+      pson_hash[:fingerprints][md] = thing_to_use.fingerprint md
     end
+    pson_hash[:dns_alt_names] = thing_to_use.subject_alt_names
 
     pson_hash.to_pson(*args)
   end
+  
+  # eventually we'll probably want to move this somewhere else or make it
+  # configurable
+  # --jeffweiss 29 aug 2012
+  def suitable_message_digest_algorithms
+    [:SHA1, :SHA256, :SHA512]
+  end
 
   # Attempt to retrieve a cert, if we don't already have one.
   def wait_for_cert(time)

data/lib/puppet/test/test_helper.rb

@@ -134,7 +134,6 @@ module Puppet::Test
 
     def self.app_defaults_for_tests()
       {
-          :run_mode   => :user,
           :logdir     => "/dev/null",
           :confdir    => "/dev/null",
           :vardir     => "/dev/null",
@@ -145,6 +144,7 @@ module Puppet::Test
     private_class_method :app_defaults_for_tests
 
     def self.initialize_settings_before_each()
+      Puppet.settings.preferred_run_mode = "user"
       # Initialize "app defaults" settings to a good set of test values
       app_defaults_for_tests.each do |key, value|
         Puppet.settings.set_value(key, value, :application_defaults)

data/lib/puppet/transaction/report.rb

@@ -11,7 +11,8 @@ class Puppet::Transaction::Report
   indirects :report, :terminus_class => :processor
 
   attr_accessor :configuration_version, :host, :environment
-  attr_reader :resource_statuses, :logs, :metrics, :time, :kind, :status
+  attr_reader :resource_statuses, :logs, :metrics, :time, :kind, :status,
+              :puppet_version, :report_format
 
   # This is necessary since Marshall doesn't know how to
   # dump hash with default proc (see below @records)

data/lib/puppet/type.rb

@@ -413,7 +413,7 @@ class Type
         # make sure the parameter doesn't have any errors
         property.value = value
       rescue => detail
-        error = Puppet::Error.new("Parameter #{name} failed: #{detail}")
+        error = Puppet::Error.new("Parameter #{name} failed on #{ref}: #{detail}")
         error.set_backtrace(detail.backtrace)
         raise error
       end