puppet 3.1.1 → 3.2.0.rc1

data/lib/puppet/ssl/certificate.rb

@@ -10,7 +10,10 @@ class Puppet::SSL::Certificate < Puppet::SSL::Base
   wraps OpenSSL::X509::Certificate
 
   extend Puppet::Indirector
-  indirects :certificate, :terminus_class => :file
+  indirects :certificate, :terminus_class => :file, :doc => <<DOC
+    This indirection wraps an `OpenSSL::X509::Certificate` object, representing a certificate (signed public key).
+    The indirection key is the certificate CN (generally a hostname).
+DOC
 
   # Because of how the format handler class is included, this
   # can't be in the base class.

data/lib/puppet/ssl/certificate_request.rb

@@ -19,7 +19,10 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
     end
   end
 
-  indirects :certificate_request, :terminus_class => :file, :extend => AutoSigner
+  indirects :certificate_request, :terminus_class => :file, :extend => AutoSigner, :doc => <<DOC
+    This indirection wraps an `OpenSSL::X509::Request` object, representing a certificate signing request (CSR).
+    The indirection key is the certificate CN (generally a hostname).
+DOC
 
   # Because of how the format handler class is included, this
   # can't be in the base class.

data/lib/puppet/ssl/certificate_revocation_list.rb

@@ -8,7 +8,10 @@ class Puppet::SSL::CertificateRevocationList < Puppet::SSL::Base
   wraps OpenSSL::X509::CRL
 
   extend Puppet::Indirector
-  indirects :certificate_revocation_list, :terminus_class => :file
+  indirects :certificate_revocation_list, :terminus_class => :file, :doc => <<DOC
+    This indirection wraps an `OpenSSL::X509::CRL` object, representing a certificate revocation list (CRL).
+    The indirection key is the CA name (usually literally `ca`).
+DOC
 
   # Convert a string into an instance.
   def self.from_s(string)

data/lib/puppet/ssl/configuration.rb

@@ -1,4 +1,5 @@
 require 'puppet/ssl'
+require 'openssl'
 module Puppet
 module SSL
   # Puppet::SSL::Configuration is intended to separate out the following concerns:
@@ -27,6 +28,37 @@ class Configuration
   def ca_auth_file
     @ca_auth_file || @localcacert
   end
+
+  ##
+  # ca_auth_certificates returns an Array of OpenSSL::X509::Certificate
+  # instances intended to be used in the connection verify_callback.  This
+  # method loads and parses the {#ca_auth_file} from the filesystem.
+  #
+  # @api private
+  #
+  # @return [Array<OpenSSL::X509::Certificate>]
+  def ca_auth_certificates
+    @ca_auth_certificates ||= decode_cert_bundle(read_file(ca_auth_file))
+  end
+
+  ##
+  # Decode a string of concatenated certificates
+  #
+  # @return [Array<OpenSSL::X509::Certificate>]
+  def decode_cert_bundle(bundle_str)
+    re = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m
+    pem_ary = bundle_str.scan(re)
+    pem_ary.map do |pem_str|
+      OpenSSL::X509::Certificate.new(pem_str)
+    end
+  end
+  private :decode_cert_bundle
+
+  # read_file makes testing easier.
+  def read_file(path)
+    File.read(path)
+  end
+  private :read_file
 end
 end
 end

data/lib/puppet/ssl/host.rb

@@ -16,7 +16,10 @@ class Puppet::SSL::Host
   CertificateRevocationList = Puppet::SSL::CertificateRevocationList
 
   extend Puppet::Indirector
-  indirects :certificate_status, :terminus_class => :file
+  indirects :certificate_status, :terminus_class => :file, :doc => <<DOC
+    This indirection represents the host that ties a key, certificate, and certificate request together.
+    The indirection key is the certificate CN (generally a hostname).
+DOC
 
   attr_reader :name
   attr_accessor :ca
@@ -156,20 +159,12 @@ class Puppet::SSL::Host
     @certificate_request ||= CertificateRequest.indirection.find(name)
   end
 
-  def this_csr_is_for_the_current_host
-    name == Puppet[:certname].downcase
-  end
-
-  def this_csr_is_for_the_current_host
-    name == Puppet[:certname].downcase
-  end
-
   # Our certificate request requires the key but that's all.
   def generate_certificate_request(options = {})
     generate_key unless key
 
-    # If this is for the current machine...
-    if this_csr_is_for_the_current_host
+    # If this CSR is for the current machine...
+    if name == Puppet[:certname].downcase
       # ...add our configured dns_alt_names
       if Puppet[:dns_alt_names] and Puppet[:dns_alt_names] != ''
         options[:dns_alt_names] ||= Puppet[:dns_alt_names]
@@ -257,10 +252,12 @@ ERROR_STRING
       # a lookup in the middle of setting our ssl connection.
       @ssl_store.add_file(Puppet[:localcacert])
 
-      # If there's a CRL, add it to our store.
-      if crl = Puppet::SSL::CertificateRevocationList.indirection.find(CA_NAME)
-        @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
-        @ssl_store.add_crl(crl.content)
+      # If we're doing revocation and there's a CRL, add it to our store.
+      if Puppet.settings[:certificate_revocation]
+        if crl = Puppet::SSL::CertificateRevocationList.indirection.find(CA_NAME)
+          @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+          @ssl_store.add_crl(crl.content)
+        end
       end
       return @ssl_store
     end
@@ -284,7 +281,7 @@ ERROR_STRING
     # It appears that we have no internal consumers of this api
     # --jeffweiss 30 aug 2012
     pson_hash[:fingerprint] = thing_to_use.fingerprint
-    
+
     # The above fingerprint doesn't tell us what message digest algorithm was used
     # No problem, except that the default is changing between 2.7 and 3.0. Also, as
     # we move to FIPS 140-2 compliance, MD5 is no longer allowed (and, gasp, will
@@ -294,15 +291,15 @@ ERROR_STRING
     # --jeffweiss 31 july 2012
     pson_hash[:fingerprints] = {}
     pson_hash[:fingerprints][:default] = thing_to_use.fingerprint
-    
-    suitable_message_digest_algorithms.each do |md| 
+
+    suitable_message_digest_algorithms.each do |md|
       pson_hash[:fingerprints][md] = thing_to_use.fingerprint md
     end
     pson_hash[:dns_alt_names] = thing_to_use.subject_alt_names
 
     pson_hash.to_pson(*args)
   end
-  
+
   # eventually we'll probably want to move this somewhere else or make it
   # configurable
   # --jeffweiss 29 aug 2012
@@ -319,7 +316,7 @@ ERROR_STRING
     rescue SystemExit,NoMemoryError
       raise
     rescue Exception => detail
-      Puppet.log_exception(detail, "Could not request certificate: #{detail}")
+      Puppet.log_exception(detail, "Could not request certificate: #{detail.message}")
       if time < 1
         puts "Exiting; failed to retrieve certificate and waitforcert is disabled"
         exit(1)
@@ -340,7 +337,7 @@ ERROR_STRING
         break if certificate
         Puppet.notice "Did not receive certificate"
       rescue StandardError => detail
-        Puppet.log_exception(detail, "Could not request certificate: #{detail}")
+        Puppet.log_exception(detail, "Could not request certificate: #{detail.message}")
       end
     end
   end

data/lib/puppet/ssl/key.rb

@@ -6,7 +6,10 @@ class Puppet::SSL::Key < Puppet::SSL::Base
   wraps OpenSSL::PKey::RSA
 
   extend Puppet::Indirector
-  indirects :key, :terminus_class => :file
+  indirects :key, :terminus_class => :file, :doc => <<DOC
+    This indirection wraps an `OpenSSL::PKey::RSA object, representing a private key.
+    The indirection key is the certificate CN (generally a hostname).
+DOC
 
   # Because of how the format handler class is included, this
   # can't be in the base class.

data/lib/puppet/ssl/validator.rb

@@ -0,0 +1,116 @@
+require 'puppet/ssl'
+require 'openssl'
+module Puppet
+module SSL
+class Validator
+  attr_reader :peer_certs
+  attr_reader :verify_errors
+  attr_reader :ssl_configuration
+
+  ##
+  # @param [Hash] opts the options to initialze the instance with.
+  #
+  # @option opts [Puppet::SSL::Configuration] :ssl_configuration to use for
+  #   authorizing the peer certificate chain.
+  def initialize(opts = {})
+    reset!
+    @ssl_configuration = opts[:ssl_configuration] or raise ArgumentError, ":ssl_configuration is required"
+  end
+
+  ##
+  # reset to the initial state.
+  def reset!
+    @peer_certs = []
+    @verify_errors = []
+  end
+
+  ##
+  # call performs verification of the SSL connection and collection of the
+  # certificates for use in constructing the error message if the verification
+  # failed.  This callback will be executed once for each certificate in a
+  # chain being verified.
+  #
+  # From the [OpenSSL
+  # documentation](http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html):
+  # The `verify_callback` function is used to control the behaviour when the
+  # SSL_VERIFY_PEER flag is set. It must be supplied by the application and
+  # receives two arguments: preverify_ok indicates, whether the verification of
+  # the certificate in question was passed (preverify_ok=1) or not
+  # (preverify_ok=0). x509_ctx is a pointer to the complete context used for
+  # the certificate chain verification.
+  #
+  # See {Puppet::Network::HTTP::Connection} for more information and where this
+  # class is intended to be used.
+  #
+  # @param [Boolean] preverify_ok indicates whether the verification of the
+  #   certificate in question was passed (preverify_ok=true)
+  # @param [OpenSSL::SSL::SSLContext] ssl_context holds the SSLContext for the
+  #   chain being verified.
+  #
+  # @return [Boolean] false if the peer is invalid, true otherwise.
+  def call(preverify_ok, ssl_context)
+    # We must make a copy since the scope of the ssl_context will be lost
+    # across invocations of this method.
+    current_cert = ssl_context.current_cert
+    @peer_certs << Puppet::SSL::Certificate.from_instance(current_cert)
+
+    if preverify_ok
+      # If we've copied all of the certs in the chain out of the SSL library
+      if @peer_certs.length == ssl_context.chain.length
+        # (#20027) The peer cert must be issued by a specific authority
+        preverify_ok = valid_peer?
+      end
+    else
+      if ssl_context.error_string
+        @verify_errors << "#{ssl_context.error_string} for #{current_cert.subject}"
+      end
+    end
+    preverify_ok
+  rescue => ex
+    @verify_errors << ex.message
+    false
+  end
+
+  ##
+  # Register the instance's call method with the connection.
+  #
+  # @param [Net::HTTP] connection The connection to velidate
+  #
+  # @return [void]
+  def register_verify_callback(connection)
+    connection.verify_callback = self
+  end
+
+  ##
+  # Validate the peer certificates against the authorized certificates.
+  def valid_peer?
+    descending_cert_chain = @peer_certs.reverse.map {|c| c.content }
+    authz_ca_certs = ssl_configuration.ca_auth_certificates
+
+    if not has_authz_peer_cert(descending_cert_chain, authz_ca_certs)
+      msg = "The server presented a SSL certificate chain which does not include a " <<
+        "CA listed in the ssl_client_ca_auth file.  "
+      msg << "Authorized Issuers: #{authz_ca_certs.collect {|c| c.subject}.join(', ')}  " <<
+        "Peer Chain: #{descending_cert_chain.collect {|c| c.subject}.join(' => ')}"
+      @verify_errors << msg
+      false
+    else
+      true
+    end
+  end
+
+  ##
+  # checks if the set of peer_certs contains at least one certificate issued
+  # by a certificate listed in authz_certs
+  #
+  # @return [Boolean]
+  def has_authz_peer_cert(peer_certs, authz_certs)
+    peer_certs.any? do |peer_cert|
+      authz_certs.any? do |authz_cert|
+        peer_cert.verify(authz_cert.public_key)
+      end
+    end
+  end
+end
+end
+end

data/lib/puppet/transaction.rb

@@ -224,7 +224,7 @@ class Puppet::Transaction
 
   # Should we ignore tags?
   def ignore_tags?
-    ! @catalog.host_config? 
+    ! @catalog.host_config?
   end
 
   # this should only be called by a Puppet::Type::Component resource now

data/lib/puppet/transaction/event.rb

@@ -9,7 +9,7 @@ class Puppet::Transaction::Event
   include Puppet::Util::Tagging
   include Puppet::Util::Logging
 
-  ATTRIBUTES = [:name, :resource, :property, :previous_value, :desired_value, :historical_value, :status, :message, :file, :line, :source_description, :audited]
+  ATTRIBUTES = [:name, :resource, :property, :previous_value, :desired_value, :historical_value, :status, :message, :file, :line, :source_description, :audited, :invalidate_refreshes]
   YAML_ATTRIBUTES = %w{@audited @property @previous_value @desired_value @historical_value @message @name @status @time}.map(&:to_sym)
   attr_accessor *ATTRIBUTES
   attr_writer :tags
@@ -29,15 +29,8 @@ class Puppet::Transaction::Event
   end
 
   def resource=(res)
-    begin
-      # In Ruby 1.8 looking up a symbol on a string gives nil; in 1.9 it will
-      # raise a TypeError, which we then catch.  This should work on both
-      # versions, for all that it is a bit naff. --daniel 2012-03-11
-      if res.respond_to?(:[]) and level = res[:loglevel]
-        @default_log_level = level
-      end
-    rescue TypeError => e
-      raise unless e.to_s == "can't convert Symbol into Integer"
+    if res.respond_to?(:[]) and level = res[:loglevel]
+      @default_log_level = level
     end
     @resource = res.to_s
   end

data/lib/puppet/transaction/event_manager.rb

@@ -59,6 +59,13 @@ class Puppet::Transaction::EventManager
 
       queue_events_for_resource(resource, resource, :refresh, [event]) if resource.self_refresh? and ! resource.deleting?
     end
+
+    dequeue_events_for_resource(resource, :refresh) if events.detect { |e| e.invalidate_refreshes }
+  end
+
+  def dequeue_events_for_resource(target, callback)
+    target.info "Unscheduling #{callback} on #{target}"
+    @event_queues[target][callback] = {} if @event_queues[target]
   end
 
   def queue_events_for_resource(source, target, callback, events)
@@ -83,7 +90,7 @@ class Puppet::Transaction::EventManager
   def queued_events(resource)
     return unless callbacks = @event_queues[resource]
     callbacks.each do |callback, events|
-      yield callback, events
+      yield callback, events unless events.empty?
     end
   end
 

data/lib/puppet/transaction/report.rb

@@ -3,16 +3,16 @@ require 'puppet/indirector'
 
 # This class is used to report what happens on a client.
 # There are two types of data in a report; _Logs_ and _Metrics_.
-# 
+#
 # * **Logs** - are the output that each change produces.
 # * **Metrics** - are all of the numerical data involved in the transaction.
-# 
+#
 # Use {Puppet::Reports} class to create a new custom report type. This class is indirectly used
 # as a source of data to report in such a registered report.
-# 
+#
 # ##Metrics
 # There are three types of metrics in each report, and each type of metric has one or more values.
-# 
+#
 # * Time: Keeps track of how long things took.
 #   * Total: Total time for the configuration run
 #   * File:
@@ -42,36 +42,36 @@ class Puppet::Transaction::Report
   # The version of the configuration
   # @todo Uncertain what this is?
   # @return [???] the configuration version
-  attr_accessor :configuration_version 
-  
+  attr_accessor :configuration_version
+
   # The host name for which the report is generated
   # @return [String] the host name
   attr_accessor :host
-  
+
   # The name of the environment the host is in
   # @return [String] the environment name
   attr_accessor :environment
-  
+
   # A hash with a map from resource to status
   # @return [Hash<{String => String}>] Resource name to status string.
   # @todo Uncertain if the types in the hash are correct...
   attr_reader :resource_statuses
-  
+
   # A list of log messages.
   # @return [Array<String>] logged messages
   attr_reader :logs
-  
+
   # A hash of metric name to metric value.
   # @return [Hash<{String => Object}>] A map of metric name to value.
   # @todo Uncertain if all values are numbers - now marked as Object.
   #
   attr_reader :metrics
-  
+
   # The time when the report data was generated.
   # @return [Time] A time object indicating when the report data was generated
   #
   attr_reader :time
-  
+
   # The 'kind' of report is the name of operation that triggered the report to be produced.
   # Typically "apply".
   # @return [String] the kind of operation that triggered the generation of the report.
@@ -80,14 +80,14 @@ class Puppet::Transaction::Report
 
   # The status of the client run is an enumeration: 'failed', 'changed' or 'unchanged'
   # @return [String] the status of the run - one of the values 'failed', 'changed', or 'unchanged'
-  # 
+  #
   attr_reader :status
-  
+
   # @return [String] The Puppet version in String form.
   # @see Puppet::version()
   #
   attr_reader :puppet_version
-  
+
   # @return [Integer] (3) a report format version number
   # @todo Unclear what this is - a version?
   #
@@ -237,7 +237,7 @@ class Puppet::Transaction::Report
   # individual bits represent the presence of different metrics.
   #
   # * 0x2 set if there are changes
-  # * 0x4 set if there are failures
+  # * 0x4 set if there are resource failures or resources that failed to restart
   # @return [Integer] A bitmask where 0x2 is set if there are changes, and 0x4 is set of there are failures.
   # @api public
   #
@@ -245,6 +245,7 @@ class Puppet::Transaction::Report
     status = 0
     status |= 2 if @metrics["changes"]["total"] > 0
     status |= 4 if @metrics["resources"]["failed"] > 0
+    status |= 4 if @metrics["resources"]["failed_to_restart"] > 0
     status
   end