puppet 3.3.2 → 3.4.0.rc1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of puppet might be problematic. Click here for more details.
- data/CONTRIBUTING.md +22 -0
- data/Gemfile +11 -2
- data/README.md +13 -17
- data/README_DEVELOPER.md +1 -1
- data/Rakefile +1 -1
- data/examples/hiera/README.md +4 -4
- data/ext/debian/puppetmaster.init +1 -0
- data/ext/debian/rules +2 -5
- data/ext/nagios/check_puppet.rb +7 -7
- data/ext/osx/file_mapping.yaml +1 -1
- data/ext/osx/preflight.erb +34 -19
- data/ext/rack/{files/config.ru → config.ru} +0 -0
- data/ext/rack/{files/apache2.conf → example-passenger-vhost.conf} +6 -0
- data/ext/redhat/puppet.spec.erb +20 -2
- data/ext/systemd/{puppetagent.service → puppet.service} +0 -0
- data/lib/hiera_puppet.rb +2 -2
- data/lib/puppet/agent.rb +1 -6
- data/lib/puppet/application.rb +15 -2
- data/lib/puppet/application/agent.rb +2 -7
- data/lib/puppet/application/apply.rb +8 -13
- data/lib/puppet/application/cert.rb +47 -7
- data/lib/puppet/application/device.rb +1 -6
- data/lib/puppet/application/face_base.rb +1 -1
- data/lib/puppet/application/filebucket.rb +1 -1
- data/lib/puppet/application/inspect.rb +3 -12
- data/lib/puppet/application/master.rb +1 -6
- data/lib/puppet/application/queue.rb +1 -6
- data/lib/puppet/application/resource.rb +2 -6
- data/lib/puppet/coercion.rb +11 -0
- data/lib/puppet/configurer.rb +5 -3
- data/lib/puppet/configurer/downloader.rb +3 -1
- data/lib/puppet/configurer/plugin_handler.rb +10 -0
- data/lib/puppet/confine.rb +80 -0
- data/lib/puppet/{provider/confine → confine}/exists.rb +3 -3
- data/lib/puppet/{provider/confine → confine}/false.rb +2 -2
- data/lib/puppet/{provider/confine → confine}/feature.rb +2 -2
- data/lib/puppet/{provider/confine → confine}/true.rb +2 -2
- data/lib/puppet/{provider/confine → confine}/variable.rb +2 -2
- data/lib/puppet/{provider/confine_collection.rb → confine_collection.rb} +4 -4
- data/lib/puppet/{provider/confiner.rb → confiner.rb} +4 -4
- data/lib/puppet/daemon.rb +2 -6
- data/lib/puppet/data_binding.rb +2 -30
- data/lib/puppet/defaults.rb +283 -174
- data/lib/puppet/error.rb +1 -0
- data/lib/puppet/external/nagios.rb +0 -2
- data/lib/puppet/external/nagios/base.rb +4 -3
- data/lib/puppet/external/nagios/grammar.ry +173 -112
- data/lib/puppet/external/nagios/parser.rb +233 -184
- data/lib/puppet/face/file/store.rb +1 -1
- data/lib/puppet/face/module/generate.rb +5 -7
- data/lib/puppet/face/parser.rb +12 -2
- data/lib/puppet/face/plugin.rb +6 -0
- data/lib/puppet/feature/base.rb +16 -0
- data/lib/puppet/feature/external_facts.rb +5 -0
- data/lib/puppet/feature/libuser.rb +1 -1
- data/lib/puppet/feature/msgpack.rb +1 -0
- data/lib/puppet/feature/rails.rb +2 -2
- data/lib/puppet/file_bucket/dipper.rb +8 -6
- data/lib/puppet/file_bucket/file.rb +17 -1
- data/lib/puppet/file_serving/base.rb +21 -10
- data/lib/puppet/file_serving/configuration.rb +5 -7
- data/lib/puppet/file_serving/configuration/parser.rb +1 -1
- data/lib/puppet/file_serving/content.rb +1 -1
- data/lib/puppet/file_serving/fileset.rb +3 -3
- data/lib/puppet/file_serving/metadata.rb +22 -18
- data/lib/puppet/file_serving/mount/file.rb +1 -1
- data/lib/puppet/file_serving/mount/pluginfacts.rb +35 -0
- data/lib/puppet/file_system.rb +3 -0
- data/lib/puppet/file_system/file.rb +261 -0
- data/lib/puppet/file_system/file18.rb +5 -0
- data/lib/puppet/file_system/file19.rb +5 -0
- data/lib/puppet/file_system/file19windows.rb +113 -0
- data/lib/puppet/file_system/memory_file.rb +31 -0
- data/lib/puppet/file_system/tempfile.rb +20 -0
- data/lib/puppet/indirector/active_record.rb +1 -0
- data/lib/puppet/indirector/catalog/compiler.rb +28 -0
- data/lib/puppet/indirector/certificate_request/memory.rb +6 -0
- data/lib/puppet/indirector/data_binding/hiera.rb +46 -2
- data/lib/puppet/indirector/direct_file_server.rb +2 -2
- data/lib/puppet/indirector/facts/facter.rb +25 -0
- data/lib/puppet/indirector/file_bucket_file/file.rb +60 -74
- data/lib/puppet/indirector/indirection.rb +5 -1
- data/lib/puppet/indirector/json.rb +1 -1
- data/lib/puppet/indirector/key/ca.rb +4 -0
- data/lib/puppet/indirector/key/file.rb +7 -3
- data/lib/puppet/indirector/key/memory.rb +6 -0
- data/lib/puppet/indirector/node/write_only_yaml.rb +2 -2
- data/lib/puppet/indirector/request.rb +17 -11
- data/lib/puppet/indirector/resource/ral.rb +5 -0
- data/lib/puppet/indirector/resource/rest.rb +1 -0
- data/lib/puppet/indirector/resource/store_configs.rb +4 -0
- data/lib/puppet/indirector/rest.rb +2 -1
- data/lib/puppet/indirector/ssl_file.rb +7 -7
- data/lib/puppet/indirector/terminus.rb +4 -0
- data/lib/puppet/indirector/yaml.rb +3 -3
- data/lib/puppet/interface/documentation.rb +4 -11
- data/lib/puppet/module.rb +19 -6
- data/lib/puppet/module_tool/applications/builder.rb +1 -1
- data/lib/puppet/module_tool/applications/installer.rb +1 -1
- data/lib/puppet/module_tool/checksums.rb +1 -1
- data/lib/puppet/module_tool/dependency.rb +7 -3
- data/lib/puppet/module_tool/metadata.rb +6 -2
- data/lib/puppet/module_tool/tar.rb +2 -1
- data/lib/puppet/module_tool/tar/gnu.rb +6 -2
- data/lib/puppet/module_tool/tar/mini.rb +2 -0
- data/lib/puppet/module_tool/tar/solaris.rb +2 -5
- data/lib/puppet/network/authconfig.rb +0 -2
- data/lib/puppet/network/authentication.rb +1 -1
- data/lib/puppet/network/authstore.rb +6 -7
- data/lib/puppet/network/format.rb +2 -3
- data/lib/puppet/network/format_handler.rb +16 -11
- data/lib/puppet/network/format_support.rb +14 -0
- data/lib/puppet/network/formats.rb +26 -0
- data/lib/puppet/network/http/connection.rb +8 -41
- data/lib/puppet/network/http/handler.rb +28 -32
- data/lib/puppet/network/http/webrick.rb +15 -22
- data/lib/puppet/network/http_pool.rb +43 -9
- data/lib/puppet/network/rights.rb +0 -0
- data/lib/puppet/node.rb +24 -8
- data/lib/puppet/node/environment.rb +18 -20
- data/lib/puppet/node/facts.rb +23 -6
- data/lib/puppet/parameter.rb +15 -2
- data/lib/puppet/parameter/boolean.rb +5 -0
- data/lib/puppet/parameter/value_collection.rb +6 -4
- data/lib/puppet/parser/ast/resourceparam.rb +2 -1
- data/lib/puppet/parser/compiler.rb +25 -9
- data/lib/puppet/parser/files.rb +1 -1
- data/lib/puppet/parser/functions.rb +12 -21
- data/lib/puppet/parser/functions/collect.rb +6 -35
- data/lib/puppet/parser/functions/contain.rb +26 -0
- data/lib/puppet/parser/functions/create_resources.rb +5 -0
- data/lib/puppet/parser/functions/extlookup.rb +2 -2
- data/lib/puppet/parser/functions/file.rb +1 -1
- data/lib/puppet/parser/functions/{reject.rb → filter.rb} +13 -12
- data/lib/puppet/parser/functions/fqdn_rand.rb +13 -5
- data/lib/puppet/parser/functions/include.rb +18 -1
- data/lib/puppet/parser/functions/map.rb +44 -0
- data/lib/puppet/parser/functions/select.rb +6 -38
- data/lib/puppet/parser/lexer.rb +1 -1
- data/lib/puppet/parser/parser_support.rb +1 -1
- data/lib/puppet/parser/resource.rb +6 -45
- data/lib/puppet/parser/scope.rb +33 -2
- data/lib/puppet/parser/type_loader.rb +4 -60
- data/lib/puppet/pops/binder/bindings_loader.rb +1 -1
- data/lib/puppet/pops/binder/config/binder_config.rb +3 -3
- data/lib/puppet/pops/binder/hiera2/bindings_provider.rb +1 -1
- data/lib/puppet/pops/binder/scheme_handler/confdir_hiera_scheme.rb +1 -1
- data/lib/puppet/pops/binder/scheme_handler/module_hiera_scheme.rb +2 -2
- data/lib/puppet/pops/issues.rb +4 -0
- data/lib/puppet/pops/model/ast_transformer.rb +4 -1
- data/lib/puppet/pops/model/model_label_provider.rb +1 -1
- data/lib/puppet/pops/parser/egrammar.ra +5 -24
- data/lib/puppet/pops/parser/eparser.rb +859 -902
- data/lib/puppet/pops/parser/lexer.rb +48 -30
- data/lib/puppet/pops/parser/parser_support.rb +1 -1
- data/lib/puppet/pops/patterns.rb +4 -4
- data/lib/puppet/pops/utils.rb +1 -1
- data/lib/puppet/pops/validation/checker3_1.rb +25 -20
- data/lib/puppet/provider.rb +23 -6
- data/lib/puppet/provider/aixobject.rb +0 -0
- data/lib/puppet/provider/augeas/augeas.rb +21 -5
- data/lib/puppet/provider/confine.rb +5 -79
- data/lib/puppet/provider/cron/crontab.rb +0 -0
- data/lib/puppet/provider/exec.rb +9 -7
- data/lib/puppet/provider/exec/posix.rb +10 -1
- data/lib/puppet/provider/exec/windows.rb +1 -1
- data/lib/puppet/provider/file/posix.rb +1 -0
- data/lib/puppet/provider/file/windows.rb +16 -5
- data/lib/puppet/provider/group/aix.rb +0 -0
- data/lib/puppet/provider/group/windows_adsi.rb +33 -1
- data/lib/puppet/provider/macauthorization/macauthorization.rb +1 -1
- data/lib/puppet/provider/mailalias/aliases.rb +0 -0
- data/lib/puppet/provider/maillist/mailman.rb +0 -0
- data/lib/puppet/provider/mount/parsed.rb +0 -0
- data/lib/puppet/provider/nameservice/directoryservice.rb +3 -3
- data/lib/puppet/provider/package/appdmg.rb +1 -1
- data/lib/puppet/provider/package/apple.rb +1 -1
- data/lib/puppet/provider/package/apt.rb +1 -1
- data/lib/puppet/provider/package/aptitude.rb +0 -0
- data/lib/puppet/provider/package/blastwave.rb +1 -1
- data/lib/puppet/provider/package/dpkg.rb +1 -1
- data/lib/puppet/provider/package/fink.rb +1 -1
- data/lib/puppet/provider/package/freebsd.rb +0 -0
- data/lib/puppet/provider/package/gem.rb +0 -0
- data/lib/puppet/provider/package/macports.rb +0 -0
- data/lib/puppet/provider/package/msi.rb +4 -10
- data/lib/puppet/provider/package/nim.rb +8 -8
- data/lib/puppet/provider/package/openbsd.rb +1 -1
- data/lib/puppet/provider/package/opkg.rb +0 -0
- data/lib/puppet/provider/package/pacman.rb +2 -2
- data/lib/puppet/provider/package/pkgdmg.rb +1 -1
- data/lib/puppet/provider/package/pkgutil.rb +1 -1
- data/lib/puppet/provider/package/ports.rb +0 -0
- data/lib/puppet/provider/package/rpm.rb +39 -3
- data/lib/puppet/provider/package/sun.rb +3 -3
- data/lib/puppet/provider/package/sunfreeware.rb +0 -0
- data/lib/puppet/provider/package/windows.rb +12 -19
- data/lib/puppet/provider/package/windows/package.rb +1 -1
- data/lib/puppet/provider/package/yum.rb +2 -2
- data/lib/puppet/provider/parsedfile.rb +0 -0
- data/lib/puppet/provider/port/parsed.rb +0 -0
- data/lib/puppet/provider/service/base.rb +0 -0
- data/lib/puppet/provider/service/bsd.rb +3 -3
- data/lib/puppet/provider/service/daemontools.rb +8 -8
- data/lib/puppet/provider/service/debian.rb +0 -0
- data/lib/puppet/provider/service/freebsd.rb +3 -3
- data/lib/puppet/provider/service/init.rb +5 -4
- data/lib/puppet/provider/service/launchd.rb +35 -24
- data/lib/puppet/provider/service/openbsd.rb +23 -0
- data/lib/puppet/provider/service/redhat.rb +0 -0
- data/lib/puppet/provider/service/runit.rb +3 -3
- data/lib/puppet/provider/service/smf.rb +0 -0
- data/lib/puppet/provider/service/src.rb +0 -0
- data/lib/puppet/provider/service/systemd.rb +0 -0
- data/lib/puppet/provider/service/upstart.rb +3 -3
- data/lib/puppet/provider/ssh_authorized_key/parsed.rb +2 -2
- data/lib/puppet/provider/sshkey/parsed.rb +0 -0
- data/lib/puppet/provider/user/aix.rb +0 -0
- data/lib/puppet/provider/user/directoryservice.rb +1 -1
- data/lib/puppet/provider/user/useradd.rb +1 -1
- data/lib/puppet/provider/zone/solaris.rb +1 -1
- data/lib/puppet/rails/benchmark.rb +1 -1
- data/lib/puppet/reference/configuration.rb +1 -2
- data/lib/puppet/reference/indirection.rb +12 -14
- data/lib/puppet/relationship.rb +7 -4
- data/lib/puppet/reports.rb +2 -2
- data/lib/puppet/reports/rrdgraph.rb +1 -1
- data/lib/puppet/reports/store.rb +3 -3
- data/lib/puppet/reports/tagmail.rb +2 -2
- data/lib/puppet/resource.rb +66 -8
- data/lib/puppet/resource/catalog.rb +18 -25
- data/lib/puppet/resource/status.rb +10 -4
- data/lib/puppet/run.rb +6 -2
- data/lib/puppet/settings.rb +39 -119
- data/lib/puppet/settings/base_setting.rb +8 -9
- data/lib/puppet/settings/directory_setting.rb +8 -0
- data/lib/puppet/settings/file_setting.rb +35 -1
- data/lib/puppet/settings/priority_setting.rb +42 -0
- data/lib/puppet/ssl.rb +4 -0
- data/lib/puppet/ssl/certificate.rb +18 -0
- data/lib/puppet/ssl/certificate_authority.rb +101 -72
- data/lib/puppet/ssl/certificate_authority/autosign_command.rb +44 -0
- data/lib/puppet/ssl/certificate_authority/interface.rb +21 -17
- data/lib/puppet/ssl/certificate_factory.rb +38 -12
- data/lib/puppet/ssl/certificate_request.rb +201 -47
- data/lib/puppet/ssl/certificate_request_attributes.rb +34 -0
- data/lib/puppet/ssl/certificate_revocation_list.rb +2 -2
- data/lib/puppet/ssl/host.rb +21 -10
- data/lib/puppet/ssl/inventory.rb +6 -10
- data/lib/puppet/ssl/key.rb +1 -1
- data/lib/puppet/ssl/oids.rb +78 -0
- data/lib/puppet/ssl/validator.rb +41 -97
- data/lib/puppet/ssl/validator/default_validator.rb +153 -0
- data/lib/puppet/ssl/validator/no_validator.rb +17 -0
- data/lib/puppet/status.rb +4 -0
- data/lib/puppet/test/test_helper.rb +5 -0
- data/lib/puppet/transaction.rb +13 -0
- data/lib/puppet/transaction/event.rb +8 -3
- data/lib/puppet/transaction/report.rb +6 -2
- data/lib/puppet/transaction/resource_harness.rb +173 -115
- data/lib/puppet/type.rb +30 -13
- data/lib/puppet/type/augeas.rb +12 -46
- data/lib/puppet/type/component.rb +1 -7
- data/lib/puppet/type/cron.rb +0 -0
- data/lib/puppet/type/exec.rb +13 -1
- data/lib/puppet/type/file.rb +19 -10
- data/lib/puppet/type/file/checksum.rb +0 -0
- data/lib/puppet/type/file/content.rb +3 -0
- data/lib/puppet/type/file/ensure.rb +33 -15
- data/lib/puppet/type/file/group.rb +0 -0
- data/lib/puppet/type/file/mode.rb +6 -2
- data/lib/puppet/type/file/owner.rb +0 -0
- data/lib/puppet/type/file/source.rb +65 -14
- data/lib/puppet/type/file/target.rb +6 -6
- data/lib/puppet/type/file/type.rb +0 -0
- data/lib/puppet/type/filebucket.rb +0 -0
- data/lib/puppet/type/group.rb +18 -0
- data/lib/puppet/type/host.rb +0 -0
- data/lib/puppet/type/k5login.rb +4 -4
- data/lib/puppet/type/mailalias.rb +0 -0
- data/lib/puppet/type/maillist.rb +0 -0
- data/lib/puppet/type/mount.rb +15 -1
- data/lib/puppet/type/package.rb +7 -1
- data/lib/puppet/type/port.rb +0 -0
- data/lib/puppet/type/schedule.rb +9 -4
- data/lib/puppet/type/service.rb +1 -1
- data/lib/puppet/type/sshkey.rb +0 -0
- data/lib/puppet/type/tidy.rb +1 -1
- data/lib/puppet/type/user.rb +3 -0
- data/lib/puppet/type/yumrepo.rb +8 -6
- data/lib/puppet/type/zpool.rb +0 -0
- data/lib/puppet/util.rb +4 -31
- data/lib/puppet/util/adsi.rb +73 -17
- data/lib/puppet/util/autoload.rb +3 -3
- data/lib/puppet/util/backups.rb +4 -4
- data/lib/puppet/util/cacher.rb +7 -13
- data/lib/puppet/util/checksums.rb +2 -2
- data/lib/puppet/util/classgen.rb +3 -1
- data/lib/puppet/util/colors.rb +1 -0
- data/lib/puppet/util/command_line.rb +5 -0
- data/lib/puppet/util/docs.rb +33 -27
- data/lib/puppet/util/execution.rb +42 -18
- data/lib/puppet/util/filetype.rb +3 -3
- data/lib/puppet/util/instance_loader.rb +2 -2
- data/lib/puppet/util/instrumentation.rb +23 -42
- data/lib/puppet/util/instrumentation/data.rb +11 -4
- data/lib/puppet/util/instrumentation/indirection_probe.rb +11 -4
- data/lib/puppet/util/instrumentation/instrumentable.rb +7 -14
- data/lib/puppet/util/instrumentation/listener.rb +15 -8
- data/lib/puppet/util/instrumentation/listeners/log.rb +4 -10
- data/lib/puppet/util/instrumentation/listeners/performance.rb +8 -14
- data/lib/puppet/util/limits.rb +12 -0
- data/lib/puppet/util/lockfile.rb +2 -2
- data/lib/puppet/util/log.rb +14 -6
- data/lib/puppet/util/log/destinations.rb +23 -1
- data/lib/puppet/util/metric.rb +9 -3
- data/lib/puppet/util/monkey_patches.rb +7 -2
- data/lib/puppet/util/network_device/config.rb +1 -1
- data/lib/puppet/util/plugins.rb +1 -1
- data/lib/puppet/util/posix.rb +0 -0
- data/lib/puppet/util/profiler.rb +7 -2
- data/lib/puppet/util/provider_features.rb +2 -2
- data/lib/puppet/util/rdoc.rb +28 -30
- data/lib/puppet/util/rdoc/code_objects.rb +75 -25
- data/lib/puppet/util/rdoc/generators/puppet_generator.rb +1 -1
- data/lib/puppet/util/rdoc/parser.rb +12 -487
- data/lib/puppet/util/rdoc/parser/puppet_parser_core.rb +477 -0
- data/lib/puppet/util/rdoc/parser/puppet_parser_rdoc1.rb +19 -0
- data/lib/puppet/util/rdoc/parser/puppet_parser_rdoc2.rb +14 -0
- data/lib/puppet/util/reference.rb +1 -1
- data/lib/puppet/util/resource_template.rb +1 -1
- data/lib/puppet/util/selinux.rb +1 -1
- data/lib/puppet/util/storage.rb +2 -2
- data/lib/puppet/util/suidmanager.rb +1 -1
- data/lib/puppet/util/tag_set.rb +29 -0
- data/lib/puppet/util/tagging.rb +8 -24
- data/lib/puppet/util/watched_file.rb +1 -1
- data/lib/puppet/util/watcher.rb +1 -1
- data/lib/puppet/util/windows.rb +3 -0
- data/lib/puppet/util/windows/access_control_entry.rb +84 -0
- data/lib/puppet/util/windows/access_control_list.rb +106 -0
- data/lib/puppet/util/windows/file.rb +213 -0
- data/lib/puppet/util/windows/process.rb +199 -0
- data/lib/puppet/util/windows/root_certs.rb +52 -37
- data/lib/puppet/util/windows/security.rb +270 -245
- data/lib/puppet/util/windows/security_descriptor.rb +62 -0
- data/lib/puppet/util/windows/sid.rb +26 -4
- data/lib/puppet/version.rb +2 -2
- data/spec/fixtures/releases/jamtur01-apache/lib/puppet/provider/a2mod/debian.rb +1 -1
- data/spec/fixtures/unit/indirector/{hiera → data_binding/hiera}/global.yaml +0 -0
- data/spec/fixtures/unit/indirector/data_binding/hiera/invalid.yaml +1 -0
- data/spec/fixtures/unit/module/trailing-comma.json +24 -0
- data/spec/fixtures/unit/util/monkey_patches/x509.pem +32 -0
- data/spec/integration/application/apply_spec.rb +1 -1
- data/spec/integration/application/doc_spec.rb +1 -1
- data/spec/integration/configurer_spec.rb +4 -2
- data/spec/integration/data_binding.rb +100 -0
- data/spec/integration/indirector/catalog/compiler_spec.rb +16 -13
- data/spec/integration/indirector/direct_file_server_spec.rb +3 -5
- data/spec/integration/indirector/file_content/file_server_spec.rb +2 -2
- data/spec/integration/node/facts_spec.rb +1 -1
- data/spec/integration/node_spec.rb +1 -1
- data/spec/integration/parser/compiler_spec.rb +90 -0
- data/spec/integration/parser/parser_spec.rb +2 -2
- data/spec/integration/provider/cron/crontab_spec.rb +3 -5
- data/spec/integration/resource/catalog_spec.rb +1 -1
- data/spec/integration/ssl/autosign_spec.rb +90 -0
- data/spec/integration/ssl/certificate_authority_spec.rb +62 -69
- data/spec/integration/ssl/certificate_revocation_list_spec.rb +1 -1
- data/spec/integration/ssl/host_spec.rb +1 -1
- data/spec/integration/transaction_spec.rb +13 -13
- data/spec/integration/type/exec_spec.rb +2 -2
- data/spec/integration/type/file_spec.rb +287 -45
- data/spec/integration/type/tidy_spec.rb +3 -3
- data/spec/integration/util/rdoc/parser_spec.rb +236 -35
- data/spec/integration/util/settings_spec.rb +1 -1
- data/spec/integration/util/windows/process_spec.rb +22 -0
- data/spec/integration/util/windows/security_spec.rb +316 -106
- data/spec/lib/matchers/containment_matchers.rb +52 -0
- data/spec/lib/puppet_spec/compiler.rb +6 -0
- data/spec/lib/puppet_spec/files.rb +20 -21
- data/spec/shared_behaviours/documentation_on_faces.rb +3 -3
- data/spec/shared_behaviours/file_server_terminus.rb +2 -2
- data/spec/shared_contexts/platform.rb +1 -0
- data/spec/spec_helper.rb +13 -1
- data/spec/unit/agent_spec.rb +0 -12
- data/spec/unit/application/agent_spec.rb +4 -4
- data/spec/unit/application/apply_spec.rb +18 -2
- data/spec/unit/application/cert_spec.rb +8 -6
- data/spec/unit/application/device_spec.rb +1 -1
- data/spec/unit/application/filebucket_spec.rb +1 -1
- data/spec/unit/application/inspect_spec.rb +1 -1
- data/spec/unit/application_spec.rb +24 -0
- data/spec/unit/configurer/downloader_spec.rb +8 -7
- data/spec/unit/configurer/fact_handler_spec.rb +23 -0
- data/spec/unit/configurer/plugin_handler_spec.rb +7 -2
- data/spec/unit/configurer_spec.rb +15 -5
- data/spec/unit/{provider/confine → confine}/exists_spec.rb +12 -12
- data/spec/unit/{provider/confine → confine}/false_spec.rb +9 -9
- data/spec/unit/{provider/confine → confine}/feature_spec.rb +10 -10
- data/spec/unit/{provider/confine → confine}/true_spec.rb +7 -7
- data/spec/unit/{provider/confine → confine}/variable_spec.rb +16 -16
- data/spec/unit/{provider/confine_collection_spec.rb → confine_collection_spec.rb} +30 -30
- data/spec/unit/{provider/confine_spec.rb → confine_spec.rb} +11 -11
- data/spec/unit/{provider/confiner_spec.rb → confiner_spec.rb} +4 -4
- data/spec/unit/face/parser_spec.rb +54 -0
- data/spec/unit/file_bucket/dipper_spec.rb +2 -2
- data/spec/unit/file_serving/base_spec.rb +32 -9
- data/spec/unit/file_serving/configuration_spec.rb +7 -7
- data/spec/unit/file_serving/content_spec.rb +12 -7
- data/spec/unit/file_serving/fileset_spec.rb +57 -27
- data/spec/unit/file_serving/metadata_spec.rb +74 -12
- data/spec/unit/file_serving/mount/file_spec.rb +10 -10
- data/spec/unit/file_serving/mount/pluginfacts_spec.rb +73 -0
- data/spec/unit/file_system/file_spec.rb +486 -0
- data/spec/unit/file_system/tempfile_spec.rb +48 -0
- data/spec/unit/graph/relationship_graph_spec.rb +0 -6
- data/spec/unit/hiera_puppet_spec.rb +2 -2
- data/spec/unit/indirector/catalog/compiler_spec.rb +15 -19
- data/spec/unit/indirector/certificate_status/file_spec.rb +30 -40
- data/spec/unit/indirector/data_binding/hiera_spec.rb +95 -2
- data/spec/unit/indirector/direct_file_server_spec.rb +6 -6
- data/spec/unit/indirector/facts/facter_spec.rb +33 -0
- data/spec/unit/indirector/file_bucket_file/file_spec.rb +61 -52
- data/spec/unit/indirector/file_metadata/file_spec.rb +2 -2
- data/spec/unit/indirector/file_server_spec.rb +4 -4
- data/spec/unit/indirector/json_spec.rb +4 -4
- data/spec/unit/indirector/key/file_spec.rb +13 -14
- data/spec/unit/indirector/resource/ral_spec.rb +7 -0
- data/spec/unit/indirector/resource/store_configs_spec.rb +11 -0
- data/spec/unit/indirector/rest_spec.rb +7 -3
- data/spec/unit/indirector/ssl_file_spec.rb +14 -17
- data/spec/unit/indirector/yaml_spec.rb +4 -4
- data/spec/unit/module_spec.rb +43 -15
- data/spec/unit/module_tool/tar/gnu_spec.rb +2 -2
- data/spec/unit/module_tool/tar/solaris_spec.rb +2 -2
- data/spec/unit/module_tool/tar_spec.rb +45 -0
- data/spec/unit/network/authconfig_spec.rb +2 -1
- data/spec/unit/network/authentication_spec.rb +2 -2
- data/spec/unit/network/format_handler_spec.rb +2 -2
- data/spec/unit/network/formats_spec.rb +24 -0
- data/spec/unit/network/http/connection_spec.rb +76 -199
- data/spec/unit/network/http/handler_spec.rb +33 -34
- data/spec/unit/network/http_pool_spec.rb +8 -5
- data/spec/unit/node/environment_spec.rb +76 -90
- data/spec/unit/node/facts_spec.rb +20 -3
- data/spec/unit/node_spec.rb +43 -0
- data/spec/unit/parameter/boolean_spec.rb +22 -12
- data/spec/unit/parser/ast/resourceparam_spec.rb +51 -0
- data/spec/unit/parser/compiler_spec.rb +103 -35
- data/spec/unit/parser/eparser_adapter_spec.rb +12 -12
- data/spec/unit/parser/files_spec.rb +11 -11
- data/spec/unit/parser/functions/contain_spec.rb +185 -0
- data/spec/unit/parser/functions/create_resources_spec.rb +13 -5
- data/spec/unit/parser/functions/generate_spec.rb +1 -1
- data/spec/unit/parser/functions_spec.rb +2 -2
- data/spec/unit/parser/lexer_spec.rb +1 -1
- data/spec/unit/parser/methods/each_spec.rb +1 -1
- data/spec/unit/parser/methods/{select_spec.rb → filter_spec.rb} +11 -11
- data/spec/unit/parser/methods/map_spec.rb +95 -0
- data/spec/unit/parser/methods/reduce_spec.rb +12 -11
- data/spec/unit/parser/methods/shared.rb +5 -5
- data/spec/unit/parser/methods/slice_spec.rb +13 -13
- data/spec/unit/parser/parser_spec.rb +1 -1
- data/spec/unit/parser/resource/param_spec.rb +44 -0
- data/spec/unit/parser/resource_spec.rb +16 -15
- data/spec/unit/pops/model/ast_transformer_spec.rb +18 -4
- data/spec/unit/pops/parser/lexer_spec.rb +22 -5
- data/spec/unit/pops/parser/parse_calls_spec.rb +5 -5
- data/spec/unit/pops/transformer/transform_calls_spec.rb +6 -6
- data/spec/unit/pops/transformer/transform_containers_spec.rb +2 -2
- data/spec/unit/pops/validator/validator_spec.rb +31 -0
- data/spec/unit/provider/augeas/augeas_spec.rb +57 -2
- data/spec/unit/provider/exec/posix_spec.rb +8 -3
- data/spec/unit/provider/file/posix_spec.rb +2 -2
- data/spec/unit/provider/group/windows_adsi_spec.rb +70 -3
- data/spec/unit/provider/nameservice/directoryservice_spec.rb +3 -3
- data/spec/unit/provider/package/apt_spec.rb +1 -1
- data/spec/unit/provider/package/msi_spec.rb +15 -42
- data/spec/unit/provider/package/openbsd_spec.rb +3 -3
- data/spec/unit/provider/package/rpm_spec.rb +56 -13
- data/spec/unit/provider/package/windows_spec.rb +15 -19
- data/spec/unit/provider/service/base_spec.rb +1 -1
- data/spec/unit/provider/service/daemontools_spec.rb +18 -8
- data/spec/unit/provider/service/freebsd_spec.rb +3 -3
- data/spec/unit/provider/service/gentoo_spec.rb +5 -2
- data/spec/unit/provider/service/init_spec.rb +17 -17
- data/spec/unit/provider/service/launchd_spec.rb +76 -23
- data/spec/unit/provider/service/openbsd_spec.rb +125 -0
- data/spec/unit/provider/service/openwrt_spec.rb +1 -1
- data/spec/unit/provider/service/runit_spec.rb +12 -5
- data/spec/unit/provider/service/upstart_spec.rb +4 -4
- data/spec/unit/provider/ssh_authorized_key/parsed_spec.rb +5 -5
- data/spec/unit/provider/user/directoryservice_spec.rb +4 -4
- data/spec/unit/provider/zone/solaris_spec.rb +1 -1
- data/spec/unit/provider_spec.rb +2 -2
- data/spec/unit/reports/http_spec.rb +19 -34
- data/spec/unit/reports/store_spec.rb +2 -2
- data/spec/unit/resource/catalog_spec.rb +81 -11
- data/spec/unit/resource/status_spec.rb +11 -1
- data/spec/unit/resource/type_spec.rb +30 -1
- data/spec/unit/resource_spec.rb +40 -4
- data/spec/unit/settings/file_setting_spec.rb +2 -2
- data/spec/unit/settings/path_setting_spec.rb +2 -2
- data/spec/unit/settings/priority_setting_spec.rb +66 -0
- data/spec/unit/settings_spec.rb +16 -31
- data/spec/unit/ssl/certificate_authority/autosign_command_spec.rb +30 -0
- data/spec/unit/ssl/certificate_authority_spec.rb +129 -134
- data/spec/unit/ssl/certificate_factory_spec.rb +18 -0
- data/spec/unit/ssl/certificate_request_attributes_spec.rb +61 -0
- data/spec/unit/ssl/certificate_request_spec.rb +103 -0
- data/spec/unit/ssl/certificate_spec.rb +31 -18
- data/spec/unit/ssl/host_spec.rb +34 -8
- data/spec/unit/ssl/inventory_spec.rb +27 -62
- data/spec/unit/ssl/key_spec.rb +4 -4
- data/spec/unit/ssl/oids_spec.rb +48 -0
- data/spec/unit/ssl/validator_spec.rb +49 -6
- data/spec/unit/status_spec.rb +9 -0
- data/spec/unit/transaction/event_spec.rb +1 -9
- data/spec/unit/transaction/report_spec.rb +20 -1
- data/spec/unit/transaction/resource_harness_spec.rb +60 -210
- data/spec/unit/transaction_spec.rb +54 -8
- data/spec/unit/type/component_spec.rb +2 -2
- data/spec/unit/type/exec_spec.rb +14 -7
- data/spec/unit/type/file/content_spec.rb +13 -2
- data/spec/unit/type/file/ctime_spec.rb +1 -1
- data/spec/unit/type/file/mode_spec.rb +48 -2
- data/spec/unit/type/file/mtime_spec.rb +1 -1
- data/spec/unit/type/file/source_spec.rb +177 -7
- data/spec/unit/type/file_spec.rb +63 -71
- data/spec/unit/type/group_spec.rb +20 -0
- data/spec/unit/type/k5login_spec.rb +3 -3
- data/spec/unit/type/mount_spec.rb +53 -0
- data/spec/unit/type/nagios_spec.rb +216 -0
- data/spec/unit/type/package_spec.rb +7 -1
- data/spec/unit/type/schedule_spec.rb +6 -0
- data/spec/unit/type/service_spec.rb +3 -3
- data/spec/unit/type/tidy_spec.rb +14 -14
- data/spec/unit/type/user_spec.rb +9 -0
- data/spec/unit/type_spec.rb +86 -4
- data/spec/unit/util/adsi_spec.rb +120 -12
- data/spec/unit/util/autoload_spec.rb +14 -14
- data/spec/unit/util/backups_spec.rb +29 -21
- data/spec/unit/util/checksums_spec.rb +2 -1
- data/spec/unit/util/command_line_spec.rb +41 -0
- data/spec/unit/util/docs_spec.rb +91 -0
- data/spec/unit/util/execution_spec.rb +26 -2
- data/spec/unit/util/filetype_spec.rb +7 -7
- data/spec/unit/util/lockfile_spec.rb +2 -2
- data/spec/unit/util/log/destinations_spec.rb +32 -0
- data/spec/unit/util/monkey_patches_spec.rb +41 -0
- data/spec/unit/util/pidlock_spec.rb +6 -6
- data/spec/unit/util/rdoc/parser_spec.rb +15 -13
- data/spec/unit/util/rdoc_spec.rb +18 -24
- data/spec/unit/util/resource_template_spec.rb +3 -3
- data/spec/unit/util/selinux_spec.rb +4 -2
- data/spec/unit/util/storage_spec.rb +4 -4
- data/spec/unit/util/suidmanager_spec.rb +7 -0
- data/spec/unit/util/tag_set_spec.rb +46 -0
- data/spec/unit/util/tagging_spec.rb +82 -45
- data/spec/unit/util/watcher_spec.rb +4 -1
- data/spec/unit/util/windows/access_control_entry_spec.rb +67 -0
- data/spec/unit/util/windows/access_control_list_spec.rb +133 -0
- data/spec/unit/util/windows/root_certs_spec.rb +10 -8
- data/spec/unit/util/windows/security_descriptor_spec.rb +117 -0
- data/spec/unit/util/windows/sid_spec.rb +69 -0
- data/spec/unit/util_spec.rb +7 -7
- data/tasks/ci.rake +17 -36
- metadata +2811 -2746
- checksums.yaml +0 -7
- data/examples/mac_automount.pp +0 -16
- data/examples/mcx_dock_absent.pp +0 -4
- data/examples/mcx_dock_default.pp +0 -118
- data/examples/mcx_dock_full.pp +0 -125
- data/examples/mcx_dock_invalid.pp +0 -9
- data/examples/mcx_nogroup.pp +0 -118
- data/examples/mcx_notexists_absent.pp +0 -4
- data/ext/rack/README +0 -58
- data/ext/rack/manifest.pp +0 -59
- data/lib/puppet/external/lock.rb +0 -63
- data/lib/puppet/indirector/hiera.rb +0 -39
- data/lib/puppet/parser/functions/foreach.rb +0 -95
- data/spec/integration/network/server/webrick_spec.rb +0 -76
- data/spec/integration/parser/functions_spec.rb +0 -16
- data/spec/unit/indirector/hiera_spec.rb +0 -154
- data/spec/unit/parser/methods/collect_spec.rb +0 -153
- data/spec/unit/parser/methods/foreach_spec.rb +0 -91
- data/spec/unit/parser/methods/reject_spec.rb +0 -73
- data/spec/unit/resource/resource_type.json +0 -34
|
@@ -66,17 +66,7 @@ module Puppet::SSL::CertificateFactory
|
|
|
66
66
|
inject({}) {|ret, val| ret.merge(val) }
|
|
67
67
|
|
|
68
68
|
cert.extensions = exts.map do |oid, val|
|
|
69
|
-
|
|
70
|
-
val = val.join(', ') unless val.is_a? String
|
|
71
|
-
|
|
72
|
-
# Enforce the X509v3 rules about subjectAltName being critical:
|
|
73
|
-
# specifically, it SHOULD NOT be critical if we have a subject, which we
|
|
74
|
-
# always do. --daniel 2011-10-18
|
|
75
|
-
crit = false if oid == "subjectAltName"
|
|
76
|
-
|
|
77
|
-
# val can be either a string, or [string, critical], and this does the
|
|
78
|
-
# right thing regardless of what we get passed.
|
|
79
|
-
ef.create_ext(oid, val, crit)
|
|
69
|
+
generate_extension(ef, oid, *val)
|
|
80
70
|
end
|
|
81
71
|
end
|
|
82
72
|
|
|
@@ -144,5 +134,41 @@ module Puppet::SSL::CertificateFactory
|
|
|
144
134
|
"nsCertType" => "client,email",
|
|
145
135
|
}
|
|
146
136
|
end
|
|
147
|
-
end
|
|
148
137
|
|
|
138
|
+
# Generate an extension with the given OID, value, and critical state
|
|
139
|
+
#
|
|
140
|
+
# @param oid [String] The numeric value or short name of a given OID. X509v3
|
|
141
|
+
# extensions must be passed by short name or long name, while custom
|
|
142
|
+
# extensions may be passed by short name, long name, oid numeric OID.
|
|
143
|
+
# @param ef [OpenSSL::X509::ExtensionFactory] The extension factory to use
|
|
144
|
+
# when generating the extension.
|
|
145
|
+
# @param val [String, Array<String>] The extension value.
|
|
146
|
+
# @param crit [true, false] Whether the given extension is critical, defaults
|
|
147
|
+
# to false.
|
|
148
|
+
#
|
|
149
|
+
# @return [OpenSSL::X509::Extension]
|
|
150
|
+
#
|
|
151
|
+
# @api private
|
|
152
|
+
def self.generate_extension(ef, oid, val, crit = false)
|
|
153
|
+
|
|
154
|
+
val = val.join(', ') unless val.is_a? String
|
|
155
|
+
|
|
156
|
+
# Enforce the X509v3 rules about subjectAltName being critical:
|
|
157
|
+
# specifically, it SHOULD NOT be critical if we have a subject, which we
|
|
158
|
+
# always do. --daniel 2011-10-18
|
|
159
|
+
crit = false if oid == "subjectAltName"
|
|
160
|
+
|
|
161
|
+
if Puppet::SSL::Oids.subtree_of?('id-ce', oid) or Puppet::SSL::Oids.subtree_of?('id-pkix', oid)
|
|
162
|
+
# Attempt to create a X509v3 certificate extension. Standard certificate
|
|
163
|
+
# extensions may need access to the associated subject certificate and
|
|
164
|
+
# issuing certificate, so must be created by the OpenSSL::X509::ExtensionFactory
|
|
165
|
+
# which provides that context.
|
|
166
|
+
ef.create_ext(oid, val, crit)
|
|
167
|
+
else
|
|
168
|
+
# This is not an X509v3 extension which means that the extension
|
|
169
|
+
# factory cannot generate it. We need to generate the extension
|
|
170
|
+
# manually.
|
|
171
|
+
OpenSSL::X509::Extension.new(oid, val, crit)
|
|
172
|
+
end
|
|
173
|
+
end
|
|
174
|
+
end
|
|
@@ -1,7 +1,30 @@
|
|
|
1
1
|
require 'puppet/ssl/base'
|
|
2
2
|
require 'puppet/ssl/certificate_signer'
|
|
3
3
|
|
|
4
|
-
#
|
|
4
|
+
# This class creates and manages X509 certificate signing requests.
|
|
5
|
+
#
|
|
6
|
+
# ## CSR attributes
|
|
7
|
+
#
|
|
8
|
+
# CSRs may contain a set of attributes that includes supplementary information
|
|
9
|
+
# about the CSR or information for the signed certificate.
|
|
10
|
+
#
|
|
11
|
+
# PKCS#9/RFC 2985 section 5.4 formally defines the "Challenge password",
|
|
12
|
+
# "Extension request", and "Extended-certificate attributes", but this
|
|
13
|
+
# implementation only handles the "Extension request" attribute. Other
|
|
14
|
+
# attributes may be defined on a CSR, but the RFC doesn't define behavior for
|
|
15
|
+
# any other attributes so we treat them as only informational.
|
|
16
|
+
#
|
|
17
|
+
# ## CSR Extension request attribute
|
|
18
|
+
#
|
|
19
|
+
# CSRs may contain an optional set of extension requests, which allow CSRs to
|
|
20
|
+
# include additional information that may be included in the signed
|
|
21
|
+
# certificate. Any additional information that should be copied from the CSR
|
|
22
|
+
# to the signed certificate MUST be included in this attribute.
|
|
23
|
+
#
|
|
24
|
+
# This behavior is dictated by PKCS#9/RFC 2985 section 5.4.2.
|
|
25
|
+
#
|
|
26
|
+
# @see http://tools.ietf.org/html/rfc2985 "RFC 2985 Section 5.4.2 Extension request"
|
|
27
|
+
#
|
|
5
28
|
class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
|
|
6
29
|
wraps OpenSSL::X509::Request
|
|
7
30
|
|
|
@@ -14,7 +37,7 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
|
|
|
14
37
|
|
|
15
38
|
# Try to autosign the CSR.
|
|
16
39
|
if ca = Puppet::SSL::CertificateAuthority.instance
|
|
17
|
-
ca.autosign
|
|
40
|
+
ca.autosign(instance)
|
|
18
41
|
end
|
|
19
42
|
end
|
|
20
43
|
end
|
|
@@ -34,7 +57,22 @@ DOC
|
|
|
34
57
|
@ef ||= OpenSSL::X509::ExtensionFactory.new
|
|
35
58
|
end
|
|
36
59
|
|
|
37
|
-
#
|
|
60
|
+
# Create a certificate request with our system settings.
|
|
61
|
+
#
|
|
62
|
+
# @param key [OpenSSL::X509::Key, Puppet::SSL::Key] The key pair associated
|
|
63
|
+
# with this CSR.
|
|
64
|
+
# @param opts [Hash]
|
|
65
|
+
# @options opts [String] :dns_alt_names A comma separated list of
|
|
66
|
+
# Subject Alternative Names to include in the CSR extension request.
|
|
67
|
+
# @options opts [Hash<String, String, Array<String>>] :csr_attributes A hash
|
|
68
|
+
# of OIDs and values that are either a string or array of strings.
|
|
69
|
+
# @options opts [Array<String, String>] :extension_requests A hash of
|
|
70
|
+
# certificate extensions to add to the CSR extReq attribute, excluding
|
|
71
|
+
# the Subject Alternative Names extension.
|
|
72
|
+
#
|
|
73
|
+
# @raise [Puppet::Error] If the generated CSR signature couldn't be verified
|
|
74
|
+
#
|
|
75
|
+
# @return [OpenSSL::X509::Request] The generated CSR
|
|
38
76
|
def generate(key, options = {})
|
|
39
77
|
Puppet.info "Creating a new SSL certificate request for #{name}"
|
|
40
78
|
|
|
@@ -51,16 +89,12 @@ DOC
|
|
|
51
89
|
csr.subject = OpenSSL::X509::Name.new([["CN", common_name]])
|
|
52
90
|
csr.public_key = key.public_key
|
|
53
91
|
|
|
54
|
-
if options[:
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
names = extension_factory.create_extension("subjectAltName", names, false)
|
|
58
|
-
|
|
59
|
-
extReq = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence([names])])
|
|
92
|
+
if options[:csr_attributes]
|
|
93
|
+
add_csr_attributes(csr, options[:csr_attributes])
|
|
94
|
+
end
|
|
60
95
|
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
csr.add_attribute(OpenSSL::X509::Attribute.new("extReq", extReq))
|
|
96
|
+
if (ext_req_attribute = extension_request_attribute(options))
|
|
97
|
+
csr.add_attribute(ext_req_attribute)
|
|
64
98
|
end
|
|
65
99
|
|
|
66
100
|
signer = Puppet::SSL::CertificateSigner.new
|
|
@@ -74,72 +108,192 @@ DOC
|
|
|
74
108
|
end
|
|
75
109
|
|
|
76
110
|
# Return the set of extensions requested on this CSR, in a form designed to
|
|
77
|
-
# be useful to Ruby:
|
|
111
|
+
# be useful to Ruby: an array of hashes. Which, not coincidentally, you can pass
|
|
78
112
|
# successfully to the OpenSSL constructor later, if you want.
|
|
113
|
+
#
|
|
114
|
+
# @return [Array<Hash{String => String}>] An array of two or three element
|
|
115
|
+
# hashes, with key/value pairs for the extension's oid, its value, and
|
|
116
|
+
# optionally its critical state.
|
|
79
117
|
def request_extensions
|
|
80
118
|
raise Puppet::Error, "CSR needs content to extract fields" unless @content
|
|
81
119
|
|
|
82
120
|
# Prefer the standard extReq, but accept the Microsoft specific version as
|
|
83
121
|
# a fallback, if the standard version isn't found.
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
return [] unless
|
|
87
|
-
|
|
88
|
-
# Assert the structure and extract the names into an array of arrays.
|
|
89
|
-
unless ext.value.is_a? OpenSSL::ASN1::Set
|
|
90
|
-
raise Puppet::Error, "In #{ext.oid}, expected Set but found #{ext.value.class}"
|
|
91
|
-
end
|
|
92
|
-
|
|
93
|
-
unless ext.value.value.is_a? Array
|
|
94
|
-
raise Puppet::Error, "In #{ext.oid}, expected Set[Array] but found #{ext.value.value.class}"
|
|
95
|
-
end
|
|
96
|
-
|
|
97
|
-
unless ext.value.value.length == 1
|
|
98
|
-
raise Puppet::Error, "In #{ext.oid}, expected Set[Array[...]], but found #{ext.value.value.length} items in the array"
|
|
99
|
-
end
|
|
122
|
+
attribute = @content.attributes.find {|x| x.oid == "extReq" }
|
|
123
|
+
attribute ||= @content.attributes.find {|x| x.oid == "msExtReq" }
|
|
124
|
+
return [] unless attribute
|
|
100
125
|
|
|
101
|
-
|
|
102
|
-
unless san.is_a? OpenSSL::ASN1::Sequence
|
|
103
|
-
raise Puppet::Error, "In #{ext.oid}, expected Set[Array[Sequence[...]]], but found #{san.class}"
|
|
104
|
-
end
|
|
105
|
-
san = san.value
|
|
126
|
+
extensions = unpack_extension_request(attribute)
|
|
106
127
|
|
|
107
|
-
# OK, now san should be the array of items, validate that...
|
|
108
128
|
index = -1
|
|
109
|
-
|
|
129
|
+
extensions.map do |ext_values|
|
|
110
130
|
index += 1
|
|
111
|
-
|
|
112
|
-
unless name.is_a? OpenSSL::ASN1::Sequence
|
|
113
|
-
raise Puppet::Error, "In #{ext.oid}, expected request extension record #{index} to be a Sequence, but found #{name.class}"
|
|
114
|
-
end
|
|
115
|
-
name = name.value
|
|
131
|
+
context = "#{attribute.oid} extension index #{index}"
|
|
116
132
|
|
|
117
133
|
# OK, turn that into an extension, to unpack the content. Lovely that
|
|
118
134
|
# we have to swap the order of arguments to the underlying method, or
|
|
119
135
|
# perhaps that the ASN.1 representation chose to pack them in a
|
|
120
136
|
# strange order where the optional component comes *earlier* than the
|
|
121
137
|
# fixed component in the sequence.
|
|
122
|
-
case
|
|
138
|
+
case ext_values.length
|
|
123
139
|
when 2
|
|
124
|
-
ev = OpenSSL::X509::Extension.new(
|
|
140
|
+
ev = OpenSSL::X509::Extension.new(ext_values[0].value, ext_values[1].value)
|
|
125
141
|
{ "oid" => ev.oid, "value" => ev.value }
|
|
126
142
|
|
|
127
143
|
when 3
|
|
128
|
-
ev = OpenSSL::X509::Extension.new(
|
|
144
|
+
ev = OpenSSL::X509::Extension.new(ext_values[0].value, ext_values[2].value, ext_values[1].value)
|
|
129
145
|
{ "oid" => ev.oid, "value" => ev.value, "critical" => ev.critical? }
|
|
130
146
|
|
|
131
147
|
else
|
|
132
|
-
raise Puppet::Error, "In #{
|
|
148
|
+
raise Puppet::Error, "In #{attribute.oid}, expected extension record #{index} to have two or three items, but found #{ext_values.length}"
|
|
133
149
|
end
|
|
134
|
-
end
|
|
150
|
+
end
|
|
135
151
|
end
|
|
136
152
|
|
|
137
153
|
def subject_alt_names
|
|
138
154
|
@subject_alt_names ||= request_extensions.
|
|
139
|
-
select {|x| x["oid"]
|
|
155
|
+
select {|x| x["oid"] == "subjectAltName" }.
|
|
140
156
|
map {|x| x["value"].split(/\s*,\s*/) }.
|
|
141
157
|
flatten.
|
|
142
158
|
sort.
|
|
143
159
|
uniq
|
|
144
160
|
end
|
|
161
|
+
|
|
162
|
+
# Return all user specified attributes attached to this CSR as a hash. IF an
|
|
163
|
+
# OID has a single value it is returned as a string, otherwise all values are
|
|
164
|
+
# returned as an array.
|
|
165
|
+
#
|
|
166
|
+
# The format of CSR attributes is specified in PKCS#10/RFC 2986
|
|
167
|
+
#
|
|
168
|
+
# @see http://tools.ietf.org/html/rfc2986 "RFC 2986 Certification Request Syntax Specification"
|
|
169
|
+
#
|
|
170
|
+
# @api public
|
|
171
|
+
#
|
|
172
|
+
# @return [Hash<String, String>]
|
|
173
|
+
def custom_attributes
|
|
174
|
+
x509_attributes = @content.attributes.reject do |attr|
|
|
175
|
+
PRIVATE_CSR_ATTRIBUTES.include? attr.oid
|
|
176
|
+
end
|
|
177
|
+
|
|
178
|
+
x509_attributes.map do |attr|
|
|
179
|
+
{"oid" => attr.oid, "value" => attr.value.first.value}
|
|
180
|
+
end
|
|
181
|
+
end
|
|
182
|
+
|
|
183
|
+
private
|
|
184
|
+
|
|
185
|
+
# Exclude OIDs that may conflict with how Puppet creates CSRs.
|
|
186
|
+
#
|
|
187
|
+
# We only have nominal support for Microsoft extension requests, but since we
|
|
188
|
+
# ultimately respect that field when looking for extension requests in a CSR
|
|
189
|
+
# we need to prevent that field from being written to directly.
|
|
190
|
+
PRIVATE_CSR_ATTRIBUTES = [
|
|
191
|
+
'extReq', '1.2.840.113549.1.9.14',
|
|
192
|
+
'msExtReq', '1.3.6.1.4.1.311.2.1.14',
|
|
193
|
+
]
|
|
194
|
+
|
|
195
|
+
def add_csr_attributes(csr, csr_attributes)
|
|
196
|
+
csr_attributes.each do |oid, value|
|
|
197
|
+
begin
|
|
198
|
+
if PRIVATE_CSR_ATTRIBUTES.include? oid
|
|
199
|
+
raise ArgumentError, "Cannot specify CSR attribute #{oid}: conflicts with internally used CSR attribute"
|
|
200
|
+
end
|
|
201
|
+
|
|
202
|
+
encoded = OpenSSL::ASN1::PrintableString.new(value.to_s)
|
|
203
|
+
|
|
204
|
+
attr_set = OpenSSL::ASN1::Set.new([encoded])
|
|
205
|
+
csr.add_attribute(OpenSSL::X509::Attribute.new(oid, attr_set))
|
|
206
|
+
Puppet.debug("Added csr attribute: #{oid} => #{attr_set.inspect}")
|
|
207
|
+
rescue OpenSSL::X509::AttributeError => e
|
|
208
|
+
raise Puppet::Error, "Cannot create CSR with attribute #{oid}: #{e.message}"
|
|
209
|
+
end
|
|
210
|
+
end
|
|
211
|
+
end
|
|
212
|
+
|
|
213
|
+
private
|
|
214
|
+
|
|
215
|
+
PRIVATE_EXTENSIONS = [
|
|
216
|
+
'subjectAltName', '2.5.29.17',
|
|
217
|
+
]
|
|
218
|
+
|
|
219
|
+
# @api private
|
|
220
|
+
def extension_request_attribute(options)
|
|
221
|
+
extensions = []
|
|
222
|
+
|
|
223
|
+
if options[:extension_requests]
|
|
224
|
+
options[:extension_requests].each_pair do |oid, value|
|
|
225
|
+
begin
|
|
226
|
+
if PRIVATE_EXTENSIONS.include? oid
|
|
227
|
+
raise Puppet::Error, "Cannot specify CSR extension request #{oid}: conflicts with internally used extension request"
|
|
228
|
+
end
|
|
229
|
+
|
|
230
|
+
ext = OpenSSL::X509::Extension.new(oid, value.to_s, false)
|
|
231
|
+
extensions << ext
|
|
232
|
+
rescue OpenSSL::X509::ExtensionError => e
|
|
233
|
+
raise Puppet::Error, "Cannot create CSR with extension request #{oid}: #{e.message}"
|
|
234
|
+
end
|
|
235
|
+
end
|
|
236
|
+
end
|
|
237
|
+
|
|
238
|
+
if options[:dns_alt_names]
|
|
239
|
+
names = options[:dns_alt_names].split(/\s*,\s*/).map(&:strip) + [name]
|
|
240
|
+
names = names.sort.uniq.map {|name| "DNS:#{name}" }.join(", ")
|
|
241
|
+
alt_names_ext = extension_factory.create_extension("subjectAltName", names, false)
|
|
242
|
+
|
|
243
|
+
extensions << alt_names_ext
|
|
244
|
+
end
|
|
245
|
+
|
|
246
|
+
unless extensions.empty?
|
|
247
|
+
seq = OpenSSL::ASN1::Sequence(extensions)
|
|
248
|
+
ext_req = OpenSSL::ASN1::Set([seq])
|
|
249
|
+
OpenSSL::X509::Attribute.new("extReq", ext_req)
|
|
250
|
+
end
|
|
251
|
+
end
|
|
252
|
+
|
|
253
|
+
# Unpack the extReq attribute into an array of Extensions.
|
|
254
|
+
#
|
|
255
|
+
# The extension request attribute is structured like
|
|
256
|
+
# `Set[Sequence[Extensions]]` where the outer Set only contains a single
|
|
257
|
+
# sequence.
|
|
258
|
+
#
|
|
259
|
+
# In addition the Ruby implementation of ASN1 requires that all ASN1 values
|
|
260
|
+
# contain a single value, so Sets and Sequence have to contain an array
|
|
261
|
+
# that in turn holds the elements. This is why we have to unpack an array
|
|
262
|
+
# every time we unpack a Set/Seq.
|
|
263
|
+
#
|
|
264
|
+
# @see http://tools.ietf.org/html/rfc2985#ref-10 5.4.2 CSR Extension Request structure
|
|
265
|
+
# @see http://tools.ietf.org/html/rfc5280 4.1 Certificate Extension structure
|
|
266
|
+
#
|
|
267
|
+
# @api private
|
|
268
|
+
#
|
|
269
|
+
# @param attribute [OpenSSL::X509::Attribute] The X509 extension request
|
|
270
|
+
#
|
|
271
|
+
# @return [Array<Array<Object>>] A array of arrays containing the extension
|
|
272
|
+
# OID the critical state if present, and the extension value.
|
|
273
|
+
def unpack_extension_request(attribute)
|
|
274
|
+
|
|
275
|
+
unless attribute.value.is_a? OpenSSL::ASN1::Set
|
|
276
|
+
raise Puppet::Error, "In #{attribute.oid}, expected Set but found #{attribute.value.class}"
|
|
277
|
+
end
|
|
278
|
+
|
|
279
|
+
unless attribute.value.value.is_a? Array
|
|
280
|
+
raise Puppet::Error, "In #{attribute.oid}, expected Set[Array] but found #{attribute.value.value.class}"
|
|
281
|
+
end
|
|
282
|
+
|
|
283
|
+
unless attribute.value.value.size == 1
|
|
284
|
+
raise Puppet::Error, "In #{attribute.oid}, expected Set[Array] with one value but found #{attribute.value.value.size} elements"
|
|
285
|
+
end
|
|
286
|
+
|
|
287
|
+
unless attribute.value.value.first.is_a? OpenSSL::ASN1::Sequence
|
|
288
|
+
raise Puppet::Error, "In #{attribute.oid}, expected Set[Array[Sequence[...]]], but found #{extension.class}"
|
|
289
|
+
end
|
|
290
|
+
|
|
291
|
+
unless attribute.value.value.first.value.is_a? Array
|
|
292
|
+
raise Puppet::Error, "In #{attribute.oid}, expected Set[Array[Sequence[Array[...]]]], but found #{extension.value.class}"
|
|
293
|
+
end
|
|
294
|
+
|
|
295
|
+
extensions = attribute.value.value.first.value
|
|
296
|
+
|
|
297
|
+
extensions.map(&:value)
|
|
298
|
+
end
|
|
145
299
|
end
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
require 'puppet/ssl'
|
|
2
|
+
require 'puppet/util/yaml'
|
|
3
|
+
|
|
4
|
+
# This class transforms simple key/value pairs into the equivalent ASN1
|
|
5
|
+
# structures. Values may be strings or arrays of strings.
|
|
6
|
+
#
|
|
7
|
+
# @api private
|
|
8
|
+
class Puppet::SSL::CertificateRequestAttributes
|
|
9
|
+
|
|
10
|
+
attr_reader :path, :custom_attributes, :extension_requests
|
|
11
|
+
|
|
12
|
+
def initialize(path)
|
|
13
|
+
@path = path
|
|
14
|
+
@custom_attributes = {}
|
|
15
|
+
@extension_requests = {}
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
# Attempt to load a yaml file at the given @path.
|
|
19
|
+
# @return true if we are able to load the file, false otherwise
|
|
20
|
+
# @raise [Puppet::Error] if there are unexpected attribute keys
|
|
21
|
+
def load
|
|
22
|
+
Puppet.info("csr_attributes file loading from #{path}")
|
|
23
|
+
if Puppet::FileSystem::File.exist?(path)
|
|
24
|
+
hash = Puppet::Util::Yaml.load_file(path)
|
|
25
|
+
@custom_attributes = hash.delete('custom_attributes') || {}
|
|
26
|
+
@extension_requests = hash.delete('extension_requests') || {}
|
|
27
|
+
if not hash.keys.empty?
|
|
28
|
+
raise Puppet::Error, "unexpected attributes #{hash.keys.inspect} in #{@path.inspect}"
|
|
29
|
+
end
|
|
30
|
+
return true
|
|
31
|
+
end
|
|
32
|
+
return false
|
|
33
|
+
end
|
|
34
|
+
end
|
|
@@ -49,7 +49,7 @@ DOC
|
|
|
49
49
|
Puppet.notice "Revoked certificate with serial #{serial}"
|
|
50
50
|
time = Time.now
|
|
51
51
|
|
|
52
|
-
|
|
52
|
+
add_certificate_revocation_for(serial, reason, time)
|
|
53
53
|
update_to_next_crl_number
|
|
54
54
|
update_valid_time_range_to_start_at(time)
|
|
55
55
|
sign_with(cakey)
|
|
@@ -69,7 +69,7 @@ private
|
|
|
69
69
|
@content.extensions = [crl_number_of(0)]
|
|
70
70
|
end
|
|
71
71
|
|
|
72
|
-
def
|
|
72
|
+
def add_certificate_revocation_for(serial, reason, time)
|
|
73
73
|
revoked = OpenSSL::X509::Revoked.new
|
|
74
74
|
revoked.serial = serial
|
|
75
75
|
revoked.time = time
|
data/lib/puppet/ssl/host.rb
CHANGED
|
@@ -4,6 +4,7 @@ require 'puppet/ssl/key'
|
|
|
4
4
|
require 'puppet/ssl/certificate'
|
|
5
5
|
require 'puppet/ssl/certificate_request'
|
|
6
6
|
require 'puppet/ssl/certificate_revocation_list'
|
|
7
|
+
require 'puppet/ssl/certificate_request_attributes'
|
|
7
8
|
|
|
8
9
|
# The class that manages all aspects of our SSL certificates --
|
|
9
10
|
# private keys, public keys, requests, etc.
|
|
@@ -173,6 +174,12 @@ DOC
|
|
|
173
174
|
end
|
|
174
175
|
end
|
|
175
176
|
|
|
177
|
+
csr_attributes = Puppet::SSL::CertificateRequestAttributes.new(Puppet[:csr_attributes])
|
|
178
|
+
if csr_attributes.load
|
|
179
|
+
options[:csr_attributes] = csr_attributes.custom_attributes
|
|
180
|
+
options[:extension_requests] = csr_attributes.extension_requests
|
|
181
|
+
end
|
|
182
|
+
|
|
176
183
|
@certificate_request = CertificateRequest.new(name)
|
|
177
184
|
@certificate_request.generate(key.content, options)
|
|
178
185
|
begin
|
|
@@ -264,14 +271,14 @@ ERROR_STRING
|
|
|
264
271
|
@ssl_store
|
|
265
272
|
end
|
|
266
273
|
|
|
267
|
-
def
|
|
274
|
+
def to_data_hash
|
|
268
275
|
my_cert = Puppet::SSL::Certificate.indirection.find(name)
|
|
269
|
-
|
|
276
|
+
result = { :name => name }
|
|
270
277
|
|
|
271
278
|
my_state = state
|
|
272
279
|
|
|
273
|
-
|
|
274
|
-
|
|
280
|
+
result[:state] = my_state
|
|
281
|
+
result[:desired_state] = desired_state if desired_state
|
|
275
282
|
|
|
276
283
|
thing_to_use = (my_state == 'requested') ? certificate_request : my_cert
|
|
277
284
|
|
|
@@ -280,7 +287,7 @@ ERROR_STRING
|
|
|
280
287
|
# pson[:fingerprints][:default]
|
|
281
288
|
# It appears that we have no internal consumers of this api
|
|
282
289
|
# --jeffweiss 30 aug 2012
|
|
283
|
-
|
|
290
|
+
result[:fingerprint] = thing_to_use.fingerprint
|
|
284
291
|
|
|
285
292
|
# The above fingerprint doesn't tell us what message digest algorithm was used
|
|
286
293
|
# No problem, except that the default is changing between 2.7 and 3.0. Also, as
|
|
@@ -289,15 +296,19 @@ ERROR_STRING
|
|
|
289
296
|
# So, when we add the newer fingerprints, we're explicit about the hashing
|
|
290
297
|
# algorithm used.
|
|
291
298
|
# --jeffweiss 31 july 2012
|
|
292
|
-
|
|
293
|
-
|
|
299
|
+
result[:fingerprints] = {}
|
|
300
|
+
result[:fingerprints][:default] = thing_to_use.fingerprint
|
|
294
301
|
|
|
295
302
|
suitable_message_digest_algorithms.each do |md|
|
|
296
|
-
|
|
303
|
+
result[:fingerprints][md] = thing_to_use.fingerprint md
|
|
297
304
|
end
|
|
298
|
-
|
|
305
|
+
result[:dns_alt_names] = thing_to_use.subject_alt_names
|
|
299
306
|
|
|
300
|
-
|
|
307
|
+
result
|
|
308
|
+
end
|
|
309
|
+
|
|
310
|
+
def to_pson(*args)
|
|
311
|
+
to_data_hash.to_pson(*args)
|
|
301
312
|
end
|
|
302
313
|
|
|
303
314
|
# eventually we'll probably want to move this somewhere else or make it
|