puppet 3.3.2 → 3.4.0.rc1
- data/CONTRIBUTING.md +22 -0
- data/Gemfile +11 -2
- data/README.md +13 -17
- data/README_DEVELOPER.md +1 -1
- data/Rakefile +1 -1
- data/examples/hiera/README.md +4 -4
- data/ext/debian/puppetmaster.init +1 -0
- data/ext/debian/rules +2 -5
- data/ext/nagios/check_puppet.rb +7 -7
- data/ext/osx/file_mapping.yaml +1 -1
- data/ext/osx/preflight.erb +34 -19
- data/ext/rack/{files/config.ru → config.ru} +0 -0
- data/ext/rack/{files/apache2.conf → example-passenger-vhost.conf} +6 -0
- data/ext/redhat/puppet.spec.erb +20 -2
- data/ext/systemd/{puppetagent.service → puppet.service} +0 -0
- data/lib/hiera_puppet.rb +2 -2
- data/lib/puppet/agent.rb +1 -6
- data/lib/puppet/application.rb +15 -2
- data/lib/puppet/application/agent.rb +2 -7
- data/lib/puppet/application/apply.rb +8 -13
- data/lib/puppet/application/cert.rb +47 -7
- data/lib/puppet/application/device.rb +1 -6
- data/lib/puppet/application/face_base.rb +1 -1
- data/lib/puppet/application/filebucket.rb +1 -1
- data/lib/puppet/application/inspect.rb +3 -12
- data/lib/puppet/application/master.rb +1 -6
- data/lib/puppet/application/queue.rb +1 -6
- data/lib/puppet/application/resource.rb +2 -6
- data/lib/puppet/coercion.rb +11 -0
- data/lib/puppet/configurer.rb +5 -3
- data/lib/puppet/configurer/downloader.rb +3 -1
- data/lib/puppet/configurer/plugin_handler.rb +10 -0
- data/lib/puppet/confine.rb +80 -0
- data/lib/puppet/{provider/confine → confine}/exists.rb +3 -3
- data/lib/puppet/{provider/confine → confine}/false.rb +2 -2
- data/lib/puppet/{provider/confine → confine}/feature.rb +2 -2
- data/lib/puppet/{provider/confine → confine}/true.rb +2 -2
- data/lib/puppet/{provider/confine → confine}/variable.rb +2 -2
- data/lib/puppet/{provider/confine_collection.rb → confine_collection.rb} +4 -4
- data/lib/puppet/{provider/confiner.rb → confiner.rb} +4 -4
- data/lib/puppet/daemon.rb +2 -6
- data/lib/puppet/data_binding.rb +2 -30
- data/lib/puppet/defaults.rb +283 -174
- data/lib/puppet/error.rb +1 -0
- data/lib/puppet/external/nagios.rb +0 -2
- data/lib/puppet/external/nagios/base.rb +4 -3
- data/lib/puppet/external/nagios/grammar.ry +173 -112
- data/lib/puppet/external/nagios/parser.rb +233 -184
- data/lib/puppet/face/file/store.rb +1 -1
- data/lib/puppet/face/module/generate.rb +5 -7
- data/lib/puppet/face/parser.rb +12 -2
- data/lib/puppet/face/plugin.rb +6 -0
- data/lib/puppet/feature/base.rb +16 -0
- data/lib/puppet/feature/external_facts.rb +5 -0
- data/lib/puppet/feature/libuser.rb +1 -1
- data/lib/puppet/feature/msgpack.rb +1 -0
- data/lib/puppet/feature/rails.rb +2 -2
- data/lib/puppet/file_bucket/dipper.rb +8 -6
- data/lib/puppet/file_bucket/file.rb +17 -1
- data/lib/puppet/file_serving/base.rb +21 -10
- data/lib/puppet/file_serving/configuration.rb +5 -7
- data/lib/puppet/file_serving/configuration/parser.rb +1 -1
- data/lib/puppet/file_serving/content.rb +1 -1
- data/lib/puppet/file_serving/fileset.rb +3 -3
- data/lib/puppet/file_serving/metadata.rb +22 -18
- data/lib/puppet/file_serving/mount/file.rb +1 -1
- data/lib/puppet/file_serving/mount/pluginfacts.rb +35 -0
- data/lib/puppet/file_system.rb +3 -0
- data/lib/puppet/file_system/file.rb +261 -0
- data/lib/puppet/file_system/file18.rb +5 -0
- data/lib/puppet/file_system/file19.rb +5 -0
- data/lib/puppet/file_system/file19windows.rb +113 -0
- data/lib/puppet/file_system/memory_file.rb +31 -0
- data/lib/puppet/file_system/tempfile.rb +20 -0
- data/lib/puppet/indirector/active_record.rb +1 -0
- data/lib/puppet/indirector/catalog/compiler.rb +28 -0
- data/lib/puppet/indirector/certificate_request/memory.rb +6 -0
- data/lib/puppet/indirector/data_binding/hiera.rb +46 -2
- data/lib/puppet/indirector/direct_file_server.rb +2 -2
- data/lib/puppet/indirector/facts/facter.rb +25 -0
- data/lib/puppet/indirector/file_bucket_file/file.rb +60 -74
- data/lib/puppet/indirector/indirection.rb +5 -1
- data/lib/puppet/indirector/json.rb +1 -1
- data/lib/puppet/indirector/key/ca.rb +4 -0
- data/lib/puppet/indirector/key/file.rb +7 -3
- data/lib/puppet/indirector/key/memory.rb +6 -0
- data/lib/puppet/indirector/node/write_only_yaml.rb +2 -2
- data/lib/puppet/indirector/request.rb +17 -11
- data/lib/puppet/indirector/resource/ral.rb +5 -0
- data/lib/puppet/indirector/resource/rest.rb +1 -0
- data/lib/puppet/indirector/resource/store_configs.rb +4 -0
- data/lib/puppet/indirector/rest.rb +2 -1
- data/lib/puppet/indirector/ssl_file.rb +7 -7
- data/lib/puppet/indirector/terminus.rb +4 -0
- data/lib/puppet/indirector/yaml.rb +3 -3
- data/lib/puppet/interface/documentation.rb +4 -11
- data/lib/puppet/module.rb +19 -6
- data/lib/puppet/module_tool/applications/builder.rb +1 -1
- data/lib/puppet/module_tool/applications/installer.rb +1 -1
- data/lib/puppet/module_tool/checksums.rb +1 -1
- data/lib/puppet/module_tool/dependency.rb +7 -3
- data/lib/puppet/module_tool/metadata.rb +6 -2
- data/lib/puppet/module_tool/tar.rb +2 -1
- data/lib/puppet/module_tool/tar/gnu.rb +6 -2
- data/lib/puppet/module_tool/tar/mini.rb +2 -0
- data/lib/puppet/module_tool/tar/solaris.rb +2 -5
- data/lib/puppet/network/authconfig.rb +0 -2
- data/lib/puppet/network/authentication.rb +1 -1
- data/lib/puppet/network/authstore.rb +6 -7
- data/lib/puppet/network/format.rb +2 -3
- data/lib/puppet/network/format_handler.rb +16 -11
- data/lib/puppet/network/format_support.rb +14 -0
- data/lib/puppet/network/formats.rb +26 -0
- data/lib/puppet/network/http/connection.rb +8 -41
- data/lib/puppet/network/http/handler.rb +28 -32
- data/lib/puppet/network/http/webrick.rb +15 -22
- data/lib/puppet/network/http_pool.rb +43 -9
- data/lib/puppet/network/rights.rb +0 -0
- data/lib/puppet/node.rb +24 -8
- data/lib/puppet/node/environment.rb +18 -20
- data/lib/puppet/node/facts.rb +23 -6
- data/lib/puppet/parameter.rb +15 -2
- data/lib/puppet/parameter/boolean.rb +5 -0
- data/lib/puppet/parameter/value_collection.rb +6 -4
- data/lib/puppet/parser/ast/resourceparam.rb +2 -1
- data/lib/puppet/parser/compiler.rb +25 -9
- data/lib/puppet/parser/files.rb +1 -1
- data/lib/puppet/parser/functions.rb +12 -21
- data/lib/puppet/parser/functions/collect.rb +6 -35
- data/lib/puppet/parser/functions/contain.rb +26 -0
- data/lib/puppet/parser/functions/create_resources.rb +5 -0
- data/lib/puppet/parser/functions/extlookup.rb +2 -2
- data/lib/puppet/parser/functions/file.rb +1 -1
- data/lib/puppet/parser/functions/{reject.rb → filter.rb} +13 -12
- data/lib/puppet/parser/functions/fqdn_rand.rb +13 -5
- data/lib/puppet/parser/functions/include.rb +18 -1
- data/lib/puppet/parser/functions/map.rb +44 -0
- data/lib/puppet/parser/functions/select.rb +6 -38
- data/lib/puppet/parser/lexer.rb +1 -1
- data/lib/puppet/parser/parser_support.rb +1 -1
- data/lib/puppet/parser/resource.rb +6 -45
- data/lib/puppet/parser/scope.rb +33 -2
- data/lib/puppet/parser/type_loader.rb +4 -60
- data/lib/puppet/pops/binder/bindings_loader.rb +1 -1
- data/lib/puppet/pops/binder/config/binder_config.rb +3 -3
- data/lib/puppet/pops/binder/hiera2/bindings_provider.rb +1 -1
- data/lib/puppet/pops/binder/scheme_handler/confdir_hiera_scheme.rb +1 -1
- data/lib/puppet/pops/binder/scheme_handler/module_hiera_scheme.rb +2 -2
- data/lib/puppet/pops/issues.rb +4 -0
- data/lib/puppet/pops/model/ast_transformer.rb +4 -1
- data/lib/puppet/pops/model/model_label_provider.rb +1 -1
- data/lib/puppet/pops/parser/egrammar.ra +5 -24
- data/lib/puppet/pops/parser/eparser.rb +859 -902
- data/lib/puppet/pops/parser/lexer.rb +48 -30
- data/lib/puppet/pops/parser/parser_support.rb +1 -1
- data/lib/puppet/pops/patterns.rb +4 -4
- data/lib/puppet/pops/utils.rb +1 -1
- data/lib/puppet/pops/validation/checker3_1.rb +25 -20
- data/lib/puppet/provider.rb +23 -6
- data/lib/puppet/provider/aixobject.rb +0 -0
- data/lib/puppet/provider/augeas/augeas.rb +21 -5
- data/lib/puppet/provider/confine.rb +5 -79
- data/lib/puppet/provider/cron/crontab.rb +0 -0
- data/lib/puppet/provider/exec.rb +9 -7
- data/lib/puppet/provider/exec/posix.rb +10 -1
- data/lib/puppet/provider/exec/windows.rb +1 -1
- data/lib/puppet/provider/file/posix.rb +1 -0
- data/lib/puppet/provider/file/windows.rb +16 -5
- data/lib/puppet/provider/group/aix.rb +0 -0
- data/lib/puppet/provider/group/windows_adsi.rb +33 -1
- data/lib/puppet/provider/macauthorization/macauthorization.rb +1 -1
- data/lib/puppet/provider/mailalias/aliases.rb +0 -0
- data/lib/puppet/provider/maillist/mailman.rb +0 -0
- data/lib/puppet/provider/mount/parsed.rb +0 -0
- data/lib/puppet/provider/nameservice/directoryservice.rb +3 -3
- data/lib/puppet/provider/package/appdmg.rb +1 -1
- data/lib/puppet/provider/package/apple.rb +1 -1
- data/lib/puppet/provider/package/apt.rb +1 -1
- data/lib/puppet/provider/package/aptitude.rb +0 -0
- data/lib/puppet/provider/package/blastwave.rb +1 -1
- data/lib/puppet/provider/package/dpkg.rb +1 -1
- data/lib/puppet/provider/package/fink.rb +1 -1
- data/lib/puppet/provider/package/freebsd.rb +0 -0
- data/lib/puppet/provider/package/gem.rb +0 -0
- data/lib/puppet/provider/package/macports.rb +0 -0
- data/lib/puppet/provider/package/msi.rb +4 -10
- data/lib/puppet/provider/package/nim.rb +8 -8
- data/lib/puppet/provider/package/openbsd.rb +1 -1
- data/lib/puppet/provider/package/opkg.rb +0 -0
- data/lib/puppet/provider/package/pacman.rb +2 -2
- data/lib/puppet/provider/package/pkgdmg.rb +1 -1
- data/lib/puppet/provider/package/pkgutil.rb +1 -1
- data/lib/puppet/provider/package/ports.rb +0 -0
- data/lib/puppet/provider/package/rpm.rb +39 -3
- data/lib/puppet/provider/package/sun.rb +3 -3
- data/lib/puppet/provider/package/sunfreeware.rb +0 -0
- data/lib/puppet/provider/package/windows.rb +12 -19
- data/lib/puppet/provider/package/windows/package.rb +1 -1
- data/lib/puppet/provider/package/yum.rb +2 -2
- data/lib/puppet/provider/parsedfile.rb +0 -0
- data/lib/puppet/provider/port/parsed.rb +0 -0
- data/lib/puppet/provider/service/base.rb +0 -0
- data/lib/puppet/provider/service/bsd.rb +3 -3
- data/lib/puppet/provider/service/daemontools.rb +8 -8
- data/lib/puppet/provider/service/debian.rb +0 -0
- data/lib/puppet/provider/service/freebsd.rb +3 -3
- data/lib/puppet/provider/service/init.rb +5 -4
- data/lib/puppet/provider/service/launchd.rb +35 -24
- data/lib/puppet/provider/service/openbsd.rb +23 -0
- data/lib/puppet/provider/service/redhat.rb +0 -0
- data/lib/puppet/provider/service/runit.rb +3 -3
- data/lib/puppet/provider/service/smf.rb +0 -0
- data/lib/puppet/provider/service/src.rb +0 -0
- data/lib/puppet/provider/service/systemd.rb +0 -0
- data/lib/puppet/provider/service/upstart.rb +3 -3
- data/lib/puppet/provider/ssh_authorized_key/parsed.rb +2 -2
- data/lib/puppet/provider/sshkey/parsed.rb +0 -0
- data/lib/puppet/provider/user/aix.rb +0 -0
- data/lib/puppet/provider/user/directoryservice.rb +1 -1
- data/lib/puppet/provider/user/useradd.rb +1 -1
- data/lib/puppet/provider/zone/solaris.rb +1 -1
- data/lib/puppet/rails/benchmark.rb +1 -1
- data/lib/puppet/reference/configuration.rb +1 -2
- data/lib/puppet/reference/indirection.rb +12 -14
- data/lib/puppet/relationship.rb +7 -4
- data/lib/puppet/reports.rb +2 -2
- data/lib/puppet/reports/rrdgraph.rb +1 -1
- data/lib/puppet/reports/store.rb +3 -3
- data/lib/puppet/reports/tagmail.rb +2 -2
- data/lib/puppet/resource.rb +66 -8
- data/lib/puppet/resource/catalog.rb +18 -25
- data/lib/puppet/resource/status.rb +10 -4
- data/lib/puppet/run.rb +6 -2
- data/lib/puppet/settings.rb +39 -119
- data/lib/puppet/settings/base_setting.rb +8 -9
- data/lib/puppet/settings/directory_setting.rb +8 -0
- data/lib/puppet/settings/file_setting.rb +35 -1
- data/lib/puppet/settings/priority_setting.rb +42 -0
- data/lib/puppet/ssl.rb +4 -0
- data/lib/puppet/ssl/certificate.rb +18 -0
- data/lib/puppet/ssl/certificate_authority.rb +101 -72
- data/lib/puppet/ssl/certificate_authority/autosign_command.rb +44 -0
- data/lib/puppet/ssl/certificate_authority/interface.rb +21 -17
- data/lib/puppet/ssl/certificate_factory.rb +38 -12
- data/lib/puppet/ssl/certificate_request.rb +201 -47
- data/lib/puppet/ssl/certificate_request_attributes.rb +34 -0
- data/lib/puppet/ssl/certificate_revocation_list.rb +2 -2
- data/lib/puppet/ssl/host.rb +21 -10
- data/lib/puppet/ssl/inventory.rb +6 -10
- data/lib/puppet/ssl/key.rb +1 -1
- data/lib/puppet/ssl/oids.rb +78 -0
- data/lib/puppet/ssl/validator.rb +41 -97
- data/lib/puppet/ssl/validator/default_validator.rb +153 -0
- data/lib/puppet/ssl/validator/no_validator.rb +17 -0
- data/lib/puppet/status.rb +4 -0
- data/lib/puppet/test/test_helper.rb +5 -0
- data/lib/puppet/transaction.rb +13 -0
- data/lib/puppet/transaction/event.rb +8 -3
- data/lib/puppet/transaction/report.rb +6 -2
- data/lib/puppet/transaction/resource_harness.rb +173 -115
- data/lib/puppet/type.rb +30 -13
- data/lib/puppet/type/augeas.rb +12 -46
- data/lib/puppet/type/component.rb +1 -7
- data/lib/puppet/type/cron.rb +0 -0
- data/lib/puppet/type/exec.rb +13 -1
- data/lib/puppet/type/file.rb +19 -10
- data/lib/puppet/type/file/checksum.rb +0 -0
- data/lib/puppet/type/file/content.rb +3 -0
- data/lib/puppet/type/file/ensure.rb +33 -15
- data/lib/puppet/type/file/group.rb +0 -0
- data/lib/puppet/type/file/mode.rb +6 -2
- data/lib/puppet/type/file/owner.rb +0 -0
- data/lib/puppet/type/file/source.rb +65 -14
- data/lib/puppet/type/file/target.rb +6 -6
- data/lib/puppet/type/file/type.rb +0 -0
- data/lib/puppet/type/filebucket.rb +0 -0
- data/lib/puppet/type/group.rb +18 -0
- data/lib/puppet/type/host.rb +0 -0
- data/lib/puppet/type/k5login.rb +4 -4
- data/lib/puppet/type/mailalias.rb +0 -0
- data/lib/puppet/type/maillist.rb +0 -0
- data/lib/puppet/type/mount.rb +15 -1
- data/lib/puppet/type/package.rb +7 -1
- data/lib/puppet/type/port.rb +0 -0
- data/lib/puppet/type/schedule.rb +9 -4
- data/lib/puppet/type/service.rb +1 -1
- data/lib/puppet/type/sshkey.rb +0 -0
- data/lib/puppet/type/tidy.rb +1 -1
- data/lib/puppet/type/user.rb +3 -0
- data/lib/puppet/type/yumrepo.rb +8 -6
- data/lib/puppet/type/zpool.rb +0 -0
- data/lib/puppet/util.rb +4 -31
- data/lib/puppet/util/adsi.rb +73 -17
- data/lib/puppet/util/autoload.rb +3 -3
- data/lib/puppet/util/backups.rb +4 -4
- data/lib/puppet/util/cacher.rb +7 -13
- data/lib/puppet/util/checksums.rb +2 -2
- data/lib/puppet/util/classgen.rb +3 -1
- data/lib/puppet/util/colors.rb +1 -0
- data/lib/puppet/util/command_line.rb +5 -0
- data/lib/puppet/util/docs.rb +33 -27
- data/lib/puppet/util/execution.rb +42 -18
- data/lib/puppet/util/filetype.rb +3 -3
- data/lib/puppet/util/instance_loader.rb +2 -2
- data/lib/puppet/util/instrumentation.rb +23 -42
- data/lib/puppet/util/instrumentation/data.rb +11 -4
- data/lib/puppet/util/instrumentation/indirection_probe.rb +11 -4
- data/lib/puppet/util/instrumentation/instrumentable.rb +7 -14
- data/lib/puppet/util/instrumentation/listener.rb +15 -8
- data/lib/puppet/util/instrumentation/listeners/log.rb +4 -10
- data/lib/puppet/util/instrumentation/listeners/performance.rb +8 -14
- data/lib/puppet/util/limits.rb +12 -0
- data/lib/puppet/util/lockfile.rb +2 -2
- data/lib/puppet/util/log.rb +14 -6
- data/lib/puppet/util/log/destinations.rb +23 -1
- data/lib/puppet/util/metric.rb +9 -3
- data/lib/puppet/util/monkey_patches.rb +7 -2
- data/lib/puppet/util/network_device/config.rb +1 -1
- data/lib/puppet/util/plugins.rb +1 -1
- data/lib/puppet/util/posix.rb +0 -0
- data/lib/puppet/util/profiler.rb +7 -2
- data/lib/puppet/util/provider_features.rb +2 -2
- data/lib/puppet/util/rdoc.rb +28 -30
- data/lib/puppet/util/rdoc/code_objects.rb +75 -25
- data/lib/puppet/util/rdoc/generators/puppet_generator.rb +1 -1
- data/lib/puppet/util/rdoc/parser.rb +12 -487
- data/lib/puppet/util/rdoc/parser/puppet_parser_core.rb +477 -0
- data/lib/puppet/util/rdoc/parser/puppet_parser_rdoc1.rb +19 -0
- data/lib/puppet/util/rdoc/parser/puppet_parser_rdoc2.rb +14 -0
- data/lib/puppet/util/reference.rb +1 -1
- data/lib/puppet/util/resource_template.rb +1 -1
- data/lib/puppet/util/selinux.rb +1 -1
- data/lib/puppet/util/storage.rb +2 -2
- data/lib/puppet/util/suidmanager.rb +1 -1
- data/lib/puppet/util/tag_set.rb +29 -0
- data/lib/puppet/util/tagging.rb +8 -24
- data/lib/puppet/util/watched_file.rb +1 -1
- data/lib/puppet/util/watcher.rb +1 -1
- data/lib/puppet/util/windows.rb +3 -0
- data/lib/puppet/util/windows/access_control_entry.rb +84 -0
- data/lib/puppet/util/windows/access_control_list.rb +106 -0
- data/lib/puppet/util/windows/file.rb +213 -0
- data/lib/puppet/util/windows/process.rb +199 -0
- data/lib/puppet/util/windows/root_certs.rb +52 -37
- data/lib/puppet/util/windows/security.rb +270 -245
- data/lib/puppet/util/windows/security_descriptor.rb +62 -0
- data/lib/puppet/util/windows/sid.rb +26 -4
- data/lib/puppet/version.rb +2 -2
- data/spec/fixtures/releases/jamtur01-apache/lib/puppet/provider/a2mod/debian.rb +1 -1
- data/spec/fixtures/unit/indirector/{hiera → data_binding/hiera}/global.yaml +0 -0
- data/spec/fixtures/unit/indirector/data_binding/hiera/invalid.yaml +1 -0
- data/spec/fixtures/unit/module/trailing-comma.json +24 -0
- data/spec/fixtures/unit/util/monkey_patches/x509.pem +32 -0
- data/spec/integration/application/apply_spec.rb +1 -1
- data/spec/integration/application/doc_spec.rb +1 -1
- data/spec/integration/configurer_spec.rb +4 -2
- data/spec/integration/data_binding.rb +100 -0
- data/spec/integration/indirector/catalog/compiler_spec.rb +16 -13
- data/spec/integration/indirector/direct_file_server_spec.rb +3 -5
- data/spec/integration/indirector/file_content/file_server_spec.rb +2 -2
- data/spec/integration/node/facts_spec.rb +1 -1
- data/spec/integration/node_spec.rb +1 -1
- data/spec/integration/parser/compiler_spec.rb +90 -0
- data/spec/integration/parser/parser_spec.rb +2 -2
- data/spec/integration/provider/cron/crontab_spec.rb +3 -5
- data/spec/integration/resource/catalog_spec.rb +1 -1
- data/spec/integration/ssl/autosign_spec.rb +90 -0
- data/spec/integration/ssl/certificate_authority_spec.rb +62 -69
- data/spec/integration/ssl/certificate_revocation_list_spec.rb +1 -1
- data/spec/integration/ssl/host_spec.rb +1 -1
- data/spec/integration/transaction_spec.rb +13 -13
- data/spec/integration/type/exec_spec.rb +2 -2
- data/spec/integration/type/file_spec.rb +287 -45
- data/spec/integration/type/tidy_spec.rb +3 -3
- data/spec/integration/util/rdoc/parser_spec.rb +236 -35
- data/spec/integration/util/settings_spec.rb +1 -1
- data/spec/integration/util/windows/process_spec.rb +22 -0
- data/spec/integration/util/windows/security_spec.rb +316 -106
- data/spec/lib/matchers/containment_matchers.rb +52 -0
- data/spec/lib/puppet_spec/compiler.rb +6 -0
- data/spec/lib/puppet_spec/files.rb +20 -21
- data/spec/shared_behaviours/documentation_on_faces.rb +3 -3
- data/spec/shared_behaviours/file_server_terminus.rb +2 -2
- data/spec/shared_contexts/platform.rb +1 -0
- data/spec/spec_helper.rb +13 -1
- data/spec/unit/agent_spec.rb +0 -12
- data/spec/unit/application/agent_spec.rb +4 -4
- data/spec/unit/application/apply_spec.rb +18 -2
- data/spec/unit/application/cert_spec.rb +8 -6
- data/spec/unit/application/device_spec.rb +1 -1
- data/spec/unit/application/filebucket_spec.rb +1 -1
- data/spec/unit/application/inspect_spec.rb +1 -1
- data/spec/unit/application_spec.rb +24 -0
- data/spec/unit/configurer/downloader_spec.rb +8 -7
- data/spec/unit/configurer/fact_handler_spec.rb +23 -0
- data/spec/unit/configurer/plugin_handler_spec.rb +7 -2
- data/spec/unit/configurer_spec.rb +15 -5
- data/spec/unit/{provider/confine → confine}/exists_spec.rb +12 -12
- data/spec/unit/{provider/confine → confine}/false_spec.rb +9 -9
- data/spec/unit/{provider/confine → confine}/feature_spec.rb +10 -10
- data/spec/unit/{provider/confine → confine}/true_spec.rb +7 -7
- data/spec/unit/{provider/confine → confine}/variable_spec.rb +16 -16
- data/spec/unit/{provider/confine_collection_spec.rb → confine_collection_spec.rb} +30 -30
- data/spec/unit/{provider/confine_spec.rb → confine_spec.rb} +11 -11
- data/spec/unit/{provider/confiner_spec.rb → confiner_spec.rb} +4 -4
- data/spec/unit/face/parser_spec.rb +54 -0
- data/spec/unit/file_bucket/dipper_spec.rb +2 -2
- data/spec/unit/file_serving/base_spec.rb +32 -9
- data/spec/unit/file_serving/configuration_spec.rb +7 -7
- data/spec/unit/file_serving/content_spec.rb +12 -7
- data/spec/unit/file_serving/fileset_spec.rb +57 -27
- data/spec/unit/file_serving/metadata_spec.rb +74 -12
- data/spec/unit/file_serving/mount/file_spec.rb +10 -10
- data/spec/unit/file_serving/mount/pluginfacts_spec.rb +73 -0
- data/spec/unit/file_system/file_spec.rb +486 -0
- data/spec/unit/file_system/tempfile_spec.rb +48 -0
- data/spec/unit/graph/relationship_graph_spec.rb +0 -6
- data/spec/unit/hiera_puppet_spec.rb +2 -2
- data/spec/unit/indirector/catalog/compiler_spec.rb +15 -19
- data/spec/unit/indirector/certificate_status/file_spec.rb +30 -40
- data/spec/unit/indirector/data_binding/hiera_spec.rb +95 -2
- data/spec/unit/indirector/direct_file_server_spec.rb +6 -6
- data/spec/unit/indirector/facts/facter_spec.rb +33 -0
- data/spec/unit/indirector/file_bucket_file/file_spec.rb +61 -52
- data/spec/unit/indirector/file_metadata/file_spec.rb +2 -2
- data/spec/unit/indirector/file_server_spec.rb +4 -4
- data/spec/unit/indirector/json_spec.rb +4 -4
- data/spec/unit/indirector/key/file_spec.rb +13 -14
- data/spec/unit/indirector/resource/ral_spec.rb +7 -0
- data/spec/unit/indirector/resource/store_configs_spec.rb +11 -0
- data/spec/unit/indirector/rest_spec.rb +7 -3
- data/spec/unit/indirector/ssl_file_spec.rb +14 -17
- data/spec/unit/indirector/yaml_spec.rb +4 -4
- data/spec/unit/module_spec.rb +43 -15
- data/spec/unit/module_tool/tar/gnu_spec.rb +2 -2
- data/spec/unit/module_tool/tar/solaris_spec.rb +2 -2
- data/spec/unit/module_tool/tar_spec.rb +45 -0
- data/spec/unit/network/authconfig_spec.rb +2 -1
- data/spec/unit/network/authentication_spec.rb +2 -2
- data/spec/unit/network/format_handler_spec.rb +2 -2
- data/spec/unit/network/formats_spec.rb +24 -0
- data/spec/unit/network/http/connection_spec.rb +76 -199
- data/spec/unit/network/http/handler_spec.rb +33 -34
- data/spec/unit/network/http_pool_spec.rb +8 -5
- data/spec/unit/node/environment_spec.rb +76 -90
- data/spec/unit/node/facts_spec.rb +20 -3
- data/spec/unit/node_spec.rb +43 -0
- data/spec/unit/parameter/boolean_spec.rb +22 -12
- data/spec/unit/parser/ast/resourceparam_spec.rb +51 -0
- data/spec/unit/parser/compiler_spec.rb +103 -35
- data/spec/unit/parser/eparser_adapter_spec.rb +12 -12
- data/spec/unit/parser/files_spec.rb +11 -11
- data/spec/unit/parser/functions/contain_spec.rb +185 -0
- data/spec/unit/parser/functions/create_resources_spec.rb +13 -5
- data/spec/unit/parser/functions/generate_spec.rb +1 -1
- data/spec/unit/parser/functions_spec.rb +2 -2
- data/spec/unit/parser/lexer_spec.rb +1 -1
- data/spec/unit/parser/methods/each_spec.rb +1 -1
- data/spec/unit/parser/methods/{select_spec.rb → filter_spec.rb} +11 -11
- data/spec/unit/parser/methods/map_spec.rb +95 -0
- data/spec/unit/parser/methods/reduce_spec.rb +12 -11
- data/spec/unit/parser/methods/shared.rb +5 -5
- data/spec/unit/parser/methods/slice_spec.rb +13 -13
- data/spec/unit/parser/parser_spec.rb +1 -1
- data/spec/unit/parser/resource/param_spec.rb +44 -0
- data/spec/unit/parser/resource_spec.rb +16 -15
- data/spec/unit/pops/model/ast_transformer_spec.rb +18 -4
- data/spec/unit/pops/parser/lexer_spec.rb +22 -5
- data/spec/unit/pops/parser/parse_calls_spec.rb +5 -5
- data/spec/unit/pops/transformer/transform_calls_spec.rb +6 -6
- data/spec/unit/pops/transformer/transform_containers_spec.rb +2 -2
- data/spec/unit/pops/validator/validator_spec.rb +31 -0
- data/spec/unit/provider/augeas/augeas_spec.rb +57 -2
- data/spec/unit/provider/exec/posix_spec.rb +8 -3
- data/spec/unit/provider/file/posix_spec.rb +2 -2
- data/spec/unit/provider/group/windows_adsi_spec.rb +70 -3
- data/spec/unit/provider/nameservice/directoryservice_spec.rb +3 -3
- data/spec/unit/provider/package/apt_spec.rb +1 -1
- data/spec/unit/provider/package/msi_spec.rb +15 -42
- data/spec/unit/provider/package/openbsd_spec.rb +3 -3
- data/spec/unit/provider/package/rpm_spec.rb +56 -13
- data/spec/unit/provider/package/windows_spec.rb +15 -19
- data/spec/unit/provider/service/base_spec.rb +1 -1
- data/spec/unit/provider/service/daemontools_spec.rb +18 -8
- data/spec/unit/provider/service/freebsd_spec.rb +3 -3
- data/spec/unit/provider/service/gentoo_spec.rb +5 -2
- data/spec/unit/provider/service/init_spec.rb +17 -17
- data/spec/unit/provider/service/launchd_spec.rb +76 -23
- data/spec/unit/provider/service/openbsd_spec.rb +125 -0
- data/spec/unit/provider/service/openwrt_spec.rb +1 -1
- data/spec/unit/provider/service/runit_spec.rb +12 -5
- data/spec/unit/provider/service/upstart_spec.rb +4 -4
- data/spec/unit/provider/ssh_authorized_key/parsed_spec.rb +5 -5
- data/spec/unit/provider/user/directoryservice_spec.rb +4 -4
- data/spec/unit/provider/zone/solaris_spec.rb +1 -1
- data/spec/unit/provider_spec.rb +2 -2
- data/spec/unit/reports/http_spec.rb +19 -34
- data/spec/unit/reports/store_spec.rb +2 -2
- data/spec/unit/resource/catalog_spec.rb +81 -11
- data/spec/unit/resource/status_spec.rb +11 -1
- data/spec/unit/resource/type_spec.rb +30 -1
- data/spec/unit/resource_spec.rb +40 -4
- data/spec/unit/settings/file_setting_spec.rb +2 -2
- data/spec/unit/settings/path_setting_spec.rb +2 -2
- data/spec/unit/settings/priority_setting_spec.rb +66 -0
- data/spec/unit/settings_spec.rb +16 -31
- data/spec/unit/ssl/certificate_authority/autosign_command_spec.rb +30 -0
- data/spec/unit/ssl/certificate_authority_spec.rb +129 -134
- data/spec/unit/ssl/certificate_factory_spec.rb +18 -0
- data/spec/unit/ssl/certificate_request_attributes_spec.rb +61 -0
- data/spec/unit/ssl/certificate_request_spec.rb +103 -0
- data/spec/unit/ssl/certificate_spec.rb +31 -18
- data/spec/unit/ssl/host_spec.rb +34 -8
- data/spec/unit/ssl/inventory_spec.rb +27 -62
- data/spec/unit/ssl/key_spec.rb +4 -4
- data/spec/unit/ssl/oids_spec.rb +48 -0
- data/spec/unit/ssl/validator_spec.rb +49 -6
- data/spec/unit/status_spec.rb +9 -0
- data/spec/unit/transaction/event_spec.rb +1 -9
- data/spec/unit/transaction/report_spec.rb +20 -1
- data/spec/unit/transaction/resource_harness_spec.rb +60 -210
- data/spec/unit/transaction_spec.rb +54 -8
- data/spec/unit/type/component_spec.rb +2 -2
- data/spec/unit/type/exec_spec.rb +14 -7
- data/spec/unit/type/file/content_spec.rb +13 -2
- data/spec/unit/type/file/ctime_spec.rb +1 -1
- data/spec/unit/type/file/mode_spec.rb +48 -2
- data/spec/unit/type/file/mtime_spec.rb +1 -1
- data/spec/unit/type/file/source_spec.rb +177 -7
- data/spec/unit/type/file_spec.rb +63 -71
- data/spec/unit/type/group_spec.rb +20 -0
- data/spec/unit/type/k5login_spec.rb +3 -3
- data/spec/unit/type/mount_spec.rb +53 -0
- data/spec/unit/type/nagios_spec.rb +216 -0
- data/spec/unit/type/package_spec.rb +7 -1
- data/spec/unit/type/schedule_spec.rb +6 -0
- data/spec/unit/type/service_spec.rb +3 -3
- data/spec/unit/type/tidy_spec.rb +14 -14
- data/spec/unit/type/user_spec.rb +9 -0
- data/spec/unit/type_spec.rb +86 -4
- data/spec/unit/util/adsi_spec.rb +120 -12
- data/spec/unit/util/autoload_spec.rb +14 -14
- data/spec/unit/util/backups_spec.rb +29 -21
- data/spec/unit/util/checksums_spec.rb +2 -1
- data/spec/unit/util/command_line_spec.rb +41 -0
- data/spec/unit/util/docs_spec.rb +91 -0
- data/spec/unit/util/execution_spec.rb +26 -2
- data/spec/unit/util/filetype_spec.rb +7 -7
- data/spec/unit/util/lockfile_spec.rb +2 -2
- data/spec/unit/util/log/destinations_spec.rb +32 -0
- data/spec/unit/util/monkey_patches_spec.rb +41 -0
- data/spec/unit/util/pidlock_spec.rb +6 -6
- data/spec/unit/util/rdoc/parser_spec.rb +15 -13
- data/spec/unit/util/rdoc_spec.rb +18 -24
- data/spec/unit/util/resource_template_spec.rb +3 -3
- data/spec/unit/util/selinux_spec.rb +4 -2
- data/spec/unit/util/storage_spec.rb +4 -4
- data/spec/unit/util/suidmanager_spec.rb +7 -0
- data/spec/unit/util/tag_set_spec.rb +46 -0
- data/spec/unit/util/tagging_spec.rb +82 -45
- data/spec/unit/util/watcher_spec.rb +4 -1
- data/spec/unit/util/windows/access_control_entry_spec.rb +67 -0
- data/spec/unit/util/windows/access_control_list_spec.rb +133 -0
- data/spec/unit/util/windows/root_certs_spec.rb +10 -8
- data/spec/unit/util/windows/security_descriptor_spec.rb +117 -0
- data/spec/unit/util/windows/sid_spec.rb +69 -0
- data/spec/unit/util_spec.rb +7 -7
- data/tasks/ci.rake +17 -36
- metadata +2811 -2746
- checksums.yaml +0 -7
- data/examples/mac_automount.pp +0 -16
- data/examples/mcx_dock_absent.pp +0 -4
- data/examples/mcx_dock_default.pp +0 -118
- data/examples/mcx_dock_full.pp +0 -125
- data/examples/mcx_dock_invalid.pp +0 -9
- data/examples/mcx_nogroup.pp +0 -118
- data/examples/mcx_notexists_absent.pp +0 -4
- data/ext/rack/README +0 -58
- data/ext/rack/manifest.pp +0 -59
- data/lib/puppet/external/lock.rb +0 -63
- data/lib/puppet/indirector/hiera.rb +0 -39
- data/lib/puppet/parser/functions/foreach.rb +0 -95
- data/spec/integration/network/server/webrick_spec.rb +0 -76
- data/spec/integration/parser/functions_spec.rb +0 -16
- data/spec/unit/indirector/hiera_spec.rb +0 -154
- data/spec/unit/parser/methods/collect_spec.rb +0 -153
- data/spec/unit/parser/methods/foreach_spec.rb +0 -91
- data/spec/unit/parser/methods/reject_spec.rb +0 -73
- data/spec/unit/resource/resource_type.json +0 -34
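--- a/data/lib/puppet/ssl/inventory.rb
+++ b/data/lib/puppet/ssl/inventory.rb
@@ -8,11 +8,7 @@ class Puppet::SSL::Inventory
   # Add a certificate to our inventory.
   def add(cert)
     cert = cert.content if cert.is_a?(Puppet::SSL::Certificate)
-
-    # Create our file, if one does not already exist.
-    rebuild unless FileTest.exist?(@path)
-
-    Puppet.settings.write(:cert_inventory, "a") do |f|
+    Puppet.settings.setting(:cert_inventory).open("a") do |f|
       f.print format(cert)
     end
   end
@@ -32,16 +28,16 @@ class Puppet::SSL::Inventory
   def rebuild
     Puppet.notice "Rebuilding inventory file"
 
-    Puppet.settings.
-
+    Puppet.settings.setting(:cert_inventory).open('w') do |f|
+      Puppet::SSL::Certificate.indirection.search("*").each do |cert|
+        f.print format(cert.content)
+      end
     end
-
-    Puppet::SSL::Certificate.indirection.search("*").each { |cert| add(cert) }
   end
 
   # Find the serial number for a given certificate.
   def serial(name)
-    return nil unless
+    return nil unless Puppet::FileSystem::File.exist?(@path)
 
     File.readlines(@path).each do |line|
       next unless line =~ /^(\S+).+\/CN=#{name}$/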
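Review bot: In the second hunk, `serial` still interpolates `name` into the regex on its last context line without escaping, so a certificate name containing regex metacharacters (`.`, `+`, `(`, `|`, …) can match a different inventory entry or raise RegexpError instead of returning the serial for exactly that CN; the lookup should be `next unless line =~ /^(\S+).+\/CN=#{Regexp.escape(name)}$/`. Since the commit touches this method anyway (the new `Puppet::FileSystem::File.exist?` guard), it is the natural place to tighten the match. Separately, `add` no longer calls `rebuild` when the inventory file is missing, so a missing file is now only handled by the `exist?` guard in `serial` — presumably intended, but worth a one-line comment on `add` such as `# Appends only; the file is created by rebuild or by the setting's open("a").` The body of `serial` continues past the end of the hunk.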
data/lib/puppet/ssl/key.rb
CHANGED
@@ -0,0 +1,78 @@
|
|
1
|
+
require 'puppet/ssl'
|
2
|
+
|
3
|
+
# This module defines OIDs for use within Puppet.
|
4
|
+
#
|
5
|
+
# == ASN.1 Definition
|
6
|
+
#
|
7
|
+
# The following is the formal definition of OIDs specified in this file.
|
8
|
+
#
|
9
|
+
# puppetCertExtensions OBJECT IDENTIFIER ::= {iso(1) identified-organization(3)
|
10
|
+
# dod(6) internet(1) private(4) enterprise(1) 34380 1}
|
11
|
+
#
|
12
|
+
# -- the tree under registeredExtensions 'belongs' to puppetlabs
|
13
|
+
# -- privateExtensions can be extended by enterprises to suit their own needs
|
14
|
+
# registeredExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 1 }
|
15
|
+
# privateExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 2 }
|
16
|
+
#
|
17
|
+
# -- subtree of common registered extensions
|
18
|
+
# -- The short names for these OIDs are intentionally lowercased and formatted
|
19
|
+
# -- since they may be exposed inside the Puppet DSL as variables.
|
20
|
+
# pp_uuid OBJECT IDENTIFIER ::= { registeredExtensions 1 }
|
21
|
+
# pp_instance_id OBJECT IDENTIFIER ::= { registeredExtensions 2 }
|
22
|
+
# pp_image_name OBJECT IDENTIFIER ::= { registeredExtensions 3 }
|
23
|
+
# pp_preshared_key OBJECT IDENTIFIER ::= { registeredExtensions 4 }
|
24
|
+
#
|
25
|
+
# @api private
|
26
|
+
module Puppet::SSL::Oids
|
27
|
+
|
28
|
+
PUPPET_OIDS = [
|
29
|
+
["1.3.6.1.4.1.34380", 'puppetlabs', 'Puppet Labs'],
|
30
|
+
["1.3.6.1.4.1.34380.1", 'ppCertExt', 'Puppet Certificate Extension'],
|
31
|
+
|
32
|
+
["1.3.6.1.4.1.34380.1.1", 'ppRegCertExt', 'Puppet Registered Certificate Extension'],
|
33
|
+
|
34
|
+
["1.3.6.1.4.1.34380.1.1.1", 'pp_uuid', 'Puppet Node UUID'],
|
35
|
+
["1.3.6.1.4.1.34380.1.1.2", 'pp_instance_id', 'Puppet Node Instance ID'],
|
36
|
+
["1.3.6.1.4.1.34380.1.1.3", 'pp_image_name', 'Puppet Node Image Name'],
|
37
|
+
["1.3.6.1.4.1.34380.1.1.4", 'pp_preshared_key', 'Puppet Node Preshared Key'],
|
38
|
+
|
39
|
+
["1.3.6.1.4.1.34380.1.2", 'ppPrivCertExt', 'Puppet Private Certificate Extension'],
|
40
|
+
]
|
41
|
+
|
42
|
+
PUPPET_OIDS.each do |oid_defn|
|
43
|
+
OpenSSL::ASN1::ObjectId.register(*oid_defn)
|
44
|
+
end
|
45
|
+
|
46
|
+
# Determine if the first OID contains the second OID
|
47
|
+
#
|
48
|
+
# @param first [String] The containing OID, in dotted form or as the short name
|
49
|
+
# @param second [String] The contained OID, in dotted form or as the short name
|
50
|
+
# @param exclusive [true, false] If an OID should not be considered as a subtree of itself
|
51
|
+
#
|
52
|
+
# @example Comparing two dotted OIDs
|
53
|
+
# Puppet::SSL::Oids.subtree_of?('1.3.6.1', '1.3.6.1.4.1') #=> true
|
54
|
+
# Puppet::SSL::Oids.subtree_of?('1.3.6.1', '1.3.6') #=> false
|
55
|
+
#
|
56
|
+
# @example Comparing an OID short name with a dotted OID
|
57
|
+
# Puppet::SSL::Oids.subtree_of?('IANA', '1.3.6.1.4.1') #=> true
|
58
|
+
# Puppet::SSL::Oids.subtree_of?('1.3.6.1', 'enterprises') #=> true
|
59
|
+
#
|
60
|
+
# @example Comparing an OID against itself
|
61
|
+
# Puppet::SSL::Oids.subtree_of?('IANA', 'IANA') #=> true
|
62
|
+
# Puppet::SSL::Oids.subtree_of?('IANA', 'IANA', true) #=> false
|
63
|
+
#
|
64
|
+
# @return [true, false]
|
65
|
+
def self.subtree_of?(first, second, exclusive = false)
|
66
|
+
first_oid = OpenSSL::ASN1::ObjectId.new(first).oid
|
67
|
+
second_oid = OpenSSL::ASN1::ObjectId.new(second).oid
|
68
|
+
|
69
|
+
|
70
|
+
if exclusive and first_oid == second_oid
|
71
|
+
false
|
72
|
+
else
|
73
|
+
second_oid.index(first_oid) == 0
|
74
|
+
end
|
75
|
+
rescue OpenSSL::ASN1::ASN1Error
|
76
|
+
false
|
77
|
+
end
|
78
|
+
end
|
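Review bot: `second_oid.index(first_oid) == 0` in `subtree_of?` is a textual prefix test on dotted strings, so `subtree_of?('1.3.6.1', '1.3.6.10')` returns true although `1.3.6.10` is a sibling arc, not a descendant; since this predicate is what decides whether an extension falls under the registered Puppet OID subtree, a sibling arc would be misclassified. Compare whole arcs instead: `return false if exclusive && first_oid == second_oid` followed by `second_oid == first_oid || second_oid.start_with?("#{first_oid}.")`. The `if exclusive and first_oid == second_oid` line should use `&&` rather than `and` to avoid the precedence trap. The `rescue OpenSSL::ASN1::ASN1Error` branch silently answers false for an unknown short name, which is fine for a predicate but worth a one-line comment, e.g. `# unregistered short names are not part of any subtree`. Note that this section is labelled `data/lib/puppet/ssl/key.rb` on the page, yet the hunk header reads `@@ -0,0 +1,78 @@` and the body defines `Puppet::SSL::Oids`, so the file name shown here appears to be out of step with the content.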
data/lib/puppet/ssl/validator.rb
CHANGED
@@ -1,116 +1,60 @@
|
|
1
|
-
require 'puppet/ssl'
|
2
1
|
require 'openssl'
|
3
|
-
module Puppet
|
4
|
-
module SSL
|
5
|
-
class Validator
|
6
|
-
attr_reader :peer_certs
|
7
|
-
attr_reader :verify_errors
|
8
|
-
attr_reader :ssl_configuration
|
9
2
|
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
# authorizing the peer certificate chain.
|
15
|
-
def initialize(opts = {})
|
16
|
-
reset!
|
17
|
-
@ssl_configuration = opts[:ssl_configuration] or raise ArgumentError, ":ssl_configuration is required"
|
18
|
-
end
|
3
|
+
# API for certificate verification
|
4
|
+
#
|
5
|
+
# @api public
|
6
|
+
class Puppet::SSL::Validator
|
19
7
|
|
20
|
-
|
21
|
-
#
|
22
|
-
|
23
|
-
|
24
|
-
|
8
|
+
# Factory method for creating an instance of a null/no validator.
|
9
|
+
# This method does not have to be implemented by concrete implementations of this API.
|
10
|
+
#
|
11
|
+
# @return [Puppet::SSL::Validator] produces a validator that performs no validation
|
12
|
+
#
|
13
|
+
# @api public
|
14
|
+
#
|
15
|
+
def self.no_validator()
|
16
|
+
@@no_validator_cache ||= Puppet::SSL::Validator::NoValidator.new()
|
25
17
|
end
|
26
18
|
|
27
|
-
|
28
|
-
#
|
29
|
-
# certificates for use in constructing the error message if the verification
|
30
|
-
# failed. This callback will be executed once for each certificate in a
|
31
|
-
# chain being verified.
|
19
|
+
# Factory method for creating an instance of the default Puppet validator.
|
20
|
+
# This method does not have to be implemented by concrete implementations of this API.
|
32
21
|
#
|
33
|
-
#
|
34
|
-
# documentation](http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html):
|
35
|
-
# The `verify_callback` function is used to control the behaviour when the
|
36
|
-
# SSL_VERIFY_PEER flag is set. It must be supplied by the application and
|
37
|
-
# receives two arguments: preverify_ok indicates, whether the verification of
|
38
|
-
# the certificate in question was passed (preverify_ok=1) or not
|
39
|
-
# (preverify_ok=0). x509_ctx is a pointer to the complete context used for
|
40
|
-
# the certificate chain verification.
|
22
|
+
# @return [Puppet::SSL::Validator] produces a validator that performs no validation
|
41
23
|
#
|
42
|
-
#
|
43
|
-
# class is intended to be used.
|
24
|
+
# @api public
|
44
25
|
#
|
45
|
-
|
46
|
-
|
47
|
-
# @param [OpenSSL::SSL::SSLContext] ssl_context holds the SSLContext for the
|
48
|
-
# chain being verified.
|
49
|
-
#
|
50
|
-
# @return [Boolean] false if the peer is invalid, true otherwise.
|
51
|
-
def call(preverify_ok, ssl_context)
|
52
|
-
# We must make a copy since the scope of the ssl_context will be lost
|
53
|
-
# across invocations of this method.
|
54
|
-
current_cert = ssl_context.current_cert
|
55
|
-
@peer_certs << Puppet::SSL::Certificate.from_instance(current_cert)
|
56
|
-
|
57
|
-
if preverify_ok
|
58
|
-
# If we've copied all of the certs in the chain out of the SSL library
|
59
|
-
if @peer_certs.length == ssl_context.chain.length
|
60
|
-
# (#20027) The peer cert must be issued by a specific authority
|
61
|
-
preverify_ok = valid_peer?
|
62
|
-
end
|
63
|
-
else
|
64
|
-
if ssl_context.error_string
|
65
|
-
@verify_errors << "#{ssl_context.error_string} for #{current_cert.subject}"
|
66
|
-
end
|
67
|
-
end
|
68
|
-
preverify_ok
|
69
|
-
rescue => ex
|
70
|
-
@verify_errors << ex.message
|
71
|
-
false
|
26
|
+
def self.default_validator()
|
27
|
+
Puppet::SSL::Validator::DefaultValidator.new()
|
72
28
|
end
|
73
29
|
|
74
|
-
|
75
|
-
#
|
30
|
+
# Array of peer certificates
|
31
|
+
# @return [Array<Puppet::SSL::Certificate>] peer certificates
|
76
32
|
#
|
77
|
-
# @
|
33
|
+
# @api public
|
78
34
|
#
|
79
|
-
|
80
|
-
|
81
|
-
connection.verify_callback = self
|
35
|
+
def peer_certs
|
36
|
+
raise NotImplementedError, "Concrete class should have implemented this method"
|
82
37
|
end
|
83
38
|
|
84
|
-
|
85
|
-
#
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
msg = "The server presented a SSL certificate chain which does not include a " <<
|
92
|
-
"CA listed in the ssl_client_ca_auth file. "
|
93
|
-
msg << "Authorized Issuers: #{authz_ca_certs.collect {|c| c.subject}.join(', ')} " <<
|
94
|
-
"Peer Chain: #{descending_cert_chain.collect {|c| c.subject}.join(' => ')}"
|
95
|
-
@verify_errors << msg
|
96
|
-
false
|
97
|
-
else
|
98
|
-
true
|
99
|
-
end
|
39
|
+
# Contains the result of validation
|
40
|
+
# @return [Array<String>, nil] nil, empty Array, or Array with messages
|
41
|
+
#
|
42
|
+
# @api public
|
43
|
+
#
|
44
|
+
def verify_errors
|
45
|
+
raise NotImplementedError, "Concrete class should have implemented this method"
|
100
46
|
end
|
101
47
|
|
102
|
-
|
103
|
-
#
|
104
|
-
#
|
48
|
+
# Registers the connection to validate.
|
49
|
+
#
|
50
|
+
# @param [Net::HTTP] connection The connection to validate
|
51
|
+
#
|
52
|
+
# @return [void]
|
105
53
|
#
|
106
|
-
# @
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
peer_cert.verify(authz_cert.public_key)
|
111
|
-
end
|
112
|
-
end
|
54
|
+
# @api public
|
55
|
+
#
|
56
|
+
def setup_connection(connection)
|
57
|
+
raise NotImplementedError, "Concrete class should have implemented this method"
|
113
58
|
end
|
114
59
|
end
|
115
|
-
|
116
|
-
end
|
60
|
+
|
@@ -0,0 +1,153 @@
|
|
1
|
+
require 'openssl'
|
2
|
+
|
3
|
+
# Perform peer certificate verification against the known CA.
|
4
|
+
# If there is no CA information known, then no verification is performed
|
5
|
+
#
|
6
|
+
# @api private
|
7
|
+
#
|
8
|
+
class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
|
9
|
+
attr_reader :peer_certs
|
10
|
+
attr_reader :verify_errors
|
11
|
+
attr_reader :ssl_configuration
|
12
|
+
|
13
|
+
# Creates a new DefaultValidator, optionally with an SSL Configuration and SSL Host.
|
14
|
+
#
|
15
|
+
# @param [Puppet::SSL::Configuration] (a default configuration) ssl_configuration the SSL configuration to use
|
16
|
+
# @param [Puppet::SSL::Host] (Puppet::SSL::Host.localhost) the SSL host to use
|
17
|
+
#
|
18
|
+
# @api private
|
19
|
+
#
|
20
|
+
def initialize(
|
21
|
+
ssl_configuration = Puppet::SSL::Configuration.new(
|
22
|
+
Puppet[:localcacert], {
|
23
|
+
:ca_chain_file => Puppet[:ssl_client_ca_chain],
|
24
|
+
:ca_auth_file => Puppet[:ssl_client_ca_auth]
|
25
|
+
}),
|
26
|
+
ssl_host = Puppet::SSL::Host.localhost)
|
27
|
+
|
28
|
+
reset!
|
29
|
+
@ssl_configuration = ssl_configuration
|
30
|
+
@ssl_host = ssl_host
|
31
|
+
end
|
32
|
+
|
33
|
+
|
34
|
+
# Resets this validator to its initial validation state. The ssl configuration is not changed.
|
35
|
+
#
|
36
|
+
# @api private
|
37
|
+
#
|
38
|
+
def reset!
|
39
|
+
@peer_certs = []
|
40
|
+
@verify_errors = []
|
41
|
+
end
|
42
|
+
|
43
|
+
# Performs verification of the SSL connection and collection of the
|
44
|
+
# certificates for use in constructing the error message if the verification
|
45
|
+
# failed. This callback will be executed once for each certificate in a
|
46
|
+
# chain being verified.
|
47
|
+
#
|
48
|
+
# From the [OpenSSL
|
49
|
+
# documentation](http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html):
|
50
|
+
# The `verify_callback` function is used to control the behaviour when the
|
51
|
+
# SSL_VERIFY_PEER flag is set. It must be supplied by the application and
|
52
|
+
# receives two arguments: preverify_ok indicates, whether the verification of
|
53
|
+
# the certificate in question was passed (preverify_ok=1) or not
|
54
|
+
# (preverify_ok=0). x509_ctx is a pointer to the complete context used for
|
55
|
+
# the certificate chain verification.
|
56
|
+
#
|
57
|
+
# See {Puppet::Network::HTTP::Connection} for more information and where this
|
58
|
+
# class is intended to be used.
|
59
|
+
#
|
60
|
+
# @param [Boolean] preverify_ok indicates whether the verification of the
|
61
|
+
# certificate in question was passed (preverify_ok=true)
|
62
|
+
# @param [OpenSSL::SSL::SSLContext] ssl_context holds the SSLContext for the
|
63
|
+
# chain being verified.
|
64
|
+
#
|
65
|
+
# @return [Boolean] false if the peer is invalid, true otherwise.
|
66
|
+
#
|
67
|
+
# @api private
|
68
|
+
#
|
69
|
+
def call(preverify_ok, ssl_context)
|
70
|
+
# We must make a copy since the scope of the ssl_context will be lost
|
71
|
+
# across invocations of this method.
|
72
|
+
current_cert = ssl_context.current_cert
|
73
|
+
@peer_certs << Puppet::SSL::Certificate.from_instance(current_cert)
|
74
|
+
|
75
|
+
if preverify_ok
|
76
|
+
# If we've copied all of the certs in the chain out of the SSL library
|
77
|
+
if @peer_certs.length == ssl_context.chain.length
|
78
|
+
# (#20027) The peer cert must be issued by a specific authority
|
79
|
+
preverify_ok = valid_peer?
|
80
|
+
end
|
81
|
+
else
|
82
|
+
if ssl_context.error_string
|
83
|
+
@verify_errors << "#{ssl_context.error_string} for #{current_cert.subject}"
|
84
|
+
end
|
85
|
+
end
|
86
|
+
preverify_ok
|
87
|
+
rescue => ex
|
88
|
+
@verify_errors << ex.message
|
89
|
+
false
|
90
|
+
end
|
91
|
+
|
92
|
+
# Registers the instance's call method with the connection.
|
93
|
+
#
|
94
|
+
# @param [Net::HTTP] connection The connection to validate
|
95
|
+
#
|
96
|
+
# @return [void]
|
97
|
+
#
|
98
|
+
# @api private
|
99
|
+
#
|
100
|
+
def setup_connection(connection)
|
101
|
+
if ssl_certificates_are_present?
|
102
|
+
connection.cert_store = @ssl_host.ssl_store
|
103
|
+
connection.ca_file = @ssl_configuration.ca_auth_file
|
104
|
+
connection.cert = @ssl_host.certificate.content
|
105
|
+
connection.key = @ssl_host.key.content
|
106
|
+
connection.verify_mode = OpenSSL::SSL::VERIFY_PEER
|
107
|
+
connection.verify_callback = self
|
108
|
+
else
|
109
|
+
connection.verify_mode = OpenSSL::SSL::VERIFY_NONE
|
110
|
+
end
|
111
|
+
end
|
112
|
+
|
113
|
+
# Validates the peer certificates against the authorized certificates.
|
114
|
+
#
|
115
|
+
# @api private
|
116
|
+
#
|
117
|
+
def valid_peer?
|
118
|
+
descending_cert_chain = @peer_certs.reverse.map {|c| c.content }
|
119
|
+
authz_ca_certs = ssl_configuration.ca_auth_certificates
|
120
|
+
|
121
|
+
if not has_authz_peer_cert(descending_cert_chain, authz_ca_certs)
|
122
|
+
msg = "The server presented a SSL certificate chain which does not include a " <<
|
123
|
+
"CA listed in the ssl_client_ca_auth file. "
|
124
|
+
msg << "Authorized Issuers: #{authz_ca_certs.collect {|c| c.subject}.join(', ')} " <<
|
125
|
+
"Peer Chain: #{descending_cert_chain.collect {|c| c.subject}.join(' => ')}"
|
126
|
+
@verify_errors << msg
|
127
|
+
false
|
128
|
+
else
|
129
|
+
true
|
130
|
+
end
|
131
|
+
end
|
132
|
+
|
133
|
+
# Checks if the set of peer_certs contains at least one certificate issued
|
134
|
+
# by a certificate listed in authz_certs
|
135
|
+
#
|
136
|
+
# @return [Boolean]
|
137
|
+
#
|
138
|
+
# @api private
|
139
|
+
#
|
140
|
+
def has_authz_peer_cert(peer_certs, authz_certs)
|
141
|
+
peer_certs.any? do |peer_cert|
|
142
|
+
authz_certs.any? do |authz_cert|
|
143
|
+
peer_cert.verify(authz_cert.public_key)
|
144
|
+
end
|
145
|
+
end
|
146
|
+
end
|
147
|
+
|
148
|
+
# @api private
|
149
|
+
#
|
150
|
+
def ssl_certificates_are_present?
|
151
|
+
Puppet::FileSystem::File.exist?(Puppet[:hostcert]) && Puppet::FileSystem::File.exist?(@ssl_configuration.ca_auth_file)
|
152
|
+
end
|
153
|
+
end
|
@@ -0,0 +1,17 @@
|
|
1
|
+
# Performs no SSL verification
|
2
|
+
# @api private
|
3
|
+
#
|
4
|
+
class Puppet::SSL::Validator::NoValidator < Puppet::SSL::Validator
|
5
|
+
|
6
|
+
def setup_connection(connection)
|
7
|
+
connection.verify_mode = OpenSSL::SSL::VERIFY_NONE
|
8
|
+
end
|
9
|
+
|
10
|
+
def peer_certs
|
11
|
+
[]
|
12
|
+
end
|
13
|
+
|
14
|
+
def verify_errors
|
15
|
+
[]
|
16
|
+
end
|
17
|
+
end
|
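Review bot: `setup_connection` in `DefaultValidator` fails open: when `ssl_certificates_are_present?` is false it sets `connection.verify_mode = OpenSSL::SSL::VERIFY_NONE` without any record that peer verification was skipped, so a missing or mistyped `hostcert`/`ca_auth_file` silently turns off TLS authentication for that connection. At minimum the else branch should announce the downgrade, e.g. `Puppet.warning "No host certificate or CA file found; SSL peer verification disabled for this connection"`, and the docstring should state that the validator performs no verification in that case. The YARD on `self.default_validator` says it "produces a validator that performs no validation", which looks copy-pasted from `no_validator` and should read "performs the default Puppet validation". The `call` docs type `ssl_context` as `OpenSSL::SSL::SSLContext`, but the body calls `current_cert`, `chain` and `error_string`, which are `OpenSSL::X509::StoreContext` methods — presumably the verify callback receives a store context, so the `@param` type should be corrected. The class line `class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator` carries a commented-out superclass while `NoValidator` does inherit from `Puppet::SSL::Validator`; either inherit consistently or drop the dead comment.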