puppet 6.0.2-x64-mingw32 → 6.0.3-x64-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e053828faf765966e64c51136676ef6ee915dcc269547e8c71c8048f101edfa6
-  data.tar.gz: 195b6fa4e1c290e29ad1f43dabe7d27fc6b0d1fc0a146309876fdbb9a3add254
+  metadata.gz: a67271495eaea48fc89ae4c8cdb8208beacac5c47146d133198e64e0a16a25f0
+  data.tar.gz: 3508f4a5fd1a47cce80bd7512d2482c3c4a4c3fbb905fa5cc307b6ba5cd44495
 SHA512:
-  metadata.gz: 5cc1d052f3b048e9702da1a9fd0191ffb9cf3c8b2fb029aca7bb91581ab49fffdbb39a90c50d8af99d6a7b6801890acd0d446dd8c29450672a4b9eb2a882d3ac
-  data.tar.gz: 22196881676f376bc96ba2cfce9a9d18b8437a49684a78a027551c295700c0e98aa05f8acb9b4dcf43b83ba1bc32fde8d3eab947d888927c596c6e16ac91d534
+  metadata.gz: 315a4715592973a6c29b8b6886693cb4aef2787536286664d29c7fc77d8e68b13f52c4df8d970d329580ccd247aaa178e61fc038a5a180e180f82991fa3d1e5f
+  data.tar.gz: cbf30f9c83d6a736baef4f0b452db5276d8c7493ef6cb557a85b08cd4dba8652dc87116747e8abe4520c5782902c1f165e11f87338865b55daa5e09d7dfbbf9a

data/Gemfile

@@ -31,13 +31,13 @@ group(:features) do
   # gem 'ruby-augeas', require: false, platforms: [:ruby]
   # requires native ldap headers/libs
   # gem 'ruby-ldap', '~> 0.9', require: false, platforms: [:ruby]
-  gem 'puppetserver-ca', '~> 0.5', require: false
+  gem 'puppetserver-ca', '~> 1.1', require: false
 end
 
 group(:test) do
   gem "json-schema", "~> 2.0", require: false
   gem "mocha", '~> 1.5.0', require: false
-  gem "rake", '~> 12.2.1', require: false
+  gem "rake", *location_for(ENV['RAKE_LOCATION'] || '~> 12.2')
   gem "rspec", "~> 3.1", require: false
   gem "rspec-its", "~> 1.1", require: false
   gem "rspec-collection_matchers", "~> 1.1", require: false

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    puppet (6.0.2)
+    puppet (6.0.3)
       CFPropertyList (~> 2.2)
       facter (>= 2.0.1, < 4)
       fast_gettext (~> 1.1.2)
@@ -41,10 +41,10 @@ GEM
     hocon (1.2.5)
     hpricot (0.8.6)
     httpclient (2.8.3)
-    json-schema (2.8.0)
+    json-schema (2.8.1)
       addressable (>= 2.4)
     locale (2.1.2)
-    memory_profiler (0.9.11)
+    memory_profiler (0.9.12)
     metaclass (0.0.4)
     method_source (0.9.0)
     minitar (0.6.1)
@@ -52,10 +52,10 @@ GEM
       metaclass (~> 0.0.1)
     msgpack (1.2.4)
     multi_json (1.13.1)
-    mustache (1.0.5)
-    packaging (0.99.8)
+    mustache (1.1.0)
+    packaging (0.99.16)
       artifactory
-      rake (~> 12.2.1)
+      rake (~> 12.3)
     parallel (1.12.1)
     parser (2.5.1.2)
       ast (~> 2.4.0)
@@ -66,12 +66,12 @@ GEM
     public_suffix (3.0.3)
     puppet-resource_api (1.6.0)
       hocon (>= 1.0)
-    puppetserver-ca (0.7.0)
+    puppetserver-ca (1.1.1)
       facter (>= 2.0.1, < 4)
     racc (1.4.9)
     rainbow (2.2.2)
       rake
-    rake (12.2.1)
+    rake (12.3.1)
     rdiscount (2.2.0.1)
     rdoc (6.0.4)
     ronn (0.7.3)
@@ -86,7 +86,7 @@ GEM
       rspec-expectations (>= 2.99.0.beta1)
     rspec-core (3.8.0)
       rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.1)
+    rspec-expectations (3.8.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.8.0)
     rspec-its (1.2.0)
@@ -136,9 +136,9 @@ DEPENDENCIES
   pry
   puppet!
   puppet-resource_api (~> 1.5)
-  puppetserver-ca (~> 0.5)
+  puppetserver-ca (~> 1.1)
   racc (= 1.4.9)
-  rake (~> 12.2.1)
+  rake (~> 12.2)
   rdoc (~> 6.0)
   ronn (~> 0.7.3)
   rspec (~> 3.1)

data/lib/puppet/application.rb

@@ -395,6 +395,8 @@ class Application
   end
 
   def setup_logs
+    handle_logdest_arg(Puppet[:logdest])
+
     unless options[:setdest]
       if options[:debug] || options[:verbose]
         Puppet::Util::Log.newdestination(:console)
@@ -416,7 +418,10 @@ class Application
   end
 
   def handle_logdest_arg(arg)
+    return if options[:setdest] || arg.nil?
+
     begin
+      Puppet[:logdest] = arg
       Puppet::Util::Log.newdestination(arg)
       options[:setdest] = true
     rescue => detail

data/lib/puppet/application/apply.rb

@@ -283,6 +283,7 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
 
     exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
 
+    handle_logdest_arg(Puppet[:logdest])
     Puppet::Util::Log.newdestination(:console) unless options[:setdest]
 
     Signal.trap(:INT) do

data/lib/puppet/application/script.rb

@@ -229,9 +229,9 @@ Copyright (c) 2017 Puppet Inc., LLC Licensed under the Apache 2.0 License
   end
 
   def setup
-
     exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
 
+    handle_logdest_arg(Puppet[:logdest])
     Puppet::Util::Log.newdestination(:console) unless options[:setdest]
 
     Signal.trap(:INT) do

data/lib/puppet/application/ssl.rb

@@ -2,6 +2,9 @@ require 'puppet/application'
 require 'puppet/ssl/oids'
 
 class Puppet::Application::Ssl < Puppet::Application
+
+  run_mode :agent
+
   def summary
     _("Manage SSL keys and certificates for puppet SSL clients")
   end
@@ -13,41 +16,68 @@ puppet-ssl(8) -- #{summary}
 
 SYNOPSIS
 --------
-Manage SSL keys and certificates for an SSL clients needed
+Manage SSL keys and certificates for SSL clients needing
 to communicate with a puppet infrastructure.
 
 USAGE
 -----
-puppet ssl <action> [--certname <NAME>]
+puppet ssl <action> [-h|--help] [-v|--verbose] [-d|--debug] [--localca]
+
+
+OPTIONS
+-------
+
+* --help:
+  Print this help messsge.
+
+* --verbose:
+  Print extra information.
+
+* --debug:
+  Enable full debugging.
+
+* --localca
+  Also clean the local CA certificate and CRL.
+
 
 ACTIONS
 -------
 
 * submit_request:
-  Generate a certificate signing request (CSR) and submit it to the CA. If a private and
-  public key pair already exist, they will be used to generate the CSR. Otherwise a new
-  key pair will be generated. If a CSR has already been submitted with the given `certname`,
-  then the operation will fail.
+  Generate a certificate signing request (CSR) and submit it to the CA. If
+  a private and public key pair already exist, they will be used to generate
+  the CSR. Otherwise a new key pair will be generated. If a CSR has already
+  been submitted with the given `certname`, then the operation will fail.
 
 * download_cert:
-  Download a certificate for this host. If the current private key matches the downloaded
-  certificate, then the certificate will be saved and used for subsequent requests. If
-  there is already an existing certificate, it will be overwritten.
+  Download a certificate for this host. If the current private key matches
+  the downloaded certificate, then the certificate will be saved and used
+  for subsequent requests. If there is already an existing certificate, it
+  will be overwritten.
 
 * verify:
-  Verify the private key and certificate are present and match, verify the certificate is
-  issued by a trusted CA, and check revocation status.
+  Verify the private key and certificate are present and match, verify the
+  certificate is issued by a trusted CA, and check revocation status.
+
+* clean:
+  Remove the private key and certificate related files for this host. If
+  `--localca` is specified, then also remove this host's local copy of the
+  CA certificate(s) and CRL bundle.
 HELP
   end
 
-  option('--certname NAME') do |arg|
-    options[:certname] = arg
+  option('--localca')
+  option('--verbose', '-v')
+  option('--debug', '-d')
+
+  def setup_logs
+    set_log_level(options)
+    Puppet::Util::Log.newdestination(:console)
   end
 
   def main
     if command_line.args.empty?
-      puts help
-      exit(1)
+      raise Puppet::Error, _("An action must be specified.")
     end
 
     Puppet.settings.use(:main, :agent)
@@ -57,77 +87,117 @@ HELP
     case action
     when 'submit_request'
       submit_request(host)
-      download_cert(host)
+      cert = download_cert(host)
+      unless cert
+        Puppet.info _("The certificate for '%{name}' has not yet been signed") % { name: host.name }
+      end
     when 'download_cert'
-      download_cert(host)
+      cert = download_cert(host)
+      unless cert
+        raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: host.name }
+      end
     when 'verify'
       verify(host)
+    when 'clean'
+      clean(host)
     else
-      puts "Unknown action '#{action}'"
-      exit(1)
+      raise Puppet::Error, _("Unknown action '%{action}'") % { action: action }
     end
-
-    exit(0)
   end
 
   def submit_request(host)
     host.ensure_ca_certificate
 
     host.submit_request
-    puts "Submitted certificate request for '#{host.name}' to https://#{Puppet[:ca_server]}:#{Puppet[:ca_port]}"
+    Puppet.notice _("Submitted certificate request for '%{name}' to https://%{server}:%{port}") % {
+      name: host.name, server: Puppet[:ca_server], port: Puppet[:ca_port]
+    }
   rescue => e
-    puts "Failed to submit certificate request: #{e.message}"
-    exit(1)
+    raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
   end
 
   def download_cert(host)
     host.ensure_ca_certificate
 
-    puts "Downloading certificate '#{host.name}' from https://#{Puppet[:ca_server]}:#{Puppet[:ca_port]}"
-    if cert = host.download_host_certificate
-      puts "Downloaded certificate '#{host.name}' with fingerprint #{cert.fingerprint}"
-    else
-      puts "No certificate for '#{host.name}' on CA"
-    end
+    Puppet.info _("Downloading certificate '%{name}' from https://%{server}:%{port}") % {
+      name: host.name, server: Puppet[:ca_server], port: Puppet[:ca_port]
+    }
+    cert = host.download_host_certificate
+    return unless cert
+
+    Puppet.notice _("Downloaded certificate '%{name}' with fingerprint %{fingerprint}") % {
+      name: host.name, fingerprint: cert.fingerprint
+    }
+    cert
   rescue => e
-    puts "Failed to download certificate: #{e.message}"
-    exit(1)
+    raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
   end
 
   def verify(host)
     host.ensure_ca_certificate
 
     key = host.key
-    unless key
-      puts "The host's private key is missing"
-      exit(1)
-    end
+    raise _("The host's private key is missing") unless key
 
     cert = host.check_for_certificate_on_disk(host.name)
-    unless cert
-      puts "The host's certificate is missing"
-      exit(1)
-    end
+    raise _("The host's certificate is missing") unless cert
 
     if cert.content.public_key.to_pem != key.content.public_key.to_pem
-      puts "The host's key does not match the certificate"
-      exit(1)
+      raise _("The host's key does not match the certificate")
     end
 
     store = host.ssl_store
     unless store.verify(cert.content)
-      puts "Failed to verify certificate '#{host.name}': #{store.error_string} (#{store.error})"
-      exit(1)
+      raise _("Failed to verify certificate '%{name}': %{message} (%{error})") % {
+        name: host.name, message: store.error_string, error: store.error
+      }
     end
 
-    puts "Verified certificate '#{host.name}'"
+    Puppet.notice _("Verified certificate '%{name}'") % {
+      name: host.name
+    }
     # store.chain.reverse.each_with_index do |issuer, i|
     #   indent = "  " * (i+1)
-    #   puts "#{indent}#{issuer.subject.to_s}"
+    #   Puppet.notice "#{indent}#{issuer.subject.to_s}"
     # end
-    exit(0)
   rescue => e
-    puts "Verify failed: #{e.message}"
-    exit(1)
+    raise Puppet::Error.new(_("Verify failed: %{message}") % { message: e.message }, e)
+  end
+
+  def clean(host)
+    # make sure cert has been removed from the CA
+    if Puppet[:certname] == Puppet[:ca_server]
+      cert =
+        begin
+          host.download_certificate_from_ca(Puppet[:certname])
+        rescue => e
+          raise Puppet::Error.new(_("Failed to connect to the CA to determine if certificate %{certname} has been cleaned") % { certname: Puppet[:certname] }, e)
+        end
+
+      if cert
+        raise Puppet::Error, _(<<END) % { certname: Puppet[:certname] }
+The certificate %{certname} must be cleaned from the CA first. To fix this,
+run the following commands on the CA:
+  puppetserver ca clean --certname %{certname}
+  puppet ssl clean
+END
+      end
+    end
+
+    settings = {
+      hostprivkey: 'private key',
+      hostpubkey: 'public key',
+      hostcsr: 'certificate request',
+      hostcert: 'certificate',
+      passfile: 'private key password file'
+    }
+    settings.merge!(localcacert: 'local CA certificate', hostcrl: 'local CRL') if options[:localca]
+    settings.each_pair do |setting, label|
+      path = Puppet[setting]
+      if Puppet::FileSystem.exist?(path)
+        Puppet::FileSystem.unlink(path)
+        Puppet.notice _("Removed %{label} %{path}") % { label: label, path: path }
+      end
+    end
   end
 end

data/lib/puppet/defaults.rb

@@ -963,6 +963,15 @@ EOT
           }
         end
       end
+    },
+    :logdest => {
+      :type      => :string,
+      :desc      => "Where to send log messages. Choose between 'syslog' (the POSIX syslog
+      service), 'eventlog' (the Windows Event Log), 'console', or the path to a log
+      file."
+      # Sure would be nice to set the Puppet::Util::Log destination here in an :on_initialize_and_write hook,
+      # unfortunately we have a large number of tests that rely on the logging not resetting itself when the
+      # settings are initialized as they test what gets logged during settings initialization.
     }
   )
 
@@ -975,65 +984,41 @@ EOT
     :cadir => {
       :default => "$ssldir/ca",
       :type => :directory,
-      :owner => "service",
-      :group => "service",
-      :mode => "0755",
       :desc => "The root directory for the certificate authority.",
     },
     :cacert => {
       :default => "$cadir/ca_crt.pem",
       :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0644",
       :desc => "The CA certificate.",
     },
     :cakey => {
       :default => "$cadir/ca_key.pem",
       :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0640",
       :desc => "The CA private key.",
     },
     :capub => {
       :default => "$cadir/ca_pub.pem",
       :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0644",
       :desc => "The CA public key.",
     },
     :cacrl => {
       :default => "$cadir/ca_crl.pem",
       :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0644",
       :desc => "The certificate revocation list (CRL) for the CA.",
     },
     :csrdir => {
       :default => "$cadir/requests",
       :type => :directory,
-      :owner => "service",
-      :group => "service",
-      :mode  => "0755",
       :desc => "Where the CA stores certificate requests.",
     },
     :signeddir => {
       :default => "$cadir/signed",
       :type => :directory,
-      :owner => "service",
-      :group => "service",
-      :mode => "0755",
       :desc => "Where the CA stores signed certificates.",
     },
     :serial => {
       :default => "$cadir/serial",
       :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0644",
       :desc => "Where the serial number for certificates is stored.",
     },
     :autosign => {
@@ -1082,9 +1067,6 @@ EOT
     :cert_inventory => {
       :default => "$cadir/inventory.txt",
       :type => :file,
-      :mode => "0644",
-      :owner => "service",
-      :group => "service",
       :desc => "The inventory file. This is a text file to which the CA writes a
         complete listing of all certificates.",
     }