puppet 6.0.2-x86-mingw32 → 6.0.3-x86-mingw32
- checksums.yaml +4 -4
- data/Gemfile +2 -2
- data/Gemfile.lock +11 -11
- data/lib/puppet/application.rb +5 -0
- data/lib/puppet/application/apply.rb +1 -0
- data/lib/puppet/application/script.rb +1 -1
- data/lib/puppet/application/ssl.rb +119 -49
- data/lib/puppet/defaults.rb +9 -27
- data/lib/puppet/face/node/clean.rb +0 -1
- data/lib/puppet/feature/base.rb +1 -1
- data/lib/puppet/file_serving/fileset.rb +1 -1
- data/lib/puppet/pops/validation/checker4_0.rb +4 -2
- data/lib/puppet/provider/package/windows.rb +2 -2
- data/lib/puppet/provider/package/windows/exe_package.rb +3 -10
- data/lib/puppet/provider/service/windows.rb +11 -3
- data/lib/puppet/provider/user/useradd.rb +2 -10
- data/lib/puppet/resource/catalog.rb +1 -5
- data/lib/puppet/ssl/host.rb +7 -9
- data/lib/puppet/transaction/persistence.rb +1 -1
- data/lib/puppet/type/package.rb +1 -1
- data/lib/puppet/type/user.rb +4 -1
- data/lib/puppet/util.rb +7 -3
- data/lib/puppet/util/execution.rb +1 -0
- data/lib/puppet/util/logging.rb +3 -2
- data/lib/puppet/util/windows/process.rb +6 -2
- data/lib/puppet/util/windows/security.rb +14 -0
- data/lib/puppet/util/windows/service.rb +217 -74
- data/lib/puppet/util/windows/user.rb +3 -5
- data/lib/puppet/version.rb +1 -1
- data/locales/ja/puppet.po +505 -276
- data/locales/puppet.pot +250 -111
- data/man/man5/puppet.conf.5 +8 -1
- data/man/man8/puppet-ssl.8 +22 -2
- data/man/man8/puppet.8 +1 -1
- data/spec/integration/parser/collection_spec.rb +4 -8
- data/spec/integration/type/file_spec.rb +6 -6
- data/spec/integration/util/windows/security_spec.rb +10 -7
- data/spec/integration/util/windows/user_spec.rb +37 -17
- data/spec/lib/puppet/test_ca.rb +1 -1
- data/spec/unit/agent_spec.rb +2 -2
- data/spec/unit/application/apply_spec.rb +41 -2
- data/spec/unit/application/face_base_spec.rb +1 -1
- data/spec/unit/application/ssl_spec.rb +160 -110
- data/spec/unit/application_spec.rb +29 -11
- data/spec/unit/configurer/downloader_spec.rb +1 -1
- data/spec/unit/configurer_spec.rb +5 -5
- data/spec/unit/face/node_spec.rb +1 -3
- data/spec/unit/file_serving/fileset_spec.rb +11 -11
- data/spec/unit/network/http/connection_spec.rb +2 -2
- data/spec/unit/pops/validator/validator_spec.rb +24 -10
- data/spec/unit/provider/package/windows/exe_package_spec.rb +3 -3
- data/spec/unit/provider/package/windows_spec.rb +4 -4
- data/spec/unit/provider/service/windows_spec.rb +21 -3
- data/spec/unit/provider/user/useradd_spec.rb +2 -2
- data/spec/unit/resource/catalog_spec.rb +2 -2
- data/spec/unit/ssl/host_spec.rb +1 -1
- data/spec/unit/transaction/persistence_spec.rb +4 -4
- data/spec/unit/util/execution_spec.rb +19 -1
- data/spec/unit/util/logging_spec.rb +58 -0
- data/spec/unit/util/windows/service_spec.rb +344 -191
- metadata +2 -2
    
        checksums.yaml
    CHANGED
    
    | @@ -1,7 +1,7 @@ | |
| 1 1 | 
             
            ---
         | 
| 2 2 | 
             
            SHA256:
         | 
| 3 | 
            -
              metadata.gz:  | 
| 4 | 
            -
              data.tar.gz:  | 
| 3 | 
            +
              metadata.gz: 3c027a67a06e90c28b99cc8ccaba07553ca8e073826aa6e2cbc6df0888d0e01e
         | 
| 4 | 
            +
              data.tar.gz: 74b3b2ee968e518cd9e86765bae45fd74b0e570f0aa04f5e068a45285dffbc29
         | 
| 5 5 | 
             
            SHA512:
         | 
| 6 | 
            -
              metadata.gz:  | 
| 7 | 
            -
              data.tar.gz:  | 
| 6 | 
            +
              metadata.gz: 6e13e52e19a5bd6cd7e89355bc865ec226a7bca2a451394beb29682b208eefd63ba4d93ceb51ce5063803d57cc612aa8acdcbaaddf9761892bc2e6a23db77792
         | 
| 7 | 
            +
              data.tar.gz: 389df41f106eb96aa51294d751b01192089e582724ec59d3ba4a8628f70ee777c65eba500d4a5f6402f04bf8c5ed7531bb0a12d20094738b6c42d0458bd3d7ee
         | 
    
        data/Gemfile
    CHANGED
    
    | @@ -31,13 +31,13 @@ group(:features) do | |
| 31 31 | 
             
              # gem 'ruby-augeas', require: false, platforms: [:ruby]
         | 
| 32 32 | 
             
              # requires native ldap headers/libs
         | 
| 33 33 | 
             
              # gem 'ruby-ldap', '~> 0.9', require: false, platforms: [:ruby]
         | 
| 34 | 
            -
              gem 'puppetserver-ca', '~>  | 
| 34 | 
            +
              gem 'puppetserver-ca', '~> 1.1', require: false
         | 
| 35 35 | 
             
            end
         | 
| 36 36 |  | 
| 37 37 | 
             
            group(:test) do
         | 
| 38 38 | 
             
              gem "json-schema", "~> 2.0", require: false
         | 
| 39 39 | 
             
              gem "mocha", '~> 1.5.0', require: false
         | 
| 40 | 
            -
              gem "rake", '~> 12.2 | 
| 40 | 
            +
              gem "rake", *location_for(ENV['RAKE_LOCATION'] || '~> 12.2')
         | 
| 41 41 | 
             
              gem "rspec", "~> 3.1", require: false
         | 
| 42 42 | 
             
              gem "rspec-its", "~> 1.1", require: false
         | 
| 43 43 | 
             
              gem "rspec-collection_matchers", "~> 1.1", require: false
         | 
    
        data/Gemfile.lock
    CHANGED
    
    | @@ -1,7 +1,7 @@ | |
| 1 1 | 
             
            PATH
         | 
| 2 2 | 
             
              remote: .
         | 
| 3 3 | 
             
              specs:
         | 
| 4 | 
            -
                puppet (6.0. | 
| 4 | 
            +
                puppet (6.0.3)
         | 
| 5 5 | 
             
                  CFPropertyList (~> 2.2)
         | 
| 6 6 | 
             
                  facter (>= 2.0.1, < 4)
         | 
| 7 7 | 
             
                  fast_gettext (~> 1.1.2)
         | 
| @@ -41,10 +41,10 @@ GEM | |
| 41 41 | 
             
                hocon (1.2.5)
         | 
| 42 42 | 
             
                hpricot (0.8.6)
         | 
| 43 43 | 
             
                httpclient (2.8.3)
         | 
| 44 | 
            -
                json-schema (2.8. | 
| 44 | 
            +
                json-schema (2.8.1)
         | 
| 45 45 | 
             
                  addressable (>= 2.4)
         | 
| 46 46 | 
             
                locale (2.1.2)
         | 
| 47 | 
            -
                memory_profiler (0.9. | 
| 47 | 
            +
                memory_profiler (0.9.12)
         | 
| 48 48 | 
             
                metaclass (0.0.4)
         | 
| 49 49 | 
             
                method_source (0.9.0)
         | 
| 50 50 | 
             
                minitar (0.6.1)
         | 
| @@ -52,10 +52,10 @@ GEM | |
| 52 52 | 
             
                  metaclass (~> 0.0.1)
         | 
| 53 53 | 
             
                msgpack (1.2.4)
         | 
| 54 54 | 
             
                multi_json (1.13.1)
         | 
| 55 | 
            -
                mustache (1.0 | 
| 56 | 
            -
                packaging (0.99. | 
| 55 | 
            +
                mustache (1.1.0)
         | 
| 56 | 
            +
                packaging (0.99.16)
         | 
| 57 57 | 
             
                  artifactory
         | 
| 58 | 
            -
                  rake (~> 12. | 
| 58 | 
            +
                  rake (~> 12.3)
         | 
| 59 59 | 
             
                parallel (1.12.1)
         | 
| 60 60 | 
             
                parser (2.5.1.2)
         | 
| 61 61 | 
             
                  ast (~> 2.4.0)
         | 
| @@ -66,12 +66,12 @@ GEM | |
| 66 66 | 
             
                public_suffix (3.0.3)
         | 
| 67 67 | 
             
                puppet-resource_api (1.6.0)
         | 
| 68 68 | 
             
                  hocon (>= 1.0)
         | 
| 69 | 
            -
                puppetserver-ca ( | 
| 69 | 
            +
                puppetserver-ca (1.1.1)
         | 
| 70 70 | 
             
                  facter (>= 2.0.1, < 4)
         | 
| 71 71 | 
             
                racc (1.4.9)
         | 
| 72 72 | 
             
                rainbow (2.2.2)
         | 
| 73 73 | 
             
                  rake
         | 
| 74 | 
            -
                rake (12. | 
| 74 | 
            +
                rake (12.3.1)
         | 
| 75 75 | 
             
                rdiscount (2.2.0.1)
         | 
| 76 76 | 
             
                rdoc (6.0.4)
         | 
| 77 77 | 
             
                ronn (0.7.3)
         | 
| @@ -86,7 +86,7 @@ GEM | |
| 86 86 | 
             
                  rspec-expectations (>= 2.99.0.beta1)
         | 
| 87 87 | 
             
                rspec-core (3.8.0)
         | 
| 88 88 | 
             
                  rspec-support (~> 3.8.0)
         | 
| 89 | 
            -
                rspec-expectations (3.8. | 
| 89 | 
            +
                rspec-expectations (3.8.2)
         | 
| 90 90 | 
             
                  diff-lcs (>= 1.2.0, < 2.0)
         | 
| 91 91 | 
             
                  rspec-support (~> 3.8.0)
         | 
| 92 92 | 
             
                rspec-its (1.2.0)
         | 
| @@ -136,9 +136,9 @@ DEPENDENCIES | |
| 136 136 | 
             
              pry
         | 
| 137 137 | 
             
              puppet!
         | 
| 138 138 | 
             
              puppet-resource_api (~> 1.5)
         | 
| 139 | 
            -
              puppetserver-ca (~>  | 
| 139 | 
            +
              puppetserver-ca (~> 1.1)
         | 
| 140 140 | 
             
              racc (= 1.4.9)
         | 
| 141 | 
            -
              rake (~> 12.2 | 
| 141 | 
            +
              rake (~> 12.2)
         | 
| 142 142 | 
             
              rdoc (~> 6.0)
         | 
| 143 143 | 
             
              ronn (~> 0.7.3)
         | 
| 144 144 | 
             
              rspec (~> 3.1)
         | 
    
        data/lib/puppet/application.rb
    CHANGED
    
    | @@ -395,6 +395,8 @@ class Application | |
| 395 395 | 
             
              end
         | 
| 396 396 |  | 
| 397 397 | 
             
              def setup_logs
         | 
| 398 | 
            +
                handle_logdest_arg(Puppet[:logdest])
         | 
| 399 | 
            +
             | 
| 398 400 | 
             
                unless options[:setdest]
         | 
| 399 401 | 
             
                  if options[:debug] || options[:verbose]
         | 
| 400 402 | 
             
                    Puppet::Util::Log.newdestination(:console)
         | 
| @@ -416,7 +418,10 @@ class Application | |
| 416 418 | 
             
              end
         | 
| 417 419 |  | 
| 418 420 | 
             
              def handle_logdest_arg(arg)
         | 
| 421 | 
            +
                return if options[:setdest] || arg.nil?
         | 
| 422 | 
            +
             | 
| 419 423 | 
             
                begin
         | 
| 424 | 
            +
                  Puppet[:logdest] = arg
         | 
| 420 425 | 
             
                  Puppet::Util::Log.newdestination(arg)
         | 
| 421 426 | 
             
                  options[:setdest] = true
         | 
| 422 427 | 
             
                rescue => detail
         | 
| @@ -283,6 +283,7 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License | |
| 283 283 |  | 
| 284 284 | 
             
                exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
         | 
| 285 285 |  | 
| 286 | 
            +
                handle_logdest_arg(Puppet[:logdest])
         | 
| 286 287 | 
             
                Puppet::Util::Log.newdestination(:console) unless options[:setdest]
         | 
| 287 288 |  | 
| 288 289 | 
             
                Signal.trap(:INT) do
         | 
| @@ -229,9 +229,9 @@ Copyright (c) 2017 Puppet Inc., LLC Licensed under the Apache 2.0 License | |
| 229 229 | 
             
              end
         | 
| 230 230 |  | 
| 231 231 | 
             
              def setup
         | 
| 232 | 
            -
             | 
| 233 232 | 
             
                exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
         | 
| 234 233 |  | 
| 234 | 
            +
                handle_logdest_arg(Puppet[:logdest])
         | 
| 235 235 | 
             
                Puppet::Util::Log.newdestination(:console) unless options[:setdest]
         | 
| 236 236 |  | 
| 237 237 | 
             
                Signal.trap(:INT) do
         | 
| @@ -2,6 +2,9 @@ require 'puppet/application' | |
| 2 2 | 
             
            require 'puppet/ssl/oids'
         | 
| 3 3 |  | 
| 4 4 | 
             
            class Puppet::Application::Ssl < Puppet::Application
         | 
| 5 | 
            +
             | 
| 6 | 
            +
              run_mode :agent
         | 
| 7 | 
            +
             | 
| 5 8 | 
             
              def summary
         | 
| 6 9 | 
             
                _("Manage SSL keys and certificates for puppet SSL clients")
         | 
| 7 10 | 
             
              end
         | 
| @@ -13,41 +16,68 @@ puppet-ssl(8) -- #{summary} | |
| 13 16 |  | 
| 14 17 | 
             
            SYNOPSIS
         | 
| 15 18 | 
             
            --------
         | 
| 16 | 
            -
            Manage SSL keys and certificates for  | 
| 19 | 
            +
            Manage SSL keys and certificates for SSL clients needing
         | 
| 17 20 | 
             
            to communicate with a puppet infrastructure.
         | 
| 18 21 |  | 
| 19 22 | 
             
            USAGE
         | 
| 20 23 | 
             
            -----
         | 
| 21 | 
            -
            puppet ssl <action> [ | 
| 24 | 
            +
            puppet ssl <action> [-h|--help] [-v|--verbose] [-d|--debug] [--localca]
         | 
| 25 | 
            +
             | 
| 26 | 
            +
             | 
| 27 | 
            +
            OPTIONS
         | 
| 28 | 
            +
            -------
         | 
| 29 | 
            +
             | 
| 30 | 
            +
            * --help:
         | 
| 31 | 
            +
              Print this help messsge.
         | 
| 32 | 
            +
             | 
| 33 | 
            +
            * --verbose:
         | 
| 34 | 
            +
              Print extra information.
         | 
| 35 | 
            +
             | 
| 36 | 
            +
            * --debug:
         | 
| 37 | 
            +
              Enable full debugging.
         | 
| 38 | 
            +
             | 
| 39 | 
            +
            * --localca
         | 
| 40 | 
            +
              Also clean the local CA certificate and CRL.
         | 
| 41 | 
            +
             | 
| 22 42 |  | 
| 23 43 | 
             
            ACTIONS
         | 
| 24 44 | 
             
            -------
         | 
| 25 45 |  | 
| 26 46 | 
             
            * submit_request:
         | 
| 27 | 
            -
              Generate a certificate signing request (CSR) and submit it to the CA. If | 
| 28 | 
            -
              public key pair already exist, they will be used to generate | 
| 29 | 
            -
              key pair will be generated. If a CSR has already | 
| 30 | 
            -
              then the operation will fail.
         | 
| 47 | 
            +
              Generate a certificate signing request (CSR) and submit it to the CA. If
         | 
| 48 | 
            +
              a private and public key pair already exist, they will be used to generate
         | 
| 49 | 
            +
              the CSR. Otherwise a new key pair will be generated. If a CSR has already
         | 
| 50 | 
            +
              been submitted with the given `certname`, then the operation will fail.
         | 
| 31 51 |  | 
| 32 52 | 
             
            * download_cert:
         | 
| 33 | 
            -
              Download a certificate for this host. If the current private key matches | 
| 34 | 
            -
              certificate, then the certificate will be saved and used | 
| 35 | 
            -
              there is already an existing certificate, it | 
| 53 | 
            +
              Download a certificate for this host. If the current private key matches
         | 
| 54 | 
            +
              the downloaded certificate, then the certificate will be saved and used
         | 
| 55 | 
            +
              for subsequent requests. If there is already an existing certificate, it
         | 
| 56 | 
            +
              will be overwritten.
         | 
| 36 57 |  | 
| 37 58 | 
             
            * verify:
         | 
| 38 | 
            -
              Verify the private key and certificate are present and match, verify the | 
| 39 | 
            -
              issued by a trusted CA, and check revocation status.
         | 
| 59 | 
            +
              Verify the private key and certificate are present and match, verify the
         | 
| 60 | 
            +
              certificate is issued by a trusted CA, and check revocation status.
         | 
| 61 | 
            +
             | 
| 62 | 
            +
            * clean:
         | 
| 63 | 
            +
              Remove the private key and certificate related files for this host. If
         | 
| 64 | 
            +
              `--localca` is specified, then also remove this host's local copy of the
         | 
| 65 | 
            +
              CA certificate(s) and CRL bundle.
         | 
| 40 66 | 
             
            HELP
         | 
| 41 67 | 
             
              end
         | 
| 42 68 |  | 
| 43 | 
            -
              option('-- | 
| 44 | 
            -
             | 
| 69 | 
            +
              option('--localca')
         | 
| 70 | 
            +
              option('--verbose', '-v')
         | 
| 71 | 
            +
              option('--debug', '-d')
         | 
| 72 | 
            +
             | 
| 73 | 
            +
              def setup_logs
         | 
| 74 | 
            +
                set_log_level(options)
         | 
| 75 | 
            +
                Puppet::Util::Log.newdestination(:console)
         | 
| 45 76 | 
             
              end
         | 
| 46 77 |  | 
| 47 78 | 
             
              def main
         | 
| 48 79 | 
             
                if command_line.args.empty?
         | 
| 49 | 
            -
                   | 
| 50 | 
            -
                  exit(1)
         | 
| 80 | 
            +
                  raise Puppet::Error, _("An action must be specified.")
         | 
| 51 81 | 
             
                end
         | 
| 52 82 |  | 
| 53 83 | 
             
                Puppet.settings.use(:main, :agent)
         | 
| @@ -57,77 +87,117 @@ HELP | |
| 57 87 | 
             
                case action
         | 
| 58 88 | 
             
                when 'submit_request'
         | 
| 59 89 | 
             
                  submit_request(host)
         | 
| 60 | 
            -
                  download_cert(host)
         | 
| 90 | 
            +
                  cert = download_cert(host)
         | 
| 91 | 
            +
                  unless cert
         | 
| 92 | 
            +
                    Puppet.info _("The certificate for '%{name}' has not yet been signed") % { name: host.name }
         | 
| 93 | 
            +
                  end
         | 
| 61 94 | 
             
                when 'download_cert'
         | 
| 62 | 
            -
                  download_cert(host)
         | 
| 95 | 
            +
                  cert = download_cert(host)
         | 
| 96 | 
            +
                  unless cert
         | 
| 97 | 
            +
                    raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: host.name }
         | 
| 98 | 
            +
                  end
         | 
| 63 99 | 
             
                when 'verify'
         | 
| 64 100 | 
             
                  verify(host)
         | 
| 101 | 
            +
                when 'clean'
         | 
| 102 | 
            +
                  clean(host)
         | 
| 65 103 | 
             
                else
         | 
| 66 | 
            -
                   | 
| 67 | 
            -
                  exit(1)
         | 
| 104 | 
            +
                  raise Puppet::Error, _("Unknown action '%{action}'") % { action: action }
         | 
| 68 105 | 
             
                end
         | 
| 69 | 
            -
             | 
| 70 | 
            -
                exit(0)
         | 
| 71 106 | 
             
              end
         | 
| 72 107 |  | 
| 73 108 | 
             
              def submit_request(host)
         | 
| 74 109 | 
             
                host.ensure_ca_certificate
         | 
| 75 110 |  | 
| 76 111 | 
             
                host.submit_request
         | 
| 77 | 
            -
                 | 
| 112 | 
            +
                Puppet.notice _("Submitted certificate request for '%{name}' to https://%{server}:%{port}") % {
         | 
| 113 | 
            +
                  name: host.name, server: Puppet[:ca_server], port: Puppet[:ca_port]
         | 
| 114 | 
            +
                }
         | 
| 78 115 | 
             
              rescue => e
         | 
| 79 | 
            -
                 | 
| 80 | 
            -
                exit(1)
         | 
| 116 | 
            +
                raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
         | 
| 81 117 | 
             
              end
         | 
| 82 118 |  | 
| 83 119 | 
             
              def download_cert(host)
         | 
| 84 120 | 
             
                host.ensure_ca_certificate
         | 
| 85 121 |  | 
| 86 | 
            -
                 | 
| 87 | 
            -
             | 
| 88 | 
            -
             | 
| 89 | 
            -
                 | 
| 90 | 
            -
             | 
| 91 | 
            -
             | 
| 122 | 
            +
                Puppet.info _("Downloading certificate '%{name}' from https://%{server}:%{port}") % {
         | 
| 123 | 
            +
                  name: host.name, server: Puppet[:ca_server], port: Puppet[:ca_port]
         | 
| 124 | 
            +
                }
         | 
| 125 | 
            +
                cert = host.download_host_certificate
         | 
| 126 | 
            +
                return unless cert
         | 
| 127 | 
            +
             | 
| 128 | 
            +
                Puppet.notice _("Downloaded certificate '%{name}' with fingerprint %{fingerprint}") % {
         | 
| 129 | 
            +
                  name: host.name, fingerprint: cert.fingerprint
         | 
| 130 | 
            +
                }
         | 
| 131 | 
            +
                cert
         | 
| 92 132 | 
             
              rescue => e
         | 
| 93 | 
            -
                 | 
| 94 | 
            -
                exit(1)
         | 
| 133 | 
            +
                raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
         | 
| 95 134 | 
             
              end
         | 
| 96 135 |  | 
| 97 136 | 
             
              def verify(host)
         | 
| 98 137 | 
             
                host.ensure_ca_certificate
         | 
| 99 138 |  | 
| 100 139 | 
             
                key = host.key
         | 
| 101 | 
            -
                unless key
         | 
| 102 | 
            -
                  puts "The host's private key is missing"
         | 
| 103 | 
            -
                  exit(1)
         | 
| 104 | 
            -
                end
         | 
| 140 | 
            +
                raise _("The host's private key is missing") unless key
         | 
| 105 141 |  | 
| 106 142 | 
             
                cert = host.check_for_certificate_on_disk(host.name)
         | 
| 107 | 
            -
                unless cert
         | 
| 108 | 
            -
                  puts "The host's certificate is missing"
         | 
| 109 | 
            -
                  exit(1)
         | 
| 110 | 
            -
                end
         | 
| 143 | 
            +
                raise _("The host's certificate is missing") unless cert
         | 
| 111 144 |  | 
| 112 145 | 
             
                if cert.content.public_key.to_pem != key.content.public_key.to_pem
         | 
| 113 | 
            -
                   | 
| 114 | 
            -
                  exit(1)
         | 
| 146 | 
            +
                  raise _("The host's key does not match the certificate")
         | 
| 115 147 | 
             
                end
         | 
| 116 148 |  | 
| 117 149 | 
             
                store = host.ssl_store
         | 
| 118 150 | 
             
                unless store.verify(cert.content)
         | 
| 119 | 
            -
                   | 
| 120 | 
            -
             | 
| 151 | 
            +
                  raise _("Failed to verify certificate '%{name}': %{message} (%{error})") % {
         | 
| 152 | 
            +
                    name: host.name, message: store.error_string, error: store.error
         | 
| 153 | 
            +
                  }
         | 
| 121 154 | 
             
                end
         | 
| 122 155 |  | 
| 123 | 
            -
                 | 
| 156 | 
            +
                Puppet.notice _("Verified certificate '%{name}'") % {
         | 
| 157 | 
            +
                  name: host.name
         | 
| 158 | 
            +
                }
         | 
| 124 159 | 
             
                # store.chain.reverse.each_with_index do |issuer, i|
         | 
| 125 160 | 
             
                #   indent = "  " * (i+1)
         | 
| 126 | 
            -
                #    | 
| 161 | 
            +
                #   Puppet.notice "#{indent}#{issuer.subject.to_s}"
         | 
| 127 162 | 
             
                # end
         | 
| 128 | 
            -
                exit(0)
         | 
| 129 163 | 
             
              rescue => e
         | 
| 130 | 
            -
                 | 
| 131 | 
            -
             | 
| 164 | 
            +
                raise Puppet::Error.new(_("Verify failed: %{message}") % { message: e.message }, e)
         | 
| 165 | 
            +
              end
         | 
| 166 | 
            +
             | 
| 167 | 
            +
              def clean(host)
         | 
| 168 | 
            +
                # make sure cert has been removed from the CA
         | 
| 169 | 
            +
                if Puppet[:certname] == Puppet[:ca_server]
         | 
| 170 | 
            +
                  cert =
         | 
| 171 | 
            +
                    begin
         | 
| 172 | 
            +
                      host.download_certificate_from_ca(Puppet[:certname])
         | 
| 173 | 
            +
                    rescue => e
         | 
| 174 | 
            +
                      raise Puppet::Error.new(_("Failed to connect to the CA to determine if certificate %{certname} has been cleaned") % { certname: Puppet[:certname] }, e)
         | 
| 175 | 
            +
                    end
         | 
| 176 | 
            +
             | 
| 177 | 
            +
                  if cert
         | 
| 178 | 
            +
                    raise Puppet::Error, _(<<END) % { certname: Puppet[:certname] }
         | 
| 179 | 
            +
            The certificate %{certname} must be cleaned from the CA first. To fix this,
         | 
| 180 | 
            +
            run the following commands on the CA:
         | 
| 181 | 
            +
              puppetserver ca clean --certname %{certname}
         | 
| 182 | 
            +
              puppet ssl clean
         | 
| 183 | 
            +
            END
         | 
| 184 | 
            +
                  end
         | 
| 185 | 
            +
                end
         | 
| 186 | 
            +
             | 
| 187 | 
            +
                settings = {
         | 
| 188 | 
            +
                  hostprivkey: 'private key',
         | 
| 189 | 
            +
                  hostpubkey: 'public key',
         | 
| 190 | 
            +
                  hostcsr: 'certificate request',
         | 
| 191 | 
            +
                  hostcert: 'certificate',
         | 
| 192 | 
            +
                  passfile: 'private key password file'
         | 
| 193 | 
            +
                }
         | 
| 194 | 
            +
                settings.merge!(localcacert: 'local CA certificate', hostcrl: 'local CRL') if options[:localca]
         | 
| 195 | 
            +
                settings.each_pair do |setting, label|
         | 
| 196 | 
            +
                  path = Puppet[setting]
         | 
| 197 | 
            +
                  if Puppet::FileSystem.exist?(path)
         | 
| 198 | 
            +
                    Puppet::FileSystem.unlink(path)
         | 
| 199 | 
            +
                    Puppet.notice _("Removed %{label} %{path}") % { label: label, path: path }
         | 
| 200 | 
            +
                  end
         | 
| 201 | 
            +
                end
         | 
| 132 202 | 
             
              end
         | 
| 133 203 | 
             
            end
         | 
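Review bot: The new `Puppet::Application::Ssl#setup_logs` (hunk `@@ -13,41 +16,68 @@`, new lines 73-76) overrides the base `setup_logs` and never calls `handle_logdest_arg`, so the `logdest` setting that the `application.rb` hunk starts honouring, and that the `@@ -283` and `@@ -229` hunks (apparently apply.rb and script.rb, whose file headers are missing from this section) wire in, is silently ignored for `puppet ssl`; unless that is intentional, mirror those hunks with `handle_logdest_arg(Puppet[:logdest])` followed by `Puppet::Util::Log.newdestination(:console) unless options[:setdest]`. In the new `clean(host)` (new lines 167-201) the `Puppet::FileSystem.unlink(path)` loop has no method-level `rescue`, unlike `submit_request`, `download_cert` and `verify`, so a permission error on the private key or CRL surfaces as a raw `Errno` instead of the wrapped `Puppet::Error` the other actions raise. Since `--localca` deletes `localcacert` and `hostcrl`, and the very next `submit_request`/`download_cert` begins with `host.ensure_ca_certificate`, it looks like the CA bundle is re-fetched from `ca_server` on first use afterwards; a comment above the `settings.merge!` line such as `# --localca discards the trust anchor; ensure_ca_certificate re-fetches it on the next request, so verify the CA fingerprint out of band` would make that trust reset explicit (inferred, confirm against Puppet::SSL::Host). The enclosing class continues outside the hunk and `handle_logdest_arg`'s `rescue` clause is also cut off at the end of the `@@ -416,7 +418,10 @@` hunk.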
    
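--- a/data/lib/puppet/defaults.rb
+++ b/data/lib/puppet/defaults.rb
@@ -963,6 +963,15 @@ EOT
           }
         end
       end
+    },
+    :logdest => {
+      :type      => :string,
+      :desc      => "Where to send log messages. Choose between 'syslog' (the POSIX syslog
+      service), 'eventlog' (the Windows Event Log), 'console', or the path to a log
+      file."
+      # Sure would be nice to set the Puppet::Util::Log destination here in an :on_initialize_and_write hook,
+      # unfortunately we have a large number of tests that rely on the logging not resetting itself when the
+      # settings are initialized as they test what gets logged during settings initialization.
     }
   )
 
@@ -975,65 +984,41 @@ EOT
     :cadir => {
       :default => "$ssldir/ca",
       :type => :directory,
-      :owner => "service",
-      :group => "service",
-      :mode => "0755",
       :desc => "The root directory for the certificate authority.",
     },
     :cacert => {
       :default => "$cadir/ca_crt.pem",
       :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0644",
       :desc => "The CA certificate.",
     },
     :cakey => {
       :default => "$cadir/ca_key.pem",
       :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0640",
       :desc => "The CA private key.",
     },
     :capub => {
       :default => "$cadir/ca_pub.pem",
       :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0644",
       :desc => "The CA public key.",
     },
     :cacrl => {
       :default => "$cadir/ca_crl.pem",
       :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0644",
       :desc => "The certificate revocation list (CRL) for the CA.",
     },
     :csrdir => {
       :default => "$cadir/requests",
       :type => :directory,
-      :owner => "service",
-      :group => "service",
-      :mode  => "0755",
       :desc => "Where the CA stores certificate requests.",
     },
     :signeddir => {
       :default => "$cadir/signed",
       :type => :directory,
-      :owner => "service",
-      :group => "service",
-      :mode => "0755",
       :desc => "Where the CA stores signed certificates.",
     },
     :serial => {
       :default => "$cadir/serial",
       :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0644",
       :desc => "Where the serial number for certificates is stored.",
     },
     :autosign => {
@@ -1082,9 +1067,6 @@ EOT
     :cert_inventory => {
       :default => "$cadir/inventory.txt",
       :type => :file,
-      :mode => "0644",
-      :owner => "service",
-      :group => "service",
       :desc => "The inventory file. This is a text file to which the CA writes a
         complete listing of all certificates.",
     }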
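Review bot: Removing `:owner`, `:group` and `:mode` from `:cadir`, `:cakey` and the other CA paths in the second and third hunks means the settings catalog no longer enforces permissions on these files, and `:cakey` in particular loses its `:mode => "0640"`, so any remaining code path that creates or touches `$cadir` via `Puppet.settings.use` will leave the CA private key at whatever the process umask yields. If the intent is that only the Puppet Server CA service owns and secures these paths, that should be recorded next to `:cadir`, e.g. `# Ownership and mode are intentionally unmanaged here; the CA files are created and secured by the Puppet Server CA service.`. I cannot see from this section whether the CA settings section that `puppet master`/`puppet cert` used to apply was also retired, so that should be confirmed before relying on the umask alone for `ca_key.pem`.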