puppet 6.19.1-universal-darwin → 7.0.0-universal-darwin

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of puppet might be problematic. Click here for more details.

Files changed (440) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile +1 -1
  3. data/Gemfile.lock +19 -20
  4. data/README.md +1 -1
  5. data/conf/fileserver.conf +5 -10
  6. data/ext/build_defaults.yaml +1 -1
  7. data/ext/osx/file_mapping.yaml +0 -5
  8. data/ext/project_data.yaml +1 -14
  9. data/ext/redhat/puppet.spec.erb +0 -1
  10. data/ext/windows/service/daemon.rb +6 -5
  11. data/install.rb +21 -17
  12. data/lib/puppet.rb +11 -20
  13. data/lib/puppet/application.rb +172 -98
  14. data/lib/puppet/application/device.rb +100 -104
  15. data/lib/puppet/application/filebucket.rb +15 -11
  16. data/lib/puppet/application/ssl.rb +1 -1
  17. data/lib/puppet/configurer.rb +28 -33
  18. data/lib/puppet/configurer/plugin_handler.rb +21 -19
  19. data/lib/puppet/defaults.rb +95 -159
  20. data/lib/puppet/environments.rb +10 -25
  21. data/lib/puppet/face/config.rb +10 -0
  22. data/lib/puppet/face/epp.rb +12 -2
  23. data/lib/puppet/face/facts.rb +66 -6
  24. data/lib/puppet/face/help.rb +1 -1
  25. data/lib/puppet/face/plugin.rb +5 -8
  26. data/lib/puppet/ffi/windows.rb +12 -0
  27. data/lib/puppet/ffi/windows/api_types.rb +311 -0
  28. data/lib/puppet/ffi/windows/constants.rb +404 -0
  29. data/lib/puppet/ffi/windows/functions.rb +628 -0
  30. data/lib/puppet/ffi/windows/structs.rb +338 -0
  31. data/lib/puppet/file_serving/configuration.rb +0 -5
  32. data/lib/puppet/file_serving/configuration/parser.rb +3 -32
  33. data/lib/puppet/file_serving/http_metadata.rb +1 -1
  34. data/lib/puppet/file_serving/mount.rb +1 -2
  35. data/lib/puppet/forge/repository.rb +0 -1
  36. data/lib/puppet/functions/epp.rb +1 -0
  37. data/lib/puppet/functions/inline_epp.rb +1 -0
  38. data/lib/puppet/generate/models/type/type.rb +4 -1
  39. data/lib/puppet/http.rb +22 -13
  40. data/lib/puppet/http/client.rb +164 -114
  41. data/lib/puppet/{network/resolver.rb → http/dns.rb} +2 -2
  42. data/lib/puppet/http/errors.rb +16 -0
  43. data/lib/puppet/http/external_client.rb +5 -7
  44. data/lib/puppet/{network/http → http}/factory.rb +8 -11
  45. data/lib/puppet/{network/http → http}/pool.rb +61 -26
  46. data/lib/puppet/{network/http/session.rb → http/pool_entry.rb} +2 -3
  47. data/lib/puppet/http/proxy.rb +137 -0
  48. data/lib/puppet/http/redirector.rb +4 -12
  49. data/lib/puppet/http/resolver.rb +5 -15
  50. data/lib/puppet/http/resolver/server_list.rb +6 -10
  51. data/lib/puppet/http/resolver/settings.rb +4 -7
  52. data/lib/puppet/http/resolver/srv.rb +7 -11
  53. data/lib/puppet/http/response.rb +36 -54
  54. data/lib/puppet/http/response_converter.rb +24 -0
  55. data/lib/puppet/http/response_net_http.rb +42 -0
  56. data/lib/puppet/http/retry_after_handler.rb +4 -13
  57. data/lib/puppet/http/service.rb +12 -26
  58. data/lib/puppet/http/service/ca.rb +11 -22
  59. data/lib/puppet/http/service/compiler.rb +22 -69
  60. data/lib/puppet/http/service/file_server.rb +18 -27
  61. data/lib/puppet/http/service/puppetserver.rb +26 -12
  62. data/lib/puppet/http/service/report.rb +8 -10
  63. data/lib/puppet/http/session.rb +11 -20
  64. data/lib/puppet/{network/http → http}/site.rb +1 -2
  65. data/lib/puppet/indirector/catalog/rest.rb +2 -4
  66. data/lib/puppet/indirector/fact_search.rb +60 -0
  67. data/lib/puppet/indirector/facts/facter.rb +24 -3
  68. data/lib/puppet/indirector/facts/json.rb +27 -0
  69. data/lib/puppet/indirector/facts/rest.rb +3 -22
  70. data/lib/puppet/indirector/facts/yaml.rb +3 -58
  71. data/lib/puppet/indirector/file_bucket_file/rest.rb +3 -9
  72. data/lib/puppet/indirector/file_content/rest.rb +2 -6
  73. data/lib/puppet/indirector/file_metadata/rest.rb +3 -9
  74. data/lib/puppet/indirector/file_server.rb +1 -8
  75. data/lib/puppet/indirector/generic_http.rb +0 -11
  76. data/lib/puppet/indirector/json.rb +5 -1
  77. data/lib/puppet/indirector/node/json.rb +8 -0
  78. data/lib/puppet/indirector/node/rest.rb +2 -4
  79. data/lib/puppet/indirector/report/json.rb +34 -0
  80. data/lib/puppet/indirector/report/rest.rb +3 -8
  81. data/lib/puppet/indirector/request.rb +0 -101
  82. data/lib/puppet/indirector/rest.rb +12 -263
  83. data/lib/puppet/module_tool/applications.rb +0 -1
  84. data/lib/puppet/network/authconfig.rb +2 -96
  85. data/lib/puppet/network/authorization.rb +13 -35
  86. data/lib/puppet/network/formats.rb +2 -1
  87. data/lib/puppet/network/http.rb +3 -3
  88. data/lib/puppet/network/http/api/indirected_routes.rb +2 -20
  89. data/lib/puppet/network/http/api/master/v3.rb +11 -13
  90. data/lib/puppet/network/http/connection.rb +247 -316
  91. data/lib/puppet/network/http/handler.rb +0 -1
  92. data/lib/puppet/network/http_pool.rb +16 -34
  93. data/lib/puppet/node.rb +1 -30
  94. data/lib/puppet/pal/json_catalog_encoder.rb +4 -0
  95. data/lib/puppet/pal/pal_impl.rb +73 -18
  96. data/lib/puppet/parser/ast/pops_bridge.rb +0 -38
  97. data/lib/puppet/parser/compiler.rb +0 -198
  98. data/lib/puppet/parser/compiler/catalog_validator/relationship_validator.rb +14 -39
  99. data/lib/puppet/parser/resource.rb +0 -69
  100. data/lib/puppet/pops/evaluator/evaluator_impl.rb +22 -8
  101. data/lib/puppet/pops/evaluator/runtime3_resource_support.rb +3 -3
  102. data/lib/puppet/pops/evaluator/runtime3_support.rb +1 -1
  103. data/lib/puppet/pops/issues.rb +0 -5
  104. data/lib/puppet/pops/loader/ruby_legacy_function_instantiator.rb +6 -8
  105. data/lib/puppet/pops/model/ast.pp +0 -42
  106. data/lib/puppet/pops/model/ast.rb +0 -290
  107. data/lib/puppet/pops/model/factory.rb +0 -45
  108. data/lib/puppet/pops/model/model_label_provider.rb +0 -5
  109. data/lib/puppet/pops/model/model_tree_dumper.rb +0 -22
  110. data/lib/puppet/pops/model/pn_transformer.rb +0 -16
  111. data/lib/puppet/pops/parser/egrammar.ra +0 -56
  112. data/lib/puppet/pops/parser/eparser.rb +1520 -1712
  113. data/lib/puppet/pops/parser/lexer2.rb +4 -4
  114. data/lib/puppet/pops/parser/parser_support.rb +0 -5
  115. data/lib/puppet/pops/resource/resource_type_impl.rb +2 -24
  116. data/lib/puppet/pops/types/type_calculator.rb +0 -7
  117. data/lib/puppet/pops/types/type_parser.rb +0 -4
  118. data/lib/puppet/pops/types/types.rb +0 -1
  119. data/lib/puppet/pops/validation/checker4_0.rb +9 -37
  120. data/lib/puppet/pops/validation/tasks_checker.rb +0 -12
  121. data/lib/puppet/pops/validation/validator_factory_4_0.rb +1 -2
  122. data/lib/puppet/provider.rb +0 -13
  123. data/lib/puppet/provider/nameservice.rb +0 -18
  124. data/lib/puppet/provider/package/dpkg.rb +0 -10
  125. data/lib/puppet/provider/package/gem.rb +23 -3
  126. data/lib/puppet/provider/package/pip.rb +0 -1
  127. data/lib/puppet/provider/package/pkg.rb +0 -4
  128. data/lib/puppet/provider/package/portage.rb +1 -1
  129. data/lib/puppet/provider/package/puppet_gem.rb +1 -4
  130. data/lib/puppet/provider/service/smf.rb +191 -73
  131. data/lib/puppet/provider/user/directoryservice.rb +0 -10
  132. data/lib/puppet/reference/configuration.rb +2 -0
  133. data/lib/puppet/reference/indirection.rb +1 -1
  134. data/lib/puppet/resource.rb +1 -89
  135. data/lib/puppet/resource/catalog.rb +1 -14
  136. data/lib/puppet/resource/type.rb +3 -119
  137. data/lib/puppet/resource/type_collection.rb +3 -48
  138. data/lib/puppet/runtime.rb +1 -2
  139. data/lib/puppet/settings.rb +45 -33
  140. data/lib/puppet/settings/base_setting.rb +26 -2
  141. data/lib/puppet/settings/integer_setting.rb +17 -0
  142. data/lib/puppet/settings/port_setting.rb +15 -0
  143. data/lib/puppet/settings/priority_setting.rb +5 -4
  144. data/lib/puppet/ssl.rb +10 -6
  145. data/lib/puppet/ssl/base.rb +3 -5
  146. data/lib/puppet/ssl/certificate.rb +0 -6
  147. data/lib/puppet/ssl/certificate_request.rb +1 -12
  148. data/lib/puppet/ssl/certificate_signer.rb +6 -0
  149. data/lib/puppet/ssl/oids.rb +3 -1
  150. data/lib/puppet/ssl/ssl_provider.rb +17 -0
  151. data/lib/puppet/ssl/state_machine.rb +3 -1
  152. data/lib/puppet/ssl/verifier.rb +2 -0
  153. data/lib/puppet/test/test_helper.rb +1 -3
  154. data/lib/puppet/transaction.rb +1 -7
  155. data/lib/puppet/transaction/report.rb +2 -4
  156. data/lib/puppet/type.rb +0 -76
  157. data/lib/puppet/type/file.rb +5 -7
  158. data/lib/puppet/type/file/checksum.rb +1 -1
  159. data/lib/puppet/type/file/source.rb +1 -1
  160. data/lib/puppet/type/filebucket.rb +3 -3
  161. data/lib/puppet/type/package.rb +5 -13
  162. data/lib/puppet/util/execution.rb +0 -11
  163. data/lib/puppet/util/http_proxy.rb +2 -215
  164. data/lib/puppet/util/monkey_patches.rb +0 -46
  165. data/lib/puppet/util/rdoc.rb +0 -7
  166. data/lib/puppet/util/retry_action.rb +1 -1
  167. data/lib/puppet/util/rubygems.rb +5 -1
  168. data/lib/puppet/util/run_mode.rb +9 -1
  169. data/lib/puppet/util/windows.rb +3 -8
  170. data/lib/puppet/util/windows/daemon.rb +360 -0
  171. data/lib/puppet/util/windows/error.rb +1 -0
  172. data/lib/puppet/util/windows/eventlog.rb +4 -9
  173. data/lib/puppet/util/windows/file.rb +8 -242
  174. data/lib/puppet/util/windows/monkey_patches/process.rb +414 -0
  175. data/lib/puppet/util/windows/process.rb +4 -226
  176. data/lib/puppet/util/windows/service.rb +9 -460
  177. data/lib/puppet/util/windows/string.rb +12 -13
  178. data/lib/puppet/util/yaml.rb +0 -22
  179. data/lib/puppet/vendor/require_vendored.rb +0 -1
  180. data/lib/puppet/version.rb +1 -1
  181. data/lib/puppet/x509.rb +5 -1
  182. data/lib/puppet/x509/cert_provider.rb +29 -1
  183. data/locales/puppet.pot +531 -1232
  184. data/man/man5/puppet.conf.5 +37 -97
  185. data/man/man8/puppet-agent.8 +1 -1
  186. data/man/man8/puppet-apply.8 +1 -1
  187. data/man/man8/puppet-catalog.8 +1 -1
  188. data/man/man8/puppet-config.8 +1 -1
  189. data/man/man8/puppet-describe.8 +1 -1
  190. data/man/man8/puppet-device.8 +1 -1
  191. data/man/man8/puppet-doc.8 +1 -1
  192. data/man/man8/puppet-epp.8 +1 -1
  193. data/man/man8/puppet-facts.8 +55 -9
  194. data/man/man8/puppet-filebucket.8 +6 -6
  195. data/man/man8/puppet-generate.8 +1 -1
  196. data/man/man8/puppet-help.8 +1 -1
  197. data/man/man8/puppet-lookup.8 +1 -1
  198. data/man/man8/puppet-module.8 +1 -58
  199. data/man/man8/puppet-node.8 +4 -1
  200. data/man/man8/puppet-parser.8 +1 -1
  201. data/man/man8/puppet-plugin.8 +1 -1
  202. data/man/man8/puppet-report.8 +4 -1
  203. data/man/man8/puppet-resource.8 +1 -1
  204. data/man/man8/puppet-script.8 +1 -1
  205. data/man/man8/puppet-ssl.8 +1 -1
  206. data/man/man8/puppet.8 +2 -2
  207. data/spec/fixtures/unit/provider/service/smf/{svcs.out → svcs_instances.out} +0 -0
  208. data/spec/integration/application/agent_spec.rb +24 -11
  209. data/spec/integration/application/apply_spec.rb +1 -1
  210. data/spec/integration/application/filebucket_spec.rb +16 -16
  211. data/spec/integration/application/help_spec.rb +2 -0
  212. data/spec/integration/application/plugin_spec.rb +23 -1
  213. data/spec/integration/defaults_spec.rb +7 -3
  214. data/spec/integration/environments/setting_hooks_spec.rb +1 -1
  215. data/spec/integration/network/http_pool_spec.rb +3 -21
  216. data/spec/integration/parser/catalog_spec.rb +0 -38
  217. data/spec/integration/parser/node_spec.rb +0 -9
  218. data/spec/integration/parser/pcore_resource_spec.rb +0 -37
  219. data/spec/integration/type/file_spec.rb +5 -4
  220. data/spec/integration/util/windows/monkey_patches/process_spec.rb +231 -0
  221. data/spec/integration/util/windows/security_spec.rb +1 -1
  222. data/spec/lib/puppet_spec/puppetserver.rb +1 -1
  223. data/spec/lib/puppet_spec/settings.rb +7 -1
  224. data/spec/spec_helper.rb +2 -0
  225. data/spec/unit/agent_spec.rb +0 -2
  226. data/spec/unit/application/config_spec.rb +224 -4
  227. data/spec/unit/application/facts_spec.rb +35 -0
  228. data/spec/unit/application/filebucket_spec.rb +41 -39
  229. data/spec/unit/application/ssl_spec.rb +2 -2
  230. data/spec/unit/certificate_factory_spec.rb +1 -1
  231. data/spec/unit/configurer/downloader_spec.rb +6 -2
  232. data/spec/unit/configurer/plugin_handler_spec.rb +56 -18
  233. data/spec/unit/configurer_spec.rb +12 -9
  234. data/spec/unit/context/trusted_information_spec.rb +2 -6
  235. data/spec/unit/defaults_spec.rb +77 -28
  236. data/spec/unit/environments_spec.rb +0 -3
  237. data/spec/unit/face/config_spec.rb +27 -32
  238. data/spec/unit/face/facts_spec.rb +4 -0
  239. data/spec/unit/face/plugin_spec.rb +73 -33
  240. data/spec/unit/file_bucket/file_spec.rb +1 -1
  241. data/spec/unit/file_serving/configuration/parser_spec.rb +14 -18
  242. data/spec/unit/file_serving/configuration_spec.rb +6 -12
  243. data/spec/unit/functions/camelcase_spec.rb +1 -1
  244. data/spec/unit/functions/capitalize_spec.rb +1 -1
  245. data/spec/unit/functions/downcase_spec.rb +1 -1
  246. data/spec/unit/functions/inline_epp_spec.rb +26 -1
  247. data/spec/unit/functions/upcase_spec.rb +1 -1
  248. data/spec/unit/http/client_spec.rb +7 -8
  249. data/spec/unit/{network/resolver_spec.rb → http/dns_spec.rb} +3 -3
  250. data/spec/unit/http/external_client_spec.rb +4 -4
  251. data/spec/unit/{network/http → http}/factory_spec.rb +5 -11
  252. data/spec/unit/{network/http/session_spec.rb → http/pool_entry_spec.rb} +3 -3
  253. data/spec/unit/{network/http → http}/pool_spec.rb +12 -17
  254. data/spec/unit/{util/http_proxy_spec.rb → http/proxy_spec.rb} +2 -69
  255. data/spec/unit/http/resolver_spec.rb +13 -13
  256. data/spec/unit/http/service/compiler_spec.rb +49 -62
  257. data/spec/unit/http/service/file_server_spec.rb +3 -3
  258. data/spec/unit/http/service/puppetserver_spec.rb +34 -4
  259. data/spec/unit/http/service_spec.rb +1 -2
  260. data/spec/unit/http/session_spec.rb +16 -14
  261. data/spec/unit/{network/http → http}/site_spec.rb +3 -3
  262. data/spec/unit/indirector/facts/facter_spec.rb +97 -0
  263. data/spec/unit/indirector/facts/json_spec.rb +255 -0
  264. data/spec/unit/indirector/file_bucket_file/file_spec.rb +5 -3
  265. data/spec/unit/indirector/file_content/rest_spec.rb +0 -4
  266. data/spec/unit/indirector/file_metadata/rest_spec.rb +0 -4
  267. data/spec/unit/indirector/file_server_spec.rb +1 -15
  268. data/spec/unit/indirector/node/json_spec.rb +33 -0
  269. data/spec/{integration/indirector/report/yaml.rb → unit/indirector/report/json_spec.rb} +13 -24
  270. data/spec/unit/indirector/report/rest_spec.rb +2 -17
  271. data/spec/unit/indirector/report/yaml_spec.rb +72 -8
  272. data/spec/unit/indirector/request_spec.rb +0 -264
  273. data/spec/unit/indirector/rest_spec.rb +98 -752
  274. data/spec/unit/network/authconfig_spec.rb +2 -132
  275. data/spec/unit/network/authorization_spec.rb +2 -55
  276. data/spec/unit/network/formats_spec.rb +4 -4
  277. data/spec/unit/network/http/api/indirected_routes_spec.rb +1 -97
  278. data/spec/unit/network/http/api/master/v3_spec.rb +28 -7
  279. data/spec/unit/network/http/api_spec.rb +10 -0
  280. data/spec/unit/network/http/connection_spec.rb +19 -41
  281. data/spec/unit/network/http/handler_spec.rb +0 -6
  282. data/spec/unit/network/http_pool_spec.rb +0 -4
  283. data/spec/unit/node/environment_spec.rb +33 -21
  284. data/spec/unit/node_spec.rb +2 -54
  285. data/spec/unit/parser/functions/create_resources_spec.rb +2 -20
  286. data/spec/unit/pops/evaluator/evaluating_parser_spec.rb +4 -7
  287. data/spec/unit/pops/loaders/loaders_spec.rb +6 -21
  288. data/spec/unit/pops/parser/parse_application_spec.rb +4 -22
  289. data/spec/unit/pops/parser/parse_basic_expressions_spec.rb +0 -1
  290. data/spec/unit/pops/parser/parse_capabilities_spec.rb +8 -21
  291. data/spec/unit/pops/parser/parse_site_spec.rb +20 -24
  292. data/spec/unit/pops/resource/resource_type_impl_spec.rb +0 -71
  293. data/spec/unit/pops/serialization/to_from_hr_spec.rb +1 -1
  294. data/spec/unit/pops/types/type_calculator_spec.rb +6 -6
  295. data/spec/unit/pops/types/type_factory_spec.rb +1 -1
  296. data/spec/unit/pops/validator/validator_spec.rb +61 -46
  297. data/spec/unit/pops/visitor_spec.rb +1 -1
  298. data/spec/unit/provider/nameservice_spec.rb +0 -57
  299. data/spec/unit/provider/package/dpkg_spec.rb +0 -48
  300. data/spec/unit/provider/package/gem_spec.rb +32 -0
  301. data/spec/unit/provider/package/puppet_gem_spec.rb +3 -2
  302. data/spec/unit/provider/service/smf_spec.rb +401 -165
  303. data/spec/unit/provider/service/windows_spec.rb +0 -1
  304. data/spec/unit/provider_spec.rb +0 -12
  305. data/spec/unit/puppet_pal_catalog_spec.rb +45 -0
  306. data/spec/unit/resource/type_collection_spec.rb +2 -22
  307. data/spec/unit/resource_spec.rb +0 -56
  308. data/spec/unit/settings/http_extra_headers_spec.rb +2 -4
  309. data/spec/unit/settings/integer_setting_spec.rb +42 -0
  310. data/spec/unit/settings/port_setting_spec.rb +31 -0
  311. data/spec/unit/settings/priority_setting_spec.rb +4 -4
  312. data/spec/unit/settings_spec.rb +423 -236
  313. data/spec/unit/ssl/base_spec.rb +36 -3
  314. data/spec/unit/ssl/certificate_request_spec.rb +15 -45
  315. data/spec/unit/ssl/certificate_spec.rb +2 -11
  316. data/spec/unit/ssl/ssl_provider_spec.rb +11 -8
  317. data/spec/unit/ssl/state_machine_spec.rb +0 -1
  318. data/spec/unit/ssl/verifier_spec.rb +0 -21
  319. data/spec/unit/transaction/report_spec.rb +0 -2
  320. data/spec/unit/transaction/resource_harness_spec.rb +2 -2
  321. data/spec/unit/transaction_spec.rb +45 -79
  322. data/spec/unit/type/file/checksum_spec.rb +6 -6
  323. data/spec/unit/type/file/content_spec.rb +1 -1
  324. data/spec/unit/type/file/ensure_spec.rb +1 -1
  325. data/spec/unit/type/file/mode_spec.rb +1 -1
  326. data/spec/unit/type/file/source_spec.rb +0 -1
  327. data/spec/unit/type/file_spec.rb +12 -6
  328. data/spec/unit/type/package_spec.rb +1 -1
  329. data/spec/unit/type_spec.rb +20 -0
  330. data/spec/unit/util/backups_spec.rb +0 -2
  331. data/spec/unit/util/execution_spec.rb +0 -29
  332. data/spec/unit/util/monkey_patches_spec.rb +0 -6
  333. data/spec/unit/util/rubygems_spec.rb +2 -2
  334. data/spec/unit/util/run_mode_spec.rb +21 -121
  335. data/spec/unit/util/windows/string_spec.rb +1 -3
  336. data/spec/unit/util/yaml_spec.rb +0 -54
  337. data/spec/unit/util_spec.rb +0 -18
  338. metadata +50 -176
  339. data/conf/auth.conf +0 -150
  340. data/lib/puppet/application/cert.rb +0 -76
  341. data/lib/puppet/application/key.rb +0 -4
  342. data/lib/puppet/application/man.rb +0 -4
  343. data/lib/puppet/application/status.rb +0 -4
  344. data/lib/puppet/face/key.rb +0 -16
  345. data/lib/puppet/face/man.rb +0 -145
  346. data/lib/puppet/face/module/build.rb +0 -14
  347. data/lib/puppet/face/module/generate.rb +0 -14
  348. data/lib/puppet/face/module/search.rb +0 -103
  349. data/lib/puppet/face/status.rb +0 -51
  350. data/lib/puppet/indirector/certificate/file.rb +0 -9
  351. data/lib/puppet/indirector/certificate/rest.rb +0 -18
  352. data/lib/puppet/indirector/certificate_request/file.rb +0 -9
  353. data/lib/puppet/indirector/certificate_request/memory.rb +0 -7
  354. data/lib/puppet/indirector/certificate_request/rest.rb +0 -11
  355. data/lib/puppet/indirector/file_content/http.rb +0 -22
  356. data/lib/puppet/indirector/key/file.rb +0 -46
  357. data/lib/puppet/indirector/key/memory.rb +0 -7
  358. data/lib/puppet/indirector/ssl_file.rb +0 -162
  359. data/lib/puppet/indirector/status.rb +0 -3
  360. data/lib/puppet/indirector/status/local.rb +0 -12
  361. data/lib/puppet/indirector/status/rest.rb +0 -27
  362. data/lib/puppet/module_tool/applications/searcher.rb +0 -29
  363. data/lib/puppet/network/auth_config_parser.rb +0 -90
  364. data/lib/puppet/network/authstore.rb +0 -283
  365. data/lib/puppet/network/http/api/master/v3/authorization.rb +0 -18
  366. data/lib/puppet/network/http/api/master/v3/environment.rb +0 -88
  367. data/lib/puppet/network/http/base_pool.rb +0 -36
  368. data/lib/puppet/network/http/compression.rb +0 -127
  369. data/lib/puppet/network/http/connection_adapter.rb +0 -184
  370. data/lib/puppet/network/http/nocache_pool.rb +0 -28
  371. data/lib/puppet/network/rest_controller.rb +0 -2
  372. data/lib/puppet/network/rights.rb +0 -210
  373. data/lib/puppet/parser/compiler/catalog_validator/env_relationship_validator.rb +0 -66
  374. data/lib/puppet/parser/compiler/catalog_validator/site_validator.rb +0 -22
  375. data/lib/puppet/parser/environment_compiler.rb +0 -202
  376. data/lib/puppet/pops/types/enumeration.rb +0 -16
  377. data/lib/puppet/resource/capability_finder.rb +0 -154
  378. data/lib/puppet/rest/errors.rb +0 -15
  379. data/lib/puppet/rest/response.rb +0 -35
  380. data/lib/puppet/rest/route.rb +0 -85
  381. data/lib/puppet/rest/routes.rb +0 -135
  382. data/lib/puppet/ssl/host.rb +0 -505
  383. data/lib/puppet/ssl/key.rb +0 -61
  384. data/lib/puppet/ssl/validator.rb +0 -61
  385. data/lib/puppet/ssl/validator/default_validator.rb +0 -209
  386. data/lib/puppet/ssl/validator/no_validator.rb +0 -22
  387. data/lib/puppet/ssl/verifier_adapter.rb +0 -58
  388. data/lib/puppet/status.rb +0 -40
  389. data/lib/puppet/util/connection.rb +0 -88
  390. data/lib/puppet/util/ssl.rb +0 -83
  391. data/lib/puppet/util/windows/api_types.rb +0 -309
  392. data/lib/puppet/util/windows/monkey_patches/dir.rb +0 -40
  393. data/lib/puppet/vendor/load_pathspec.rb +0 -1
  394. data/lib/puppet/vendor/pathspec/CHANGELOG.md +0 -2
  395. data/lib/puppet/vendor/pathspec/LICENSE +0 -201
  396. data/lib/puppet/vendor/pathspec/PUPPET_README.md +0 -6
  397. data/lib/puppet/vendor/pathspec/README.md +0 -53
  398. data/lib/puppet/vendor/pathspec/lib/pathspec.rb +0 -122
  399. data/lib/puppet/vendor/pathspec/lib/pathspec/gitignorespec.rb +0 -275
  400. data/lib/puppet/vendor/pathspec/lib/pathspec/regexspec.rb +0 -17
  401. data/lib/puppet/vendor/pathspec/lib/pathspec/spec.rb +0 -14
  402. data/man/man8/puppet-key.8 +0 -126
  403. data/man/man8/puppet-man.8 +0 -76
  404. data/man/man8/puppet-status.8 +0 -108
  405. data/spec/integration/application/config_spec.rb +0 -74
  406. data/spec/integration/network/authconfig_spec.rb +0 -256
  407. data/spec/integration/util/windows/monkey_patches/dir_spec.rb +0 -11
  408. data/spec/unit/application/man_spec.rb +0 -52
  409. data/spec/unit/capability_spec.rb +0 -414
  410. data/spec/unit/face/catalog_spec.rb +0 -6
  411. data/spec/unit/face/key_spec.rb +0 -9
  412. data/spec/unit/face/module/search_spec.rb +0 -231
  413. data/spec/unit/face/module_spec.rb +0 -3
  414. data/spec/unit/face/status_spec.rb +0 -9
  415. data/spec/unit/indirector/certificate/file_spec.rb +0 -14
  416. data/spec/unit/indirector/certificate/rest_spec.rb +0 -61
  417. data/spec/unit/indirector/certificate_request/file_spec.rb +0 -14
  418. data/spec/unit/indirector/certificate_request/rest_spec.rb +0 -25
  419. data/spec/unit/indirector/key/file_spec.rb +0 -79
  420. data/spec/unit/indirector/ssl_file_spec.rb +0 -305
  421. data/spec/unit/indirector/status/local_spec.rb +0 -10
  422. data/spec/unit/indirector/status/rest_spec.rb +0 -50
  423. data/spec/unit/module_tool/applications/searcher_spec.rb +0 -38
  424. data/spec/unit/network/auth_config_parser_spec.rb +0 -115
  425. data/spec/unit/network/authstore_spec.rb +0 -422
  426. data/spec/unit/network/http/api/master/v3/authorization_spec.rb +0 -57
  427. data/spec/unit/network/http/api/master/v3/environment_spec.rb +0 -185
  428. data/spec/unit/network/http/compression_spec.rb +0 -240
  429. data/spec/unit/network/http/nocache_pool_spec.rb +0 -64
  430. data/spec/unit/network/http_spec.rb +0 -9
  431. data/spec/unit/network/rights_spec.rb +0 -439
  432. data/spec/unit/parser/environment_compiler_spec.rb +0 -730
  433. data/spec/unit/pops/types/enumeration_spec.rb +0 -51
  434. data/spec/unit/resource/capability_finder_spec.rb +0 -143
  435. data/spec/unit/rest/route_spec.rb +0 -132
  436. data/spec/unit/ssl/host_spec.rb +0 -650
  437. data/spec/unit/ssl/key_spec.rb +0 -173
  438. data/spec/unit/ssl/validator_spec.rb +0 -278
  439. data/spec/unit/status_spec.rb +0 -45
  440. data/spec/unit/util/ssl_spec.rb +0 -91
@@ -1,85 +0,0 @@
1
- require 'uri'
2
- require 'puppet/util/connection'
3
-
4
- # @deprecated Use {Puppet::HTTP::Client} instead.
5
- module Puppet::Rest
6
- class Route
7
- attr_reader :server
8
-
9
- # Create a Route containing information for querying the given API,
10
- # hosted at a server determined either by SRV service or by the
11
- # fallback server on the fallback port.
12
- # @param [String] api the path leading to the root of the API. Must
13
- # contain a trailing slash for proper endpoint path
14
- # construction
15
- # @param [Symbol] server_setting the setting to check for special
16
- # server configuration
17
- # @param [Symbol] port_setting the setting to check for special
18
- # port configuration
19
- # @param [Symbol] srv_service the name of the service when using SRV
20
- # records
21
- def initialize(api:, server_setting: :server, port_setting: :serverport, srv_service: :puppet)
22
- @api = api
23
- @default_server = Puppet::Util::Connection.determine_server(server_setting)
24
- @default_port = Puppet::Util::Connection.determine_port(port_setting, server_setting)
25
- @srv_service = srv_service
26
- end
27
-
28
- # Select a server and port to create a base URL for the API specified by this
29
- # route. If the connection fails and SRV records are in use, the next suitable
30
- # server will be tried. If SRV records are not in use or no successful connection
31
- # could be made, fall back to the configured server and port for this API, taking
32
- # into account failover settings.
33
- # @parma [Puppet::Network::Resolver] dns_resolver the DNS resolver to use to check
34
- # SRV records
35
- # @yield [URI] supply a base URL to make a request with
36
- # @raise [Puppet::Error] if connection to selected server and port fails, and SRV
37
- # records are not in use
38
- def with_base_url(dns_resolver)
39
- if @server && @port
40
- # First try connecting to the previously selected server and port.
41
- begin
42
- return yield(base_url)
43
- rescue SystemCallError => e
44
- if Puppet[:use_srv_records]
45
- Puppet.debug "Connection to cached server and port #{@server}:#{@port} failed, reselecting."
46
- else
47
- raise Puppet::Error, _("Connection to cached server and port %{server}:%{port} failed: %{message}") %
48
- { server: @server, port: @port, message: e.message }
49
- end
50
- end
51
- end
52
-
53
- if Puppet[:use_srv_records]
54
- dns_resolver.each_srv_record(Puppet[:srv_domain], @srv_service) do |srv_server, srv_port|
55
- # Try each of the servers for this service in weighted order
56
- # until a working one is found.
57
- begin
58
- @server = srv_server
59
- @port = srv_port
60
- return yield(base_url)
61
- rescue SystemCallError
62
- Puppet.debug "Connection to selected server and port #{@server}:#{@port} failed. Trying next cached SRV record."
63
- @server = nil
64
- @port = nil
65
- end
66
- end
67
- end
68
-
69
- # If not using SRV records, fall back to the defaults calculated above
70
- @server = @default_server
71
- @port = @default_port
72
-
73
- Puppet.debug "No more servers in SRV record, falling back to #{@server}:#{@port}" if Puppet[:use_srv_records]
74
- return yield(base_url)
75
- end
76
-
77
- private
78
-
79
- # Returns a URI built from the information stored by this route,
80
- # e.g. 'https://myserver.com:555/myapi/v1/'
81
- def base_url
82
- URI::HTTPS.build(host: @server, port: @port, path: @api)
83
- end
84
- end
85
- end
@@ -1,135 +0,0 @@
1
- require 'time'
2
- require 'puppet/rest/route'
3
- require 'puppet/network/http_pool'
4
- require 'puppet/network/http/compression'
5
-
6
- # @deprecated Use {Puppet::HTTP::Client} instead.
7
- module Puppet::Rest
8
- module Routes
9
- extend Puppet::Network::HTTP::Compression.module
10
-
11
- ACCEPT_ENCODING = 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3'
12
-
13
- def self.ca
14
- Puppet.deprecation_warning("Puppet::Rest::Routes is deprecated, use Puppet::HTTP::Client instead")
15
-
16
- @ca ||= Route.new(api: '/puppet-ca/v1/',
17
- server_setting: :ca_server,
18
- port_setting: :ca_port,
19
- srv_service: :ca)
20
- end
21
-
22
- def self.clear
23
- @ca = nil
24
- end
25
-
26
- # Make an HTTP request to fetch the named certificate.
27
- #
28
- # @param name [String] the name of the certificate to fetch
29
- # @param ssl_context [Puppet::SSL::SSLContext] the ssl content to use when making the request
30
- # @raise [Puppet::Rest::ResponseError] if the response status is not OK
31
- # @return [String] the PEM-encoded certificate or certificate bundle
32
- def self.get_certificate(name, ssl_context)
33
- ca.with_base_url(Puppet::Network::Resolver.new) do |url|
34
- header = { 'Accept' => 'text/plain', 'Accept-Encoding' => ACCEPT_ENCODING }
35
- url.path += "certificate/#{name}"
36
-
37
- use_ssl = url.is_a? URI::HTTPS
38
-
39
- client = Puppet::Network::HttpPool.connection(url.host, url.port, use_ssl: use_ssl, ssl_context: ssl_context)
40
-
41
- response = client.get(url.request_uri, header)
42
- unless response.code.to_i == 200
43
- raise Puppet::Rest::ResponseError.new(response.message, response)
44
- end
45
-
46
- Puppet.info _("Downloaded certificate for %{name} from %{server}") % { name: name, server: ca.server }
47
-
48
- uncompress_body(response)
49
- end
50
- end
51
-
52
- # Make an HTTP request to fetch the named crl.
53
- #
54
- # @param name [String] name of the crl to fetch
55
- # @param ssl_context [Puppet::SSL::SSLContext] the ssl content to use when making the request
56
- # @param if_modified_since [Time, nil] If non-nil, then only download the CRL if it has been
57
- # modified since the specified time.
58
- # @raise [Puppet::Rest::ResponseError] if the response status is not OK
59
- # @return [String] the PEM-encoded crl
60
- def self.get_crls(name, ssl_context, if_modified_since: nil)
61
- ca.with_base_url(Puppet::Network::Resolver.new) do |url|
62
- header = { 'Accept' => 'text/plain', 'Accept-Encoding' => ACCEPT_ENCODING }
63
- header['If-Modified-Since'] = if_modified_since.httpdate if if_modified_since
64
-
65
- url.path += "certificate_revocation_list/#{name}"
66
-
67
- use_ssl = url.is_a? URI::HTTPS
68
-
69
- client = Puppet::Network::HttpPool.connection(url.host, url.port, use_ssl: use_ssl, ssl_context: ssl_context)
70
-
71
- response = client.get(url.request_uri, header)
72
- unless response.code.to_i == 200
73
- raise Puppet::Rest::ResponseError.new(response.message, response)
74
- end
75
-
76
- Puppet.info _("Downloaded certificate revocation list for %{name} from %{server}") % { name: name, server: ca.server }
77
-
78
- uncompress_body(response)
79
- end
80
- end
81
-
82
- # Make an HTTP request to send the named CSR.
83
- #
84
- # @param csr_pem [String] the contents of the CSR to sent to the CA
85
- # @param name [String] the name of the host whose CSR is being submitted
86
- # @param ssl_context [Puppet::SSL::SSLContext] the ssl content to use when making the request
87
- # @raise [Puppet::Rest::ResponseError] if the response status is not OK
88
- def self.put_certificate_request(csr_pem, name, ssl_context)
89
- ca.with_base_url(Puppet::Network::Resolver.new) do |url|
90
- header = { 'Accept' => 'text/plain',
91
- 'Accept-Encoding' => ACCEPT_ENCODING,
92
- 'Content-Type' => 'text/plain' }
93
- url.path += "certificate_request/#{name}"
94
-
95
- use_ssl = url.is_a? URI::HTTPS
96
-
97
- client = Puppet::Network::HttpPool.connection(url.host, url.port, use_ssl: use_ssl, ssl_context: ssl_context)
98
-
99
- response = client.put(url.request_uri, csr_pem, header)
100
- if response.code.to_i == 200
101
- Puppet.debug "Submitted certificate request to server."
102
- else
103
- raise Puppet::Rest::ResponseError.new(response.message, response)
104
- end
105
- end
106
- end
107
-
108
- # Make an HTTP request to get the named CSR.
109
- #
110
- # @param name [String] the name of the host whose CSR is being queried
111
- # @param ssl_context [Puppet::SSL::SSLContext] the ssl content to use when making the request
112
- # @raise [Puppet::Rest::ResponseError] if the response status is not OK
113
- # @return [String] the PEM encoded certificate request
114
- # @deprecated
115
- def self.get_certificate_request(name, ssl_context)
116
- ca.with_base_url(Puppet::Network::Resolver.new) do |url|
117
- header = { 'Accept' => 'text/plain', 'Accept-Encoding' => ACCEPT_ENCODING }
118
- url.path += "certificate_request/#{name}"
119
-
120
- use_ssl = url.is_a? URI::HTTPS
121
-
122
- client = Puppet::Network::HttpPool.connection(url.host, url.port, use_ssl: use_ssl, ssl_context: ssl_context)
123
-
124
- response = client.get(url.request_uri, header)
125
- unless response.code.to_i == 200
126
- raise Puppet::Rest::ResponseError.new(response.message, response)
127
- end
128
-
129
- Puppet.debug _("Downloaded existing certificate request for %{name} from %{server}") % { name: name, server: ca.server }
130
-
131
- uncompress_body(response)
132
- end
133
- end
134
- end
135
- end
@@ -1,505 +0,0 @@
1
- require 'puppet/ssl'
2
- require 'puppet/ssl/key'
3
- require 'puppet/ssl/certificate'
4
- require 'puppet/ssl/certificate_request'
5
- require 'puppet/ssl/certificate_request_attributes'
6
- require 'puppet/ssl/state_machine'
7
- require 'puppet/rest/errors'
8
- require 'puppet/rest/routes'
9
-
10
- # The class that manages all aspects of our SSL certificates --
11
- # private keys, public keys, requests, etc.
12
- #
13
- # @deprecated Use {Puppet::SSL::SSLProvider} instead.
14
- class Puppet::SSL::Host
15
- # Yay, ruby's strange constant lookups.
16
- Key = Puppet::SSL::Key
17
- CA_NAME = Puppet::SSL::CA_NAME
18
- Certificate = Puppet::SSL::Certificate
19
- CertificateRequest = Puppet::SSL::CertificateRequest
20
-
21
- attr_reader :name, :device, :crl_path
22
-
23
- attr_writer :key, :certificate, :certificate_request, :crl_usage
24
-
25
- def self.localhost(suppress_warning = false)
26
- return @localhost if @localhost
27
- @localhost = new(nil, false, suppress_warning)
28
- @localhost.generate unless @localhost.certificate
29
- @localhost.key
30
- @localhost
31
- end
32
-
33
- def self.reset
34
- @localhost = nil
35
- end
36
-
37
- # Configure how our various classes interact with their various terminuses.
38
- def self.configure_indirection(terminus, cache = nil)
39
- Certificate.indirection.terminus_class = terminus
40
- CertificateRequest.indirection.terminus_class = terminus
41
-
42
- if cache
43
- # This is weird; we don't actually cache our keys, we
44
- # use what would otherwise be the cache as our normal
45
- # terminus.
46
- Key.indirection.terminus_class = cache
47
- else
48
- Key.indirection.terminus_class = terminus
49
- end
50
-
51
- if cache
52
- Certificate.indirection.cache_class = cache
53
- CertificateRequest.indirection.cache_class = cache
54
- else
55
- # Make sure we have no cache configured. puppet master
56
- # switches the configurations around a bit, so it's important
57
- # that we specify the configs for absolutely everything, every
58
- # time.
59
- Certificate.indirection.cache_class = nil
60
- CertificateRequest.indirection.cache_class = nil
61
- end
62
- end
63
-
64
- def self.from_data_hash(data)
65
- instance = new(data["name"])
66
- if data["desired_state"]
67
- instance.desired_state = data["desired_state"]
68
- end
69
- instance
70
- end
71
-
72
- def key
73
- @key ||= Key.indirection.find(name)
74
- end
75
-
76
- # This is the private key; we can create it from scratch
77
- # with no inputs.
78
- def generate_key
79
- @key = Key.new(name)
80
- @key.generate
81
- begin
82
- Key.indirection.save(@key)
83
- rescue
84
- @key = nil
85
- raise
86
- end
87
- true
88
- end
89
-
90
- # Our certificate request requires the key but that's all.
91
- def generate_certificate_request(options = {})
92
- generate_key unless key
93
-
94
- # If this CSR is for the current machine...
95
- if name == Puppet[:certname].downcase
96
- # ...add our configured dns_alt_names
97
- if Puppet[:dns_alt_names] and Puppet[:dns_alt_names] != ''
98
- options[:dns_alt_names] ||= Puppet[:dns_alt_names]
99
- end
100
- end
101
-
102
- csr_attributes = Puppet::SSL::CertificateRequestAttributes.new(Puppet[:csr_attributes])
103
- if csr_attributes.load
104
- options[:csr_attributes] = csr_attributes.custom_attributes
105
- options[:extension_requests] = csr_attributes.extension_requests
106
- end
107
-
108
- @certificate_request = CertificateRequest.new(name)
109
- @certificate_request.generate(key.content, options)
110
- begin
111
- submit_certificate_request(@certificate_request)
112
- save_certificate_request(@certificate_request)
113
- rescue
114
- @certificate_request = nil
115
- raise
116
- end
117
-
118
- true
119
- end
120
-
121
- def certificate
122
- unless @certificate
123
- generate_key unless key
124
-
125
- # get CA and optional CRL
126
- sm = Puppet::SSL::StateMachine.new(onetime: true)
127
- sm.ensure_ca_certificates
128
-
129
- cert = get_host_certificate
130
- return nil unless cert
131
-
132
- validate_certificate_with_key(cert)
133
- @certificate = cert
134
- end
135
- @certificate
136
- end
137
-
138
- # The puppet parameters for commands output by the validate_ methods depend
139
- # upon whether this is an agent or a device.
140
-
141
- def clean_params
142
- @device ? "--target #{Puppet[:certname]}" : ''
143
- end
144
-
145
- def puppet_params
146
- @device ? "device -v --target #{Puppet[:certname]}" : 'agent -t'
147
- end
148
-
149
- # Validate that our private key matches the specified certificate.
150
- #
151
- # @param [Puppet::SSL::Certificate] cert the certificate to check
152
- # @raises [Puppet::Error] if the private key does not match
153
- def validate_certificate_with_key(cert)
154
- raise Puppet::Error, _("No certificate to validate.") unless cert
155
- raise Puppet::Error, _("No private key with which to validate certificate with fingerprint: %{fingerprint}") % { fingerprint: cert.fingerprint } unless key
156
- unless cert.content.check_private_key(key.content)
157
- raise Puppet::Error, _(<<ERROR_STRING) % { fingerprint: cert.fingerprint, cert_name: Puppet[:certname], clean_params: clean_params, puppet_params: puppet_params }
158
- The certificate retrieved from the master does not match the agent's private key. Did you forget to run as root?
159
- Certificate fingerprint: %{fingerprint}
160
- To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certificate.
161
- On the master:
162
- puppetserver ca clean --certname %{cert_name}
163
- On the agent:
164
- 1. puppet ssl clean %{clean_params}
165
- 2. puppet %{puppet_params}
166
- ERROR_STRING
167
- end
168
- end
169
-
170
- def download_host_certificate
171
- cert = download_certificate_from_ca(name)
172
- return nil unless cert
173
-
174
- validate_certificate_with_key(cert)
175
- save_host_certificate(cert)
176
- cert
177
- end
178
-
179
- # Search for an existing CSR for this host either cached on
180
- # disk or stored by the CA. Returns nil if no request exists.
181
- # @return [Puppet::SSL::CertificateRequest, nil]
182
- def certificate_request
183
- unless @certificate_request
184
- csr = load_certificate_request_from_file
185
- if csr
186
- @certificate_request = csr
187
- else
188
- csr = download_csr_from_ca
189
- if csr
190
- @certificate_request = csr
191
- end
192
- end
193
- end
194
- @certificate_request
195
- end
196
-
197
- # Generate all necessary parts of our ssl host.
198
- def generate
199
- generate_key unless key
200
-
201
- existing_request = certificate_request
202
-
203
- # if CSR downloaded from master, but the local keypair was just generated and
204
- # does not match the public key in the CSR, fail hard
205
- validate_csr_with_key(existing_request, key) if existing_request
206
-
207
- generate_certificate_request unless existing_request
208
- end
209
-
210
- def validate_csr_with_key(csr, key)
211
- if key.content.public_key.to_s != csr.content.public_key.to_s
212
- raise Puppet::Error, _(<<ERROR_STRING) % { fingerprint: csr.fingerprint, csr_public_key: csr.content.public_key.to_text, agent_public_key: key.content.public_key.to_text, cert_name: Puppet[:certname], clean_params: clean_params, puppet_params: puppet_params }
213
- The CSR retrieved from the master does not match the agent's public key.
214
- CSR fingerprint: %{fingerprint}
215
- CSR public key: %{csr_public_key}
216
- Agent public key: %{agent_public_key}
217
- To fix this, remove the CSR from both the master and the agent and then start a puppet run, which will automatically regenerate a CSR.
218
- On the master:
219
- puppetserver ca clean --certname %{cert_name}
220
- On the agent:
221
- 1. puppet ssl clean %{clean_params}
222
- 2. puppet %{puppet_params}
223
- ERROR_STRING
224
- end
225
- end
226
- private :validate_csr_with_key
227
-
228
- def initialize(name = nil, device = false, suppress_warning = false)
229
- @name = (name || Puppet[:certname]).downcase
230
- @device = device
231
- Puppet::SSL::Base.validate_certname(@name)
232
- @key = @certificate = @certificate_request = nil
233
- @crl_usage = Puppet.settings[:certificate_revocation]
234
- @crl_path = Puppet.settings[:hostcrl]
235
- Puppet.deprecation_warning(_("Puppet::SSL::Host is deprecated and will be removed in a future release of Puppet.")) unless suppress_warning
236
- end
237
-
238
- # Extract the public key from the private key.
239
- def public_key
240
- key.content.public_key
241
- end
242
-
243
- def use_crl?
244
- !!@crl_usage
245
- end
246
-
247
- def use_crl_chain?
248
- @crl_usage == true || @crl_usage == :chain
249
- end
250
-
251
- # Create/return a store that uses our SSL info to validate
252
- # connections.
253
- def ssl_store(purpose = OpenSSL::X509::PURPOSE_ANY)
254
- if @ssl_store.nil?
255
- @ssl_store = build_ssl_store(purpose)
256
- end
257
- @ssl_store
258
- end
259
-
260
- # Attempt to retrieve a cert, if we don't already have one.
261
- def wait_for_cert(time)
262
- begin
263
- return if certificate
264
- generate
265
- return if certificate
266
- rescue StandardError => detail
267
- Puppet.log_exception(detail, _("Could not request certificate: %{message}") % { message: detail.message })
268
- if time < 1
269
- puts _("Exiting; failed to retrieve certificate and waitforcert is disabled")
270
- exit(1)
271
- else
272
- sleep(time)
273
- end
274
- retry
275
- end
276
-
277
- if time < 1
278
- puts _("Exiting; no certificate found and waitforcert is disabled")
279
- exit(1)
280
- end
281
-
282
- loop do
283
- sleep time
284
- begin
285
- break if certificate
286
- Puppet.notice _("Did not receive certificate")
287
- rescue StandardError => detail
288
- Puppet.log_exception(detail, _("Could not request certificate: %{message}") % { message: detail.message })
289
- end
290
- end
291
- end
292
-
293
- # Saves the given certificate to disc, at a location determined by this
294
- # host's configuration.
295
- # @param [Puppet::SSL::Certificate] cert the cert to save
296
- def save_host_certificate(cert)
297
- file_path = certificate_location(name)
298
- Puppet::Util.replace_file(file_path, 0644) do |f|
299
- f.write(cert.to_s)
300
- end
301
- end
302
-
303
- private
304
-
305
- # Load a previously generated CSR from disk
306
- # @return [Puppet::SSL::CertificateRequest, nil]
307
- def load_certificate_request_from_file
308
- request_path = certificate_request_location(name)
309
- if Puppet::FileSystem.exist?(request_path)
310
- Puppet::SSL::CertificateRequest.from_s(Puppet::FileSystem.read(request_path))
311
- end
312
- end
313
-
314
- # Download the CSR for this host from the CA. Returns nil if the CA
315
- # has no saved CSR for this host.
316
- # @raises [Puppet::Error] if the response from the server is not a valid
317
- # CSR or an error occurs while fetching.
318
- # @return [Puppet::SSL::CertificateRequest, nil]
319
- def download_csr_from_ca
320
- begin
321
- body = Puppet::Rest::Routes.get_certificate_request(
322
- name, Puppet::SSL::SSLContext.new(store: ssl_store))
323
- begin
324
- Puppet::SSL::CertificateRequest.from_s(body)
325
- rescue OpenSSL::X509::RequestError => e
326
- raise Puppet::Error, _("Response from the CA did not contain a valid certificate request: %{message}") % { message: e.message }
327
- end
328
- rescue Puppet::Rest::ResponseError => e
329
- if e.response.code.to_i == 404
330
- nil
331
- else
332
- raise Puppet::Error, _('Could not download certificate request: %{message}') % { message: e.message }
333
- end
334
- end
335
- end
336
- # Submit the CSR to the CA via an HTTP PUT request.
337
- # @param [Puppet::SSL::CertificateRequest] csr the request to submit
338
- def submit_certificate_request(csr)
339
- Puppet::Rest::Routes.put_certificate_request(
340
- csr.render, name, Puppet::SSL::SSLContext.new(store: ssl_store))
341
- end
342
-
343
- def save_certificate_request(csr)
344
- Puppet::Util.replace_file(certificate_request_location(name), 0644) do |file|
345
- file.write(csr.render)
346
- end
347
- end
348
-
349
- # @param crl_string [String] CRLs read from disk or obtained from server
350
- # @return [Array<OpenSSL::X509::CRL>] CRLs from chain
351
- # @raise [Puppet::Error<OpenSSL::X509::CRLError>] if the CRL chain is malformed
352
- def process_crl_string(crl_string)
353
- delimiters = /-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m
354
- crl_string.scan(delimiters).map do |crl|
355
- begin
356
- OpenSSL::X509::CRL.new(crl)
357
- rescue OpenSSL::X509::CRLError => e
358
- raise Puppet::Error.new(
359
- _("Failed attempting to load CRL from %{crl_path}! The CRL below caused the error '%{error}':\n%{crl}" % {crl_path: crl_path, error: e.message, crl: crl}),
360
- e)
361
- end
362
- end
363
- end
364
-
365
- # @param path [String] Path to CRL Chain
366
- # @return [Array<OpenSSL::X509::CRL>] CRLs from chain
367
- # @raise [Puppet::Error<OpenSSL::X509::CRLError>] if the CRL chain is malformed
368
- def load_crls(path)
369
- crls_pems = Puppet::FileSystem.read(path, encoding: Encoding::UTF_8)
370
- process_crl_string(crls_pems)
371
- end
372
-
373
- # Fetches and saves the crl bundle from the CA server without validating
374
- # its contents. Takes an optional store to use with the http_client,
375
- # necessary for initial download of the CRL because `build_ssl_store`
376
- # calls this `download_and_save_crl_bundle`. If there is an error during
377
- # this downloading process, the file should not be replaced at all. This
378
- # streams the file directly to disk to avoid loading the entire CRL in memory.
379
- # @param [OpenSSL::X509::Store] store optional ssl_store to use with http_client
380
- # @raise [Puppet::Error<Puppet::Rest::ResponseError>] if bad response from server
381
- # @return nil
382
- def download_and_save_crl_bundle(store=nil)
383
- begin
384
- # If no SSL store was supplied, use this host's SSL store
385
- store ||= ssl_store
386
- Puppet::Util.replace_file(crl_path, 0644) do |file|
387
- result = Puppet::Rest::Routes.get_crls(CA_NAME, Puppet::SSL::SSLContext.new(store: store))
388
- file.write(result)
389
- end
390
- rescue Puppet::Rest::ResponseError => e
391
- raise Puppet::Error, _('Could not download CRLs: %{message}') % { message: e.message }
392
- end
393
- end
394
-
395
- # Attempts to load or fetch this host's certificate. Returns nil if
396
- # no certificate could be found.
397
- # @return [Puppet::SSL::Certificate, nil]
398
- def get_host_certificate
399
- cert = check_for_certificate_on_disk(name)
400
- if cert
401
- return cert
402
- else
403
- cert = download_certificate_from_ca(name)
404
- if cert
405
- save_host_certificate(cert)
406
- return cert
407
- else
408
- return nil
409
- end
410
- end
411
- end
412
-
413
- # Checks for the requested certificate on disc, at a location
414
- # determined by this host's configuration.
415
- # @name [String] name the name of the cert to look for
416
- # @raise [Puppet::Error] if contents of certificate file is invalid
417
- # and could not be loaded
418
- # @return [Puppet::SSL::Certificate, nil]
419
- def check_for_certificate_on_disk(cert_name)
420
- file_path = certificate_location(cert_name)
421
- if Puppet::FileSystem.exist?(file_path)
422
- begin
423
- Puppet::SSL::Certificate.from_s(Puppet::FileSystem.read(file_path))
424
- rescue OpenSSL::X509::CertificateError
425
- raise Puppet::Error, _("The certificate at %{file_path} is invalid. Could not load.") % { file_path: file_path }
426
- end
427
- end
428
- end
429
- public :check_for_certificate_on_disk
430
-
431
- # Attempts to download this host's certificate from the CA server.
432
- # Returns nil if the CA does not yet have a signed cert for this host.
433
- # @param [String] name then name of the cert to fetch
434
- # @raise [Puppet::Error] if response from the CA does not contain a valid
435
- # certificate
436
- # @return [Puppet::SSL::Certificate, nil]
437
- def download_certificate_from_ca(cert_name)
438
- begin
439
- cert = Puppet::Rest::Routes.get_certificate(
440
- cert_name,
441
- Puppet::SSL::SSLContext.new(store: ssl_store)
442
- )
443
- begin
444
- Puppet::SSL::Certificate.from_s(cert)
445
- rescue OpenSSL::X509::CertificateError
446
- raise Puppet::Error, _("Response from the CA did not contain a valid certificate for %{cert_name}.") % { cert_name: cert_name }
447
- end
448
- rescue Puppet::Rest::ResponseError => e
449
- if e.response.code.to_i == 404
450
- Puppet.debug _("No certificate for %{cert_name} on CA") % { cert_name: cert_name }
451
- nil
452
- else
453
- raise Puppet::Rest::ResponseError, _("Could not download host certificate: %{message}") % { message: e.message }
454
- end
455
- end
456
- end
457
- public :download_certificate_from_ca
458
-
459
- # Returns the file path for the named certificate, based on this host's
460
- # configuration.
461
- # @param [String] name the name of the cert to find
462
- # @return [String] file path to the cert's location
463
- def certificate_location(cert_name)
464
- cert_name == CA_NAME ? Puppet[:localcacert] : File.join(Puppet[:certdir], "#{cert_name}.pem")
465
- end
466
-
467
- # Returns the file path for the named CSR, based on this host's configuration.
468
- # @param [String] name the name of the CSR to find
469
- # @return [String] file path to the CSR's location
470
- def certificate_request_location(cert_name)
471
- File.join(Puppet[:requestdir], "#{cert_name}.pem")
472
- end
473
-
474
- # @param [OpenSSL::X509::PURPOSE_*] constant defining the kinds of certs
475
- # this store can verify
476
- # @return [OpenSSL::X509::Store]
477
- # @raise [OpenSSL::X509::StoreError] if localcacert is malformed or non-existant
478
- # @raise [Puppet::Error] if the CRL chain is malformed
479
- # @raise [Errno::ENOENT] if the CRL does not exist on disk but use_crl? is true
480
- def build_ssl_store(purpose=OpenSSL::X509::PURPOSE_ANY)
481
- store = OpenSSL::X509::Store.new
482
- store.purpose = purpose
483
-
484
- # Use the file path here, because we don't want to cause
485
- # a lookup in the middle of setting our ssl connection.
486
- store.add_file(Puppet.settings[:localcacert])
487
-
488
- if use_crl?
489
- if !Puppet::FileSystem.exist?(crl_path)
490
- download_and_save_crl_bundle(store)
491
- end
492
-
493
- crls = load_crls(crl_path)
494
-
495
- flags = OpenSSL::X509::V_FLAG_CRL_CHECK
496
- if use_crl_chain?
497
- flags |= OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
498
- end
499
-
500
- store.flags = flags
501
- crls.each {|crl| store.add_crl(crl) }
502
- end
503
- store
504
- end
505
- end