puppet 6.27.0 → 6.29.0
- checksums.yaml +4 -4
- data/Gemfile.lock +116 -44
- data/ext/project_data.yaml +1 -1
- data/lib/puppet/agent.rb +47 -11
- data/lib/puppet/application/agent.rb +2 -12
- data/lib/puppet/http/client.rb +22 -2
- data/lib/puppet/provider/package/puppetserver_gem.rb +7 -16
- data/lib/puppet/provider/package/windows/exe_package.rb +30 -1
- data/lib/puppet/provider/package/windows/package.rb +2 -1
- data/lib/puppet/provider/package/windows.rb +14 -1
- data/lib/puppet/provider/user/directoryservice.rb +5 -0
- data/lib/puppet/ssl/ssl_provider.rb +65 -12
- data/lib/puppet/ssl/state_machine.rb +13 -17
- data/lib/puppet/type/user.rb +3 -0
- data/lib/puppet/version.rb +1 -1
- data/lib/puppet.rb +1 -14
- data/man/man5/puppet.conf.5 +2 -2
- data/man/man8/puppet-agent.8 +1 -1
- data/man/man8/puppet-apply.8 +1 -1
- data/man/man8/puppet-catalog.8 +1 -1
- data/man/man8/puppet-config.8 +1 -1
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +1 -1
- data/man/man8/puppet-filebucket.8 +1 -1
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +1 -1
- data/man/man8/puppet-key.8 +1 -1
- data/man/man8/puppet-lookup.8 +1 -1
- data/man/man8/puppet-man.8 +1 -1
- data/man/man8/puppet-module.8 +1 -1
- data/man/man8/puppet-node.8 +1 -1
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +1 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +1 -1
- data/man/man8/puppet-status.8 +1 -1
- data/man/man8/puppet.8 +2 -2
- data/spec/integration/application/agent_spec.rb +108 -0
- data/spec/integration/http/client_spec.rb +27 -10
- data/spec/lib/puppet_spec/https.rb +1 -1
- data/spec/lib/puppet_spec/puppetserver.rb +39 -2
- data/spec/unit/agent_spec.rb +28 -2
- data/spec/unit/application/agent_spec.rb +26 -16
- data/spec/unit/daemon_spec.rb +2 -11
- data/spec/unit/http/client_spec.rb +18 -0
- data/spec/unit/provider/package/puppetserver_gem_spec.rb +2 -2
- data/spec/unit/provider/package/windows/exe_package_spec.rb +17 -0
- data/spec/unit/ssl/ssl_provider_spec.rb +75 -1
- data/spec/unit/ssl/state_machine_spec.rb +1 -0
- data/tasks/generate_cert_fixtures.rake +5 -4
- metadata +9 -3
@@ -42,15 +42,18 @@ class Puppet::SSL::SSLProvider
|
|
42
42
|
# refers to the cacerts bundle in the puppet-agent package.
|
43
43
|
#
|
44
44
|
# Connections made from the returned context will authenticate the server,
|
45
|
-
# i.e. `VERIFY_PEER`, but will not use a client certificate
|
46
|
-
# perform revocation checking.
|
45
|
+
# i.e. `VERIFY_PEER`, but will not use a client certificate (unless requested)
|
46
|
+
# and will not perform revocation checking.
|
47
47
|
#
|
48
48
|
# @param cacerts [Array<OpenSSL::X509::Certificate>] Array of trusted CA certs
|
49
49
|
# @param path [String, nil] A file containing additional trusted CA certs.
|
50
|
+
# @param include_client_cert [true, false] If true, the client cert will be added to the context
|
51
|
+
# allowing mutual TLS authentication. The default is false. If the client cert doesn't exist
|
52
|
+
# then the option will be ignored.
|
50
53
|
# @return [Puppet::SSL::SSLContext] A context to use to create connections
|
51
54
|
# @raise (see #create_context)
|
52
55
|
# @api private
|
53
|
-
def create_system_context(cacerts:, path: Puppet[:ssl_trust_store])
|
56
|
+
def create_system_context(cacerts:, path: Puppet[:ssl_trust_store], include_client_cert: false)
|
54
57
|
store = create_x509_store(cacerts, [], false, include_system_store: true)
|
55
58
|
|
56
59
|
if path
|
@@ -71,6 +74,29 @@ class Puppet::SSL::SSLProvider
|
|
71
74
|
end
|
72
75
|
end
|
73
76
|
|
77
|
+
if include_client_cert
|
78
|
+
cert_provider = Puppet::X509::CertProvider.new
|
79
|
+
private_key = cert_provider.load_private_key(Puppet[:certname], required: false)
|
80
|
+
unless private_key
|
81
|
+
Puppet.warning("Private key for '#{Puppet[:certname]}' does not exist")
|
82
|
+
end
|
83
|
+
|
84
|
+
client_cert = cert_provider.load_client_cert(Puppet[:certname], required: false)
|
85
|
+
unless client_cert
|
86
|
+
Puppet.warning("Client certificate for '#{Puppet[:certname]}' does not exist")
|
87
|
+
end
|
88
|
+
|
89
|
+
if private_key && client_cert
|
90
|
+
client_chain = resolve_client_chain(store, client_cert, private_key)
|
91
|
+
|
92
|
+
return Puppet::SSL::SSLContext.new(
|
93
|
+
store: store, cacerts: cacerts, crls: [],
|
94
|
+
private_key: private_key, client_cert: client_cert, client_chain: client_chain,
|
95
|
+
revocation: false
|
96
|
+
).freeze
|
97
|
+
end
|
98
|
+
end
|
99
|
+
|
74
100
|
Puppet::SSL::SSLContext.new(store: store, cacerts: cacerts, crls: [], revocation: false).freeze
|
75
101
|
end
|
76
102
|
|
@@ -107,15 +133,7 @@ class Puppet::SSL::SSLProvider
|
|
107
133
|
raise ArgumentError, _("Client cert is missing") unless client_cert
|
108
134
|
|
109
135
|
store = create_x509_store(cacerts, crls, revocation, include_system_store: include_system_store)
|
110
|
-
client_chain =
|
111
|
-
|
112
|
-
if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
|
113
|
-
raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
|
114
|
-
end
|
115
|
-
|
116
|
-
unless client_cert.check_private_key(private_key)
|
117
|
-
raise Puppet::SSL::SSLError, _("The certificate for '%{name}' does not match its private key") % { name: subject(client_cert) }
|
118
|
-
end
|
136
|
+
client_chain = resolve_client_chain(store, client_cert, private_key)
|
119
137
|
|
120
138
|
Puppet::SSL::SSLContext.new(
|
121
139
|
store: store, cacerts: cacerts, crls: crls,
|
@@ -174,6 +192,27 @@ class Puppet::SSL::SSLProvider
|
|
174
192
|
csr
|
175
193
|
end
|
176
194
|
|
195
|
+
def print(ssl_context, alg = 'SHA256')
|
196
|
+
if Puppet::Util::Log.sendlevel?(:debug)
|
197
|
+
chain = ssl_context.client_chain
|
198
|
+
# print from root to client
|
199
|
+
chain.reverse.each_with_index do |cert, i|
|
200
|
+
digest = Puppet::SSL::Digest.new(alg, cert.to_der)
|
201
|
+
if i == chain.length - 1
|
202
|
+
Puppet.debug(_("Verified client certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
|
203
|
+
else
|
204
|
+
Puppet.debug(_("Verified CA certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
|
205
|
+
end
|
206
|
+
end
|
207
|
+
ssl_context.crls.each do |crl|
|
208
|
+
oid_values = Hash[crl.extensions.map { |ext| [ext.oid, ext.value] }]
|
209
|
+
crlNumber = oid_values['crlNumber'] || 'unknown'
|
210
|
+
authKeyId = (oid_values['authorityKeyIdentifier'] || 'unknown').chomp!
|
211
|
+
Puppet.debug("Using CRL '#{crl.issuer.to_utf8}' authorityKeyIdentifier '#{authKeyId}' crlNumber '#{crlNumber }'")
|
212
|
+
end
|
213
|
+
end
|
214
|
+
end
|
215
|
+
|
177
216
|
private
|
178
217
|
|
179
218
|
def default_flags
|
@@ -220,6 +259,20 @@ class Puppet::SSL::SSLProvider
|
|
220
259
|
end
|
221
260
|
end
|
222
261
|
|
262
|
+
def resolve_client_chain(store, client_cert, private_key)
|
263
|
+
client_chain = verify_cert_with_store(store, client_cert)
|
264
|
+
|
265
|
+
if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
|
266
|
+
raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
|
267
|
+
end
|
268
|
+
|
269
|
+
unless client_cert.check_private_key(private_key)
|
270
|
+
raise Puppet::SSL::SSLError, _("The certificate for '%{name}' does not match its private key") % { name: subject(client_cert) }
|
271
|
+
end
|
272
|
+
|
273
|
+
client_chain
|
274
|
+
end
|
275
|
+
|
223
276
|
def verify_cert_with_store(store, cert)
|
224
277
|
# StoreContext#initialize accepts a chain argument, but it's set to [] because
|
225
278
|
# puppet requires any intermediate CA certs needed to complete the client's
|
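Review bot: In the new `print` method, `authKeyId = (oid_values['authorityKeyIdentifier'] || 'unknown').chomp!` can assign nil, because `chomp!` returns nil when nothing was removed — and the `'unknown'` fallback has no trailing newline, so the debug line prints `authorityKeyIdentifier ''` instead of `'unknown'` for CRLs without that extension. Use the non-bang form, `authKeyId = (oid_values['authorityKeyIdentifier'] || 'unknown').chomp`, and consider snake_case (`auth_key_id`, `crl_number`) to match the rest of the file. In `create_system_context`, the two `Puppet.warning` calls fire whenever `include_client_cert` is requested but the agent has not yet been issued a key or certificate, and the method then silently falls back to server-only verification; a comment such as `# No client identity yet (e.g. during bootstrap): fall back to server-authenticated TLS only` above the `if private_key && client_cert` branch would make that intended downgrade explicit to the next reader.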
@@ -27,6 +27,15 @@ class Puppet::SSL::StateMachine
|
|
27
27
|
detail.set_backtrace(cause.backtrace)
|
28
28
|
Error.new(@machine, message, detail)
|
29
29
|
end
|
30
|
+
|
31
|
+
def log_error(message)
|
32
|
+
# When running daemonized we set stdout to /dev/null, so write to the log instead
|
33
|
+
if Puppet[:daemonize]
|
34
|
+
Puppet.err(message)
|
35
|
+
else
|
36
|
+
$stdout.puts(message)
|
37
|
+
end
|
38
|
+
end
|
30
39
|
end
|
31
40
|
|
32
41
|
# Load existing CA certs or download them. Transition to NeedCRLs.
|
@@ -270,15 +279,15 @@ class Puppet::SSL::StateMachine
|
|
270
279
|
def next_state
|
271
280
|
time = @machine.waitforcert
|
272
281
|
if time < 1
|
273
|
-
|
282
|
+
log_error(_("Exiting now because the waitforcert setting is set to 0."))
|
274
283
|
exit(1)
|
275
284
|
elsif Time.now.to_i > @machine.wait_deadline
|
276
|
-
|
285
|
+
log_error(_("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the maxwaitforcert timeout has been exceeded.") % {name: Puppet[:certname] })
|
277
286
|
exit(1)
|
278
287
|
else
|
279
288
|
Puppet.info(_("Will try again in %{time} seconds.") % {time: time})
|
280
289
|
|
281
|
-
# close
|
290
|
+
# close http/tls and session state before sleeping
|
282
291
|
Puppet.runtime[:http].close
|
283
292
|
@machine.session = Puppet.runtime[:http].create_session
|
284
293
|
|
@@ -417,20 +426,7 @@ class Puppet::SSL::StateMachine
|
|
417
426
|
def ensure_client_certificate
|
418
427
|
final_state = run_machine(NeedLock.new(self), Done)
|
419
428
|
ssl_context = final_state.ssl_context
|
420
|
-
|
421
|
-
if Puppet::Util::Log.sendlevel?(:debug)
|
422
|
-
chain = ssl_context.client_chain
|
423
|
-
# print from root to client
|
424
|
-
chain.reverse.each_with_index do |cert, i|
|
425
|
-
digest = Puppet::SSL::Digest.new(@digest, cert.to_der)
|
426
|
-
if i == chain.length - 1
|
427
|
-
Puppet.debug(_("Verified client certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
|
428
|
-
else
|
429
|
-
Puppet.debug(_("Verified CA certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
|
430
|
-
end
|
431
|
-
end
|
432
|
-
end
|
433
|
-
|
429
|
+
@ssl_provider.print(ssl_context, @digest)
|
434
430
|
ssl_context
|
435
431
|
end
|
436
432
|
|
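Review bot: `log_error` writes the exit reason with `$stdout.puts` whenever `Puppet[:daemonize]` is false, so a foreground agent that sends its log to a file or syslog via `logdest` never records why it exited; only the daemonized branch goes through `Puppet.err`. The integration spec added in this release asserts the message on stdout, so this appears intentional, but the comment on the method only explains the daemonized case; adding `# In the foreground, print directly so interactive runs always see the exit reason even if logdest is not the console` would document the other branch. The `next_state` method containing the two `log_error` calls continues outside the hunk.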
data/lib/puppet/type/user.rb
CHANGED
@@ -227,6 +227,9 @@ module Puppet
|
|
227
227
|
* OS X 10.8 and higher use salted SHA512 PBKDF2 hashes. When managing passwords
|
228
228
|
on these systems, the `salt` and `iterations` attributes need to be specified as
|
229
229
|
well as the password.
|
230
|
+
* macOS 10.15 and higher require the salt to be 32-bytes. Since Puppet's user
|
231
|
+
resource requires the value to be hex encoded, the length of the salt's
|
232
|
+
string must be 64.
|
230
233
|
* Windows passwords can be managed only in cleartext, because there is no Windows
|
231
234
|
API for setting the password hash.
|
232
235
|
|
data/lib/puppet/version.rb
CHANGED
data/lib/puppet.rb
CHANGED
@@ -242,20 +242,7 @@ module Puppet
|
|
242
242
|
{
|
243
243
|
:environments => Puppet::Environments::Cached.new(Puppet::Environments::Combined.new(*loaders)),
|
244
244
|
:http_pool => proc { Puppet.runtime[:http].pool },
|
245
|
-
:ssl_context => proc {
|
246
|
-
begin
|
247
|
-
cert = Puppet::X509::CertProvider.new
|
248
|
-
password = cert.load_private_key_password
|
249
|
-
ssl = Puppet::SSL::SSLProvider.new
|
250
|
-
ssl.load_context(certname: Puppet[:certname], password: password)
|
251
|
-
rescue => e
|
252
|
-
# TRANSLATORS: `message` is an already translated string of why SSL failed to initialize
|
253
|
-
Puppet.log_exception(e, _("Failed to initialize SSL: %{message}") % { message: e.message })
|
254
|
-
# TRANSLATORS: `puppet agent -t` is a command and should not be translated
|
255
|
-
Puppet.err(_("Run `puppet agent -t`"))
|
256
|
-
raise e
|
257
|
-
end
|
258
|
-
},
|
245
|
+
:ssl_context => proc { Puppet.runtime[:http].default_ssl_context },
|
259
246
|
:ssl_host => proc { Puppet::SSL::Host.localhost(true) },
|
260
247
|
:http_session => proc { Puppet.runtime[:http].create_session },
|
261
248
|
:plugins => proc { Puppet::Plugins::Configuration.load_plugins },
|
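Review bot: The replacement `:ssl_context => proc { Puppet.runtime[:http].default_ssl_context }` drops the `Puppet.log_exception` call and the `Run \`puppet agent -t\`` hint that the removed block emitted when loading the SSL context failed. The diffstat shows `data/lib/puppet/http/client.rb` gaining 22 lines, so the failure handling has presumably moved into `default_ssl_context`, but that is not visible here; if it did not, operators lose the actionable message on certificate or key problems. A brief comment on the new line, e.g. `# SSL failures are logged by Puppet::HTTP::Client#default_ssl_context`, would make the contract explicit to readers of this file.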
data/man/man5/puppet.conf.5
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPETCONF" "5" "
|
4
|
+
.TH "PUPPETCONF" "5" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
\fBThis page is autogenerated; any changes will get overwritten\fR
|
6
6
|
.
|
7
7
|
.SH "Configuration settings"
|
@@ -945,7 +945,7 @@ The time to wait for data to be read from an HTTP connection\. If nothing is rea
|
|
945
945
|
The HTTP User\-Agent string to send when making network requests\.
|
946
946
|
.
|
947
947
|
.IP "\(bu" 4
|
948
|
-
\fIDefault\fR: \fBPuppet/6\.
|
948
|
+
\fIDefault\fR: \fBPuppet/6\.29\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
|
949
949
|
.
|
950
950
|
.IP "" 0
|
951
951
|
.
|
data/man/man8/puppet-agent.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-AGENT" "8" "
|
4
|
+
.TH "PUPPET\-AGENT" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-agent\fR \- The puppet agent daemon
|
data/man/man8/puppet-apply.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-APPLY" "8" "
|
4
|
+
.TH "PUPPET\-APPLY" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-apply\fR \- Apply Puppet manifests locally
|
data/man/man8/puppet-catalog.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-CATALOG" "8" "
|
4
|
+
.TH "PUPPET\-CATALOG" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-catalog\fR \- Compile, save, view, and convert catalogs\.
|
data/man/man8/puppet-config.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-CONFIG" "8" "
|
4
|
+
.TH "PUPPET\-CONFIG" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-config\fR \- Interact with Puppet\'s settings\.
|
data/man/man8/puppet-describe.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-DESCRIBE" "8" "
|
4
|
+
.TH "PUPPET\-DESCRIBE" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-describe\fR \- Display help about resource types
|
data/man/man8/puppet-device.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-DEVICE" "8" "
|
4
|
+
.TH "PUPPET\-DEVICE" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-device\fR \- Manage remote network devices
|
data/man/man8/puppet-doc.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-DOC" "8" "
|
4
|
+
.TH "PUPPET\-DOC" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-doc\fR \- Generate Puppet references
|
data/man/man8/puppet-epp.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-EPP" "8" "
|
4
|
+
.TH "PUPPET\-EPP" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-epp\fR \- Interact directly with the EPP template parser/renderer\.
|
data/man/man8/puppet-facts.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-FACTS" "8" "
|
4
|
+
.TH "PUPPET\-FACTS" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-facts\fR \- Retrieve and store facts\.
|
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-FILEBUCKET" "8" "
|
4
|
+
.TH "PUPPET\-FILEBUCKET" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-filebucket\fR \- Store and retrieve files in a filebucket
|
data/man/man8/puppet-generate.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-GENERATE" "8" "
|
4
|
+
.TH "PUPPET\-GENERATE" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-generate\fR \- Generates Puppet code from Ruby definitions\.
|
data/man/man8/puppet-help.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-HELP" "8" "
|
4
|
+
.TH "PUPPET\-HELP" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-help\fR \- Display Puppet help\.
|
data/man/man8/puppet-key.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-KEY" "8" "
|
4
|
+
.TH "PUPPET\-KEY" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-key\fR \- Create, save, and remove certificate keys\.
|
data/man/man8/puppet-lookup.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-LOOKUP" "8" "
|
4
|
+
.TH "PUPPET\-LOOKUP" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-lookup\fR \- Interactive Hiera lookup
|
data/man/man8/puppet-man.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-MAN" "8" "
|
4
|
+
.TH "PUPPET\-MAN" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-man\fR \- Display Puppet manual pages\.
|
data/man/man8/puppet-module.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-MODULE" "8" "
|
4
|
+
.TH "PUPPET\-MODULE" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-module\fR \- Creates, installs and searches for modules on the Puppet Forge\.
|
data/man/man8/puppet-node.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-NODE" "8" "
|
4
|
+
.TH "PUPPET\-NODE" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-node\fR \- View and manage node definitions\.
|
data/man/man8/puppet-parser.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-PARSER" "8" "
|
4
|
+
.TH "PUPPET\-PARSER" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-parser\fR \- Interact directly with the parser\.
|
data/man/man8/puppet-plugin.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-PLUGIN" "8" "
|
4
|
+
.TH "PUPPET\-PLUGIN" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-plugin\fR \- Interact with the Puppet plugin system\.
|
data/man/man8/puppet-report.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-REPORT" "8" "
|
4
|
+
.TH "PUPPET\-REPORT" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-report\fR \- Create, display, and submit reports\.
|
data/man/man8/puppet-resource.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-RESOURCE" "8" "
|
4
|
+
.TH "PUPPET\-RESOURCE" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-resource\fR \- The resource abstraction layer shell
|
data/man/man8/puppet-script.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-SCRIPT" "8" "
|
4
|
+
.TH "PUPPET\-SCRIPT" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-script\fR \- Run a puppet manifests as a script without compiling a catalog
|
data/man/man8/puppet-ssl.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-SSL" "8" "
|
4
|
+
.TH "PUPPET\-SSL" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-ssl\fR \- Manage SSL keys and certificates for puppet SSL clients
|
data/man/man8/puppet-status.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-STATUS" "8" "
|
4
|
+
.TH "PUPPET\-STATUS" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-status\fR \- View puppet server status\.
|
data/man/man8/puppet.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET" "8" "
|
4
|
+
.TH "PUPPET" "8" "January 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\fR
|
@@ -25,4 +25,4 @@ Specialized:
|
|
25
25
|
catalog Compile, save, view, and convert catalogs\. describe Display help about resource types device Manage remote network devices doc Generate Puppet references epp Interact directly with the EPP template parser/renderer\. facts Retrieve and store facts\. filebucket Store and retrieve files in a filebucket generate Generates Puppet code from Ruby definitions\. node View and manage node definitions\. parser Interact directly with the parser\. plugin Interact with the Puppet plugin system\. script Run a puppet manifests as a script without compiling a catalog ssl Manage SSL keys and certificates for puppet SSL clients
|
26
26
|
.
|
27
27
|
.P
|
28
|
-
See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v6\.
|
28
|
+
See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v6\.29\.0
|
@@ -3,6 +3,7 @@ require 'puppet_spec/files'
|
|
3
3
|
require 'puppet_spec/puppetserver'
|
4
4
|
require 'puppet_spec/compiler'
|
5
5
|
require 'puppet_spec/https'
|
6
|
+
require 'puppet/application/agent'
|
6
7
|
|
7
8
|
describe "puppet agent", unless: Puppet::Util::Platform.jruby? do
|
8
9
|
include PuppetSpec::Files
|
@@ -737,4 +738,111 @@ describe "puppet agent", unless: Puppet::Util::Platform.jruby? do
|
|
737
738
|
end
|
738
739
|
end
|
739
740
|
end
|
741
|
+
|
742
|
+
context "ssl" do
|
743
|
+
context "bootstrapping" do
|
744
|
+
before :each do
|
745
|
+
# reconfigure ssl to non-existent dir and files to force bootstrapping
|
746
|
+
dir = tmpdir('ssl')
|
747
|
+
Puppet[:ssldir] = dir
|
748
|
+
Puppet[:localcacert] = File.join(dir, 'ca.pem')
|
749
|
+
Puppet[:hostcrl] = File.join(dir, 'crl.pem')
|
750
|
+
Puppet[:hostprivkey] = File.join(dir, 'cert.pem')
|
751
|
+
Puppet[:hostcert] = File.join(dir, 'key.pem')
|
752
|
+
|
753
|
+
Puppet[:daemonize] = false
|
754
|
+
Puppet[:logdest] = 'console'
|
755
|
+
Puppet[:log_level] = 'info'
|
756
|
+
end
|
757
|
+
|
758
|
+
it "exits if the agent is not allowed to wait" do
|
759
|
+
Puppet[:waitforcert] = 0
|
760
|
+
|
761
|
+
server.start_server do |port|
|
762
|
+
Puppet[:serverport] = port
|
763
|
+
expect {
|
764
|
+
agent.run
|
765
|
+
}.to exit_with(1)
|
766
|
+
.and output(%r{Exiting now because the waitforcert setting is set to 0}).to_stdout
|
767
|
+
.and output(%r{Failed to submit the CSR, HTTP response was 404}).to_stderr
|
768
|
+
end
|
769
|
+
end
|
770
|
+
|
771
|
+
it "exits if the maxwaitforcert time is exceeded" do
|
772
|
+
Puppet[:waitforcert] = 1
|
773
|
+
Puppet[:maxwaitforcert] = 1
|
774
|
+
|
775
|
+
server.start_server do |port|
|
776
|
+
Puppet[:serverport] = port
|
777
|
+
expect {
|
778
|
+
agent.run
|
779
|
+
}.to exit_with(1)
|
780
|
+
.and output(%r{Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate \(127.0.0.1\). Exiting now because the maxwaitforcert timeout has been exceeded.}).to_stdout
|
781
|
+
.and output(%r{Failed to submit the CSR, HTTP response was 404}).to_stderr
|
782
|
+
end
|
783
|
+
end
|
784
|
+
end
|
785
|
+
|
786
|
+
def copy_fixtures(sources, dest)
|
787
|
+
ssldir = File.join(PuppetSpec::FIXTURE_DIR, 'ssl')
|
788
|
+
File.open(dest, 'w') do |f|
|
789
|
+
sources.each do |s|
|
790
|
+
f.write(File.read(File.join(ssldir, s)))
|
791
|
+
end
|
792
|
+
end
|
793
|
+
end
|
794
|
+
|
795
|
+
it "reloads the CRL between runs" do
|
796
|
+
Puppet[:localcacert] = ca = tmpfile('ca')
|
797
|
+
Puppet[:hostcrl] = crl = tmpfile('crl')
|
798
|
+
Puppet[:hostcert] = cert = tmpfile('cert')
|
799
|
+
Puppet[:hostprivkey] = key = tmpfile('key')
|
800
|
+
|
801
|
+
copy_fixtures(%w[ca.pem intermediate.pem], ca)
|
802
|
+
copy_fixtures(%w[crl.pem intermediate-crl.pem], crl)
|
803
|
+
copy_fixtures(%w[127.0.0.1.pem], cert)
|
804
|
+
copy_fixtures(%w[127.0.0.1-key.pem], key)
|
805
|
+
|
806
|
+
revoked = cert_fixture('revoked.pem')
|
807
|
+
revoked_key = key_fixture('revoked-key.pem')
|
808
|
+
|
809
|
+
mounts = {}
|
810
|
+
mounts[:catalog] = -> (req, res) {
|
811
|
+
catalog = compile_to_catalog(<<~MANIFEST, node)
|
812
|
+
file { '#{cert}':
|
813
|
+
ensure => file,
|
814
|
+
content => '#{revoked}'
|
815
|
+
}
|
816
|
+
file { '#{key}':
|
817
|
+
ensure => file,
|
818
|
+
content => '#{revoked_key}'
|
819
|
+
}
|
820
|
+
MANIFEST
|
821
|
+
|
822
|
+
res.body = formatter.render(catalog)
|
823
|
+
res['Content-Type'] = formatter.mime
|
824
|
+
}
|
825
|
+
|
826
|
+
server.start_server(mounts: mounts) do |port|
|
827
|
+
Puppet[:serverport] = port
|
828
|
+
Puppet[:daemonize] = false
|
829
|
+
Puppet[:runinterval] = 1
|
830
|
+
Puppet[:waitforcert] = 1
|
831
|
+
Puppet[:maxwaitforcert] = 1
|
832
|
+
|
833
|
+
# simulate two runs of the agent, then return so we don't infinite loop
|
834
|
+
allow_any_instance_of(Puppet::Daemon).to receive(:run_event_loop) do |instance|
|
835
|
+
instance.agent.run(splay: false)
|
836
|
+
instance.agent.run(splay: false)
|
837
|
+
end
|
838
|
+
|
839
|
+
agent.command_line.args << '--verbose'
|
840
|
+
expect {
|
841
|
+
agent.run
|
842
|
+
}.to exit_with(1)
|
843
|
+
.and output(%r{Exiting now because the maxwaitforcert timeout has been exceeded}).to_stdout
|
844
|
+
.and output(%r{Certificate 'CN=revoked' is revoked}).to_stderr
|
845
|
+
end
|
846
|
+
end
|
847
|
+
end
|
740
848
|
end
|
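Review bot: In the new "bootstrapping" `before :each`, the file names are swapped: `Puppet[:hostprivkey] = File.join(dir, 'cert.pem')` and `Puppet[:hostcert] = File.join(dir, 'key.pem')`. The test still passes because neither file exists, but a reader debugging a bootstrapping failure will be misled; swap them to `Puppet[:hostprivkey] = File.join(dir, 'key.pem')` and `Puppet[:hostcert] = File.join(dir, 'cert.pem')`. The enclosing `describe "puppet agent"` block starts outside the hunk.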