puppet 6.3.0-universal-darwin → 6.4.0-universal-darwin

data/lib/puppet/network/http/session.rb

@@ -4,10 +4,11 @@
 # @api private
 #
 class Puppet::Network::HTTP::Session
-  attr_reader :connection
+  attr_reader :connection, :verifier
 
-  def initialize(connection, expiration_time)
+  def initialize(connection, verifier, expiration_time)
     @connection = connection
+    @verifier = verifier
     @expiration_time = expiration_time
   end
 

data/lib/puppet/network/http_pool.rb

@@ -28,6 +28,7 @@ module Puppet::Network::HttpPool
   # @param verify_peer [Boolean] Whether to verify the peer credentials, if possible. Verification will not take place if the CA certificate is missing.
   # @return [Puppet::Network::HTTP::Connection]
   #
+  # @deprecated Use {#http_connection} instead.
   # @api public
   #
   def self.http_instance(host, port, use_ssl = true, verify_peer = true)
@@ -51,6 +52,7 @@ module Puppet::Network::HttpPool
   #   verification on a Net::HTTP instance and report any errors and the certificates used.
   # @return [Puppet::Network::HTTP::Connection]
   #
+  # @deprecated Use {#http_connection} instead.
   # @api public
   #
   def self.http_ssl_instance(host, port, verifier = Puppet::SSL::Validator.default_validator())
@@ -58,4 +60,34 @@ module Puppet::Network::HttpPool
                             :use_ssl => true,
                             :verify => verifier)
   end
+
+  # Retrieve a connection for the given host and port.
+  #
+  # @param host [String] The host to connect to
+  # @param port [Integer] The port to connect to
+  # @param use_ssl [Boolean] Whether to use SSL, defaults to `true`.
+  # @param ssl_context [Puppet::SSL:SSLContext, nil] The ssl context to use
+  #   when making HTTPS connections. Required when `use_ssl` is `true`.
+  # @return [Puppet::Network::HTTP::Connection]
+  #
+  # @api public
+  #
+  def self.connection(host, port, use_ssl: true, ssl_context: nil)
+    if use_ssl
+      unless ssl_context
+        # TRANSLATORS 'ssl_context' is an argument and should not be translated
+        raise ArgumentError, _("An ssl_context is required when connecting to 'https://%{host}:%{port}'") % { host: host, port: port }
+      end
+
+      verifier = Puppet::SSL::Verifier.new(host, ssl_context)
+      http_client_class.new(host, port, use_ssl: true, verifier: verifier)
+    else
+      if ssl_context
+        # TRANSLATORS 'ssl_context' is an argument and should not be translated
+        Puppet.warning(_("An ssl_context is unnecessary when connecting to 'http://%{host}:%{port}' and will be ignored") % { host: host, port: port })
+      end
+
+      http_client_class.new(host, port, use_ssl: false)
+    end
+  end
 end

data/lib/puppet/pops/loader/generic_plan_instantiator.rb

@@ -0,0 +1,28 @@
+module Puppet::Pops
+module Loader
+# The GenericPlanInstantiator dispatches to either PuppetPlanInstantiator or a
+# yaml_plan_instantiator injected through the Puppet context, depending on
+# the type of the plan.
+#
+class GenericPlanInstantiator
+  def self.create(loader, typed_name, source_refs)
+    if source_refs.length > 1
+      raise ArgumentError, _("Found multiple files for plan '%{plan_name}' but only one is allowed") % { plan_name: typed_name.name }
+    end
+
+    source_ref = source_refs[0]
+    code_string = Puppet::FileSystem.read(source_ref, :encoding => 'utf-8')
+
+    instantiator = if source_ref.end_with?('.pp')
+                     Puppet::Pops::Loader::PuppetPlanInstantiator
+                   else
+                     Puppet.lookup(:yaml_plan_instantiator) do
+                       raise Puppet::DevError, _("No instantiator is available to load plan from %{source_ref}") % { source_ref: source_ref }
+                     end
+                   end
+
+    instantiator.create(loader, typed_name, source_ref, code_string)
+  end
+end
+end
+end

data/lib/puppet/pops/loader/loader_paths.rb

@@ -29,7 +29,7 @@ module LoaderPaths
           result << FunctionPath3x.new(loader)
         end
     when :plan
-      result << PlanPathPP.new(loader)
+      result << PlanPath.new(loader)
     when :task
       result << TaskPath.new(loader) if Puppet[:tasks] && loader.loadables.include?(:task)
     when :type
@@ -312,27 +312,51 @@ module LoaderPaths
     end
   end
 
-  class PlanPathPP < PuppetSmartPath
-    PLAN_PATH_PP = File.join('plans')
+  class PlanPath < PuppetSmartPath
+    PLAN_PATH = File.join('plans')
+    PP_EXT = '.pp'.freeze
+    YAML_EXT = '.yaml'.freeze
+
+    def initialize(loader)
+      super
+
+      if Puppet.lookup(:yaml_plan_instantiator) { nil }
+        @extensions = [PP_EXT, YAML_EXT]
+      else
+        @extensions = [PP_EXT]
+      end
+      @init_filenames = @extensions.map { |ext| "init#{ext}" }
+    end
+
+    def extension
+      EMPTY_STRING
+    end
 
     def relative_path
-      PLAN_PATH_PP
+      PLAN_PATH
     end
 
     def instantiator()
-      Puppet::Pops::Loader::PuppetPlanInstantiator
+      Puppet::Pops::Loader::GenericPlanInstantiator
+    end
+
+    def fuzzy_matching?
+      true
+    end
+
+    def valid_path?(path)
+      @extensions.any? { |ext| path.end_with?(ext) } && path.start_with?(generic_path)
     end
 
     def typed_name(type, name_authority, relative_path, module_name)
-      if relative_path == 'init.pp' && !(module_name.nil? || module_name.empty?)
+      if @init_filenames.include?(relative_path) && !(module_name.nil? || module_name.empty?)
         TypedName.new(type, module_name, name_authority)
       else
         n = ''
         n << module_name unless module_name.nil?
-        unless extension.empty?
-          # Remove extension
-          relative_path = relative_path[0..-(extension.length+1)]
-        end
+        ext = @extensions.find { |extension| relative_path.end_with?(extension) }
+        relative_path = relative_path[0..-(ext.length+1)]
+
         relative_path.split('/').each do |segment|
           n << '::' if n.size > 0
           n << segment
@@ -340,6 +364,18 @@ module LoaderPaths
         TypedName.new(type, n, name_authority)
       end
     end
+
+    def effective_path(typed_name, start_index_in_name)
+      # Puppet name to path always skips the name-space as that is part of the generic path
+      # i.e. <module>/mymodule/functions/foo.pp is the function mymodule::foo
+      parts = typed_name.name_parts
+      if start_index_in_name > 0
+        return nil if start_index_in_name >= parts.size
+        parts = parts[start_index_in_name..-1]
+      end
+      basename = File.join(generic_path, parts)
+      @extensions.map { |ext| "#{basename}#{ext}" }
+    end
   end
 
   # SmartPaths

data/lib/puppet/pops/loader/module_loaders.rb

@@ -407,9 +407,16 @@ module ModuleLoaders
         origin = sp.effective_path(typed_name, is_global ? 0 : 1)
         unless origin.nil?
           if sp.fuzzy_matching?
-            # Find all paths that might be related to origin
-            origins = candidate_paths(origin)
-            return [origins, sp] unless origins.empty?
+            # If there are multiple *specific* paths for the file, find
+            # whichever ones exist. Otherwise, find all paths that *might* be
+            # related to origin
+            if origin.is_a?(Array)
+              origins = origin.map { |ori| existing_path(ori) }.compact
+              return [origins, sp] unless origins.empty?
+            else
+              origins = candidate_paths(origin)
+              return [origins, sp] unless origins.empty?
+            end
           else
             existing = existing_path(origin)
             return [origin, sp] unless existing.nil?

data/lib/puppet/provider/file/windows.rb

@@ -71,7 +71,9 @@ Puppet::Type.type(:file).provide :windows do
 
   def mode=(value)
     begin
-      set_mode(value.to_i(8), resource[:path])
+      managing_owner = !resource[:owner].nil?
+      managing_group = !resource[:group].nil?
+      set_mode(value.to_i(8), resource[:path], true, managing_owner, managing_group)
     rescue => detail
       error = Puppet::Error.new(_("failed to set mode %{mode} on %{path}: %{message}") % { mode: mode, path: resource[:path], message: detail.message })
       error.set_backtrace detail.backtrace
@@ -86,6 +88,52 @@ Puppet::Type.type(:file).provide :windows do
     end
   end
 
+  # munge the windows group permissions if the user or group are set to SYSTEM
+  #
+  # when SYSTEM user is the group or user and the resoure is not managing them then treat
+  # the resource as insync if System has FullControl access.
+  #
+  # @param [String] current - the current mode returned by the resource
+  # @param [String] should  - what the mode should be
+  #
+  # @return [String, nil] munged mode or nil if the resource should be out of sync
+  def munge_windows_system_group(current, should)
+    [
+      {
+        'type'        => 'group',
+        'resource'    => resource[:group],
+        'set_to_user' => group,
+        'fullcontrol' => "070".to_i(8),
+        'remove_mask' => "707".to_i(8),
+        'should_mask' => (should[0].to_i(8) & "070".to_i(8)),
+      },
+      {
+        'type'        => 'owner',
+        'resource'    => resource[:owner],
+        'set_to_user' => owner,
+        'fullcontrol' => "700".to_i(8),
+        'remove_mask' => "077".to_i(8),
+        'should_mask' => (should[0].to_i(8) & "700".to_i(8)),
+      }
+    ].each do |mode_part|
+      if mode_part['resource'].nil? && (mode_part['set_to_user'] == Puppet::Util::Windows::SID::LocalSystem)
+        if (current.to_i(8) & mode_part['fullcontrol']) == mode_part['fullcontrol']
+          # Since the group is LocalSystem, and the permissions are FullControl,
+          # replace the value returned with the value expected. This will treat
+          # this specific situation as "insync"
+          current = ( (current.to_i(8) & mode_part['remove_mask']) | mode_part['should_mask'] ).to_s(8).rjust(4, '0')
+        else
+          # If the SYSTEM account does _not_ have FullControl in this scenario, we should
+          # force the resource out of sync no matter what.
+          #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
+          Puppet.debug _("%{resource_name}: %{mode_part_type} set to SYSTEM. SYSTEM permissions cannot be set below FullControl ('7')") % { resource_name: resource[:name], mode_part_type: mode_part['type']}
+          return nil
+        end
+      end
+    end
+    current
+  end
+
   attr_reader :file
   private
   def file

data/lib/puppet/provider/package/windows.rb

@@ -63,7 +63,11 @@ Puppet::Type.type(:package).provide(:windows, :parent => Puppet::Provider::Packa
     installer = Puppet::Provider::Package::Windows::Package.installer_class(resource)
 
     command = [installer.install_command(resource), install_options].flatten.compact.join(' ')
-    output = execute(command, :failonfail => false, :combine => true, :cwd => File.dirname(resource[:source]), :suppress_window => true)
+    working_dir = File.dirname(resource[:source])
+    if !Puppet::FileSystem.exist?(working_dir) && resource[:source] =~ /\.msi"?\Z/i
+      working_dir = nil
+    end
+    output = execute(command, :failonfail => false, :combine => true, :cwd => working_dir, :suppress_window => true)
 
     check_result(output.exitstatus)
   end

data/lib/puppet/reports/http.rb

@@ -28,7 +28,8 @@ Puppet::Reports.register_report(:http) do
       }
     end
     use_ssl = url.scheme == 'https'
-    conn = Puppet::Network::HttpPool.http_instance(url.host, url.port, use_ssl)
+    ssl_context = use_ssl ? Puppet.lookup(:ssl_context) : nil
+    conn = Puppet::Network::HttpPool.connection(url.host, url.port, use_ssl: use_ssl, ssl_context: ssl_context)
     response = conn.post(url.path, self.to_yaml, headers, options)
     unless response.kind_of?(Net::HTTPSuccess)
       Puppet.err _("Unable to submit report to %{url} [%{code}] %{message}") % { url: Puppet[:reporturl].to_s, code: response.code, message: response.msg }

data/lib/puppet/rest/client.rb

@@ -10,7 +10,7 @@ module Puppet::Rest
     attr_reader :dns_resolver
 
     # Create a new HTTP client for querying the given API.
-    # @param [Puppet::Rest::SSLContext] ssl_context the SSL configuration for this client
+    # @param [Puppet::SSL::SSLContext] ssl_context the SSL configuration for this client
     # @param [Integer] receive_timeout how long in seconds this client will wait
     #                  for a response after making a request
     # @param [HTTPClient] client the third-party HTTP client wrapped by this
@@ -76,8 +76,12 @@ module Puppet::Rest
 
     def configure_verify_mode(ssl_context)
       @client.ssl_config.verify_callback = @verifier
-      @client.ssl_config.cert_store = ssl_context.cert_store
-      @client.ssl_config.verify_mode = ssl_context.verify_mode
+      @client.ssl_config.cert_store = ssl_context[:store]
+      @client.ssl_config.verify_mode = if !ssl_context[:verify_peer]
+                                         OpenSSL::SSL::VERIFY_NONE
+                                       else
+                                         OpenSSL::SSL::VERIFY_PEER
+                                       end
     end
   end
 end

data/lib/puppet/rest/routes.rb

@@ -18,7 +18,7 @@ module Puppet::Rest
 
     # Make an HTTP request to fetch the named certificate
     # @param [String] name the name of the certificate to fetch
-    # @param [Puppet::Rest::SSLContext] ssl_context the ssl content to use when making the request
+    # @param [Puppet::SSL::SSLContext] ssl_context the ssl content to use when making the request
     # @raise [Puppet::Rest::ResponseError] if the response status is not OK
     # @return [String] the PEM-encoded certificate or certificate bundle
     def self.get_certificate(name, ssl_context)
@@ -28,21 +28,7 @@ module Puppet::Rest
 
         use_ssl = url.is_a? URI::HTTPS
 
-        # Deeper levels of the code assume that if we have any number of
-        # certificate related files, we have all of the certificate related
-        # files. This assumption caused us to download the certificate twice.
-        # We have to hard code `verify_mode=false` so we don't attempt to
-        # download the certificate so that we can download the certificate.
-        #
-        # This is related to PUP-9094. We won't have so many issues with this
-        # once we are using the httpclient gem to handle this work. We were
-        # unable to get this work completed in time for Puppet 6.0.0, so we had
-        # to switch back to using Puppet::Network::HttpPool, which has
-        # unfortunate limitations (i.e., an all or nothing approach to cert
-        # verification).
-        verify_mode = false
-
-        client = Puppet::Network::HttpPool.http_instance(url.host, url.port, use_ssl, verify_mode)
+        client = Puppet::Network::HttpPool.connection(url.host, url.port, use_ssl: use_ssl, ssl_context: ssl_context)
 
         response = client.get(url.request_uri, header)
         unless response.code.to_i == 200
@@ -57,7 +43,7 @@ module Puppet::Rest
 
     # Make an HTTP request to fetch the named crl
     # @param [String] name the crl to fetch
-    # @param [Puppet::Rest::SSLContext] ssl_context the ssl content to use when making the request
+    # @param [Puppet::SSL::SSLContext] ssl_context the ssl content to use when making the request
     # @raise [Puppet::Rest::ResponseError] if the response status is not OK
     # @return [String] the PEM-encoded crl
     def self.get_crls(name, ssl_context)
@@ -67,28 +53,14 @@ module Puppet::Rest
 
         use_ssl = url.is_a? URI::HTTPS
 
-        # Deeper levels of the code assume that if we have any number of
-        # certificate related files, we have all of the certificate related
-        # files. Unfortunately, this causes us to get stuck in an infinite loop,
-        # so we have to hard code `verify_mode=false` so we don't attempt to use
-        # files that do not exist yet in order to download those files.
-        #
-        # This is related to PUP-9094. We won't have so many issues with this
-        # once we are using the httpclient gem to handle this work. We were
-        # unable to get this work completed in time for Puppet 6.0.0, so we had
-        # to switch back to using Puppet::Network::HttpPool, which has
-        # unfortunate limitations (i.e., an all or nothing approach to cert
-        # verification).
-        verify_mode = false
-
-        client = Puppet::Network::HttpPool.http_instance(url.host, url.port, use_ssl, verify_mode)
+        client = Puppet::Network::HttpPool.connection(url.host, url.port, use_ssl: use_ssl, ssl_context: ssl_context)
 
         response = client.get(url.request_uri, header)
         unless response.code.to_i == 200
           raise Puppet::Rest::ResponseError.new(response.message, response)
         end
 
-        Puppet.debug _("Downloaded certificate revocation list for %{name} from %{server}") % { name: name, server: ca.server }
+        Puppet.info _("Downloaded certificate revocation list for %{name} from %{server}") % { name: name, server: ca.server }
 
         uncompress_body(response)
       end
@@ -97,7 +69,7 @@ module Puppet::Rest
     # Make an HTTP request to send the named CSR
     # @param [String] csr_pem the contents of the CSR to sent to the CA
     # @param [String] name the name of the host whose CSR is being submitted
-    # @param [Puppet::Rest::SSLContext] ssl_context the ssl content to use when making the request
+    # @param [Puppet::SSL::SSLContext] ssl_context the ssl content to use when making the request
     # @rasies [Puppet::Rest::ResponseError] if the response status is not OK
     def self.put_certificate_request(csr_pem, name, ssl_context)
       ca.with_base_url(Puppet::Network::Resolver.new) do |url|
@@ -108,10 +80,7 @@ module Puppet::Rest
 
         use_ssl = url.is_a? URI::HTTPS
 
-        # See notes above as to why verify_mode is hardcoded to false
-        verify_mode = false
-
-        client = Puppet::Network::HttpPool.http_instance(url.host, url.port, use_ssl, verify_mode)
+        client = Puppet::Network::HttpPool.connection(url.host, url.port, use_ssl: use_ssl, ssl_context: ssl_context)
 
         response = client.put(url.request_uri, csr_pem, header)
         if response.code.to_i == 200
@@ -124,7 +93,7 @@ module Puppet::Rest
 
     # Make an HTTP request to get the named CSR
     # @param [String] name the name of the host whose CSR is being queried
-    # @param [Puppet::Rest::SSLContext] ssl_context the ssl content to use when making the request
+    # @param [Puppet::SSL::SSLContext] ssl_context the ssl content to use when making the request
     # @rasies [Puppet::Rest::ResponseError] if the response status is not OK
     # @return [String] the PEM encoded certificate request
     def self.get_certificate_request(name, ssl_context)
@@ -134,11 +103,7 @@ module Puppet::Rest
 
         use_ssl = url.is_a? URI::HTTPS
 
-        # See notes above as to why verify_mode is hardcoded to false
-        verify_mode = false
-
-        client = Puppet::Network::HttpPool.http_instance(url.host, url.port, use_ssl, verify_mode)
-
+        client = Puppet::Network::HttpPool.connection(url.host, url.port, use_ssl: use_ssl, ssl_context: ssl_context)
 
         response = client.get(url.request_uri, header)
         unless response.code.to_i == 200

data/lib/puppet/ssl.rb

@@ -9,4 +9,10 @@ module Puppet::SSL # :nodoc:
   require 'puppet/ssl/validator'
   require 'puppet/ssl/validator/no_validator'
   require 'puppet/ssl/validator/default_validator'
+  require 'puppet/ssl/error'
+  require 'puppet/ssl/ssl_context'
+  require 'puppet/ssl/verifier'
+  require 'puppet/ssl/verifier_adapter'
+  require 'puppet/ssl/ssl_provider'
+  require 'puppet/ssl/state_machine'
 end

data/lib/puppet/ssl/error.rb

@@ -0,0 +1,26 @@
+module Puppet::SSL
+  class SSLError < Puppet::Error; end
+
+  class CertVerifyError < Puppet::SSL::SSLError
+    attr_reader :code, :cert
+    def initialize(message, code, cert)
+      super(message)
+      @code = code
+      @cert = cert
+    end
+  end
+
+  class CertMismatchError < Puppet::SSL::SSLError
+    def initialize(peer_cert, host)
+      valid_certnames = [peer_cert.subject.to_s.sub(/.*=/, ''),
+                         *Puppet::SSL::Certificate.subject_alt_names_for(peer_cert)].uniq
+      if valid_certnames.size > 1
+        expected_certnames = _("expected one of %{certnames}") % { certnames: valid_certnames.join(', ') }
+      else
+        expected_certnames = _("expected %{certname}") % { certname: valid_certnames.first }
+      end
+
+      super(_("Server hostname '%{host}' did not match server certificate; %{expected_certnames}") % { host: host, expected_certnames: expected_certnames })
+    end
+  end
+end