puppet 6.3.0-universal-darwin → 6.4.0-universal-darwin

data/lib/puppet/ssl/validator.rb

@@ -2,6 +2,7 @@ require 'openssl'
 
 # API for certificate verification
 #
+# @deprecated
 # @api public
 class Puppet::SSL::Validator
 

data/lib/puppet/ssl/validator/default_validator.rb

@@ -4,6 +4,7 @@ require 'puppet/ssl'
 # Perform peer certificate verification against the known CA.
 # If there is no CA information known, then no verification is performed
 #
+# @deprecated
 # @api private
 #
 class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator

data/lib/puppet/ssl/validator/no_validator.rb

@@ -2,6 +2,8 @@ require 'openssl'
 require 'puppet/ssl'
 
 # Performs no SSL verification
+#
+# @deprecated
 # @api private
 #
 class Puppet::SSL::Validator::NoValidator < Puppet::SSL::Validator

data/lib/puppet/ssl/verifier.rb

@@ -0,0 +1,134 @@
+require 'puppet/ssl'
+
+# Verify an SSL connection.
+#
+# @api private
+class Puppet::SSL::Verifier
+
+  FIVE_MINUTES_AS_SECONDS = 5 * 60
+
+  attr_reader :ssl_context
+
+  # Create a verifier using an `ssl_context`.
+  #
+  # @param hostname [String] FQDN of the server we're attempting to connect to
+  # @param ssl_context [Puppet::SSL::SSLContext] ssl_context containing CA certs,
+  #   CRLs, etc needed to verify the server's certificate chain
+  def initialize(hostname, ssl_context)
+    @hostname = hostname
+    @ssl_context = ssl_context
+  end
+
+  # Return true if `self` is reusable with `verifier` meaning they
+  # are using the same `ssl_context`, so there's no loss of security
+  # when using a cached connection.
+  #
+  # @param verifier [Puppet::SSL::Verifier] the verifier to compare against
+  # @return [Boolean] return true if a cached connection can be used, false otherwise
+  def reusable?(verifier)
+    verifier.instance_of?(self.class) &&
+      verifier.ssl_context.object_id == @ssl_context.object_id
+  end
+
+  # Configure the `http` connection based on the current `ssl_context`.
+  #
+  # @param http [Net::HTTP] connection
+  # @api private
+  def setup_connection(http)
+    http.cert_store = @ssl_context[:store]
+    http.cert = @ssl_context[:client_cert]
+    http.key = @ssl_context[:private_key]
+    # default to VERIFY_PEER
+    http.verify_mode = if !@ssl_context[:verify_peer]
+                         OpenSSL::SSL::VERIFY_NONE
+                       else
+                         OpenSSL::SSL::VERIFY_PEER
+                       end
+    http.verify_callback = self
+  end
+
+  # This method is called if `Net::HTTP#start` raises an exception, which
+  # could be a result of an openssl error during cert verification, due
+  # to ruby's `Socket#post_connection_check`, or general SSL connection
+  # error.
+  #
+  # @param http [Net::HTTP] connection
+  # @param error [OpenSSL::SSL::SSLError] connection error
+  # @raise [Puppet::SSL::CertVerifyError] SSL connection failed due to a
+  #   verification error with the server's certificate or chain
+  # @raise [Puppet::Error] server hostname does not match certificate
+  # @raise [OpenSSL::SSL::SSLError] low-level SSL connection failure
+  # @api private
+  def handle_connection_error(http, error)
+    raise @last_error if @last_error
+
+    # ruby can pass SSL validation but fail post_connection_check
+    peer_cert = http.peer_cert
+    if peer_cert && !OpenSSL::SSL.verify_certificate_identity(peer_cert, @hostname)
+      raise Puppet::SSL::CertMismatchError.new(peer_cert, @hostname)
+    else
+      raise error
+    end
+  end
+
+  # OpenSSL will call this method with the verification result for each cert in
+  # the server's chain, working from the root CA to the server's cert. If
+  # preverify_ok is `true`, then that cert passed verification. If it's `false`
+  # then the current verification error is contained in `store_context.error`.
+  # and the current cert is in `store_context.current_cert`.
+  #
+  # If this method returns `false`, then verification stops and ruby will raise
+  # an `OpenSSL::SSL::Error` with "certificate verification failed". If this
+  # method returns `true`, then verification continues.
+  #
+  # If this method ignores a verification error, such as the cert's CRL will be
+  # valid within the next 5 minutes, then this method may be called with a
+  # different verification error for the same cert.
+  #
+  # WARNING: If `store_context.error` returns `OpenSSL::X509::V_OK`, don't
+  # assume verification passed. Ruby 2.4+ implements certificate hostname
+  # checking by default, and if the cert doesn't match the hostname, then the
+  # error will be V_OK. Always use `preverify_ok` to determine if verification
+  # succeeded or not.
+  #
+  # @param preverify_ok [Boolean] if `true` the current certificate in `store_context`
+  #   was verified. Otherwise, check for the current error in `store_context.error`
+  # @param store_context [OpenSSL::X509::StoreContext] The context holding the
+  #   verification result for one certificate
+  # @return [Boolean] If `true`, continue verifying the chain, even if that means
+  #   ignoring the current verification error. If `false`, abort the connection.
+  #
+  # @api private
+  def call(preverify_ok, store_context)
+    return true if preverify_ok
+
+    peer_cert = store_context.current_cert
+
+    case store_context.error
+    when OpenSSL::X509::V_OK
+      # chain is from leaf to root, opposite of the order that `call` is invoked
+      chain_cert = store_context.chain.first
+
+      # ruby 2.4 doesn't compare certs based on value, so force to DER byte array
+      if peer_cert && chain_cert && peer_cert.to_der == chain_cert.to_der && !OpenSSL::SSL.verify_certificate_identity(peer_cert, @hostname)
+        @last_error = Puppet::SSL::CertMismatchError.new(peer_cert, @hostname)
+        return false
+      end
+
+    when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
+      crl = store_context.current_crl
+      if crl && crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS
+        Puppet.debug("Ignoring CRL not yet valid, current time #{Time.now.utc}, CRL last updated #{crl.last_update.utc}")
+        return true
+      end
+    end
+
+    # TRANSLATORS: `error` is an untranslated message from openssl describing why a certificate in the server's chain is invalid, and `subject` is the identity/name of the failed certificate
+    @last_error = Puppet::SSL::CertVerifyError.new(
+      _("certificate verify failed [%{error} for %{subject}]") %
+      { error: store_context.error_string, subject: peer_cert.subject },
+      store_context.error, peer_cert
+    )
+    false
+  end
+end

data/lib/puppet/ssl/verifier_adapter.rb

@@ -0,0 +1,48 @@
+# Allows a `Puppet::SSL::Validator` to be used in situations where a
+# `Verifier` is required, while preserving the legacy validator behavior of:
+#
+# * Loading CA certs from `ssl_client_ca_auth` or `localcacert`
+# * Verifying each cert in the peer's chain is contained in the file
+#   loaded above.
+#
+class Puppet::SSL::VerifierAdapter
+  attr_reader :validator
+
+  def initialize(validator)
+    @validator = validator
+  end
+
+  # Return true if `self` is reusable with `verifier` meaning they
+  # are both using the same class of `Puppet::SSL::Validator`. In this
+  # case we only care the Validator class is the same. We can't require
+  # the same instances, because a new instance is created each time
+  # HttpPool.http_instance is called.
+  #
+  # @param verifier [Puppet::SSL::Verifier] the verifier to compare against
+  # @return [Boolean] return true if a cached connection can be used, false otherwise
+  def reusable?(verifier)
+    verifier.instance_of?(self.class) &&
+      verifier.validator.instance_of?(@validator.class)
+  end
+
+  # Configure the `http` connection based on the current `ssl_context`.
+  #
+  # @param http [Net::HTTP] connection
+  # @api private
+  def setup_connection(http)
+    @validator.setup_connection(http)
+  end
+
+  # Handle an SSL connection error.
+  #
+  # @param http [Net::HTTP] connection
+  # @param error [OpenSSL::SSL::SSLError] connection error
+  # @return (see Puppet::SSL::Verifier#handle_connection_error)
+  # @raise [Puppet::SSL::CertVerifyError] SSL connection failed due to a
+  #   verification error with the server's certificate or chain
+  # @raise [Puppet::Error] server hostname does not match certificate
+  # @raise [OpenSSL::SSL::SSLError] low-level SSL connection failure
+  def handle_connection_error(http, error)
+    Puppet::Util::SSL.handle_connection_error(error, @validator, http.address)
+  end
+end

data/lib/puppet/test/test_helper.rb

@@ -134,8 +134,9 @@ module Puppet::Test
 
       Puppet.push_context(
         {
-          :trusted_information =>
+          trusted_information:
             Puppet::Context::TrustedInformation.new('local', 'testing', {}),
+          ssl_context: Puppet::SSL::SSLContext.new(cacerts: []).freeze
         },
         "Context for specs")
 

data/lib/puppet/type/exec.rb

@@ -198,7 +198,7 @@ module Puppet
 
     newparam(:user) do
       desc "The user to run the command as.
-      
+
         > **Note:** Puppet cannot execute commands as other users on Windows.
 
         Note that if you use this attribute, any error output is not captured
@@ -407,6 +407,8 @@ module Puppet
       # If the file exists, return false (i.e., don't run the command),
       # else return true
       def check(value)
+        #TRANSLATORS 'creates' is a parameter name and should not be translated
+        debug(_("Checking that 'creates' path '%{creates_path}' exists") % { creates_path: value })
         ! Puppet::FileSystem.exist?(value)
       end
     end
@@ -581,7 +583,15 @@ module Puppet
           val = @parameters[check].value
           val = [val] unless val.is_a? Array
           val.each do |value|
-            return false unless @parameters[check].check(value)
+            if !@parameters[check].check(value)
+              # Give a debug message so users can figure out what command would have been
+              # but don't print sensitive commands or parameters in the clear
+              cmdstring = @parameters[:command].sensitive ? "[command redacted]" : @parameters[:command].value
+
+              debug(_("'%{cmd}' won't be executed because of failed check '%{check}'") % { cmd: cmdstring, check: check })
+
+              return false
+            end
           end
         end
       }
@@ -614,11 +624,25 @@ module Puppet
 
     private
     def set_sensitive_parameters(sensitive_parameters)
-      # Respect sensitive commands
-      if sensitive_parameters.include?(:command)
-        sensitive_parameters.delete(:command)
-        parameter(:command).sensitive = true
+      # If any are sensitive, mark all as sensitive
+      sensitive = false
+      parameters_to_check = [:command, :unless, :onlyif]
+
+      parameters_to_check.each do |p| 
+        if sensitive_parameters.include?(p)
+          sensitive_parameters.delete(p)
+          sensitive = true
+        end
       end
+
+      if sensitive
+        parameters_to_check.each do |p|
+          if parameters.include?(p)
+            parameter(p).sensitive = true
+          end
+        end
+      end
+
       super(sensitive_parameters)
     end
   end

data/lib/puppet/type/file/mode.rb

@@ -116,8 +116,13 @@ module Puppet
     # If we're not following links and we're a link, then we just turn
     # off mode management entirely.
     def insync?(currentvalue)
+      if provider.respond_to?(:munge_windows_system_group)
+        munged_mode = provider.munge_windows_system_group(currentvalue, @should)
+        return false if munged_mode.nil?
+        currentvalue = munged_mode
+      end
       if stat = @resource.stat and stat.ftype == "link" and @resource[:links] != :follow
-        self.debug "Not managing symlink mode"
+        self.debug _("Not managing symlink mode")
         return true
       else
         return super(currentvalue)

data/lib/puppet/type/file/source.rb

@@ -302,7 +302,8 @@ module Puppet
       end
 
       request.do_request(:fileserver) do |req|
-        connection = Puppet::Network::HttpPool.http_instance(req.server, req.port)
+        ssl_context = Puppet.lookup(:ssl_context)
+        connection = Puppet::Network::HttpPool.connection(req.server, req.port, ssl_context: ssl_context)
         connection.request_get(Puppet::Network::HTTP::API::IndirectedRoutes.request_to_uri(req), add_accept_encoding({"Accept" => BINARY_MIME_TYPES}), &block)
       end
     end
@@ -320,7 +321,6 @@ module Puppet
       end
     end
 
-
     def chunk_file_from_source
       get_from_source do |response|
         case response.code

data/lib/puppet/type/filebucket.rb

@@ -42,19 +42,23 @@ module Puppet
     end
 
     newparam(:server) do
-      desc "The server providing the remote filebucket service. Defaults to the
-        value of the `server` setting (that is, the currently configured
-        puppet master server).
+      desc "The server providing the remote filebucket service.
 
-        This setting is _only_ consulted if the `path` attribute is set to `false`."
-      defaultto { Puppet[:server] }
+        This setting is _only_ consulted if the `path` attribute is set to `false`.
+
+        If this attribute is not specified, the first entry in the `server_list`
+        configuration setting is used, followed by the value of the `server` setting
+        if `server_list` is not set."
     end
 
     newparam(:port) do
-      desc "The port on which the remote server is listening. Defaults to the
-        value of the `masterport` setting, which is usually %s." % Puppet[:masterport]
+      desc "The port on which the remote server is listening.
+
+        This setting is _only_ consulted if the `path` attribute is set to `false`.
 
-      defaultto { Puppet[:masterport] }
+        If this attribute is not specified, the first entry in the `server_list`
+        configuration setting is used, followed by the value of the `masterport`
+        setting if `server_list` is not set."
     end
 
     newparam(:path) do

data/lib/puppet/type/user.rb

@@ -618,7 +618,20 @@ module Puppet
     end
 
     newproperty(:attributes, :parent => Puppet::Property::KeyValue, :required_features => :manages_aix_lam) do
-      desc "Specify AIX attributes for the user in an array of attribute = value pairs."
+      desc "Specify AIX attributes for the user in an array or hash of attribute = value pairs. 
+      
+      For example:
+      
+      ```
+      ['minage=0', 'maxage=5', 'SYSTEM=compat']
+      ```
+      
+      or 
+    
+     ```
+     attributes => { 'minage' => '0', 'maxage' => '5', 'SYSTEM' => 'compat' }
+     ```
+     "
 
       self.log_only_changed_or_new_keys = true
 

data/lib/puppet/util/connection.rb

@@ -1,7 +1,10 @@
 require 'puppet'
+require 'puppet/util/warnings'
 
 module Puppet::Util
   module Connection
+    extend Puppet::Util::Warnings
+
     # The logic for server and port is kind of gross. In summary:
     # IF an endpoint-specific setting is requested AND that setting has been set by the user
     #    Use that setting.
@@ -26,11 +29,12 @@ module Puppet::Util
       else
         server = Puppet.lookup(:server) do
           if primary_server = Puppet.settings[:server_list][0]
-            Puppet.debug "Dynamically-bound server lookup failed; using first entry"
+            debug_once('Dynamically-bound server lookup failed; using first entry')
             primary_server[0]
           else
             setting ||= :server
-            Puppet.debug "Dynamically-bound server lookup failed, falling back to #{setting} setting"
+            debug_once('Dynamically-bound server lookup failed, falling back to %{setting} setting' %
+                       {setting: setting})
             Puppet.settings[setting]
           end
         end
@@ -47,7 +51,7 @@ module Puppet::Util
     # failover-selected port.
     # @param [Symbol] port_setting The preferred port setting to use
     # @param [Symbol] server_setting The server setting assoicated with this route.
-    # @return [String] the port to use for use in the request
+    # @return [Integer] the port to use for use in the request
     def self.determine_port(port_setting, server_setting)
       if (port_setting && port_setting != :masterport && Puppet.settings.set_by_config?(port_setting)) ||
          (server_setting && server_setting != :server && Puppet.settings.set_by_config?(server_setting))
@@ -55,7 +59,7 @@ module Puppet::Util
       else
         port = Puppet.lookup(:serverport) do
           if primary_server = Puppet.settings[:server_list][0]
-            Puppet.debug "Dynamically-bound port lookup failed; using first entry"
+            debug_once('Dynamically-bound port lookup failed; using first entry')
 
             # Port might not be set, so we want to fallback in that
             # case. We know we don't need to use `setting` here, since
@@ -63,7 +67,8 @@ module Puppet::Util
             (primary_server[1] || Puppet.settings[:masterport])
           else
             port_setting ||= :masterport
-            Puppet.debug "Dynamically-bound port lookup failed; falling back to #{port_setting} setting"
+            debug_once('Dynamically-bound port lookup failed; falling back to %{port_setting} setting' %
+                       {port_setting: port_setting})
             Puppet.settings[port_setting]
           end
         end

data/lib/puppet/util/feature.rb

@@ -1,6 +1,9 @@
 require 'puppet'
+require 'puppet/util/warnings'
 
 class Puppet::Util::Feature
+  include Puppet::Util::Warnings
+
   attr_reader :path
 
   # Create a new feature test. You have to pass the feature name, and it must be
@@ -109,8 +112,14 @@ class Puppet::Util::Feature
     begin
       require lib
       true
-    rescue ScriptError => detail
-      Puppet.debug _("Failed to load library '%{lib}' for feature '%{name}': %{detail}") % { lib: lib, name: name, detail: detail }
+    rescue LoadError
+      # Expected case. Required library insn't installed.
+      debug_once(_("Could not find library '%{lib}' required to enable feature '%{name}'") %
+        {lib: lib, name: name})
+      false
+    rescue StandardError, ScriptError => detail
+      debug_once(_("Exception occurred while loading library '%{lib}' required to enable feature '%{name}': %{detail}") %
+        {lib: lib, name: name, detail: detail})
       false
     end
   end