puppet 6.3.0-universal-darwin → 6.4.0-universal-darwin

data/lib/puppet/util/http_proxy.rb

@@ -182,6 +182,7 @@ module Puppet::Util::HttpProxy
       end
 
       response = proxy.send(:head, current_uri.path, headers)
+      Puppet.debug("HTTP HEAD request to #{current_uri} returned #{response.code} #{response.message}")
 
       if [301, 302, 307].include?(response.code.to_i)
         # handle the redirection
@@ -195,9 +196,9 @@ module Puppet::Util::HttpProxy
         else
           response = proxy.send(method, current_uri.path, headers)
         end
-      end
 
-      Puppet.debug("HTTP #{method.to_s.upcase} request to #{current_uri} returned #{response.code} #{response.message}")
+        Puppet.debug("HTTP #{method.to_s.upcase} request to #{current_uri} returned #{response.code} #{response.message}")
+      end
 
       return response
     end

data/lib/puppet/util/pidlock.rb

@@ -62,7 +62,7 @@ class Puppet::Util::Pidlock
     # POSIX and Windows platforms (PUP-9247).
     if Puppet.features.posix?
       procname = Puppet::Util::Execution.execute(["ps", "-p", lock_pid, "-o", "comm="]).strip
-      @lockfile.unlock unless procname =~ /puppet$/
+      @lockfile.unlock unless procname =~ /puppet(-.*)?$/
     elsif Puppet.features.microsoft_windows?
       # On Windows, we're checking if the filesystem path name of the running
       # process is our vendored ruby:

data/lib/puppet/util/ssl.rb

@@ -75,16 +75,7 @@ module Puppet::Util::SSL
       msg << ": [" + verifier.verify_errors.join('; ') + "]"
       raise Puppet::Error, msg, error.backtrace
     elsif peer_cert && !OpenSSL::SSL.verify_certificate_identity(peer_cert, host)
-      valid_certnames = [peer_cert.subject.to_s.sub(/.*=/, ''),
-                         *Puppet::SSL::Certificate.subject_alt_names_for(peer_cert)].uniq
-      if valid_certnames.size > 1
-        expected_certnames = _("expected one of %{certnames}") % { certnames: valid_certnames.join(', ') }
-      else
-        expected_certnames = _("expected %{certname}") % { certname: valid_certnames.first }
-      end
-
-      msg = _("Server hostname '%{host}' did not match server certificate; %{expected_certnames}") % { host: host, expected_certnames: expected_certnames }
-      raise Puppet::Error, msg, error.backtrace
+      raise Puppet::SSL::CertMismatchError.new(peer_cert, host)
     else
       raise error
     end

data/lib/puppet/util/windows/security.rb

@@ -274,7 +274,7 @@ module Puppet::Util::Windows::Security
   # mode. Only a user with the SE_BACKUP_NAME and SE_RESTORE_NAME
   # privileges in their process token can change the mode for objects
   # that they do not have read and write access to.
-  def set_mode(mode, path, protected = true)
+  def set_mode(mode, path, protected = true, managing_owner = false, managing_group = false)
     sd = get_security_descriptor(path)
     well_known_world_sid = Puppet::Util::Windows::SID::Everyone
     well_known_nobody_sid = Puppet::Util::Windows::SID::Nobody
@@ -319,6 +319,8 @@ module Puppet::Util::Windows::Security
       nobody_allow |= FILE::FILE_APPEND_DATA;
     end
 
+    isownergroup = sd.owner == sd.group
+
     # caller is NOT managing SYSTEM by using group or owner, so set to FULL
     if ! [sd.owner, sd.group].include? well_known_system_sid
       # we don't check S_ISYSTEM_MISSING bit, but automatically carry over existing SYSTEM perms
@@ -328,15 +330,35 @@ module Puppet::Util::Windows::Security
       # It is possible to set SYSTEM with a mode other than Full Control (7) however this makes no sense and in practical terms
       # should not be done.  We can trap these instances and correct them before being applied.
       if (sd.owner == well_known_system_sid) && (owner_allow != FILE::FILE_ALL_ACCESS)
-        #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
-        Puppet.debug _("An attempt to set mode %{mode} on item %{path} would result in the owner, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path }
-        owner_allow = FILE::FILE_ALL_ACCESS
+        # If owner and group are both SYSTEM but group is unmanaged the control rights of system will be set to FullControl by
+        # the unmanaged group, so there is no need for the warning
+        if managing_owner && (!isownergroup || managing_group)
+          #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
+          Puppet.warning _("Setting control rights for %{path} owner SYSTEM to less than Full Control rights. Setting SYSTEM rights to less than Full Control may have unintented consequences for operations on this file") % { path: path }
+        elsif managing_owner && isownergroup
+          #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
+          Puppet.debug _("%{path} owner and group both set to user SYSTEM, but group is not managed directly: SYSTEM user rights will be set to FullControl by group") % { path: path }
+        else
+          #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
+          Puppet.debug _("An attempt to set mode %{mode} on item %{path} would result in the owner, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path }
+          owner_allow = FILE::FILE_ALL_ACCESS
+        end
       end
 
       if (sd.group == well_known_system_sid) && (group_allow != FILE::FILE_ALL_ACCESS)
-        #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
-        Puppet.debug _("An attempt to set mode %{mode} on item %{path} would result in the group, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path }
-        group_allow = FILE::FILE_ALL_ACCESS
+        # If owner and group are both SYSTEM but owner is unmanaged the control rights of system will be set to FullControl by
+        # the unmanaged owner, so there is no need for the warning.
+        if managing_group && (!isownergroup || managing_owner)
+          #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
+          Puppet.warning _("Setting control rights for %{path} group SYSTEM to less than Full Control rights. Setting SYSTEM rights to less than Full Control may have unintented consequences for operations on this file") % { path: path }
+        elsif managing_group && isownergroup
+          #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
+          Puppet.debug _("%{path} owner and group both set to user SYSTEM, but owner is not managed directly: SYSTEM user rights will be set to FullControl by owner") % { path: path }
+        else
+          #TRANSLATORS 'SYSTEM' is a Windows name and should not be translated
+          Puppet.debug _("An attempt to set mode %{mode} on item %{path} would result in the group, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control") % { mode: mode.to_s(8), path: path }
+          group_allow = FILE::FILE_ALL_ACCESS
+        end
       end
     end
 
@@ -353,7 +375,6 @@ module Puppet::Util::Windows::Security
     end
 
     # if owner and group the same, then map group permissions to the one owner ACE
-    isownergroup = sd.owner == sd.group
     if isownergroup
       owner_allow |= group_allow
     end

data/lib/puppet/version.rb

@@ -6,7 +6,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 
 module Puppet
-  PUPPETVERSION = '6.3.0'
+  PUPPETVERSION = '6.4.0'
 
   ##
   # version is a public API method intended to always provide a fast and

data/lib/puppet/x509.rb

@@ -0,0 +1,7 @@
+require 'puppet'
+require 'openssl'
+
+module Puppet::X509 # :nodoc:
+  require 'puppet/x509/pem_store'
+  require 'puppet/x509/cert_provider'
+end

data/lib/puppet/x509/cert_provider.rb

@@ -0,0 +1,286 @@
+require 'puppet/x509'
+
+# Class for loading and saving cert related objects.
+#
+# @api private
+class Puppet::X509::CertProvider
+  include Puppet::X509::PemStore
+
+  # Only allow printing ascii characters, excluding /
+  VALID_CERTNAME = /\A[ -.0-~]+\Z/
+  CERT_DELIMITERS = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m
+  CRL_DELIMITERS = /-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m
+
+  def initialize(capath: Puppet[:localcacert],
+                 crlpath: Puppet[:hostcrl],
+                 privatekeydir: Puppet[:privatekeydir],
+                 certdir: Puppet[:certdir],
+                 requestdir: Puppet[:requestdir])
+    @capath = capath
+    @crlpath = crlpath
+    @privatekeydir = privatekeydir
+    @certdir = certdir
+    @requestdir = requestdir
+  end
+
+  # Save `certs` to the configured `capath`.
+  #
+  # @param certs [Array<OpenSSL::X509::Certificate>] Array of CA certs to save
+  # @raise [Puppet::Error] if the certs cannot be saved
+  # @api private
+  def save_cacerts(certs)
+    save_pem(certs.map(&:to_pem).join, @capath, **permissions_for_setting(:localcacert))
+  rescue SystemCallError => e
+    raise Puppet::Error.new(_("Failed to save CA certificates to '%{capath}'") % {capath: @capath}, e)
+  end
+
+  # Load CA certs from the configured `capath`.
+  #
+  # @param required [Boolean] If true, raise if they are missing
+  # @return (see #load_cacerts_from_pem)
+  # @raise (see #load_cacerts_from_pem)
+  # @raise [Puppet::Error] if the certs cannot be loaded
+  # @api private
+  def load_cacerts(required: false)
+    pem = load_pem(@capath)
+    if !pem && required
+      raise Puppet::Error, _("The CA certificates are missing from '%{path}'") % { path: @capath }
+    end
+    pem ? load_cacerts_from_pem(pem) : nil
+  rescue SystemCallError => e
+    raise Puppet::Error.new(_("Failed to load CA certificates from '%{capath}'") % {capath: @capath}, e)
+  end
+
+  # Load PEM encoded CA certificates.
+  #
+  # @param pem [String] PEM encoded certificate(s)
+  # @return [Array<OpenSSL::X509::Certificate>] Array of CA certs
+  # @raise [OpenSSL::X509::CertificateError] The `pem` text does not contain a valid cert
+  # @api private
+  def load_cacerts_from_pem(pem)
+    # TRANSLATORS 'PEM' is an acronym and shouldn't be translated
+    raise OpenSSL::X509::CertificateError, _("Failed to parse CA certificates as PEM") if pem !~ CERT_DELIMITERS
+
+    pem.scan(CERT_DELIMITERS).map do |text|
+      OpenSSL::X509::Certificate.new(text)
+    end
+  end
+
+  # Save `crls` to the configured `crlpath`.
+  #
+  # @param crls [Array<OpenSSL::X509::CRL>] Array of CRLs to save
+  # @raise [Puppet::Error] if the CRLs cannot be saved
+  # @api private
+  def save_crls(crls)
+    save_pem(crls.map(&:to_pem).join, @crlpath, **permissions_for_setting(:hostcrl))
+  rescue SystemCallError => e
+    raise Puppet::Error.new(_("Failed to save CRLs to '%{crlpath}'") % {crlpath: @crlpath}, e)
+  end
+
+  # Load CRLs from the configured `crlpath` path.
+  #
+  # @param required [Boolean] If true, raise if they are missing
+  # @return (see #load_crls_from_pem)
+  # @raise (see #load_crls_from_pem)
+  # @raise [Puppet::Error] if the CRLs cannot be loaded
+  # @api private
+  def load_crls(required: false)
+    pem = load_pem(@crlpath)
+    if !pem && required
+      raise Puppet::Error, _("The CRL is missing from '%{path}'") % { path: @crlpath }
+    end
+    pem ? load_crls_from_pem(pem) : nil
+  rescue SystemCallError => e
+    raise Puppet::Error.new(_("Failed to load CRLs from '%{crlpath}'") % {crlpath: @crlpath}, e)
+  end
+
+  # Load PEM encoded CRL(s).
+  #
+  # @param pem [String] PEM encoded CRL(s)
+  # @return [Array<OpenSSL::X509::CRL>] Array of CRLs
+  # @raise [OpenSSL::X509::CRLError] The `pem` text does not contain a valid CRL
+  # @api private
+  def load_crls_from_pem(pem)
+    # TRANSLATORS 'PEM' is an acronym and shouldn't be translated
+    raise OpenSSL::X509::CRLError, _("Failed to parse CRLs as PEM") if pem !~ CRL_DELIMITERS
+
+    pem.scan(CRL_DELIMITERS).map do |text|
+      OpenSSL::X509::CRL.new(text)
+    end
+  end
+
+  # Save named private key in the configured `privatekeydir`. For
+  # historical reasons, names are case insensitive.
+  #
+  # @param name [String] The private key identity
+  # @param key [OpenSSL::PKey::RSA] private key
+  # @raise [Puppet::Error] if the private key cannot be saved
+  # @api private
+  def save_private_key(name, key)
+    path = to_path(@privatekeydir, name)
+    save_pem(key.to_pem, path, **permissions_for_setting(:hostprivkey))
+  rescue SystemCallError => e
+    raise Puppet::Error.new(_("Failed to save private key for '%{name}'") % {name: name}, e)
+  end
+
+  # Load a private key from the configured `privatekeydir`. For
+  # historical reasons, names are case-insensitive.
+  #
+  # @param name [String] The private key identity
+  # @param required [Boolean] If true, raise if it is missing
+  # @return (see #load_private_key_from_pem)
+  # @raise (see #load_private_key_from_pem)
+  # @raise [Puppet::Error] if the private key cannot be loaded
+  # @api private
+  def load_private_key(name, required: false)
+    path = to_path(@privatekeydir, name)
+    pem = load_pem(path)
+    if !pem && required
+      raise Puppet::Error, _("The private key is missing from '%{path}'") % { path: path }
+    end
+    pem ? load_private_key_from_pem(pem) : nil
+  rescue SystemCallError => e
+    raise Puppet::Error.new(_("Failed to load private key for '%{name}'") % {name: name}, e)
+  end
+
+  # Load a PEM encoded private key.
+  #
+  # @param pem [String] PEM encoded private key
+  # @return [OpenSSL::PKey::RSA] The private key
+  # @raise [OpenSSL::PKey::RSAError] The `pem` text does not contain a valid key
+  # @api private
+  def load_private_key_from_pem(pem)
+    # set a non-nil passphrase to ensure openssl doesn't prompt
+    # but ruby 2.4.0 & 2.4.1 require at least 4 bytes, see
+    # https://github.com/ruby/ruby/commit/f012932218fd609f75f9268812df61fb26e2d0f1#diff-40e4270ec386990ac60d7ab5ff8045a4
+    OpenSSL::PKey::RSA.new(pem, '    ')
+  end
+
+  # Save a named client cert to the configured `certdir`.
+  #
+  # @param name [String] The client cert identity
+  # @param cert [OpenSSL::X509::Certificate] The cert to save
+  # @raise [Puppet::Error] if the client cert cannot be saved
+  # @api private
+  def save_client_cert(name, cert)
+    path = to_path(@certdir, name)
+    save_pem(cert.to_pem, path, **permissions_for_setting(:hostcert))
+  rescue SystemCallError => e
+    raise Puppet::Error.new(_("Failed to save client certificate for '%{name}'") % {name: name}, e)
+  end
+
+  # Load a named client cert from the configured `certdir`.
+  #
+  # @param name [String] The client cert identity
+  # @param required [Boolean] If true, raise it is missing
+  # @return (see #load_request_from_pem)
+  # @raise (see #load_client_cert_from_pem)
+  # @raise [Puppet::Error] if the client cert cannot be loaded
+  # @api private
+  def load_client_cert(name, required: false)
+    path = to_path(@certdir, name)
+    pem = load_pem(path)
+    if !pem && required
+      raise Puppet::Error, _("The client certificate is missing from '%{path}'") % { path: path }
+    end
+    pem ? load_client_cert_from_pem(pem) : nil
+  rescue SystemCallError => e
+    raise Puppet::Error.new(_("Failed to load client certificate for '%{name}'") % {name: name}, e)
+  end
+
+  # Load a PEM encoded certificate.
+  #
+  # @param pem [String] PEM encoded cert
+  # @return [OpenSSL::X509::Certificate] the certificate
+  # @raise [OpenSSL::X509::CertificateError] The `pem` text does not contain a valid cert
+  # @api private
+  def load_client_cert_from_pem(pem)
+    OpenSSL::X509::Certificate.new(pem)
+  end
+
+  # Create a certificate signing request (CSR).
+  #
+  # @param name [String] the request identity
+  # @param private_key [OpenSSL::PKey::RSA] private key
+  # @return [Puppet::X509::Request] The request
+  #
+  def create_request(name, private_key)
+    options = {}
+
+    if Puppet[:dns_alt_names] && Puppet[:dns_alt_names] != ''
+      options[:dns_alt_names] = Puppet[:dns_alt_names]
+    end
+
+    csr_attributes = Puppet::SSL::CertificateRequestAttributes.new(Puppet[:csr_attributes])
+    if csr_attributes.load
+      options[:csr_attributes] = csr_attributes.custom_attributes
+      options[:extension_requests] = csr_attributes.extension_requests
+    end
+
+    csr = Puppet::SSL::CertificateRequest.new(name)
+    csr.generate(private_key, options)
+  end
+
+  # Save a certificate signing request (CSR) to the configured `requestdir`.
+  #
+  # @param name [String] the request identity
+  # @param csr [OpenSSL::X509::Request] the request
+  # @raise [Puppet::Error] if the cert request cannot be saved
+  # @api private
+  def save_request(name, csr)
+    path = to_path(@requestdir, name)
+    save_pem(csr.to_pem, path, **permissions_for_setting(:hostcsr))
+  rescue SystemCallError => e
+    raise Puppet::Error.new(_("Failed to save certificate request for '%{name}'") % {name: name}, e)
+  end
+
+  # Load a named certificate signing request (CSR) from the configured `requestdir`.
+  #
+  # @param name [String] The request identity
+  # @return (see #load_request_from_pem)
+  # @raise (see #load_request_from_pem)
+  # @raise [Puppet::Error] if the cert request cannot be saved
+  # @api private
+  def load_request(name)
+    path = to_path(@requestdir, name)
+    pem = load_pem(path)
+    pem ? load_request_from_pem(pem) : nil
+  rescue SystemCallError => e
+    raise Puppet::Error.new(_("Failed to load certificate request for '%{name}'") % {name: name}, e)
+  end
+
+  # Delete a named certificate signing request (CSR) from the configured `requestdir`.
+  #
+  # @param name [String] The request identity
+  # @return [Boolean] true if the CSR was deleted
+  def delete_request(name)
+    path = to_path(@requestdir, name)
+    delete_pem(path)
+  rescue SystemCallError => e
+    raise Puppet::Error.new(_("Failed to delete certificate request for '%{name}'") % {name: name}, e)
+  end
+
+  # Load a PEM encoded certificate signing request (CSR).
+  #
+  # @param pem [String] PEM encoded request
+  # @return [OpenSSL::X509::Request] the request
+  # @raise [OpenSSL::X509::RequestError] The `pem` text does not contain a valid request
+  # @api private
+  def load_request_from_pem(pem)
+    OpenSSL::X509::Request.new(pem)
+  end
+
+  private
+
+  def to_path(base, name)
+    raise _("Certname %{name} must not contain unprintable or non-ASCII characters") % { name: name.inspect } unless name =~ VALID_CERTNAME
+    File.join(base, "#{name.downcase}.pem")
+  end
+
+  def permissions_for_setting(name)
+    setting = Puppet.settings.setting(name)
+    perm = { mode: setting.mode.to_i(8) }
+    perm.merge!(owner: setting.owner, group: setting.group) if Puppet.features.root? && !Puppet::Util::Platform.windows?
+    perm
+  end
+end

data/lib/puppet/x509/pem_store.rb

@@ -0,0 +1,55 @@
+require 'puppet/x509'
+
+# Methods for managing PEM encoded files. While PEM encoded strings are
+# always ASCII, the files may contain user specified comments, so they are
+# UTF-8 encoded.
+#
+# @api private
+module Puppet::X509::PemStore
+  # Load a pem encoded object.
+  #
+  # @param path [String] file path
+  # @return [String, nil] The PEM encoded object or nil if the
+  #  path does not exist
+  # @raise [Errno::EACCES] if permission is denied
+  # @api private
+  def load_pem(path)
+    Puppet::FileSystem.read(path, encoding: 'UTF-8')
+  rescue Errno::ENOENT
+    nil
+  end
+
+  # Save pem encoded content to a file. If the file doesn't exist, it
+  # will be created. Otherwise, the file will be overwritten. In both
+  # cases the contents will be overwritten atomically so other
+  # processes don't see a partially written file.
+  #
+  # @param pem [String] The PEM encoded object to write
+  # @param path [String] The file path to write to
+  # @raise [Errno::EACCES] if permission is denied
+  # @raise [Errno::EPERM] if the operation cannot be completed
+  # @api private
+  def save_pem(pem, path, owner: nil, group: nil, mode: 0644)
+    Puppet::FileSystem.replace_file(path, mode) do |f|
+      f.set_encoding('UTF-8')
+      f.write(pem.encode('UTF-8'))
+    end
+
+    if !Puppet::Util::Platform.windows? && Puppet.features.root? && (owner || group)
+      FileUtils.chown(owner, group, path)
+    end
+  end
+
+  # Delete a pem encoded object, if it exists.
+  #
+  # @param path [String] The file path to delete
+  # @return [Boolean] Returns true if the file was deleted, false otherwise
+  # @raise [Errno::EACCES] if permission is denied
+  # @api private
+  def delete_pem(path)
+    Puppet::FileSystem.unlink(path)
+    true
+  rescue Errno::ENOENT
+    false
+  end
+end