puppet 6.3.0-x64-mingw32 → 6.4.0-x64-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d1409e1a2589b1602bc907da7acbf070eddb735e96048111165be8cf55fd34f9
-  data.tar.gz: d58f649f1e89e0afdde47133154930a2bd9f2012abb6011581930a54411212ab
+  metadata.gz: dbebbec89063e9a6f60b083f250071d28009dda65c477e7d9c9453f5720736b2
+  data.tar.gz: 91a67c15664400162afe08b10aadc1bd2f7c7b517164ab91bcacfb17b9911909
 SHA512:
-  metadata.gz: 0c746f7f6f360ea9e6f23f119d21c6e8dbb41fd2041289fd375bc0b177d26304dba56e32b06215ce7b35d37b8e236c4eb86cc570545f3e95772cfade845042b3
-  data.tar.gz: e491809320b0fe59b6de6bda6f04b44894bdee6c2731dfdd60250010c187c801ed0fefcc13579b397f0a9c627ca685dde7bbad1092b4910b0e32b368c6e714c7
+  metadata.gz: b61bf8afe41c9f2a254d9d32bf054b0a03e9904dbd885d43c345cd9a3fc8d7922141f008ccbffc3799d0fe50626758f4194eb06614f3819489ec898b863e3223
+  data.tar.gz: 82b0829f5c8b8aa499bf9ed3609096892302d66a04ccce676bca30e72c9183f7ab332e94215fd1e64c4ab7eb0ae506084fdb5ee2eca2ebebbe0a41ab9c762060

data/CODEOWNERS

@@ -0,0 +1,30 @@
+# default to platform-core
+* @puppetlabs/platform-core
+
+# platform-os
+/lib/puppet/type/group @puppetlabs/platform-os
+/lib/puppet/type/package @puppetlabs/platform-os
+/lib/puppet/type/service @puppetlabs/platform-os
+/lib/puppet/type/user @puppetlabs/platform-os
+/lib/puppet/provider/group @puppetlabs/platform-os
+/lib/puppet/provider/package @puppetlabs/platform-os
+/lib/puppet/provider/service @puppetlabs/platform-os
+/lib/puppet/provider/user @puppetlabs/platform-os
+
+# language
+/lib/puppet/datatypes @puppetlabs/language
+/lib/puppet/functions @puppetlabs/language
+/lib/puppet/pal @puppetlabs/language
+/lib/puppet/parser @puppetlabs/language
+/lib/puppet/pops @puppetlabs/language
+/lib/puppet/syntax_checkers @puppetlabs/language
+
+# puppet device
+/lib/puppet/application/device.rb @puppetlabs/networking
+/lib/puppet/util/network_device @puppetlabs/networking
+
+# puppet module
+/lib/puppet/application/module.rb @puppetlabs/pdk
+/lib/puppet/face/module @puppetlabs/pdk
+/lib/puppet/forge @puppetlabs/pdk
+/lib/puppet/module_tool @puppetlabs/pdk

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    puppet (6.3.0)
+    puppet (6.4.0)
       CFPropertyList (~> 2.2)
       facter (>= 2.4.0, < 4)
       fast_gettext (~> 1.1.2)
@@ -50,24 +50,24 @@ GEM
     minitar (0.8)
     mocha (1.5.0)
       metaclass (~> 0.0.1)
-    msgpack (1.2.6)
+    msgpack (1.2.9)
     multi_json (1.13.1)
     mustache (1.1.0)
     optimist (3.0.0)
-    packaging (0.99.23)
+    packaging (0.99.24)
       artifactory (~> 2)
       rake (~> 12.3)
-    parallel (1.13.0)
-    parser (2.6.0.0)
+    parallel (1.14.0)
+    parser (2.6.2.0)
       ast (~> 2.4.0)
     powerpack (0.1.2)
     pry (0.12.2)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
     public_suffix (3.0.3)
-    puppet-resource_api (1.6.2)
+    puppet-resource_api (1.8.1)
       hocon (>= 1.0)
-    puppetserver-ca (1.3.0)
+    puppetserver-ca (1.3.1)
       facter (>= 2.0.1, < 4)
     racc (1.4.9)
     rainbow (2.2.2)
@@ -108,10 +108,10 @@ GEM
       rubocop (~> 0.49.0)
     ruby-prof (0.17.0)
     ruby-progressbar (1.10.0)
-    safe_yaml (1.0.4)
+    safe_yaml (1.0.5)
     semantic_puppet (1.0.2)
     text (1.3.1)
-    unicode-display_width (1.4.1)
+    unicode-display_width (1.5.0)
     vcr (2.9.3)
     webmock (1.24.6)
       addressable (>= 2.3.6)

data/lib/puppet.rb

@@ -207,6 +207,18 @@ module Puppet
         require 'puppet/network/http'
         Puppet::Network::HTTP::NoCachePool.new
       },
+      :ssl_context => proc {
+        begin
+          ssl = Puppet::SSL::SSLProvider.new
+          ssl.load_context(certname: Puppet[:certname])
+        rescue => e
+          # TRANSLATORS: `message` is an already translated string of why SSL failed to initialize
+          Puppet.log_exception(e, _("Failed to initialize SSL: %{message}") % { message: e.message })
+          # TRANSLATORS: `puppet agent -t` is a command and should not be translated
+          Puppet.err(_("Run `puppet agent -t`"))
+          raise e
+        end
+      },
       :ssl_host => proc { Puppet::SSL::Host.localhost },
       :plugins => proc { Puppet::Plugins::Configuration.load_plugins },
       :rich_data => false
@@ -290,6 +302,7 @@ require 'puppet/type'
 require 'puppet/resource'
 require 'puppet/parser'
 require 'puppet/network'
+require 'puppet/x509'
 require 'puppet/ssl'
 require 'puppet/module'
 require 'puppet/data_binding'

data/lib/puppet/application/agent.rb

@@ -358,16 +358,12 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
   end
 
   def fingerprint
-    host = Puppet::SSL::Host.new
-    unless cert = host.certificate || host.certificate_request
-      $stderr.puts _("Fingerprint asked but no certificate nor certificate request have yet been issued")
-      exit(1)
-      return
-    end
-    unless digest = cert.digest(options[:digest].to_s)
-      raise ArgumentError, _("Could not get fingerprint for digest '%{digest}'") % { digest: options[:digest] }
-    end
-    puts digest.to_s
+    sm = Puppet::SSL::StateMachine.new(onetime: true)
+    ssl_context = sm.ensure_client_certificate
+    puts Puppet::SSL::Digest.new(options[:digest].to_s, ssl_context.client_cert.to_der).to_s
+  rescue
+    $stderr.puts _("Fingerprint asked but no certificate nor certificate request have yet been issued")
+    exit(1)
   end
 
   def onetime(daemon)
@@ -465,8 +461,8 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
   end
 
   def wait_for_certificates
-    host = Puppet::SSL::Host.new
     waitforcert = options[:waitforcert] || (Puppet[:onetime] ? 0 : Puppet[:waitforcert])
-    host.wait_for_cert(waitforcert)
+    sm = Puppet::SSL::StateMachine.new(waitforcert: waitforcert)
+    sm.ensure_client_certificate
   end
 end

data/lib/puppet/application/device.rb

@@ -338,7 +338,6 @@ Licensed under the Apache 2.0 License
           Puppet[:vardir] = vardir
           Puppet[:confdir] = confdir
           Puppet[:certname] = certname
-          Puppet::SSL::Host.reset
         end
       end
     end
@@ -374,9 +373,9 @@ Licensed under the Apache 2.0 License
   end
 
   def setup_host(name)
-    @host = Puppet::SSL::Host.new(name, true)
     waitforcert = options[:waitforcert] || (Puppet[:onetime] ? 0 : Puppet[:waitforcert])
-    @host.wait_for_cert(waitforcert)
+    sm = Puppet::SSL::StateMachine.new(certname: name, waitforcert: waitforcert)
+    sm.ensure_client_certificate
   end
 
   def setup

data/lib/puppet/application/filebucket.rb

@@ -107,8 +107,13 @@ configuration options can also be generated by running puppet with
   information and the bucket located at the '$bucketdir' setting
   by default.
 
+* --server_list:
+  A list of comma seperated servers; only the first entry is used for file storage.
+  This setting takes precidence over `server`.
+
 * --server:
-  The server to send the file to, instead of locally.
+  The server to use for file storage. This setting is only used if `server_list`
+  is not set.
 
 * --todate:
   (list only) Select bucket files until 'todate'.

data/lib/puppet/application/ssl.rb

@@ -45,6 +45,14 @@ OPTIONS
 ACTIONS
 -------
 
+* bootstrap:
+  Perform all of the steps necessary to request and download a client
+  certificate. If autosigning is disabled, then puppet will wait every
+  `waitforcert` seconds for its certificate to be signed. To only attempt
+  once and never wait, specify a time of 0. Since `waitforcert` is a
+  Puppet setting, it can be specified as a time interval, such as 30s,
+  5m, 1h.
+
 * submit_request:
   Generate a certificate signing request (CSR) and submit it to the CA. If
   a private and public key pair already exist, they will be used to generate
@@ -76,6 +84,14 @@ HELP
   option('--verbose', '-v')
   option('--debug', '-d')
 
+  def initialize(command_line = Puppet::Util::CommandLine.new)
+    super(command_line)
+
+    @cert_provider = Puppet::X509::CertProvider.new
+    @ssl_provider = Puppet::SSL::SSLProvider.new
+    @machine = Puppet::SSL::StateMachine.new
+  end
+
   def setup_logs
     set_log_level(options)
     Puppet::Util::Log.newdestination(:console)
@@ -91,106 +107,131 @@ HELP
       Puppet[:certname] = options[:target]
       Puppet[:confdir]  = File.join(Puppet[:devicedir], Puppet[:certname])
       Puppet[:vardir]   = File.join(Puppet[:devicedir], Puppet[:certname])
-      host = Puppet::SSL::Host.new(Puppet[:certname], true)
       Puppet.settings.use(:main, :agent, :device)
     else
-      host = Puppet::SSL::Host.new(Puppet[:certname])
       Puppet.settings.use(:main, :agent)
     end
 
+    certname = Puppet[:certname]
     action = command_line.args.first
     case action
     when 'submit_request'
-      submit_request(host)
-      cert = download_cert(host)
-      unless cert
-        Puppet.info _("The certificate for '%{name}' has not yet been signed") % { name: host.name }
+      ssl_context = @machine.ensure_ca_certificates
+      if submit_request(ssl_context)
+        cert = download_cert(ssl_context)
+        unless cert
+          Puppet.info(_("The certificate for '%{name}' has not yet been signed") % { name: certname })
+        end
       end
     when 'download_cert'
-      cert = download_cert(host)
+      ssl_context = @machine.ensure_ca_certificates
+      cert = download_cert(ssl_context)
       unless cert
-        raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: host.name }
+        raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: certname }
       end
     when 'verify'
-      verify(host)
+      verify(certname)
     when 'clean'
-      clean(host)
+      clean(certname)
+    when 'bootstrap'
+      if !Puppet::Util::Log.sendlevel?(:info)
+        Puppet::Util::Log.level = :info
+      end
+      @machine.ensure_client_certificate
+      Puppet.notice(_("Completed SSL initialization"))
     else
       raise Puppet::Error, _("Unknown action '%{action}'") % { action: action }
     end
   end
 
-  def submit_request(host)
-    host.ensure_ca_certificate
+  def submit_request(ssl_context)
+    key = @cert_provider.load_private_key(Puppet[:certname])
+    unless key
+      Puppet.info _("Creating a new SSL key for %{name}") % { name: Puppet[:certname] }
+      key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
+      @cert_provider.save_private_key(Puppet[:certname], key)
+    end
 
-    host.submit_request
+    csr = @cert_provider.create_request(Puppet[:certname], key)
+    Puppet::Rest::Routes.put_certificate_request(csr.to_pem, Puppet[:certname], ssl_context)
+    @cert_provider.save_request(Puppet[:certname], csr)
     Puppet.notice _("Submitted certificate request for '%{name}' to https://%{server}:%{port}") % {
-      name: host.name, server: Puppet[:ca_server], port: Puppet[:ca_port]
+      name: Puppet[:certname], server: Puppet[:ca_server], port: Puppet[:ca_port]
     }
+  rescue Puppet::Rest::ResponseError => e
+    if e.response.code.to_i == 400
+      raise Puppet::Error.new(_("Could not submit certificate request for '%{name}' to https://%{server}:%{port} due to a conflict on the server") % { name: Puppet[:certname], server: Puppet[:ca_server], port: Puppet[:ca_port] })
+    else
+      raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
+    end
   rescue => e
     raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
   end
 
-  def download_cert(host)
-    host.ensure_ca_certificate
+  def download_cert(ssl_context)
+    key = @cert_provider.load_private_key(Puppet[:certname])
 
     Puppet.info _("Downloading certificate '%{name}' from https://%{server}:%{port}") % {
-      name: host.name, server: Puppet[:ca_server], port: Puppet[:ca_port]
+      name: Puppet[:certname], server: Puppet[:ca_server], port: Puppet[:ca_port]
     }
-    cert = host.download_host_certificate
-    return unless cert
+
+    # try to download cert
+    x509 = Puppet::Rest::Routes.get_certificate(Puppet[:certname], ssl_context)
+    cert = OpenSSL::X509::Certificate.new(x509)
+    Puppet.notice _("Downloaded certificate '%{name}' with fingerprint %{fingerprint}") % { name: Puppet[:certname], fingerprint: fingerprint(cert) }
+    # verify client cert before saving
+    @ssl_provider.create_context(
+      cacerts: ssl_context.cacerts, crls: ssl_context.crls, private_key: key, client_cert: cert
+    )
+    @cert_provider.save_client_cert(Puppet[:certname], cert)
+    @cert_provider.delete_request(Puppet[:certname])
 
     Puppet.notice _("Downloaded certificate '%{name}' with fingerprint %{fingerprint}") % {
-      name: host.name, fingerprint: cert.fingerprint
+      name: Puppet[:certname], fingerprint: fingerprint(cert)
     }
     cert
+  rescue Puppet::Rest::ResponseError => e
+    if e.response.code.to_i == 404
+      return nil
+    else
+      raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
+    end
   rescue => e
     raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
   end
 
-  def verify(host)
-    host.ensure_ca_certificate
+  def verify(certname)
+    ssl_context = @ssl_provider.load_context(certname: certname)
 
-    key = host.key
-    raise _("The host's private key is missing") unless key
-
-    cert = host.check_for_certificate_on_disk(host.name)
-    raise _("The host's certificate is missing") unless cert
-
-    if cert.content.public_key.to_pem != key.content.public_key.to_pem
-      raise _("The host's key does not match the certificate")
-    end
-
-    store = host.ssl_store
-    unless store.verify(cert.content)
-      raise _("Failed to verify certificate '%{name}': %{message} (%{error})") % {
-        name: host.name, message: store.error_string, error: store.error
-      }
+    # print from root to client
+    ssl_context.client_chain.reverse.each_with_index do |cert, i|
+      digest = Puppet::SSL::Digest.new('SHA256', cert.to_der)
+      if i == ssl_context.client_chain.length - 1
+        Puppet.notice("Verified client certificate '#{cert.subject.to_s}' fingerprint #{digest}")
+      else
+        Puppet.notice("Verified CA certificate '#{cert.subject.to_s}' fingerprint #{digest}")
+      end
     end
-
-    Puppet.notice _("Verified certificate '%{name}'") % {
-      name: host.name
-    }
-    # store.chain.reverse.each_with_index do |issuer, i|
-    #   indent = "  " * (i+1)
-    #   Puppet.notice "#{indent}#{issuer.subject.to_s}"
-    # end
-  rescue => e
-    raise Puppet::Error.new(_("Verify failed: %{message}") % { message: e.message }, e)
   end
 
-  def clean(host)
+  def clean(certname)
     # make sure cert has been removed from the CA
-    if host.name == Puppet[:ca_server]
-      cert =
-        begin
-          host.download_certificate_from_ca(host.name)
-        rescue => e
-          raise Puppet::Error.new(_("Failed to connect to the CA to determine if certificate %{certname} has been cleaned") % { certname: host.name }, e)
+    if certname == Puppet[:ca_server]
+      cert = nil
+
+      begin
+        ssl_context = @machine.ensure_ca_certificates
+        cert = Puppet::Rest::Routes.get_certificate(certname, ssl_context)
+      rescue Puppet::Rest::ResponseError => e
+        if e.response.code.to_i != 404
+          raise Puppet::Error.new(_("Failed to connect to the CA to determine if certificate %{certname} has been cleaned") % { certname: certname }, e)
         end
+      rescue => e
+        raise Puppet::Error.new(_("Failed to connect to the CA to determine if certificate %{certname} has been cleaned") % { certname: certname }, e)
+      end
 
       if cert
-        raise Puppet::Error, _(<<END) % { certname: host.name }
+        raise Puppet::Error, _(<<END) % { certname: certname }
 The certificate %{certname} must be cleaned from the CA first. To fix this,
 run the following commands on the CA:
   puppetserver ca clean --certname %{certname}
@@ -214,4 +255,10 @@ END
       end
     end
   end
+
+  private
+
+  def fingerprint(cert)
+    Puppet::SSL::Digest.new(nil, cert.to_der)
+  end
 end

data/lib/puppet/configurer.rb

@@ -226,13 +226,13 @@ class Puppet::Configurer
         # mode. We shouldn't try to do any failover in that case.
         if options[:catalog].nil? && do_failover
           server, port = find_functional_server
+          if server.nil?
+            raise Puppet::Error, _("Could not select a functional puppet master from server_list: '%{server_list}'") % { server_list: Puppet[:server_list] }
+          else
+            Puppet.debug _("Selected puppet server: %{server}:%{port}") % { server: server, port: port }
+            report.master_used = "#{server}:#{port}"
+          end
           Puppet.override(server: server, serverport: port) do
-            if server
-              Puppet.debug _("Selected puppet server: %{server}:%{port}") % { server: server, port: port }
-              report.master_used = "#{server}:#{port}"
-            else
-              Puppet.warning _("Could not select a functional puppet server")
-            end
             completed = run_internal(options)
           end
         else
@@ -395,7 +395,8 @@ class Puppet::Configurer
       host = server[0]
       port = server[1] || Puppet[:masterport]
       begin
-        http = Puppet::Network::HttpPool.http_ssl_instance(host, port)
+        ssl_context = Puppet.lookup(:ssl_context)
+        http = Puppet::Network::HttpPool.connection(host, port.to_i, ssl_context: ssl_context)
         response = http.get('/status/v1/simple/master')
         return [host, port] if response.is_a?(Net::HTTPOK)