puppet 6.3.0-x64-mingw32 → 6.4.0-x64-mingw32
- checksums.yaml +4 -4
- data/CODEOWNERS +30 -0
- data/Gemfile.lock +9 -9
- data/lib/puppet.rb +13 -0
- data/lib/puppet/application/agent.rb +8 -12
- data/lib/puppet/application/device.rb +2 -3
- data/lib/puppet/application/filebucket.rb +6 -1
- data/lib/puppet/application/ssl.rb +102 -55
- data/lib/puppet/configurer.rb +8 -7
- data/lib/puppet/defaults.rb +3 -1
- data/lib/puppet/file_system.rb +24 -4
- data/lib/puppet/file_system/file_impl.rb +25 -0
- data/lib/puppet/file_system/jruby.rb +23 -0
- data/lib/puppet/file_system/windows.rb +84 -0
- data/lib/puppet/indirector/rest.rb +4 -2
- data/lib/puppet/loaders.rb +1 -0
- data/lib/puppet/network/http.rb +1 -0
- data/lib/puppet/network/http/base_pool.rb +18 -0
- data/lib/puppet/network/http/connection.rb +49 -17
- data/lib/puppet/network/http/nocache_pool.rb +9 -4
- data/lib/puppet/network/http/pool.rb +10 -11
- data/lib/puppet/network/http/session.rb +3 -2
- data/lib/puppet/network/http_pool.rb +32 -0
- data/lib/puppet/pops/loader/generic_plan_instantiator.rb +28 -0
- data/lib/puppet/pops/loader/loader_paths.rb +46 -10
- data/lib/puppet/pops/loader/module_loaders.rb +10 -3
- data/lib/puppet/provider/file/windows.rb +49 -1
- data/lib/puppet/provider/package/windows.rb +5 -1
- data/lib/puppet/reports/http.rb +2 -1
- data/lib/puppet/rest/client.rb +7 -3
- data/lib/puppet/rest/routes.rb +9 -44
- data/lib/puppet/ssl.rb +6 -0
- data/lib/puppet/ssl/error.rb +26 -0
- data/lib/puppet/ssl/host.rb +9 -92
- data/lib/puppet/ssl/ssl_context.rb +30 -0
- data/lib/puppet/ssl/ssl_provider.rb +232 -0
- data/lib/puppet/ssl/state_machine.rb +261 -0
- data/lib/puppet/ssl/validator.rb +1 -0
- data/lib/puppet/ssl/validator/default_validator.rb +1 -0
- data/lib/puppet/ssl/validator/no_validator.rb +2 -0
- data/lib/puppet/ssl/verifier.rb +134 -0
- data/lib/puppet/ssl/verifier_adapter.rb +48 -0
- data/lib/puppet/test/test_helper.rb +2 -1
- data/lib/puppet/type/exec.rb +30 -6
- data/lib/puppet/type/file/mode.rb +6 -1
- data/lib/puppet/type/file/source.rb +2 -2
- data/lib/puppet/type/filebucket.rb +12 -8
- data/lib/puppet/type/user.rb +14 -1
- data/lib/puppet/util/connection.rb +10 -5
- data/lib/puppet/util/feature.rb +11 -2
- data/lib/puppet/util/http_proxy.rb +3 -2
- data/lib/puppet/util/pidlock.rb +1 -1
- data/lib/puppet/util/ssl.rb +1 -10
- data/lib/puppet/util/windows/security.rb +29 -8
- data/lib/puppet/version.rb +1 -1
- data/lib/puppet/x509.rb +7 -0
- data/lib/puppet/x509/cert_provider.rb +286 -0
- data/lib/puppet/x509/pem_store.rb +55 -0
- data/locales/ja/puppet.po +740 -590
- data/locales/puppet.pot +433 -208
- data/man/man5/puppet.conf.5 +6 -3
- data/man/man8/puppet-agent.8 +1 -1
- data/man/man8/puppet-apply.8 +1 -1
- data/man/man8/puppet-catalog.8 +1 -1
- data/man/man8/puppet-config.8 +1 -1
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +1 -1
- data/man/man8/puppet-filebucket.8 +6 -2
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +1 -1
- data/man/man8/puppet-key.8 +1 -1
- data/man/man8/puppet-lookup.8 +1 -1
- data/man/man8/puppet-man.8 +1 -1
- data/man/man8/puppet-module.8 +1 -1
- data/man/man8/puppet-node.8 +1 -1
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +1 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +5 -1
- data/man/man8/puppet-status.8 +1 -1
- data/man/man8/puppet.8 +2 -2
- data/spec/fixtures/ssl/127.0.0.1-key.pem +67 -0
- data/spec/fixtures/ssl/127.0.0.1.pem +48 -0
- data/spec/fixtures/ssl/bad-basic-constraints.pem +59 -0
- data/spec/fixtures/ssl/bad-int-basic-constraints.pem +59 -0
- data/spec/fixtures/ssl/ca.pem +59 -0
- data/spec/fixtures/ssl/crl.pem +30 -0
- data/spec/fixtures/ssl/encrypted-key.pem +70 -0
- data/spec/fixtures/ssl/intermediate-agent-crl.pem +31 -0
- data/spec/fixtures/ssl/intermediate-agent.pem +60 -0
- data/spec/fixtures/ssl/intermediate-crl.pem +36 -0
- data/spec/fixtures/ssl/intermediate.pem +60 -0
- data/spec/fixtures/ssl/netlock-arany-utf8.pem +23 -0
- data/spec/fixtures/ssl/pluto-key.pem +67 -0
- data/spec/fixtures/ssl/pluto.pem +44 -0
- data/spec/fixtures/ssl/request-key.pem +67 -0
- data/spec/fixtures/ssl/request.pem +39 -0
- data/spec/fixtures/ssl/revoked-key.pem +67 -0
- data/spec/fixtures/ssl/revoked.pem +44 -0
- data/spec/fixtures/ssl/signed-key.pem +67 -0
- data/spec/fixtures/ssl/signed.pem +44 -0
- data/spec/fixtures/ssl/tampered-cert.pem +44 -0
- data/spec/fixtures/ssl/tampered-csr.pem +39 -0
- data/spec/integration/network/http_pool_spec.rb +222 -0
- data/spec/integration/provider/file/windows_spec.rb +162 -0
- data/spec/integration/rest/client_spec.rb +73 -0
- data/spec/integration/type/file_spec.rb +0 -19
- data/spec/lib/puppet/test_ca.rb +87 -50
- data/spec/lib/puppet_spec/fixtures.rb +20 -0
- data/spec/lib/puppet_spec/https.rb +84 -0
- data/spec/unit/application/agent_spec.rb +29 -30
- data/spec/unit/application/device_spec.rb +12 -49
- data/spec/unit/application/ssl_spec.rb +24 -38
- data/spec/unit/configurer_spec.rb +11 -11
- data/spec/unit/file_system/uniquefile_spec.rb +6 -0
- data/spec/unit/file_system_spec.rb +214 -0
- data/spec/unit/indirector/rest_spec.rb +3 -3
- data/spec/unit/network/http/connection_spec.rb +30 -90
- data/spec/unit/network/http/factory_spec.rb +1 -0
- data/spec/unit/network/http/nocache_pool_spec.rb +8 -8
- data/spec/unit/network/http/pool_spec.rb +63 -33
- data/spec/unit/network/http/session_spec.rb +8 -1
- data/spec/unit/network/http_pool_spec.rb +36 -0
- data/spec/unit/pops/loaders/loader_spec.rb +26 -1
- data/spec/unit/provider/package/windows_spec.rb +12 -1
- data/spec/unit/reports/http_spec.rb +7 -7
- data/spec/unit/rest/client_spec.rb +4 -6
- data/spec/unit/ssl/host_spec.rb +39 -33
- data/spec/unit/ssl/ssl_provider_spec.rb +428 -0
- data/spec/unit/ssl/state_machine_spec.rb +502 -0
- data/spec/unit/ssl/verifier_spec.rb +123 -0
- data/spec/unit/type/exec_spec.rb +63 -0
- data/spec/unit/type/file/source_spec.rb +5 -5
- data/spec/unit/type/filebucket_spec.rb +8 -6
- data/spec/unit/util/feature_spec.rb +2 -2
- data/spec/unit/util/storage_spec.rb +19 -19
- data/spec/unit/x509/cert_provider_spec.rb +527 -0
- data/spec/unit/x509/pem_store_spec.rb +160 -0
- data/tasks/generate_cert_fixtures.rake +158 -0
- metadata +78 -4
- data/MAINTAINERS +0 -47
- data/lib/puppet/rest/ssl_context.rb +0 -13
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: dbebbec89063e9a6f60b083f250071d28009dda65c477e7d9c9453f5720736b2
|
4
|
+
data.tar.gz: 91a67c15664400162afe08b10aadc1bd2f7c7b517164ab91bcacfb17b9911909
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b61bf8afe41c9f2a254d9d32bf054b0a03e9904dbd885d43c345cd9a3fc8d7922141f008ccbffc3799d0fe50626758f4194eb06614f3819489ec898b863e3223
|
7
|
+
data.tar.gz: 82b0829f5c8b8aa499bf9ed3609096892302d66a04ccce676bca30e72c9183f7ab332e94215fd1e64c4ab7eb0ae506084fdb5ee2eca2ebebbe0a41ab9c762060
|
data/CODEOWNERS
ADDED
@@ -0,0 +1,30 @@
|
|
1
|
+
# default to platform-core
|
2
|
+
* @puppetlabs/platform-core
|
3
|
+
|
4
|
+
# platform-os
|
5
|
+
/lib/puppet/type/group @puppetlabs/platform-os
|
6
|
+
/lib/puppet/type/package @puppetlabs/platform-os
|
7
|
+
/lib/puppet/type/service @puppetlabs/platform-os
|
8
|
+
/lib/puppet/type/user @puppetlabs/platform-os
|
9
|
+
/lib/puppet/provider/group @puppetlabs/platform-os
|
10
|
+
/lib/puppet/provider/package @puppetlabs/platform-os
|
11
|
+
/lib/puppet/provider/service @puppetlabs/platform-os
|
12
|
+
/lib/puppet/provider/user @puppetlabs/platform-os
|
13
|
+
|
14
|
+
# language
|
15
|
+
/lib/puppet/datatypes @puppetlabs/language
|
16
|
+
/lib/puppet/functions @puppetlabs/language
|
17
|
+
/lib/puppet/pal @puppetlabs/language
|
18
|
+
/lib/puppet/parser @puppetlabs/language
|
19
|
+
/lib/puppet/pops @puppetlabs/language
|
20
|
+
/lib/puppet/syntax_checkers @puppetlabs/language
|
21
|
+
|
22
|
+
# puppet device
|
23
|
+
/lib/puppet/application/device.rb @puppetlabs/networking
|
24
|
+
/lib/puppet/util/network_device @puppetlabs/networking
|
25
|
+
|
26
|
+
# puppet module
|
27
|
+
/lib/puppet/application/module.rb @puppetlabs/pdk
|
28
|
+
/lib/puppet/face/module @puppetlabs/pdk
|
29
|
+
/lib/puppet/forge @puppetlabs/pdk
|
30
|
+
/lib/puppet/module_tool @puppetlabs/pdk
|
data/Gemfile.lock
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
puppet (6.
|
4
|
+
puppet (6.4.0)
|
5
5
|
CFPropertyList (~> 2.2)
|
6
6
|
facter (>= 2.4.0, < 4)
|
7
7
|
fast_gettext (~> 1.1.2)
|
@@ -50,24 +50,24 @@ GEM
|
|
50
50
|
minitar (0.8)
|
51
51
|
mocha (1.5.0)
|
52
52
|
metaclass (~> 0.0.1)
|
53
|
-
msgpack (1.2.
|
53
|
+
msgpack (1.2.9)
|
54
54
|
multi_json (1.13.1)
|
55
55
|
mustache (1.1.0)
|
56
56
|
optimist (3.0.0)
|
57
|
-
packaging (0.99.
|
57
|
+
packaging (0.99.24)
|
58
58
|
artifactory (~> 2)
|
59
59
|
rake (~> 12.3)
|
60
|
-
parallel (1.
|
61
|
-
parser (2.6.
|
60
|
+
parallel (1.14.0)
|
61
|
+
parser (2.6.2.0)
|
62
62
|
ast (~> 2.4.0)
|
63
63
|
powerpack (0.1.2)
|
64
64
|
pry (0.12.2)
|
65
65
|
coderay (~> 1.1.0)
|
66
66
|
method_source (~> 0.9.0)
|
67
67
|
public_suffix (3.0.3)
|
68
|
-
puppet-resource_api (1.
|
68
|
+
puppet-resource_api (1.8.1)
|
69
69
|
hocon (>= 1.0)
|
70
|
-
puppetserver-ca (1.3.
|
70
|
+
puppetserver-ca (1.3.1)
|
71
71
|
facter (>= 2.0.1, < 4)
|
72
72
|
racc (1.4.9)
|
73
73
|
rainbow (2.2.2)
|
@@ -108,10 +108,10 @@ GEM
|
|
108
108
|
rubocop (~> 0.49.0)
|
109
109
|
ruby-prof (0.17.0)
|
110
110
|
ruby-progressbar (1.10.0)
|
111
|
-
safe_yaml (1.0.
|
111
|
+
safe_yaml (1.0.5)
|
112
112
|
semantic_puppet (1.0.2)
|
113
113
|
text (1.3.1)
|
114
|
-
unicode-display_width (1.
|
114
|
+
unicode-display_width (1.5.0)
|
115
115
|
vcr (2.9.3)
|
116
116
|
webmock (1.24.6)
|
117
117
|
addressable (>= 2.3.6)
|
data/lib/puppet.rb
CHANGED
@@ -207,6 +207,18 @@ module Puppet
|
|
207
207
|
require 'puppet/network/http'
|
208
208
|
Puppet::Network::HTTP::NoCachePool.new
|
209
209
|
},
|
210
|
+
:ssl_context => proc {
|
211
|
+
begin
|
212
|
+
ssl = Puppet::SSL::SSLProvider.new
|
213
|
+
ssl.load_context(certname: Puppet[:certname])
|
214
|
+
rescue => e
|
215
|
+
# TRANSLATORS: `message` is an already translated string of why SSL failed to initialize
|
216
|
+
Puppet.log_exception(e, _("Failed to initialize SSL: %{message}") % { message: e.message })
|
217
|
+
# TRANSLATORS: `puppet agent -t` is a command and should not be translated
|
218
|
+
Puppet.err(_("Run `puppet agent -t`"))
|
219
|
+
raise e
|
220
|
+
end
|
221
|
+
},
|
210
222
|
:ssl_host => proc { Puppet::SSL::Host.localhost },
|
211
223
|
:plugins => proc { Puppet::Plugins::Configuration.load_plugins },
|
212
224
|
:rich_data => false
|
@@ -290,6 +302,7 @@ require 'puppet/type'
|
|
290
302
|
require 'puppet/resource'
|
291
303
|
require 'puppet/parser'
|
292
304
|
require 'puppet/network'
|
305
|
+
require 'puppet/x509'
|
293
306
|
require 'puppet/ssl'
|
294
307
|
require 'puppet/module'
|
295
308
|
require 'puppet/data_binding'
|
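Review bot: The new `:ssl_context` default proc (new lines 210-221 of puppet.rb) both logs the failure through `Puppet.log_exception` and re-raises it, so any caller that rescues and reports the error will surface the same message twice; log once at the point that handles the exception, or downgrade the proc's own logging to debug. Inside the `rescue => e` block the idiomatic re-raise is the bare `raise` rather than `raise e`. The second hunk, which adds `require 'puppet/x509'` ahead of `require 'puppet/ssl'`, looks correctly ordered given that the proc constructs `Puppet::SSL::SSLProvider`, which presumably depends on the X509 layer.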
@@ -358,16 +358,12 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
|
|
358
358
|
end
|
359
359
|
|
360
360
|
def fingerprint
|
361
|
-
|
362
|
-
|
363
|
-
|
364
|
-
|
365
|
-
|
366
|
-
|
367
|
-
unless digest = cert.digest(options[:digest].to_s)
|
368
|
-
raise ArgumentError, _("Could not get fingerprint for digest '%{digest}'") % { digest: options[:digest] }
|
369
|
-
end
|
370
|
-
puts digest.to_s
|
361
|
+
sm = Puppet::SSL::StateMachine.new(onetime: true)
|
362
|
+
ssl_context = sm.ensure_client_certificate
|
363
|
+
puts Puppet::SSL::Digest.new(options[:digest].to_s, ssl_context.client_cert.to_der).to_s
|
364
|
+
rescue
|
365
|
+
$stderr.puts _("Fingerprint asked but no certificate nor certificate request have yet been issued")
|
366
|
+
exit(1)
|
371
367
|
end
|
372
368
|
|
373
369
|
def onetime(daemon)
|
@@ -465,8 +461,8 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
|
|
465
461
|
end
|
466
462
|
|
467
463
|
def wait_for_certificates
|
468
|
-
host = Puppet::SSL::Host.new
|
469
464
|
waitforcert = options[:waitforcert] || (Puppet[:onetime] ? 0 : Puppet[:waitforcert])
|
470
|
-
|
465
|
+
sm = Puppet::SSL::StateMachine.new(waitforcert: waitforcert)
|
466
|
+
sm.ensure_client_certificate
|
471
467
|
end
|
472
468
|
end
|
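Review bot: The rewritten `fingerprint` in the agent application (new lines 361-366) rescues every StandardError and prints a fixed "no certificate nor certificate request" message, so a permissions problem on the key file, a CA bundle that fails to load, or an unknown `--digest` name is reported with a misleading cause. Keep the exit path but record the real reason, e.g. `rescue => e` followed by `Puppet.log_exception(e, _("Failed to compute fingerprint: %{message}") % { message: e.message })` before `exit(1)`. It also looks like `ensure_client_certificate` may drive the state machine far enough to generate a key and submit a CSR as a side effect of a read-only fingerprint query; please confirm that is intended. `wait_for_certificates` in the second hunk is covered by the same state machine and needs no separate note; both methods' enclosing class starts outside these hunks.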
@@ -338,7 +338,6 @@ Licensed under the Apache 2.0 License
|
|
338
338
|
Puppet[:vardir] = vardir
|
339
339
|
Puppet[:confdir] = confdir
|
340
340
|
Puppet[:certname] = certname
|
341
|
-
Puppet::SSL::Host.reset
|
342
341
|
end
|
343
342
|
end
|
344
343
|
end
|
@@ -374,9 +373,9 @@ Licensed under the Apache 2.0 License
|
|
374
373
|
end
|
375
374
|
|
376
375
|
def setup_host(name)
|
377
|
-
@host = Puppet::SSL::Host.new(name, true)
|
378
376
|
waitforcert = options[:waitforcert] || (Puppet[:onetime] ? 0 : Puppet[:waitforcert])
|
379
|
-
|
377
|
+
sm = Puppet::SSL::StateMachine.new(certname: name, waitforcert: waitforcert)
|
378
|
+
sm.ensure_client_certificate
|
380
379
|
end
|
381
380
|
|
382
381
|
def setup
|
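Review bot: `setup_host` no longer assigns `@host` (old line 377 is dropped), so any other method in the device application that still reads `@host` would now see nil; the rest of the file is outside the hunk, so please confirm no reader remains. The first hunk also removes the `Puppet::SSL::Host.reset` call that followed re-pointing `certname`, `confdir` and `vardir` at each device, while the `:ssl_host` context default (`Puppet::SSL::Host.localhost`) still exists in puppet.rb; if anything caches that host across devices it could carry the previous device's identity into the next one. A one-line comment at the removal site explaining why the reset is no longer needed would help, e.g. `# per-device SSL state is now built by Puppet::SSL::StateMachine in setup_host; nothing cached to reset`.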
@@ -107,8 +107,13 @@ configuration options can also be generated by running puppet with
|
|
107
107
|
information and the bucket located at the '$bucketdir' setting
|
108
108
|
by default.
|
109
109
|
|
110
|
+
* --server_list:
|
111
|
+
A list of comma seperated servers; only the first entry is used for file storage.
|
112
|
+
This setting takes precidence over `server`.
|
113
|
+
|
110
114
|
* --server:
|
111
|
-
The server to
|
115
|
+
The server to use for file storage. This setting is only used if `server_list`
|
116
|
+
is not set.
|
112
117
|
|
113
118
|
* --todate:
|
114
119
|
(list only) Select bucket files until 'todate'.
|
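Review bot: The new `--server_list` help text has two spelling errors that will ship in the man page and `--help` output: `seperated` should be `separated` at new line 111 and `precidence` should be `precedence` at new line 112, i.e. `A list of comma separated servers; only the first entry is used for file storage.` for the first line. The reworded `--server` paragraph reads well.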
@@ -45,6 +45,14 @@ OPTIONS
|
|
45
45
|
ACTIONS
|
46
46
|
-------
|
47
47
|
|
48
|
+
* bootstrap:
|
49
|
+
Perform all of the steps necessary to request and download a client
|
50
|
+
certificate. If autosigning is disabled, then puppet will wait every
|
51
|
+
`waitforcert` seconds for its certificate to be signed. To only attempt
|
52
|
+
once and never wait, specify a time of 0. Since `waitforcert` is a
|
53
|
+
Puppet setting, it can be specified as a time interval, such as 30s,
|
54
|
+
5m, 1h.
|
55
|
+
|
48
56
|
* submit_request:
|
49
57
|
Generate a certificate signing request (CSR) and submit it to the CA. If
|
50
58
|
a private and public key pair already exist, they will be used to generate
|
@@ -76,6 +84,14 @@ HELP
|
|
76
84
|
option('--verbose', '-v')
|
77
85
|
option('--debug', '-d')
|
78
86
|
|
87
|
+
def initialize(command_line = Puppet::Util::CommandLine.new)
|
88
|
+
super(command_line)
|
89
|
+
|
90
|
+
@cert_provider = Puppet::X509::CertProvider.new
|
91
|
+
@ssl_provider = Puppet::SSL::SSLProvider.new
|
92
|
+
@machine = Puppet::SSL::StateMachine.new
|
93
|
+
end
|
94
|
+
|
79
95
|
def setup_logs
|
80
96
|
set_log_level(options)
|
81
97
|
Puppet::Util::Log.newdestination(:console)
|
@@ -91,106 +107,131 @@ HELP
|
|
91
107
|
Puppet[:certname] = options[:target]
|
92
108
|
Puppet[:confdir] = File.join(Puppet[:devicedir], Puppet[:certname])
|
93
109
|
Puppet[:vardir] = File.join(Puppet[:devicedir], Puppet[:certname])
|
94
|
-
host = Puppet::SSL::Host.new(Puppet[:certname], true)
|
95
110
|
Puppet.settings.use(:main, :agent, :device)
|
96
111
|
else
|
97
|
-
host = Puppet::SSL::Host.new(Puppet[:certname])
|
98
112
|
Puppet.settings.use(:main, :agent)
|
99
113
|
end
|
100
114
|
|
115
|
+
certname = Puppet[:certname]
|
101
116
|
action = command_line.args.first
|
102
117
|
case action
|
103
118
|
when 'submit_request'
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
119
|
+
ssl_context = @machine.ensure_ca_certificates
|
120
|
+
if submit_request(ssl_context)
|
121
|
+
cert = download_cert(ssl_context)
|
122
|
+
unless cert
|
123
|
+
Puppet.info(_("The certificate for '%{name}' has not yet been signed") % { name: certname })
|
124
|
+
end
|
108
125
|
end
|
109
126
|
when 'download_cert'
|
110
|
-
|
127
|
+
ssl_context = @machine.ensure_ca_certificates
|
128
|
+
cert = download_cert(ssl_context)
|
111
129
|
unless cert
|
112
|
-
raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name:
|
130
|
+
raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: certname }
|
113
131
|
end
|
114
132
|
when 'verify'
|
115
|
-
verify(
|
133
|
+
verify(certname)
|
116
134
|
when 'clean'
|
117
|
-
clean(
|
135
|
+
clean(certname)
|
136
|
+
when 'bootstrap'
|
137
|
+
if !Puppet::Util::Log.sendlevel?(:info)
|
138
|
+
Puppet::Util::Log.level = :info
|
139
|
+
end
|
140
|
+
@machine.ensure_client_certificate
|
141
|
+
Puppet.notice(_("Completed SSL initialization"))
|
118
142
|
else
|
119
143
|
raise Puppet::Error, _("Unknown action '%{action}'") % { action: action }
|
120
144
|
end
|
121
145
|
end
|
122
146
|
|
123
|
-
def submit_request(
|
124
|
-
|
147
|
+
def submit_request(ssl_context)
|
148
|
+
key = @cert_provider.load_private_key(Puppet[:certname])
|
149
|
+
unless key
|
150
|
+
Puppet.info _("Creating a new SSL key for %{name}") % { name: Puppet[:certname] }
|
151
|
+
key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
|
152
|
+
@cert_provider.save_private_key(Puppet[:certname], key)
|
153
|
+
end
|
125
154
|
|
126
|
-
|
155
|
+
csr = @cert_provider.create_request(Puppet[:certname], key)
|
156
|
+
Puppet::Rest::Routes.put_certificate_request(csr.to_pem, Puppet[:certname], ssl_context)
|
157
|
+
@cert_provider.save_request(Puppet[:certname], csr)
|
127
158
|
Puppet.notice _("Submitted certificate request for '%{name}' to https://%{server}:%{port}") % {
|
128
|
-
name:
|
159
|
+
name: Puppet[:certname], server: Puppet[:ca_server], port: Puppet[:ca_port]
|
129
160
|
}
|
161
|
+
rescue Puppet::Rest::ResponseError => e
|
162
|
+
if e.response.code.to_i == 400
|
163
|
+
raise Puppet::Error.new(_("Could not submit certificate request for '%{name}' to https://%{server}:%{port} due to a conflict on the server") % { name: Puppet[:certname], server: Puppet[:ca_server], port: Puppet[:ca_port] })
|
164
|
+
else
|
165
|
+
raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
|
166
|
+
end
|
130
167
|
rescue => e
|
131
168
|
raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
|
132
169
|
end
|
133
170
|
|
134
|
-
def download_cert(
|
135
|
-
|
171
|
+
def download_cert(ssl_context)
|
172
|
+
key = @cert_provider.load_private_key(Puppet[:certname])
|
136
173
|
|
137
174
|
Puppet.info _("Downloading certificate '%{name}' from https://%{server}:%{port}") % {
|
138
|
-
name:
|
175
|
+
name: Puppet[:certname], server: Puppet[:ca_server], port: Puppet[:ca_port]
|
139
176
|
}
|
140
|
-
|
141
|
-
|
177
|
+
|
178
|
+
# try to download cert
|
179
|
+
x509 = Puppet::Rest::Routes.get_certificate(Puppet[:certname], ssl_context)
|
180
|
+
cert = OpenSSL::X509::Certificate.new(x509)
|
181
|
+
Puppet.notice _("Downloaded certificate '%{name}' with fingerprint %{fingerprint}") % { name: Puppet[:certname], fingerprint: fingerprint(cert) }
|
182
|
+
# verify client cert before saving
|
183
|
+
@ssl_provider.create_context(
|
184
|
+
cacerts: ssl_context.cacerts, crls: ssl_context.crls, private_key: key, client_cert: cert
|
185
|
+
)
|
186
|
+
@cert_provider.save_client_cert(Puppet[:certname], cert)
|
187
|
+
@cert_provider.delete_request(Puppet[:certname])
|
142
188
|
|
143
189
|
Puppet.notice _("Downloaded certificate '%{name}' with fingerprint %{fingerprint}") % {
|
144
|
-
name:
|
190
|
+
name: Puppet[:certname], fingerprint: fingerprint(cert)
|
145
191
|
}
|
146
192
|
cert
|
193
|
+
rescue Puppet::Rest::ResponseError => e
|
194
|
+
if e.response.code.to_i == 404
|
195
|
+
return nil
|
196
|
+
else
|
197
|
+
raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
|
198
|
+
end
|
147
199
|
rescue => e
|
148
200
|
raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
|
149
201
|
end
|
150
202
|
|
151
|
-
def verify(
|
152
|
-
|
203
|
+
def verify(certname)
|
204
|
+
ssl_context = @ssl_provider.load_context(certname: certname)
|
153
205
|
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
|
162
|
-
end
|
163
|
-
|
164
|
-
store = host.ssl_store
|
165
|
-
unless store.verify(cert.content)
|
166
|
-
raise _("Failed to verify certificate '%{name}': %{message} (%{error})") % {
|
167
|
-
name: host.name, message: store.error_string, error: store.error
|
168
|
-
}
|
206
|
+
# print from root to client
|
207
|
+
ssl_context.client_chain.reverse.each_with_index do |cert, i|
|
208
|
+
digest = Puppet::SSL::Digest.new('SHA256', cert.to_der)
|
209
|
+
if i == ssl_context.client_chain.length - 1
|
210
|
+
Puppet.notice("Verified client certificate '#{cert.subject.to_s}' fingerprint #{digest}")
|
211
|
+
else
|
212
|
+
Puppet.notice("Verified CA certificate '#{cert.subject.to_s}' fingerprint #{digest}")
|
213
|
+
end
|
169
214
|
end
|
170
|
-
|
171
|
-
Puppet.notice _("Verified certificate '%{name}'") % {
|
172
|
-
name: host.name
|
173
|
-
}
|
174
|
-
# store.chain.reverse.each_with_index do |issuer, i|
|
175
|
-
# indent = " " * (i+1)
|
176
|
-
# Puppet.notice "#{indent}#{issuer.subject.to_s}"
|
177
|
-
# end
|
178
|
-
rescue => e
|
179
|
-
raise Puppet::Error.new(_("Verify failed: %{message}") % { message: e.message }, e)
|
180
215
|
end
|
181
216
|
|
182
|
-
def clean(
|
217
|
+
def clean(certname)
|
183
218
|
# make sure cert has been removed from the CA
|
184
|
-
if
|
185
|
-
cert =
|
186
|
-
|
187
|
-
|
188
|
-
|
189
|
-
|
219
|
+
if certname == Puppet[:ca_server]
|
220
|
+
cert = nil
|
221
|
+
|
222
|
+
begin
|
223
|
+
ssl_context = @machine.ensure_ca_certificates
|
224
|
+
cert = Puppet::Rest::Routes.get_certificate(certname, ssl_context)
|
225
|
+
rescue Puppet::Rest::ResponseError => e
|
226
|
+
if e.response.code.to_i != 404
|
227
|
+
raise Puppet::Error.new(_("Failed to connect to the CA to determine if certificate %{certname} has been cleaned") % { certname: certname }, e)
|
190
228
|
end
|
229
|
+
rescue => e
|
230
|
+
raise Puppet::Error.new(_("Failed to connect to the CA to determine if certificate %{certname} has been cleaned") % { certname: certname }, e)
|
231
|
+
end
|
191
232
|
|
192
233
|
if cert
|
193
|
-
raise Puppet::Error, _(<<END) % { certname:
|
234
|
+
raise Puppet::Error, _(<<END) % { certname: certname }
|
194
235
|
The certificate %{certname} must be cleaned from the CA first. To fix this,
|
195
236
|
run the following commands on the CA:
|
196
237
|
puppetserver ca clean --certname %{certname}
|
@@ -214,4 +255,10 @@ END
|
|
214
255
|
end
|
215
256
|
end
|
216
257
|
end
|
258
|
+
|
259
|
+
private
|
260
|
+
|
261
|
+
def fingerprint(cert)
|
262
|
+
Puppet::SSL::Digest.new(nil, cert.to_der)
|
263
|
+
end
|
217
264
|
end
|
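Review bot: In `download_cert` (new lines 171-201) the `Downloaded certificate '%{name}' with fingerprint %{fingerprint}` notice is emitted twice, and the first copy at new line 181 runs before `@ssl_provider.create_context` has verified the certificate against `ssl_context.cacerts` and `ssl_context.crls`, so a certificate that fails verification is still announced as downloaded before the error propagates; drop the line-181 notice and keep the one that follows `save_client_cert`. In `submit_request`, the `e.response.code.to_i == 400` branch is reported as "a conflict on the server"; if the CA really signals the existing-certificate case with 400 rather than 409, a short comment saying so would stop the next reader from "fixing" it. `verify` logs with plain interpolation (`Puppet.notice("Verified client certificate ...")`) while every other user-facing message in the file goes through `_()`, and `cert.subject.to_s` inside an interpolation is redundant. The private `fingerprint(cert)` helper passes `nil` as the algorithm to `Puppet::SSL::Digest.new`; presumably that selects a default, but a comment naming it would help since the agent's `--fingerprint` path passes an explicit `options[:digest]`.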
data/lib/puppet/configurer.rb
CHANGED
@@ -226,13 +226,13 @@ class Puppet::Configurer
|
|
226
226
|
# mode. We shouldn't try to do any failover in that case.
|
227
227
|
if options[:catalog].nil? && do_failover
|
228
228
|
server, port = find_functional_server
|
229
|
+
if server.nil?
|
230
|
+
raise Puppet::Error, _("Could not select a functional puppet master from server_list: '%{server_list}'") % { server_list: Puppet[:server_list] }
|
231
|
+
else
|
232
|
+
Puppet.debug _("Selected puppet server: %{server}:%{port}") % { server: server, port: port }
|
233
|
+
report.master_used = "#{server}:#{port}"
|
234
|
+
end
|
229
235
|
Puppet.override(server: server, serverport: port) do
|
230
|
-
if server
|
231
|
-
Puppet.debug _("Selected puppet server: %{server}:%{port}") % { server: server, port: port }
|
232
|
-
report.master_used = "#{server}:#{port}"
|
233
|
-
else
|
234
|
-
Puppet.warning _("Could not select a functional puppet server")
|
235
|
-
end
|
236
236
|
completed = run_internal(options)
|
237
237
|
end
|
238
238
|
else
|
@@ -395,7 +395,8 @@ class Puppet::Configurer
|
|
395
395
|
host = server[0]
|
396
396
|
port = server[1] || Puppet[:masterport]
|
397
397
|
begin
|
398
|
-
|
398
|
+
ssl_context = Puppet.lookup(:ssl_context)
|
399
|
+
http = Puppet::Network::HttpPool.connection(host, port.to_i, ssl_context: ssl_context)
|
399
400
|
response = http.get('/status/v1/simple/master')
|
400
401
|
return [host, port] if response.is_a?(Net::HTTPOK)
|
401
402
|
|
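Review bot: `Puppet.lookup(:ssl_context)` at new line 398 is evaluated once per candidate server inside `find_functional_server`'s loop (the loop head is outside the hunk), and the `:ssl_context` default added to puppet.rb in this same commit builds the context via `SSLProvider#load_context`, so unless the lookup is memoized every probe re-reads the key, certificate and CRL files from disk; hoisting `ssl_context = Puppet.lookup(:ssl_context)` above the loop avoids that and also makes a broken SSL setup fail once instead of once per server. In the first hunk the raised message says `puppet master` while the debug line beside it says `puppet server`; pick one term for the two user-facing strings.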