puppet 6.3.0 → 6.4.0
- checksums.yaml +4 -4
- data/CODEOWNERS +30 -0
- data/Gemfile.lock +9 -9
- data/lib/puppet.rb +13 -0
- data/lib/puppet/application/agent.rb +8 -12
- data/lib/puppet/application/device.rb +2 -3
- data/lib/puppet/application/filebucket.rb +6 -1
- data/lib/puppet/application/ssl.rb +102 -55
- data/lib/puppet/configurer.rb +8 -7
- data/lib/puppet/defaults.rb +3 -1
- data/lib/puppet/file_system.rb +24 -4
- data/lib/puppet/file_system/file_impl.rb +25 -0
- data/lib/puppet/file_system/jruby.rb +23 -0
- data/lib/puppet/file_system/windows.rb +84 -0
- data/lib/puppet/indirector/rest.rb +4 -2
- data/lib/puppet/loaders.rb +1 -0
- data/lib/puppet/network/http.rb +1 -0
- data/lib/puppet/network/http/base_pool.rb +18 -0
- data/lib/puppet/network/http/connection.rb +49 -17
- data/lib/puppet/network/http/nocache_pool.rb +9 -4
- data/lib/puppet/network/http/pool.rb +10 -11
- data/lib/puppet/network/http/session.rb +3 -2
- data/lib/puppet/network/http_pool.rb +32 -0
- data/lib/puppet/pops/loader/generic_plan_instantiator.rb +28 -0
- data/lib/puppet/pops/loader/loader_paths.rb +46 -10
- data/lib/puppet/pops/loader/module_loaders.rb +10 -3
- data/lib/puppet/provider/file/windows.rb +49 -1
- data/lib/puppet/provider/package/windows.rb +5 -1
- data/lib/puppet/reports/http.rb +2 -1
- data/lib/puppet/rest/client.rb +7 -3
- data/lib/puppet/rest/routes.rb +9 -44
- data/lib/puppet/ssl.rb +6 -0
- data/lib/puppet/ssl/error.rb +26 -0
- data/lib/puppet/ssl/host.rb +9 -92
- data/lib/puppet/ssl/ssl_context.rb +30 -0
- data/lib/puppet/ssl/ssl_provider.rb +232 -0
- data/lib/puppet/ssl/state_machine.rb +261 -0
- data/lib/puppet/ssl/validator.rb +1 -0
- data/lib/puppet/ssl/validator/default_validator.rb +1 -0
- data/lib/puppet/ssl/validator/no_validator.rb +2 -0
- data/lib/puppet/ssl/verifier.rb +134 -0
- data/lib/puppet/ssl/verifier_adapter.rb +48 -0
- data/lib/puppet/test/test_helper.rb +2 -1
- data/lib/puppet/type/exec.rb +30 -6
- data/lib/puppet/type/file/mode.rb +6 -1
- data/lib/puppet/type/file/source.rb +2 -2
- data/lib/puppet/type/filebucket.rb +12 -8
- data/lib/puppet/type/user.rb +14 -1
- data/lib/puppet/util/connection.rb +10 -5
- data/lib/puppet/util/feature.rb +11 -2
- data/lib/puppet/util/http_proxy.rb +3 -2
- data/lib/puppet/util/pidlock.rb +1 -1
- data/lib/puppet/util/ssl.rb +1 -10
- data/lib/puppet/util/windows/security.rb +29 -8
- data/lib/puppet/version.rb +1 -1
- data/lib/puppet/x509.rb +7 -0
- data/lib/puppet/x509/cert_provider.rb +286 -0
- data/lib/puppet/x509/pem_store.rb +55 -0
- data/locales/ja/puppet.po +740 -590
- data/locales/puppet.pot +433 -208
- data/man/man5/puppet.conf.5 +6 -3
- data/man/man8/puppet-agent.8 +1 -1
- data/man/man8/puppet-apply.8 +1 -1
- data/man/man8/puppet-catalog.8 +1 -1
- data/man/man8/puppet-config.8 +1 -1
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +1 -1
- data/man/man8/puppet-filebucket.8 +6 -2
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +1 -1
- data/man/man8/puppet-key.8 +1 -1
- data/man/man8/puppet-lookup.8 +1 -1
- data/man/man8/puppet-man.8 +1 -1
- data/man/man8/puppet-module.8 +1 -1
- data/man/man8/puppet-node.8 +1 -1
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +1 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +5 -1
- data/man/man8/puppet-status.8 +1 -1
- data/man/man8/puppet.8 +2 -2
- data/spec/fixtures/ssl/127.0.0.1-key.pem +67 -0
- data/spec/fixtures/ssl/127.0.0.1.pem +48 -0
- data/spec/fixtures/ssl/bad-basic-constraints.pem +59 -0
- data/spec/fixtures/ssl/bad-int-basic-constraints.pem +59 -0
- data/spec/fixtures/ssl/ca.pem +59 -0
- data/spec/fixtures/ssl/crl.pem +30 -0
- data/spec/fixtures/ssl/encrypted-key.pem +70 -0
- data/spec/fixtures/ssl/intermediate-agent-crl.pem +31 -0
- data/spec/fixtures/ssl/intermediate-agent.pem +60 -0
- data/spec/fixtures/ssl/intermediate-crl.pem +36 -0
- data/spec/fixtures/ssl/intermediate.pem +60 -0
- data/spec/fixtures/ssl/netlock-arany-utf8.pem +23 -0
- data/spec/fixtures/ssl/pluto-key.pem +67 -0
- data/spec/fixtures/ssl/pluto.pem +44 -0
- data/spec/fixtures/ssl/request-key.pem +67 -0
- data/spec/fixtures/ssl/request.pem +39 -0
- data/spec/fixtures/ssl/revoked-key.pem +67 -0
- data/spec/fixtures/ssl/revoked.pem +44 -0
- data/spec/fixtures/ssl/signed-key.pem +67 -0
- data/spec/fixtures/ssl/signed.pem +44 -0
- data/spec/fixtures/ssl/tampered-cert.pem +44 -0
- data/spec/fixtures/ssl/tampered-csr.pem +39 -0
- data/spec/integration/network/http_pool_spec.rb +222 -0
- data/spec/integration/provider/file/windows_spec.rb +162 -0
- data/spec/integration/rest/client_spec.rb +73 -0
- data/spec/integration/type/file_spec.rb +0 -19
- data/spec/lib/puppet/test_ca.rb +87 -50
- data/spec/lib/puppet_spec/fixtures.rb +20 -0
- data/spec/lib/puppet_spec/https.rb +84 -0
- data/spec/unit/application/agent_spec.rb +29 -30
- data/spec/unit/application/device_spec.rb +12 -49
- data/spec/unit/application/ssl_spec.rb +24 -38
- data/spec/unit/configurer_spec.rb +11 -11
- data/spec/unit/file_system/uniquefile_spec.rb +6 -0
- data/spec/unit/file_system_spec.rb +214 -0
- data/spec/unit/indirector/rest_spec.rb +3 -3
- data/spec/unit/network/http/connection_spec.rb +30 -90
- data/spec/unit/network/http/factory_spec.rb +1 -0
- data/spec/unit/network/http/nocache_pool_spec.rb +8 -8
- data/spec/unit/network/http/pool_spec.rb +63 -33
- data/spec/unit/network/http/session_spec.rb +8 -1
- data/spec/unit/network/http_pool_spec.rb +36 -0
- data/spec/unit/pops/loaders/loader_spec.rb +26 -1
- data/spec/unit/provider/package/windows_spec.rb +12 -1
- data/spec/unit/reports/http_spec.rb +7 -7
- data/spec/unit/rest/client_spec.rb +4 -6
- data/spec/unit/ssl/host_spec.rb +39 -33
- data/spec/unit/ssl/ssl_provider_spec.rb +428 -0
- data/spec/unit/ssl/state_machine_spec.rb +502 -0
- data/spec/unit/ssl/verifier_spec.rb +123 -0
- data/spec/unit/type/exec_spec.rb +63 -0
- data/spec/unit/type/file/source_spec.rb +5 -5
- data/spec/unit/type/filebucket_spec.rb +8 -6
- data/spec/unit/util/feature_spec.rb +2 -2
- data/spec/unit/util/storage_spec.rb +19 -19
- data/spec/unit/x509/cert_provider_spec.rb +527 -0
- data/spec/unit/x509/pem_store_spec.rb +160 -0
- data/tasks/generate_cert_fixtures.rake +158 -0
- metadata +78 -4
- data/MAINTAINERS +0 -47
- data/lib/puppet/rest/ssl_context.rb +0 -13
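--- a/data/spec/unit/x509/pem_store_spec.rb
+++ b/data/spec/unit/x509/pem_store_spec.rb
@@ -0,0 +1,160 @@
+# coding: utf-8
+require 'spec_helper'
+require 'puppet/x509'
+
+class Puppet::X509::TestPemStore
+include Puppet::X509::PemStore
+end
+
+describe Puppet::X509::PemStore do
+include PuppetSpec::Files
+
+let(:subject) { Puppet::X509::TestPemStore.new }
+
+def with_unreadable_file
+path = tmpfile('pem_store')
+Puppet::FileSystem.touch(path)
+Puppet::FileSystem.chmod(0, path)
+yield path
+ensure
+Puppet::FileSystem.chmod(0600, path)
+end
+
+def with_unwritable_file(&block)
+if Puppet::Util::Platform.windows?
+with_unwritable_file_win32(&block)
+else
+with_unwritable_file_posix(&block)
+end
+end
+
+def with_unwritable_file_win32
+dir = tmpdir('pem_store')
+path = File.join(dir, 'unwritable')
+
+# if file handle is open, then file can't be written by other processes
+File.open(path, 'w') do |f|
+yield path
+end
+end
+
+def with_unwritable_file_posix
+dir = tmpdir('pem_store')
+path = File.join(dir, 'unwritable')
+# if directory is not executable/traverseable, then file can't be written to
+Puppet::FileSystem.chmod(0, dir)
+begin
+yield path
+ensure
+Puppet::FileSystem.chmod(0700, dir)
+end
+end
+
+let(:cert_path) { File.join(PuppetSpec::FIXTURE_DIR, 'ssl', 'netlock-arany-utf8.pem') }
+
+context 'loading' do
+it 'returns nil if it does not exist' do
+expect(subject.load_pem('/does/not/exist')).to be_nil
+end
+
+it 'returns the file content as UTF-8' do
+expect(
+subject.load_pem(cert_path)
+).to match(/\ANetLock Arany \(Class Gold\) Főtanúsítvány/)
+end
+
+it 'raises EACCES if the file is unreadable' do
+with_unreadable_file do |path|
+expect {
+subject.load_pem(path)
+}.to raise_error(Errno::EACCES, /Permission denied/)
+end
+end
+end
+
+context 'saving' do
+let(:path) { tmpfile('pem_store') }
+
+it 'writes the file content as UTF-8' do
+# read the file directly to preserve the comments
+utf8 = File.read(cert_path, encoding: 'UTF-8')
+
+subject.save_pem(utf8, path)
+
+expect(
+File.read(path, :encoding => 'UTF-8')
+).to match(/\ANetLock Arany \(Class Gold\) Főtanúsítvány/)
+end
+
+it 'never changes the owner and group on Windows', if: Puppet::Util::Platform.windows? do
+FileUtils.expects(:chown).never
+
+subject.save_pem('PEM', path, owner: 'Administrator', group: 'None')
+end
+
+it 'changes the owner and group when running as root', unless: Puppet::Util::Platform.windows? do
+Puppet.features.stubs(:root?).returns(true)
+FileUtils.expects(:chown).with('root', 'root', path)
+
+subject.save_pem('PEM', path, owner: 'root', group: 'root')
+end
+
+it 'does not change owner and group when running not as roo', unless: Puppet::Util::Platform.windows? do
+Puppet.features.stubs(:root?).returns(false)
+FileUtils.expects(:chown).never
+
+subject.save_pem('PEM', path, owner: 'root', group: 'root')
+end
+
+it 'allows a mode of 0600 to be specified', unless: Puppet::Util::Platform.windows? do
+subject.save_pem('PEM', path, mode: 0600)
+
+expect(File.stat(path).mode & 0777).to eq(0600)
+end
+
+it 'defaults the mode to 0644' do
+subject.save_pem('PEM', path)
+
+expect(File.stat(path).mode & 0777).to eq(0644)
+end
+
+it 'raises EACCES if the file is unwritable' do
+with_unwritable_file do |path|
+expect {
+subject.save_pem('', path)
+}.to raise_error(Errno::EACCES, /Permission denied/)
+end
+end
+
+it 'raises if the directory does not exist' do
+dir = tmpdir('pem_store')
+Dir.unlink(dir)
+
+expect {
+subject.save_pem('', File.join(dir, 'something'))
+}.to raise_error(Errno::ENOENT, /No such file or directory/)
+end
+end
+
+context 'deleting' do
+it 'returns false if the file does not exist' do
+expect(subject.delete_pem('/does/not/exist')).to eq(false)
+end
+
+it 'returns true if the file exists' do
+path = tmpfile('pem_store')
+FileUtils.touch(path)
+
+expect(subject.delete_pem(path)).to eq(true)
+expect(File).to_not be_exist(path)
+end
+
+it 'raises EACCES if the file is undeletable' do
+with_unwritable_file do |path|
+expect {
+subject.delete_pem(path)
+}.to raise_error(Errno::EACCES, /Permission denied/)
+end
+end
+end
+end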
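Review bot: The `raises EACCES if the file is unreadable` example, and the posix `with_unwritable_file` path used by the unwritable/undeletable examples, rely on mode bits (`chmod(0, path)`, `chmod(0, dir)`) to deny access, but a process running as root bypasses DAC permission checks, so under sudo or a root CI runner these examples fail with "nothing was raised" instead of being skipped; gate them with `unless: Puppet.features.root?`, which this spec already stubs elsewhere. `with_unreadable_file` also runs `Puppet::FileSystem.chmod(0600, path)` in its `ensure` clause even when `tmpfile` itself raised and `path` is nil, which would replace the original error with a TypeError; guard it with `Puppet::FileSystem.chmod(0600, path) if path`. Minor: the description on spec line 102 reads "running not as roo" — `it 'does not change owner and group when not running as root', unless: Puppet::Util::Platform.windows? do`.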
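--- a/data/tasks/generate_cert_fixtures.rake
+++ b/data/tasks/generate_cert_fixtures.rake
@@ -0,0 +1,158 @@
+# Run this rake task to generate cert fixtures used in unit tests. This should
+# be run whenever new fixtures are required that derive from the existing ones
+# such as to add an extension to client certs, change expiration, etc. All
+# regenerated fixtures should be committed together.
+desc "Generate cert test fixtures"
+task(:gen_cert_fixtures) do
+$LOAD_PATH << File.expand_path(File.join(File.dirname(__FILE__), '../spec/lib'))
+require 'puppet/test_ca'
+
+def save(dir, name, x509)
+path = File.join(dir, name)
+puts "Generating #{path}"
+File.open(path, 'w') do |f|
+f.write(x509.to_text)
+text = if block_given?
+yield x509
+else
+x509.to_pem
+end
+
+f.write(text)
+end
+end
+
+# This task generates a PKI consisting of a root CA, intermediate CA and
+# several leaf certs. A CRL is generated for each CA. The root CA CRL is
+# empty, while the intermediate CA CRL contains the revoked cert's serial
+# number. A textual representation of each X509 object is included in the
+# fixture as a comment.
+#
+# Certs
+# =====
+#
+# ca.pem /CN=Test CA
+# |
+# intermediate.pem +- /CN=Test CA Subauthority
+# | |
+# signed.pem | +- /CN=signed
+# revoked.pem | +- /CN=revoked
+# 127.0.0.1.pem | +- /CN=127.0.0.1 (with dns alt names)
+# tampered.pem | +- /CN=signed (with different public key)
+# |
+# + /CN=Test CA Agent Subauthority
+# | |
+# pluto.pem | +- /CN=pluto
+# |
+# bad-int-basic-constraints.pem +- /CN=Test CA Subauthority (bad isCA constraint)
+#
+# bad-basic-constraints.pem /CN=Test CA (bad isCA constraint)
+#
+# Keys
+# ====
+#
+# The RSA private key for each leaf cert is also generated. In addition,
+# `encrypted-key.pem` contains the private key for the `signed` cert.
+#
+# Requests
+# ========
+#
+# `request.pem` contains a valid CSR for /CN=pending, while `tampered_csr.pem`
+# is the same as `request.pem`, but it's public key has been replaced.
+#
+ca = Puppet::TestCa.new
+dir = File.join(RAKE_ROOT, 'spec/fixtures/ssl')
+
+# Create Test CA & CRL
+save(dir, 'ca.pem', ca.ca_cert)
+save(dir, 'crl.pem', ca.ca_crl)
+
+# Create Intermediate CA & CRL "Test CA Subauthority" issued by "Test CA"
+inter = ca.create_intermediate_cert('Test CA Subauthority', ca.ca_cert, ca.key)
+save(dir, 'intermediate.pem', inter[:cert])
+inter_crl = ca.create_crl(inter[:cert], inter[:private_key])
+
+# Create a leaf/entity key and cert for host "signed" and issued by "Test CA Subauthority"
+signed = ca.create_cert('signed', inter[:cert], inter[:private_key])
+save(dir, 'signed.pem', signed[:cert])
+save(dir, 'signed-key.pem', signed[:private_key])
+
+# Create an encrypted version of the above private key for host "signed"
+save(dir, 'encrypted-key.pem', signed[:private_key]) do |x509|
+# private key password was chosen at random
+x509.to_pem(OpenSSL::Cipher::AES.new(128, :CBC), '74695716c8b6')
+end
+
+# Create an SSL cert for 127.0.0.1 with dns_alt_names
+signed = ca.create_cert('127.0.0.1', ca.ca_cert, ca.key, subject_alt_names: 'DNS:127.0.0.1,DNS:127.0.0.2')
+save(dir, '127.0.0.1.pem', signed[:cert])
+save(dir, '127.0.0.1-key.pem', signed[:private_key])
+
+# Create a leaf/entity key and cert for host "revoked", issued by "Test CA Subauthority"
+# and revoke the cert
+revoked = ca.create_cert('revoked', inter[:cert], inter[:private_key])
+ca.revoke(revoked[:cert], inter_crl, inter[:private_key])
+save(dir, 'revoked.pem', revoked[:cert])
+save(dir, 'revoked-key.pem', revoked[:private_key])
+
+# Update intermediate CRL now that we've revoked
+save(dir, 'intermediate-crl.pem', inter_crl)
+
+# Create a pending request (CSR) and private key for host "pending"
+request = ca.create_request('pending')
+save(dir, 'request.pem', request[:csr])
+save(dir, 'request-key.pem', request[:private_key])
+
+# Create an intermediate for agent certs
+inter_agent = ca.create_intermediate_cert('Test CA Agent Subauthority', ca.ca_cert, ca.key)
+save(dir, 'intermediate-agent.pem', inter_agent[:cert])
+inter_agent_crl = ca.create_crl(inter_agent[:cert], inter_agent[:private_key])
+save(dir, 'intermediate-agent-crl.pem', inter_agent_crl)
+
+# Create a leaf/entity key and cert for host "pluto" and issued by "Test CA Agent Subauthority"
+pluto = ca.create_cert('pluto', inter_agent[:cert], inter_agent[:private_key])
+save(dir, 'pluto.pem', pluto[:cert])
+save(dir, 'pluto-key.pem', pluto[:private_key])
+
+# Create a new root CA cert, but change the "isCA" basic constraint.
+# It should not be trusted to act as a CA.
+badconstraints = ca.create_cacert('Test CA')[:cert]
+badconstraints.public_key = ca.ca_cert.public_key
+badconstraints.extensions = []
+ca.ca_cert.extensions.each do |ext|
+if ext.oid == 'basicConstraints'
+ef = OpenSSL::X509::ExtensionFactory.new
+badconstraints.add_extension(ef.create_extension("basicConstraints","CA:FALSE", true))
+else
+badconstraints.add_extension(ext)
+end
+end
+badconstraints.sign(ca.key, OpenSSL::Digest::SHA256.new)
+save(dir, 'bad-basic-constraints.pem', badconstraints)
+
+# Same as above, but create a new intermediate CA
+badintconstraints = inter[:cert].dup
+badintconstraints.public_key = inter[:cert].public_key
+badintconstraints.extensions = []
+inter[:cert].extensions.each do |ext|
+if ext.oid == 'basicConstraints'
+ef = OpenSSL::X509::ExtensionFactory.new
+badintconstraints.add_extension(ef.create_extension("basicConstraints","CA:FALSE", true))
+else
+badintconstraints.add_extension(ext)
+end
+end
+badintconstraints.sign(ca.key, OpenSSL::Digest::SHA256.new)
+save(dir, 'bad-int-basic-constraints.pem', badintconstraints)
+
+# Create a request, but replace its public key after it's signed
+tampered_csr = ca.create_request('signed')[:csr]
+tampered_csr.public_key = OpenSSL::PKey::RSA.new(1024).public_key
+save(dir, 'tampered-csr.pem', tampered_csr)
+
+# Create a cert issued from the real intermediate CA, but replace its
+# public key
+tampered_cert = ca.create_cert('signed', inter[:cert], inter[:private_key])[:cert]
+tampered_cert.public_key = OpenSSL::PKey::RSA.new(1024).public_key
+save(dir, 'tampered-cert.pem', tampered_cert)
+end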
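Review bot: The `127.0.0.1` fixture on rake line 87 places IP literals in dNSName SAN entries (`subject_alt_names: 'DNS:127.0.0.1,DNS:127.0.0.2'`), whereas RFC 5280 §4.2.1.6 and RFC 2818 §3.1 put IP addresses in iPAddress entries; a verifier that follows those matching rules will not accept this certificate for 127.0.0.1, so if the fixture is meant to exercise Puppet's hostname check against an IP it should use `subject_alt_names: 'IP:127.0.0.1,IP:127.0.0.2'` (or carry both forms, with a comment saying which lookup behaviour the fixture pins). The header comment also disagrees with the code in three places: the tree on line 40 draws `127.0.0.1.pem` under `Test CA Subauthority` but line 87 issues it directly from the root (`ca.ca_cert, ca.key`), and the names `tampered.pem` (line 41) and `tampered_csr.pem` (line 60) do not match the files actually written, `tampered-cert.pem` and `tampered-csr.pem`; the `save` calls are the source of truth, so the comment block should be corrected to match them. Reassigning `signed` on line 87 for the loopback cert shadows the `signed` leaf created on line 76, which is easy to misread; a distinct name such as `loopback` would be clearer.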
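--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet
 version: !ruby/object:Gem::Version
-version: 6.
+version: 6.4.0
 platform: ruby
 authors:
 - Puppet Labs
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-
+date: 2019-03-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: facter
@@ -141,6 +141,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- CODEOWNERS
 - CODE_OF_CONDUCT.md
 - COMMITTERS.md
 - CONTRIBUTING.md
@@ -148,7 +149,6 @@ files:
 - Gemfile.lock
 - Guardfile.example
 - LICENSE
-- MAINTAINERS
 - README.md
 - Rakefile
 - bin/puppet
@@ -422,6 +422,7 @@ files:
 - lib/puppet/file_serving/terminus_selector.rb
 - lib/puppet/file_system.rb
 - lib/puppet/file_system/file_impl.rb
+- lib/puppet/file_system/jruby.rb
 - lib/puppet/file_system/memory_file.rb
 - lib/puppet/file_system/memory_impl.rb
 - lib/puppet/file_system/path_pattern.rb
@@ -670,6 +671,7 @@ files:
 - lib/puppet/network/http/api/master/v3/authorization.rb
 - lib/puppet/network/http/api/master/v3/environment.rb
 - lib/puppet/network/http/api/master/v3/environments.rb
+- lib/puppet/network/http/base_pool.rb
 - lib/puppet/network/http/compression.rb
 - lib/puppet/network/http/connection.rb
 - lib/puppet/network/http/error.rb
@@ -824,6 +826,7 @@ files:
 - lib/puppet/pops/loader/base_loader.rb
 - lib/puppet/pops/loader/dependency_loader.rb
 - lib/puppet/pops/loader/gem_support.rb
+- lib/puppet/pops/loader/generic_plan_instantiator.rb
 - lib/puppet/pops/loader/loader.rb
 - lib/puppet/pops/loader/loader_paths.rb
 - lib/puppet/pops/loader/module_loaders.rb
@@ -1081,7 +1084,6 @@ files:
 - lib/puppet/rest/response.rb
 - lib/puppet/rest/route.rb
 - lib/puppet/rest/routes.rb
-- lib/puppet/rest/ssl_context.rb
 - lib/puppet/scheduler.rb
 - lib/puppet/scheduler/job.rb
 - lib/puppet/scheduler/scheduler.rb
@@ -1117,12 +1119,18 @@ files:
 - lib/puppet/ssl/certificate_request_attributes.rb
 - lib/puppet/ssl/certificate_signer.rb
 - lib/puppet/ssl/digest.rb
+- lib/puppet/ssl/error.rb
 - lib/puppet/ssl/host.rb
 - lib/puppet/ssl/key.rb
 - lib/puppet/ssl/oids.rb
+- lib/puppet/ssl/ssl_context.rb
+- lib/puppet/ssl/ssl_provider.rb
+- lib/puppet/ssl/state_machine.rb
 - lib/puppet/ssl/validator.rb
 - lib/puppet/ssl/validator/default_validator.rb
 - lib/puppet/ssl/validator/no_validator.rb
+- lib/puppet/ssl/verifier.rb
+- lib/puppet/ssl/verifier_adapter.rb
 - lib/puppet/status.rb
 - lib/puppet/syntax_checkers.rb
 - lib/puppet/syntax_checkers/base64.rb
@@ -1303,6 +1311,9 @@ files:
 - lib/puppet/vendor/pathspec/lib/pathspec/spec.rb
 - lib/puppet/vendor/require_vendored.rb
 - lib/puppet/version.rb
+- lib/puppet/x509.rb
+- lib/puppet/x509/cert_provider.rb
+- lib/puppet/x509/pem_store.rb
 - lib/puppet_pal.rb
 - lib/puppet_x.rb
 - locales/config.yaml
@@ -1367,6 +1378,28 @@ files:
 - spec/fixtures/releases/jamtur01-apache/tests/php.pp
 - spec/fixtures/releases/jamtur01-apache/tests/ssl.pp
 - spec/fixtures/releases/jamtur01-apache/tests/vhost.pp
+- spec/fixtures/ssl/127.0.0.1-key.pem
+- spec/fixtures/ssl/127.0.0.1.pem
+- spec/fixtures/ssl/bad-basic-constraints.pem
+- spec/fixtures/ssl/bad-int-basic-constraints.pem
+- spec/fixtures/ssl/ca.pem
+- spec/fixtures/ssl/crl.pem
+- spec/fixtures/ssl/encrypted-key.pem
+- spec/fixtures/ssl/intermediate-agent-crl.pem
+- spec/fixtures/ssl/intermediate-agent.pem
+- spec/fixtures/ssl/intermediate-crl.pem
+- spec/fixtures/ssl/intermediate.pem
+- spec/fixtures/ssl/netlock-arany-utf8.pem
+- spec/fixtures/ssl/pluto-key.pem
+- spec/fixtures/ssl/pluto.pem
+- spec/fixtures/ssl/request-key.pem
+- spec/fixtures/ssl/request.pem
+- spec/fixtures/ssl/revoked-key.pem
+- spec/fixtures/ssl/revoked.pem
+- spec/fixtures/ssl/signed-key.pem
+- spec/fixtures/ssl/signed.pem
+- spec/fixtures/ssl/tampered-cert.pem
+- spec/fixtures/ssl/tampered-csr.pem
 - spec/fixtures/stdlib.tgz
 - spec/fixtures/unit/application/environments/production/data/common.yaml
 - spec/fixtures/unit/application/environments/production/environment.conf
@@ -1726,6 +1759,7 @@ files:
 - spec/integration/network/authconfig_spec.rb
 - spec/integration/network/formats_spec.rb
 - spec/integration/network/http/api/indirected_routes_spec.rb
+- spec/integration/network/http_pool_spec.rb
 - spec/integration/node/environment_spec.rb
 - spec/integration/node/facts_spec.rb
 - spec/integration/node_spec.rb
@@ -1743,6 +1777,7 @@ files:
 - spec/integration/parser/scope_spec.rb
 - spec/integration/parser/script_compiler_spec.rb
 - spec/integration/parser/undef_param_spec.rb
+- spec/integration/provider/file/windows_spec.rb
 - spec/integration/provider/service/init_spec.rb
 - spec/integration/provider/service/systemd_spec.rb
 - spec/integration/provider/service/windows_spec.rb
@@ -1750,6 +1785,7 @@ files:
 - spec/integration/reports_spec.rb
 - spec/integration/resource/catalog_spec.rb
 - spec/integration/resource/type_collection_spec.rb
+- spec/integration/rest/client_spec.rb
 - spec/integration/ssl/certificate_request_spec.rb
 - spec/integration/ssl/host_spec.rb
 - spec/integration/ssl/key_spec.rb
@@ -1798,6 +1834,7 @@ files:
 - spec/lib/puppet_spec/files.rb
 - spec/lib/puppet_spec/fixtures.rb
 - spec/lib/puppet_spec/handler.rb
+- spec/lib/puppet_spec/https.rb
 - spec/lib/puppet_spec/language.rb
 - spec/lib/puppet_spec/matchers.rb
 - spec/lib/puppet_spec/module_tool/shared_functions.rb
@@ -2388,7 +2425,10 @@ files:
 - spec/unit/ssl/host_spec.rb
 - spec/unit/ssl/key_spec.rb
 - spec/unit/ssl/oids_spec.rb
+- spec/unit/ssl/ssl_provider_spec.rb
+- spec/unit/ssl/state_machine_spec.rb
 - spec/unit/ssl/validator_spec.rb
+- spec/unit/ssl/verifier_spec.rb
 - spec/unit/status_spec.rb
 - spec/unit/task_spec.rb
 - spec/unit/transaction/additional_resource_generator_spec.rb
@@ -2503,10 +2543,13 @@ files:
 - spec/unit/util/yaml_spec.rb
 - spec/unit/util_spec.rb
 - spec/unit/version_spec.rb
+- spec/unit/x509/cert_provider_spec.rb
+- spec/unit/x509/pem_store_spec.rb
 - tasks/benchmark.rake
 - tasks/cfpropertylist.rake
 - tasks/ci.rake
 - tasks/generate_ast_model.rake
+- tasks/generate_cert_fixtures.rake
 - tasks/manpages.rake
 - tasks/memwalk.rake
 - tasks/parallel.rake
@@ -2573,6 +2616,28 @@ test_files:
 - spec/fixtures/releases/jamtur01-apache/tests/php.pp
 - spec/fixtures/releases/jamtur01-apache/tests/ssl.pp
 - spec/fixtures/releases/jamtur01-apache/tests/vhost.pp
+- spec/fixtures/ssl/127.0.0.1-key.pem
+- spec/fixtures/ssl/127.0.0.1.pem
+- spec/fixtures/ssl/bad-basic-constraints.pem
+- spec/fixtures/ssl/bad-int-basic-constraints.pem
+- spec/fixtures/ssl/ca.pem
+- spec/fixtures/ssl/crl.pem
+- spec/fixtures/ssl/encrypted-key.pem
+- spec/fixtures/ssl/intermediate-agent-crl.pem
+- spec/fixtures/ssl/intermediate-agent.pem
+- spec/fixtures/ssl/intermediate-crl.pem
+- spec/fixtures/ssl/intermediate.pem
+- spec/fixtures/ssl/netlock-arany-utf8.pem
+- spec/fixtures/ssl/pluto-key.pem
+- spec/fixtures/ssl/pluto.pem
+- spec/fixtures/ssl/request-key.pem
+- spec/fixtures/ssl/request.pem
+- spec/fixtures/ssl/revoked-key.pem
+- spec/fixtures/ssl/revoked.pem
+- spec/fixtures/ssl/signed-key.pem
+- spec/fixtures/ssl/signed.pem
+- spec/fixtures/ssl/tampered-cert.pem
+- spec/fixtures/ssl/tampered-csr.pem
 - spec/fixtures/stdlib.tgz
 - spec/fixtures/unit/application/environments/production/data/common.yaml
 - spec/fixtures/unit/application/environments/production/environment.conf
@@ -2932,6 +2997,7 @@ test_files:
 - spec/integration/network/authconfig_spec.rb
 - spec/integration/network/formats_spec.rb
 - spec/integration/network/http/api/indirected_routes_spec.rb
+- spec/integration/network/http_pool_spec.rb
 - spec/integration/node/environment_spec.rb
 - spec/integration/node/facts_spec.rb
 - spec/integration/node_spec.rb
@@ -2949,6 +3015,7 @@ test_files:
 - spec/integration/parser/scope_spec.rb
 - spec/integration/parser/script_compiler_spec.rb
 - spec/integration/parser/undef_param_spec.rb
+- spec/integration/provider/file/windows_spec.rb
 - spec/integration/provider/service/init_spec.rb
 - spec/integration/provider/service/systemd_spec.rb
 - spec/integration/provider/service/windows_spec.rb
@@ -2956,6 +3023,7 @@ test_files:
 - spec/integration/reports_spec.rb
 - spec/integration/resource/catalog_spec.rb
 - spec/integration/resource/type_collection_spec.rb
+- spec/integration/rest/client_spec.rb
 - spec/integration/ssl/certificate_request_spec.rb
 - spec/integration/ssl/host_spec.rb
 - spec/integration/ssl/key_spec.rb
@@ -3004,6 +3072,7 @@ test_files:
 - spec/lib/puppet_spec/files.rb
 - spec/lib/puppet_spec/fixtures.rb
 - spec/lib/puppet_spec/handler.rb
+- spec/lib/puppet_spec/https.rb
 - spec/lib/puppet_spec/language.rb
 - spec/lib/puppet_spec/matchers.rb
 - spec/lib/puppet_spec/module_tool/shared_functions.rb
@@ -3594,7 +3663,10 @@ test_files:
 - spec/unit/ssl/host_spec.rb
 - spec/unit/ssl/key_spec.rb
 - spec/unit/ssl/oids_spec.rb
+- spec/unit/ssl/ssl_provider_spec.rb
+- spec/unit/ssl/state_machine_spec.rb
 - spec/unit/ssl/validator_spec.rb
+- spec/unit/ssl/verifier_spec.rb
 - spec/unit/status_spec.rb
 - spec/unit/task_spec.rb
 - spec/unit/transaction/additional_resource_generator_spec.rb
@@ -3709,3 +3781,5 @@ test_files:
 - spec/unit/util/yaml_spec.rb
 - spec/unit/util_spec.rb
 - spec/unit/version_spec.rb
+- spec/unit/x509/cert_provider_spec.rb
+- spec/unit/x509/pem_store_spec.rb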