puppet 6.4.5-x64-mingw32 → 6.5.0-x64-mingw32



Files changed (329)
  1. checksums.yaml +4 -4
  2. data/CODEOWNERS +10 -10
  3. data/Gemfile +6 -6
  4. data/Gemfile.lock +46 -52
  5. data/ext/build_defaults.yaml +0 -1
  6. data/ext/project_data.yaml +3 -3
  7. data/ext/regexp_nodes/regexp_nodes.rb +4 -4
  8. data/ext/solaris/smf/puppet.xml +0 -2
  9. data/ext/windows/eventlog/Rakefile +32 -0
  10. data/ext/windows/eventlog/puppetres.dll +0 -0
  11. data/ext/windows/eventlog/puppetres.mc +18 -0
  12. data/ext/windows/service/daemon.rb +8 -38
  13. data/install.rb +24 -6
  14. data/lib/puppet.rb +3 -1
  15. data/lib/puppet/application.rb +1 -1
  16. data/lib/puppet/application/agent.rb +11 -34
  17. data/lib/puppet/application/apply.rb +6 -6
  18. data/lib/puppet/application/describe.rb +9 -3
  19. data/lib/puppet/application/device.rb +4 -14
  20. data/lib/puppet/application/doc.rb +1 -1
  21. data/lib/puppet/application/lookup.rb +2 -2
  22. data/lib/puppet/application/resource.rb +4 -4
  23. data/lib/puppet/application/script.rb +2 -2
  24. data/lib/puppet/application/ssl.rb +10 -9
  25. data/lib/puppet/configurer.rb +30 -86
  26. data/lib/puppet/configurer/downloader.rb +6 -2
  27. data/lib/puppet/defaults.rb +50 -44
  28. data/lib/puppet/error.rb +14 -9
  29. data/lib/puppet/face/catalog.rb +20 -1
  30. data/lib/puppet/face/config.rb +48 -10
  31. data/lib/puppet/face/facts.rb +1 -1
  32. data/lib/puppet/face/help.rb +1 -1
  33. data/lib/puppet/face/module/list.rb +5 -5
  34. data/lib/puppet/face/module/search.rb +1 -1
  35. data/lib/puppet/face/module/uninstall.rb +1 -1
  36. data/lib/puppet/face/module/upgrade.rb +1 -1
  37. data/lib/puppet/face/parser.rb +48 -9
  38. data/lib/puppet/face/plugin.rb +2 -9
  39. data/lib/puppet/file_serving/http_metadata.rb +1 -1
  40. data/lib/puppet/file_system.rb +12 -2
  41. data/lib/puppet/file_system/file_impl.rb +6 -3
  42. data/lib/puppet/file_system/memory_file.rb +1 -1
  43. data/lib/puppet/file_system/posix.rb +2 -3
  44. data/lib/puppet/forge.rb +3 -3
  45. data/lib/puppet/functions.rb +2 -1
  46. data/lib/puppet/functions/camelcase.rb +2 -2
  47. data/lib/puppet/functions/epp.rb +4 -4
  48. data/lib/puppet/functions/find_file.rb +9 -9
  49. data/lib/puppet/functions/inline_epp.rb +5 -5
  50. data/lib/puppet/functions/regsubst.rb +6 -8
  51. data/lib/puppet/gettext/module_translations.rb +1 -1
  52. data/lib/puppet/graph/rb_tree_map.rb +2 -2
  53. data/lib/puppet/graph/simple_graph.rb +3 -4
  54. data/lib/puppet/indirector/catalog/compiler.rb +5 -11
  55. data/lib/puppet/indirector/file_bucket_file/file.rb +1 -1
  56. data/lib/puppet/indirector/hiera.rb +0 -2
  57. data/lib/puppet/indirector/resource/ral.rb +3 -1
  58. data/lib/puppet/indirector/resource/validator.rb +1 -1
  59. data/lib/puppet/interface.rb +1 -2
  60. data/lib/puppet/loaders.rb +1 -0
  61. data/lib/puppet/metatype/manager.rb +1 -1
  62. data/lib/puppet/module.rb +1 -1
  63. data/lib/puppet/module/task.rb +4 -20
  64. data/lib/puppet/module_tool/applications/installer.rb +1 -1
  65. data/lib/puppet/module_tool/applications/uninstaller.rb +3 -3
  66. data/lib/puppet/module_tool/metadata.rb +1 -1
  67. data/lib/puppet/module_tool/shared_behaviors.rb +4 -4
  68. data/lib/puppet/module_tool/tar/mini.rb +2 -12
  69. data/lib/puppet/network/http/api/indirected_routes.rb +11 -12
  70. data/lib/puppet/network/http/connection.rb +12 -10
  71. data/lib/puppet/network/http/factory.rb +11 -1
  72. data/lib/puppet/network/http/pool.rb +0 -2
  73. data/lib/puppet/network/http/site.rb +1 -1
  74. data/lib/puppet/network/resolver.rb +2 -2
  75. data/lib/puppet/node/environment.rb +2 -4
  76. data/lib/puppet/pal/pal_impl.rb +2 -2
  77. data/lib/puppet/parser/ast.rb +1 -1
  78. data/lib/puppet/parser/ast/resourceparam.rb +1 -1
  79. data/lib/puppet/parser/functions.rb +1 -1
  80. data/lib/puppet/parser/functions/epp.rb +3 -3
  81. data/lib/puppet/parser/functions/fail.rb +8 -1
  82. data/lib/puppet/parser/functions/inline_epp.rb +5 -5
  83. data/lib/puppet/parser/scope.rb +7 -8
  84. data/lib/puppet/pops/evaluator/collectors/catalog_collector.rb +1 -1
  85. data/lib/puppet/pops/evaluator/collectors/exported_collector.rb +1 -1
  86. data/lib/puppet/pops/evaluator/external_syntax_support.rb +2 -3
  87. data/lib/puppet/pops/evaluator/runtime3_support.rb +4 -4
  88. data/lib/puppet/pops/loader/null_loader.rb +60 -0
  89. data/lib/puppet/pops/loader/ruby_legacy_function_instantiator.rb +6 -4
  90. data/lib/puppet/pops/loader/task_instantiator.rb +0 -4
  91. data/lib/puppet/pops/loaders.rb +1 -1
  92. data/lib/puppet/pops/lookup/hiera_config.rb +0 -1
  93. data/lib/puppet/pops/lookup/sub_lookup.rb +1 -1
  94. data/lib/puppet/pops/merge_strategy.rb +18 -22
  95. data/lib/puppet/pops/parser/heredoc_support.rb +1 -1
  96. data/lib/puppet/pops/parser/interpolation_support.rb +4 -4
  97. data/lib/puppet/pops/parser/locator.rb +1 -1
  98. data/lib/puppet/pops/parser/pn_parser.rb +16 -17
  99. data/lib/puppet/pops/puppet_stack.rb +49 -51
  100. data/lib/puppet/pops/types/p_sensitive_type.rb +1 -1
  101. data/lib/puppet/pops/types/string_converter.rb +10 -10
  102. data/lib/puppet/pops/types/types.rb +6 -5
  103. data/lib/puppet/property.rb +1 -1
  104. data/lib/puppet/property/ensure.rb +1 -1
  105. data/lib/puppet/provider/exec.rb +2 -6
  106. data/lib/puppet/provider/file/posix.rb +0 -5
  107. data/lib/puppet/provider/nameservice.rb +3 -10
  108. data/lib/puppet/provider/nameservice/directoryservice.rb +1 -1
  109. data/lib/puppet/provider/nameservice/pw.rb +2 -2
  110. data/lib/puppet/provider/package.rb +0 -2
  111. data/lib/puppet/provider/package/apt.rb +1 -5
  112. data/lib/puppet/provider/package/dnf.rb +1 -1
  113. data/lib/puppet/provider/package/dpkg.rb +18 -34
  114. data/lib/puppet/provider/package/openbsd.rb +1 -1
  115. data/lib/puppet/provider/package/pip.rb +13 -37
  116. data/lib/puppet/provider/package/portage.rb +4 -4
  117. data/lib/puppet/provider/package/puppet_gem.rb +1 -1
  118. data/lib/puppet/provider/package/rpm.rb +18 -56
  119. data/lib/puppet/provider/package/windows/package.rb +1 -1
  120. data/lib/puppet/provider/package/yum.rb +5 -9
  121. data/lib/puppet/provider/package_targetable.rb +4 -7
  122. data/lib/puppet/provider/parsedfile.rb +1 -1
  123. data/lib/puppet/provider/service/daemontools.rb +9 -9
  124. data/lib/puppet/provider/service/launchd.rb +5 -20
  125. data/lib/puppet/provider/service/openbsd.rb +1 -1
  126. data/lib/puppet/provider/service/rcng.rb +2 -2
  127. data/lib/puppet/provider/service/runit.rb +8 -2
  128. data/lib/puppet/provider/service/systemd.rb +19 -14
  129. data/lib/puppet/provider/service/windows.rb +0 -8
  130. data/lib/puppet/provider/user/directoryservice.rb +1 -1
  131. data/lib/puppet/provider/user/hpux.rb +1 -1
  132. data/lib/puppet/provider/user/pw.rb +3 -12
  133. data/lib/puppet/provider/user/user_role_add.rb +1 -5
  134. data/lib/puppet/provider/user/useradd.rb +20 -45
  135. data/lib/puppet/provider/user/windows_adsi.rb +5 -4
  136. data/lib/puppet/reference/configuration.rb +3 -3
  137. data/lib/puppet/reference/indirection.rb +2 -2
  138. data/lib/puppet/reference/metaparameter.rb +3 -1
  139. data/lib/puppet/reference/providers.rb +3 -1
  140. data/lib/puppet/reference/type.rb +9 -3
  141. data/lib/puppet/reports.rb +1 -1
  142. data/lib/puppet/resource.rb +1 -18
  143. data/lib/puppet/resource/catalog.rb +1 -1
  144. data/lib/puppet/rest/routes.rb +30 -17
  145. data/lib/puppet/settings.rb +3 -43
  146. data/lib/puppet/settings/environment_conf.rb +0 -1
  147. data/lib/puppet/ssl/certificate_request.rb +12 -2
  148. data/lib/puppet/ssl/host.rb +2 -2
  149. data/lib/puppet/ssl/oids.rb +1 -1
  150. data/lib/puppet/ssl/ssl_provider.rb +11 -5
  151. data/lib/puppet/ssl/state_machine.rb +102 -98
  152. data/lib/puppet/test/test_helper.rb +1 -0
  153. data/lib/puppet/transaction.rb +11 -33
  154. data/lib/puppet/transaction/report.rb +1 -1
  155. data/lib/puppet/type.rb +4 -2
  156. data/lib/puppet/type/exec.rb +17 -23
  157. data/lib/puppet/type/file.rb +39 -11
  158. data/lib/puppet/type/file/data_sync.rb +1 -5
  159. data/lib/puppet/type/group.rb +2 -4
  160. data/lib/puppet/type/notify.rb +3 -4
  161. data/lib/puppet/type/package.rb +3 -20
  162. data/lib/puppet/type/schedule.rb +1 -1
  163. data/lib/puppet/type/service.rb +3 -8
  164. data/lib/puppet/type/user.rb +2 -4
  165. data/lib/puppet/util.rb +29 -39
  166. data/lib/puppet/util/command_line/trollop.rb +1 -1
  167. data/lib/puppet/util/execution.rb +3 -4
  168. data/lib/puppet/util/http_proxy.rb +19 -27
  169. data/lib/puppet/util/log.rb +2 -2
  170. data/lib/puppet/util/log/destinations.rb +2 -2
  171. data/lib/puppet/util/logging.rb +20 -32
  172. data/lib/puppet/util/metric.rb +2 -2
  173. data/lib/puppet/util/monkey_patches.rb +33 -0
  174. data/lib/puppet/util/pidlock.rb +2 -3
  175. data/lib/puppet/util/provider_features.rb +4 -2
  176. data/lib/puppet/util/rdoc.rb +1 -1
  177. data/lib/puppet/util/reference.rb +1 -1
  178. data/lib/puppet/util/resource_template.rb +1 -1
  179. data/lib/puppet/util/selinux.rb +2 -8
  180. data/lib/puppet/util/skip_tags.rb +4 -0
  181. data/lib/puppet/util/windows/adsi.rb +18 -48
  182. data/lib/puppet/util/windows/process.rb +8 -8
  183. data/lib/puppet/util/windows/registry.rb +5 -7
  184. data/lib/puppet/util/windows/security.rb +0 -2
  185. data/lib/puppet/util/windows/service.rb +4 -149
  186. data/lib/puppet/util/windows/sid.rb +0 -1
  187. data/lib/puppet/vendor.rb +1 -1
  188. data/lib/puppet/version.rb +1 -1
  189. data/lib/puppet/x509/cert_provider.rb +81 -24
  190. data/locales/puppet.pot +462 -482
  191. data/man/man5/puppet.conf.5 +43 -44
  192. data/man/man8/puppet-agent.8 +1 -1
  193. data/man/man8/puppet-apply.8 +3 -3
  194. data/man/man8/puppet-catalog.8 +31 -3
  195. data/man/man8/puppet-config.8 +1 -1
  196. data/man/man8/puppet-describe.8 +1 -1
  197. data/man/man8/puppet-device.8 +1 -1
  198. data/man/man8/puppet-doc.8 +1 -1
  199. data/man/man8/puppet-epp.8 +1 -1
  200. data/man/man8/puppet-facts.8 +1 -1
  201. data/man/man8/puppet-filebucket.8 +1 -1
  202. data/man/man8/puppet-generate.8 +1 -1
  203. data/man/man8/puppet-help.8 +1 -1
  204. data/man/man8/puppet-key.8 +1 -1
  205. data/man/man8/puppet-lookup.8 +1 -1
  206. data/man/man8/puppet-man.8 +1 -1
  207. data/man/man8/puppet-module.8 +1 -1
  208. data/man/man8/puppet-node.8 +1 -1
  209. data/man/man8/puppet-parser.8 +1 -1
  210. data/man/man8/puppet-plugin.8 +1 -1
  211. data/man/man8/puppet-report.8 +1 -1
  212. data/man/man8/puppet-resource.8 +1 -1
  213. data/man/man8/puppet-script.8 +1 -1
  214. data/man/man8/puppet-ssl.8 +1 -1
  215. data/man/man8/puppet-status.8 +1 -1
  216. data/man/man8/puppet.8 +3 -3
  217. data/spec/fixtures/ssl/127.0.0.1-key.pem +56 -56
  218. data/spec/fixtures/ssl/127.0.0.1.pem +27 -27
  219. data/spec/fixtures/ssl/bad-basic-constraints.pem +32 -32
  220. data/spec/fixtures/ssl/bad-int-basic-constraints.pem +30 -30
  221. data/spec/fixtures/ssl/ca.pem +30 -30
  222. data/spec/fixtures/ssl/crl.pem +15 -15
  223. data/spec/fixtures/ssl/ec-key.pem +18 -0
  224. data/spec/fixtures/ssl/ec.pem +40 -0
  225. data/spec/fixtures/ssl/encrypted-ec-key.pem +21 -0
  226. data/spec/fixtures/ssl/encrypted-key.pem +57 -57
  227. data/spec/fixtures/ssl/intermediate-agent-crl.pem +16 -16
  228. data/spec/fixtures/ssl/intermediate-agent.pem +33 -33
  229. data/spec/fixtures/ssl/intermediate-crl.pem +17 -17
  230. data/spec/fixtures/ssl/intermediate.pem +31 -31
  231. data/spec/fixtures/ssl/pluto-key.pem +56 -56
  232. data/spec/fixtures/ssl/pluto.pem +28 -28
  233. data/spec/fixtures/ssl/request-key.pem +56 -56
  234. data/spec/fixtures/ssl/request.pem +24 -24
  235. data/spec/fixtures/ssl/revoked-key.pem +56 -56
  236. data/spec/fixtures/ssl/revoked.pem +25 -25
  237. data/spec/fixtures/ssl/signed-key.pem +56 -56
  238. data/spec/fixtures/ssl/signed.pem +25 -25
  239. data/spec/fixtures/ssl/tampered-cert.pem +27 -27
  240. data/spec/fixtures/ssl/tampered-csr.pem +24 -24
  241. data/spec/fixtures/unit/pops/loaders/loaders/mix_4x_and_3x_functions/usee/lib/puppet/parser/functions/func_with_syntax_error.rb +9 -0
  242. data/spec/fixtures/vcr/cassettes/Puppet_Network_HTTP_Connection/when_handling_requests/_request_get/should_yield_to_the_block.yml +24 -0
  243. data/spec/fixtures/vcr/cassettes/Puppet_Network_HTTP_Connection/when_handling_requests/_request_head/should_yield_to_the_block.yml +24 -0
  244. data/spec/fixtures/vcr/cassettes/Puppet_Network_HTTP_Connection/when_handling_requests/_request_post/should_yield_to_the_block.yml +24 -0
  245. data/spec/integration/configurer_spec.rb +0 -52
  246. data/spec/integration/provider/service/init_spec.rb +1 -0
  247. data/spec/integration/provider/service/systemd_spec.rb +5 -8
  248. data/spec/integration/type/file_spec.rb +38 -28
  249. data/spec/integration/util/execution_spec.rb +0 -27
  250. data/spec/lib/puppet/certificate_factory.rb +2 -2
  251. data/spec/lib/puppet/test_ca.rb +17 -4
  252. data/spec/lib/puppet_spec/fixtures.rb +4 -0
  253. data/spec/spec_helper.rb +0 -28
  254. data/spec/unit/application/agent_spec.rb +34 -67
  255. data/spec/unit/application/device_spec.rb +1 -27
  256. data/spec/unit/application/ssl_spec.rb +60 -35
  257. data/spec/unit/configurer_spec.rb +399 -395
  258. data/spec/unit/defaults_spec.rb +4 -4
  259. data/spec/unit/face/facts_spec.rb +0 -9
  260. data/spec/unit/face/parser_spec.rb +69 -22
  261. data/spec/unit/face/plugin_spec.rb +0 -8
  262. data/spec/unit/file_system_spec.rb +30 -1
  263. data/spec/unit/forge/forge_spec.rb +3 -1
  264. data/spec/unit/forge/repository_spec.rb +3 -1
  265. data/spec/unit/indirector/catalog/compiler_spec.rb +5 -62
  266. data/spec/unit/indirector/resource/ral_spec.rb +4 -4
  267. data/spec/unit/module_tool/tar/mini_spec.rb +1 -1
  268. data/spec/unit/network/http/api/indirected_routes_spec.rb +10 -25
  269. data/spec/unit/network/http/connection_spec.rb +145 -119
  270. data/spec/unit/network/http/factory_spec.rb +5 -27
  271. data/spec/unit/parser/scope_spec.rb +0 -10
  272. data/spec/unit/pops/evaluator/evaluating_parser_spec.rb +3 -8
  273. data/spec/unit/pops/loaders/loaders_spec.rb +4 -0
  274. data/spec/unit/pops/loaders/module_loaders_spec.rb +0 -37
  275. data/spec/unit/pops/types/types_spec.rb +27 -0
  276. data/spec/unit/provider/exec_spec.rb +0 -209
  277. data/spec/unit/provider/package/aptrpm_spec.rb +1 -1
  278. data/spec/unit/provider/package/dnf_spec.rb +0 -7
  279. data/spec/unit/provider/package/dpkg_spec.rb +80 -240
  280. data/spec/unit/provider/package/pip_spec.rb +8 -61
  281. data/spec/unit/provider/package/portage_spec.rb +4 -4
  282. data/spec/unit/provider/package/rpm_spec.rb +16 -150
  283. data/spec/unit/provider/package/yum_spec.rb +0 -7
  284. data/spec/unit/provider/service/daemontools_spec.rb +0 -24
  285. data/spec/unit/provider/service/launchd_spec.rb +0 -28
  286. data/spec/unit/provider/service/runit_spec.rb +0 -24
  287. data/spec/unit/provider/service/systemd_spec.rb +25 -39
  288. data/spec/unit/provider/service/windows_spec.rb +0 -20
  289. data/spec/unit/provider/user/hpux_spec.rb +2 -2
  290. data/spec/unit/provider/user/pw_spec.rb +0 -37
  291. data/spec/unit/provider/user/useradd_spec.rb +0 -88
  292. data/spec/unit/resource_spec.rb +1 -26
  293. data/spec/unit/ssl/host_spec.rb +5 -0
  294. data/spec/unit/ssl/ssl_provider_spec.rb +36 -11
  295. data/spec/unit/ssl/state_machine_spec.rb +233 -158
  296. data/spec/unit/transaction_spec.rb +0 -64
  297. data/spec/unit/type/exec_spec.rb +12 -15
  298. data/spec/unit/type/file/content_spec.rb +3 -9
  299. data/spec/unit/type/file/source_spec.rb +4 -4
  300. data/spec/unit/type/file_spec.rb +15 -11
  301. data/spec/unit/type/package_spec.rb +0 -5
  302. data/spec/unit/type/schedule_spec.rb +1 -3
  303. data/spec/unit/type/service_spec.rb +0 -16
  304. data/spec/unit/util/execution_spec.rb +0 -16
  305. data/spec/unit/util/http_proxy_spec.rb +21 -151
  306. data/spec/unit/util/ldap/manager_spec.rb +0 -15
  307. data/spec/unit/util/log/destinations_spec.rb +3 -7
  308. data/spec/unit/util/log_spec.rb +138 -0
  309. data/spec/unit/util/logging_spec.rb +0 -200
  310. data/spec/unit/util/pidlock_spec.rb +0 -26
  311. data/spec/unit/util/skip_tags_spec.rb +14 -0
  312. data/spec/unit/util/windows/adsi_spec.rb +0 -51
  313. data/spec/unit/util/windows/service_spec.rb +0 -9
  314. data/spec/unit/util_spec.rb +10 -0
  315. data/spec/unit/x509/cert_provider_spec.rb +82 -43
  316. data/tasks/generate_cert_fixtures.rake +13 -1
  317. data/tasks/manpages.rake +0 -1
  318. metadata +28 -22
  319. data/ext/cert_inspector +0 -140
  320. data/ext/envpuppet +0 -139
  321. data/ext/envpuppet.bat +0 -14
  322. data/ext/puppet-test +0 -476
  323. data/ext/pure_ruby_dsl/dsl_test.rb +0 -7
  324. data/ext/upload_facts.rb +0 -119
  325. data/lib/puppet/provider/package/dnfmodule.rb +0 -87
  326. data/spec/fixtures/unit/provider/package/dnfmodule/dnf-module-list-installed.txt +0 -11
  327. data/spec/integration/type/notify_spec.rb +0 -46
  328. data/spec/unit/provider/package/dnfmodule_spec.rb +0 -186
  329. data/spec/unit/provider/package_targetable_spec.rb +0 -60
@@ -84,46 +84,6 @@ class Puppet::Settings
84
84
  "puppet.conf"
85
85
  end
86
86
 
87
- def stringify_settings(section, settings = :all)
88
- values_from_the_selected_section =
89
- values(nil, section.to_sym)
90
-
91
- loader_settings = {
92
- :environmentpath => values_from_the_selected_section.interpolate(:environmentpath),
93
- :basemodulepath => values_from_the_selected_section.interpolate(:basemodulepath),
94
- }
95
-
96
- Puppet.override(Puppet.base_context(loader_settings),
97
- _("New environment loaders generated from the requested section.")) do
98
- # And now we can lookup values that include those from environments configured from
99
- # the requested section
100
- values = values(Puppet[:environment].to_sym, section.to_sym)
101
-
102
- to_be_rendered = {}
103
- settings = Puppet.settings.to_a.collect(&:first) if settings == :all
104
- settings.sort.each do |setting_name|
105
- to_be_rendered[setting_name] = values.print(setting_name.to_sym)
106
- end
107
-
108
- stringifyhash(to_be_rendered)
109
- end
110
- end
111
-
112
- def stringifyhash(hash)
113
- newhash = {}
114
- hash.each do |key, val|
115
- key = key.to_s
116
- if val.is_a? Hash
117
- newhash[key] = stringifyhash(val)
118
- elsif val.is_a? Symbol
119
- newhash[key] = val.to_s
120
- else
121
- newhash[key] = val
122
- end
123
- end
124
- newhash
125
- end
126
-
127
87
  # Create a new collection of config settings.
128
88
  def initialize
129
89
  @config = {}
@@ -1229,10 +1189,10 @@ Generated on #{Time.now}.
1229
1189
  if !Puppet::FileSystem.symlink?(configured_environment_path)
1230
1190
  parameters = { :ensure => 'directory' }
1231
1191
  unless Puppet::FileSystem.exist?(configured_environment_path)
1232
- parameters[:mode] = '0750'
1192
+ parameters.merge!(:mode => '0750')
1233
1193
  if Puppet.features.root?
1234
- parameters[:owner] = Puppet[:user] if service_user_available?
1235
- parameters[:group] = Puppet[:group] if service_group_available?
1194
+ parameters.merge!(:owner => Puppet[:user]) if service_user_available?
1195
+ parameters.merge!(:group => Puppet[:group]) if service_group_available?
1236
1196
  end
1237
1197
  end
1238
1198
  catalog.add_resource(Puppet::Resource.new(:file, configured_environment_path, :parameters => parameters))
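Review bot: `parameters.merge!(:mode => '0750')` and the two `merge!` calls under `if Puppet.features.root?` each build a one-entry hash only to fold it into `parameters`; the direct assignment form `parameters[:mode] = '0750'` says the same thing without the extra allocation and reads as a plain hash write. If `merge!` is used for consistency with other call sites in the file, a short comment would make that intent visible. The enclosing method starts and ends outside the hunk.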
@@ -159,7 +159,6 @@ class Puppet::Settings::EnvironmentConf
159
159
 
160
160
  return valid
161
161
  end
162
- private_class_method :validate
163
162
 
164
163
  def get_setting(setting_name, default = nil)
165
164
  value = raw_setting(setting_name)
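Review bot: Dropping `private_class_method :validate` turns `validate` into a public class method of `Puppet::Settings::EnvironmentConf` without any documentation of the new contract. If it is exposed only so other classes inside the gem can call it, a `# @api private` tag above its `def` keeps it out of the supported API surface; if it is meant to be public, a YARD block with `@param`/`@return` is warranted. Only the tail of `validate` (its `return valid` and `end`) is inside this hunk.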
@@ -75,7 +75,17 @@ DOC
75
75
  csr = OpenSSL::X509::Request.new
76
76
  csr.version = 0
77
77
  csr.subject = OpenSSL::X509::Name.new([["CN", common_name]])
78
- csr.public_key = key.public_key
78
+
79
+ csr.public_key = if key.is_a?(OpenSSL::PKey::EC)
80
+ # EC#public_key doesn't follow the PKey API,
81
+ # see https://github.com/ruby/openssl/issues/29
82
+ point = key.public_key
83
+ pubkey = OpenSSL::PKey::EC.new(point.group)
84
+ pubkey.public_key = point
85
+ pubkey
86
+ else
87
+ key.public_key
88
+ end
79
89
 
80
90
  if options[:csr_attributes]
81
91
  add_csr_attributes(csr, options[:csr_attributes])
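Review bot: `pubkey.public_key = point` mutates an `OpenSSL::PKey::EC` after construction; with the openssl gem 3.x (OpenSSL 3) pkey objects are immutable and that setter raises `OpenSSL::PKey::PKeyError`, so the EC branch is tied to older openssl versions without saying so. A comment above `point = key.public_key`, such as `# requires openssl gem < 3.0: EC#public_key= is not available on immutable pkeys`, would record the constraint; on newer versions `OpenSSL::PKey::EC.new(key.public_to_der)` is the equivalent construction. The enclosing method starts before and ends after this hunk.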
@@ -88,7 +98,7 @@ DOC
88
98
  signer = Puppet::SSL::CertificateSigner.new
89
99
  signer.sign(csr, key)
90
100
 
91
- raise Puppet::Error, _("CSR sign verification failed; you need to clean the certificate request for %{name} on the server") % { name: name } unless csr.verify(key.public_key)
101
+ raise Puppet::Error, _("CSR sign verification failed; you need to clean the certificate request for %{name} on the server") % { name: name } unless csr.verify(csr.public_key)
92
102
 
93
103
  @content = csr
94
104
 
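Review bot: `csr.verify(csr.public_key)` only confirms the request is internally consistent (its signature matches the public key it carries); it no longer asserts that the embedded key is the one derived from `key`, which verifying against the local key used to imply. Because `signer.sign(csr, key)` runs two lines earlier this is unlikely to misfire, but a mistake while assembling `csr.public_key` (the EC branch in the hunk above) would now pass this check. A comment stating the reduced scope, `# self-consistency check only; the key/CSR match is established by sign() above`, or an explicit comparison of the DER-encoded public keys would make the intent clear. The enclosing method starts outside the hunk.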
@@ -121,7 +121,7 @@ class Puppet::SSL::Host
121
121
  generate_key unless key
122
122
 
123
123
  # get CA and optional CRL
124
- sm = Puppet::SSL::StateMachine.new(onetime: true)
124
+ sm = Puppet::SSL::StateMachine.new
125
125
  sm.ensure_ca_certificates
126
126
 
127
127
  cert = get_host_certificate
@@ -272,7 +272,7 @@ ERROR_STRING
272
272
  exit(1)
273
273
  end
274
274
 
275
- loop do
275
+ while true
276
276
  sleep time
277
277
  begin
278
278
  break if certificate
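Review bot: `while true` is the non-idiomatic spelling of an infinite loop in Ruby; `loop do ... end` is the conventional form (RuboCop's Style/InfiniteLoop flags the former) and `break if certificate` behaves the same inside it. The enclosing method starts and ends outside the hunk.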
@@ -101,7 +101,7 @@ module Puppet::SSL::Oids
101
101
  # shortname: 'myothershortname'
102
102
  # longname: 'Other Long name'
103
103
  def self.parse_custom_oid_file(custom_oid_file, map_key='oid_mapping')
104
- if File.exist?(custom_oid_file) && File.readable?(custom_oid_file)
104
+ if File.exists?(custom_oid_file) && File.readable?(custom_oid_file)
105
105
  mapping = nil
106
106
  begin
107
107
  mapping = Puppet::Util::Yaml.safe_load_file(custom_oid_file, [Symbol])
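Review bot: `File.exists?` has been deprecated since Ruby 2.1 and was removed in Ruby 3.2, so this line raises `NoMethodError` on current Rubies; keep `if File.exist?(custom_oid_file) && File.readable?(custom_oid_file)`. The rest of `parse_custom_oid_file` lies outside the hunk.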
@@ -51,7 +51,7 @@ class Puppet::SSL::SSLProvider
51
51
  #
52
52
  # @param cacerts [Array<OpenSSL::X509::Certificate>] Array of trusted CA certs
53
53
  # @param crls [Array<OpenSSL::X509::CRL>] Array of CRLs
54
- # @param private_key [OpenSSL::PKey::RSA] client's private key
54
+ # @param private_key [OpenSSL::PKey::RSA, OpenSSL::PKey::EC] client's private key
55
55
  # @param client_cert [OpenSSL::X509::Certificate] client's cert whose public
56
56
  # key matches the `private_key`
57
57
  # @param revocation [:chain, :leaf, false] revocation mode
@@ -70,7 +70,7 @@ class Puppet::SSL::SSLProvider
70
70
  store = create_x509_store(cacerts, crls, revocation)
71
71
  client_chain = verify_cert_with_store(store, client_cert)
72
72
 
73
- unless private_key.is_a?(OpenSSL::PKey::RSA)
73
+ if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
74
74
  raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
75
75
  end
76
76
 
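Review bot: The widened guard `if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)` checks only the key's type, not the precondition documented just above the hunk that `client_cert`'s public key matches `private_key`. If `create_context` does not establish that further down (outside this hunk), `client_cert.check_private_key(private_key)` is the direct check and would turn a mismatched cert/key pair into an early `Puppet::SSL::SSLError` rather than a handshake failure later. `create_context` starts and ends outside the hunk.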
@@ -90,13 +90,17 @@ class Puppet::SSL::SSLProvider
90
90
  # and private key. Connections made from the returned context will be mutually
91
91
  # authenticated.
92
92
  #
93
+ # @param certname [String] Which cert & key to load
93
94
  # @param revocation [:chain, :leaf, false] revocation mode
95
+ # @param password [String, nil] If the private key is encrypted, decrypt
96
+ # it using the password. If the key is encrypted, but a password is
97
+ # not specified, then the key cannot be loaded.
94
98
  # @return [Puppet::SSL::SSLContext] A context to use to create connections
95
99
  # @raise [Puppet::SSL::CertVerifyError] There was an issue with
96
100
  # one of the certs or CRLs.
97
101
  # @raise [Puppet::Error] There was an issue with one of the required components.
98
102
  # @api private
99
- def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation])
103
+ def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil)
100
104
  cert = Puppet::X509::CertProvider.new
101
105
  cacerts = cert.load_cacerts(required: true)
102
106
  crls = case revocation
@@ -105,10 +109,12 @@ class Puppet::SSL::SSLProvider
105
109
  else
106
110
  []
107
111
  end
108
- private_key = cert.load_private_key(certname, required: true)
112
+ private_key = cert.load_private_key(certname, required: true, password: password)
109
113
  client_cert = cert.load_client_cert(certname, required: true)
110
114
 
111
115
  create_context(cacerts: cacerts, crls: crls, private_key: private_key, client_cert: client_cert, revocation: revocation)
116
+ rescue OpenSSL::PKey::PKeyError => e
117
+ raise Puppet::SSL::SSLError.new(_("Failed to load private key for host '%{name}': %{message}") % { name: certname, message: e.message }, e)
112
118
  end
113
119
 
114
120
  # Verify the `csr` was signed with a private key corresponding to the
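Review bot: The added `rescue OpenSSL::PKey::PKeyError` is a method-level rescue, so it also covers `load_cacerts`, `load_client_cert` and `create_context`; a `PKeyError` raised by any of them would be reported as "Failed to load private key for host …". Scoping the rescue to the `load_private_key` call keeps the message truthful and leaves other key errors to surface with their own context. `load_context`'s `def` is in the preceding hunk; the rescue applies to its whole body.

```ruby
# … unchanged: cacerts and crls loading …
private_key = begin
  cert.load_private_key(certname, required: true, password: password)
rescue OpenSSL::PKey::PKeyError => e
  raise Puppet::SSL::SSLError.new(_("Failed to load private key for host '%{name}': %{message}") % { name: certname, message: e.message }, e)
end
client_cert = cert.load_client_cert(certname, required: true)
# … unchanged: create_context call …
```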
@@ -116,7 +122,7 @@ class Puppet::SSL::SSLProvider
116
122
  # of the private key, and that it hasn't been tampered with since.
117
123
  #
118
124
  # @param csr [OpenSSL::X509::Request] certificate signing request
119
- # @param public_key [OpenSSL::PKey::RSA] public key
125
+ # @param public_key [OpenSSL::PKey::RSA, OpenSSL::PKey::EC] public key
120
126
  # @raise [Puppet::SSL:SSLError] The private_key for the given `public_key` was
121
127
  # not used to sign the CSR.
122
128
  # @api private
@@ -1,4 +1,5 @@
1
1
  require 'puppet/ssl'
2
+ require 'puppet/util/pidlock'
2
3
 
3
4
  # This class implements a state machine for bootstrapping a host's CA and CRL
4
5
  # bundles, private key and signed client certificate. Each state has a frozen
@@ -20,12 +21,6 @@ class Puppet::SSL::StateMachine
20
21
  @cert_provider = machine.cert_provider
21
22
  @ssl_provider = machine.ssl_provider
22
23
  end
23
-
24
- def to_error(message, cause)
25
- detail = Puppet::Error.new(message)
26
- detail.set_backtrace(cause.backtrace)
27
- Error.new(@machine, message, detail)
28
- end
29
24
  end
30
25
 
31
26
  # Load existing CA certs or download them. Transition to NeedCRLs.
@@ -51,13 +46,11 @@ class Puppet::SSL::StateMachine
51
46
  end
52
47
 
53
48
  NeedCRLs.new(@machine, next_ctx)
54
- rescue OpenSSL::X509::CertificateError => e
55
- Error.new(@machine, e.message, e)
56
49
  rescue Puppet::Rest::ResponseError => e
57
50
  if e.response.code.to_i == 404
58
- to_error(_('CA certificate is missing from the server'), e)
51
+ raise Puppet::Error.new(_('CA certificate is missing from the server'))
59
52
  else
60
- to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
53
+ raise Puppet::Error.new(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
61
54
  end
62
55
  end
63
56
  end
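Review bot: `raise Puppet::Error.new(_('CA certificate is missing from the server'))` drops the original `Puppet::Rest::ResponseError`, while the `else` branch two lines below passes it as the cause; pass `e` on the 404 branch too, `raise Puppet::Error.new(_('CA certificate is missing from the server'), e)`, so the response stays reachable from the raised error. The same asymmetry appears in the NeedCRLs 404 branch in the hunk at `@@ -90,14 +90,45 @@`. Removing `rescue OpenSSL::X509::CertificateError` also means a malformed CA bundle now propagates as a raw OpenSSL error rather than a `Puppet::Error` with context; if that is intended, a one-line comment would help. The enclosing `next_state` starts outside the hunk.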
@@ -77,12 +70,19 @@ class Puppet::SSL::StateMachine
77
70
  crls = @cert_provider.load_crls
78
71
  if crls
79
72
  next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
73
+
74
+ crl_ttl = Puppet[:crl_refresh_interval]
75
+ if crl_ttl
76
+ last_update = @cert_provider.crl_last_update
77
+ now = Time.now
78
+ if last_update.nil? || now.to_i > last_update.to_i + crl_ttl
79
+ # set last updated time first, then make a best effort to refresh
80
+ @cert_provider.crl_last_update = now
81
+ next_ctx = refresh_crl(next_ctx, last_update)
82
+ end
83
+ end
80
84
  else
81
- pem = Puppet::Rest::Routes.get_crls(Puppet::SSL::CA_NAME, @ssl_context)
82
- crls = @cert_provider.load_crls_from_pem(pem)
83
- # verify crls before saving
84
- next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
85
- @cert_provider.save_crls(crls)
85
+ next_ctx = download_crl(@ssl_context, nil)
86
86
  end
87
87
  else
88
88
  Puppet.info("Certificate revocation is disabled, skipping CRL download")
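Review bot: `now.to_i > last_update.to_i + crl_ttl` treats `Puppet[:crl_refresh_interval]` as an Integer number of seconds, but nothing in this method says so; a comment such as `# crl_refresh_interval is in seconds — confirm against the setting definition` would save the next reader a lookup. Setting `@cert_provider.crl_last_update = now` before the refresh also means a failed refresh is not retried until a full interval has passed; the existing "best effort" comment would be more useful if it spelled out that consequence. The enclosing `next_state` starts before and ends after this hunk.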
@@ -90,14 +90,45 @@ class Puppet::SSL::StateMachine
90
90
  end
91
91
 
92
92
  NeedKey.new(@machine, next_ctx)
93
- rescue OpenSSL::X509::CRLError => e
94
- Error.new(@machine, e.message, e)
95
93
  rescue Puppet::Rest::ResponseError => e
96
94
  if e.response.code.to_i == 404
97
- to_error(_('CRL is missing from the server'), e)
95
+ raise Puppet::Error.new(_('CRL is missing from the server'))
96
+ else
97
+ raise Puppet::Error.new(_('Could not download CRLs: %{message}') % { message: e.message }, e)
98
+ end
99
+ end
100
+
101
+ private
102
+
103
+ def refresh_crl(ssl_ctx, last_update)
104
+ Puppet.info(_("Refreshing CRL"))
105
+
106
+ # return the next_ctx containing the updated crl
107
+ download_crl(ssl_ctx, last_update)
108
+ rescue Puppet::Rest::ResponseError => e
109
+ if e.response.code.to_i == 304
110
+ Puppet.info(_("CRL is unmodified, using existing CRL"))
98
111
  else
99
- to_error(_('Could not download CRLs: %{message}') % { message: e.message }, e)
112
+ Puppet.info(_("Failed to refresh CRL, using existing CRL: %{message}") % {message: e.message})
100
113
  end
114
+
115
+ # return the original ssl_ctx
116
+ ssl_ctx
117
+ rescue SystemCallError => e
118
+ Puppet.warning(_("Failed to refresh CRL, using existing CRL: %{message}") % {message: e.message})
119
+
120
+ # return the original ssl_ctx
121
+ ssl_ctx
122
+ end
123
+
124
+ def download_crl(ssl_ctx, last_update)
125
+ pem = Puppet::Rest::Routes.get_crls(Puppet::SSL::CA_NAME, ssl_ctx, if_modified_since: last_update)
126
+ crls = @cert_provider.load_crls_from_pem(pem)
127
+ # verify crls before saving
128
+ next_ctx = @ssl_provider.create_root_context(cacerts: ssl_ctx[:cacerts], crls: crls)
129
+ @cert_provider.save_crls(crls)
130
+
131
+ next_ctx
101
132
  end
102
133
  end
103
134
 
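Review bot: `refresh_crl` falls back to the existing CRL on `Puppet::Rest::ResponseError` and `SystemCallError`, but `download_crl` also runs `load_crls_from_pem` and `create_root_context`, which can raise `OpenSSL::X509::CRLError` (the rescue for it that previously sat in `next_state` is removed in this hunk). A malformed or unverifiable CRL served during a refresh would therefore abort the run instead of keeping the known-good CRL, which is what the best-effort design intends. Add `rescue OpenSSL::X509::CRLError => e` with `Puppet.warning(_("Failed to refresh CRL, using existing CRL: %{message}") % {message: e.message})` and `ssl_ctx` alongside the `SystemCallError` branch.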
@@ -110,7 +141,8 @@ class Puppet::SSL::StateMachine
110
141
  def next_state
111
142
  Puppet.debug(_("Loading/generating private key"))
112
143
 
113
- key = @cert_provider.load_private_key(Puppet[:certname])
144
+ password = @cert_provider.load_private_key_password
145
+ key = @cert_provider.load_private_key(Puppet[:certname], password: password)
114
146
  if key
115
147
  cert = @cert_provider.load_client_cert(Puppet[:certname])
116
148
  if cert
@@ -120,9 +152,15 @@ class Puppet::SSL::StateMachine
120
152
  return Done.new(@machine, next_ctx)
121
153
  end
122
154
  else
123
- Puppet.info _("Creating a new SSL key for %{name}") % { name: Puppet[:certname] }
124
- key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
125
- @cert_provider.save_private_key(Puppet[:certname], key)
155
+ if Puppet[:key_type] == 'ec'
156
+ Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: Puppet[:certname], curve: Puppet[:named_curve] }
157
+ key = OpenSSL::PKey::EC.generate(Puppet[:named_curve])
158
+ else
159
+ Puppet.info _("Creating a new RSA SSL key for %{name}") % { name: Puppet[:certname] }
160
+ key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
161
+ end
162
+
163
+ @cert_provider.save_private_key(Puppet[:certname], key, password: password)
126
164
  end
127
165
 
128
166
  NeedSubmitCSR.new(@machine, @ssl_context, key)
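Review bot: `if Puppet[:key_type] == 'ec'` treats every value other than `'ec'` as RSA, so a mis-set `key_type` silently produces an RSA key unless the setting is constrained to the two known values where it is defined (not visible here). If it is not, `elsif Puppet[:key_type] == 'rsa'` followed by an `else` that raises `Puppet::Error, _("Unsupported key type '%{type}'") % { type: Puppet[:key_type] }` makes the failure explicit instead of falling through. `next_state` begins in a hunk above and ends after this one.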
@@ -155,11 +193,11 @@ class Puppet::SSL::StateMachine
155
193
  @cert_provider.save_request(Puppet[:certname], csr)
156
194
  NeedCert.new(@machine, @ssl_context, @private_key)
157
195
  rescue Puppet::Rest::ResponseError => e
158
- if e.response.code.to_i == 400
159
- NeedCert.new(@machine, @ssl_context, @private_key)
160
- else
161
- to_error(_("Failed to submit the CSR, HTTP response was %{code}") % { code: e.response.code }, e)
196
+ if e.response.code.to_i != 400
197
+ raise Puppet::SSL::SSLError.new(_("Failed to submit the CSR, HTTP response was %{code}") % { code: e.response.code }, e)
162
198
  end
199
+
200
+ NeedCert.new(@machine, @ssl_context, @private_key)
163
201
  end
164
202
  end
165
203
 
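Review bot: The new control flow treats a 400 response as "CSR already present, go poll for the cert" without saying so; a comment above `if e.response.code.to_i != 400`, such as `# 400: the CA presumably already holds a CSR for this certname, so proceed to NeedCert`, would record the assumption for the next maintainer. The non-400 path raises `Puppet::SSL::SSLError` while the CA-cert and CRL download failures in the hunks above raise `Puppet::Error` for the same kind of condition; aligning on one class, or documenting why they differ, would simplify callers' rescue clauses. The enclosing `next_state` starts outside the hunk.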
@@ -180,37 +218,37 @@ class Puppet::SSL::StateMachine
180
218
  @cert_provider.delete_request(Puppet[:certname])
181
219
  Done.new(@machine, next_ctx)
182
220
  rescue Puppet::SSL::SSLError => e
183
- Error.new(@machine, e.message, e)
221
+ Puppet.log_exception(e)
222
+ Wait.new(@machine, @ssl_context)
184
223
  rescue OpenSSL::X509::CertificateError => e
185
- Error.new(@machine, _("Failed to parse certificate: %{message}") % {message: e.message}, e)
224
+ Puppet.log_exception(e, _("Failed to parse certificate: %{message}") % {message: e.message})
225
+ Wait.new(@machine, @ssl_context)
186
226
  rescue Puppet::Rest::ResponseError => e
187
227
  if e.response.code.to_i == 404
188
228
  Puppet.info(_("Certificate for %{certname} has not been signed yet") % {certname: Puppet[:certname]})
189
- $stdout.puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}).") % { name: Puppet[:certname] }
190
- Wait.new(@machine)
191
229
  else
192
- to_error(_("Failed to retrieve certificate for %{certname}: %{message}") %
193
- {certname: Puppet[:certname], message: e.response.message}, e)
230
+ Puppet.log_exception(e, _("Failed to retrieve certificate for %{certname}: %{message}") %
231
+ {certname: Puppet[:certname], message: e.response.message})
194
232
  end
233
+ Wait.new(@machine, @ssl_context)
195
234
  end
196
235
  end
197
236
 
198
- # We cannot make progress, so wait if allowed to do so, or exit.
237
+ # We cannot make progress, so wait if allowed to do so, or error.
199
238
  #
200
239
  class Wait < SSLState
201
- def initialize(machine)
202
- super(machine, nil)
203
- end
204
-
205
240
  def next_state
206
241
  time = @machine.waitforcert
207
242
  if time < 1
208
- puts _("Exiting now because the waitforcert setting is set to 0.")
243
+ puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the waitforcert setting is set to 0.") % { name: Puppet[:certname] }
244
+ exit(1)
245
+ elsif Time.now.to_i > @machine.wait_deadline
246
+ puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the maxwaitforcert timeout has been exceeded.") % {name: Puppet[:certname] }
209
247
  exit(1)
210
248
  else
211
- Puppet.info(_("Will try again in %{time} seconds.") % {time: time})
249
+ Puppet.info(_("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Will try again in %{time} seconds.") % {name: Puppet[:certname], time: time})
212
250
 
213
- Kernel.sleep(time)
251
+ sleep(time)
214
252
 
215
253
  # our ssl directory may have been cleaned while we were
216
254
  # sleeping, start over from the top
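Review bot: The deadline test at new line 245, `Time.now.to_i > @machine.wait_deadline`, and its counterpart `@wait_deadline = Time.now.to_i + maxwaitforcert` in the next hunk are based on wall-clock time, so an NTP step or manual clock change while the agent waits moves the timeout, and a backwards jump can extend the wait well past maxwaitforcert; `Process.clock_gettime(Process::CLOCK_MONOTONIC)` for both the deadline and the comparison is immune to that, though since `wait_deadline` is exposed via `attr_reader` its unit would need documenting. The deadline is also checked only before a full `sleep(time)`, so a large `waitforcert` can overshoot `maxwaitforcert` by almost a whole interval; `sleep([time, @machine.wait_deadline - Time.now.to_i].min)` would bound the last sleep. The enclosing NeedCert `next_state` method begins before this hunk.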
@@ -219,68 +257,36 @@ class Puppet::SSL::StateMachine
219
257
  end
220
258
  end
221
259
 
222
- # We cannot make progress due to an error.
223
- #
224
- class Error < SSLState
225
- attr_reader :message, :error
226
-
227
- def initialize(machine, message, error)
228
- super(machine, nil)
229
- @message = message
230
- @error = error
231
- end
232
-
233
- def next_state
234
- Puppet.log_exception(@error, @message)
235
- Wait.new(@machine)
236
- end
237
- end
238
-
239
260
  # We have a CA bundle, optional CRL bundle, a private key and matching cert
240
261
  # that chains to one of the root certs in our bundle.
241
262
  #
242
263
  class Done < SSLState; end
243
264
 
244
- attr_reader :waitforcert, :cert_provider, :ssl_provider
265
+ attr_reader :waitforcert, :wait_deadline, :cert_provider, :ssl_provider
245
266
 
246
- # Construct a state machine to manage the SSL initialization process. By
247
- # default, if the state machine encounters an exception, it will log the
248
- # exception and wait for `waitforcert` seconds and retry, restarting from the
249
- # beginning of the state machine.
250
- #
251
- # However, if `onetime` is true, then the state machine will raise the first
252
- # error it encounters, instead of waiting. Otherwise, if `waitforcert` is 0,
253
- # then then state machine will exit instead of wait.
254
- #
255
- # @param waitforcert [Integer] how many seconds to wait between attempts
256
- # @param onetime [Boolean] whether to run onetime
257
- # @param cert_provider [Puppet::X509::CertProvider] cert provider to use
258
- # to load and save X509 objects.
259
- # @param ssl_provider [Puppet::SSL::SSLProvider] ssl provider to use
260
- # to construct ssl contexts.
261
267
  def initialize(waitforcert: Puppet[:waitforcert],
262
- onetime: Puppet[:onetime],
268
+ maxwaitforcert: Puppet[:maxwaitforcert],
263
269
  cert_provider: Puppet::X509::CertProvider.new,
264
- ssl_provider: Puppet::SSL::SSLProvider.new)
270
+ ssl_provider: Puppet::SSL::SSLProvider.new,
271
+ lockfile: Puppet::Util::Pidlock.new(Puppet[:ssl_lockfile]))
265
272
  @waitforcert = waitforcert
266
- @onetime = onetime
273
+ @wait_deadline = Time.now.to_i + maxwaitforcert
267
274
  @cert_provider = cert_provider
268
275
  @ssl_provider = ssl_provider
276
+ @lockfile = lockfile
269
277
  end
270
278
 
271
- # Run the state machine for CA certs and CRLs.
279
+ # Run the state machine for CA certs and CRLs
272
280
  #
273
281
  # @return [Puppet::SSL::SSLContext] initialized SSLContext
274
- # @raise [Puppet::Error] If we fail to generate an SSLContext
275
282
  def ensure_ca_certificates
276
283
  final_state = run_machine(NeedCACerts.new(self), NeedKey)
277
284
  final_state.ssl_context
278
285
  end
279
286
 
280
- # Run the state machine for CA certs and CRLs.
287
+ # Run the state machine for CA certs and CRLs
281
288
  #
282
289
  # @return [Puppet::SSL::SSLContext] initialized SSLContext
283
- # @raise [Puppet::Error] If we fail to generate an SSLContext
284
290
  def ensure_client_certificate
285
291
  final_state = run_machine(NeedCACerts.new(self), Done)
286
292
  ssl_context = final_state.ssl_context
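Review bot: The YARD block describing `initialize` (its `@param` lines for `waitforcert`, `cert_provider` and `ssl_provider`) is deleted at old lines 246–260 and nothing replaces it, while two new keyword parameters, `maxwaitforcert` and `lockfile`, arrive undocumented; the `@raise [Puppet::Error]` tags on `ensure_ca_certificates` and `ensure_client_certificate` are dropped as well, although `with_lock` later in this diff still raises `Puppet::Error`. I would restore the comment with one `@param` per keyword, stating that `maxwaitforcert` is the number of seconds after construction beyond which `Wait` exits instead of retrying and that `lockfile` is the `Puppet::Util::Pidlock` held for the whole run, and replace the removed tags with `# @raise [Puppet::Error] if the SSL lockfile is held by another process`. It would also help to note that, with the `onetime` handling gone, any other exception raised by a state now propagates to the caller.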
@@ -304,28 +310,26 @@ class Puppet::SSL::StateMachine
304
310
  private
305
311
 
306
312
  def run_machine(state, stop)
307
- loop do
308
- state = run_step(state)
309
-
310
- case state
311
- when stop
312
- break
313
- when Error
314
- if @onetime
315
- Puppet.log_exception(state.error)
316
- raise state.error
317
- end
318
- else
319
- # fall through
313
+ with_lock do
314
+ loop do
315
+ state = state.next_state
316
+
317
+ break if state.is_a?(stop)
320
318
  end
321
319
  end
322
320
 
323
321
  state
324
322
  end
325
323
 
326
- def run_step(state)
327
- state.next_state
328
- rescue => e
329
- state.to_error(e.message, e)
324
+ def with_lock
325
+ if @lockfile.lock
326
+ begin
327
+ yield
328
+ ensure
329
+ @lockfile.unlock
330
+ end
331
+ else
332
+ raise Puppet::Error, _('Another puppet instance is already running; exiting')
333
+ end
330
334
  end
331
335
  end
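Review bot: `with_lock` turns every failed `@lockfile.lock` into "Another puppet instance is already running", but a Pidlock can presumably also fail for reasons such as an unwritable lock directory, and the message names neither the lock path nor the cause; I would include the path, e.g. `raise Puppet::Error, _("Another puppet instance is already running; exiting (lockfile %{path})") % { path: @lockfile.file_path }`, if `Pidlock` exposes it under that name. Removing `run_step` also removes the blanket `rescue => e` that previously converted any StandardError into an `Error` state, so an unexpected exception inside a state's `next_state` (an OpenSSL error during key generation, an I/O error while saving the key) now propagates out of `run_machine`; the `ensure` still releases the lock, which is correct, but the public methods' `@raise` documentation should describe this new contract.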