puppet 6.4.5-x64-mingw32 → 6.5.0-x64-mingw32

data/lib/puppet/settings.rb

@@ -84,46 +84,6 @@ class Puppet::Settings
     "puppet.conf"
   end
 
-  def stringify_settings(section, settings = :all)
-    values_from_the_selected_section =
-      values(nil, section.to_sym)
-
-    loader_settings = {
-      :environmentpath => values_from_the_selected_section.interpolate(:environmentpath),
-      :basemodulepath => values_from_the_selected_section.interpolate(:basemodulepath),
-    }
-
-    Puppet.override(Puppet.base_context(loader_settings),
-                    _("New environment loaders generated from the requested section.")) do
-      # And now we can lookup values that include those from environments configured from
-      # the requested section
-      values = values(Puppet[:environment].to_sym, section.to_sym)
-
-      to_be_rendered = {}
-      settings = Puppet.settings.to_a.collect(&:first) if settings == :all
-      settings.sort.each do |setting_name|
-        to_be_rendered[setting_name] = values.print(setting_name.to_sym)
-      end
-
-      stringifyhash(to_be_rendered)
-    end
-  end
-
-  def stringifyhash(hash)
-    newhash = {}
-    hash.each do |key, val|
-      key = key.to_s
-      if val.is_a? Hash
-        newhash[key] = stringifyhash(val)
-      elsif val.is_a? Symbol
-        newhash[key] = val.to_s
-      else
-        newhash[key] = val
-      end
-    end
-    newhash
-  end
-
   # Create a new collection of config settings.
   def initialize
     @config = {}
@@ -1229,10 +1189,10 @@ Generated on #{Time.now}.
       if !Puppet::FileSystem.symlink?(configured_environment_path)
         parameters = { :ensure => 'directory' }
         unless Puppet::FileSystem.exist?(configured_environment_path)
-          parameters[:mode] = '0750'
+          parameters.merge!(:mode => '0750')
           if Puppet.features.root?
-            parameters[:owner] = Puppet[:user] if service_user_available?
-            parameters[:group] = Puppet[:group] if service_group_available?
+            parameters.merge!(:owner => Puppet[:user]) if service_user_available?
+            parameters.merge!(:group => Puppet[:group]) if service_group_available?
           end
         end
         catalog.add_resource(Puppet::Resource.new(:file, configured_environment_path, :parameters => parameters))

data/lib/puppet/settings/environment_conf.rb

@@ -159,7 +159,6 @@ class Puppet::Settings::EnvironmentConf
 
     return valid
   end
-  private_class_method :validate
 
   def get_setting(setting_name, default = nil)
     value = raw_setting(setting_name)

data/lib/puppet/ssl/certificate_request.rb

@@ -75,7 +75,17 @@ DOC
     csr = OpenSSL::X509::Request.new
     csr.version = 0
     csr.subject = OpenSSL::X509::Name.new([["CN", common_name]])
-    csr.public_key = key.public_key
+
+    csr.public_key = if key.is_a?(OpenSSL::PKey::EC)
+                       # EC#public_key doesn't follow the PKey API,
+                       # see https://github.com/ruby/openssl/issues/29
+                       point = key.public_key
+                       pubkey = OpenSSL::PKey::EC.new(point.group)
+                       pubkey.public_key = point
+                       pubkey
+                     else
+                       key.public_key
+                     end
 
     if options[:csr_attributes]
       add_csr_attributes(csr, options[:csr_attributes])
@@ -88,7 +98,7 @@ DOC
     signer = Puppet::SSL::CertificateSigner.new
     signer.sign(csr, key)
 
-    raise Puppet::Error, _("CSR sign verification failed; you need to clean the certificate request for %{name} on the server") % { name: name } unless csr.verify(key.public_key)
+    raise Puppet::Error, _("CSR sign verification failed; you need to clean the certificate request for %{name} on the server") % { name: name } unless csr.verify(csr.public_key)
 
     @content = csr
 

data/lib/puppet/ssl/host.rb

@@ -121,7 +121,7 @@ class Puppet::SSL::Host
       generate_key unless key
 
       # get CA and optional CRL
-      sm = Puppet::SSL::StateMachine.new(onetime: true)
+      sm = Puppet::SSL::StateMachine.new
       sm.ensure_ca_certificates
 
       cert = get_host_certificate
@@ -272,7 +272,7 @@ ERROR_STRING
       exit(1)
     end
 
-    loop do
+    while true
       sleep time
       begin
         break if certificate

data/lib/puppet/ssl/oids.rb

@@ -101,7 +101,7 @@ module Puppet::SSL::Oids
   #    shortname: 'myothershortname'
   #    longname: 'Other Long name'
   def self.parse_custom_oid_file(custom_oid_file, map_key='oid_mapping')
-    if File.exist?(custom_oid_file) && File.readable?(custom_oid_file)
+    if File.exists?(custom_oid_file) && File.readable?(custom_oid_file)
       mapping = nil
       begin
         mapping = Puppet::Util::Yaml.safe_load_file(custom_oid_file, [Symbol])

data/lib/puppet/ssl/ssl_provider.rb

@@ -51,7 +51,7 @@ class Puppet::SSL::SSLProvider
   #
   # @param cacerts [Array<OpenSSL::X509::Certificate>] Array of trusted CA certs
   # @param crls [Array<OpenSSL::X509::CRL>] Array of CRLs
-  # @param private_key [OpenSSL::PKey::RSA] client's private key
+  # @param private_key [OpenSSL::PKey::RSA, OpenSSL::PKey::EC] client's private key
   # @param client_cert [OpenSSL::X509::Certificate] client's cert whose public
   #   key matches the `private_key`
   # @param revocation [:chain, :leaf, false] revocation mode
@@ -70,7 +70,7 @@ class Puppet::SSL::SSLProvider
     store = create_x509_store(cacerts, crls, revocation)
     client_chain = verify_cert_with_store(store, client_cert)
 
-    unless private_key.is_a?(OpenSSL::PKey::RSA)
+    if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
       raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
     end
 
@@ -90,13 +90,17 @@ class Puppet::SSL::SSLProvider
   # and private key. Connections made from the returned context will be mutually
   # authenticated.
   #
+  # @param certname [String] Which cert & key to load
   # @param revocation [:chain, :leaf, false] revocation mode
+  # @param password [String, nil] If the private key is encrypted, decrypt
+  #   it using the password. If the key is encrypted, but a password is
+  #   not specified, then the key cannot be loaded.
   # @return [Puppet::SSL::SSLContext] A context to use to create connections
   # @raise [Puppet::SSL::CertVerifyError] There was an issue with
   #   one of the certs or CRLs.
   # @raise [Puppet::Error] There was an issue with one of the required components.
   # @api private
-  def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation])
+  def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil)
     cert = Puppet::X509::CertProvider.new
     cacerts = cert.load_cacerts(required: true)
     crls = case revocation
@@ -105,10 +109,12 @@ class Puppet::SSL::SSLProvider
            else
              []
            end
-    private_key = cert.load_private_key(certname, required: true)
+    private_key = cert.load_private_key(certname, required: true, password: password)
     client_cert = cert.load_client_cert(certname, required: true)
 
     create_context(cacerts: cacerts, crls: crls,  private_key: private_key, client_cert: client_cert, revocation: revocation)
+  rescue OpenSSL::PKey::PKeyError => e
+    raise Puppet::SSL::SSLError.new(_("Failed to load private key for host '%{name}': %{message}") % { name: certname, message: e.message }, e)
   end
 
   # Verify the `csr` was signed with a private key corresponding to the
@@ -116,7 +122,7 @@ class Puppet::SSL::SSLProvider
   # of the private key, and that it hasn't been tampered with since.
   #
   # @param csr [OpenSSL::X509::Request] certificate signing request
-  # @param public_key [OpenSSL::PKey::RSA] public key
+  # @param public_key [OpenSSL::PKey::RSA, OpenSSL::PKey::EC] public key
   # @raise [Puppet::SSL:SSLError] The private_key for the given `public_key` was
   #   not used to sign the CSR.
   # @api private

data/lib/puppet/ssl/state_machine.rb

@@ -1,4 +1,5 @@
 require 'puppet/ssl'
+require 'puppet/util/pidlock'
 
 # This class implements a state machine for bootstrapping a host's CA and CRL
 # bundles, private key and signed client certificate. Each state has a frozen
@@ -20,12 +21,6 @@ class Puppet::SSL::StateMachine
       @cert_provider = machine.cert_provider
       @ssl_provider = machine.ssl_provider
     end
-
-    def to_error(message, cause)
-      detail = Puppet::Error.new(message)
-      detail.set_backtrace(cause.backtrace)
-      Error.new(@machine, message, detail)
-    end
   end
 
   # Load existing CA certs or download them. Transition to NeedCRLs.
@@ -51,13 +46,11 @@ class Puppet::SSL::StateMachine
       end
 
       NeedCRLs.new(@machine, next_ctx)
-    rescue OpenSSL::X509::CertificateError => e
-      Error.new(@machine, e.message, e)
     rescue Puppet::Rest::ResponseError => e
       if e.response.code.to_i == 404
-        to_error(_('CA certificate is missing from the server'), e)
+        raise Puppet::Error.new(_('CA certificate is missing from the server'))
       else
-        to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
+        raise Puppet::Error.new(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
       end
     end
   end
@@ -77,12 +70,19 @@ class Puppet::SSL::StateMachine
         crls = @cert_provider.load_crls
         if crls
           next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
+
+          crl_ttl = Puppet[:crl_refresh_interval]
+          if crl_ttl
+            last_update = @cert_provider.crl_last_update
+            now = Time.now
+            if last_update.nil? || now.to_i > last_update.to_i + crl_ttl
+              # set last updated time first, then make a best effort to refresh
+              @cert_provider.crl_last_update = now
+              next_ctx = refresh_crl(next_ctx, last_update)
+            end
+          end
         else
-          pem = Puppet::Rest::Routes.get_crls(Puppet::SSL::CA_NAME, @ssl_context)
-          crls = @cert_provider.load_crls_from_pem(pem)
-          # verify crls before saving
-          next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
-          @cert_provider.save_crls(crls)
+          next_ctx = download_crl(@ssl_context, nil)
         end
       else
         Puppet.info("Certificate revocation is disabled, skipping CRL download")
@@ -90,14 +90,45 @@ class Puppet::SSL::StateMachine
       end
 
       NeedKey.new(@machine, next_ctx)
-    rescue OpenSSL::X509::CRLError => e
-      Error.new(@machine, e.message, e)
     rescue Puppet::Rest::ResponseError => e
       if e.response.code.to_i == 404
-        to_error(_('CRL is missing from the server'), e)
+        raise Puppet::Error.new(_('CRL is missing from the server'))
+      else
+        raise Puppet::Error.new(_('Could not download CRLs: %{message}') % { message: e.message }, e)
+      end
+    end
+
+    private
+
+    def refresh_crl(ssl_ctx, last_update)
+      Puppet.info(_("Refreshing CRL"))
+
+      # return the next_ctx containing the updated crl
+      download_crl(ssl_ctx, last_update)
+    rescue Puppet::Rest::ResponseError => e
+      if e.response.code.to_i == 304
+        Puppet.info(_("CRL is unmodified, using existing CRL"))
       else
-        to_error(_('Could not download CRLs: %{message}') % { message: e.message }, e)
+        Puppet.info(_("Failed to refresh CRL, using existing CRL: %{message}") % {message: e.message})
       end
+
+      # return the original ssl_ctx
+      ssl_ctx
+    rescue SystemCallError => e
+      Puppet.warning(_("Failed to refresh CRL, using existing CRL: %{message}") % {message: e.message})
+
+      # return the original ssl_ctx
+      ssl_ctx
+    end
+
+    def download_crl(ssl_ctx, last_update)
+      pem = Puppet::Rest::Routes.get_crls(Puppet::SSL::CA_NAME, ssl_ctx, if_modified_since: last_update)
+      crls = @cert_provider.load_crls_from_pem(pem)
+      # verify crls before saving
+      next_ctx = @ssl_provider.create_root_context(cacerts: ssl_ctx[:cacerts], crls: crls)
+      @cert_provider.save_crls(crls)
+
+      next_ctx
     end
   end
 
@@ -110,7 +141,8 @@ class Puppet::SSL::StateMachine
     def next_state
       Puppet.debug(_("Loading/generating private key"))
 
-      key = @cert_provider.load_private_key(Puppet[:certname])
+      password = @cert_provider.load_private_key_password
+      key = @cert_provider.load_private_key(Puppet[:certname], password: password)
       if key
         cert = @cert_provider.load_client_cert(Puppet[:certname])
         if cert
@@ -120,9 +152,15 @@ class Puppet::SSL::StateMachine
           return Done.new(@machine, next_ctx)
         end
       else
-        Puppet.info _("Creating a new SSL key for %{name}") % { name: Puppet[:certname] }
-        key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
-        @cert_provider.save_private_key(Puppet[:certname], key)
+        if Puppet[:key_type] == 'ec'
+          Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: Puppet[:certname], curve: Puppet[:named_curve] }
+          key = OpenSSL::PKey::EC.generate(Puppet[:named_curve])
+        else
+          Puppet.info _("Creating a new RSA SSL key for %{name}") % { name: Puppet[:certname] }
+          key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
+        end
+
+        @cert_provider.save_private_key(Puppet[:certname], key, password: password)
       end
 
       NeedSubmitCSR.new(@machine, @ssl_context, key)
@@ -155,11 +193,11 @@ class Puppet::SSL::StateMachine
       @cert_provider.save_request(Puppet[:certname], csr)
       NeedCert.new(@machine, @ssl_context, @private_key)
     rescue Puppet::Rest::ResponseError => e
-      if e.response.code.to_i == 400
-        NeedCert.new(@machine, @ssl_context, @private_key)
-      else
-        to_error(_("Failed to submit the CSR, HTTP response was %{code}") % { code: e.response.code }, e)
+      if e.response.code.to_i != 400
+        raise Puppet::SSL::SSLError.new(_("Failed to submit the CSR, HTTP response was %{code}") % { code: e.response.code }, e)
       end
+
+      NeedCert.new(@machine, @ssl_context, @private_key)
     end
   end
 
@@ -180,37 +218,37 @@ class Puppet::SSL::StateMachine
       @cert_provider.delete_request(Puppet[:certname])
       Done.new(@machine, next_ctx)
     rescue Puppet::SSL::SSLError => e
-      Error.new(@machine, e.message, e)
+      Puppet.log_exception(e)
+      Wait.new(@machine, @ssl_context)
     rescue OpenSSL::X509::CertificateError => e
-      Error.new(@machine, _("Failed to parse certificate: %{message}") % {message: e.message}, e)
+      Puppet.log_exception(e, _("Failed to parse certificate: %{message}") % {message: e.message})
+      Wait.new(@machine, @ssl_context)
     rescue Puppet::Rest::ResponseError => e
       if e.response.code.to_i == 404
         Puppet.info(_("Certificate for %{certname} has not been signed yet") % {certname: Puppet[:certname]})
-        $stdout.puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}).") % { name: Puppet[:certname] }
-        Wait.new(@machine)
       else
-        to_error(_("Failed to retrieve certificate for %{certname}: %{message}") %
-                 {certname: Puppet[:certname], message: e.response.message}, e)
+        Puppet.log_exception(e, _("Failed to retrieve certificate for %{certname}: %{message}") %
+                             {certname: Puppet[:certname], message: e.response.message})
       end
+      Wait.new(@machine, @ssl_context)
     end
   end
 
-  # We cannot make progress, so wait if allowed to do so, or exit.
+  # We cannot make progress, so wait if allowed to do so, or error.
   #
   class Wait < SSLState
-    def initialize(machine)
-      super(machine, nil)
-    end
-
     def next_state
       time = @machine.waitforcert
       if time < 1
-        puts _("Exiting now because the waitforcert setting is set to 0.")
+        puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the waitforcert setting is set to 0.") % { name: Puppet[:certname] }
+        exit(1)
+      elsif Time.now.to_i > @machine.wait_deadline
+        puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the maxwaitforcert timeout has been exceeded.") % {name: Puppet[:certname] }
         exit(1)
       else
-        Puppet.info(_("Will try again in %{time} seconds.") % {time: time})
+        Puppet.info(_("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Will try again in %{time} seconds.") % {name: Puppet[:certname], time: time})
 
-        Kernel.sleep(time)
+        sleep(time)
 
         # our ssl directory may have been cleaned while we were
         # sleeping, start over from the top
@@ -219,68 +257,36 @@ class Puppet::SSL::StateMachine
     end
   end
 
-  # We cannot make progress due to an error.
-  #
-  class Error < SSLState
-    attr_reader :message, :error
-
-    def initialize(machine, message, error)
-      super(machine, nil)
-      @message = message
-      @error = error
-    end
-
-    def next_state
-      Puppet.log_exception(@error, @message)
-      Wait.new(@machine)
-    end
-  end
-
   # We have a CA bundle, optional CRL bundle, a private key and matching cert
   # that chains to one of the root certs in our bundle.
   #
   class Done < SSLState; end
 
-  attr_reader :waitforcert,  :cert_provider, :ssl_provider
+  attr_reader :waitforcert, :wait_deadline, :cert_provider, :ssl_provider
 
-  # Construct a state machine to manage the SSL initialization process. By
-  # default, if the state machine encounters an exception, it will log the
-  # exception and wait for `waitforcert` seconds and retry, restarting from the
-  # beginning of the state machine.
-  #
-  # However, if `onetime` is true, then the state machine will raise the first
-  # error it encounters, instead of waiting. Otherwise, if `waitforcert` is 0,
-  # then then state machine will exit instead of wait.
-  #
-  # @param waitforcert [Integer] how many seconds to wait between attempts
-  # @param onetime [Boolean] whether to run onetime
-  # @param cert_provider [Puppet::X509::CertProvider] cert provider to use
-  #   to load and save X509 objects.
-  # @param ssl_provider [Puppet::SSL::SSLProvider] ssl provider to use
-  #   to construct ssl contexts.
   def initialize(waitforcert: Puppet[:waitforcert],
-                 onetime: Puppet[:onetime],
+                 maxwaitforcert: Puppet[:maxwaitforcert],
                  cert_provider: Puppet::X509::CertProvider.new,
-                 ssl_provider: Puppet::SSL::SSLProvider.new)
+                 ssl_provider: Puppet::SSL::SSLProvider.new,
+                 lockfile: Puppet::Util::Pidlock.new(Puppet[:ssl_lockfile]))
     @waitforcert = waitforcert
-    @onetime = onetime
+    @wait_deadline = Time.now.to_i + maxwaitforcert
     @cert_provider = cert_provider
     @ssl_provider = ssl_provider
+    @lockfile = lockfile
   end
 
-  # Run the state machine for CA certs and CRLs.
+  # Run the state machine for CA certs and CRLs
   #
   # @return [Puppet::SSL::SSLContext] initialized SSLContext
-  # @raise [Puppet::Error] If we fail to generate an SSLContext
   def ensure_ca_certificates
     final_state = run_machine(NeedCACerts.new(self), NeedKey)
     final_state.ssl_context
   end
 
-  # Run the state machine for CA certs and CRLs.
+  # Run the state machine for CA certs and CRLs
   #
   # @return [Puppet::SSL::SSLContext] initialized SSLContext
-  # @raise [Puppet::Error] If we fail to generate an SSLContext
   def ensure_client_certificate
     final_state = run_machine(NeedCACerts.new(self), Done)
     ssl_context = final_state.ssl_context
@@ -304,28 +310,26 @@ class Puppet::SSL::StateMachine
   private
 
   def run_machine(state, stop)
-    loop do
-      state = run_step(state)
-
-      case state
-      when stop
-        break
-      when Error
-        if @onetime
-          Puppet.log_exception(state.error)
-          raise state.error
-        end
-      else
-        # fall through
+    with_lock do
+      loop do
+        state = state.next_state
+
+        break if state.is_a?(stop)
       end
     end
 
     state
   end
 
-  def run_step(state)
-    state.next_state
-  rescue => e
-    state.to_error(e.message, e)
+  def with_lock
+    if @lockfile.lock
+      begin
+        yield
+      ensure
+        @lockfile.unlock
+      end
+    else
+      raise Puppet::Error, _('Another puppet instance is already running; exiting')
+    end
   end
 end