puppet 6.4.5-x64-mingw32 → 6.5.0-x64-mingw32
- checksums.yaml +4 -4
- data/CODEOWNERS +10 -10
- data/Gemfile +6 -6
- data/Gemfile.lock +46 -52
- data/ext/build_defaults.yaml +0 -1
- data/ext/project_data.yaml +3 -3
- data/ext/regexp_nodes/regexp_nodes.rb +4 -4
- data/ext/solaris/smf/puppet.xml +0 -2
- data/ext/windows/eventlog/Rakefile +32 -0
- data/ext/windows/eventlog/puppetres.dll +0 -0
- data/ext/windows/eventlog/puppetres.mc +18 -0
- data/ext/windows/service/daemon.rb +8 -38
- data/install.rb +24 -6
- data/lib/puppet.rb +3 -1
- data/lib/puppet/application.rb +1 -1
- data/lib/puppet/application/agent.rb +11 -34
- data/lib/puppet/application/apply.rb +6 -6
- data/lib/puppet/application/describe.rb +9 -3
- data/lib/puppet/application/device.rb +4 -14
- data/lib/puppet/application/doc.rb +1 -1
- data/lib/puppet/application/lookup.rb +2 -2
- data/lib/puppet/application/resource.rb +4 -4
- data/lib/puppet/application/script.rb +2 -2
- data/lib/puppet/application/ssl.rb +10 -9
- data/lib/puppet/configurer.rb +30 -86
- data/lib/puppet/configurer/downloader.rb +6 -2
- data/lib/puppet/defaults.rb +50 -44
- data/lib/puppet/error.rb +14 -9
- data/lib/puppet/face/catalog.rb +20 -1
- data/lib/puppet/face/config.rb +48 -10
- data/lib/puppet/face/facts.rb +1 -1
- data/lib/puppet/face/help.rb +1 -1
- data/lib/puppet/face/module/list.rb +5 -5
- data/lib/puppet/face/module/search.rb +1 -1
- data/lib/puppet/face/module/uninstall.rb +1 -1
- data/lib/puppet/face/module/upgrade.rb +1 -1
- data/lib/puppet/face/parser.rb +48 -9
- data/lib/puppet/face/plugin.rb +2 -9
- data/lib/puppet/file_serving/http_metadata.rb +1 -1
- data/lib/puppet/file_system.rb +12 -2
- data/lib/puppet/file_system/file_impl.rb +6 -3
- data/lib/puppet/file_system/memory_file.rb +1 -1
- data/lib/puppet/file_system/posix.rb +2 -3
- data/lib/puppet/forge.rb +3 -3
- data/lib/puppet/functions.rb +2 -1
- data/lib/puppet/functions/camelcase.rb +2 -2
- data/lib/puppet/functions/epp.rb +4 -4
- data/lib/puppet/functions/find_file.rb +9 -9
- data/lib/puppet/functions/inline_epp.rb +5 -5
- data/lib/puppet/functions/regsubst.rb +6 -8
- data/lib/puppet/gettext/module_translations.rb +1 -1
- data/lib/puppet/graph/rb_tree_map.rb +2 -2
- data/lib/puppet/graph/simple_graph.rb +3 -4
- data/lib/puppet/indirector/catalog/compiler.rb +5 -11
- data/lib/puppet/indirector/file_bucket_file/file.rb +1 -1
- data/lib/puppet/indirector/hiera.rb +0 -2
- data/lib/puppet/indirector/resource/ral.rb +3 -1
- data/lib/puppet/indirector/resource/validator.rb +1 -1
- data/lib/puppet/interface.rb +1 -2
- data/lib/puppet/loaders.rb +1 -0
- data/lib/puppet/metatype/manager.rb +1 -1
- data/lib/puppet/module.rb +1 -1
- data/lib/puppet/module/task.rb +4 -20
- data/lib/puppet/module_tool/applications/installer.rb +1 -1
- data/lib/puppet/module_tool/applications/uninstaller.rb +3 -3
- data/lib/puppet/module_tool/metadata.rb +1 -1
- data/lib/puppet/module_tool/shared_behaviors.rb +4 -4
- data/lib/puppet/module_tool/tar/mini.rb +2 -12
- data/lib/puppet/network/http/api/indirected_routes.rb +11 -12
- data/lib/puppet/network/http/connection.rb +12 -10
- data/lib/puppet/network/http/factory.rb +11 -1
- data/lib/puppet/network/http/pool.rb +0 -2
- data/lib/puppet/network/http/site.rb +1 -1
- data/lib/puppet/network/resolver.rb +2 -2
- data/lib/puppet/node/environment.rb +2 -4
- data/lib/puppet/pal/pal_impl.rb +2 -2
- data/lib/puppet/parser/ast.rb +1 -1
- data/lib/puppet/parser/ast/resourceparam.rb +1 -1
- data/lib/puppet/parser/functions.rb +1 -1
- data/lib/puppet/parser/functions/epp.rb +3 -3
- data/lib/puppet/parser/functions/fail.rb +8 -1
- data/lib/puppet/parser/functions/inline_epp.rb +5 -5
- data/lib/puppet/parser/scope.rb +7 -8
- data/lib/puppet/pops/evaluator/collectors/catalog_collector.rb +1 -1
- data/lib/puppet/pops/evaluator/collectors/exported_collector.rb +1 -1
- data/lib/puppet/pops/evaluator/external_syntax_support.rb +2 -3
- data/lib/puppet/pops/evaluator/runtime3_support.rb +4 -4
- data/lib/puppet/pops/loader/null_loader.rb +60 -0
- data/lib/puppet/pops/loader/ruby_legacy_function_instantiator.rb +6 -4
- data/lib/puppet/pops/loader/task_instantiator.rb +0 -4
- data/lib/puppet/pops/loaders.rb +1 -1
- data/lib/puppet/pops/lookup/hiera_config.rb +0 -1
- data/lib/puppet/pops/lookup/sub_lookup.rb +1 -1
- data/lib/puppet/pops/merge_strategy.rb +18 -22
- data/lib/puppet/pops/parser/heredoc_support.rb +1 -1
- data/lib/puppet/pops/parser/interpolation_support.rb +4 -4
- data/lib/puppet/pops/parser/locator.rb +1 -1
- data/lib/puppet/pops/parser/pn_parser.rb +16 -17
- data/lib/puppet/pops/puppet_stack.rb +49 -51
- data/lib/puppet/pops/types/p_sensitive_type.rb +1 -1
- data/lib/puppet/pops/types/string_converter.rb +10 -10
- data/lib/puppet/pops/types/types.rb +6 -5
- data/lib/puppet/property.rb +1 -1
- data/lib/puppet/property/ensure.rb +1 -1
- data/lib/puppet/provider/exec.rb +2 -6
- data/lib/puppet/provider/file/posix.rb +0 -5
- data/lib/puppet/provider/nameservice.rb +3 -10
- data/lib/puppet/provider/nameservice/directoryservice.rb +1 -1
- data/lib/puppet/provider/nameservice/pw.rb +2 -2
- data/lib/puppet/provider/package.rb +0 -2
- data/lib/puppet/provider/package/apt.rb +1 -5
- data/lib/puppet/provider/package/dnf.rb +1 -1
- data/lib/puppet/provider/package/dpkg.rb +18 -34
- data/lib/puppet/provider/package/openbsd.rb +1 -1
- data/lib/puppet/provider/package/pip.rb +13 -37
- data/lib/puppet/provider/package/portage.rb +4 -4
- data/lib/puppet/provider/package/puppet_gem.rb +1 -1
- data/lib/puppet/provider/package/rpm.rb +18 -56
- data/lib/puppet/provider/package/windows/package.rb +1 -1
- data/lib/puppet/provider/package/yum.rb +5 -9
- data/lib/puppet/provider/package_targetable.rb +4 -7
- data/lib/puppet/provider/parsedfile.rb +1 -1
- data/lib/puppet/provider/service/daemontools.rb +9 -9
- data/lib/puppet/provider/service/launchd.rb +5 -20
- data/lib/puppet/provider/service/openbsd.rb +1 -1
- data/lib/puppet/provider/service/rcng.rb +2 -2
- data/lib/puppet/provider/service/runit.rb +8 -2
- data/lib/puppet/provider/service/systemd.rb +19 -14
- data/lib/puppet/provider/service/windows.rb +0 -8
- data/lib/puppet/provider/user/directoryservice.rb +1 -1
- data/lib/puppet/provider/user/hpux.rb +1 -1
- data/lib/puppet/provider/user/pw.rb +3 -12
- data/lib/puppet/provider/user/user_role_add.rb +1 -5
- data/lib/puppet/provider/user/useradd.rb +20 -45
- data/lib/puppet/provider/user/windows_adsi.rb +5 -4
- data/lib/puppet/reference/configuration.rb +3 -3
- data/lib/puppet/reference/indirection.rb +2 -2
- data/lib/puppet/reference/metaparameter.rb +3 -1
- data/lib/puppet/reference/providers.rb +3 -1
- data/lib/puppet/reference/type.rb +9 -3
- data/lib/puppet/reports.rb +1 -1
- data/lib/puppet/resource.rb +1 -18
- data/lib/puppet/resource/catalog.rb +1 -1
- data/lib/puppet/rest/routes.rb +30 -17
- data/lib/puppet/settings.rb +3 -43
- data/lib/puppet/settings/environment_conf.rb +0 -1
- data/lib/puppet/ssl/certificate_request.rb +12 -2
- data/lib/puppet/ssl/host.rb +2 -2
- data/lib/puppet/ssl/oids.rb +1 -1
- data/lib/puppet/ssl/ssl_provider.rb +11 -5
- data/lib/puppet/ssl/state_machine.rb +102 -98
- data/lib/puppet/test/test_helper.rb +1 -0
- data/lib/puppet/transaction.rb +11 -33
- data/lib/puppet/transaction/report.rb +1 -1
- data/lib/puppet/type.rb +4 -2
- data/lib/puppet/type/exec.rb +17 -23
- data/lib/puppet/type/file.rb +39 -11
- data/lib/puppet/type/file/data_sync.rb +1 -5
- data/lib/puppet/type/group.rb +2 -4
- data/lib/puppet/type/notify.rb +3 -4
- data/lib/puppet/type/package.rb +3 -20
- data/lib/puppet/type/schedule.rb +1 -1
- data/lib/puppet/type/service.rb +3 -8
- data/lib/puppet/type/user.rb +2 -4
- data/lib/puppet/util.rb +29 -39
- data/lib/puppet/util/command_line/trollop.rb +1 -1
- data/lib/puppet/util/execution.rb +3 -4
- data/lib/puppet/util/http_proxy.rb +19 -27
- data/lib/puppet/util/log.rb +2 -2
- data/lib/puppet/util/log/destinations.rb +2 -2
- data/lib/puppet/util/logging.rb +20 -32
- data/lib/puppet/util/metric.rb +2 -2
- data/lib/puppet/util/monkey_patches.rb +33 -0
- data/lib/puppet/util/pidlock.rb +2 -3
- data/lib/puppet/util/provider_features.rb +4 -2
- data/lib/puppet/util/rdoc.rb +1 -1
- data/lib/puppet/util/reference.rb +1 -1
- data/lib/puppet/util/resource_template.rb +1 -1
- data/lib/puppet/util/selinux.rb +2 -8
- data/lib/puppet/util/skip_tags.rb +4 -0
- data/lib/puppet/util/windows/adsi.rb +18 -48
- data/lib/puppet/util/windows/process.rb +8 -8
- data/lib/puppet/util/windows/registry.rb +5 -7
- data/lib/puppet/util/windows/security.rb +0 -2
- data/lib/puppet/util/windows/service.rb +4 -149
- data/lib/puppet/util/windows/sid.rb +0 -1
- data/lib/puppet/vendor.rb +1 -1
- data/lib/puppet/version.rb +1 -1
- data/lib/puppet/x509/cert_provider.rb +81 -24
- data/locales/puppet.pot +462 -482
- data/man/man5/puppet.conf.5 +43 -44
- data/man/man8/puppet-agent.8 +1 -1
- data/man/man8/puppet-apply.8 +3 -3
- data/man/man8/puppet-catalog.8 +31 -3
- data/man/man8/puppet-config.8 +1 -1
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +1 -1
- data/man/man8/puppet-filebucket.8 +1 -1
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +1 -1
- data/man/man8/puppet-key.8 +1 -1
- data/man/man8/puppet-lookup.8 +1 -1
- data/man/man8/puppet-man.8 +1 -1
- data/man/man8/puppet-module.8 +1 -1
- data/man/man8/puppet-node.8 +1 -1
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +1 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +1 -1
- data/man/man8/puppet-status.8 +1 -1
- data/man/man8/puppet.8 +3 -3
- data/spec/fixtures/ssl/127.0.0.1-key.pem +56 -56
- data/spec/fixtures/ssl/127.0.0.1.pem +27 -27
- data/spec/fixtures/ssl/bad-basic-constraints.pem +32 -32
- data/spec/fixtures/ssl/bad-int-basic-constraints.pem +30 -30
- data/spec/fixtures/ssl/ca.pem +30 -30
- data/spec/fixtures/ssl/crl.pem +15 -15
- data/spec/fixtures/ssl/ec-key.pem +18 -0
- data/spec/fixtures/ssl/ec.pem +40 -0
- data/spec/fixtures/ssl/encrypted-ec-key.pem +21 -0
- data/spec/fixtures/ssl/encrypted-key.pem +57 -57
- data/spec/fixtures/ssl/intermediate-agent-crl.pem +16 -16
- data/spec/fixtures/ssl/intermediate-agent.pem +33 -33
- data/spec/fixtures/ssl/intermediate-crl.pem +17 -17
- data/spec/fixtures/ssl/intermediate.pem +31 -31
- data/spec/fixtures/ssl/pluto-key.pem +56 -56
- data/spec/fixtures/ssl/pluto.pem +28 -28
- data/spec/fixtures/ssl/request-key.pem +56 -56
- data/spec/fixtures/ssl/request.pem +24 -24
- data/spec/fixtures/ssl/revoked-key.pem +56 -56
- data/spec/fixtures/ssl/revoked.pem +25 -25
- data/spec/fixtures/ssl/signed-key.pem +56 -56
- data/spec/fixtures/ssl/signed.pem +25 -25
- data/spec/fixtures/ssl/tampered-cert.pem +27 -27
- data/spec/fixtures/ssl/tampered-csr.pem +24 -24
- data/spec/fixtures/unit/pops/loaders/loaders/mix_4x_and_3x_functions/usee/lib/puppet/parser/functions/func_with_syntax_error.rb +9 -0
- data/spec/fixtures/vcr/cassettes/Puppet_Network_HTTP_Connection/when_handling_requests/_request_get/should_yield_to_the_block.yml +24 -0
- data/spec/fixtures/vcr/cassettes/Puppet_Network_HTTP_Connection/when_handling_requests/_request_head/should_yield_to_the_block.yml +24 -0
- data/spec/fixtures/vcr/cassettes/Puppet_Network_HTTP_Connection/when_handling_requests/_request_post/should_yield_to_the_block.yml +24 -0
- data/spec/integration/configurer_spec.rb +0 -52
- data/spec/integration/provider/service/init_spec.rb +1 -0
- data/spec/integration/provider/service/systemd_spec.rb +5 -8
- data/spec/integration/type/file_spec.rb +38 -28
- data/spec/integration/util/execution_spec.rb +0 -27
- data/spec/lib/puppet/certificate_factory.rb +2 -2
- data/spec/lib/puppet/test_ca.rb +17 -4
- data/spec/lib/puppet_spec/fixtures.rb +4 -0
- data/spec/spec_helper.rb +0 -28
- data/spec/unit/application/agent_spec.rb +34 -67
- data/spec/unit/application/device_spec.rb +1 -27
- data/spec/unit/application/ssl_spec.rb +60 -35
- data/spec/unit/configurer_spec.rb +399 -395
- data/spec/unit/defaults_spec.rb +4 -4
- data/spec/unit/face/facts_spec.rb +0 -9
- data/spec/unit/face/parser_spec.rb +69 -22
- data/spec/unit/face/plugin_spec.rb +0 -8
- data/spec/unit/file_system_spec.rb +30 -1
- data/spec/unit/forge/forge_spec.rb +3 -1
- data/spec/unit/forge/repository_spec.rb +3 -1
- data/spec/unit/indirector/catalog/compiler_spec.rb +5 -62
- data/spec/unit/indirector/resource/ral_spec.rb +4 -4
- data/spec/unit/module_tool/tar/mini_spec.rb +1 -1
- data/spec/unit/network/http/api/indirected_routes_spec.rb +10 -25
- data/spec/unit/network/http/connection_spec.rb +145 -119
- data/spec/unit/network/http/factory_spec.rb +5 -27
- data/spec/unit/parser/scope_spec.rb +0 -10
- data/spec/unit/pops/evaluator/evaluating_parser_spec.rb +3 -8
- data/spec/unit/pops/loaders/loaders_spec.rb +4 -0
- data/spec/unit/pops/loaders/module_loaders_spec.rb +0 -37
- data/spec/unit/pops/types/types_spec.rb +27 -0
- data/spec/unit/provider/exec_spec.rb +0 -209
- data/spec/unit/provider/package/aptrpm_spec.rb +1 -1
- data/spec/unit/provider/package/dnf_spec.rb +0 -7
- data/spec/unit/provider/package/dpkg_spec.rb +80 -240
- data/spec/unit/provider/package/pip_spec.rb +8 -61
- data/spec/unit/provider/package/portage_spec.rb +4 -4
- data/spec/unit/provider/package/rpm_spec.rb +16 -150
- data/spec/unit/provider/package/yum_spec.rb +0 -7
- data/spec/unit/provider/service/daemontools_spec.rb +0 -24
- data/spec/unit/provider/service/launchd_spec.rb +0 -28
- data/spec/unit/provider/service/runit_spec.rb +0 -24
- data/spec/unit/provider/service/systemd_spec.rb +25 -39
- data/spec/unit/provider/service/windows_spec.rb +0 -20
- data/spec/unit/provider/user/hpux_spec.rb +2 -2
- data/spec/unit/provider/user/pw_spec.rb +0 -37
- data/spec/unit/provider/user/useradd_spec.rb +0 -88
- data/spec/unit/resource_spec.rb +1 -26
- data/spec/unit/ssl/host_spec.rb +5 -0
- data/spec/unit/ssl/ssl_provider_spec.rb +36 -11
- data/spec/unit/ssl/state_machine_spec.rb +233 -158
- data/spec/unit/transaction_spec.rb +0 -64
- data/spec/unit/type/exec_spec.rb +12 -15
- data/spec/unit/type/file/content_spec.rb +3 -9
- data/spec/unit/type/file/source_spec.rb +4 -4
- data/spec/unit/type/file_spec.rb +15 -11
- data/spec/unit/type/package_spec.rb +0 -5
- data/spec/unit/type/schedule_spec.rb +1 -3
- data/spec/unit/type/service_spec.rb +0 -16
- data/spec/unit/util/execution_spec.rb +0 -16
- data/spec/unit/util/http_proxy_spec.rb +21 -151
- data/spec/unit/util/ldap/manager_spec.rb +0 -15
- data/spec/unit/util/log/destinations_spec.rb +3 -7
- data/spec/unit/util/log_spec.rb +138 -0
- data/spec/unit/util/logging_spec.rb +0 -200
- data/spec/unit/util/pidlock_spec.rb +0 -26
- data/spec/unit/util/skip_tags_spec.rb +14 -0
- data/spec/unit/util/windows/adsi_spec.rb +0 -51
- data/spec/unit/util/windows/service_spec.rb +0 -9
- data/spec/unit/util_spec.rb +10 -0
- data/spec/unit/x509/cert_provider_spec.rb +82 -43
- data/tasks/generate_cert_fixtures.rake +13 -1
- data/tasks/manpages.rake +0 -1
- metadata +28 -22
- data/ext/cert_inspector +0 -140
- data/ext/envpuppet +0 -139
- data/ext/envpuppet.bat +0 -14
- data/ext/puppet-test +0 -476
- data/ext/pure_ruby_dsl/dsl_test.rb +0 -7
- data/ext/upload_facts.rb +0 -119
- data/lib/puppet/provider/package/dnfmodule.rb +0 -87
- data/spec/fixtures/unit/provider/package/dnfmodule/dnf-module-list-installed.txt +0 -11
- data/spec/integration/type/notify_spec.rb +0 -46
- data/spec/unit/provider/package/dnfmodule_spec.rb +0 -186
- data/spec/unit/provider/package_targetable_spec.rb +0 -60
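--- a/data/lib/puppet/settings.rb
+++ b/data/lib/puppet/settings.rb
@@ -84,46 +84,6 @@ class Puppet::Settings
     "puppet.conf"
   end
 
-  def stringify_settings(section, settings = :all)
-    values_from_the_selected_section =
-      values(nil, section.to_sym)
-
-    loader_settings = {
-      :environmentpath => values_from_the_selected_section.interpolate(:environmentpath),
-      :basemodulepath => values_from_the_selected_section.interpolate(:basemodulepath),
-    }
-
-    Puppet.override(Puppet.base_context(loader_settings),
-                    _("New environment loaders generated from the requested section.")) do
-      # And now we can lookup values that include those from environments configured from
-      # the requested section
-      values = values(Puppet[:environment].to_sym, section.to_sym)
-
-      to_be_rendered = {}
-      settings = Puppet.settings.to_a.collect(&:first) if settings == :all
-      settings.sort.each do |setting_name|
-        to_be_rendered[setting_name] = values.print(setting_name.to_sym)
-      end
-
-      stringifyhash(to_be_rendered)
-    end
-  end
-
-  def stringifyhash(hash)
-    newhash = {}
-    hash.each do |key, val|
-      key = key.to_s
-      if val.is_a? Hash
-        newhash[key] = stringifyhash(val)
-      elsif val.is_a? Symbol
-        newhash[key] = val.to_s
-      else
-        newhash[key] = val
-      end
-    end
-    newhash
-  end
-
   # Create a new collection of config settings.
   def initialize
     @config = {}
@@ -1229,10 +1189,10 @@ Generated on #{Time.now}.
         if !Puppet::FileSystem.symlink?(configured_environment_path)
           parameters = { :ensure => 'directory' }
           unless Puppet::FileSystem.exist?(configured_environment_path)
-            parameters
+            parameters.merge!(:mode => '0750')
             if Puppet.features.root?
-              parameters
-              parameters
+              parameters.merge!(:owner => Puppet[:user]) if service_user_available?
+              parameters.merge!(:group => Puppet[:group]) if service_group_available?
             end
           end
           catalog.add_resource(Puppet::Resource.new(:file, configured_environment_path, :parameters => parameters))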
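Review bot: The new `parameters.merge!(:mode => '0750')` applies on every first-time creation, while owner and group are only merged when `service_user_available?` / `service_group_available?` hold; when either is false the environment directory is created root-owned with group and other access removed, which presumably is the intended fail-closed default but leaves a service account created afterwards unable to traverse the path until ownership is fixed by hand. That choice deserves a comment next to the `if Puppet.features.root?` line, e.g. `# If the service user/group do not exist yet, fall back to root ownership; with 0750 only root can then enter the directory.`, and a `Puppet.debug` when the fallback is taken so the cause shows up in the agent log. Existing directories are deliberately left alone (the block is inside `unless ... exist?`), so this does not retroactively tighten permissions. The enclosing method starts and ends outside the hunk.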
@@ -75,7 +75,17 @@ DOC
|
|
75
75
|
csr = OpenSSL::X509::Request.new
|
76
76
|
csr.version = 0
|
77
77
|
csr.subject = OpenSSL::X509::Name.new([["CN", common_name]])
|
78
|
-
|
78
|
+
|
79
|
+
csr.public_key = if key.is_a?(OpenSSL::PKey::EC)
|
80
|
+
# EC#public_key doesn't follow the PKey API,
|
81
|
+
# see https://github.com/ruby/openssl/issues/29
|
82
|
+
point = key.public_key
|
83
|
+
pubkey = OpenSSL::PKey::EC.new(point.group)
|
84
|
+
pubkey.public_key = point
|
85
|
+
pubkey
|
86
|
+
else
|
87
|
+
key.public_key
|
88
|
+
end
|
79
89
|
|
80
90
|
if options[:csr_attributes]
|
81
91
|
add_csr_attributes(csr, options[:csr_attributes])
|
@@ -88,7 +98,7 @@ DOC
|
|
88
98
|
signer = Puppet::SSL::CertificateSigner.new
|
89
99
|
signer.sign(csr, key)
|
90
100
|
|
91
|
-
raise Puppet::Error, _("CSR sign verification failed; you need to clean the certificate request for %{name} on the server") % { name: name } unless csr.verify(
|
101
|
+
raise Puppet::Error, _("CSR sign verification failed; you need to clean the certificate request for %{name} on the server") % { name: name } unless csr.verify(csr.public_key)
|
92
102
|
|
93
103
|
@content = csr
|
94
104
|
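Review bot: `csr.verify(csr.public_key)` now only proves the request is internally consistent (the signature matches the key embedded in the CSR); it checks nothing against `key` itself, so the binding to the agent's private key rests entirely on the `csr.public_key = ...` assignment in the earlier hunk of this method. A comment should make that explicit, e.g. `# Self-consistency check only: the public key above was derived from key, so a failure here means signing went wrong, not that the key is unrelated.` The error text about cleaning the request on the server describes remote state for what is a purely local signing failure, which will mislead operators; consider rewording. Separately, the EC branch builds the public key by mutating a fresh `OpenSSL::PKey::EC` via `public_key=`; newer ruby-openssl releases treat PKey objects as immutable, so that path may need revisiting when the bundled OpenSSL is upgraded. The method body begins outside the hunk.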
|
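--- a/data/lib/puppet/ssl/host.rb
+++ b/data/lib/puppet/ssl/host.rb
@@ -121,7 +121,7 @@ class Puppet::SSL::Host
     generate_key unless key
 
     # get CA and optional CRL
-    sm = Puppet::SSL::StateMachine.new
+    sm = Puppet::SSL::StateMachine.new
     sm.ensure_ca_certificates
 
     cert = get_host_certificate
@@ -272,7 +272,7 @@ ERROR_STRING
       exit(1)
     end
 
-
+    while true
       sleep time
       begin
         break if certificate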
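--- a/data/lib/puppet/ssl/oids.rb
+++ b/data/lib/puppet/ssl/oids.rb
@@ -101,7 +101,7 @@ module Puppet::SSL::Oids
   # shortname: 'myothershortname'
   # longname: 'Other Long name'
   def self.parse_custom_oid_file(custom_oid_file, map_key='oid_mapping')
-    if File.
+    if File.exists?(custom_oid_file) && File.readable?(custom_oid_file)
       mapping = nil
       begin
         mapping = Puppet::Util::Yaml.safe_load_file(custom_oid_file, [Symbol])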
@@ -51,7 +51,7 @@ class Puppet::SSL::SSLProvider
|
|
51
51
|
#
|
52
52
|
# @param cacerts [Array<OpenSSL::X509::Certificate>] Array of trusted CA certs
|
53
53
|
# @param crls [Array<OpenSSL::X509::CRL>] Array of CRLs
|
54
|
-
# @param private_key [OpenSSL::PKey::RSA] client's private key
|
54
|
+
# @param private_key [OpenSSL::PKey::RSA, OpenSSL::PKey::EC] client's private key
|
55
55
|
# @param client_cert [OpenSSL::X509::Certificate] client's cert whose public
|
56
56
|
# key matches the `private_key`
|
57
57
|
# @param revocation [:chain, :leaf, false] revocation mode
|
@@ -70,7 +70,7 @@ class Puppet::SSL::SSLProvider
|
|
70
70
|
store = create_x509_store(cacerts, crls, revocation)
|
71
71
|
client_chain = verify_cert_with_store(store, client_cert)
|
72
72
|
|
73
|
-
|
73
|
+
if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
|
74
74
|
raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
|
75
75
|
end
|
76
76
|
|
@@ -90,13 +90,17 @@ class Puppet::SSL::SSLProvider
|
|
90
90
|
# and private key. Connections made from the returned context will be mutually
|
91
91
|
# authenticated.
|
92
92
|
#
|
93
|
+
# @param certname [String] Which cert & key to load
|
93
94
|
# @param revocation [:chain, :leaf, false] revocation mode
|
95
|
+
# @param password [String, nil] If the private key is encrypted, decrypt
|
96
|
+
# it using the password. If the key is encrypted, but a password is
|
97
|
+
# not specified, then the key cannot be loaded.
|
94
98
|
# @return [Puppet::SSL::SSLContext] A context to use to create connections
|
95
99
|
# @raise [Puppet::SSL::CertVerifyError] There was an issue with
|
96
100
|
# one of the certs or CRLs.
|
97
101
|
# @raise [Puppet::Error] There was an issue with one of the required components.
|
98
102
|
# @api private
|
99
|
-
def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation])
|
103
|
+
def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil)
|
100
104
|
cert = Puppet::X509::CertProvider.new
|
101
105
|
cacerts = cert.load_cacerts(required: true)
|
102
106
|
crls = case revocation
|
@@ -105,10 +109,12 @@ class Puppet::SSL::SSLProvider
|
|
105
109
|
else
|
106
110
|
[]
|
107
111
|
end
|
108
|
-
private_key = cert.load_private_key(certname, required: true)
|
112
|
+
private_key = cert.load_private_key(certname, required: true, password: password)
|
109
113
|
client_cert = cert.load_client_cert(certname, required: true)
|
110
114
|
|
111
115
|
create_context(cacerts: cacerts, crls: crls, private_key: private_key, client_cert: client_cert, revocation: revocation)
|
116
|
+
rescue OpenSSL::PKey::PKeyError => e
|
117
|
+
raise Puppet::SSL::SSLError.new(_("Failed to load private key for host '%{name}': %{message}") % { name: certname, message: e.message }, e)
|
112
118
|
end
|
113
119
|
|
114
120
|
# Verify the `csr` was signed with a private key corresponding to the
|
@@ -116,7 +122,7 @@ class Puppet::SSL::SSLProvider
|
|
116
122
|
# of the private key, and that it hasn't been tampered with since.
|
117
123
|
#
|
118
124
|
# @param csr [OpenSSL::X509::Request] certificate signing request
|
119
|
-
# @param public_key [OpenSSL::PKey::RSA] public key
|
125
|
+
# @param public_key [OpenSSL::PKey::RSA, OpenSSL::PKey::EC] public key
|
120
126
|
# @raise [Puppet::SSL:SSLError] The private_key for the given `public_key` was
|
121
127
|
# not used to sign the CSR.
|
122
128
|
# @api private
|
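Review bot: The `rescue OpenSSL::PKey::PKeyError` added at the bottom of `load_context` spans the whole method body, not just the key load, so a PKeyError raised later in the method (for example while building the context from the loaded material) would surface as "Failed to load private key for host", pointing operators at the wrong file. Narrowing the rescue to the `load_private_key` call keeps the message truthful, and the password is still never included in the error text, which is correct. The other hunks in this file are documentation and the RSA/EC type check, which read fine.

```ruby
    private_key = begin
      cert.load_private_key(certname, required: true, password: password)
    rescue OpenSSL::PKey::PKeyError => e
      raise Puppet::SSL::SSLError.new(_("Failed to load private key for host '%{name}': %{message}") % { name: certname, message: e.message }, e)
    end
    client_cert = cert.load_client_cert(certname, required: true)
    # … unchanged: create_context call …
```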
@@ -1,4 +1,5 @@
|
|
1
1
|
require 'puppet/ssl'
|
2
|
+
require 'puppet/util/pidlock'
|
2
3
|
|
3
4
|
# This class implements a state machine for bootstrapping a host's CA and CRL
|
4
5
|
# bundles, private key and signed client certificate. Each state has a frozen
|
@@ -20,12 +21,6 @@ class Puppet::SSL::StateMachine
|
|
20
21
|
@cert_provider = machine.cert_provider
|
21
22
|
@ssl_provider = machine.ssl_provider
|
22
23
|
end
|
23
|
-
|
24
|
-
def to_error(message, cause)
|
25
|
-
detail = Puppet::Error.new(message)
|
26
|
-
detail.set_backtrace(cause.backtrace)
|
27
|
-
Error.new(@machine, message, detail)
|
28
|
-
end
|
29
24
|
end
|
30
25
|
|
31
26
|
# Load existing CA certs or download them. Transition to NeedCRLs.
|
@@ -51,13 +46,11 @@ class Puppet::SSL::StateMachine
|
|
51
46
|
end
|
52
47
|
|
53
48
|
NeedCRLs.new(@machine, next_ctx)
|
54
|
-
rescue OpenSSL::X509::CertificateError => e
|
55
|
-
Error.new(@machine, e.message, e)
|
56
49
|
rescue Puppet::Rest::ResponseError => e
|
57
50
|
if e.response.code.to_i == 404
|
58
|
-
|
51
|
+
raise Puppet::Error.new(_('CA certificate is missing from the server'))
|
59
52
|
else
|
60
|
-
|
53
|
+
raise Puppet::Error.new(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
|
61
54
|
end
|
62
55
|
end
|
63
56
|
end
|
@@ -77,12 +70,19 @@ class Puppet::SSL::StateMachine
|
|
77
70
|
crls = @cert_provider.load_crls
|
78
71
|
if crls
|
79
72
|
next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
|
73
|
+
|
74
|
+
crl_ttl = Puppet[:crl_refresh_interval]
|
75
|
+
if crl_ttl
|
76
|
+
last_update = @cert_provider.crl_last_update
|
77
|
+
now = Time.now
|
78
|
+
if last_update.nil? || now.to_i > last_update.to_i + crl_ttl
|
79
|
+
# set last updated time first, then make a best effort to refresh
|
80
|
+
@cert_provider.crl_last_update = now
|
81
|
+
next_ctx = refresh_crl(next_ctx, last_update)
|
82
|
+
end
|
83
|
+
end
|
80
84
|
else
|
81
|
-
|
82
|
-
crls = @cert_provider.load_crls_from_pem(pem)
|
83
|
-
# verify crls before saving
|
84
|
-
next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
|
85
|
-
@cert_provider.save_crls(crls)
|
85
|
+
next_ctx = download_crl(@ssl_context, nil)
|
86
86
|
end
|
87
87
|
else
|
88
88
|
Puppet.info("Certificate revocation is disabled, skipping CRL download")
|
@@ -90,14 +90,45 @@ class Puppet::SSL::StateMachine
|
|
90
90
|
end
|
91
91
|
|
92
92
|
NeedKey.new(@machine, next_ctx)
|
93
|
-
rescue OpenSSL::X509::CRLError => e
|
94
|
-
Error.new(@machine, e.message, e)
|
95
93
|
rescue Puppet::Rest::ResponseError => e
|
96
94
|
if e.response.code.to_i == 404
|
97
|
-
|
95
|
+
raise Puppet::Error.new(_('CRL is missing from the server'))
|
96
|
+
else
|
97
|
+
raise Puppet::Error.new(_('Could not download CRLs: %{message}') % { message: e.message }, e)
|
98
|
+
end
|
99
|
+
end
|
100
|
+
|
101
|
+
private
|
102
|
+
|
103
|
+
def refresh_crl(ssl_ctx, last_update)
|
104
|
+
Puppet.info(_("Refreshing CRL"))
|
105
|
+
|
106
|
+
# return the next_ctx containing the updated crl
|
107
|
+
download_crl(ssl_ctx, last_update)
|
108
|
+
rescue Puppet::Rest::ResponseError => e
|
109
|
+
if e.response.code.to_i == 304
|
110
|
+
Puppet.info(_("CRL is unmodified, using existing CRL"))
|
98
111
|
else
|
99
|
-
|
112
|
+
Puppet.info(_("Failed to refresh CRL, using existing CRL: %{message}") % {message: e.message})
|
100
113
|
end
|
114
|
+
|
115
|
+
# return the original ssl_ctx
|
116
|
+
ssl_ctx
|
117
|
+
rescue SystemCallError => e
|
118
|
+
Puppet.warning(_("Failed to refresh CRL, using existing CRL: %{message}") % {message: e.message})
|
119
|
+
|
120
|
+
# return the original ssl_ctx
|
121
|
+
ssl_ctx
|
122
|
+
end
|
123
|
+
|
124
|
+
def download_crl(ssl_ctx, last_update)
|
125
|
+
pem = Puppet::Rest::Routes.get_crls(Puppet::SSL::CA_NAME, ssl_ctx, if_modified_since: last_update)
|
126
|
+
crls = @cert_provider.load_crls_from_pem(pem)
|
127
|
+
# verify crls before saving
|
128
|
+
next_ctx = @ssl_provider.create_root_context(cacerts: ssl_ctx[:cacerts], crls: crls)
|
129
|
+
@cert_provider.save_crls(crls)
|
130
|
+
|
131
|
+
next_ctx
|
101
132
|
end
|
102
133
|
end
|
103
134
|
|
@@ -110,7 +141,8 @@ class Puppet::SSL::StateMachine
|
|
110
141
|
def next_state
|
111
142
|
Puppet.debug(_("Loading/generating private key"))
|
112
143
|
|
113
|
-
|
144
|
+
password = @cert_provider.load_private_key_password
|
145
|
+
key = @cert_provider.load_private_key(Puppet[:certname], password: password)
|
114
146
|
if key
|
115
147
|
cert = @cert_provider.load_client_cert(Puppet[:certname])
|
116
148
|
if cert
|
@@ -120,9 +152,15 @@ class Puppet::SSL::StateMachine
|
|
120
152
|
return Done.new(@machine, next_ctx)
|
121
153
|
end
|
122
154
|
else
|
123
|
-
|
124
|
-
|
125
|
-
|
155
|
+
if Puppet[:key_type] == 'ec'
|
156
|
+
Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: Puppet[:certname], curve: Puppet[:named_curve] }
|
157
|
+
key = OpenSSL::PKey::EC.generate(Puppet[:named_curve])
|
158
|
+
else
|
159
|
+
Puppet.info _("Creating a new RSA SSL key for %{name}") % { name: Puppet[:certname] }
|
160
|
+
key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
|
161
|
+
end
|
162
|
+
|
163
|
+
@cert_provider.save_private_key(Puppet[:certname], key, password: password)
|
126
164
|
end
|
127
165
|
|
128
166
|
NeedSubmitCSR.new(@machine, @ssl_context, key)
|
@@ -155,11 +193,11 @@ class Puppet::SSL::StateMachine
|
|
155
193
|
@cert_provider.save_request(Puppet[:certname], csr)
|
156
194
|
NeedCert.new(@machine, @ssl_context, @private_key)
|
157
195
|
rescue Puppet::Rest::ResponseError => e
|
158
|
-
if e.response.code.to_i
|
159
|
-
|
160
|
-
else
|
161
|
-
to_error(_("Failed to submit the CSR, HTTP response was %{code}") % { code: e.response.code }, e)
|
196
|
+
if e.response.code.to_i != 400
|
197
|
+
raise Puppet::SSL::SSLError.new(_("Failed to submit the CSR, HTTP response was %{code}") % { code: e.response.code }, e)
|
162
198
|
end
|
199
|
+
|
200
|
+
NeedCert.new(@machine, @ssl_context, @private_key)
|
163
201
|
end
|
164
202
|
end
|
165
203
|
|
@@ -180,37 +218,37 @@ class Puppet::SSL::StateMachine
|
|
180
218
|
@cert_provider.delete_request(Puppet[:certname])
|
181
219
|
Done.new(@machine, next_ctx)
|
182
220
|
rescue Puppet::SSL::SSLError => e
|
183
|
-
|
221
|
+
Puppet.log_exception(e)
|
222
|
+
Wait.new(@machine, @ssl_context)
|
184
223
|
rescue OpenSSL::X509::CertificateError => e
|
185
|
-
|
224
|
+
Puppet.log_exception(e, _("Failed to parse certificate: %{message}") % {message: e.message})
|
225
|
+
Wait.new(@machine, @ssl_context)
|
186
226
|
rescue Puppet::Rest::ResponseError => e
|
187
227
|
if e.response.code.to_i == 404
|
188
228
|
Puppet.info(_("Certificate for %{certname} has not been signed yet") % {certname: Puppet[:certname]})
|
189
|
-
$stdout.puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}).") % { name: Puppet[:certname] }
|
190
|
-
Wait.new(@machine)
|
191
229
|
else
|
192
|
-
|
193
|
-
|
230
|
+
Puppet.log_exception(e, _("Failed to retrieve certificate for %{certname}: %{message}") %
|
231
|
+
{certname: Puppet[:certname], message: e.response.message})
|
194
232
|
end
|
233
|
+
Wait.new(@machine, @ssl_context)
|
195
234
|
end
|
196
235
|
end
|
197
236
|
|
198
|
-
# We cannot make progress, so wait if allowed to do so, or
|
237
|
+
# We cannot make progress, so wait if allowed to do so, or error.
|
199
238
|
#
|
200
239
|
class Wait < SSLState
|
201
|
-
def initialize(machine)
|
202
|
-
super(machine, nil)
|
203
|
-
end
|
204
|
-
|
205
240
|
def next_state
|
206
241
|
time = @machine.waitforcert
|
207
242
|
if time < 1
|
208
|
-
puts _("Exiting now because the waitforcert setting is set to 0.")
|
243
|
+
puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the waitforcert setting is set to 0.") % { name: Puppet[:certname] }
|
244
|
+
exit(1)
|
245
|
+
elsif Time.now.to_i > @machine.wait_deadline
|
246
|
+
puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the maxwaitforcert timeout has been exceeded.") % {name: Puppet[:certname] }
|
209
247
|
exit(1)
|
210
248
|
else
|
211
|
-
Puppet.info(_("Will try again in %{time} seconds.") % {time: time})
|
249
|
+
Puppet.info(_("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Will try again in %{time} seconds.") % {name: Puppet[:certname], time: time})
|
212
250
|
|
213
|
-
|
251
|
+
sleep(time)
|
214
252
|
|
215
253
|
# our ssl directory may have been cleaned while we were
|
216
254
|
# sleeping, start over from the top
|
@@ -219,68 +257,36 @@ class Puppet::SSL::StateMachine
|
|
219
257
|
end
|
220
258
|
end
|
221
259
|
|
222
|
-
# We cannot make progress due to an error.
|
223
|
-
#
|
224
|
-
class Error < SSLState
|
225
|
-
attr_reader :message, :error
|
226
|
-
|
227
|
-
def initialize(machine, message, error)
|
228
|
-
super(machine, nil)
|
229
|
-
@message = message
|
230
|
-
@error = error
|
231
|
-
end
|
232
|
-
|
233
|
-
def next_state
|
234
|
-
Puppet.log_exception(@error, @message)
|
235
|
-
Wait.new(@machine)
|
236
|
-
end
|
237
|
-
end
|
238
|
-
|
239
260
|
# We have a CA bundle, optional CRL bundle, a private key and matching cert
|
240
261
|
# that chains to one of the root certs in our bundle.
|
241
262
|
#
|
242
263
|
class Done < SSLState; end
|
243
264
|
|
244
|
-
attr_reader :waitforcert,
|
265
|
+
attr_reader :waitforcert, :wait_deadline, :cert_provider, :ssl_provider
|
245
266
|
|
246
|
-
# Construct a state machine to manage the SSL initialization process. By
|
247
|
-
# default, if the state machine encounters an exception, it will log the
|
248
|
-
# exception and wait for `waitforcert` seconds and retry, restarting from the
|
249
|
-
# beginning of the state machine.
|
250
|
-
#
|
251
|
-
# However, if `onetime` is true, then the state machine will raise the first
|
252
|
-
# error it encounters, instead of waiting. Otherwise, if `waitforcert` is 0,
|
253
|
-
# then then state machine will exit instead of wait.
|
254
|
-
#
|
255
|
-
# @param waitforcert [Integer] how many seconds to wait between attempts
|
256
|
-
# @param onetime [Boolean] whether to run onetime
|
257
|
-
# @param cert_provider [Puppet::X509::CertProvider] cert provider to use
|
258
|
-
# to load and save X509 objects.
|
259
|
-
# @param ssl_provider [Puppet::SSL::SSLProvider] ssl provider to use
|
260
|
-
# to construct ssl contexts.
|
261
267
|
def initialize(waitforcert: Puppet[:waitforcert],
|
262
|
-
|
268
|
+
maxwaitforcert: Puppet[:maxwaitforcert],
|
263
269
|
cert_provider: Puppet::X509::CertProvider.new,
|
264
|
-
ssl_provider: Puppet::SSL::SSLProvider.new
|
270
|
+
ssl_provider: Puppet::SSL::SSLProvider.new,
|
271
|
+
lockfile: Puppet::Util::Pidlock.new(Puppet[:ssl_lockfile]))
|
265
272
|
@waitforcert = waitforcert
|
266
|
-
@
|
273
|
+
@wait_deadline = Time.now.to_i + maxwaitforcert
|
267
274
|
@cert_provider = cert_provider
|
268
275
|
@ssl_provider = ssl_provider
|
276
|
+
@lockfile = lockfile
|
269
277
|
end
|
270
278
|
|
271
|
-
# Run the state machine for CA certs and CRLs
|
279
|
+
# Run the state machine for CA certs and CRLs
|
272
280
|
#
|
273
281
|
# @return [Puppet::SSL::SSLContext] initialized SSLContext
|
274
|
-
# @raise [Puppet::Error] If we fail to generate an SSLContext
|
275
282
|
def ensure_ca_certificates
|
276
283
|
final_state = run_machine(NeedCACerts.new(self), NeedKey)
|
277
284
|
final_state.ssl_context
|
278
285
|
end
|
279
286
|
|
280
|
-
# Run the state machine for CA certs and CRLs
|
287
|
+
# Run the state machine for CA certs and CRLs
|
281
288
|
#
|
282
289
|
# @return [Puppet::SSL::SSLContext] initialized SSLContext
|
283
|
-
# @raise [Puppet::Error] If we fail to generate an SSLContext
|
284
290
|
def ensure_client_certificate
|
285
291
|
final_state = run_machine(NeedCACerts.new(self), Done)
|
286
292
|
ssl_context = final_state.ssl_context
|
@@ -304,28 +310,26 @@ class Puppet::SSL::StateMachine
|
|
304
310
|
private
|
305
311
|
|
306
312
|
def run_machine(state, stop)
|
307
|
-
|
308
|
-
|
309
|
-
|
310
|
-
|
311
|
-
|
312
|
-
break
|
313
|
-
when Error
|
314
|
-
if @onetime
|
315
|
-
Puppet.log_exception(state.error)
|
316
|
-
raise state.error
|
317
|
-
end
|
318
|
-
else
|
319
|
-
# fall through
|
313
|
+
with_lock do
|
314
|
+
loop do
|
315
|
+
state = state.next_state
|
316
|
+
|
317
|
+
break if state.is_a?(stop)
|
320
318
|
end
|
321
319
|
end
|
322
320
|
|
323
321
|
state
|
324
322
|
end
|
325
323
|
|
326
|
-
def
|
327
|
-
|
328
|
-
|
329
|
-
|
324
|
+
def with_lock
|
325
|
+
if @lockfile.lock
|
326
|
+
begin
|
327
|
+
yield
|
328
|
+
ensure
|
329
|
+
@lockfile.unlock
|
330
|
+
end
|
331
|
+
else
|
332
|
+
raise Puppet::Error, _('Another puppet instance is already running; exiting')
|
333
|
+
end
|
330
334
|
end
|
331
335
|
end
|