RubyGems - puppet - Versions diffs - 7.15.0-universal-darwin → 7.16.0-universal-darwin - Mend

puppet 7.15.0-universal-darwin → 7.16.0-universal-darwin

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/Gemfile.lock +10 -10
data/lib/puppet/ssl/ssl_provider.rb +10 -7
data/lib/puppet/version.rb +1 -1
data/man/man5/puppet.conf.5 +1 -1
data/man/man8/puppet.8 +1 -1
data/spec/integration/http/client_spec.rb +30 -0
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 62e9789fe00c21adcac08463a71792955f75e510669e36be4d008b6d1472ecde
-  data.tar.gz: e0ab738928ad2ff627eb22060064b02016fce0aa742eb0bd995d3cfbffd7ed2a
+  metadata.gz: cd799c6f43bc760ac90b228ebad0819067875e24ca9a734dcd29b722d9c5af85
+  data.tar.gz: 25dd46d4c27898d532d918d058d744a992959cda11d79ae5a12d902f26c4360f
 SHA512:
-  metadata.gz: c8c4d8f31256d4258c4fa239d267ec3d68b0e7fdc2e7aa7831bdd4d22035a7687a9eb7347b27f4cb322d88f7d29a296f0d9cf53f9d66374c72e7bfbc80cca683
-  data.tar.gz: 8b300a0eb554107049cf1d5fb2bc73c76e6bb4ebc24500c138da1b8dd4b0b945906231e8e3a3f97ee4f9dd8ce4913b5b944eae14dcd87296aafd05e126a950f1
+  metadata.gz: 0de6ad89ce2240c8f2013c0fe29d3ab9a215727a205e032a3af0f3b76ad0993e4c9580e4644740be599a701c5e64bd7f2f3c2b10ac4744e663ad03bae7452c42
+  data.tar.gz: 0e5329faafcac9f60da50eb37f6a3cf6b3637bb09adb8f48d6a190a20ecec1f3047102dfb780124a27ee1906f5e9ce84c5aa49458109cba017808974b131c5b8

data/Gemfile.lock CHANGED Viewed

@@ -1,9 +1,9 @@
 GIT
   remote: https://github.com/puppetlabs/packaging
-  revision: 478623dd22de2de32bbb7b7c340a8d80c269c9f4
+  revision: 0b07772b72c5e4076e145bab3d56d42331ec342b
   branch: 1.0.x
   specs:
-    packaging (0.106.0.20.g478623d)
+    packaging (0.106.1)
       apt_stage_artifacts
       artifactory (~> 3)
       csv (= 3.1.5)
@@ -13,7 +13,7 @@ GIT
 PATH
   remote: .
   specs:
-    puppet (7.15.0)
+    puppet (7.16.0)
       CFPropertyList (~> 2.2)
       concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
@@ -36,14 +36,14 @@ GEM
     artifactory (3.0.15)
     ast (2.4.2)
     coderay (1.1.3)
-    concurrent-ruby (1.1.9)
+    concurrent-ruby (1.1.10)
     crack (0.4.5)
       rexml
     csv (3.1.5)
     deep_merge (1.2.2)
     diff-lcs (1.5.0)
     docopt (0.6.1)
-    facter (4.2.7)
+    facter (4.2.9)
       hocon (~> 1.3)
       thor (>= 1.0.1, < 2.0)
     fast_gettext (1.1.2)
@@ -69,18 +69,18 @@ GEM
     memory_profiler (1.0.0)
     method_source (1.0.0)
     minitar (0.9)
-    msgpack (1.4.5)
+    msgpack (1.5.1)
     multi_json (1.15.0)
     mustache (1.1.1)
     optimist (3.0.1)
-    parallel (1.21.0)
+    parallel (1.22.1)
     parser (2.7.2.0)
       ast (~> 2.4.1)
     powerpack (0.1.3)
     pry (0.14.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (4.0.6)
+    public_suffix (4.0.7)
     puppet-resource_api (1.8.14)
       hocon (>= 1.0)
     puppetserver-ca (2.3.6)
@@ -111,7 +111,7 @@ GEM
     rspec-its (1.3.0)
       rspec-core (>= 3.0.0)
       rspec-expectations (>= 3.0.0)
-    rspec-mocks (3.11.0)
+    rspec-mocks (3.11.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.11.0)
     rspec-support (3.11.0)
@@ -174,4 +174,4 @@ DEPENDENCIES
   yard
 BUNDLED WITH
-   2.3.8
+   2.3.10

data/lib/puppet/ssl/ssl_provider.rb CHANGED Viewed

@@ -68,8 +68,7 @@ class Puppet::SSL::SSLProvider
   # @raise (see #create_context)
   # @api private
   def create_system_context(cacerts:, path: Puppet[:ssl_trust_store])
-    store = create_x509_store(cacerts, [], false)
-    store.set_default_paths
+    store = create_x509_store(cacerts, [], false, include_system_store: true)
     if path
       stat = Puppet::FileSystem.stat(path)
@@ -111,19 +110,20 @@ class Puppet::SSL::SSLProvider
   # @param client_cert [OpenSSL::X509::Certificate] client's cert whose public
   #   key matches the `private_key`
   # @param revocation [:chain, :leaf, false] revocation mode
+  # @param include_system_store [true, false] Also trust system CA
   # @return [Puppet::SSL::SSLContext] A context to use to create connections
   # @raise [Puppet::SSL::CertVerifyError] There was an issue with
   #   one of the certs or CRLs.
   # @raise [Puppet::SSL::SSLError] There was an issue with the
   #   `private_key`.
   # @api private
-  def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation])
+  def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation], include_system_store: false)
     raise ArgumentError, _("CA certs are missing") unless cacerts
     raise ArgumentError, _("CRLs are missing") unless crls
     raise ArgumentError, _("Private key is missing") unless private_key
     raise ArgumentError, _("Client cert is missing") unless client_cert
-    store = create_x509_store(cacerts, crls, revocation)
+    store = create_x509_store(cacerts, crls, revocation, include_system_store: include_system_store)
     client_chain = verify_cert_with_store(store, client_cert)
     if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
@@ -151,12 +151,13 @@ class Puppet::SSL::SSLProvider
   # @param password [String, nil] If the private key is encrypted, decrypt
   #   it using the password. If the key is encrypted, but a password is
   #   not specified, then the key cannot be loaded.
+  # @param include_system_store [true, false] Also trust system CA
   # @return [Puppet::SSL::SSLContext] A context to use to create connections
   # @raise [Puppet::SSL::CertVerifyError] There was an issue with
   #   one of the certs or CRLs.
   # @raise [Puppet::Error] There was an issue with one of the required components.
   # @api private
-  def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil)
+  def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil, include_system_store: false)
     cert = Puppet::X509::CertProvider.new
     cacerts = cert.load_cacerts(required: true)
     crls = case revocation
@@ -168,7 +169,7 @@ class Puppet::SSL::SSLProvider
     private_key = cert.load_private_key(certname, required: true, password: password)
     client_cert = cert.load_client_cert(certname, required: true)
-    create_context(cacerts: cacerts, crls: crls,  private_key: private_key, client_cert: client_cert, revocation: revocation)
+    create_context(cacerts: cacerts, crls: crls,  private_key: private_key, client_cert: client_cert, revocation: revocation, include_system_store: include_system_store)
   rescue OpenSSL::PKey::PKeyError => e
     raise Puppet::SSL::SSLError.new(_("Failed to load private key for host '%{name}': %{message}") % { name: certname, message: e.message }, e)
   end
@@ -203,7 +204,7 @@ class Puppet::SSL::SSLProvider
     end
   end
-  def create_x509_store(roots, crls, revocation)
+  def create_x509_store(roots, crls, revocation, include_system_store: false)
     store = OpenSSL::X509::Store.new
     store.purpose = OpenSSL::X509::PURPOSE_ANY
     store.flags = default_flags | revocation_mode(revocation)
@@ -211,6 +212,8 @@ class Puppet::SSL::SSLProvider
     roots.each { |cert| store.add_cert(cert) }
     crls.each { |crl| store.add_crl(crl) }
+    store.set_default_paths if include_system_store
     store
   end

data/lib/puppet/version.rb CHANGED Viewed

@@ -6,7 +6,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 module Puppet
-  PUPPETVERSION = '7.15.0'
+  PUPPETVERSION = '7.16.0'
   ##
   # version is a public API method intended to always provide a fast and

data/man/man5/puppet.conf.5 CHANGED Viewed

@@ -929,7 +929,7 @@ The time to wait for data to be read from an HTTP connection\. If nothing is rea
 The HTTP User\-Agent string to send when making network requests\.
 .
 .IP "\(bu" 4
-\fIDefault\fR: \fBPuppet/7\.15\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
+\fIDefault\fR: \fBPuppet/7\.16\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
 .
 .IP "" 0
 .

data/man/man8/puppet.8 CHANGED Viewed

@@ -25,4 +25,4 @@ Specialized:
 catalog Compile, save, view, and convert catalogs\. describe Display help about resource types device Manage remote network devices doc Generate Puppet references epp Interact directly with the EPP template parser/renderer\. facts Retrieve and store facts\. filebucket Store and retrieve files in a filebucket generate Generates Puppet code from Ruby definitions\. node View and manage node definitions\. parser Interact directly with the parser\. plugin Interact with the Puppet plugin system\. script Run a puppet manifests as a script without compiling a catalog ssl Manage SSL keys and certificates for puppet SSL clients
 .
 .P
-See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.15\.0
+See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.16\.0

data/spec/integration/http/client_spec.rb CHANGED Viewed

@@ -77,6 +77,12 @@ describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
       }
     }
+    let(:systemstore) do
+      res = tmpfile('systemstore')
+      File.write(res, https_server.ca_cert)
+      res
+    end
     it "mutually authenticates the connection" do
       client_context = ssl_provider.create_context(
         cacerts: [https_server.ca_cert], crls: [https_server.ca_crl],
@@ -88,6 +94,30 @@ describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
         expect(res).to be_success
       end
     end
+    it "connects when the server's CA is in the system store and the connection is mutually authenticated using create_context" do
+      Puppet::Util.withenv("SSL_CERT_FILE" => systemstore) do
+        client_context = ssl_provider.create_context(
+          cacerts: [https_server.ca_cert], crls: [https_server.ca_crl],
+          client_cert: https_server.server_cert, private_key: https_server.server_key,
+          revocation: false, include_system_store: true
+        )
+        https_server.start_server(ctx_proc: ctx_proc) do |port|
+          res = client.get(URI("https://127.0.0.1:#{port}"), options: {ssl_context: client_context})
+          expect(res).to be_success
+        end
+      end
+    end
+    it "connects when the server's CA is in the system store and the connection is mutually authenticated uning load_context" do
+      Puppet::Util.withenv("SSL_CERT_FILE" => systemstore) do
+        client_context = ssl_provider.load_context(revocation: false, include_system_store: true)
+        https_server.start_server(ctx_proc: ctx_proc) do |port|
+          res = client.get(URI("https://127.0.0.1:#{port}"), options: {ssl_context: client_context})
+          expect(res).to be_success
+        end
+      end
+    end
   end
   context "with a system trust store" do

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet
 version: !ruby/object:Gem::Version
-  version: 7.15.0
+  version: 7.16.0
 platform: universal-darwin
 authors:
 - Puppet Labs
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-17 00:00:00.000000000 Z
+date: 2022-04-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter