puppet 7.15.0-x86-mingw32 → 7.16.0-x86-mingw32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +10 -10
  3. data/lib/puppet/ssl/ssl_provider.rb +10 -7
  4. data/lib/puppet/version.rb +1 -1
  5. data/man/man5/puppet.conf.5 +1 -1
  6. data/man/man8/puppet.8 +1 -1
  7. data/spec/integration/http/client_spec.rb +30 -0
  8. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 5ee2719e5d4ae082cb3e5f9f0487813acfcf44dc96ddbeb5fed2b009b21f9fad
4
- data.tar.gz: e0ab738928ad2ff627eb22060064b02016fce0aa742eb0bd995d3cfbffd7ed2a
3
+ metadata.gz: 3c10e7868e6e6dc56fca313a8e5736fecbb8782db69c0ae283b5f321324cf3e4
4
+ data.tar.gz: 25dd46d4c27898d532d918d058d744a992959cda11d79ae5a12d902f26c4360f
5
5
  SHA512:
6
- metadata.gz: 1a81c9e28a40988a891ca37893b0d721fa12f42c39890746837737b217bb2ecdf626ea3e822feff557557d7f54afa7b41b54d3122039ae0ddc0e9125083dc4b6
7
- data.tar.gz: 8b300a0eb554107049cf1d5fb2bc73c76e6bb4ebc24500c138da1b8dd4b0b945906231e8e3a3f97ee4f9dd8ce4913b5b944eae14dcd87296aafd05e126a950f1
6
+ metadata.gz: b7e1c72f93d3da27d3bb61cc38682a1095e4a1915f90ae256b7269b5951b2bfb0c2684d31ab2308031089e6ea73f1aa3d4512429bd2a05790344de6693e5b822
7
+ data.tar.gz: 0e5329faafcac9f60da50eb37f6a3cf6b3637bb09adb8f48d6a190a20ecec1f3047102dfb780124a27ee1906f5e9ce84c5aa49458109cba017808974b131c5b8
data/Gemfile.lock CHANGED
@@ -1,9 +1,9 @@
1
1
  GIT
2
2
  remote: https://github.com/puppetlabs/packaging
3
- revision: 478623dd22de2de32bbb7b7c340a8d80c269c9f4
3
+ revision: 0b07772b72c5e4076e145bab3d56d42331ec342b
4
4
  branch: 1.0.x
5
5
  specs:
6
- packaging (0.106.0.20.g478623d)
6
+ packaging (0.106.1)
7
7
  apt_stage_artifacts
8
8
  artifactory (~> 3)
9
9
  csv (= 3.1.5)
@@ -13,7 +13,7 @@ GIT
13
13
  PATH
14
14
  remote: .
15
15
  specs:
16
- puppet (7.15.0)
16
+ puppet (7.16.0)
17
17
  CFPropertyList (~> 2.2)
18
18
  concurrent-ruby (~> 1.0)
19
19
  deep_merge (~> 1.0)
@@ -36,14 +36,14 @@ GEM
36
36
  artifactory (3.0.15)
37
37
  ast (2.4.2)
38
38
  coderay (1.1.3)
39
- concurrent-ruby (1.1.9)
39
+ concurrent-ruby (1.1.10)
40
40
  crack (0.4.5)
41
41
  rexml
42
42
  csv (3.1.5)
43
43
  deep_merge (1.2.2)
44
44
  diff-lcs (1.5.0)
45
45
  docopt (0.6.1)
46
- facter (4.2.7)
46
+ facter (4.2.9)
47
47
  hocon (~> 1.3)
48
48
  thor (>= 1.0.1, < 2.0)
49
49
  fast_gettext (1.1.2)
@@ -69,18 +69,18 @@ GEM
69
69
  memory_profiler (1.0.0)
70
70
  method_source (1.0.0)
71
71
  minitar (0.9)
72
- msgpack (1.4.5)
72
+ msgpack (1.5.1)
73
73
  multi_json (1.15.0)
74
74
  mustache (1.1.1)
75
75
  optimist (3.0.1)
76
- parallel (1.21.0)
76
+ parallel (1.22.1)
77
77
  parser (2.7.2.0)
78
78
  ast (~> 2.4.1)
79
79
  powerpack (0.1.3)
80
80
  pry (0.14.1)
81
81
  coderay (~> 1.1)
82
82
  method_source (~> 1.0)
83
- public_suffix (4.0.6)
83
+ public_suffix (4.0.7)
84
84
  puppet-resource_api (1.8.14)
85
85
  hocon (>= 1.0)
86
86
  puppetserver-ca (2.3.6)
@@ -111,7 +111,7 @@ GEM
111
111
  rspec-its (1.3.0)
112
112
  rspec-core (>= 3.0.0)
113
113
  rspec-expectations (>= 3.0.0)
114
- rspec-mocks (3.11.0)
114
+ rspec-mocks (3.11.1)
115
115
  diff-lcs (>= 1.2.0, < 2.0)
116
116
  rspec-support (~> 3.11.0)
117
117
  rspec-support (3.11.0)
@@ -174,4 +174,4 @@ DEPENDENCIES
174
174
  yard
175
175
 
176
176
  BUNDLED WITH
177
- 2.3.8
177
+ 2.3.10
data/lib/puppet/ssl/ssl_provider.rb CHANGED
@@ -68,8 +68,7 @@ class Puppet::SSL::SSLProvider
68
68
  # @raise (see #create_context)
69
69
  # @api private
70
70
  def create_system_context(cacerts:, path: Puppet[:ssl_trust_store])
71
- store = create_x509_store(cacerts, [], false)
72
- store.set_default_paths
71
+ store = create_x509_store(cacerts, [], false, include_system_store: true)
73
72
 
74
73
  if path
75
74
  stat = Puppet::FileSystem.stat(path)
@@ -111,19 +110,20 @@ class Puppet::SSL::SSLProvider
111
110
  # @param client_cert [OpenSSL::X509::Certificate] client's cert whose public
112
111
  # key matches the `private_key`
113
112
  # @param revocation [:chain, :leaf, false] revocation mode
113
+ # @param include_system_store [true, false] Also trust system CA
114
114
  # @return [Puppet::SSL::SSLContext] A context to use to create connections
115
115
  # @raise [Puppet::SSL::CertVerifyError] There was an issue with
116
116
  # one of the certs or CRLs.
117
117
  # @raise [Puppet::SSL::SSLError] There was an issue with the
118
118
  # `private_key`.
119
119
  # @api private
120
- def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation])
120
+ def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation], include_system_store: false)
121
121
  raise ArgumentError, _("CA certs are missing") unless cacerts
122
122
  raise ArgumentError, _("CRLs are missing") unless crls
123
123
  raise ArgumentError, _("Private key is missing") unless private_key
124
124
  raise ArgumentError, _("Client cert is missing") unless client_cert
125
125
 
126
- store = create_x509_store(cacerts, crls, revocation)
126
+ store = create_x509_store(cacerts, crls, revocation, include_system_store: include_system_store)
127
127
  client_chain = verify_cert_with_store(store, client_cert)
128
128
 
129
129
  if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
@@ -151,12 +151,13 @@ class Puppet::SSL::SSLProvider
151
151
  # @param password [String, nil] If the private key is encrypted, decrypt
152
152
  # it using the password. If the key is encrypted, but a password is
153
153
  # not specified, then the key cannot be loaded.
154
+ # @param include_system_store [true, false] Also trust system CA
154
155
  # @return [Puppet::SSL::SSLContext] A context to use to create connections
155
156
  # @raise [Puppet::SSL::CertVerifyError] There was an issue with
156
157
  # one of the certs or CRLs.
157
158
  # @raise [Puppet::Error] There was an issue with one of the required components.
158
159
  # @api private
159
- def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil)
160
+ def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil, include_system_store: false)
160
161
  cert = Puppet::X509::CertProvider.new
161
162
  cacerts = cert.load_cacerts(required: true)
162
163
  crls = case revocation
@@ -168,7 +169,7 @@ class Puppet::SSL::SSLProvider
168
169
  private_key = cert.load_private_key(certname, required: true, password: password)
169
170
  client_cert = cert.load_client_cert(certname, required: true)
170
171
 
171
- create_context(cacerts: cacerts, crls: crls, private_key: private_key, client_cert: client_cert, revocation: revocation)
172
+ create_context(cacerts: cacerts, crls: crls, private_key: private_key, client_cert: client_cert, revocation: revocation, include_system_store: include_system_store)
172
173
  rescue OpenSSL::PKey::PKeyError => e
173
174
  raise Puppet::SSL::SSLError.new(_("Failed to load private key for host '%{name}': %{message}") % { name: certname, message: e.message }, e)
174
175
  end
@@ -203,7 +204,7 @@ class Puppet::SSL::SSLProvider
203
204
  end
204
205
  end
205
206
 
206
- def create_x509_store(roots, crls, revocation)
207
+ def create_x509_store(roots, crls, revocation, include_system_store: false)
207
208
  store = OpenSSL::X509::Store.new
208
209
  store.purpose = OpenSSL::X509::PURPOSE_ANY
209
210
  store.flags = default_flags | revocation_mode(revocation)
@@ -211,6 +212,8 @@ class Puppet::SSL::SSLProvider
211
212
  roots.each { |cert| store.add_cert(cert) }
212
213
  crls.each { |crl| store.add_crl(crl) }
213
214
 
215
+ store.set_default_paths if include_system_store
216
+
214
217
  store
215
218
  end
216
219
 
data/lib/puppet/version.rb CHANGED
@@ -6,7 +6,7 @@
6
6
  # Raketasks and such to set the version based on the output of `git describe`
7
7
 
8
8
  module Puppet
9
- PUPPETVERSION = '7.15.0'
9
+ PUPPETVERSION = '7.16.0'
10
10
 
11
11
  ##
12
12
  # version is a public API method intended to always provide a fast and
data/man/man5/puppet.conf.5 CHANGED
@@ -929,7 +929,7 @@ The time to wait for data to be read from an HTTP connection\. If nothing is rea
929
929
  The HTTP User\-Agent string to send when making network requests\.
930
930
  .
931
931
  .IP "\(bu" 4
932
- \fIDefault\fR: \fBPuppet/7\.15\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
932
+ \fIDefault\fR: \fBPuppet/7\.16\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
933
933
  .
934
934
  .IP "" 0
935
935
  .
data/man/man8/puppet.8 CHANGED
@@ -25,4 +25,4 @@ Specialized:
25
25
  catalog Compile, save, view, and convert catalogs\. describe Display help about resource types device Manage remote network devices doc Generate Puppet references epp Interact directly with the EPP template parser/renderer\. facts Retrieve and store facts\. filebucket Store and retrieve files in a filebucket generate Generates Puppet code from Ruby definitions\. node View and manage node definitions\. parser Interact directly with the parser\. plugin Interact with the Puppet plugin system\. script Run a puppet manifests as a script without compiling a catalog ssl Manage SSL keys and certificates for puppet SSL clients
26
26
  .
27
27
  .P
28
- See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.15\.0
28
+ See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.16\.0
data/spec/integration/http/client_spec.rb CHANGED
@@ -77,6 +77,12 @@ describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
77
77
  }
78
78
  }
79
79
 
80
+ let(:systemstore) do
81
+ res = tmpfile('systemstore')
82
+ File.write(res, https_server.ca_cert)
83
+ res
84
+ end
85
+
80
86
  it "mutually authenticates the connection" do
81
87
  client_context = ssl_provider.create_context(
82
88
  cacerts: [https_server.ca_cert], crls: [https_server.ca_crl],
@@ -88,6 +94,30 @@ describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
88
94
  expect(res).to be_success
89
95
  end
90
96
  end
97
+
98
+ it "connects when the server's CA is in the system store and the connection is mutually authenticated using create_context" do
99
+ Puppet::Util.withenv("SSL_CERT_FILE" => systemstore) do
100
+ client_context = ssl_provider.create_context(
101
+ cacerts: [https_server.ca_cert], crls: [https_server.ca_crl],
102
+ client_cert: https_server.server_cert, private_key: https_server.server_key,
103
+ revocation: false, include_system_store: true
104
+ )
105
+ https_server.start_server(ctx_proc: ctx_proc) do |port|
106
+ res = client.get(URI("https://127.0.0.1:#{port}"), options: {ssl_context: client_context})
107
+ expect(res).to be_success
108
+ end
109
+ end
110
+ end
111
+
112
+ it "connects when the server's CA is in the system store and the connection is mutually authenticated uning load_context" do
113
+ Puppet::Util.withenv("SSL_CERT_FILE" => systemstore) do
114
+ client_context = ssl_provider.load_context(revocation: false, include_system_store: true)
115
+ https_server.start_server(ctx_proc: ctx_proc) do |port|
116
+ res = client.get(URI("https://127.0.0.1:#{port}"), options: {ssl_context: client_context})
117
+ expect(res).to be_success
118
+ end
119
+ end
120
+ end
91
121
  end
92
122
 
93
123
  context "with a system trust store" do
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puppet
3
3
  version: !ruby/object:Gem::Version
4
- version: 7.15.0
4
+ version: 7.16.0
5
5
  platform: x86-mingw32
6
6
  authors:
7
7
  - Puppet Labs
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-03-17 00:00:00.000000000 Z
11
+ date: 2022-04-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: facter