puppet 7.15.0 → 7.16.0

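--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 236ffe679e7475017af27237b3584914e21fdc4c40640f1068b4f25a683b2b3c
-data.tar.gz: e0ab738928ad2ff627eb22060064b02016fce0aa742eb0bd995d3cfbffd7ed2a
+metadata.gz: f6c615fd23b0479166d4063106734f192102c181ea31befcb2c9dd4355b00f9b
+data.tar.gz: 25dd46d4c27898d532d918d058d744a992959cda11d79ae5a12d902f26c4360f
 SHA512:
-metadata.gz: a011343c68d88f25ec0ea67c2a47c74c826a67b1c354365c8d51d39ab3a08c622cc0f9ed631670b13fea35485467757be5aee34e1e94fcc4f579e862ec3040f1
-data.tar.gz: 8b300a0eb554107049cf1d5fb2bc73c76e6bb4ebc24500c138da1b8dd4b0b945906231e8e3a3f97ee4f9dd8ce4913b5b944eae14dcd87296aafd05e126a950f1
+metadata.gz: 86e905440fa92e3bc3092cf27cb4d1d928afcd41cf77ed34e6dd171b08d1e25beb7680fbbd847c7f3acdc672e8d385be61b5d916f045c76105c34afc06801f75
+data.tar.gz: 0e5329faafcac9f60da50eb37f6a3cf6b3637bb09adb8f48d6a190a20ecec1f3047102dfb780124a27ee1906f5e9ce84c5aa49458109cba017808974b131c5b8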
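--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,9 +1,9 @@
 GIT
 remote: https://github.com/puppetlabs/packaging
-revision: 478623dd22de2de32bbb7b7c340a8d80c269c9f4
+revision: 0b07772b72c5e4076e145bab3d56d42331ec342b
 branch: 1.0.x
 specs:
-packaging (0.106.0.20.g478623d)
+packaging (0.106.1)
 apt_stage_artifacts
 artifactory (~> 3)
 csv (= 3.1.5)
@@ -13,7 +13,7 @@ GIT
 PATH
 remote: .
 specs:
-puppet (7.15.0)
+puppet (7.16.0)
 CFPropertyList (~> 2.2)
 concurrent-ruby (~> 1.0)
 deep_merge (~> 1.0)
@@ -36,14 +36,14 @@ GEM
 artifactory (3.0.15)
 ast (2.4.2)
 coderay (1.1.3)
-concurrent-ruby (1.1.9)
+concurrent-ruby (1.1.10)
 crack (0.4.5)
 rexml
 csv (3.1.5)
 deep_merge (1.2.2)
 diff-lcs (1.5.0)
 docopt (0.6.1)
-facter (4.2.7)
+facter (4.2.9)
 hocon (~> 1.3)
 thor (>= 1.0.1, < 2.0)
 fast_gettext (1.1.2)
@@ -69,18 +69,18 @@ GEM
 memory_profiler (1.0.0)
 method_source (1.0.0)
 minitar (0.9)
-msgpack (1.4.5)
+msgpack (1.5.1)
 multi_json (1.15.0)
 mustache (1.1.1)
 optimist (3.0.1)
-parallel (1.21.0)
+parallel (1.22.1)
 parser (2.7.2.0)
 ast (~> 2.4.1)
 powerpack (0.1.3)
 pry (0.14.1)
 coderay (~> 1.1)
 method_source (~> 1.0)
-public_suffix (4.0.6)
+public_suffix (4.0.7)
 puppet-resource_api (1.8.14)
 hocon (>= 1.0)
 puppetserver-ca (2.3.6)
@@ -111,7 +111,7 @@ GEM
 rspec-its (1.3.0)
 rspec-core (>= 3.0.0)
 rspec-expectations (>= 3.0.0)
-rspec-mocks (3.11.0)
+rspec-mocks (3.11.1)
 diff-lcs (>= 1.2.0, < 2.0)
 rspec-support (~> 3.11.0)
 rspec-support (3.11.0)
@@ -174,4 +174,4 @@ DEPENDENCIES
 yard
 
 BUNDLED WITH
-2.3.8
+2.3.10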
@@ -68,8 +68,7 @@ class Puppet::SSL::SSLProvider
68
68
  # @raise (see #create_context)
69
69
  # @api private
70
70
  def create_system_context(cacerts:, path: Puppet[:ssl_trust_store])
71
- store = create_x509_store(cacerts, [], false)
72
- store.set_default_paths
71
+ store = create_x509_store(cacerts, [], false, include_system_store: true)
73
72
 
74
73
  if path
75
74
  stat = Puppet::FileSystem.stat(path)
@@ -111,19 +110,20 @@ class Puppet::SSL::SSLProvider
111
110
  # @param client_cert [OpenSSL::X509::Certificate] client's cert whose public
112
111
  # key matches the `private_key`
113
112
  # @param revocation [:chain, :leaf, false] revocation mode
113
+ # @param include_system_store [true, false] Also trust system CA
114
114
  # @return [Puppet::SSL::SSLContext] A context to use to create connections
115
115
  # @raise [Puppet::SSL::CertVerifyError] There was an issue with
116
116
  # one of the certs or CRLs.
117
117
  # @raise [Puppet::SSL::SSLError] There was an issue with the
118
118
  # `private_key`.
119
119
  # @api private
120
- def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation])
120
+ def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation], include_system_store: false)
121
121
  raise ArgumentError, _("CA certs are missing") unless cacerts
122
122
  raise ArgumentError, _("CRLs are missing") unless crls
123
123
  raise ArgumentError, _("Private key is missing") unless private_key
124
124
  raise ArgumentError, _("Client cert is missing") unless client_cert
125
125
 
126
- store = create_x509_store(cacerts, crls, revocation)
126
+ store = create_x509_store(cacerts, crls, revocation, include_system_store: include_system_store)
127
127
  client_chain = verify_cert_with_store(store, client_cert)
128
128
 
129
129
  if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
@@ -151,12 +151,13 @@ class Puppet::SSL::SSLProvider
151
151
  # @param password [String, nil] If the private key is encrypted, decrypt
152
152
  # it using the password. If the key is encrypted, but a password is
153
153
  # not specified, then the key cannot be loaded.
154
+ # @param include_system_store [true, false] Also trust system CA
154
155
  # @return [Puppet::SSL::SSLContext] A context to use to create connections
155
156
  # @raise [Puppet::SSL::CertVerifyError] There was an issue with
156
157
  # one of the certs or CRLs.
157
158
  # @raise [Puppet::Error] There was an issue with one of the required components.
158
159
  # @api private
159
- def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil)
160
+ def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil, include_system_store: false)
160
161
  cert = Puppet::X509::CertProvider.new
161
162
  cacerts = cert.load_cacerts(required: true)
162
163
  crls = case revocation
@@ -168,7 +169,7 @@ class Puppet::SSL::SSLProvider
168
169
  private_key = cert.load_private_key(certname, required: true, password: password)
169
170
  client_cert = cert.load_client_cert(certname, required: true)
170
171
 
171
- create_context(cacerts: cacerts, crls: crls, private_key: private_key, client_cert: client_cert, revocation: revocation)
172
+ create_context(cacerts: cacerts, crls: crls, private_key: private_key, client_cert: client_cert, revocation: revocation, include_system_store: include_system_store)
172
173
  rescue OpenSSL::PKey::PKeyError => e
173
174
  raise Puppet::SSL::SSLError.new(_("Failed to load private key for host '%{name}': %{message}") % { name: certname, message: e.message }, e)
174
175
  end
@@ -203,7 +204,7 @@ class Puppet::SSL::SSLProvider
203
204
  end
204
205
  end
205
206
 
206
- def create_x509_store(roots, crls, revocation)
207
+ def create_x509_store(roots, crls, revocation, include_system_store: false)
207
208
  store = OpenSSL::X509::Store.new
208
209
  store.purpose = OpenSSL::X509::PURPOSE_ANY
209
210
  store.flags = default_flags | revocation_mode(revocation)
@@ -211,6 +212,8 @@ class Puppet::SSL::SSLProvider
211
212
  roots.each { |cert| store.add_cert(cert) }
212
213
  crls.each { |crl| store.add_crl(crl) }
213
214
 
215
+ store.set_default_paths if include_system_store
216
+
214
217
  store
215
218
  end
216
219
 
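Review bot: The YARD for the new `include_system_store` parameter on create_context (new line 113) and load_context (new line 154) reads only `Also trust system CA`, which omits the security-relevant part of the contract: the store is populated by `store.set_default_paths` in create_x509_store, so the extra trust anchors come from OpenSSL's default CA locations, which the process environment (SSL_CERT_FILE, as the accompanying spec relies on, and SSL_CERT_DIR) can redirect. Suggest `# @param include_system_store [true, false] Also trust the CAs in OpenSSL's default store (OpenSSL::X509::Store#set_default_paths); their location comes from the environment, so enable this only where the system trust policy is intended.` on both methods. Since `store.flags` applies one revocation mode to the whole store, a chain ending in a system CA presumably also needs a CRL under revocation :chain — worth confirming and noting in the same doc. The create_x509_store body spans two hunks and its start lies outside the @@ -211 hunk.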
@@ -6,7 +6,7 @@
6
6
  # Raketasks and such to set the version based on the output of `git describe`
7
7
 
8
8
  module Puppet
9
- PUPPETVERSION = '7.15.0'
9
+ PUPPETVERSION = '7.16.0'
10
10
 
11
11
  ##
12
12
  # version is a public API method intended to always provide a fast and
@@ -929,7 +929,7 @@ The time to wait for data to be read from an HTTP connection\. If nothing is rea
929
929
  The HTTP User\-Agent string to send when making network requests\.
930
930
  .
931
931
  .IP "\(bu" 4
932
- \fIDefault\fR: \fBPuppet/7\.15\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
932
+ \fIDefault\fR: \fBPuppet/7\.16\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
933
933
  .
934
934
  .IP "" 0
935
935
  .
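--- a/data/man/man8/puppet.8
+++ b/data/man/man8/puppet.8
@@ -25,4 +25,4 @@ Specialized:
 catalog Compile, save, view, and convert catalogs\. describe Display help about resource types device Manage remote network devices doc Generate Puppet references epp Interact directly with the EPP template parser/renderer\. facts Retrieve and store facts\. filebucket Store and retrieve files in a filebucket generate Generates Puppet code from Ruby definitions\. node View and manage node definitions\. parser Interact directly with the parser\. plugin Interact with the Puppet plugin system\. script Run a puppet manifests as a script without compiling a catalog ssl Manage SSL keys and certificates for puppet SSL clients
 .
 .P
-See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.15\.0
+See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.16\.0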
@@ -77,6 +77,12 @@ describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
77
77
  }
78
78
  }
79
79
 
80
+ let(:systemstore) do
81
+ res = tmpfile('systemstore')
82
+ File.write(res, https_server.ca_cert)
83
+ res
84
+ end
85
+
80
86
  it "mutually authenticates the connection" do
81
87
  client_context = ssl_provider.create_context(
82
88
  cacerts: [https_server.ca_cert], crls: [https_server.ca_crl],
@@ -88,6 +94,30 @@ describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
88
94
  expect(res).to be_success
89
95
  end
90
96
  end
97
+
98
+ it "connects when the server's CA is in the system store and the connection is mutually authenticated using create_context" do
99
+ Puppet::Util.withenv("SSL_CERT_FILE" => systemstore) do
100
+ client_context = ssl_provider.create_context(
101
+ cacerts: [https_server.ca_cert], crls: [https_server.ca_crl],
102
+ client_cert: https_server.server_cert, private_key: https_server.server_key,
103
+ revocation: false, include_system_store: true
104
+ )
105
+ https_server.start_server(ctx_proc: ctx_proc) do |port|
106
+ res = client.get(URI("https://127.0.0.1:#{port}"), options: {ssl_context: client_context})
107
+ expect(res).to be_success
108
+ end
109
+ end
110
+ end
111
+
112
+ it "connects when the server's CA is in the system store and the connection is mutually authenticated uning load_context" do
113
+ Puppet::Util.withenv("SSL_CERT_FILE" => systemstore) do
114
+ client_context = ssl_provider.load_context(revocation: false, include_system_store: true)
115
+ https_server.start_server(ctx_proc: ctx_proc) do |port|
116
+ res = client.get(URI("https://127.0.0.1:#{port}"), options: {ssl_context: client_context})
117
+ expect(res).to be_success
118
+ end
119
+ end
120
+ end
91
121
  end
92
122
 
93
123
  context "with a system trust store" do
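Review bot: The first new example (new line 98) does not demonstrate that the system store is consulted: `cacerts: [https_server.ca_cert]` already contains the server's CA, so create_context would build a verifying chain with or without `include_system_store: true`. If the fixture allows it, pass a cacerts list without that CA — create_context rejects only a nil cacerts, so `cacerts: []` is accepted — so the example fails when set_default_paths is skipped; the load_context example depends on what the cert provider loads, which is outside this hunk. The second example's description has a typo, `uning` → `using`. The enclosing describe block starts and ends outside the hunk.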
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puppet
3
3
  version: !ruby/object:Gem::Version
4
- version: 7.15.0
4
+ version: 7.16.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Puppet Labs
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-03-17 00:00:00.000000000 Z
11
+ date: 2022-04-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: facter