puppet 7.15.0 → 7.16.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile.lock +10 -10
- data/lib/puppet/ssl/ssl_provider.rb +10 -7
- data/lib/puppet/version.rb +1 -1
- data/man/man5/puppet.conf.5 +1 -1
- data/man/man8/puppet.8 +1 -1
- data/spec/integration/http/client_spec.rb +30 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f6c615fd23b0479166d4063106734f192102c181ea31befcb2c9dd4355b00f9b
|
|
4
|
+
data.tar.gz: 25dd46d4c27898d532d918d058d744a992959cda11d79ae5a12d902f26c4360f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 86e905440fa92e3bc3092cf27cb4d1d928afcd41cf77ed34e6dd171b08d1e25beb7680fbbd847c7f3acdc672e8d385be61b5d916f045c76105c34afc06801f75
|
|
7
|
+
data.tar.gz: 0e5329faafcac9f60da50eb37f6a3cf6b3637bb09adb8f48d6a190a20ecec1f3047102dfb780124a27ee1906f5e9ce84c5aa49458109cba017808974b131c5b8
|
data/Gemfile.lock
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
GIT
|
|
2
2
|
remote: https://github.com/puppetlabs/packaging
|
|
3
|
-
revision:
|
|
3
|
+
revision: 0b07772b72c5e4076e145bab3d56d42331ec342b
|
|
4
4
|
branch: 1.0.x
|
|
5
5
|
specs:
|
|
6
|
-
packaging (0.106.
|
|
6
|
+
packaging (0.106.1)
|
|
7
7
|
apt_stage_artifacts
|
|
8
8
|
artifactory (~> 3)
|
|
9
9
|
csv (= 3.1.5)
|
|
@@ -13,7 +13,7 @@ GIT
|
|
|
13
13
|
PATH
|
|
14
14
|
remote: .
|
|
15
15
|
specs:
|
|
16
|
-
puppet (7.
|
|
16
|
+
puppet (7.16.0)
|
|
17
17
|
CFPropertyList (~> 2.2)
|
|
18
18
|
concurrent-ruby (~> 1.0)
|
|
19
19
|
deep_merge (~> 1.0)
|
|
@@ -36,14 +36,14 @@ GEM
|
|
|
36
36
|
artifactory (3.0.15)
|
|
37
37
|
ast (2.4.2)
|
|
38
38
|
coderay (1.1.3)
|
|
39
|
-
concurrent-ruby (1.1.
|
|
39
|
+
concurrent-ruby (1.1.10)
|
|
40
40
|
crack (0.4.5)
|
|
41
41
|
rexml
|
|
42
42
|
csv (3.1.5)
|
|
43
43
|
deep_merge (1.2.2)
|
|
44
44
|
diff-lcs (1.5.0)
|
|
45
45
|
docopt (0.6.1)
|
|
46
|
-
facter (4.2.
|
|
46
|
+
facter (4.2.9)
|
|
47
47
|
hocon (~> 1.3)
|
|
48
48
|
thor (>= 1.0.1, < 2.0)
|
|
49
49
|
fast_gettext (1.1.2)
|
|
@@ -69,18 +69,18 @@ GEM
|
|
|
69
69
|
memory_profiler (1.0.0)
|
|
70
70
|
method_source (1.0.0)
|
|
71
71
|
minitar (0.9)
|
|
72
|
-
msgpack (1.
|
|
72
|
+
msgpack (1.5.1)
|
|
73
73
|
multi_json (1.15.0)
|
|
74
74
|
mustache (1.1.1)
|
|
75
75
|
optimist (3.0.1)
|
|
76
|
-
parallel (1.
|
|
76
|
+
parallel (1.22.1)
|
|
77
77
|
parser (2.7.2.0)
|
|
78
78
|
ast (~> 2.4.1)
|
|
79
79
|
powerpack (0.1.3)
|
|
80
80
|
pry (0.14.1)
|
|
81
81
|
coderay (~> 1.1)
|
|
82
82
|
method_source (~> 1.0)
|
|
83
|
-
public_suffix (4.0.
|
|
83
|
+
public_suffix (4.0.7)
|
|
84
84
|
puppet-resource_api (1.8.14)
|
|
85
85
|
hocon (>= 1.0)
|
|
86
86
|
puppetserver-ca (2.3.6)
|
|
@@ -111,7 +111,7 @@ GEM
|
|
|
111
111
|
rspec-its (1.3.0)
|
|
112
112
|
rspec-core (>= 3.0.0)
|
|
113
113
|
rspec-expectations (>= 3.0.0)
|
|
114
|
-
rspec-mocks (3.11.
|
|
114
|
+
rspec-mocks (3.11.1)
|
|
115
115
|
diff-lcs (>= 1.2.0, < 2.0)
|
|
116
116
|
rspec-support (~> 3.11.0)
|
|
117
117
|
rspec-support (3.11.0)
|
|
@@ -174,4 +174,4 @@ DEPENDENCIES
|
|
|
174
174
|
yard
|
|
175
175
|
|
|
176
176
|
BUNDLED WITH
|
|
177
|
-
2.3.
|
|
177
|
+
2.3.10
|
|
@@ -68,8 +68,7 @@ class Puppet::SSL::SSLProvider
|
|
|
68
68
|
# @raise (see #create_context)
|
|
69
69
|
# @api private
|
|
70
70
|
def create_system_context(cacerts:, path: Puppet[:ssl_trust_store])
|
|
71
|
-
store = create_x509_store(cacerts, [], false)
|
|
72
|
-
store.set_default_paths
|
|
71
|
+
store = create_x509_store(cacerts, [], false, include_system_store: true)
|
|
73
72
|
|
|
74
73
|
if path
|
|
75
74
|
stat = Puppet::FileSystem.stat(path)
|
|
@@ -111,19 +110,20 @@ class Puppet::SSL::SSLProvider
|
|
|
111
110
|
# @param client_cert [OpenSSL::X509::Certificate] client's cert whose public
|
|
112
111
|
# key matches the `private_key`
|
|
113
112
|
# @param revocation [:chain, :leaf, false] revocation mode
|
|
113
|
+
# @param include_system_store [true, false] Also trust system CA
|
|
114
114
|
# @return [Puppet::SSL::SSLContext] A context to use to create connections
|
|
115
115
|
# @raise [Puppet::SSL::CertVerifyError] There was an issue with
|
|
116
116
|
# one of the certs or CRLs.
|
|
117
117
|
# @raise [Puppet::SSL::SSLError] There was an issue with the
|
|
118
118
|
# `private_key`.
|
|
119
119
|
# @api private
|
|
120
|
-
def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation])
|
|
120
|
+
def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation], include_system_store: false)
|
|
121
121
|
raise ArgumentError, _("CA certs are missing") unless cacerts
|
|
122
122
|
raise ArgumentError, _("CRLs are missing") unless crls
|
|
123
123
|
raise ArgumentError, _("Private key is missing") unless private_key
|
|
124
124
|
raise ArgumentError, _("Client cert is missing") unless client_cert
|
|
125
125
|
|
|
126
|
-
store = create_x509_store(cacerts, crls, revocation)
|
|
126
|
+
store = create_x509_store(cacerts, crls, revocation, include_system_store: include_system_store)
|
|
127
127
|
client_chain = verify_cert_with_store(store, client_cert)
|
|
128
128
|
|
|
129
129
|
if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
|
|
@@ -151,12 +151,13 @@ class Puppet::SSL::SSLProvider
|
|
|
151
151
|
# @param password [String, nil] If the private key is encrypted, decrypt
|
|
152
152
|
# it using the password. If the key is encrypted, but a password is
|
|
153
153
|
# not specified, then the key cannot be loaded.
|
|
154
|
+
# @param include_system_store [true, false] Also trust system CA
|
|
154
155
|
# @return [Puppet::SSL::SSLContext] A context to use to create connections
|
|
155
156
|
# @raise [Puppet::SSL::CertVerifyError] There was an issue with
|
|
156
157
|
# one of the certs or CRLs.
|
|
157
158
|
# @raise [Puppet::Error] There was an issue with one of the required components.
|
|
158
159
|
# @api private
|
|
159
|
-
def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil)
|
|
160
|
+
def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil, include_system_store: false)
|
|
160
161
|
cert = Puppet::X509::CertProvider.new
|
|
161
162
|
cacerts = cert.load_cacerts(required: true)
|
|
162
163
|
crls = case revocation
|
|
@@ -168,7 +169,7 @@ class Puppet::SSL::SSLProvider
|
|
|
168
169
|
private_key = cert.load_private_key(certname, required: true, password: password)
|
|
169
170
|
client_cert = cert.load_client_cert(certname, required: true)
|
|
170
171
|
|
|
171
|
-
create_context(cacerts: cacerts, crls: crls, private_key: private_key, client_cert: client_cert, revocation: revocation)
|
|
172
|
+
create_context(cacerts: cacerts, crls: crls, private_key: private_key, client_cert: client_cert, revocation: revocation, include_system_store: include_system_store)
|
|
172
173
|
rescue OpenSSL::PKey::PKeyError => e
|
|
173
174
|
raise Puppet::SSL::SSLError.new(_("Failed to load private key for host '%{name}': %{message}") % { name: certname, message: e.message }, e)
|
|
174
175
|
end
|
|
@@ -203,7 +204,7 @@ class Puppet::SSL::SSLProvider
|
|
|
203
204
|
end
|
|
204
205
|
end
|
|
205
206
|
|
|
206
|
-
def create_x509_store(roots, crls, revocation)
|
|
207
|
+
def create_x509_store(roots, crls, revocation, include_system_store: false)
|
|
207
208
|
store = OpenSSL::X509::Store.new
|
|
208
209
|
store.purpose = OpenSSL::X509::PURPOSE_ANY
|
|
209
210
|
store.flags = default_flags | revocation_mode(revocation)
|
|
@@ -211,6 +212,8 @@ class Puppet::SSL::SSLProvider
|
|
|
211
212
|
roots.each { |cert| store.add_cert(cert) }
|
|
212
213
|
crls.each { |crl| store.add_crl(crl) }
|
|
213
214
|
|
|
215
|
+
store.set_default_paths if include_system_store
|
|
216
|
+
|
|
214
217
|
store
|
|
215
218
|
end
|
|
216
219
|
|
data/lib/puppet/version.rb
CHANGED
data/man/man5/puppet.conf.5
CHANGED
|
@@ -929,7 +929,7 @@ The time to wait for data to be read from an HTTP connection\. If nothing is rea
|
|
|
929
929
|
The HTTP User\-Agent string to send when making network requests\.
|
|
930
930
|
.
|
|
931
931
|
.IP "\(bu" 4
|
|
932
|
-
\fIDefault\fR: \fBPuppet/7\.
|
|
932
|
+
\fIDefault\fR: \fBPuppet/7\.16\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
|
|
933
933
|
.
|
|
934
934
|
.IP "" 0
|
|
935
935
|
.
|
data/man/man8/puppet.8
CHANGED
|
@@ -25,4 +25,4 @@ Specialized:
|
|
|
25
25
|
catalog Compile, save, view, and convert catalogs\. describe Display help about resource types device Manage remote network devices doc Generate Puppet references epp Interact directly with the EPP template parser/renderer\. facts Retrieve and store facts\. filebucket Store and retrieve files in a filebucket generate Generates Puppet code from Ruby definitions\. node View and manage node definitions\. parser Interact directly with the parser\. plugin Interact with the Puppet plugin system\. script Run a puppet manifests as a script without compiling a catalog ssl Manage SSL keys and certificates for puppet SSL clients
|
|
26
26
|
.
|
|
27
27
|
.P
|
|
28
|
-
See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.
|
|
28
|
+
See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.16\.0
|
|
@@ -77,6 +77,12 @@ describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
|
|
|
77
77
|
}
|
|
78
78
|
}
|
|
79
79
|
|
|
80
|
+
let(:systemstore) do
|
|
81
|
+
res = tmpfile('systemstore')
|
|
82
|
+
File.write(res, https_server.ca_cert)
|
|
83
|
+
res
|
|
84
|
+
end
|
|
85
|
+
|
|
80
86
|
it "mutually authenticates the connection" do
|
|
81
87
|
client_context = ssl_provider.create_context(
|
|
82
88
|
cacerts: [https_server.ca_cert], crls: [https_server.ca_crl],
|
|
@@ -88,6 +94,30 @@ describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
|
|
|
88
94
|
expect(res).to be_success
|
|
89
95
|
end
|
|
90
96
|
end
|
|
97
|
+
|
|
98
|
+
it "connects when the server's CA is in the system store and the connection is mutually authenticated using create_context" do
|
|
99
|
+
Puppet::Util.withenv("SSL_CERT_FILE" => systemstore) do
|
|
100
|
+
client_context = ssl_provider.create_context(
|
|
101
|
+
cacerts: [https_server.ca_cert], crls: [https_server.ca_crl],
|
|
102
|
+
client_cert: https_server.server_cert, private_key: https_server.server_key,
|
|
103
|
+
revocation: false, include_system_store: true
|
|
104
|
+
)
|
|
105
|
+
https_server.start_server(ctx_proc: ctx_proc) do |port|
|
|
106
|
+
res = client.get(URI("https://127.0.0.1:#{port}"), options: {ssl_context: client_context})
|
|
107
|
+
expect(res).to be_success
|
|
108
|
+
end
|
|
109
|
+
end
|
|
110
|
+
end
|
|
111
|
+
|
|
112
|
+
it "connects when the server's CA is in the system store and the connection is mutually authenticated uning load_context" do
|
|
113
|
+
Puppet::Util.withenv("SSL_CERT_FILE" => systemstore) do
|
|
114
|
+
client_context = ssl_provider.load_context(revocation: false, include_system_store: true)
|
|
115
|
+
https_server.start_server(ctx_proc: ctx_proc) do |port|
|
|
116
|
+
res = client.get(URI("https://127.0.0.1:#{port}"), options: {ssl_context: client_context})
|
|
117
|
+
expect(res).to be_success
|
|
118
|
+
end
|
|
119
|
+
end
|
|
120
|
+
end
|
|
91
121
|
end
|
|
92
122
|
|
|
93
123
|
context "with a system trust store" do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: puppet
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 7.
|
|
4
|
+
version: 7.16.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Puppet Labs
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-04-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: facter
|