puppet 8.0.1-universal-darwin → 8.2.0-universal-darwin

data/spec/unit/defaults_spec.rb

@@ -3,46 +3,8 @@ require 'puppet/settings'
 
 describe "Defaults" do
   describe ".default_diffargs" do
-    describe "on AIX" do
-      before(:each) do
-        allow(Facter).to receive(:value).with(:kernel).and_return("AIX")
-      end
-
-      describe "on 5.3" do
-        before(:each) do
-          allow(Facter).to receive(:value).with(:kernelmajversion).and_return("5300")
-        end
-
-        it "should be empty" do
-          expect(Puppet.default_diffargs).to eq("")
-        end
-      end
-
-      [ "",
-        nil,
-        "6300",
-        "7300",
-      ].each do |kernel_version|
-        describe "on kernel version #{kernel_version.inspect}" do
-          before(:each) do
-            allow(Facter).to receive(:value).with(:kernelmajversion).and_return(kernel_version)
-          end
-
-          it "should be '-u'" do
-            expect(Puppet.default_diffargs).to eq("-u")
-          end
-        end
-      end
-    end
-
-    describe "on everything else" do
-      before(:each) do
-        allow(Facter).to receive(:value).with(:kernel).and_return("NOT_AIX")
-      end
-
-      it "should be '-u'" do
-        expect(Puppet.default_diffargs).to eq("-u")
-      end
+    it "should be '-u'" do
+      expect(Puppet.default_diffargs).to eq("-u")
     end
   end
 

data/spec/unit/file_system/path_pattern_spec.rb

@@ -1,6 +1,7 @@
 require 'spec_helper'
 require 'puppet_spec/files'
 require 'puppet/file_system'
+require 'puppet/util'
 
 describe Puppet::FileSystem::PathPattern do
   include PuppetSpec::Files
@@ -132,6 +133,20 @@ describe Puppet::FileSystem::PathPattern do
                                          File.join(dir, "found_two")])
   end
 
+  it 'globs wildcard patterns properly' do
+    # See PUP-11788 and https://github.com/jruby/jruby/issues/7836.
+    pending 'JRuby does not properly handle Dir.glob' if Puppet::Util::Platform.jruby?
+
+    dir = tmpdir('globtest')
+    create_file_in(dir, 'foo.pp')
+    create_file_in(dir, 'foo.pp.pp')
+
+    pattern = Puppet::FileSystem::PathPattern.absolute(File.join(dir, '**/*.pp'))
+
+    expect(pattern.glob).to match_array([File.join(dir, 'foo.pp'),
+                                         File.join(dir, 'foo.pp.pp')])
+  end
+
   def create_file_in(dir, name)
     File.open(File.join(dir, name), "w") { |f| f.puts "data" }
   end

data/spec/unit/http/service/ca_spec.rb

@@ -95,6 +95,18 @@ describe Puppet::HTTP::Service::Ca do
         expect(err.response.code).to eq(404)
       end
     end
+
+    it 'raises a 304 response error if it is unmodified' do
+      stub_request(:get, url).to_return(status: [304, 'Not Modified'])
+
+      expect {
+        subject.get_certificate('ca', if_modified_since: Time.now)
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::ResponseError)
+        expect(err.message).to eq("Not Modified")
+        expect(err.response.code).to eq(304)
+      end
+    end
   end
 
   context 'when getting CRLs' do
@@ -195,4 +207,75 @@ describe Puppet::HTTP::Service::Ca do
       end
     end
   end
+
+  context 'when getting certificates' do
+    let(:cert) { cert_fixture('signed.pem') }
+    let(:pem) { cert.to_pem }
+    let(:url) { "https://www.example.com/puppet-ca/v1/certificate_renewal" }
+    let(:cert_context) { Puppet::SSL::SSLContext.new(client_cert: pem) }
+    let(:client) { Puppet::HTTP::Client.new(ssl_context: cert_context) }
+    let(:session) { Puppet::HTTP::Session.new(client, []) }
+    let(:subject) { client.create_session.route_to(:ca) }
+
+    it "gets a certificate from the 'certificate_renewal' endpoint" do
+      stub_request(:post, url).to_return(body: pem)
+
+      _, body = subject.post_certificate_renewal(cert_context)
+      expect(body).to eq(pem)
+    end
+
+    it 'returns the request response' do
+      stub_request(:post, url).to_return(body: 'pem')
+
+      resp, _ = subject.post_certificate_renewal(cert_context)
+      expect(resp).to be_a(Puppet::HTTP::Response)
+    end
+
+    it 'accepts text/plain responses' do
+      stub_request(:post, url).with(headers: {'Accept' => 'text/plain'})
+
+      subject.post_certificate_renewal(cert_context)
+    end
+
+    it 'raises an ArgumentError if the SSL context does not contain a client cert' do
+      stub_request(:post, url)
+      expect { subject.post_certificate_renewal(ssl_context) }.to raise_error(ArgumentError, 'SSL context must contain a client certificate.')
+    end
+
+    it 'raises response error if unsuccessful' do
+      stub_request(:post, url).to_return(status: [400, 'Bad Request'])
+
+      expect {
+        subject.post_certificate_renewal(cert_context)
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::ResponseError)
+        expect(err.message).to eq('Bad Request')
+        expect(err.response.code).to eq(400)
+      end
+    end
+
+    it 'raises a response error if unsuccessful' do
+      stub_request(:post, url).to_return(status: [404, 'Not Found'])
+
+      expect {
+        subject.post_certificate_renewal(cert_context)
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::ResponseError)
+        expect(err.message).to eq("Not Found")
+        expect(err.response.code).to eq(404)
+      end
+    end
+
+    it 'raises a response error if unsuccessful' do
+      stub_request(:post, url).to_return(status: [404, 'Forbidden'])
+
+      expect {
+        subject.post_certificate_renewal(cert_context)
+      }.to raise_error do |err|
+        expect(err).to be_an_instance_of(Puppet::HTTP::ResponseError)
+        expect(err.message).to eq("Forbidden")
+        expect(err.response.code).to eq(404)
+      end
+    end
+  end
 end

data/spec/unit/ssl/ssl_provider_spec.rb

@@ -634,4 +634,24 @@ describe Puppet::SSL::SSLProvider do
                        "The CSR for host 'CN=signed' does not match the public key")
     end
   end
+
+  context 'printing' do
+    let(:client_cert) { cert_fixture('signed.pem') }
+    let(:private_key) { key_fixture('signed-key.pem') }
+    let(:config) { { cacerts: global_cacerts, crls: global_crls, client_cert: client_cert, private_key: private_key } }
+
+    it 'prints in debug' do
+      Puppet[:log_level] = 'debug'
+
+      ctx = subject.create_context(**config)
+      subject.print(ctx)
+      expect(@logs.map(&:message)).to include(
+        /Verified CA certificate 'CN=Test CA' fingerprint/,
+        /Verified CA certificate 'CN=Test CA Subauthority' fingerprint/,
+        /Verified client certificate 'CN=signed' fingerprint/,
+        /Using CRL 'CN=Test CA' authorityKeyIdentifier '(keyid:)?[A-Z0-9:]{59}' crlNumber '0'/,
+        /Using CRL 'CN=Test CA Subauthority' authorityKeyIdentifier '(keyid:)?[A-Z0-9:]{59}' crlNumber '0'/
+      )
+    end
+  end
 end

data/spec/unit/ssl/state_machine_spec.rb

@@ -30,7 +30,9 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
     Puppet[:daemonize] = false
     Puppet[:ssl_lockfile] = tmpfile('ssllock')
     allow(Kernel).to receive(:sleep)
-    allow_any_instance_of(Puppet::X509::CertProvider).to receive(:crl_last_update).and_return(Time.now + (5 * 60))
+    future = Time.now + (5 * 60)
+    allow_any_instance_of(Puppet::X509::CertProvider).to receive(:crl_last_update).and_return(future)
+    allow_any_instance_of(Puppet::X509::CertProvider).to receive(:ca_last_update).and_return(future)
   end
 
   def expected_digest(name, content)
@@ -396,6 +398,16 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       expect(File).to_not exist(Puppet[:localcacert])
     end
 
+    it 'skips CA refresh if it has not expired' do
+      Puppet[:ca_refresh_interval] = '1y'
+      Puppet::FileSystem.touch(Puppet[:localcacert], mtime: Time.now)
+
+      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_cacerts).and_return(cacerts)
+
+      # we're expecting a net/http request to never be made
+      state.next_state
+    end
+
     context 'when verifying CA cert bundle' do
       before :each do
         allow(cert_provider).to receive(:load_cacerts).and_return(nil)
@@ -436,6 +448,69 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
         expect(st.message).to eq("CA bundle with digest (SHA256) #{fingerprint} did not match expected digest WR:ON:G!")
       end
     end
+
+    context 'when refreshing a CA bundle' do
+      before :each do
+        Puppet[:ca_refresh_interval] = '1s'
+        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_cacerts).and_return(cacerts)
+
+        yesterday = Time.now - (24 * 60 * 60)
+        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:ca_last_update).and_return(yesterday)
+      end
+
+      let(:new_ca_bundle) do
+        # add 'unknown' cert to the bundle
+        [cacert, cert_fixture('intermediate.pem'), cert_fixture('unknown-ca.pem')].map(&:to_pem)
+      end
+
+      it 'uses the local CA if it has not been modified' do
+        stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 304)
+
+        expect(state.next_state.ssl_context.cacerts).to eq(cacerts)
+      end
+
+      it 'uses the local CA if refreshing fails in HTTP layer' do
+        stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 503)
+
+        expect(state.next_state.ssl_context.cacerts).to eq(cacerts)
+      end
+
+      it 'uses the local CA if refreshing fails in TCP layer' do
+        stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_raise(Errno::ECONNREFUSED)
+
+        expect(state.next_state.ssl_context.cacerts).to eq(cacerts)
+      end
+
+      it 'uses the updated crl for the future requests' do
+        stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: new_ca_bundle.join)
+
+        expect(state.next_state.ssl_context.cacerts.map(&:to_pem)).to eq(new_ca_bundle)
+      end
+
+      it 'updates the `last_update` time on successful CA refresh' do
+        stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: new_ca_bundle.join)
+
+        expect_any_instance_of(Puppet::X509::CertProvider).to receive(:ca_last_update=).with(be_within(60).of(Time.now))
+
+        state.next_state
+      end
+
+      it "does not update the `last_update` time when CA refresh fails" do
+        stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_raise(Errno::ECONNREFUSED)
+
+        expect_any_instance_of(Puppet::X509::CertProvider).to receive(:ca_last_update=).never
+
+        state.next_state
+      end
+
+      it 'forces the NeedCRLs to refresh' do
+        stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: new_ca_bundle.join)
+
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::NeedCRLs)
+        expect(st.force_crl_refresh).to eq(true)
+      end
+    end
   end
 
   context 'NeedCRLs' do
@@ -533,6 +608,7 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
 
       allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_crls).and_return(crls)
 
+      # we're expecting a net/http request to never be made
       state.next_state
     end
 
@@ -669,6 +745,26 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
           state.next_state
         }.to raise_error(OpenSSL::PKey::RSAError)
       end
+
+      it "transitions to Done if current time plus renewal interval is less than cert's \"NotAfter\" time" do
+        allow(cert_provider).to receive(:load_private_key).and_return(private_key)
+        allow(cert_provider).to receive(:load_client_cert).and_return(client_cert)
+
+        st = state.next_state
+        expect(st).to be_instance_of(Puppet::SSL::StateMachine::Done)
+      end
+
+      it "returns NeedRenewedCert if current time plus renewal interval is greater than cert's \"NotAfter\" time" do
+        client_cert.not_after=(Time.now + 300)
+        allow(cert_provider).to receive(:load_private_key).and_return(private_key)
+        allow(cert_provider).to receive(:load_client_cert).and_return(client_cert)
+
+        ssl_context = Puppet::SSL::SSLContext.new(cacerts: [cacert], client_cert: client_cert, crls: [crl])
+        state = Puppet::SSL::StateMachine::NeedKey.new(machine, ssl_context)
+
+        st = state.next_state
+        expect(st).to be_instance_of(Puppet::SSL::StateMachine::NeedRenewedCert)
+      end
     end
 
     context 'in state NeedSubmitCSR' do
@@ -710,7 +806,7 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
         state.next_state
       end
 
-      it 'includes CSR attributes' do
+      it 'includes CSR attributes', :unless => RUBY_PLATFORM == 'java' do
         Puppet[:csr_attributes] = write_csr_attributes(
           'custom_attributes' => {
               '1.3.6.1.4.1.34380.1.2.1' => 'CSR specific info',
@@ -724,7 +820,8 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
             csr.custom_attributes
           ).to contain_exactly(
                  {'oid' => '1.3.6.1.4.1.34380.1.2.1', 'value' => 'CSR specific info'},
-                 {'oid' => '1.3.6.1.4.1.34380.1.2.2', 'value' => 'more CSR specific info'}
+                 {'oid' => '1.3.6.1.4.1.34380.1.2.2', 'value' => 'more CSR specific info'},
+                 {'oid' => 'pp_auth_auto_renew', 'value' => 'true'}
                )
         end.to_return(status: 200)
 
@@ -973,5 +1070,48 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
         expect(state.next_state).to be_an_instance_of(Puppet::SSL::StateMachine::LockFailure)
       end
     end
+
+    context 'in state NeedRenewedCert' do
+      before :each do
+        client_cert.not_after=(Time.now + 300)
+      end
+
+      let(:ssl_context) { Puppet::SSL::SSLContext.new(cacerts: cacerts, client_cert: client_cert, crls: crls,)}
+      let(:state) { Puppet::SSL::StateMachine::NeedRenewedCert.new(machine, ssl_context, private_key) }
+      let(:renewed_cert) { cert_fixture('renewed.pem') }
+
+      it 'returns Done with renewed cert when successful' do
+        allow(cert_provider).to receive(:save_client_cert)
+        stub_request(:post, %r{puppet-ca/v1/certificate_renewal}).to_return(status: 200, body: renewed_cert.to_pem)
+
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Done)
+        expect(st.ssl_context[:client_cert]).to eq(renewed_cert)
+      end
+
+      it 'logs a warning message when failing with a non-404 status' do
+        stub_request(:post, %r{puppet-ca/v1/certificate_renewal}).to_return(status: 400, body: 'Failed to automatically renew certificate: 400 Bad request')
+
+        expect(Puppet).to receive(:warning).with(/Failed to automatically renew certificate/)
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Done)
+      end
+
+      it 'logs an info message when failing with 404' do
+        stub_request(:post, %r{puppet-ca/v1/certificate_renewal}).to_return(status: 404, body: 'Certificate autorenewal has not been enabled on the server.')
+
+        expect(Puppet).to receive(:info).with('Certificate autorenewal has not been enabled on the server.')
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Done)
+      end
+
+      it 'logs a warning message when failing with no HTTP status' do
+        stub_request(:post, %r{puppet-ca/v1/certificate_renewal}).to_raise(Errno::ECONNREFUSED)
+
+        expect(Puppet).to receive(:warning).with(/Unable to automatically renew certificate:/)
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Done)
+      end
+    end
   end
 end

data/spec/unit/x509/cert_provider_spec.rb

@@ -586,6 +586,55 @@ describe Puppet::X509::CertProvider do
     end
   end
 
+  context 'when creating', :unless => RUBY_PLATFORM == 'java' do
+    context 'requests' do
+      let(:name) { 'tom' }
+      let(:requestdir) { tmpdir('cert_provider') }
+      let(:provider) { create_provider(requestdir: requestdir) }
+      let(:key) { OpenSSL::PKey::RSA.new(Puppet[:keylength]) }
+
+      it 'has the auto-renew attribute by default for agents that support automatic renewal' do
+        csr = provider.create_request(name, key)
+        # need to create CertificateRequest instance from csr in order to view CSR attributes
+        wrapped_csr = Puppet::SSL::CertificateRequest.from_instance csr
+        expect(wrapped_csr.custom_attributes).to include('oid' => 'pp_auth_auto_renew', 'value' => 'true')
+      end
+
+      it 'does not have the auto-renew attribute for agents that do not support automatic renewal' do
+        Puppet[:hostcert_renewal_interval] = 0
+        csr = provider.create_request(name, key)
+        wrapped_csr = Puppet::SSL::CertificateRequest.from_instance csr
+        expect(wrapped_csr.custom_attributes.length).to eq(0)
+      end
+    end
+  end
+
+  context 'CA last update time' do
+    let(:ca_path) { tmpfile('pem_ca') }
+
+    it 'returns nil if the CA does not exist' do
+      provider = create_provider(capath: '/does/not/exist')
+
+      expect(provider.ca_last_update).to be_nil
+    end
+
+    it 'returns the last update time' do
+      time = Time.now - 30
+      Puppet::FileSystem.touch(ca_path, mtime: time)
+      provider = create_provider(capath: ca_path)
+
+      expect(provider.ca_last_update).to be_within(1).of(time)
+    end
+
+    it 'sets the last update time' do
+      time = Time.now - 30
+      provider = create_provider(capath: ca_path)
+      provider.ca_last_update = time
+
+      expect(Puppet::FileSystem.stat(ca_path).mtime).to be_within(1).of(time)
+    end
+  end
+
   context 'CRL last update time' do
     let(:crl_path) { tmpfile('pem_crls') }
 

data/tasks/generate_cert_fixtures.rake

@@ -94,6 +94,10 @@ task(:gen_cert_fixtures) do
   save(dir, 'signed.pem', signed[:cert])
   save(dir, 'signed-key.pem', signed[:private_key])
 
+  # Create a cert for host "renewed" and issued by "Test CA Subauthority"
+  renewed = ca.create_cert('renewed', inter[:cert], inter[:private_key], reuse_key: signed[:private_key])
+  save(dir, 'renewed.pem', renewed[:cert])
+
   # Create an encrypted version of the above private key for host "signed"
   save(dir, 'encrypted-key.pem', signed[:private_key]) do |x509|
     # private key password was chosen at random

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet
 version: !ruby/object:Gem::Version
-  version: 8.0.1
+  version: 8.2.0
 platform: universal-darwin
 authors:
 - Puppet Labs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-04-26 00:00:00.000000000 Z
+date: 2023-08-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -113,9 +113,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 1.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -123,9 +120,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 1.2.0
 - !ruby/object:Gem::Dependency
   name: deep_merge
   requirement: !ruby/object:Gem::Requirement
@@ -1346,6 +1340,7 @@ files:
 - spec/fixtures/ssl/oid.pem
 - spec/fixtures/ssl/pluto-key.pem
 - spec/fixtures/ssl/pluto.pem
+- spec/fixtures/ssl/renewed.pem
 - spec/fixtures/ssl/request-key.pem
 - spec/fixtures/ssl/request.pem
 - spec/fixtures/ssl/revoked-key.pem
@@ -2537,7 +2532,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.4.12
 signing_key: 
 specification_version: 4
 summary: Puppet, an automated configuration management tool
@@ -2609,6 +2604,7 @@ test_files:
 - spec/fixtures/ssl/oid.pem
 - spec/fixtures/ssl/pluto-key.pem
 - spec/fixtures/ssl/pluto.pem
+- spec/fixtures/ssl/renewed.pem
 - spec/fixtures/ssl/request-key.pem
 - spec/fixtures/ssl/request.pem
 - spec/fixtures/ssl/revoked-key.pem