puppet 8.0.1-universal-darwin → 8.2.0-universal-darwin

data/lib/puppet/ssl/state_machine.rb

@@ -50,14 +50,25 @@ class Puppet::SSL::StateMachine
     def next_state
       Puppet.debug("Loading CA certs")
 
+      force_crl_refresh = false
+
       cacerts = @cert_provider.load_cacerts
       if cacerts
         next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
+
+        now = Time.now
+        last_update = @cert_provider.ca_last_update
+        if needs_refresh?(now, last_update)
+          # If we refresh the CA, then we need to force the CRL to be refreshed too,
+          # since if there is a new CA in the chain, then we need its CRL to check
+          # the full chain for revocation status.
+          next_ctx, force_crl_refresh = refresh_ca(next_ctx, last_update)
+        end
       else
         route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
         _, pem = route.get_certificate(Puppet::SSL::CA_NAME, ssl_context: @ssl_context)
         if @machine.ca_fingerprint
-          actual_digest = Puppet::SSL::Digest.new(@machine.digest, pem).to_hex
+          actual_digest = @machine.digest_as_hex(pem)
           expected_digest = @machine.ca_fingerprint.scan(/../).join(':').upcase
           if actual_digest == expected_digest
             Puppet.info(_("Verified CA bundle with digest (%{digest_type}) %{actual_digest}") %
@@ -74,7 +85,7 @@ class Puppet::SSL::StateMachine
         @cert_provider.save_cacerts(cacerts)
       end
 
-      NeedCRLs.new(@machine, next_ctx)
+      NeedCRLs.new(@machine, next_ctx, force_crl_refresh)
     rescue OpenSSL::X509::CertificateError => e
       Error.new(@machine, e.message, e)
     rescue Puppet::HTTP::ResponseError => e
@@ -84,6 +95,56 @@ class Puppet::SSL::StateMachine
         to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
       end
     end
+
+    private
+
+    def needs_refresh?(now, last_update)
+      return true if last_update.nil?
+
+      ca_ttl = Puppet[:ca_refresh_interval]
+      return false unless ca_ttl
+
+      now.to_i > last_update.to_i + ca_ttl
+    end
+
+    def refresh_ca(ssl_ctx, last_update)
+      Puppet.info(_("Refreshing CA certificate"))
+
+      # return the next_ctx containing the updated ca
+      next_ctx = [download_ca(ssl_ctx, last_update), true]
+
+      # After a successful refresh, update ca_last_update
+      @cert_provider.ca_last_update = Time.now
+
+      next_ctx
+    rescue Puppet::HTTP::ResponseError => e
+      if e.response.code == 304
+        Puppet.info(_("CA certificate is unmodified, using existing CA certificate"))
+      else
+        Puppet.info(_("Failed to refresh CA certificate, using existing CA certificate: %{message}") % {message: e.message})
+      end
+
+      # return the original ssl_ctx
+      [ssl_ctx, false]
+    rescue Puppet::HTTP::HTTPError => e
+      Puppet.warning(_("Failed to refresh CA certificate, using existing CA certificate: %{message}") % {message: e.message})
+
+      # return the original ssl_ctx
+      [ssl_ctx, false]
+    end
+
+    def download_ca(ssl_ctx, last_update)
+      route = @machine.session.route_to(:ca, ssl_context: ssl_ctx)
+      _, pem = route.get_certificate(Puppet::SSL::CA_NAME, if_modified_since: last_update, ssl_context: ssl_ctx)
+      cacerts = @cert_provider.load_cacerts_from_pem(pem)
+      # verify cacerts before saving
+      next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
+      @cert_provider.save_cacerts(cacerts)
+
+      Puppet.info("Refreshed CA certificate: #{@machine.digest_as_hex(pem)}")
+
+      next_ctx
+    end
   end
 
   # If revocation is enabled, load CRLs or download them, using the CA bundle
@@ -93,6 +154,13 @@ class Puppet::SSL::StateMachine
   # for which we don't have a CRL
   #
   class NeedCRLs < SSLState
+    attr_reader :force_crl_refresh
+
+    def initialize(machine, ssl_context, force_crl_refresh = false)
+      super(machine, ssl_context)
+      @force_crl_refresh = force_crl_refresh
+    end
+
     def next_state
       Puppet.debug("Loading CRLs")
 
@@ -102,15 +170,10 @@ class Puppet::SSL::StateMachine
         if crls
           next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
 
-          crl_ttl = Puppet[:crl_refresh_interval]
-          if crl_ttl
-            last_update = @cert_provider.crl_last_update
-            now = Time.now
-            if last_update.nil? || now.to_i > last_update.to_i + crl_ttl
-              # set last updated time first, then make a best effort to refresh
-              @cert_provider.crl_last_update = now
-              next_ctx = refresh_crl(next_ctx, last_update)
-            end
+          now = Time.now
+          last_update = @cert_provider.crl_last_update
+          if needs_refresh?(now, last_update)
+            next_ctx = refresh_crl(next_ctx, last_update)
           end
         else
           next_ctx = download_crl(@ssl_context, nil)
@@ -133,11 +196,25 @@ class Puppet::SSL::StateMachine
 
     private
 
+    def needs_refresh?(now, last_update)
+      return true if @force_crl_refresh || last_update.nil?
+
+      crl_ttl = Puppet[:crl_refresh_interval]
+      return false unless crl_ttl
+
+      now.to_i > last_update.to_i + crl_ttl
+    end
+
     def refresh_crl(ssl_ctx, last_update)
       Puppet.info(_("Refreshing CRL"))
 
       # return the next_ctx containing the updated crl
-      download_crl(ssl_ctx, last_update)
+      next_ctx = download_crl(ssl_ctx, last_update)
+
+      # After a successful refresh, update crl_last_update
+      @cert_provider.crl_last_update = Time.now
+
+      next_ctx
     rescue Puppet::HTTP::ResponseError => e
       if e.response.code == 304
         Puppet.info(_("CRL is unmodified, using existing CRL"))
@@ -162,6 +239,8 @@ class Puppet::SSL::StateMachine
       next_ctx = @ssl_provider.create_root_context(cacerts: ssl_ctx[:cacerts], crls: crls)
       @cert_provider.save_crls(crls)
 
+      Puppet.info("Refreshed CRL: #{@machine.digest_as_hex(pem)}")
+
       next_ctx
     end
   end
@@ -183,7 +262,11 @@ class Puppet::SSL::StateMachine
           next_ctx = @ssl_provider.create_context(
             cacerts: @ssl_context.cacerts, crls: @ssl_context.crls, private_key: key, client_cert: cert
           )
-          return Done.new(@machine, next_ctx)
+          if needs_refresh?(cert)
+            return NeedRenewedCert.new(@machine, next_ctx, key)
+          else
+            return Done.new(@machine, next_ctx)
+          end
         end
       else
         if Puppet[:key_type] == 'ec'
@@ -199,6 +282,15 @@ class Puppet::SSL::StateMachine
 
       NeedSubmitCSR.new(@machine, @ssl_context, key)
     end
+
+    private
+
+    def needs_refresh?(cert)
+      cert_ttl = Puppet[:hostcert_renewal_interval]
+      return false unless cert_ttl
+
+      Time.now.to_i >= (cert.not_after.to_i - cert_ttl)
+    end
   end
 
   # Base class for states with a private key.
@@ -270,6 +362,39 @@ class Puppet::SSL::StateMachine
     end
   end
 
+  # Class to renew a client/host certificate automatically.
+  #
+  class NeedRenewedCert < KeySSLState
+    def next_state
+      Puppet.debug(_("Renewing client certificate"))
+
+      route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
+      cert = OpenSSL::X509::Certificate.new(
+        route.post_certificate_renewal(@ssl_context)[1]
+      )
+
+      # verify client cert before saving
+      next_ctx = @ssl_provider.create_context(
+        cacerts: @ssl_context.cacerts, crls: @ssl_context.crls, private_key: @private_key, client_cert: cert
+      )
+      @cert_provider.save_client_cert(Puppet[:certname], cert)
+
+      Puppet.info(_("Renewed client certificate: %{cert_digest}, not before '%{not_before}', not after '%{not_after}'") % { cert_digest: @machine.digest_as_hex(cert.to_pem), not_before: cert.not_before, not_after: cert.not_after })
+      
+      Done.new(@machine, next_ctx)
+    rescue Puppet::HTTP::ResponseError => e
+      if e.response.code == 404
+        Puppet.info(_("Certificate autorenewal has not been enabled on the server."))
+      else
+        Puppet.warning(_("Failed to automatically renew certificate: %{code} %{reason}") % { code: e.response.code, reason: e.response.reason })
+      end
+      Done.new(@machine, @ssl_context)
+    rescue => e
+      Puppet.warning(_("Unable to automatically renew certificate: %{message}") % { message: e })
+      Done.new(@machine, @ssl_context)
+    end
+  end
+
   # We cannot make progress, so wait if allowed to do so, or exit.
   #
   class Wait < SSLState
@@ -421,7 +546,7 @@ class Puppet::SSL::StateMachine
     final_state.ssl_context
   end
 
-  # Run the state machine for CA certs and CRLs.
+  # Run the state machine for client certs.
   #
   # @return [Puppet::SSL::SSLContext] initialized SSLContext
   # @raise [Puppet::Error] If we fail to generate an SSLContext
@@ -441,6 +566,10 @@ class Puppet::SSL::StateMachine
     @lockfile.unlock
   end
 
+  def digest_as_hex(str)
+    Puppet::SSL::Digest.new(digest, str).to_hex
+  end
+
   private
 
   def run_machine(state, stop)

data/lib/puppet/thread_local.rb

@@ -1,8 +1,5 @@
 # frozen_string_literal: true
 require 'concurrent'
 
-# We want to use the pure Ruby implementation even on JRuby. If we use the Java
-# implementation of ThreadLocal, we end up leaking references to JRuby instances
-# and preventing them from being garbage collected.
-class Puppet::ThreadLocal < Concurrent::RubyThreadLocalVar
+class Puppet::ThreadLocal < Concurrent::ThreadLocalVar
 end

data/lib/puppet/version.rb

@@ -7,7 +7,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 
 module Puppet
-  PUPPETVERSION = '8.0.1'
+  PUPPETVERSION = '8.2.0'
 
   ##
   # version is a public API method intended to always provide a fast and

data/lib/puppet/x509/cert_provider.rb

@@ -147,6 +147,28 @@ class Puppet::X509::CertProvider
     Puppet::FileSystem.touch(@crlpath, mtime: time)
   end
 
+  # Return the time when the CA bundle was last updated.
+  #
+  # @return [Time, nil] Time when the CA bundle was last updated, or nil if we don't
+  #   have a CA bundle
+  #
+  # @api private
+  def ca_last_update
+    stat = Puppet::FileSystem.stat(@capath)
+    Time.at(stat.mtime)
+  rescue Errno::ENOENT
+    nil
+  end
+
+  # Set the CA bundle last updated time.
+  #
+  # @param time [Time] The last updated time
+  #
+  # @api private
+  def ca_last_update=(time)
+    Puppet::FileSystem.touch(@capath, mtime: time)
+  end
+
   # Save named private key in the configured `privatekeydir`. For
   # historical reasons, names are case insensitive.
   #
@@ -289,6 +311,13 @@ class Puppet::X509::CertProvider
       options[:extension_requests] = csr_attributes.extension_requests
     end
 
+    # Adds auto-renew attribute to CSR if the agent supports auto-renewal of
+    # certificates
+    if Puppet[:hostcert_renewal_interval] && Puppet[:hostcert_renewal_interval] > 0
+      options[:csr_attributes] ||= {}
+      options[:csr_attributes].merge!({'1.3.6.1.4.1.34380.1.3.2' => 'true'})
+    end
+
     csr = Puppet::SSL::CertificateRequest.new(name)
     csr.generate(private_key, options)
   end