puppet 8.0.1-x86-mingw32 → 8.2.0-x86-mingw32
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CODEOWNERS +5 -5
- data/Gemfile.lock +47 -39
- data/ext/project_data.yaml +1 -1
- data/lib/puppet/defaults.rb +37 -7
- data/lib/puppet/http/client.rb +12 -5
- data/lib/puppet/http/service/ca.rb +32 -2
- data/lib/puppet/node/environment.rb +6 -4
- data/lib/puppet/pops/evaluator/deferred_resolver.rb +20 -3
- data/lib/puppet/ssl/oids.rb +2 -0
- data/lib/puppet/ssl/ssl_provider.rb +1 -1
- data/lib/puppet/ssl/state_machine.rb +143 -14
- data/lib/puppet/thread_local.rb +1 -4
- data/lib/puppet/version.rb +1 -1
- data/lib/puppet/x509/cert_provider.rb +29 -0
- data/locales/puppet.pot +2346 -2310
- data/man/man5/puppet.conf.5 +31 -3
- data/man/man8/puppet-agent.8 +1 -1
- data/man/man8/puppet-apply.8 +1 -1
- data/man/man8/puppet-catalog.8 +1 -1
- data/man/man8/puppet-config.8 +1 -1
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +1 -1
- data/man/man8/puppet-filebucket.8 +1 -1
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +1 -1
- data/man/man8/puppet-lookup.8 +1 -1
- data/man/man8/puppet-module.8 +1 -1
- data/man/man8/puppet-node.8 +1 -1
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +1 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +1 -1
- data/man/man8/puppet.8 +2 -2
- data/spec/fixtures/ssl/127.0.0.1-key.pem +107 -107
- data/spec/fixtures/ssl/127.0.0.1.pem +52 -51
- data/spec/fixtures/ssl/bad-basic-constraints.pem +56 -56
- data/spec/fixtures/ssl/bad-int-basic-constraints.pem +53 -53
- data/spec/fixtures/ssl/ca.pem +54 -54
- data/spec/fixtures/ssl/crl.pem +26 -26
- data/spec/fixtures/ssl/ec-key.pem +11 -11
- data/spec/fixtures/ssl/ec.pem +33 -32
- data/spec/fixtures/ssl/encrypted-ec-key.pem +12 -12
- data/spec/fixtures/ssl/encrypted-key.pem +108 -108
- data/spec/fixtures/ssl/intermediate-agent-crl.pem +26 -26
- data/spec/fixtures/ssl/intermediate-agent.pem +56 -56
- data/spec/fixtures/ssl/intermediate-crl.pem +29 -29
- data/spec/fixtures/ssl/intermediate.pem +53 -53
- data/spec/fixtures/ssl/oid-key.pem +107 -107
- data/spec/fixtures/ssl/oid.pem +51 -50
- data/spec/fixtures/ssl/pluto-key.pem +107 -107
- data/spec/fixtures/ssl/pluto.pem +52 -51
- data/spec/fixtures/ssl/renewed.pem +67 -0
- data/spec/fixtures/ssl/request-key.pem +107 -107
- data/spec/fixtures/ssl/request.pem +50 -48
- data/spec/fixtures/ssl/revoked-key.pem +107 -107
- data/spec/fixtures/ssl/revoked.pem +51 -50
- data/spec/fixtures/ssl/signed-key.pem +107 -107
- data/spec/fixtures/ssl/signed.pem +49 -48
- data/spec/fixtures/ssl/tampered-cert.pem +51 -50
- data/spec/fixtures/ssl/tampered-csr.pem +50 -48
- data/spec/fixtures/ssl/unknown-127.0.0.1-key.pem +107 -107
- data/spec/fixtures/ssl/unknown-127.0.0.1.pem +50 -49
- data/spec/fixtures/ssl/unknown-ca-key.pem +107 -107
- data/spec/fixtures/ssl/unknown-ca.pem +54 -54
- data/spec/integration/application/agent_spec.rb +63 -13
- data/spec/integration/application/apply_spec.rb +14 -0
- data/spec/integration/http/client_spec.rb +16 -0
- data/spec/lib/puppet/test_ca.rb +3 -10
- data/spec/unit/application/lookup_spec.rb +1 -0
- data/spec/unit/defaults_spec.rb +2 -40
- data/spec/unit/file_system/path_pattern_spec.rb +15 -0
- data/spec/unit/http/service/ca_spec.rb +83 -0
- data/spec/unit/ssl/ssl_provider_spec.rb +20 -0
- data/spec/unit/ssl/state_machine_spec.rb +143 -3
- data/spec/unit/x509/cert_provider_spec.rb +49 -0
- data/tasks/generate_cert_fixtures.rake +4 -0
- metadata +5 -9
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: cb262f46be9104598978c3941387c9df75d721c635fe403e7c4426efacb87f4f
|
4
|
+
data.tar.gz: ae6866634e1e346ef8a28a964cfa1552c02f8afe21ca4894682cc850656afb1c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 5b33b9646dd7bafea8dbb994abf35c838fb708ff9032ff6a9da22ef79da52c10460e8387f18b7c32dc7b9ce2fe1820c5d5cde04463665d35e06ecbdee34568ca
|
7
|
+
data.tar.gz: d826de6788fbe4fb802c2ff1be076783669a6c257ba2332ceca5d3e2bae64a576a4a5f8bcccab1f23f983b5b0bd4b2624106de27e6f35199d2beff79e5c6e94d
|
data/CODEOWNERS
CHANGED
@@ -1,11 +1,11 @@
|
|
1
1
|
# defaults
|
2
|
-
* @puppetlabs/phoenix
|
2
|
+
* @puppetlabs/phoenix
|
3
3
|
|
4
4
|
# PAL
|
5
5
|
/lib/puppet/pal @puppetlabs/bolt
|
6
6
|
|
7
7
|
# puppet module
|
8
|
-
/lib/puppet/application/module.rb @puppetlabs/
|
9
|
-
/lib/puppet/face/module @puppetlabs/
|
10
|
-
/lib/puppet/forge @puppetlabs/
|
11
|
-
/lib/puppet/module_tool @puppetlabs/
|
8
|
+
/lib/puppet/application/module.rb @puppetlabs/modules
|
9
|
+
/lib/puppet/face/module @puppetlabs/modules
|
10
|
+
/lib/puppet/forge @puppetlabs/modules
|
11
|
+
/lib/puppet/module_tool @puppetlabs/modules
|
data/Gemfile.lock
CHANGED
@@ -1,9 +1,23 @@
|
|
1
|
+
GIT
|
2
|
+
remote: https://github.com/puppetlabs/packaging
|
3
|
+
revision: affecba5dfacc5862fc7199895ccf11b69153570
|
4
|
+
branch: 1.0.x
|
5
|
+
specs:
|
6
|
+
packaging (0)
|
7
|
+
apt_stage_artifacts
|
8
|
+
artifactory (~> 3)
|
9
|
+
csv (>= 3.1.5)
|
10
|
+
google-cloud-storage
|
11
|
+
googleauth
|
12
|
+
rake (>= 12.3)
|
13
|
+
release-metrics
|
14
|
+
|
1
15
|
PATH
|
2
16
|
remote: .
|
3
17
|
specs:
|
4
|
-
puppet (8.0
|
18
|
+
puppet (8.2.0)
|
5
19
|
CFPropertyList (~> 2.2)
|
6
|
-
concurrent-ruby (~> 1.0
|
20
|
+
concurrent-ruby (~> 1.0)
|
7
21
|
deep_merge (~> 1.0)
|
8
22
|
facter (>= 4.3.0, < 5)
|
9
23
|
fast_gettext (>= 2.1, < 3)
|
@@ -14,47 +28,48 @@ PATH
|
|
14
28
|
semantic_puppet (~> 1.0)
|
15
29
|
|
16
30
|
GEM
|
17
|
-
remote: https://
|
31
|
+
remote: https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
|
18
32
|
specs:
|
19
33
|
CFPropertyList (2.3.6)
|
20
|
-
addressable (2.8.
|
34
|
+
addressable (2.8.5)
|
21
35
|
public_suffix (>= 2.0.2, < 6.0)
|
22
36
|
apt_stage_artifacts (0.11.0)
|
23
37
|
docopt
|
24
38
|
artifactory (3.0.15)
|
25
39
|
ast (2.4.2)
|
26
40
|
coderay (1.1.3)
|
27
|
-
concurrent-ruby (1.
|
41
|
+
concurrent-ruby (1.2.2)
|
28
42
|
crack (0.4.5)
|
29
43
|
rexml
|
30
|
-
csv (3.2.
|
44
|
+
csv (3.2.7)
|
31
45
|
declarative (0.0.20)
|
32
46
|
deep_merge (1.2.2)
|
33
47
|
diff-lcs (1.5.0)
|
34
|
-
digest-crc (0.6.
|
48
|
+
digest-crc (0.6.5)
|
35
49
|
rake (>= 12.0.0, < 14.0.0)
|
36
50
|
docopt (0.6.1)
|
37
51
|
erubi (1.12.0)
|
38
|
-
facter (4.4.
|
52
|
+
facter (4.4.2)
|
39
53
|
hocon (~> 1.3)
|
40
54
|
thor (>= 1.0.1, < 2.0)
|
41
|
-
faraday (2.7.
|
55
|
+
faraday (2.7.10)
|
42
56
|
faraday-net_http (>= 2.0, < 3.1)
|
43
57
|
ruby2_keywords (>= 0.0.4)
|
44
58
|
faraday-net_http (3.0.2)
|
45
59
|
fast_gettext (2.3.0)
|
46
60
|
ffi (1.15.5)
|
47
61
|
forwardable (1.3.3)
|
48
|
-
gettext (3.4.
|
62
|
+
gettext (3.4.7)
|
49
63
|
erubi
|
50
64
|
locale (>= 2.0.5)
|
51
65
|
prime
|
66
|
+
racc
|
52
67
|
text (>= 1.3.0)
|
53
68
|
gettext-setup (1.1.0)
|
54
69
|
fast_gettext (~> 2.1)
|
55
70
|
gettext (~> 3.4)
|
56
71
|
locale
|
57
|
-
google-apis-core (0.11.
|
72
|
+
google-apis-core (0.11.1)
|
58
73
|
addressable (~> 2.5, >= 2.5.1)
|
59
74
|
googleauth (>= 0.16.2, < 2.a)
|
60
75
|
httpclient (>= 2.8.1, < 3.a)
|
@@ -81,7 +96,7 @@ GEM
|
|
81
96
|
google-cloud-core (~> 1.6)
|
82
97
|
googleauth (>= 0.16.2, < 2.a)
|
83
98
|
mini_mime (~> 1.0)
|
84
|
-
googleauth (1.
|
99
|
+
googleauth (1.7.0)
|
85
100
|
faraday (>= 0.17.3, < 3.a)
|
86
101
|
jwt (>= 1.4, < 3.0)
|
87
102
|
memoist (~> 0.16)
|
@@ -89,7 +104,7 @@ GEM
|
|
89
104
|
os (>= 0.9, < 2.0)
|
90
105
|
signet (>= 0.16, < 2.a)
|
91
106
|
hashdiff (1.0.1)
|
92
|
-
hiera-eyaml (3.
|
107
|
+
hiera-eyaml (3.4.0)
|
93
108
|
highline
|
94
109
|
optimist
|
95
110
|
highline (2.1.0)
|
@@ -98,46 +113,39 @@ GEM
|
|
98
113
|
httpclient (2.8.3)
|
99
114
|
json-schema (2.8.1)
|
100
115
|
addressable (>= 2.4)
|
101
|
-
jwt (2.7.
|
116
|
+
jwt (2.7.1)
|
102
117
|
locale (2.1.3)
|
103
118
|
memoist (0.16.2)
|
104
119
|
memory_profiler (1.0.1)
|
105
120
|
method_source (1.0.0)
|
106
|
-
mini_mime (1.1.
|
121
|
+
mini_mime (1.1.5)
|
107
122
|
minitar (0.9)
|
108
|
-
msgpack (1.7.
|
123
|
+
msgpack (1.7.2)
|
109
124
|
multi_json (1.15.0)
|
110
125
|
mustache (1.1.1)
|
111
|
-
optimist (3.0
|
126
|
+
optimist (3.1.0)
|
112
127
|
os (1.1.4)
|
113
|
-
packaging (0.109.7)
|
114
|
-
apt_stage_artifacts
|
115
|
-
artifactory (~> 3)
|
116
|
-
csv (>= 3.1.5)
|
117
|
-
google-cloud-storage
|
118
|
-
googleauth
|
119
|
-
rake (>= 12.3)
|
120
|
-
release-metrics
|
121
128
|
parallel (1.23.0)
|
122
|
-
parser (3.2.2.
|
129
|
+
parser (3.2.2.3)
|
123
130
|
ast (~> 2.4.1)
|
131
|
+
racc
|
124
132
|
prime (0.1.2)
|
125
133
|
forwardable
|
126
134
|
singleton
|
127
135
|
pry (0.14.2)
|
128
136
|
coderay (~> 1.1)
|
129
137
|
method_source (~> 1.0)
|
130
|
-
public_suffix (5.0.
|
131
|
-
puppet-resource_api (1.
|
138
|
+
public_suffix (5.0.3)
|
139
|
+
puppet-resource_api (1.9.0)
|
132
140
|
hocon (>= 1.0)
|
133
|
-
puppetserver-ca (2.
|
141
|
+
puppetserver-ca (2.6.0)
|
134
142
|
facter (>= 2.0.1, < 5)
|
135
143
|
racc (1.5.2)
|
136
144
|
rainbow (3.1.1)
|
137
145
|
rake (13.0.6)
|
138
|
-
rdiscount (2.2.7)
|
146
|
+
rdiscount (2.2.7.1)
|
139
147
|
rdoc (6.3.3)
|
140
|
-
regexp_parser (2.8.
|
148
|
+
regexp_parser (2.8.1)
|
141
149
|
release-metrics (1.1.0)
|
142
150
|
csv
|
143
151
|
docopt
|
@@ -146,7 +154,7 @@ GEM
|
|
146
154
|
trailblazer-option (>= 0.1.1, < 0.2.0)
|
147
155
|
uber (< 0.2.0)
|
148
156
|
retriable (3.1.2)
|
149
|
-
rexml (3.2.
|
157
|
+
rexml (3.2.6)
|
150
158
|
ronn (0.7.3)
|
151
159
|
hpricot (>= 0.8.2)
|
152
160
|
mustache (>= 0.7.0)
|
@@ -163,10 +171,10 @@ GEM
|
|
163
171
|
rspec-its (1.3.0)
|
164
172
|
rspec-core (>= 3.0.0)
|
165
173
|
rspec-expectations (>= 3.0.0)
|
166
|
-
rspec-mocks (3.12.
|
174
|
+
rspec-mocks (3.12.6)
|
167
175
|
diff-lcs (>= 1.2.0, < 2.0)
|
168
176
|
rspec-support (~> 3.12.0)
|
169
|
-
rspec-support (3.12.
|
177
|
+
rspec-support (3.12.1)
|
170
178
|
rubocop (1.28.0)
|
171
179
|
parallel (~> 1.10)
|
172
180
|
parser (>= 3.1.0.0)
|
@@ -176,7 +184,7 @@ GEM
|
|
176
184
|
rubocop-ast (>= 1.17.0, < 2.0)
|
177
185
|
ruby-progressbar (~> 1.7)
|
178
186
|
unicode-display_width (>= 1.4.0, < 3.0)
|
179
|
-
rubocop-ast (1.
|
187
|
+
rubocop-ast (1.29.0)
|
180
188
|
parser (>= 3.2.1.0)
|
181
189
|
rubocop-i18n (3.0.0)
|
182
190
|
rubocop (~> 1.0)
|
@@ -192,11 +200,11 @@ GEM
|
|
192
200
|
multi_json (~> 1.10)
|
193
201
|
singleton (0.1.1)
|
194
202
|
text (1.3.1)
|
195
|
-
thor (1.2.
|
203
|
+
thor (1.2.2)
|
196
204
|
trailblazer-option (0.1.2)
|
197
205
|
uber (0.1.0)
|
198
206
|
unicode-display_width (2.4.2)
|
199
|
-
vcr (6.
|
207
|
+
vcr (6.2.0)
|
200
208
|
webmock (3.18.1)
|
201
209
|
addressable (>= 2.8.0)
|
202
210
|
crack (>= 0.3.2)
|
@@ -218,7 +226,7 @@ DEPENDENCIES
|
|
218
226
|
memory_profiler
|
219
227
|
minitar (~> 0.9)
|
220
228
|
msgpack (~> 1.2)
|
221
|
-
packaging
|
229
|
+
packaging!
|
222
230
|
pry
|
223
231
|
puppet!
|
224
232
|
puppet-resource_api (~> 1.5)
|
@@ -240,4 +248,4 @@ DEPENDENCIES
|
|
240
248
|
yard
|
241
249
|
|
242
250
|
BUNDLED WITH
|
243
|
-
2.
|
251
|
+
2.4.12
|
data/ext/project_data.yaml
CHANGED
data/lib/puppet/defaults.rb
CHANGED
@@ -4,11 +4,7 @@ require_relative '../puppet/util/platform'
|
|
4
4
|
module Puppet
|
5
5
|
|
6
6
|
def self.default_diffargs
|
7
|
-
|
8
|
-
""
|
9
|
-
else
|
10
|
-
"-u"
|
11
|
-
end
|
7
|
+
'-u'
|
12
8
|
end
|
13
9
|
|
14
10
|
def self.default_digest_algorithm
|
@@ -1212,6 +1208,24 @@ EOT
|
|
1212
1208
|
:desc => "The default TTL for new certificates.
|
1213
1209
|
#{AS_DURATION}",
|
1214
1210
|
},
|
1211
|
+
:ca_refresh_interval => {
|
1212
|
+
:default => "1d",
|
1213
|
+
:type => :duration,
|
1214
|
+
:desc => "How often the Puppet agent refreshes its local CA certs. By
|
1215
|
+
default the CA certs are refreshed once every 24 hours. If a different
|
1216
|
+
duration is specified, then the agent will refresh its CA certs whenever
|
1217
|
+
it next runs and the elapsed time since the certs were last refreshed
|
1218
|
+
exceeds the duration.
|
1219
|
+
|
1220
|
+
In general, the duration should be greater than the `runinterval`.
|
1221
|
+
Setting it to 0 or an equal or lesser value than `runinterval`,
|
1222
|
+
will cause the CA certs to be refreshed on every run.
|
1223
|
+
|
1224
|
+
If the agent downloads new CA certs, the agent will use it for subsequent
|
1225
|
+
network requests. If the refresh request fails or if the CA certs are
|
1226
|
+
unchanged on the server, then the agent run will continue using the
|
1227
|
+
local CA certs it already has. #{AS_DURATION}",
|
1228
|
+
},
|
1215
1229
|
:crl_refresh_interval => {
|
1216
1230
|
:default => "1d",
|
1217
1231
|
:type => :duration,
|
@@ -1222,14 +1236,30 @@ EOT
|
|
1222
1236
|
exceeds the duration.
|
1223
1237
|
|
1224
1238
|
In general, the duration should be greater than the `runinterval`.
|
1225
|
-
Setting it to an equal or lesser value
|
1226
|
-
refreshed on every run.
|
1239
|
+
Setting it to 0 or an equal or lesser value than `runinterval`,
|
1240
|
+
will cause the CRL to be refreshed on every run.
|
1227
1241
|
|
1228
1242
|
If the agent downloads a new CRL, the agent will use it for subsequent
|
1229
1243
|
network requests. If the refresh request fails or if the CRL is
|
1230
1244
|
unchanged on the server, then the agent run will continue using the
|
1231
1245
|
local CRL it already has.#{AS_DURATION}",
|
1232
1246
|
},
|
1247
|
+
:hostcert_renewal_interval => {
|
1248
|
+
:default => "30d",
|
1249
|
+
:type => :duration,
|
1250
|
+
:desc => "How often the Puppet agent refreshes its client certificate.
|
1251
|
+
By default the client certificate is refreshed once every 30 days. If
|
1252
|
+
a different duration is specified, then the agent will refresh its
|
1253
|
+
client certificate whenever it next runs and the elapsed time since the
|
1254
|
+
client certificate was last refreshed exceeds the duration.
|
1255
|
+
|
1256
|
+
In general, the duration should be greater than the `runinterval`.
|
1257
|
+
Setting it to 0 will disable automatic renewal.
|
1258
|
+
|
1259
|
+
If the agent downloads a new certificate, the agent will use it for subsequent
|
1260
|
+
network requests. If the refresh request fails, then the agent run will continue using the
|
1261
|
+
certificate it already has. #{AS_DURATION}",
|
1262
|
+
},
|
1233
1263
|
:keylength => {
|
1234
1264
|
:default => 4096,
|
1235
1265
|
:type => :integer,
|
data/lib/puppet/http/client.rb
CHANGED
@@ -368,6 +368,7 @@ class Puppet::HTTP::Client
|
|
368
368
|
apply_auth(request, basic_auth) if redirects.zero?
|
369
369
|
|
370
370
|
# don't call return within the `request` block
|
371
|
+
close_and_sleep = nil
|
371
372
|
http.request(request) do |nethttp|
|
372
373
|
response = Puppet::HTTP::ResponseNetHTTP.new(request.uri, nethttp)
|
373
374
|
begin
|
@@ -381,12 +382,14 @@ class Puppet::HTTP::Client
|
|
381
382
|
interval = @retry_after_handler.retry_after_interval(request, response, retries)
|
382
383
|
retries += 1
|
383
384
|
if interval
|
384
|
-
|
385
|
-
|
386
|
-
|
385
|
+
close_and_sleep = proc do
|
386
|
+
if http.started?
|
387
|
+
Puppet.debug("Closing connection for #{Puppet::HTTP::Site.from_uri(request.uri)}")
|
388
|
+
http.finish
|
389
|
+
end
|
390
|
+
Puppet.warning(_("Sleeping for %{interval} seconds before retrying the request") % { interval: interval })
|
391
|
+
::Kernel.sleep(interval)
|
387
392
|
end
|
388
|
-
Puppet.warning(_("Sleeping for %{interval} seconds before retrying the request") % { interval: interval })
|
389
|
-
::Kernel.sleep(interval)
|
390
393
|
next
|
391
394
|
end
|
392
395
|
end
|
@@ -405,6 +408,10 @@ class Puppet::HTTP::Client
|
|
405
408
|
|
406
409
|
done = true
|
407
410
|
end
|
411
|
+
ensure
|
412
|
+
# If a server responded with a retry, make sure the connection is closed and then
|
413
|
+
# sleep the specified time.
|
414
|
+
close_and_sleep.call if close_and_sleep
|
408
415
|
end
|
409
416
|
end
|
410
417
|
|
@@ -28,16 +28,21 @@ class Puppet::HTTP::Service::Ca < Puppet::HTTP::Service
|
|
28
28
|
# Submit a GET request to retrieve the named certificate from the server.
|
29
29
|
#
|
30
30
|
# @param [String] name name of the certificate to request
|
31
|
+
# @param [Time] if_modified_since If not nil, only download the cert if it has
|
32
|
+
# been modified since the specified time.
|
31
33
|
# @param [Puppet::SSL::SSLContext] ssl_context
|
32
34
|
#
|
33
35
|
# @return [Array<Puppet::HTTP::Response, String>] An array containing the
|
34
36
|
# request response and the stringified body of the request response
|
35
37
|
#
|
36
38
|
# @api public
|
37
|
-
def get_certificate(name, ssl_context: nil)
|
39
|
+
def get_certificate(name, if_modified_since: nil, ssl_context: nil)
|
40
|
+
headers = add_puppet_headers(HEADERS)
|
41
|
+
headers['If-Modified-Since'] = if_modified_since.httpdate if if_modified_since
|
42
|
+
|
38
43
|
response = @client.get(
|
39
44
|
with_base_url("/certificate/#{name}"),
|
40
|
-
headers:
|
45
|
+
headers: headers,
|
41
46
|
options: {ssl_context: ssl_context}
|
42
47
|
)
|
43
48
|
|
@@ -99,4 +104,29 @@ class Puppet::HTTP::Service::Ca < Puppet::HTTP::Service
|
|
99
104
|
|
100
105
|
response
|
101
106
|
end
|
107
|
+
|
108
|
+
# Submit a POST request to send a certificate renewal request to the server
|
109
|
+
#
|
110
|
+
# @param [Puppet::SSL::SSLContext] ssl_context
|
111
|
+
#
|
112
|
+
# @return [Array<Puppet::HTTP::Response, String>] The request response
|
113
|
+
#
|
114
|
+
# @api public
|
115
|
+
def post_certificate_renewal(ssl_context)
|
116
|
+
headers = add_puppet_headers(HEADERS)
|
117
|
+
headers['Content-Type'] = 'text/plain'
|
118
|
+
|
119
|
+
response = @client.post(
|
120
|
+
with_base_url('/certificate_renewal'),
|
121
|
+
'', # Puppet::HTTP::Client.post requires a body, the API endpoint does not
|
122
|
+
headers: headers,
|
123
|
+
options: {ssl_context: ssl_context}
|
124
|
+
)
|
125
|
+
|
126
|
+
raise ArgumentError.new(_('SSL context must contain a client certificate.')) unless ssl_context.client_cert
|
127
|
+
|
128
|
+
process_response(response)
|
129
|
+
|
130
|
+
[response, response.body.to_s]
|
131
|
+
end
|
102
132
|
end
|
@@ -592,10 +592,12 @@ class Puppet::Node::Environment
|
|
592
592
|
if file == NO_MANIFEST
|
593
593
|
empty_parse_result
|
594
594
|
elsif File.directory?(file)
|
595
|
-
|
596
|
-
|
597
|
-
|
598
|
-
|
595
|
+
# JRuby does not properly perform Dir.glob operations with wildcards, (see PUP-11788 and https://github.com/jruby/jruby/issues/7836).
|
596
|
+
# We sort the results because Dir.glob order is inconsistent in Ruby < 3 (see PUP-10115).
|
597
|
+
parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*')).glob.select {|globbed_file| globbed_file.end_with?('.pp')}.sort.map do | file_to_parse |
|
598
|
+
parser.file = file_to_parse
|
599
|
+
parser.parse
|
600
|
+
end
|
599
601
|
# Use a parser type specific merger to concatenate the results
|
600
602
|
Puppet::Parser::AST::Hostclass.new('', :code => Puppet::Parser::ParserFactory.code_merger.concatenate(parse_results))
|
601
603
|
else
|
@@ -10,7 +10,13 @@ class DeferredValue
|
|
10
10
|
end
|
11
11
|
|
12
12
|
def resolve
|
13
|
-
@proc.call
|
13
|
+
val = @proc.call
|
14
|
+
# Deferred sensitive values will be marked as such in resolve_futures()
|
15
|
+
if val.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
|
16
|
+
val.unwrap
|
17
|
+
else
|
18
|
+
val
|
19
|
+
end
|
14
20
|
end
|
15
21
|
end
|
16
22
|
|
@@ -88,8 +94,12 @@ class DeferredResolver
|
|
88
94
|
#
|
89
95
|
if resolved.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
|
90
96
|
resolved = resolved.unwrap
|
91
|
-
|
92
|
-
|
97
|
+
mark_sensitive_parameters(r, k)
|
98
|
+
# If the value is a DeferredValue and it has an argument of type PSensitiveType, mark it as sensitive
|
99
|
+
# The DeferredValue.resolve method will unwrap it during catalog application
|
100
|
+
elsif resolved.is_a?(Puppet::Pops::Evaluator::DeferredValue)
|
101
|
+
if v.arguments.any? {|arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType)}
|
102
|
+
mark_sensitive_parameters(r, k)
|
93
103
|
end
|
94
104
|
end
|
95
105
|
overrides[ k ] = resolved
|
@@ -98,6 +108,13 @@ class DeferredResolver
|
|
98
108
|
end
|
99
109
|
end
|
100
110
|
|
111
|
+
def mark_sensitive_parameters(r, k)
|
112
|
+
unless r.sensitive_parameters.include?(k.to_sym)
|
113
|
+
r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
|
114
|
+
end
|
115
|
+
end
|
116
|
+
private :mark_sensitive_parameters
|
117
|
+
|
101
118
|
def resolve(x)
|
102
119
|
if x.class == @deferred_class
|
103
120
|
resolve_future(x)
|
data/lib/puppet/ssl/oids.rb
CHANGED
@@ -71,7 +71,9 @@ module Puppet::SSL::Oids
|
|
71
71
|
["1.3.6.1.4.1.34380.1.3", 'ppAuthCertExt', 'Puppet Certificate Authorization Extension'],
|
72
72
|
|
73
73
|
["1.3.6.1.4.1.34380.1.3.1", 'pp_authorization', 'Certificate Extension Authorization'],
|
74
|
+
["1.3.6.1.4.1.34380.1.3.2", 'pp_auth_auto_renew', 'Auto-Renew Certificate Attribute'],
|
74
75
|
["1.3.6.1.4.1.34380.1.3.13", 'pp_auth_role', 'Puppet Node Role Name for Authorization'],
|
76
|
+
["1.3.6.1.4.1.34380.1.3.39", 'pp_cli_auth', 'Puppetserver CA CLI Authorization'],
|
75
77
|
]
|
76
78
|
|
77
79
|
@did_register_puppet_oids = false
|
@@ -225,7 +225,7 @@ class Puppet::SSL::SSLProvider
|
|
225
225
|
ssl_context.crls.each do |crl|
|
226
226
|
oid_values = Hash[crl.extensions.map { |ext| [ext.oid, ext.value] }]
|
227
227
|
crlNumber = oid_values['crlNumber'] || 'unknown'
|
228
|
-
authKeyId = (oid_values['authorityKeyIdentifier'] || 'unknown').chomp
|
228
|
+
authKeyId = (oid_values['authorityKeyIdentifier'] || 'unknown').chomp
|
229
229
|
Puppet.debug("Using CRL '#{crl.issuer.to_utf8}' authorityKeyIdentifier '#{authKeyId}' crlNumber '#{crlNumber }'")
|
230
230
|
end
|
231
231
|
end
|