puppet 8.0.1-x86-mingw32 → 8.2.0-x86-mingw32

Files changed (83)
  1. checksums.yaml +4 -4
  2. data/CODEOWNERS +5 -5
  3. data/Gemfile.lock +47 -39
  4. data/ext/project_data.yaml +1 -1
  5. data/lib/puppet/defaults.rb +37 -7
  6. data/lib/puppet/http/client.rb +12 -5
  7. data/lib/puppet/http/service/ca.rb +32 -2
  8. data/lib/puppet/node/environment.rb +6 -4
  9. data/lib/puppet/pops/evaluator/deferred_resolver.rb +20 -3
  10. data/lib/puppet/ssl/oids.rb +2 -0
  11. data/lib/puppet/ssl/ssl_provider.rb +1 -1
  12. data/lib/puppet/ssl/state_machine.rb +143 -14
  13. data/lib/puppet/thread_local.rb +1 -4
  14. data/lib/puppet/version.rb +1 -1
  15. data/lib/puppet/x509/cert_provider.rb +29 -0
  16. data/locales/puppet.pot +2346 -2310
  17. data/man/man5/puppet.conf.5 +31 -3
  18. data/man/man8/puppet-agent.8 +1 -1
  19. data/man/man8/puppet-apply.8 +1 -1
  20. data/man/man8/puppet-catalog.8 +1 -1
  21. data/man/man8/puppet-config.8 +1 -1
  22. data/man/man8/puppet-describe.8 +1 -1
  23. data/man/man8/puppet-device.8 +1 -1
  24. data/man/man8/puppet-doc.8 +1 -1
  25. data/man/man8/puppet-epp.8 +1 -1
  26. data/man/man8/puppet-facts.8 +1 -1
  27. data/man/man8/puppet-filebucket.8 +1 -1
  28. data/man/man8/puppet-generate.8 +1 -1
  29. data/man/man8/puppet-help.8 +1 -1
  30. data/man/man8/puppet-lookup.8 +1 -1
  31. data/man/man8/puppet-module.8 +1 -1
  32. data/man/man8/puppet-node.8 +1 -1
  33. data/man/man8/puppet-parser.8 +1 -1
  34. data/man/man8/puppet-plugin.8 +1 -1
  35. data/man/man8/puppet-report.8 +1 -1
  36. data/man/man8/puppet-resource.8 +1 -1
  37. data/man/man8/puppet-script.8 +1 -1
  38. data/man/man8/puppet-ssl.8 +1 -1
  39. data/man/man8/puppet.8 +2 -2
  40. data/spec/fixtures/ssl/127.0.0.1-key.pem +107 -107
  41. data/spec/fixtures/ssl/127.0.0.1.pem +52 -51
  42. data/spec/fixtures/ssl/bad-basic-constraints.pem +56 -56
  43. data/spec/fixtures/ssl/bad-int-basic-constraints.pem +53 -53
  44. data/spec/fixtures/ssl/ca.pem +54 -54
  45. data/spec/fixtures/ssl/crl.pem +26 -26
  46. data/spec/fixtures/ssl/ec-key.pem +11 -11
  47. data/spec/fixtures/ssl/ec.pem +33 -32
  48. data/spec/fixtures/ssl/encrypted-ec-key.pem +12 -12
  49. data/spec/fixtures/ssl/encrypted-key.pem +108 -108
  50. data/spec/fixtures/ssl/intermediate-agent-crl.pem +26 -26
  51. data/spec/fixtures/ssl/intermediate-agent.pem +56 -56
  52. data/spec/fixtures/ssl/intermediate-crl.pem +29 -29
  53. data/spec/fixtures/ssl/intermediate.pem +53 -53
  54. data/spec/fixtures/ssl/oid-key.pem +107 -107
  55. data/spec/fixtures/ssl/oid.pem +51 -50
  56. data/spec/fixtures/ssl/pluto-key.pem +107 -107
  57. data/spec/fixtures/ssl/pluto.pem +52 -51
  58. data/spec/fixtures/ssl/renewed.pem +67 -0
  59. data/spec/fixtures/ssl/request-key.pem +107 -107
  60. data/spec/fixtures/ssl/request.pem +50 -48
  61. data/spec/fixtures/ssl/revoked-key.pem +107 -107
  62. data/spec/fixtures/ssl/revoked.pem +51 -50
  63. data/spec/fixtures/ssl/signed-key.pem +107 -107
  64. data/spec/fixtures/ssl/signed.pem +49 -48
  65. data/spec/fixtures/ssl/tampered-cert.pem +51 -50
  66. data/spec/fixtures/ssl/tampered-csr.pem +50 -48
  67. data/spec/fixtures/ssl/unknown-127.0.0.1-key.pem +107 -107
  68. data/spec/fixtures/ssl/unknown-127.0.0.1.pem +50 -49
  69. data/spec/fixtures/ssl/unknown-ca-key.pem +107 -107
  70. data/spec/fixtures/ssl/unknown-ca.pem +54 -54
  71. data/spec/integration/application/agent_spec.rb +63 -13
  72. data/spec/integration/application/apply_spec.rb +14 -0
  73. data/spec/integration/http/client_spec.rb +16 -0
  74. data/spec/lib/puppet/test_ca.rb +3 -10
  75. data/spec/unit/application/lookup_spec.rb +1 -0
  76. data/spec/unit/defaults_spec.rb +2 -40
  77. data/spec/unit/file_system/path_pattern_spec.rb +15 -0
  78. data/spec/unit/http/service/ca_spec.rb +83 -0
  79. data/spec/unit/ssl/ssl_provider_spec.rb +20 -0
  80. data/spec/unit/ssl/state_machine_spec.rb +143 -3
  81. data/spec/unit/x509/cert_provider_spec.rb +49 -0
  82. data/tasks/generate_cert_fixtures.rake +4 -0
  83. metadata +5 -9
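--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 0aae7b2e9c931345ae31b6d554fd9a61991c425ead1a5fe2d9a11953010dd78c
- data.tar.gz: 11fc8d36afbc752431421b696c6fbcae16aa4f28ab064cf004336d4748f1d938
+ metadata.gz: cb262f46be9104598978c3941387c9df75d721c635fe403e7c4426efacb87f4f
+ data.tar.gz: ae6866634e1e346ef8a28a964cfa1552c02f8afe21ca4894682cc850656afb1c
  SHA512:
- metadata.gz: 8aef1c6af1f239041f090cf03fda08bb27703f3b7b8844fc298bc416ebc159d05b46b1b2fcaa048633bd85194deb96619fffb2d9b15a1549afbc58f3e6c386f2
- data.tar.gz: 528c25dc7f81fc6603722b36f2c908a0687eb94ac59953e6a9c1b7e7846be375c90dff7cac3bff8f5e5d72e9cb5657f07a884dec443aa46b0a2d41ecd212d8e9
+ metadata.gz: 5b33b9646dd7bafea8dbb994abf35c838fb708ff9032ff6a9da22ef79da52c10460e8387f18b7c32dc7b9ce2fe1820c5d5cde04463665d35e06ecbdee34568ca
+ data.tar.gz: d826de6788fbe4fb802c2ff1be076783669a6c257ba2332ceca5d3e2bae64a576a4a5f8bcccab1f23f983b5b0bd4b2624106de27e6f35199d2beff79e5c6e94d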
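--- a/data/CODEOWNERS
+++ b/data/CODEOWNERS
@@ -1,11 +1,11 @@
  # defaults
- * @puppetlabs/phoenix @puppetlabs/puppetserver-maintainers
+ * @puppetlabs/phoenix
 
  # PAL
  /lib/puppet/pal @puppetlabs/bolt
 
  # puppet module
- /lib/puppet/application/module.rb @puppetlabs/pdk
- /lib/puppet/face/module @puppetlabs/pdk
- /lib/puppet/forge @puppetlabs/pdk
- /lib/puppet/module_tool @puppetlabs/pdk
+ /lib/puppet/application/module.rb @puppetlabs/modules
+ /lib/puppet/face/module @puppetlabs/modules
+ /lib/puppet/forge @puppetlabs/modules
+ /lib/puppet/module_tool @puppetlabs/modules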
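--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,9 +1,23 @@
+ GIT
+ remote: https://github.com/puppetlabs/packaging
+ revision: affecba5dfacc5862fc7199895ccf11b69153570
+ branch: 1.0.x
+ specs:
+ packaging (0)
+ apt_stage_artifacts
+ artifactory (~> 3)
+ csv (>= 3.1.5)
+ google-cloud-storage
+ googleauth
+ rake (>= 12.3)
+ release-metrics
+
  PATH
  remote: .
  specs:
- puppet (8.0.1)
+ puppet (8.2.0)
  CFPropertyList (~> 2.2)
- concurrent-ruby (~> 1.0, < 1.2.0)
+ concurrent-ruby (~> 1.0)
  deep_merge (~> 1.0)
  facter (>= 4.3.0, < 5)
  fast_gettext (>= 2.1, < 3)
@@ -14,47 +28,48 @@ PATH
  semantic_puppet (~> 1.0)
 
  GEM
- remote: https://rubygems.org/
+ remote: https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
  specs:
  CFPropertyList (2.3.6)
- addressable (2.8.4)
+ addressable (2.8.5)
  public_suffix (>= 2.0.2, < 6.0)
  apt_stage_artifacts (0.11.0)
  docopt
  artifactory (3.0.15)
  ast (2.4.2)
  coderay (1.1.3)
- concurrent-ruby (1.1.10)
+ concurrent-ruby (1.2.2)
  crack (0.4.5)
  rexml
- csv (3.2.6)
+ csv (3.2.7)
  declarative (0.0.20)
  deep_merge (1.2.2)
  diff-lcs (1.5.0)
- digest-crc (0.6.4)
+ digest-crc (0.6.5)
  rake (>= 12.0.0, < 14.0.0)
  docopt (0.6.1)
  erubi (1.12.0)
- facter (4.4.0)
+ facter (4.4.2)
  hocon (~> 1.3)
  thor (>= 1.0.1, < 2.0)
- faraday (2.7.4)
+ faraday (2.7.10)
  faraday-net_http (>= 2.0, < 3.1)
  ruby2_keywords (>= 0.0.4)
  faraday-net_http (3.0.2)
  fast_gettext (2.3.0)
  ffi (1.15.5)
  forwardable (1.3.3)
- gettext (3.4.3)
+ gettext (3.4.7)
  erubi
  locale (>= 2.0.5)
  prime
+ racc
  text (>= 1.3.0)
  gettext-setup (1.1.0)
  fast_gettext (~> 2.1)
  gettext (~> 3.4)
  locale
- google-apis-core (0.11.0)
+ google-apis-core (0.11.1)
  addressable (~> 2.5, >= 2.5.1)
  googleauth (>= 0.16.2, < 2.a)
  httpclient (>= 2.8.1, < 3.a)
@@ -81,7 +96,7 @@ GEM
  google-cloud-core (~> 1.6)
  googleauth (>= 0.16.2, < 2.a)
  mini_mime (~> 1.0)
- googleauth (1.5.2)
+ googleauth (1.7.0)
  faraday (>= 0.17.3, < 3.a)
  jwt (>= 1.4, < 3.0)
  memoist (~> 0.16)
@@ -89,7 +104,7 @@ GEM
  os (>= 0.9, < 2.0)
  signet (>= 0.16, < 2.a)
  hashdiff (1.0.1)
- hiera-eyaml (3.3.0)
+ hiera-eyaml (3.4.0)
  highline
  optimist
  highline (2.1.0)
@@ -98,46 +113,39 @@ GEM
  httpclient (2.8.3)
  json-schema (2.8.1)
  addressable (>= 2.4)
- jwt (2.7.0)
+ jwt (2.7.1)
  locale (2.1.3)
  memoist (0.16.2)
  memory_profiler (1.0.1)
  method_source (1.0.0)
- mini_mime (1.1.2)
+ mini_mime (1.1.5)
  minitar (0.9)
- msgpack (1.7.0)
+ msgpack (1.7.2)
  multi_json (1.15.0)
  mustache (1.1.1)
- optimist (3.0.1)
+ optimist (3.1.0)
  os (1.1.4)
- packaging (0.109.7)
- apt_stage_artifacts
- artifactory (~> 3)
- csv (>= 3.1.5)
- google-cloud-storage
- googleauth
- rake (>= 12.3)
- release-metrics
  parallel (1.23.0)
- parser (3.2.2.1)
+ parser (3.2.2.3)
  ast (~> 2.4.1)
+ racc
  prime (0.1.2)
  forwardable
  singleton
  pry (0.14.2)
  coderay (~> 1.1)
  method_source (~> 1.0)
- public_suffix (5.0.1)
- puppet-resource_api (1.8.14)
+ public_suffix (5.0.3)
+ puppet-resource_api (1.9.0)
  hocon (>= 1.0)
- puppetserver-ca (2.5.0)
+ puppetserver-ca (2.6.0)
  facter (>= 2.0.1, < 5)
  racc (1.5.2)
  rainbow (3.1.1)
  rake (13.0.6)
- rdiscount (2.2.7)
+ rdiscount (2.2.7.1)
  rdoc (6.3.3)
- regexp_parser (2.8.0)
+ regexp_parser (2.8.1)
  release-metrics (1.1.0)
  csv
  docopt
@@ -146,7 +154,7 @@ GEM
  trailblazer-option (>= 0.1.1, < 0.2.0)
  uber (< 0.2.0)
  retriable (3.1.2)
- rexml (3.2.5)
+ rexml (3.2.6)
  ronn (0.7.3)
  hpricot (>= 0.8.2)
  mustache (>= 0.7.0)
@@ -163,10 +171,10 @@ GEM
  rspec-its (1.3.0)
  rspec-core (>= 3.0.0)
  rspec-expectations (>= 3.0.0)
- rspec-mocks (3.12.5)
+ rspec-mocks (3.12.6)
  diff-lcs (>= 1.2.0, < 2.0)
  rspec-support (~> 3.12.0)
- rspec-support (3.12.0)
+ rspec-support (3.12.1)
  rubocop (1.28.0)
  parallel (~> 1.10)
  parser (>= 3.1.0.0)
@@ -176,7 +184,7 @@ GEM
  rubocop-ast (>= 1.17.0, < 2.0)
  ruby-progressbar (~> 1.7)
  unicode-display_width (>= 1.4.0, < 3.0)
- rubocop-ast (1.28.0)
+ rubocop-ast (1.29.0)
  parser (>= 3.2.1.0)
  rubocop-i18n (3.0.0)
  rubocop (~> 1.0)
@@ -192,11 +200,11 @@ GEM
  multi_json (~> 1.10)
  singleton (0.1.1)
  text (1.3.1)
- thor (1.2.1)
+ thor (1.2.2)
  trailblazer-option (0.1.2)
  uber (0.1.0)
  unicode-display_width (2.4.2)
- vcr (6.1.0)
+ vcr (6.2.0)
  webmock (3.18.1)
  addressable (>= 2.8.0)
  crack (>= 0.3.2)
@@ -218,7 +226,7 @@ DEPENDENCIES
  memory_profiler
  minitar (~> 0.9)
  msgpack (~> 1.2)
- packaging (~> 0.99)
+ packaging!
  pry
  puppet!
  puppet-resource_api (~> 1.5)
@@ -240,4 +248,4 @@ DEPENDENCIES
  yard
 
  BUNDLED WITH
- 2.3.22
+ 2.4.12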
@@ -24,7 +24,7 @@ gem_runtime_dependencies:
24
24
  locale: '~> 2.1'
25
25
  multi_json: '~> 1.13'
26
26
  puppet-resource_api: '~>1.5'
27
- concurrent-ruby: ["~> 1.0", "< 1.2.0"]
27
+ concurrent-ruby: "~> 1.0"
28
28
  deep_merge: '~> 1.0'
29
29
  scanf: '~> 1.0'
30
30
  gem_rdoc_options:
@@ -4,11 +4,7 @@ require_relative '../puppet/util/platform'
4
4
  module Puppet
5
5
 
6
6
  def self.default_diffargs
7
- if (Puppet.runtime[:facter].value(:kernel) == "AIX" && Puppet.runtime[:facter].value(:kernelmajversion) == "5300")
8
- ""
9
- else
10
- "-u"
11
- end
7
+ '-u'
12
8
  end
13
9
 
14
10
  def self.default_digest_algorithm
@@ -1212,6 +1208,24 @@ EOT
1212
1208
  :desc => "The default TTL for new certificates.
1213
1209
  #{AS_DURATION}",
1214
1210
  },
1211
+ :ca_refresh_interval => {
1212
+ :default => "1d",
1213
+ :type => :duration,
1214
+ :desc => "How often the Puppet agent refreshes its local CA certs. By
1215
+ default the CA certs are refreshed once every 24 hours. If a different
1216
+ duration is specified, then the agent will refresh its CA certs whenever
1217
+ it next runs and the elapsed time since the certs were last refreshed
1218
+ exceeds the duration.
1219
+
1220
+ In general, the duration should be greater than the `runinterval`.
1221
+ Setting it to 0 or an equal or lesser value than `runinterval`,
1222
+ will cause the CA certs to be refreshed on every run.
1223
+
1224
+ If the agent downloads new CA certs, the agent will use it for subsequent
1225
+ network requests. If the refresh request fails or if the CA certs are
1226
+ unchanged on the server, then the agent run will continue using the
1227
+ local CA certs it already has. #{AS_DURATION}",
1228
+ },
1215
1229
  :crl_refresh_interval => {
1216
1230
  :default => "1d",
1217
1231
  :type => :duration,
@@ -1222,14 +1236,30 @@ EOT
1222
1236
  exceeds the duration.
1223
1237
 
1224
1238
  In general, the duration should be greater than the `runinterval`.
1225
- Setting it to an equal or lesser value will cause the CRL to be
1226
- refreshed on every run.
1239
+ Setting it to 0 or an equal or lesser value than `runinterval`,
1240
+ will cause the CRL to be refreshed on every run.
1227
1241
 
1228
1242
  If the agent downloads a new CRL, the agent will use it for subsequent
1229
1243
  network requests. If the refresh request fails or if the CRL is
1230
1244
  unchanged on the server, then the agent run will continue using the
1231
1245
  local CRL it already has.#{AS_DURATION}",
1232
1246
  },
1247
+ :hostcert_renewal_interval => {
1248
+ :default => "30d",
1249
+ :type => :duration,
1250
+ :desc => "How often the Puppet agent refreshes its client certificate.
1251
+ By default the client certificate is refreshed once every 30 days. If
1252
+ a different duration is specified, then the agent will refresh its
1253
+ client certificate whenever it next runs and the elapsed time since the
1254
+ client certificate was last refreshed exceeds the duration.
1255
+
1256
+ In general, the duration should be greater than the `runinterval`.
1257
+ Setting it to 0 will disable automatic renewal.
1258
+
1259
+ If the agent downloads a new certificate, the agent will use it for subsequent
1260
+ network requests. If the refresh request fails, then the agent run will continue using the
1261
+ certificate it already has. #{AS_DURATION}",
1262
+ },
1233
1263
  :keylength => {
1234
1264
  :default => 4096,
1235
1265
  :type => :integer,
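Review bot: The value 0 means opposite things in the settings documented side by side here: for `ca_refresh_interval` and `crl_refresh_interval` it forces a refresh on every run, while for the new `hostcert_renewal_interval` it disables renewal altogether, and the new `:desc` text never calls the difference out. An operator who sets 0 on all three expecting "always refresh" would stop client-certificate renewal without any warning, so I would extend that sentence to `Setting it to 0 will disable automatic renewal (unlike ca_refresh_interval and crl_refresh_interval, where 0 means refresh on every run).` In the `ca_refresh_interval` text, "the agent will use it" follows the plural "new CA certs"; `use them` reads correctly. The settings hash these entries belong to starts and ends outside the hunks.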
@@ -368,6 +368,7 @@ class Puppet::HTTP::Client
368
368
  apply_auth(request, basic_auth) if redirects.zero?
369
369
 
370
370
  # don't call return within the `request` block
371
+ close_and_sleep = nil
371
372
  http.request(request) do |nethttp|
372
373
  response = Puppet::HTTP::ResponseNetHTTP.new(request.uri, nethttp)
373
374
  begin
@@ -381,12 +382,14 @@ class Puppet::HTTP::Client
381
382
  interval = @retry_after_handler.retry_after_interval(request, response, retries)
382
383
  retries += 1
383
384
  if interval
384
- if http.started?
385
- Puppet.debug("Closing connection for #{Puppet::HTTP::Site.from_uri(request.uri)}")
386
- http.finish
385
+ close_and_sleep = proc do
386
+ if http.started?
387
+ Puppet.debug("Closing connection for #{Puppet::HTTP::Site.from_uri(request.uri)}")
388
+ http.finish
389
+ end
390
+ Puppet.warning(_("Sleeping for %{interval} seconds before retrying the request") % { interval: interval })
391
+ ::Kernel.sleep(interval)
387
392
  end
388
- Puppet.warning(_("Sleeping for %{interval} seconds before retrying the request") % { interval: interval })
389
- ::Kernel.sleep(interval)
390
393
  next
391
394
  end
392
395
  end
@@ -405,6 +408,10 @@ class Puppet::HTTP::Client
405
408
 
406
409
  done = true
407
410
  end
411
+ ensure
412
+ # If a server responded with a retry, make sure the connection is closed and then
413
+ # sleep the specified time.
414
+ close_and_sleep.call if close_and_sleep
408
415
  end
409
416
  end
410
417
 
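Review bot: The hand-off through `close_and_sleep` is not explained where it is declared: the comment directly above `close_and_sleep = nil` is about `return`, and only the later `ensure` comment hints that closing and sleeping are deferred until `http.request` has returned. I would add `# Set inside the block when the server asks for a retry; called from ensure so http.finish and the sleep run after the request block has exited` at the declaration. The value passed to `::Kernel.sleep` comes from `retry_after_interval`, whose bounds are not visible in these hunks; presumably it caps a server-supplied delay, which is worth confirming since the agent blocks for that long. The enclosing method and the `begin` that this `ensure` closes start outside the hunks.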
@@ -28,16 +28,21 @@ class Puppet::HTTP::Service::Ca < Puppet::HTTP::Service
28
28
  # Submit a GET request to retrieve the named certificate from the server.
29
29
  #
30
30
  # @param [String] name name of the certificate to request
31
+ # @param [Time] if_modified_since If not nil, only download the cert if it has
32
+ # been modified since the specified time.
31
33
  # @param [Puppet::SSL::SSLContext] ssl_context
32
34
  #
33
35
  # @return [Array<Puppet::HTTP::Response, String>] An array containing the
34
36
  # request response and the stringified body of the request response
35
37
  #
36
38
  # @api public
37
- def get_certificate(name, ssl_context: nil)
39
+ def get_certificate(name, if_modified_since: nil, ssl_context: nil)
40
+ headers = add_puppet_headers(HEADERS)
41
+ headers['If-Modified-Since'] = if_modified_since.httpdate if if_modified_since
42
+
38
43
  response = @client.get(
39
44
  with_base_url("/certificate/#{name}"),
40
- headers: add_puppet_headers(HEADERS),
45
+ headers: headers,
41
46
  options: {ssl_context: ssl_context}
42
47
  )
43
48
 
@@ -99,4 +104,29 @@ class Puppet::HTTP::Service::Ca < Puppet::HTTP::Service
99
104
 
100
105
  response
101
106
  end
107
+
108
+ # Submit a POST request to send a certificate renewal request to the server
109
+ #
110
+ # @param [Puppet::SSL::SSLContext] ssl_context
111
+ #
112
+ # @return [Array<Puppet::HTTP::Response, String>] The request response
113
+ #
114
+ # @api public
115
+ def post_certificate_renewal(ssl_context)
116
+ headers = add_puppet_headers(HEADERS)
117
+ headers['Content-Type'] = 'text/plain'
118
+
119
+ response = @client.post(
120
+ with_base_url('/certificate_renewal'),
121
+ '', # Puppet::HTTP::Client.post requires a body, the API endpoint does not
122
+ headers: headers,
123
+ options: {ssl_context: ssl_context}
124
+ )
125
+
126
+ raise ArgumentError.new(_('SSL context must contain a client certificate.')) unless ssl_context.client_cert
127
+
128
+ process_response(response)
129
+
130
+ [response, response.body.to_s]
131
+ end
102
132
  end
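Review bot: In `post_certificate_renewal` the guard `raise ArgumentError.new(_('SSL context must contain a client certificate.')) unless ssl_context.client_cert` sits after `@client.post`, so a context without a client certificate has already sent a renewal request before the argument is rejected, and a connection failure may surface instead of the ArgumentError. Moving that line to the top of the method, before `headers = add_puppet_headers(HEADERS)`, makes the precondition fail fast and keeps certificate-less renewal requests off the wire. In `get_certificate`, `headers['If-Modified-Since'] = ...` mutates whatever `add_puppet_headers(HEADERS)` returns; that helper is outside the hunks, so confirm it returns a fresh hash rather than the shared `HEADERS` constant. The `@return` tag on the new method describes an array but its text says only "The request response"; `An array containing the request response and the stringified body` would match `get_certificate`.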
@@ -592,10 +592,12 @@ class Puppet::Node::Environment
592
592
  if file == NO_MANIFEST
593
593
  empty_parse_result
594
594
  elsif File.directory?(file)
595
- parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*.pp')).glob.sort.map do | file_to_parse |
596
- parser.file = file_to_parse
597
- parser.parse
598
- end
595
+ # JRuby does not properly perform Dir.glob operations with wildcards, (see PUP-11788 and https://github.com/jruby/jruby/issues/7836).
596
+ # We sort the results because Dir.glob order is inconsistent in Ruby < 3 (see PUP-10115).
597
+ parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*')).glob.select {|globbed_file| globbed_file.end_with?('.pp')}.sort.map do | file_to_parse |
598
+ parser.file = file_to_parse
599
+ parser.parse
600
+ end
599
601
  # Use a parser type specific merger to concatenate the results
600
602
  Puppet::Parser::AST::Hostclass.new('', :code => Puppet::Parser::ParserFactory.code_merger.concatenate(parse_results))
601
603
  else
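Review bot: The replacement `parse_results = ...` line now chains glob, select, sort and map in a single statement well past 150 columns, which buries the `.pp` filter that is the point of the JRuby workaround. I would pull the file list into its own local, `manifests = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*')).glob.select { |path| path.end_with?('.pp') }.sort`, and then write `parse_results = manifests.map do |file_to_parse|`. With `'**/*'` the glob returns every entry under the manifest directory before filtering, so the cost now scales with the whole tree rather than with the number of manifests; a short comment saying so would help the next reader. The enclosing method starts and ends outside the hunk.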
@@ -10,7 +10,13 @@ class DeferredValue
10
10
  end
11
11
 
12
12
  def resolve
13
- @proc.call
13
+ val = @proc.call
14
+ # Deferred sensitive values will be marked as such in resolve_futures()
15
+ if val.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
16
+ val.unwrap
17
+ else
18
+ val
19
+ end
14
20
  end
15
21
  end
16
22
 
@@ -88,8 +94,12 @@ class DeferredResolver
88
94
  #
89
95
  if resolved.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
90
96
  resolved = resolved.unwrap
91
- unless r.sensitive_parameters.include?(k.to_sym)
92
- r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
97
+ mark_sensitive_parameters(r, k)
98
+ # If the value is a DeferredValue and it has an argument of type PSensitiveType, mark it as sensitive
99
+ # The DeferredValue.resolve method will unwrap it during catalog application
100
+ elsif resolved.is_a?(Puppet::Pops::Evaluator::DeferredValue)
101
+ if v.arguments.any? {|arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType)}
102
+ mark_sensitive_parameters(r, k)
93
103
  end
94
104
  end
95
105
  overrides[ k ] = resolved
@@ -98,6 +108,13 @@ class DeferredResolver
98
108
  end
99
109
  end
100
110
 
111
+ def mark_sensitive_parameters(r, k)
112
+ unless r.sensitive_parameters.include?(k.to_sym)
113
+ r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
114
+ end
115
+ end
116
+ private :mark_sensitive_parameters
117
+
101
118
  def resolve(x)
102
119
  if x.class == @deferred_class
103
120
  resolve_future(x)
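Review bot: `DeferredValue#resolve` now unwraps every `Sensitive` result, but `resolve_futures` only calls `mark_sensitive_parameters` when one of the top-level `v.arguments` is itself a `PSensitiveType`, so the two halves do not cover the same cases. A deferred function that returns a `Sensitive` without taking the Sensitive type as a direct argument, or that receives it nested inside an array or hash argument, would as far as these hunks show be unwrapped at apply time without the parameter being marked, presumably leaving the clear-text value exposed to ordinary logging and reporting. The comment `# Deferred sensitive values will be marked as such in resolve_futures()` therefore overstates the guarantee; I would reword it to `# Only marked in resolve_futures() when a top-level Deferred argument is the Sensitive type`, or have the caller of `resolve` mark the parameter whenever the proc returns a `Sensitive`. `resolve_futures` starts outside the hunk, so whether another path marks these parameters cannot be confirmed from here.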
@@ -71,7 +71,9 @@ module Puppet::SSL::Oids
71
71
  ["1.3.6.1.4.1.34380.1.3", 'ppAuthCertExt', 'Puppet Certificate Authorization Extension'],
72
72
 
73
73
  ["1.3.6.1.4.1.34380.1.3.1", 'pp_authorization', 'Certificate Extension Authorization'],
74
+ ["1.3.6.1.4.1.34380.1.3.2", 'pp_auth_auto_renew', 'Auto-Renew Certificate Attribute'],
74
75
  ["1.3.6.1.4.1.34380.1.3.13", 'pp_auth_role', 'Puppet Node Role Name for Authorization'],
76
+ ["1.3.6.1.4.1.34380.1.3.39", 'pp_cli_auth', 'Puppetserver CA CLI Authorization'],
75
77
  ]
76
78
 
77
79
  @did_register_puppet_oids = false
@@ -225,7 +225,7 @@ class Puppet::SSL::SSLProvider
225
225
  ssl_context.crls.each do |crl|
226
226
  oid_values = Hash[crl.extensions.map { |ext| [ext.oid, ext.value] }]
227
227
  crlNumber = oid_values['crlNumber'] || 'unknown'
228
- authKeyId = (oid_values['authorityKeyIdentifier'] || 'unknown').chomp!
228
+ authKeyId = (oid_values['authorityKeyIdentifier'] || 'unknown').chomp
229
229
  Puppet.debug("Using CRL '#{crl.issuer.to_utf8}' authorityKeyIdentifier '#{authKeyId}' crlNumber '#{crlNumber }'")
230
230
  end
231
231
  end