puppet 8.0.1 → 8.1.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: c2712dbb0c625bbd48ae15db10408b408e1b8c1e6c213f1ab83d0b35839a47fb
4
- data.tar.gz: 11fc8d36afbc752431421b696c6fbcae16aa4f28ab064cf004336d4748f1d938
3
+ metadata.gz: 165d97e08b1afaa120800e044085a208b7386dcf5f6a4b6b730a077858d7d8ea
4
+ data.tar.gz: 1186f83bde61e09ef1bbbfca662481e474896fe61550df9bdb9546fac8d9f524
5
5
  SHA512:
6
- metadata.gz: 1d4117a7624fdd751604f1abbf048b228208ee3ba622fe228478e0c22febcccc25eeecaf68850fa23b2ddb3222f15cc4d076712148664f0b122939c4533faa8b
7
- data.tar.gz: 528c25dc7f81fc6603722b36f2c908a0687eb94ac59953e6a9c1b7e7846be375c90dff7cac3bff8f5e5d72e9cb5657f07a884dec443aa46b0a2d41ecd212d8e9
6
+ metadata.gz: b1633c2e8e5ac301e9f96e3aa64d7636a911a8d65d16d547e86395f00fff6d4179fbe0f6508699470971680d54ca6d55c6ae4e16364623e651167337ff2e7b1a
7
+ data.tar.gz: 58f214114d5d8d0e7f4bace9a31618a5c9b44da188a4ab8f753295c743287f35c4f28baa82abd8c858a01f0cdb7a175fa019e4b1459bb8e88a1b3d394944f4a9
data/CODEOWNERS CHANGED
@@ -1,11 +1,11 @@
1
1
  # defaults
2
- * @puppetlabs/phoenix @puppetlabs/puppetserver-maintainers
2
+ * @puppetlabs/phoenix
3
3
 
4
4
  # PAL
5
5
  /lib/puppet/pal @puppetlabs/bolt
6
6
 
7
7
  # puppet module
8
- /lib/puppet/application/module.rb @puppetlabs/pdk
9
- /lib/puppet/face/module @puppetlabs/pdk
10
- /lib/puppet/forge @puppetlabs/pdk
11
- /lib/puppet/module_tool @puppetlabs/pdk
8
+ /lib/puppet/application/module.rb @puppetlabs/modules
9
+ /lib/puppet/face/module @puppetlabs/modules
10
+ /lib/puppet/forge @puppetlabs/modules
11
+ /lib/puppet/module_tool @puppetlabs/modules
data/Gemfile.lock CHANGED
@@ -1,9 +1,23 @@
1
+ GIT
2
+ remote: https://github.com/puppetlabs/packaging
3
+ revision: 87a3396077f06e2341ad19e6fcd15f7c14ec02f9
4
+ branch: 1.0.x
5
+ specs:
6
+ packaging (0)
7
+ apt_stage_artifacts
8
+ artifactory (~> 3)
9
+ csv (>= 3.1.5)
10
+ google-cloud-storage
11
+ googleauth
12
+ rake (>= 12.3)
13
+ release-metrics
14
+
1
15
  PATH
2
16
  remote: .
3
17
  specs:
4
- puppet (8.0.1)
18
+ puppet (8.1.0)
5
19
  CFPropertyList (~> 2.2)
6
- concurrent-ruby (~> 1.0, < 1.2.0)
20
+ concurrent-ruby (~> 1.0)
7
21
  deep_merge (~> 1.0)
8
22
  facter (>= 4.3.0, < 5)
9
23
  fast_gettext (>= 2.1, < 3)
@@ -14,7 +28,7 @@ PATH
14
28
  semantic_puppet (~> 1.0)
15
29
 
16
30
  GEM
17
- remote: https://rubygems.org/
31
+ remote: https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
18
32
  specs:
19
33
  CFPropertyList (2.3.6)
20
34
  addressable (2.8.4)
@@ -24,7 +38,7 @@ GEM
24
38
  artifactory (3.0.15)
25
39
  ast (2.4.2)
26
40
  coderay (1.1.3)
27
- concurrent-ruby (1.1.10)
41
+ concurrent-ruby (1.2.2)
28
42
  crack (0.4.5)
29
43
  rexml
30
44
  csv (3.2.6)
@@ -38,17 +52,18 @@ GEM
38
52
  facter (4.4.0)
39
53
  hocon (~> 1.3)
40
54
  thor (>= 1.0.1, < 2.0)
41
- faraday (2.7.4)
55
+ faraday (2.7.6)
42
56
  faraday-net_http (>= 2.0, < 3.1)
43
57
  ruby2_keywords (>= 0.0.4)
44
58
  faraday-net_http (3.0.2)
45
59
  fast_gettext (2.3.0)
46
60
  ffi (1.15.5)
47
61
  forwardable (1.3.3)
48
- gettext (3.4.3)
62
+ gettext (3.4.4)
49
63
  erubi
50
64
  locale (>= 2.0.5)
51
65
  prime
66
+ racc
52
67
  text (>= 1.3.0)
53
68
  gettext-setup (1.1.0)
54
69
  fast_gettext (~> 2.1)
@@ -89,7 +104,7 @@ GEM
89
104
  os (>= 0.9, < 2.0)
90
105
  signet (>= 0.16, < 2.a)
91
106
  hashdiff (1.0.1)
92
- hiera-eyaml (3.3.0)
107
+ hiera-eyaml (3.4.0)
93
108
  highline
94
109
  optimist
95
110
  highline (2.1.0)
@@ -98,29 +113,22 @@ GEM
98
113
  httpclient (2.8.3)
99
114
  json-schema (2.8.1)
100
115
  addressable (>= 2.4)
101
- jwt (2.7.0)
116
+ jwt (2.7.1)
102
117
  locale (2.1.3)
103
118
  memoist (0.16.2)
104
119
  memory_profiler (1.0.1)
105
120
  method_source (1.0.0)
106
121
  mini_mime (1.1.2)
107
122
  minitar (0.9)
108
- msgpack (1.7.0)
123
+ msgpack (1.7.1)
109
124
  multi_json (1.15.0)
110
125
  mustache (1.1.1)
111
126
  optimist (3.0.1)
112
127
  os (1.1.4)
113
- packaging (0.109.7)
114
- apt_stage_artifacts
115
- artifactory (~> 3)
116
- csv (>= 3.1.5)
117
- google-cloud-storage
118
- googleauth
119
- rake (>= 12.3)
120
- release-metrics
121
128
  parallel (1.23.0)
122
- parser (3.2.2.1)
129
+ parser (3.2.2.3)
123
130
  ast (~> 2.4.1)
131
+ racc
124
132
  prime (0.1.2)
125
133
  forwardable
126
134
  singleton
@@ -130,14 +138,14 @@ GEM
130
138
  public_suffix (5.0.1)
131
139
  puppet-resource_api (1.8.14)
132
140
  hocon (>= 1.0)
133
- puppetserver-ca (2.5.0)
141
+ puppetserver-ca (2.6.0)
134
142
  facter (>= 2.0.1, < 5)
135
143
  racc (1.5.2)
136
144
  rainbow (3.1.1)
137
145
  rake (13.0.6)
138
146
  rdiscount (2.2.7)
139
147
  rdoc (6.3.3)
140
- regexp_parser (2.8.0)
148
+ regexp_parser (2.8.1)
141
149
  release-metrics (1.1.0)
142
150
  csv
143
151
  docopt
@@ -176,7 +184,7 @@ GEM
176
184
  rubocop-ast (>= 1.17.0, < 2.0)
177
185
  ruby-progressbar (~> 1.7)
178
186
  unicode-display_width (>= 1.4.0, < 3.0)
179
- rubocop-ast (1.28.0)
187
+ rubocop-ast (1.29.0)
180
188
  parser (>= 3.2.1.0)
181
189
  rubocop-i18n (3.0.0)
182
190
  rubocop (~> 1.0)
@@ -192,7 +200,7 @@ GEM
192
200
  multi_json (~> 1.10)
193
201
  singleton (0.1.1)
194
202
  text (1.3.1)
195
- thor (1.2.1)
203
+ thor (1.2.2)
196
204
  trailblazer-option (0.1.2)
197
205
  uber (0.1.0)
198
206
  unicode-display_width (2.4.2)
@@ -218,7 +226,7 @@ DEPENDENCIES
218
226
  memory_profiler
219
227
  minitar (~> 0.9)
220
228
  msgpack (~> 1.2)
221
- packaging (~> 0.99)
229
+ packaging!
222
230
  pry
223
231
  puppet!
224
232
  puppet-resource_api (~> 1.5)
@@ -240,4 +248,4 @@ DEPENDENCIES
240
248
  yard
241
249
 
242
250
  BUNDLED WITH
243
- 2.3.22
251
+ 2.4.12
@@ -24,7 +24,7 @@ gem_runtime_dependencies:
24
24
  locale: '~> 2.1'
25
25
  multi_json: '~> 1.13'
26
26
  puppet-resource_api: '~>1.5'
27
- concurrent-ruby: ["~> 1.0", "< 1.2.0"]
27
+ concurrent-ruby: "~> 1.0"
28
28
  deep_merge: '~> 1.0'
29
29
  scanf: '~> 1.0'
30
30
  gem_rdoc_options:
@@ -1212,6 +1212,24 @@ EOT
1212
1212
  :desc => "The default TTL for new certificates.
1213
1213
  #{AS_DURATION}",
1214
1214
  },
1215
+ :ca_refresh_interval => {
1216
+ :default => "1d",
1217
+ :type => :duration,
1218
+ :desc => "How often the Puppet agent refreshes its local CA certs. By
1219
+ default the CA certs are refreshed once every 24 hours. If a different
1220
+ duration is specified, then the agent will refresh its CA certs whenever
1221
+ it next runs and the elapsed time since the certs were last refreshed
1222
+ exceeds the duration.
1223
+
1224
+ In general, the duration should be greater than the `runinterval`.
1225
+ Setting it to 0 or an equal or lesser value than `runinterval`,
1226
+ will cause the CA certs to be refreshed on every run.
1227
+
1228
+ If the agent downloads new CA certs, the agent will use it for subsequent
1229
+ network requests. If the refresh request fails or if the CA certs are
1230
+ unchanged on the server, then the agent run will continue using the
1231
+ local CA certs it already has. #{AS_DURATION}",
1232
+ },
1215
1233
  :crl_refresh_interval => {
1216
1234
  :default => "1d",
1217
1235
  :type => :duration,
@@ -1222,8 +1240,8 @@ EOT
1222
1240
  exceeds the duration.
1223
1241
 
1224
1242
  In general, the duration should be greater than the `runinterval`.
1225
- Setting it to an equal or lesser value will cause the CRL to be
1226
- refreshed on every run.
1243
+ Setting it to 0 or an equal or lesser value than `runinterval`,
1244
+ will cause the CRL to be refreshed on every run.
1227
1245
 
1228
1246
  If the agent downloads a new CRL, the agent will use it for subsequent
1229
1247
  network requests. If the refresh request fails or if the CRL is
@@ -28,16 +28,21 @@ class Puppet::HTTP::Service::Ca < Puppet::HTTP::Service
28
28
  # Submit a GET request to retrieve the named certificate from the server.
29
29
  #
30
30
  # @param [String] name name of the certificate to request
31
+ # @param [Time] if_modified_since If not nil, only download the cert if it has
32
+ # been modified since the specified time.
31
33
  # @param [Puppet::SSL::SSLContext] ssl_context
32
34
  #
33
35
  # @return [Array<Puppet::HTTP::Response, String>] An array containing the
34
36
  # request response and the stringified body of the request response
35
37
  #
36
38
  # @api public
37
- def get_certificate(name, ssl_context: nil)
39
+ def get_certificate(name, if_modified_since: nil, ssl_context: nil)
40
+ headers = add_puppet_headers(HEADERS)
41
+ headers['If-Modified-Since'] = if_modified_since.httpdate if if_modified_since
42
+
38
43
  response = @client.get(
39
44
  with_base_url("/certificate/#{name}"),
40
- headers: add_puppet_headers(HEADERS),
45
+ headers: headers,
41
46
  options: {ssl_context: ssl_context}
42
47
  )
43
48
 
@@ -50,14 +50,28 @@ class Puppet::SSL::StateMachine
50
50
  def next_state
51
51
  Puppet.debug("Loading CA certs")
52
52
 
53
+ force_crl_refresh = false
54
+
53
55
  cacerts = @cert_provider.load_cacerts
54
56
  if cacerts
55
57
  next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
58
+
59
+ now = Time.now
60
+ last_update = @cert_provider.ca_last_update
61
+ if needs_refresh?(now, last_update)
62
+ # set last updated time first, then make a best effort to refresh
63
+ @cert_provider.ca_last_update = now
64
+
65
+ # If we refresh the CA, then we need to force the CRL to be refreshed too,
66
+ # since if there is a new CA in the chain, then we need its CRL to check
67
+ # the full chain for revocation status.
68
+ next_ctx, force_crl_refresh = refresh_ca(next_ctx, last_update)
69
+ end
56
70
  else
57
71
  route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
58
72
  _, pem = route.get_certificate(Puppet::SSL::CA_NAME, ssl_context: @ssl_context)
59
73
  if @machine.ca_fingerprint
60
- actual_digest = Puppet::SSL::Digest.new(@machine.digest, pem).to_hex
74
+ actual_digest = @machine.digest_as_hex(pem)
61
75
  expected_digest = @machine.ca_fingerprint.scan(/../).join(':').upcase
62
76
  if actual_digest == expected_digest
63
77
  Puppet.info(_("Verified CA bundle with digest (%{digest_type}) %{actual_digest}") %
@@ -74,7 +88,7 @@ class Puppet::SSL::StateMachine
74
88
  @cert_provider.save_cacerts(cacerts)
75
89
  end
76
90
 
77
- NeedCRLs.new(@machine, next_ctx)
91
+ NeedCRLs.new(@machine, next_ctx, force_crl_refresh)
78
92
  rescue OpenSSL::X509::CertificateError => e
79
93
  Error.new(@machine, e.message, e)
80
94
  rescue Puppet::HTTP::ResponseError => e
@@ -84,6 +98,51 @@ class Puppet::SSL::StateMachine
84
98
  to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
85
99
  end
86
100
  end
101
+
102
+ private
103
+
104
+ def needs_refresh?(now, last_update)
105
+ return true if last_update.nil?
106
+
107
+ ca_ttl = Puppet[:ca_refresh_interval]
108
+ return false unless ca_ttl
109
+
110
+ now.to_i > last_update.to_i + ca_ttl
111
+ end
112
+
113
+ def refresh_ca(ssl_ctx, last_update)
114
+ Puppet.info(_("Refreshing CA certificate"))
115
+
116
+ # return the next_ctx containing the updated ca
117
+ [download_ca(ssl_ctx, last_update), true]
118
+ rescue Puppet::HTTP::ResponseError => e
119
+ if e.response.code == 304
120
+ Puppet.info(_("CA certificate is unmodified, using existing CA certificate"))
121
+ else
122
+ Puppet.info(_("Failed to refresh CA certificate, using existing CA certificate: %{message}") % {message: e.message})
123
+ end
124
+
125
+ # return the original ssl_ctx
126
+ [ssl_ctx, false]
127
+ rescue Puppet::HTTP::HTTPError => e
128
+ Puppet.warning(_("Failed to refresh CA certificate, using existing CA certificate: %{message}") % {message: e.message})
129
+
130
+ # return the original ssl_ctx
131
+ [ssl_ctx, false]
132
+ end
133
+
134
+ def download_ca(ssl_ctx, last_update)
135
+ route = @machine.session.route_to(:ca, ssl_context: ssl_ctx)
136
+ _, pem = route.get_certificate(Puppet::SSL::CA_NAME, if_modified_since: last_update, ssl_context: ssl_ctx)
137
+ cacerts = @cert_provider.load_cacerts_from_pem(pem)
138
+ # verify cacerts before saving
139
+ next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
140
+ @cert_provider.save_cacerts(cacerts)
141
+
142
+ Puppet.info("Refreshed CA certificate: #{@machine.digest_as_hex(pem)}")
143
+
144
+ next_ctx
145
+ end
87
146
  end
88
147
 
89
148
  # If revocation is enabled, load CRLs or download them, using the CA bundle
@@ -93,6 +152,13 @@ class Puppet::SSL::StateMachine
93
152
  # for which we don't have a CRL
94
153
  #
95
154
  class NeedCRLs < SSLState
155
+ attr_reader :force_crl_refresh
156
+
157
+ def initialize(machine, ssl_context, force_crl_refresh = false)
158
+ super(machine, ssl_context)
159
+ @force_crl_refresh = force_crl_refresh
160
+ end
161
+
96
162
  def next_state
97
163
  Puppet.debug("Loading CRLs")
98
164
 
@@ -102,15 +168,12 @@ class Puppet::SSL::StateMachine
102
168
  if crls
103
169
  next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
104
170
 
105
- crl_ttl = Puppet[:crl_refresh_interval]
106
- if crl_ttl
107
- last_update = @cert_provider.crl_last_update
108
- now = Time.now
109
- if last_update.nil? || now.to_i > last_update.to_i + crl_ttl
110
- # set last updated time first, then make a best effort to refresh
111
- @cert_provider.crl_last_update = now
112
- next_ctx = refresh_crl(next_ctx, last_update)
113
- end
171
+ now = Time.now
172
+ last_update = @cert_provider.crl_last_update
173
+ if needs_refresh?(now, last_update)
174
+ # set last updated time first, then make a best effort to refresh
175
+ @cert_provider.crl_last_update = now
176
+ next_ctx = refresh_crl(next_ctx, last_update)
114
177
  end
115
178
  else
116
179
  next_ctx = download_crl(@ssl_context, nil)
@@ -133,6 +196,15 @@ class Puppet::SSL::StateMachine
133
196
 
134
197
  private
135
198
 
199
+ def needs_refresh?(now, last_update)
200
+ return true if @force_crl_refresh || last_update.nil?
201
+
202
+ crl_ttl = Puppet[:crl_refresh_interval]
203
+ return false unless crl_ttl
204
+
205
+ now.to_i > last_update.to_i + crl_ttl
206
+ end
207
+
136
208
  def refresh_crl(ssl_ctx, last_update)
137
209
  Puppet.info(_("Refreshing CRL"))
138
210
 
@@ -162,6 +234,8 @@ class Puppet::SSL::StateMachine
162
234
  next_ctx = @ssl_provider.create_root_context(cacerts: ssl_ctx[:cacerts], crls: crls)
163
235
  @cert_provider.save_crls(crls)
164
236
 
237
+ Puppet.info("Refreshed CRL: #{@machine.digest_as_hex(pem)}")
238
+
165
239
  next_ctx
166
240
  end
167
241
  end
@@ -441,6 +515,10 @@ class Puppet::SSL::StateMachine
441
515
  @lockfile.unlock
442
516
  end
443
517
 
518
+ def digest_as_hex(str)
519
+ Puppet::SSL::Digest.new(digest, str).to_hex
520
+ end
521
+
444
522
  private
445
523
 
446
524
  def run_machine(state, stop)
@@ -1,8 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
  require 'concurrent'
3
3
 
4
- # We want to use the pure Ruby implementation even on JRuby. If we use the Java
5
- # implementation of ThreadLocal, we end up leaking references to JRuby instances
6
- # and preventing them from being garbage collected.
7
- class Puppet::ThreadLocal < Concurrent::RubyThreadLocalVar
4
+ class Puppet::ThreadLocal < Concurrent::ThreadLocalVar
8
5
  end
@@ -7,7 +7,7 @@
7
7
  # Raketasks and such to set the version based on the output of `git describe`
8
8
 
9
9
  module Puppet
10
- PUPPETVERSION = '8.0.1'
10
+ PUPPETVERSION = '8.1.0'
11
11
 
12
12
  ##
13
13
  # version is a public API method intended to always provide a fast and
@@ -147,6 +147,28 @@ class Puppet::X509::CertProvider
147
147
  Puppet::FileSystem.touch(@crlpath, mtime: time)
148
148
  end
149
149
 
150
+ # Return the time when the CA bundle was last updated.
151
+ #
152
+ # @return [Time, nil] Time when the CA bundle was last updated, or nil if we don't
153
+ # have a CA bundle
154
+ #
155
+ # @api private
156
+ def ca_last_update
157
+ stat = Puppet::FileSystem.stat(@capath)
158
+ Time.at(stat.mtime)
159
+ rescue Errno::ENOENT
160
+ nil
161
+ end
162
+
163
+ # Set the CA bundle last updated time.
164
+ #
165
+ # @param time [Time] The last updated time
166
+ #
167
+ # @api private
168
+ def ca_last_update=(time)
169
+ Puppet::FileSystem.touch(@capath, mtime: time)
170
+ end
171
+
150
172
  # Save named private key in the configured `privatekeydir`. For
151
173
  # historical reasons, names are case insensitive.
152
174
  #