puppet 8.1.0-universal-darwin → 8.3.0-universal-darwin

  1. checksums.yaml +4 -4
  2. data/Gemfile +1 -1
  3. data/Gemfile.lock +30 -30
  4. data/ext/project_data.yaml +2 -2
  5. data/lib/puppet/application/doc.rb +1 -1
  6. data/lib/puppet/application/ssl.rb +42 -7
  7. data/lib/puppet/application.rb +5 -1
  8. data/lib/puppet/defaults.rb +17 -5
  9. data/lib/puppet/face/config.rb +1 -1
  10. data/lib/puppet/face/epp.rb +2 -2
  11. data/lib/puppet/face/module/list.rb +2 -2
  12. data/lib/puppet/face/parser.rb +1 -1
  13. data/lib/puppet/functions/split.rb +28 -1
  14. data/lib/puppet/http/client.rb +12 -5
  15. data/lib/puppet/http/service/ca.rb +25 -0
  16. data/lib/puppet/indirector/facts/facter.rb +1 -1
  17. data/lib/puppet/indirector/file_bucket_file/file.rb +1 -1
  18. data/lib/puppet/indirector/indirection.rb +1 -1
  19. data/lib/puppet/info_service/task_information_service.rb +1 -1
  20. data/lib/puppet/module_tool.rb +1 -1
  21. data/lib/puppet/network/formats.rb +3 -3
  22. data/lib/puppet/network/http/memory_response.rb +1 -1
  23. data/lib/puppet/node/environment.rb +6 -4
  24. data/lib/puppet/parameter/value_collection.rb +1 -1
  25. data/lib/puppet/parser/files.rb +4 -3
  26. data/lib/puppet/parser/functions.rb +1 -1
  27. data/lib/puppet/pops/evaluator/deferred_resolver.rb +20 -3
  28. data/lib/puppet/pops/loader/loader_paths.rb +4 -4
  29. data/lib/puppet/pops/lookup/explainer.rb +1 -1
  30. data/lib/puppet/pops/lookup/hiera_config.rb +1 -1
  31. data/lib/puppet/pops/model/factory.rb +1 -1
  32. data/lib/puppet/pops/model/tree_dumper.rb +1 -1
  33. data/lib/puppet/pops/parser/epp_support.rb +1 -1
  34. data/lib/puppet/pops/parser/evaluating_parser.rb +1 -1
  35. data/lib/puppet/pops/parser/pn_parser.rb +1 -1
  36. data/lib/puppet/pops/pn.rb +1 -1
  37. data/lib/puppet/pops/serialization/json_path.rb +1 -1
  38. data/lib/puppet/pops/time/timespan.rb +4 -4
  39. data/lib/puppet/pops/types/ruby_generator.rb +2 -2
  40. data/lib/puppet/pops/types/string_converter.rb +6 -6
  41. data/lib/puppet/pops/types/type_formatter.rb +2 -2
  42. data/lib/puppet/pops/types/types.rb +1 -1
  43. data/lib/puppet/provider/nameservice/directoryservice.rb +2 -2
  44. data/lib/puppet/provider/package/apt.rb +1 -1
  45. data/lib/puppet/provider/package/dnf.rb +1 -1
  46. data/lib/puppet/provider/package/yum.rb +1 -1
  47. data/lib/puppet/provider/user/directoryservice.rb +1 -1
  48. data/lib/puppet/reference/configuration.rb +1 -1
  49. data/lib/puppet/reference/indirection.rb +1 -1
  50. data/lib/puppet/reports.rb +1 -1
  51. data/lib/puppet/ssl/oids.rb +2 -0
  52. data/lib/puppet/ssl/ssl_provider.rb +1 -1
  53. data/lib/puppet/ssl/state_machine.rb +60 -9
  54. data/lib/puppet/transaction/report.rb +1 -1
  55. data/lib/puppet/type/filebucket.rb +1 -1
  56. data/lib/puppet/util/diff.rb +1 -1
  57. data/lib/puppet/util/execution.rb +9 -4
  58. data/lib/puppet/util/inifile.rb +2 -2
  59. data/lib/puppet/util/monkey_patches.rb +18 -0
  60. data/lib/puppet/util/package/version/rpm.rb +1 -1
  61. data/lib/puppet/util/provider_features.rb +1 -1
  62. data/lib/puppet/util/selinux.rb +1 -1
  63. data/lib/puppet/util/windows/access_control_entry.rb +1 -1
  64. data/lib/puppet/util/windows/access_control_list.rb +1 -1
  65. data/lib/puppet/util/windows/adsi.rb +9 -2
  66. data/lib/puppet/util/windows/error.rb +1 -1
  67. data/lib/puppet/util/windows/file.rb +2 -2
  68. data/lib/puppet/util/windows/process.rb +1 -1
  69. data/lib/puppet/util/windows/sid.rb +4 -2
  70. data/lib/puppet/util.rb +2 -3
  71. data/lib/puppet/version.rb +1 -1
  72. data/lib/puppet/x509/cert_provider.rb +13 -2
  73. data/locales/puppet.pot +106 -74
  74. data/man/man5/puppet.conf.5 +16 -2
  75. data/man/man8/puppet-agent.8 +1 -1
  76. data/man/man8/puppet-apply.8 +1 -1
  77. data/man/man8/puppet-catalog.8 +1 -1
  78. data/man/man8/puppet-config.8 +1 -1
  79. data/man/man8/puppet-describe.8 +1 -1
  80. data/man/man8/puppet-device.8 +1 -1
  81. data/man/man8/puppet-doc.8 +1 -1
  82. data/man/man8/puppet-epp.8 +1 -1
  83. data/man/man8/puppet-facts.8 +1 -1
  84. data/man/man8/puppet-filebucket.8 +1 -1
  85. data/man/man8/puppet-generate.8 +1 -1
  86. data/man/man8/puppet-help.8 +1 -1
  87. data/man/man8/puppet-lookup.8 +1 -1
  88. data/man/man8/puppet-module.8 +1 -1
  89. data/man/man8/puppet-node.8 +1 -1
  90. data/man/man8/puppet-parser.8 +1 -1
  91. data/man/man8/puppet-plugin.8 +1 -1
  92. data/man/man8/puppet-report.8 +1 -1
  93. data/man/man8/puppet-resource.8 +1 -1
  94. data/man/man8/puppet-script.8 +1 -1
  95. data/man/man8/puppet-ssl.8 +5 -1
  96. data/man/man8/puppet.8 +2 -2
  97. data/spec/fixtures/ssl/127.0.0.1-key.pem +107 -107
  98. data/spec/fixtures/ssl/127.0.0.1.pem +52 -51
  99. data/spec/fixtures/ssl/bad-basic-constraints.pem +56 -56
  100. data/spec/fixtures/ssl/bad-int-basic-constraints.pem +53 -53
  101. data/spec/fixtures/ssl/ca.pem +54 -54
  102. data/spec/fixtures/ssl/crl.pem +26 -26
  103. data/spec/fixtures/ssl/ec-key.pem +11 -11
  104. data/spec/fixtures/ssl/ec.pem +33 -32
  105. data/spec/fixtures/ssl/encrypted-ec-key.pem +12 -12
  106. data/spec/fixtures/ssl/encrypted-key.pem +108 -108
  107. data/spec/fixtures/ssl/intermediate-agent-crl.pem +26 -26
  108. data/spec/fixtures/ssl/intermediate-agent.pem +56 -56
  109. data/spec/fixtures/ssl/intermediate-crl.pem +29 -29
  110. data/spec/fixtures/ssl/intermediate.pem +53 -53
  111. data/spec/fixtures/ssl/oid-key.pem +107 -107
  112. data/spec/fixtures/ssl/oid.pem +51 -50
  113. data/spec/fixtures/ssl/pluto-key.pem +107 -107
  114. data/spec/fixtures/ssl/pluto.pem +52 -51
  115. data/spec/fixtures/ssl/renewed.pem +67 -0
  116. data/spec/fixtures/ssl/request-key.pem +107 -107
  117. data/spec/fixtures/ssl/request.pem +50 -48
  118. data/spec/fixtures/ssl/revoked-key.pem +107 -107
  119. data/spec/fixtures/ssl/revoked.pem +51 -50
  120. data/spec/fixtures/ssl/signed-key.pem +107 -107
  121. data/spec/fixtures/ssl/signed.pem +49 -48
  122. data/spec/fixtures/ssl/tampered-cert.pem +51 -50
  123. data/spec/fixtures/ssl/tampered-csr.pem +50 -48
  124. data/spec/fixtures/ssl/unknown-127.0.0.1-key.pem +107 -107
  125. data/spec/fixtures/ssl/unknown-127.0.0.1.pem +50 -49
  126. data/spec/fixtures/ssl/unknown-ca-key.pem +107 -107
  127. data/spec/fixtures/ssl/unknown-ca.pem +54 -54
  128. data/spec/integration/application/agent_spec.rb +27 -27
  129. data/spec/integration/application/apply_spec.rb +14 -0
  130. data/spec/integration/http/client_spec.rb +16 -0
  131. data/spec/integration/type/exec_spec.rb +13 -0
  132. data/spec/lib/puppet/test_ca.rb +3 -10
  133. data/spec/lib/puppet_spec/verbose.rb +10 -1
  134. data/spec/unit/agent_spec.rb +2 -9
  135. data/spec/unit/application/ssl_spec.rb +49 -0
  136. data/spec/unit/defaults_spec.rb +2 -40
  137. data/spec/unit/file_system/path_pattern_spec.rb +15 -0
  138. data/spec/unit/functions/split_spec.rb +6 -0
  139. data/spec/unit/http/service/ca_spec.rb +71 -0
  140. data/spec/unit/info_service_spec.rb +1 -1
  141. data/spec/unit/ssl/certificate_signer_spec.rb +17 -0
  142. data/spec/unit/ssl/ssl_provider_spec.rb +21 -1
  143. data/spec/unit/ssl/state_machine_spec.rb +75 -3
  144. data/spec/unit/util/execution_spec.rb +1 -0
  145. data/spec/unit/util/monkey_patches_spec.rb +42 -0
  146. data/spec/unit/util/windows/adsi_spec.rb +25 -0
  147. data/spec/unit/x509/cert_provider_spec.rb +23 -0
  148. data/tasks/generate_cert_fixtures.rake +4 -0
  149. metadata +7 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7eea5fdf57cadd5d893dc4324a16144079bfb11686d4fe50ba34b0c8b9206ffd
4
- data.tar.gz: 1186f83bde61e09ef1bbbfca662481e474896fe61550df9bdb9546fac8d9f524
3
+ metadata.gz: db1b5937c3dc9521057bf9a30727206eac33b35b26d5d76b95b1657be5080159
4
+ data.tar.gz: b24126f5caad879cd67b9218be6920a3f00cf8c7037d6897909ea6fcbf67a809
5
5
  SHA512:
6
- metadata.gz: 3ec9291458052ad337ff5d91808694a842152be78fef074fa50b9345dab18bfefc557d8b879295ad0d6f063b970f48e8bae0726950e6e5a9b8beaf068d2f3fb5
7
- data.tar.gz: 58f214114d5d8d0e7f4bace9a31618a5c9b44da188a4ab8f753295c743287f35c4f28baa82abd8c858a01f0cdb7a175fa019e4b1459bb8e88a1b3d394944f4a9
6
+ metadata.gz: '09671187cf733cda589e02a649051b71a8db0c7d44252ebf9d8fcb6ee241fc7fdeb165b2344fedbb9d30aa91306ede75a5969ce4bf461fd49e27ae3949c8a91a'
7
+ data.tar.gz: ff847955208a64f5860e557a41d43e73cf7ca5fa87769e396235a3f314baa456d9481dd78524b440ea8f36cada20a306547eabae0c6c67ca852e4373f651612a
data/Gemfile CHANGED
@@ -36,7 +36,7 @@ group(:features) do
36
36
  end
37
37
 
38
38
  group(:test) do
39
- gem "ffi", require: false
39
+ gem "ffi", '1.15.5', require: false
40
40
  gem "json-schema", "~> 2.0", require: false
41
41
  gem "rake", *location_for(ENV['RAKE_LOCATION'] || '~> 13.0')
42
42
  gem "rspec", "~> 3.1", require: false
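Review bot: The new exact pin `gem "ffi", '1.15.5', require: false` replaces an open constraint with a hard pin and carries no explanation, so a later ffi release that fixes a bug in the native extension will be silently excluded until someone remembers why the pin exists. Add a comment naming the reason and the condition for lifting it, e.g. `# Pinned: newer ffi broke <what> on <platform>; lift once fixed` with the actual breakage filled in, which this diff does not show. The same `'1.15.5'` pin is repeated in the platform runtime dependencies of project_data.yaml further down, so the comment should point there too.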
data/Gemfile.lock CHANGED
@@ -1,6 +1,6 @@
1
1
  GIT
2
2
  remote: https://github.com/puppetlabs/packaging
3
- revision: 87a3396077f06e2341ad19e6fcd15f7c14ec02f9
3
+ revision: 8adf33f59cc443c311c5d5d70c6ba2084625ceea
4
4
  branch: 1.0.x
5
5
  specs:
6
6
  packaging (0)
@@ -15,7 +15,7 @@ GIT
15
15
  PATH
16
16
  remote: .
17
17
  specs:
18
- puppet (8.1.0)
18
+ puppet (8.3.0)
19
19
  CFPropertyList (~> 2.2)
20
20
  concurrent-ruby (~> 1.0)
21
21
  deep_merge (~> 1.0)
@@ -31,35 +31,37 @@ GEM
31
31
  remote: https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
32
32
  specs:
33
33
  CFPropertyList (2.3.6)
34
- addressable (2.8.4)
34
+ addressable (2.8.5)
35
35
  public_suffix (>= 2.0.2, < 6.0)
36
36
  apt_stage_artifacts (0.11.0)
37
37
  docopt
38
38
  artifactory (3.0.15)
39
39
  ast (2.4.2)
40
+ base64 (0.1.1)
40
41
  coderay (1.1.3)
41
42
  concurrent-ruby (1.2.2)
42
43
  crack (0.4.5)
43
44
  rexml
44
- csv (3.2.6)
45
+ csv (3.2.7)
45
46
  declarative (0.0.20)
46
47
  deep_merge (1.2.2)
47
48
  diff-lcs (1.5.0)
48
- digest-crc (0.6.4)
49
+ digest-crc (0.6.5)
49
50
  rake (>= 12.0.0, < 14.0.0)
50
51
  docopt (0.6.1)
51
52
  erubi (1.12.0)
52
- facter (4.4.0)
53
+ facter (4.5.0)
53
54
  hocon (~> 1.3)
54
55
  thor (>= 1.0.1, < 2.0)
55
- faraday (2.7.6)
56
+ faraday (2.7.11)
57
+ base64
56
58
  faraday-net_http (>= 2.0, < 3.1)
57
59
  ruby2_keywords (>= 0.0.4)
58
60
  faraday-net_http (3.0.2)
59
61
  fast_gettext (2.3.0)
60
62
  ffi (1.15.5)
61
63
  forwardable (1.3.3)
62
- gettext (3.4.4)
64
+ gettext (3.4.9)
63
65
  erubi
64
66
  locale (>= 2.0.5)
65
67
  prime
@@ -69,7 +71,7 @@ GEM
69
71
  fast_gettext (~> 2.1)
70
72
  gettext (~> 3.4)
71
73
  locale
72
- google-apis-core (0.11.0)
74
+ google-apis-core (0.11.1)
73
75
  addressable (~> 2.5, >= 2.5.1)
74
76
  googleauth (>= 0.16.2, < 2.a)
75
77
  httpclient (>= 2.8.1, < 3.a)
@@ -96,10 +98,9 @@ GEM
96
98
  google-cloud-core (~> 1.6)
97
99
  googleauth (>= 0.16.2, < 2.a)
98
100
  mini_mime (~> 1.0)
99
- googleauth (1.5.2)
101
+ googleauth (1.8.1)
100
102
  faraday (>= 0.17.3, < 3.a)
101
103
  jwt (>= 1.4, < 3.0)
102
- memoist (~> 0.16)
103
104
  multi_json (~> 1.11)
104
105
  os (>= 0.9, < 2.0)
105
106
  signet (>= 0.16, < 2.a)
@@ -115,18 +116,17 @@ GEM
115
116
  addressable (>= 2.4)
116
117
  jwt (2.7.1)
117
118
  locale (2.1.3)
118
- memoist (0.16.2)
119
119
  memory_profiler (1.0.1)
120
120
  method_source (1.0.0)
121
- mini_mime (1.1.2)
121
+ mini_mime (1.1.5)
122
122
  minitar (0.9)
123
- msgpack (1.7.1)
123
+ msgpack (1.7.2)
124
124
  multi_json (1.15.0)
125
125
  mustache (1.1.1)
126
- optimist (3.0.1)
126
+ optimist (3.1.0)
127
127
  os (1.1.4)
128
128
  parallel (1.23.0)
129
- parser (3.2.2.3)
129
+ parser (3.2.2.4)
130
130
  ast (~> 2.4.1)
131
131
  racc
132
132
  prime (0.1.2)
@@ -135,17 +135,17 @@ GEM
135
135
  pry (0.14.2)
136
136
  coderay (~> 1.1)
137
137
  method_source (~> 1.0)
138
- public_suffix (5.0.1)
139
- puppet-resource_api (1.8.14)
138
+ public_suffix (5.0.3)
139
+ puppet-resource_api (1.9.0)
140
140
  hocon (>= 1.0)
141
141
  puppetserver-ca (2.6.0)
142
142
  facter (>= 2.0.1, < 5)
143
143
  racc (1.5.2)
144
144
  rainbow (3.1.1)
145
145
  rake (13.0.6)
146
- rdiscount (2.2.7)
146
+ rdiscount (2.2.7.1)
147
147
  rdoc (6.3.3)
148
- regexp_parser (2.8.1)
148
+ regexp_parser (2.8.2)
149
149
  release-metrics (1.1.0)
150
150
  csv
151
151
  docopt
@@ -154,7 +154,7 @@ GEM
154
154
  trailblazer-option (>= 0.1.1, < 0.2.0)
155
155
  uber (< 0.2.0)
156
156
  retriable (3.1.2)
157
- rexml (3.2.5)
157
+ rexml (3.2.6)
158
158
  ronn (0.7.3)
159
159
  hpricot (>= 0.8.2)
160
160
  mustache (>= 0.7.0)
@@ -171,10 +171,10 @@ GEM
171
171
  rspec-its (1.3.0)
172
172
  rspec-core (>= 3.0.0)
173
173
  rspec-expectations (>= 3.0.0)
174
- rspec-mocks (3.12.5)
174
+ rspec-mocks (3.12.6)
175
175
  diff-lcs (>= 1.2.0, < 2.0)
176
176
  rspec-support (~> 3.12.0)
177
- rspec-support (3.12.0)
177
+ rspec-support (3.12.1)
178
178
  rubocop (1.28.0)
179
179
  parallel (~> 1.10)
180
180
  parser (>= 3.1.0.0)
@@ -193,19 +193,19 @@ GEM
193
193
  ruby2_keywords (0.0.5)
194
194
  scanf (1.0.0)
195
195
  semantic_puppet (1.1.0)
196
- signet (0.17.0)
196
+ signet (0.18.0)
197
197
  addressable (~> 2.8)
198
198
  faraday (>= 0.17.5, < 3.a)
199
199
  jwt (>= 1.5, < 3.0)
200
200
  multi_json (~> 1.10)
201
201
  singleton (0.1.1)
202
202
  text (1.3.1)
203
- thor (1.2.2)
203
+ thor (1.3.0)
204
204
  trailblazer-option (0.1.2)
205
205
  uber (0.1.0)
206
- unicode-display_width (2.4.2)
207
- vcr (6.1.0)
208
- webmock (3.18.1)
206
+ unicode-display_width (2.5.0)
207
+ vcr (6.2.0)
208
+ webmock (3.19.1)
209
209
  addressable (>= 2.8.0)
210
210
  crack (>= 0.3.2)
211
211
  hashdiff (>= 0.4.0, < 2.0.0)
@@ -218,7 +218,7 @@ PLATFORMS
218
218
  DEPENDENCIES
219
219
  diff-lcs (~> 1.3)
220
220
  facter (~> 4.3)
221
- ffi
221
+ ffi (= 1.15.5)
222
222
  gettext-setup (~> 1.0)
223
223
  hiera-eyaml
224
224
  hocon (~> 1.0)
@@ -248,4 +248,4 @@ DEPENDENCIES
248
248
  yard
249
249
 
250
250
  BUNDLED WITH
251
- 2.4.12
251
+ 2.4.20
@@ -39,11 +39,11 @@ gem_platform_dependencies:
39
39
  CFPropertyList: '~> 2.2'
40
40
  x86-mingw32:
41
41
  gem_runtime_dependencies:
42
- ffi: ['> 1.9.24', '< 2']
42
+ ffi: '1.15.5'
43
43
  minitar: '~> 0.9'
44
44
  x64-mingw32:
45
45
  gem_runtime_dependencies:
46
- ffi: ['> 1.9.24', '< 2']
46
+ ffi: '1.15.5'
47
47
  minitar: '~> 0.9'
48
48
  bundle_platforms:
49
49
  universal-darwin: all
@@ -152,7 +152,7 @@ HELP
152
152
  end
153
153
 
154
154
  def other
155
- text = String.new
155
+ text = ''.dup
156
156
  with_contents = options[:references].length <= 1
157
157
  exit_code = 0
158
158
  require_relative '../../puppet/util/reference'
@@ -60,6 +60,11 @@ ACTIONS
60
60
  the CSR. Otherwise a new key pair will be generated. If a CSR has already
61
61
  been submitted with the given `certname`, then the operation will fail.
62
62
 
63
+ * generate_request:
64
+ Generate a certificate signing request (CSR). If
65
+ a private and public key pair already exist, they will be used to generate
66
+ the CSR. Otherwise a new key pair will be generated.
67
+
63
68
  * download_cert:
64
69
  Download a certificate for this host. If the current private key matches
65
70
  the downloaded certificate, then the certificate will be saved and used
@@ -137,9 +142,21 @@ HELP
137
142
  unless cert
138
143
  raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: certname }
139
144
  end
145
+ when 'generate_request'
146
+ generate_request(certname)
140
147
  when 'verify'
141
148
  verify(certname)
142
149
  when 'clean'
150
+ possible_extra_args = command_line.args.drop(1)
151
+ unless possible_extra_args.empty?
152
+ raise Puppet::Error, _(<<END) % { args: possible_extra_args.join(' ')}
153
+ Extra arguments detected: %{args}
154
+ Did you mean to run:
155
+ puppetserver ca clean --certname <name>
156
+ Or:
157
+ puppet ssl clean --target <name>
158
+ END
159
+ end
143
160
  clean(certname)
144
161
  when 'bootstrap'
145
162
  if !Puppet::Util::Log.sendlevel?(:info)
@@ -163,13 +180,7 @@ HELP
163
180
  def submit_request(ssl_context)
164
181
  key = @cert_provider.load_private_key(Puppet[:certname])
165
182
  unless key
166
- if Puppet[:key_type] == 'ec'
167
- Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: Puppet[:certname], curve: Puppet[:named_curve] }
168
- key = OpenSSL::PKey::EC.generate(Puppet[:named_curve])
169
- else
170
- Puppet.info _("Creating a new SSL key for %{name}") % { name: Puppet[:certname] }
171
- key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
172
- end
183
+ key = create_key(Puppet[:certname])
173
184
  @cert_provider.save_private_key(Puppet[:certname], key)
174
185
  end
175
186
 
@@ -188,6 +199,20 @@ HELP
188
199
  raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
189
200
  end
190
201
 
202
+ def generate_request(certname)
203
+ key = @cert_provider.load_private_key(certname)
204
+ unless key
205
+ key = create_key(certname)
206
+ @cert_provider.save_private_key(certname, key)
207
+ end
208
+
209
+ csr = @cert_provider.create_request(certname, key)
210
+ @cert_provider.save_request(certname, csr)
211
+ Puppet.notice _("Generated certificate request in '%{path}'") % { path: @cert_provider.to_path(Puppet[:requestdir], certname) }
212
+ rescue => e
213
+ raise Puppet::Error.new(_("Failed to generate certificate request: %{message}") % { message: e.message }, e)
214
+ end
215
+
191
216
  def download_cert(ssl_context)
192
217
  key = @cert_provider.load_private_key(Puppet[:certname])
193
218
 
@@ -286,4 +311,14 @@ END
286
311
  def create_route(ssl_context)
287
312
  @session.route_to(:ca, ssl_context: ssl_context)
288
313
  end
314
+
315
+ def create_key(certname)
316
+ if Puppet[:key_type] == 'ec'
317
+ Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: certname, curve: Puppet[:named_curve] }
318
+ OpenSSL::PKey::EC.generate(Puppet[:named_curve])
319
+ else
320
+ Puppet.info _("Creating a new SSL key for %{name}") % { name: certname }
321
+ OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
322
+ end
323
+ end
289
324
  end
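Review bot: `create_key`, added at the end of this section, builds an RSA key from `Puppet[:keylength].to_i` with no lower bound, so a mistyped or legacy `keylength` such as 1024 silently yields a weak key that `save_private_key` then persists and that both `submit_request` and the new `generate_request` use for the CSR. Unless the setting is range-checked elsewhere (not visible here), guard before generating, e.g. `raise Puppet::Error, _("keylength %{n} is below the 2048-bit minimum") % { n: Puppet[:keylength].to_i } if Puppet[:keylength].to_i < 2048`, or at least emit a `Puppet.warning`. The RSA `Puppet.info` line should also report the chosen length, as the EC branch already reports the curve, so the parameters actually used are visible in agent logs.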
@@ -504,8 +504,12 @@ class Application
504
504
  runtime_info = {
505
505
  'puppet_version' => Puppet.version,
506
506
  'ruby_version' => RUBY_VERSION,
507
- 'run_mode' => self.class.run_mode.name,
507
+ 'run_mode' => self.class.run_mode.name
508
508
  }
509
+ unless Puppet::Util::Platform.jruby_fips?
510
+ runtime_info['openssl_version'] = "'#{OpenSSL::OPENSSL_VERSION}'"
511
+ runtime_info['openssl_fips'] = OpenSSL::OPENSSL_FIPS
512
+ end
509
513
  runtime_info['default_encoding'] = Encoding.default_external
510
514
  runtime_info.merge!(extra_info) unless extra_info.nil?
511
515
 
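Review bot: `runtime_info['openssl_fips'] = OpenSSL::OPENSSL_FIPS` reports whether the linked OpenSSL was built with FIPS support, not whether FIPS mode is enabled in this process, so an operator can be shown `openssl_fips: true` on a host that is negotiating non-FIPS ciphers. The runtime state is `OpenSSL.fips_mode`; log that instead (or both, under distinct keys), e.g. `runtime_info['openssl_fips'] = OpenSSL.fips_mode`. Separately, `"'#{OpenSSL::OPENSSL_VERSION}'"` bakes literal quote characters into the value; if quoting is wanted for readability it belongs where the hash is rendered, not in the data.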
@@ -4,11 +4,7 @@ require_relative '../puppet/util/platform'
4
4
  module Puppet
5
5
 
6
6
  def self.default_diffargs
7
- if (Puppet.runtime[:facter].value(:kernel) == "AIX" && Puppet.runtime[:facter].value(:kernelmajversion) == "5300")
8
- ""
9
- else
10
- "-u"
11
- end
7
+ '-u'
12
8
  end
13
9
 
14
10
  def self.default_digest_algorithm
@@ -1248,6 +1244,22 @@ EOT
1248
1244
  unchanged on the server, then the agent run will continue using the
1249
1245
  local CRL it already has.#{AS_DURATION}",
1250
1246
  },
1247
+ :hostcert_renewal_interval => {
1248
+ :default => "30d",
1249
+ :type => :duration,
1250
+ :desc => "When the Puppet agent refreshes its client certificate.
1251
+ By default the client certificate will refresh 30 days before the certificate
1252
+ expires. If a different duration is specified, then the agent will refresh its
1253
+ client certificate whenever it next runs and if the client certificate expires
1254
+ within the duration specified.
1255
+
1256
+ In general, the duration should be greater than the `runinterval`.
1257
+ Setting it to 0 will disable automatic renewal.
1258
+
1259
+ If the agent downloads a new certificate, the agent will use it for subsequent
1260
+ network requests. If the refresh request fails, then the agent run will continue using the
1261
+ certificate it already has. #{AS_DURATION}",
1262
+ },
1251
1263
  :keylength => {
1252
1264
  :default => 4096,
1253
1265
  :type => :integer,
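Review bot: The `hostcert_renewal_interval` description says the value "should be greater than the `runinterval`" without saying why, which is the one thing an operator needs in order to size it. Because the renewal request is authenticated with the agent's current client certificate (the new `post_certificate_renewal` in the CA service requires one), a window shorter than `runinterval` can let the certificate expire between runs, after which the agent can no longer authenticate to renew at all; add that sentence to the desc. The claim that 0 disables renewal is not enforced in this hunk — presumably it lives in the SSL state machine this diff also changes but which is not shown — so it is worth a cross-reference comment next to the default.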
@@ -82,7 +82,7 @@ Puppet::Face.define(:config, '0.0.1') do
82
82
  end
83
83
 
84
84
  when_rendering :console do |to_be_rendered|
85
- output = String.new
85
+ output = ''.dup
86
86
  if to_be_rendered.keys.length > 1
87
87
  to_be_rendered.keys.sort.each do |setting|
88
88
  output << "#{setting} = #{to_be_rendered[setting]}\n"
@@ -367,7 +367,7 @@ Puppet::Face.define(:epp, '0.0.1') do
367
367
  end
368
368
 
369
369
  def dump_parse(source, filename, options, show_filename = true)
370
- output = String.new
370
+ output = ''.dup
371
371
  evaluating_parser = Puppet::Pops::Parser::EvaluatingParser::EvaluatingEppParser.new
372
372
  begin
373
373
  if options[:validate]
@@ -451,7 +451,7 @@ Puppet::Face.define(:epp, '0.0.1') do
451
451
 
452
452
  def render_file(epp_template_name, compiler, options, show_filename, file_nbr)
453
453
  template_args = get_values(compiler, options)
454
- output = String.new
454
+ output = ''.dup
455
455
  begin
456
456
  if show_filename && options[:header]
457
457
  output << "\n" unless file_nbr == 1
@@ -74,7 +74,7 @@ Puppet::Face.define(:module, '1.0.0') do
74
74
  environment = result[:environment]
75
75
  modules_by_path = result[:modules_by_path]
76
76
 
77
- output = String.new
77
+ output = ''.dup
78
78
 
79
79
  warn_unmet_dependencies(environment)
80
80
 
@@ -248,7 +248,7 @@ Puppet::Face.define(:module, '1.0.0') do
248
248
  # Returns a Hash
249
249
  #
250
250
  def list_build_node(mod, parent, params)
251
- str = String.new
251
+ str = ''.dup
252
252
  str << (mod.forge_name ? mod.forge_name.tr('/', '-') : mod.name)
253
253
  str << ' (' + colorize(:cyan, mod.version ? "v#{mod.version}" : '???') + ')'
254
254
 
@@ -174,7 +174,7 @@ Puppet::Face.define(:parser, '0.0.1') do
174
174
  end
175
175
 
176
176
  def dump_parse(source, filename, options, show_filename = true)
177
- output = String.new
177
+ output = ''.dup
178
178
  evaluating_parser = Puppet::Pops::Parser::EvaluatingParser.new
179
179
  begin
180
180
  if options[:validate]
@@ -36,6 +36,21 @@ Puppet::Functions.create_function(:split) do
36
36
  param 'Type[Regexp]', :pattern
37
37
  end
38
38
 
39
+ dispatch :split_String_sensitive do
40
+ param 'Sensitive[String]', :sensitive
41
+ param 'String', :pattern
42
+ end
43
+
44
+ dispatch :split_Regexp_sensitive do
45
+ param 'Sensitive[String]', :sensitive
46
+ param 'Regexp', :pattern
47
+ end
48
+
49
+ dispatch :split_RegexpType_sensitive do
50
+ param 'Sensitive[String]', :sensitive
51
+ param 'Type[Regexp]', :pattern
52
+ end
53
+
39
54
  def split_String(str, pattern)
40
55
  str.split(Regexp.compile(pattern))
41
56
  end
@@ -47,4 +62,16 @@ Puppet::Functions.create_function(:split) do
47
62
  def split_RegexpType(str, pattern)
48
63
  str.split(pattern.regexp)
49
64
  end
50
- end
65
+
66
+ def split_String_sensitive(sensitive, pattern)
67
+ Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_String(sensitive.unwrap, pattern))
68
+ end
69
+
70
+ def split_Regexp_sensitive(sensitive, pattern)
71
+ Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_Regexp(sensitive.unwrap, pattern))
72
+ end
73
+
74
+ def split_RegexpType_sensitive(sensitive, pattern)
75
+ Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_RegexpType(sensitive.unwrap, pattern))
76
+ end
77
+ end
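Review bot: The three `*_sensitive` variants return one `Sensitive` wrapping the whole array rather than an `Array[Sensitive[String]]`, and neither the dispatch blocks nor the function's documentation (above this hunk, not shown) say so; a caller that unwraps once to index the result gets plain strings for every part. Declare it on each sensitive dispatch with `return_type 'Sensitive[Array[String]]'`, and document it, e.g. `# Splitting a Sensitive yields Sensitive[Array[String]]: the parts are redacted as a unit, not individually.` The three wrapper bodies are identical apart from the delegate, so a single private helper taking the delegate method would also remove the triplication.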
@@ -368,6 +368,7 @@ class Puppet::HTTP::Client
368
368
  apply_auth(request, basic_auth) if redirects.zero?
369
369
 
370
370
  # don't call return within the `request` block
371
+ close_and_sleep = nil
371
372
  http.request(request) do |nethttp|
372
373
  response = Puppet::HTTP::ResponseNetHTTP.new(request.uri, nethttp)
373
374
  begin
@@ -381,12 +382,14 @@ class Puppet::HTTP::Client
381
382
  interval = @retry_after_handler.retry_after_interval(request, response, retries)
382
383
  retries += 1
383
384
  if interval
384
- if http.started?
385
- Puppet.debug("Closing connection for #{Puppet::HTTP::Site.from_uri(request.uri)}")
386
- http.finish
385
+ close_and_sleep = proc do
386
+ if http.started?
387
+ Puppet.debug("Closing connection for #{Puppet::HTTP::Site.from_uri(request.uri)}")
388
+ http.finish
389
+ end
390
+ Puppet.warning(_("Sleeping for %{interval} seconds before retrying the request") % { interval: interval })
391
+ ::Kernel.sleep(interval)
387
392
  end
388
- Puppet.warning(_("Sleeping for %{interval} seconds before retrying the request") % { interval: interval })
389
- ::Kernel.sleep(interval)
390
393
  next
391
394
  end
392
395
  end
@@ -405,6 +408,10 @@ class Puppet::HTTP::Client
405
408
 
406
409
  done = true
407
410
  end
411
+ ensure
412
+ # If a server responded with a retry, make sure the connection is closed and then
413
+ # sleep the specified time.
414
+ close_and_sleep.call if close_and_sleep
408
415
  end
409
416
  end
410
417
 
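Review bot: Deferring the close-and-sleep to the `ensure` fixes the ordering with the response block, but the sleep length is whatever `retry_after_interval` derives from the server's Retry-After, and nothing in this hunk bounds it, so a misbehaving or hostile server can park the agent for an arbitrary time. If the handler already clamps the value (not visible here), say so at the proc: `# interval is already capped by the retry-after handler`; if it does not, clamp before `::Kernel.sleep(interval)` against a documented maximum. The `close_and_sleep = nil` reset at the top of the request only holds if this code sits inside the retry loop, which starts above the hunk.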
@@ -104,4 +104,29 @@ class Puppet::HTTP::Service::Ca < Puppet::HTTP::Service
104
104
 
105
105
  response
106
106
  end
107
+
108
+ # Submit a POST request to send a certificate renewal request to the server
109
+ #
110
+ # @param [Puppet::SSL::SSLContext] ssl_context
111
+ #
112
+ # @return [Array<Puppet::HTTP::Response, String>] The request response
113
+ #
114
+ # @api public
115
+ def post_certificate_renewal(ssl_context)
116
+ headers = add_puppet_headers(HEADERS)
117
+ headers['Content-Type'] = 'text/plain'
118
+
119
+ response = @client.post(
120
+ with_base_url('/certificate_renewal'),
121
+ '', # Puppet::HTTP::Client.post requires a body, the API endpoint does not
122
+ headers: headers,
123
+ options: {ssl_context: ssl_context}
124
+ )
125
+
126
+ raise ArgumentError.new(_('SSL context must contain a client certificate.')) unless ssl_context.client_cert
127
+
128
+ process_response(response)
129
+
130
+ [response, response.body.to_s]
131
+ end
107
132
  end
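Review bot: In the new `post_certificate_renewal` the `raise ArgumentError ... unless ssl_context.client_cert` guard sits after `@client.post`, so the renewal request is already sent before the precondition is checked and a context without a client certificate fails at the TLS layer (or with a less specific server error) instead of with this message; move the `raise` above the `headers = add_puppet_headers(HEADERS)` line. The returned `response.body.to_s` is a freshly issued certificate that the caller must still match against the existing private key and validate against the trusted CA before saving it, which the `@return` tag should state so the state-machine caller (not shown) does not treat it as pre-verified. A one-line comment explaining why the body is `''` with `Content-Type: text/plain` already exists inline; keep it.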
@@ -105,7 +105,7 @@ class Puppet::Node::Facts::Facter < Puppet::Indirector::Code
105
105
 
106
106
  def find_with_options(request)
107
107
  options = request.options
108
- options_for_facter = String.new
108
+ options_for_facter = ''.dup
109
109
  options_for_facter += options[:user_query].join(' ')
110
110
  options_for_facter += " --config #{options[:config_file]}" if options[:config_file]
111
111
  options_for_facter += " --show-legacy" if options[:show_legacy]
@@ -58,7 +58,7 @@ module Puppet::FileBucketFile
58
58
  end
59
59
  # Setting hash's default value to [], needed by the following loop
60
60
  bucket = Hash.new {[]}
61
- msg = String.new
61
+ msg = ''.dup
62
62
  # Get all files with mtime between 'from' and 'to'
63
63
  Pathname.new(request.options[:bucket_path]).find { |item|
64
64
  if item.file? and item.basename.to_s == "paths"
@@ -81,7 +81,7 @@ class Puppet::Indirector::Indirection
81
81
 
82
82
  # Generate the full doc string.
83
83
  def doc
84
- text = String.new
84
+ text = ''.dup
85
85
 
86
86
  text << scrub(@doc) << "\n\n" if @doc
87
87
 
@@ -13,7 +13,7 @@ class Puppet::InfoService::TaskInformationService
13
13
  task.validate
14
14
  {:module => {:name => task.module.name}, :name => task.name, :metadata => task.metadata}
15
15
  rescue Puppet::Module::Task::Error => err
16
- Puppet.log_exception(err, 'Failed to validate task')
16
+ Puppet.log_exception(err)
17
17
  nil
18
18
  end
19
19
  end
@@ -70,7 +70,7 @@ module Puppet
70
70
  # Builds a formatted tree from a list of node hashes containing +:text+
71
71
  # and +:dependencies+ keys.
72
72
  def self.format_tree(nodes, level = 0)
73
- str = String.new
73
+ str = ''.dup
74
74
  nodes.each_with_index do |node, i|
75
75
  last_node = nodes.length - 1 == i
76
76
  deps = node[:dependencies] || []
@@ -156,7 +156,7 @@ Puppet::Network::FormatHandler.create(:console,
156
156
 
157
157
  # Simple hash to table
158
158
  if datum.is_a?(Hash) && datum.keys.all? { |x| x.is_a?(String) || x.is_a?(Numeric) }
159
- output = String.new
159
+ output = ''.dup
160
160
  column_a = datum.empty? ? 2 : datum.map{ |k,v| k.to_s.length }.max + 2
161
161
  datum.sort_by { |k,v| k.to_s } .each do |key, value|
162
162
  output << key.to_s.ljust(column_a)
@@ -169,7 +169,7 @@ Puppet::Network::FormatHandler.create(:console,
169
169
 
170
170
  # Print one item per line for arrays
171
171
  if datum.is_a? Array
172
- output = String.new
172
+ output = ''.dup
173
173
  datum.each do |item|
174
174
  output << item.to_s
175
175
  output << "\n"
@@ -227,7 +227,7 @@ Puppet::Network::FormatHandler.create(:flat,
227
227
  end
228
228
 
229
229
  def construct_output(data)
230
- output = String.new
230
+ output = ''.dup
231
231
  data.each do |key, value|
232
232
  output << "#{key}=#{value}"
233
233
  output << "\n"
@@ -3,7 +3,7 @@ class Puppet::Network::HTTP::MemoryResponse
3
3
  attr_reader :code, :type, :body
4
4
 
5
5
  def initialize
6
- @body = String.new
6
+ @body = ''.dup
7
7
  end
8
8
 
9
9
  def respond_with(code, type, body)
@@ -592,10 +592,12 @@ class Puppet::Node::Environment
592
592
  if file == NO_MANIFEST
593
593
  empty_parse_result
594
594
  elsif File.directory?(file)
595
- parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*.pp')).glob.sort.map do | file_to_parse |
596
- parser.file = file_to_parse
597
- parser.parse
598
- end
595
+ # JRuby does not properly perform Dir.glob operations with wildcards, (see PUP-11788 and https://github.com/jruby/jruby/issues/7836).
596
+ # We sort the results because Dir.glob order is inconsistent in Ruby < 3 (see PUP-10115).
597
+ parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*')).glob.select {|globbed_file| globbed_file.end_with?('.pp')}.sort.map do | file_to_parse |
598
+ parser.file = file_to_parse
599
+ parser.parse
600
+ end
599
601
  # Use a parser type specific merger to concatenate the results
600
602
  Puppet::Parser::AST::Hostclass.new('', :code => Puppet::Parser::ParserFactory.code_merger.concatenate(parse_results))
601
603
  else
@@ -31,7 +31,7 @@ class Puppet::Parameter::ValueCollection
31
31
  #
32
32
  def doc
33
33
  unless defined?(@doc)
34
- @doc = String.new
34
+ @doc = ''.dup
35
35
  unless values.empty?
36
36
  @doc << "Valid values are "
37
37
  @doc << @strings.collect do |value|
@@ -29,9 +29,10 @@ module Puppet::Parser::Files
29
29
  # * modulename/filename selector: a file is found in the file directory
30
30
  # of the named module.
31
31
  #
32
- # In the second case a nil is returned if there isn't a file found. In the
33
- # first case (absolute path), there is no existence check done and so the
34
- # path will be returned even if there isn't a file available.
32
+ # The check for file existence is performed on the node compiling the
33
+ # manifest. A node running "puppet apply" compiles its own manifest, but
34
+ # a node running "puppet agent" depends on the configured puppetserver
35
+ # for compiling. In either case, a nil is returned if no file is found.
35
36
  #
36
37
  # @param template [String] the file selector
37
38
  # @param environment [Puppet::Node::Environment] the environment in which to search