puppet 6.0.2-universal-darwin → 6.0.3-universal-darwin



Files changed (61)
  1. checksums.yaml +4 -4
  2. data/Gemfile +2 -2
  3. data/Gemfile.lock +11 -11
  4. data/lib/puppet/application.rb +5 -0
  5. data/lib/puppet/application/apply.rb +1 -0
  6. data/lib/puppet/application/script.rb +1 -1
  7. data/lib/puppet/application/ssl.rb +119 -49
  8. data/lib/puppet/defaults.rb +9 -27
  9. data/lib/puppet/face/node/clean.rb +0 -1
  10. data/lib/puppet/feature/base.rb +1 -1
  11. data/lib/puppet/file_serving/fileset.rb +1 -1
  12. data/lib/puppet/pops/validation/checker4_0.rb +4 -2
  13. data/lib/puppet/provider/package/windows.rb +2 -2
  14. data/lib/puppet/provider/package/windows/exe_package.rb +3 -10
  15. data/lib/puppet/provider/service/windows.rb +11 -3
  16. data/lib/puppet/provider/user/useradd.rb +2 -10
  17. data/lib/puppet/resource/catalog.rb +1 -5
  18. data/lib/puppet/ssl/host.rb +7 -9
  19. data/lib/puppet/transaction/persistence.rb +1 -1
  20. data/lib/puppet/type/package.rb +1 -1
  21. data/lib/puppet/type/user.rb +4 -1
  22. data/lib/puppet/util.rb +7 -3
  23. data/lib/puppet/util/execution.rb +1 -0
  24. data/lib/puppet/util/logging.rb +3 -2
  25. data/lib/puppet/util/windows/process.rb +6 -2
  26. data/lib/puppet/util/windows/security.rb +14 -0
  27. data/lib/puppet/util/windows/service.rb +217 -74
  28. data/lib/puppet/util/windows/user.rb +3 -5
  29. data/lib/puppet/version.rb +1 -1
  30. data/locales/ja/puppet.po +505 -276
  31. data/locales/puppet.pot +250 -111
  32. data/man/man5/puppet.conf.5 +8 -1
  33. data/man/man8/puppet-ssl.8 +22 -2
  34. data/man/man8/puppet.8 +1 -1
  35. data/spec/integration/parser/collection_spec.rb +4 -8
  36. data/spec/integration/type/file_spec.rb +6 -6
  37. data/spec/integration/util/windows/security_spec.rb +10 -7
  38. data/spec/integration/util/windows/user_spec.rb +37 -17
  39. data/spec/lib/puppet/test_ca.rb +1 -1
  40. data/spec/unit/agent_spec.rb +2 -2
  41. data/spec/unit/application/apply_spec.rb +41 -2
  42. data/spec/unit/application/face_base_spec.rb +1 -1
  43. data/spec/unit/application/ssl_spec.rb +160 -110
  44. data/spec/unit/application_spec.rb +29 -11
  45. data/spec/unit/configurer/downloader_spec.rb +1 -1
  46. data/spec/unit/configurer_spec.rb +5 -5
  47. data/spec/unit/face/node_spec.rb +1 -3
  48. data/spec/unit/file_serving/fileset_spec.rb +11 -11
  49. data/spec/unit/network/http/connection_spec.rb +2 -2
  50. data/spec/unit/pops/validator/validator_spec.rb +24 -10
  51. data/spec/unit/provider/package/windows/exe_package_spec.rb +3 -3
  52. data/spec/unit/provider/package/windows_spec.rb +4 -4
  53. data/spec/unit/provider/service/windows_spec.rb +21 -3
  54. data/spec/unit/provider/user/useradd_spec.rb +2 -2
  55. data/spec/unit/resource/catalog_spec.rb +2 -2
  56. data/spec/unit/ssl/host_spec.rb +1 -1
  57. data/spec/unit/transaction/persistence_spec.rb +4 -4
  58. data/spec/unit/util/execution_spec.rb +19 -1
  59. data/spec/unit/util/logging_spec.rb +58 -0
  60. data/spec/unit/util/windows/service_spec.rb +344 -191
  61. metadata +2 -2
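--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 2d872500577376e33e680f75e05b7aab2236a1b877ea013a4cbfea1c7961425c
-data.tar.gz: 1300eeaf12a0b4ded918e64edb8a72b82e05dd168bf6b30d97a94bffd3ebb9d0
+metadata.gz: 461aba1952200572aa6b0e6b875d85dcea71ed1cf376f4b393df225cc1ae14ba
+data.tar.gz: 82b224a2c37d92c4b2ca49cbc2fe9dc639a56d0a64ef13ced257aca124745361
 SHA512:
-metadata.gz: 308cf327703f7ec247914d586ae460a0daf824e46cc024efdffa14880bfbb46284190cf0e2c7a87697186734d7396e2fbd7e48523bdb766dd4012347390415ff
-data.tar.gz: a1519b90dbe93f42f60c7bd316c5e02d5d85e3046bf9b28e9cae809fc3847d760e6f0cfe8f443e7ea765d1d15210d8797c47ee166f6c623570870cc4a9738be3
+metadata.gz: dda52705c006cee47a267fdfdeb2827ee0fd2ad914a9630bd23c0d410bd0b2f2ba83a361fac72a4d91259d4cad6942de15e14322278f6354bc3c3cfee26f5728
+data.tar.gz: ee4aea7d4f8b6f877780e8f36bcd89691b4fa6369812b152831559cfb37ce37225971f76443397ad3796fd21a96e5f25bf190a4f91aa971bce3a5bebb338ae37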
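--- a/data/Gemfile
+++ b/data/Gemfile
@@ -31,13 +31,13 @@ group(:features) do
 # gem 'ruby-augeas', require: false, platforms: [:ruby]
 # requires native ldap headers/libs
 # gem 'ruby-ldap', '~> 0.9', require: false, platforms: [:ruby]
-gem 'puppetserver-ca', '~> 0.5', require: false
+gem 'puppetserver-ca', '~> 1.1', require: false
 end
 
 group(:test) do
 gem "json-schema", "~> 2.0", require: false
 gem "mocha", '~> 1.5.0', require: false
-gem "rake", '~> 12.2.1', require: false
+gem "rake", *location_for(ENV['RAKE_LOCATION'] || '~> 12.2')
 gem "rspec", "~> 3.1", require: false
 gem "rspec-its", "~> 1.1", require: false
 gem "rspec-collection_matchers", "~> 1.1", require: false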
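--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
-puppet (6.0.2)
+puppet (6.0.3)
 CFPropertyList (~> 2.2)
 facter (>= 2.0.1, < 4)
 fast_gettext (~> 1.1.2)
@@ -41,10 +41,10 @@ GEM
 hocon (1.2.5)
 hpricot (0.8.6)
 httpclient (2.8.3)
-json-schema (2.8.0)
+json-schema (2.8.1)
 addressable (>= 2.4)
 locale (2.1.2)
-memory_profiler (0.9.11)
+memory_profiler (0.9.12)
 metaclass (0.0.4)
 method_source (0.9.0)
 minitar (0.6.1)
@@ -52,10 +52,10 @@ GEM
 metaclass (~> 0.0.1)
 msgpack (1.2.4)
 multi_json (1.13.1)
-mustache (1.0.5)
-packaging (0.99.8)
+mustache (1.1.0)
+packaging (0.99.16)
 artifactory
-rake (~> 12.2.1)
+rake (~> 12.3)
 parallel (1.12.1)
 parser (2.5.1.2)
 ast (~> 2.4.0)
@@ -66,12 +66,12 @@ GEM
 public_suffix (3.0.3)
 puppet-resource_api (1.6.0)
 hocon (>= 1.0)
-puppetserver-ca (0.7.0)
+puppetserver-ca (1.1.1)
 facter (>= 2.0.1, < 4)
 racc (1.4.9)
 rainbow (2.2.2)
 rake
-rake (12.2.1)
+rake (12.3.1)
 rdiscount (2.2.0.1)
 rdoc (6.0.4)
 ronn (0.7.3)
@@ -86,7 +86,7 @@ GEM
 rspec-expectations (>= 2.99.0.beta1)
 rspec-core (3.8.0)
 rspec-support (~> 3.8.0)
-rspec-expectations (3.8.1)
+rspec-expectations (3.8.2)
 diff-lcs (>= 1.2.0, < 2.0)
 rspec-support (~> 3.8.0)
 rspec-its (1.2.0)
@@ -136,9 +136,9 @@ DEPENDENCIES
 pry
 puppet!
 puppet-resource_api (~> 1.5)
-puppetserver-ca (~> 0.5)
+puppetserver-ca (~> 1.1)
 racc (= 1.4.9)
-rake (~> 12.2.1)
+rake (~> 12.2)
 rdoc (~> 6.0)
 ronn (~> 0.7.3)
 rspec (~> 3.1)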
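--- a/data/lib/puppet/application.rb
+++ b/data/lib/puppet/application.rb
@@ -395,6 +395,8 @@ class Application
 end
 
 def setup_logs
+handle_logdest_arg(Puppet[:logdest])
+
 unless options[:setdest]
 if options[:debug] || options[:verbose]
 Puppet::Util::Log.newdestination(:console)
@@ -416,7 +418,10 @@ class Application
 end
 
 def handle_logdest_arg(arg)
+return if options[:setdest] || arg.nil?
+
 begin
+Puppet[:logdest] = arg
 Puppet::Util::Log.newdestination(arg)
 options[:setdest] = true
 rescue => detail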
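Review bot: In handle_logdest_arg the new `Puppet[:logdest] = arg` runs before `Puppet::Util::Log.newdestination(arg)` has succeeded, so when newdestination raises (the `rescue => detail` branch at the end of the hunk; the handler body continues outside it) the setting is left pointing at a destination that was never opened while options[:setdest] stays false. Swapping the two lines, `Puppet::Util::Log.newdestination(arg)` then `Puppet[:logdest] = arg`, keeps the setting consistent with the destination that is actually receiving log output. The new guard `return if options[:setdest] || arg.nil?` lets an empty-string :logdest from puppet.conf through to newdestination; whether that is then treated as a file path cannot be told from this hunk, so a `arg.to_s.empty?` check may be worth adding alongside the nil check.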
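--- a/data/lib/puppet/application/apply.rb
+++ b/data/lib/puppet/application/apply.rb
@@ -283,6 +283,7 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
 
 exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
 
+handle_logdest_arg(Puppet[:logdest])
 Puppet::Util::Log.newdestination(:console) unless options[:setdest]
 
 Signal.trap(:INT) do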
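--- a/data/lib/puppet/application/script.rb
+++ b/data/lib/puppet/application/script.rb
@@ -229,9 +229,9 @@ Copyright (c) 2017 Puppet Inc., LLC Licensed under the Apache 2.0 License
 end
 
 def setup
-
 exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
 
+handle_logdest_arg(Puppet[:logdest])
 Puppet::Util::Log.newdestination(:console) unless options[:setdest]
 
 Signal.trap(:INT) do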
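--- a/data/lib/puppet/application/ssl.rb
+++ b/data/lib/puppet/application/ssl.rb
@@ -2,6 +2,9 @@ require 'puppet/application'
 require 'puppet/ssl/oids'
 
 class Puppet::Application::Ssl < Puppet::Application
+
+run_mode :agent
+
 def summary
 _("Manage SSL keys and certificates for puppet SSL clients")
 end
@@ -13,41 +16,68 @@ puppet-ssl(8) -- #{summary}
 
 SYNOPSIS
 --------
-Manage SSL keys and certificates for an SSL clients needed
+Manage SSL keys and certificates for SSL clients needing
 to communicate with a puppet infrastructure.
 
 USAGE
 -----
-puppet ssl <action> [--certname <NAME>]
+puppet ssl <action> [-h|--help] [-v|--verbose] [-d|--debug] [--localca]
+
+
+OPTIONS
+-------
+
+* --help:
+Print this help messsge.
+
+* --verbose:
+Print extra information.
+
+* --debug:
+Enable full debugging.
+
+* --localca
+Also clean the local CA certificate and CRL.
+
 
 ACTIONS
 -------
 
 * submit_request:
-Generate a certificate signing request (CSR) and submit it to the CA. If a private and
-public key pair already exist, they will be used to generate the CSR. Otherwise a new
-key pair will be generated. If a CSR has already been submitted with the given `certname`,
-then the operation will fail.
+Generate a certificate signing request (CSR) and submit it to the CA. If
+a private and public key pair already exist, they will be used to generate
+the CSR. Otherwise a new key pair will be generated. If a CSR has already
+been submitted with the given `certname`, then the operation will fail.
 
 * download_cert:
-Download a certificate for this host. If the current private key matches the downloaded
-certificate, then the certificate will be saved and used for subsequent requests. If
-there is already an existing certificate, it will be overwritten.
+Download a certificate for this host. If the current private key matches
+the downloaded certificate, then the certificate will be saved and used
+for subsequent requests. If there is already an existing certificate, it
+will be overwritten.
 
 * verify:
-Verify the private key and certificate are present and match, verify the certificate is
-issued by a trusted CA, and check revocation status.
+Verify the private key and certificate are present and match, verify the
+certificate is issued by a trusted CA, and check revocation status.
+
+* clean:
+Remove the private key and certificate related files for this host. If
+`--localca` is specified, then also remove this host's local copy of the
+CA certificate(s) and CRL bundle.
 HELP
 end
 
-option('--certname NAME') do |arg|
-options[:certname] = arg
+option('--localca')
+option('--verbose', '-v')
+option('--debug', '-d')
+
+def setup_logs
+set_log_level(options)
+Puppet::Util::Log.newdestination(:console)
 end
 
 def main
 if command_line.args.empty?
-puts help
-exit(1)
+raise Puppet::Error, _("An action must be specified.")
 end
 
 Puppet.settings.use(:main, :agent)
@@ -57,77 +87,117 @@ HELP
 case action
 when 'submit_request'
 submit_request(host)
-download_cert(host)
+cert = download_cert(host)
+unless cert
+Puppet.info _("The certificate for '%{name}' has not yet been signed") % { name: host.name }
+end
 when 'download_cert'
-download_cert(host)
+cert = download_cert(host)
+unless cert
+raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: host.name }
+end
 when 'verify'
 verify(host)
+when 'clean'
+clean(host)
 else
-puts "Unknown action '#{action}'"
-exit(1)
+raise Puppet::Error, _("Unknown action '%{action}'") % { action: action }
 end
-
-exit(0)
 end
 
 def submit_request(host)
 host.ensure_ca_certificate
 
 host.submit_request
-puts "Submitted certificate request for '#{host.name}' to https://#{Puppet[:ca_server]}:#{Puppet[:ca_port]}"
+Puppet.notice _("Submitted certificate request for '%{name}' to https://%{server}:%{port}") % {
+name: host.name, server: Puppet[:ca_server], port: Puppet[:ca_port]
+}
 rescue => e
-puts "Failed to submit certificate request: #{e.message}"
-exit(1)
+raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
 end
 
 def download_cert(host)
 host.ensure_ca_certificate
 
-puts "Downloading certificate '#{host.name}' from https://#{Puppet[:ca_server]}:#{Puppet[:ca_port]}"
-if cert = host.download_host_certificate
-puts "Downloaded certificate '#{host.name}' with fingerprint #{cert.fingerprint}"
-else
-puts "No certificate for '#{host.name}' on CA"
-end
+Puppet.info _("Downloading certificate '%{name}' from https://%{server}:%{port}") % {
+name: host.name, server: Puppet[:ca_server], port: Puppet[:ca_port]
+}
+cert = host.download_host_certificate
+return unless cert
+
+Puppet.notice _("Downloaded certificate '%{name}' with fingerprint %{fingerprint}") % {
+name: host.name, fingerprint: cert.fingerprint
+}
+cert
 rescue => e
-puts "Failed to download certificate: #{e.message}"
-exit(1)
+raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
 end
 
 def verify(host)
 host.ensure_ca_certificate
 
 key = host.key
-unless key
-puts "The host's private key is missing"
-exit(1)
-end
+raise _("The host's private key is missing") unless key
 
 cert = host.check_for_certificate_on_disk(host.name)
-unless cert
-puts "The host's certificate is missing"
-exit(1)
-end
+raise _("The host's certificate is missing") unless cert
 
 if cert.content.public_key.to_pem != key.content.public_key.to_pem
-puts "The host's key does not match the certificate"
-exit(1)
+raise _("The host's key does not match the certificate")
 end
 
 store = host.ssl_store
 unless store.verify(cert.content)
-puts "Failed to verify certificate '#{host.name}': #{store.error_string} (#{store.error})"
-exit(1)
+raise _("Failed to verify certificate '%{name}': %{message} (%{error})") % {
+name: host.name, message: store.error_string, error: store.error
+}
 end
 
-puts "Verified certificate '#{host.name}'"
+Puppet.notice _("Verified certificate '%{name}'") % {
+name: host.name
+}
 # store.chain.reverse.each_with_index do |issuer, i|
 # indent = " " * (i+1)
-# puts "#{indent}#{issuer.subject.to_s}"
+# Puppet.notice "#{indent}#{issuer.subject.to_s}"
 # end
-exit(0)
 rescue => e
-puts "Verify failed: #{e.message}"
-exit(1)
+raise Puppet::Error.new(_("Verify failed: %{message}") % { message: e.message }, e)
+end
+
+def clean(host)
+# make sure cert has been removed from the CA
+if Puppet[:certname] == Puppet[:ca_server]
+cert =
+begin
+host.download_certificate_from_ca(Puppet[:certname])
+rescue => e
+raise Puppet::Error.new(_("Failed to connect to the CA to determine if certificate %{certname} has been cleaned") % { certname: Puppet[:certname] }, e)
+end
+
+if cert
+raise Puppet::Error, _(<<END) % { certname: Puppet[:certname] }
+The certificate %{certname} must be cleaned from the CA first. To fix this,
+run the following commands on the CA:
+puppetserver ca clean --certname %{certname}
+puppet ssl clean
+END
+end
+end
+
+settings = {
+hostprivkey: 'private key',
+hostpubkey: 'public key',
+hostcsr: 'certificate request',
+hostcert: 'certificate',
+passfile: 'private key password file'
+}
+settings.merge!(localcacert: 'local CA certificate', hostcrl: 'local CRL') if options[:localca]
+settings.each_pair do |setting, label|
+path = Puppet[setting]
+if Puppet::FileSystem.exist?(path)
+Puppet::FileSystem.unlink(path)
+Puppet.notice _("Removed %{label} %{path}") % { label: label, path: path }
+end
+end
 end
 end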
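Review bot: The new clean action unlinks every path in `settings` with no rescue around `Puppet::FileSystem.unlink(path)`, so a permissions or I/O failure surfaces as a raw Errno after the entries before it (hostprivkey is first) have already been removed, unlike submit_request, download_cert and verify in the same hunk, which wrap failures in Puppet::Error. Wrapping the unlink in a begin/rescue that re-raises as `raise Puppet::Error.new(_("Failed to remove %{label} %{path}: %{message}") % { label: label, path: path, message: e.message }, e)` would match the rest of the class and tell the operator which credential file was left behind. The comment `# make sure cert has been removed from the CA` reads as if every host is checked, but the branch only runs when `Puppet[:certname] == Puppet[:ca_server]`; `# only when this host is also the CA server: refuse to clean locally until its own certificate has been cleaned from the CA` states the actual condition. The option help in the second hunk also misspells `messsge`.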
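--- a/data/lib/puppet/defaults.rb
+++ b/data/lib/puppet/defaults.rb
@@ -963,6 +963,15 @@ EOT
 }
 end
 end
+},
+:logdest => {
+:type => :string,
+:desc => "Where to send log messages. Choose between 'syslog' (the POSIX syslog
+service), 'eventlog' (the Windows Event Log), 'console', or the path to a log
+file."
+# Sure would be nice to set the Puppet::Util::Log destination here in an :on_initialize_and_write hook,
+# unfortunately we have a large number of tests that rely on the logging not resetting itself when the
+# settings are initialized as they test what gets logged during settings initialization.
 }
 )
 
@@ -975,65 +984,41 @@ EOT
 :cadir => {
 :default => "$ssldir/ca",
 :type => :directory,
-:owner => "service",
-:group => "service",
-:mode => "0755",
 :desc => "The root directory for the certificate authority.",
 },
 :cacert => {
 :default => "$cadir/ca_crt.pem",
 :type => :file,
-:owner => "service",
-:group => "service",
-:mode => "0644",
 :desc => "The CA certificate.",
 },
 :cakey => {
 :default => "$cadir/ca_key.pem",
 :type => :file,
-:owner => "service",
-:group => "service",
-:mode => "0640",
 :desc => "The CA private key.",
 },
 :capub => {
 :default => "$cadir/ca_pub.pem",
 :type => :file,
-:owner => "service",
-:group => "service",
-:mode => "0644",
 :desc => "The CA public key.",
 },
 :cacrl => {
 :default => "$cadir/ca_crl.pem",
 :type => :file,
-:owner => "service",
-:group => "service",
-:mode => "0644",
 :desc => "The certificate revocation list (CRL) for the CA.",
 },
 :csrdir => {
 :default => "$cadir/requests",
 :type => :directory,
-:owner => "service",
-:group => "service",
-:mode => "0755",
 :desc => "Where the CA stores certificate requests.",
 },
 :signeddir => {
 :default => "$cadir/signed",
 :type => :directory,
-:owner => "service",
-:group => "service",
-:mode => "0755",
 :desc => "Where the CA stores signed certificates.",
 },
 :serial => {
 :default => "$cadir/serial",
 :type => :file,
-:owner => "service",
-:group => "service",
-:mode => "0644",
 :desc => "Where the serial number for certificates is stored.",
 },
 :autosign => {
@@ -1082,9 +1067,6 @@ EOT
 :cert_inventory => {
 :default => "$cadir/inventory.txt",
 :type => :file,
-:mode => "0644",
-:owner => "service",
-:group => "service",
 :desc => "The inventory file. This is a text file to which the CA writes a
 complete listing of all certificates.",
 }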
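Review bot: With `:owner`, `:group` and `:mode` dropped from the CA settings (cadir, cacert, cakey, capub, cacrl, csrdir, signeddir and serial in the second hunk, cert_inventory in the third), nothing in this file states any more how the CA private key at `$cadir/ca_key.pem` is expected to be protected; the removed `:mode => "0640"` on :cakey was the only place that said so. If permissions are now the responsibility of the CA tooling (the Gemfile bump to puppetserver-ca in this release suggests that, but it cannot be confirmed from this diff), a comment on the :cakey entry such as `# owner/group/mode are no longer managed here; the CA tooling that creates this file is responsible for keeping it readable only by the service user` would record that decision for the next reader and make an unintentional loosening easier to spot. The new :logdest entry is fine as written; its trailing comment explains why no hook sets the destination.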