puppet 6.3.0 → 6.4.0



Files changed (147) hide show
  1. checksums.yaml +4 -4
  2. data/CODEOWNERS +30 -0
  3. data/Gemfile.lock +9 -9
  4. data/lib/puppet.rb +13 -0
  5. data/lib/puppet/application/agent.rb +8 -12
  6. data/lib/puppet/application/device.rb +2 -3
  7. data/lib/puppet/application/filebucket.rb +6 -1
  8. data/lib/puppet/application/ssl.rb +102 -55
  9. data/lib/puppet/configurer.rb +8 -7
  10. data/lib/puppet/defaults.rb +3 -1
  11. data/lib/puppet/file_system.rb +24 -4
  12. data/lib/puppet/file_system/file_impl.rb +25 -0
  13. data/lib/puppet/file_system/jruby.rb +23 -0
  14. data/lib/puppet/file_system/windows.rb +84 -0
  15. data/lib/puppet/indirector/rest.rb +4 -2
  16. data/lib/puppet/loaders.rb +1 -0
  17. data/lib/puppet/network/http.rb +1 -0
  18. data/lib/puppet/network/http/base_pool.rb +18 -0
  19. data/lib/puppet/network/http/connection.rb +49 -17
  20. data/lib/puppet/network/http/nocache_pool.rb +9 -4
  21. data/lib/puppet/network/http/pool.rb +10 -11
  22. data/lib/puppet/network/http/session.rb +3 -2
  23. data/lib/puppet/network/http_pool.rb +32 -0
  24. data/lib/puppet/pops/loader/generic_plan_instantiator.rb +28 -0
  25. data/lib/puppet/pops/loader/loader_paths.rb +46 -10
  26. data/lib/puppet/pops/loader/module_loaders.rb +10 -3
  27. data/lib/puppet/provider/file/windows.rb +49 -1
  28. data/lib/puppet/provider/package/windows.rb +5 -1
  29. data/lib/puppet/reports/http.rb +2 -1
  30. data/lib/puppet/rest/client.rb +7 -3
  31. data/lib/puppet/rest/routes.rb +9 -44
  32. data/lib/puppet/ssl.rb +6 -0
  33. data/lib/puppet/ssl/error.rb +26 -0
  34. data/lib/puppet/ssl/host.rb +9 -92
  35. data/lib/puppet/ssl/ssl_context.rb +30 -0
  36. data/lib/puppet/ssl/ssl_provider.rb +232 -0
  37. data/lib/puppet/ssl/state_machine.rb +261 -0
  38. data/lib/puppet/ssl/validator.rb +1 -0
  39. data/lib/puppet/ssl/validator/default_validator.rb +1 -0
  40. data/lib/puppet/ssl/validator/no_validator.rb +2 -0
  41. data/lib/puppet/ssl/verifier.rb +134 -0
  42. data/lib/puppet/ssl/verifier_adapter.rb +48 -0
  43. data/lib/puppet/test/test_helper.rb +2 -1
  44. data/lib/puppet/type/exec.rb +30 -6
  45. data/lib/puppet/type/file/mode.rb +6 -1
  46. data/lib/puppet/type/file/source.rb +2 -2
  47. data/lib/puppet/type/filebucket.rb +12 -8
  48. data/lib/puppet/type/user.rb +14 -1
  49. data/lib/puppet/util/connection.rb +10 -5
  50. data/lib/puppet/util/feature.rb +11 -2
  51. data/lib/puppet/util/http_proxy.rb +3 -2
  52. data/lib/puppet/util/pidlock.rb +1 -1
  53. data/lib/puppet/util/ssl.rb +1 -10
  54. data/lib/puppet/util/windows/security.rb +29 -8
  55. data/lib/puppet/version.rb +1 -1
  56. data/lib/puppet/x509.rb +7 -0
  57. data/lib/puppet/x509/cert_provider.rb +286 -0
  58. data/lib/puppet/x509/pem_store.rb +55 -0
  59. data/locales/ja/puppet.po +740 -590
  60. data/locales/puppet.pot +433 -208
  61. data/man/man5/puppet.conf.5 +6 -3
  62. data/man/man8/puppet-agent.8 +1 -1
  63. data/man/man8/puppet-apply.8 +1 -1
  64. data/man/man8/puppet-catalog.8 +1 -1
  65. data/man/man8/puppet-config.8 +1 -1
  66. data/man/man8/puppet-describe.8 +1 -1
  67. data/man/man8/puppet-device.8 +1 -1
  68. data/man/man8/puppet-doc.8 +1 -1
  69. data/man/man8/puppet-epp.8 +1 -1
  70. data/man/man8/puppet-facts.8 +1 -1
  71. data/man/man8/puppet-filebucket.8 +6 -2
  72. data/man/man8/puppet-generate.8 +1 -1
  73. data/man/man8/puppet-help.8 +1 -1
  74. data/man/man8/puppet-key.8 +1 -1
  75. data/man/man8/puppet-lookup.8 +1 -1
  76. data/man/man8/puppet-man.8 +1 -1
  77. data/man/man8/puppet-module.8 +1 -1
  78. data/man/man8/puppet-node.8 +1 -1
  79. data/man/man8/puppet-parser.8 +1 -1
  80. data/man/man8/puppet-plugin.8 +1 -1
  81. data/man/man8/puppet-report.8 +1 -1
  82. data/man/man8/puppet-resource.8 +1 -1
  83. data/man/man8/puppet-script.8 +1 -1
  84. data/man/man8/puppet-ssl.8 +5 -1
  85. data/man/man8/puppet-status.8 +1 -1
  86. data/man/man8/puppet.8 +2 -2
  87. data/spec/fixtures/ssl/127.0.0.1-key.pem +67 -0
  88. data/spec/fixtures/ssl/127.0.0.1.pem +48 -0
  89. data/spec/fixtures/ssl/bad-basic-constraints.pem +59 -0
  90. data/spec/fixtures/ssl/bad-int-basic-constraints.pem +59 -0
  91. data/spec/fixtures/ssl/ca.pem +59 -0
  92. data/spec/fixtures/ssl/crl.pem +30 -0
  93. data/spec/fixtures/ssl/encrypted-key.pem +70 -0
  94. data/spec/fixtures/ssl/intermediate-agent-crl.pem +31 -0
  95. data/spec/fixtures/ssl/intermediate-agent.pem +60 -0
  96. data/spec/fixtures/ssl/intermediate-crl.pem +36 -0
  97. data/spec/fixtures/ssl/intermediate.pem +60 -0
  98. data/spec/fixtures/ssl/netlock-arany-utf8.pem +23 -0
  99. data/spec/fixtures/ssl/pluto-key.pem +67 -0
  100. data/spec/fixtures/ssl/pluto.pem +44 -0
  101. data/spec/fixtures/ssl/request-key.pem +67 -0
  102. data/spec/fixtures/ssl/request.pem +39 -0
  103. data/spec/fixtures/ssl/revoked-key.pem +67 -0
  104. data/spec/fixtures/ssl/revoked.pem +44 -0
  105. data/spec/fixtures/ssl/signed-key.pem +67 -0
  106. data/spec/fixtures/ssl/signed.pem +44 -0
  107. data/spec/fixtures/ssl/tampered-cert.pem +44 -0
  108. data/spec/fixtures/ssl/tampered-csr.pem +39 -0
  109. data/spec/integration/network/http_pool_spec.rb +222 -0
  110. data/spec/integration/provider/file/windows_spec.rb +162 -0
  111. data/spec/integration/rest/client_spec.rb +73 -0
  112. data/spec/integration/type/file_spec.rb +0 -19
  113. data/spec/lib/puppet/test_ca.rb +87 -50
  114. data/spec/lib/puppet_spec/fixtures.rb +20 -0
  115. data/spec/lib/puppet_spec/https.rb +84 -0
  116. data/spec/unit/application/agent_spec.rb +29 -30
  117. data/spec/unit/application/device_spec.rb +12 -49
  118. data/spec/unit/application/ssl_spec.rb +24 -38
  119. data/spec/unit/configurer_spec.rb +11 -11
  120. data/spec/unit/file_system/uniquefile_spec.rb +6 -0
  121. data/spec/unit/file_system_spec.rb +214 -0
  122. data/spec/unit/indirector/rest_spec.rb +3 -3
  123. data/spec/unit/network/http/connection_spec.rb +30 -90
  124. data/spec/unit/network/http/factory_spec.rb +1 -0
  125. data/spec/unit/network/http/nocache_pool_spec.rb +8 -8
  126. data/spec/unit/network/http/pool_spec.rb +63 -33
  127. data/spec/unit/network/http/session_spec.rb +8 -1
  128. data/spec/unit/network/http_pool_spec.rb +36 -0
  129. data/spec/unit/pops/loaders/loader_spec.rb +26 -1
  130. data/spec/unit/provider/package/windows_spec.rb +12 -1
  131. data/spec/unit/reports/http_spec.rb +7 -7
  132. data/spec/unit/rest/client_spec.rb +4 -6
  133. data/spec/unit/ssl/host_spec.rb +39 -33
  134. data/spec/unit/ssl/ssl_provider_spec.rb +428 -0
  135. data/spec/unit/ssl/state_machine_spec.rb +502 -0
  136. data/spec/unit/ssl/verifier_spec.rb +123 -0
  137. data/spec/unit/type/exec_spec.rb +63 -0
  138. data/spec/unit/type/file/source_spec.rb +5 -5
  139. data/spec/unit/type/filebucket_spec.rb +8 -6
  140. data/spec/unit/util/feature_spec.rb +2 -2
  141. data/spec/unit/util/storage_spec.rb +19 -19
  142. data/spec/unit/x509/cert_provider_spec.rb +527 -0
  143. data/spec/unit/x509/pem_store_spec.rb +160 -0
  144. data/tasks/generate_cert_fixtures.rake +158 -0
  145. metadata +78 -4
  146. data/MAINTAINERS +0 -47
  147. data/lib/puppet/rest/ssl_context.rb +0 -13
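--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: a9880189407af4c0ace86139b5cbb0da597873fdb66155deee5f604ce2a43ee1
- data.tar.gz: e3938eeb5d96ee1fd7b2ac1abfc27fa96d622f77f5b4fa6bff963491d792df94
+ metadata.gz: 9d65e23247a1ba8d6c4d268237ac3d3872c86529c562cf2976269c76a1af3320
+ data.tar.gz: 2fe21394c6757add0a82e2fb37914b9686f02f76872ace02b3e7985aee98239b
  SHA512:
- metadata.gz: 559443d6f08e45af8c7b69c12baefc2293f8723508d491a14e48f9f3f29f6ba9f5b07f1c008ef205d6e848652e7aba86fdba5185b05a4eab685486bfb1bf22bd
- data.tar.gz: 15c37e7dde7033a80280e30d9eaa1cd9b5c2a0fa53fc8ea8d6de47ebbbe10d2372e2515d4268356f9daedc693592325f544e8bf15553ec0d93d0063a092d5260
+ metadata.gz: b6b4fed6595ea060efcf8aceae0869a4badd1d52977dc2cf9e4dbc9583c95255d7890f2fbc133c2b77b8aed20243d404e5e39aa0782c23eed54831d68e2366cb
+ data.tar.gz: 37bebced6a48006406201435c4034b55c1506d8d03c9244c0ed32cc3ccee7c146d0dfb53a1eca69955168d78e6629e61777354a02eafbc7f15704e32a889fe1d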
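--- /dev/null
+++ b/data/CODEOWNERS
@@ -0,0 +1,30 @@
+ # default to platform-core
+ * @puppetlabs/platform-core
+
+ # platform-os
+ /lib/puppet/type/group @puppetlabs/platform-os
+ /lib/puppet/type/package @puppetlabs/platform-os
+ /lib/puppet/type/service @puppetlabs/platform-os
+ /lib/puppet/type/user @puppetlabs/platform-os
+ /lib/puppet/provider/group @puppetlabs/platform-os
+ /lib/puppet/provider/package @puppetlabs/platform-os
+ /lib/puppet/provider/service @puppetlabs/platform-os
+ /lib/puppet/provider/user @puppetlabs/platform-os
+
+ # language
+ /lib/puppet/datatypes @puppetlabs/language
+ /lib/puppet/functions @puppetlabs/language
+ /lib/puppet/pal @puppetlabs/language
+ /lib/puppet/parser @puppetlabs/language
+ /lib/puppet/pops @puppetlabs/language
+ /lib/puppet/syntax_checkers @puppetlabs/language
+
+ # puppet device
+ /lib/puppet/application/device.rb @puppetlabs/networking
+ /lib/puppet/util/network_device @puppetlabs/networking
+
+ # puppet module
+ /lib/puppet/application/module.rb @puppetlabs/pdk
+ /lib/puppet/face/module @puppetlabs/pdk
+ /lib/puppet/forge @puppetlabs/pdk
+ /lib/puppet/module_tool @puppetlabs/pdk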
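--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
  PATH
  remote: .
  specs:
- puppet (6.3.0)
+ puppet (6.4.0)
  CFPropertyList (~> 2.2)
  facter (>= 2.4.0, < 4)
  fast_gettext (~> 1.1.2)
@@ -50,24 +50,24 @@ GEM
  minitar (0.8)
  mocha (1.5.0)
  metaclass (~> 0.0.1)
- msgpack (1.2.6)
+ msgpack (1.2.9)
  multi_json (1.13.1)
  mustache (1.1.0)
  optimist (3.0.0)
- packaging (0.99.23)
+ packaging (0.99.24)
  artifactory (~> 2)
  rake (~> 12.3)
- parallel (1.13.0)
- parser (2.6.0.0)
+ parallel (1.14.0)
+ parser (2.6.2.0)
  ast (~> 2.4.0)
  powerpack (0.1.2)
  pry (0.12.2)
  coderay (~> 1.1.0)
  method_source (~> 0.9.0)
  public_suffix (3.0.3)
- puppet-resource_api (1.6.2)
+ puppet-resource_api (1.8.1)
  hocon (>= 1.0)
- puppetserver-ca (1.3.0)
+ puppetserver-ca (1.3.1)
  facter (>= 2.0.1, < 4)
  racc (1.4.9)
  rainbow (2.2.2)
@@ -108,10 +108,10 @@ GEM
  rubocop (~> 0.49.0)
  ruby-prof (0.17.0)
  ruby-progressbar (1.10.0)
- safe_yaml (1.0.4)
+ safe_yaml (1.0.5)
  semantic_puppet (1.0.2)
  text (1.3.1)
- unicode-display_width (1.4.1)
+ unicode-display_width (1.5.0)
  vcr (2.9.3)
  webmock (1.24.6)
  addressable (>= 2.3.6)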
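--- a/data/lib/puppet.rb
+++ b/data/lib/puppet.rb
@@ -207,6 +207,18 @@ module Puppet
  require 'puppet/network/http'
  Puppet::Network::HTTP::NoCachePool.new
  },
+ :ssl_context => proc {
+ begin
+ ssl = Puppet::SSL::SSLProvider.new
+ ssl.load_context(certname: Puppet[:certname])
+ rescue => e
+ # TRANSLATORS: `message` is an already translated string of why SSL failed to initialize
+ Puppet.log_exception(e, _("Failed to initialize SSL: %{message}") % { message: e.message })
+ # TRANSLATORS: `puppet agent -t` is a command and should not be translated
+ Puppet.err(_("Run `puppet agent -t`"))
+ raise e
+ end
+ },
  :ssl_host => proc { Puppet::SSL::Host.localhost },
  :plugins => proc { Puppet::Plugins::Configuration.load_plugins },
  :rich_data => false
@@ -290,6 +302,7 @@ require 'puppet/type'
  require 'puppet/resource'
  require 'puppet/parser'
  require 'puppet/network'
+ require 'puppet/x509'
  require 'puppet/ssl'
  require 'puppet/module'
  require 'puppet/data_binding'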
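Review bot: The `raise e` closing the rescue in the new `:ssl_context` proc should be a bare `raise`, which re-raises the exception currently being handled without re-wrapping it; `raise e` behaves the same here but is the non-idiomatic form and reads as if a different exception were being thrown. The remediation hint `Run \`puppet agent -t\`` is printed for every consumer of `Puppet.lookup(:ssl_context)`; if non-agent applications also resolve this context (not visible in this hunk), that hint would be misleading for them, so consider a comment stating which applications are expected to hit this path. The context table this proc sits in starts and ends outside the hunk.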
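--- a/data/lib/puppet/application/agent.rb
+++ b/data/lib/puppet/application/agent.rb
@@ -358,16 +358,12 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
  end
 
  def fingerprint
- host = Puppet::SSL::Host.new
- unless cert = host.certificate || host.certificate_request
- $stderr.puts _("Fingerprint asked but no certificate nor certificate request have yet been issued")
- exit(1)
- return
- end
- unless digest = cert.digest(options[:digest].to_s)
- raise ArgumentError, _("Could not get fingerprint for digest '%{digest}'") % { digest: options[:digest] }
- end
- puts digest.to_s
+ sm = Puppet::SSL::StateMachine.new(onetime: true)
+ ssl_context = sm.ensure_client_certificate
+ puts Puppet::SSL::Digest.new(options[:digest].to_s, ssl_context.client_cert.to_der).to_s
+ rescue
+ $stderr.puts _("Fingerprint asked but no certificate nor certificate request have yet been issued")
+ exit(1)
  end
 
  def onetime(daemon)
@@ -465,8 +461,8 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
  end
 
  def wait_for_certificates
- host = Puppet::SSL::Host.new
  waitforcert = options[:waitforcert] || (Puppet[:onetime] ? 0 : Puppet[:waitforcert])
- host.wait_for_cert(waitforcert)
+ sm = Puppet::SSL::StateMachine.new(waitforcert: waitforcert)
+ sm.ensure_client_certificate
  end
  end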
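Review bot: The bare `rescue` in the new `fingerprint` body collapses every StandardError into the "no certificate nor certificate request have yet been issued" message, which is now wrong for the cases the old code reported separately: an unsupported `--digest` value (previously a specific ArgumentError) and any failure raised by `ensure_client_certificate` (key generation, CA download, network or verification errors). The underlying cause should at least be logged before exiting, e.g. `rescue => e` followed by `Puppet.log_exception(e)` ahead of the existing `$stderr.puts` line, so an operator can distinguish "nothing issued yet" from a broken SSL setup. It is also worth a comment that `fingerprint` now drives the state machine (with `onetime: true`) rather than only reading files on disk, since that presumably means it may submit a CSR or contact the CA as a side effect — confirm against StateMachine, which is not in this hunk.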
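--- a/data/lib/puppet/application/device.rb
+++ b/data/lib/puppet/application/device.rb
@@ -338,7 +338,6 @@ Licensed under the Apache 2.0 License
  Puppet[:vardir] = vardir
  Puppet[:confdir] = confdir
  Puppet[:certname] = certname
- Puppet::SSL::Host.reset
  end
  end
  end
@@ -374,9 +373,9 @@ Licensed under the Apache 2.0 License
  end
 
  def setup_host(name)
- @host = Puppet::SSL::Host.new(name, true)
  waitforcert = options[:waitforcert] || (Puppet[:onetime] ? 0 : Puppet[:waitforcert])
- @host.wait_for_cert(waitforcert)
+ sm = Puppet::SSL::StateMachine.new(certname: name, waitforcert: waitforcert)
+ sm.ensure_client_certificate
  end
 
  def setup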
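Review bot: The first hunk drops `Puppet::SSL::Host.reset` after switching `Puppet[:certname]` to the next device, while `setup_host` now passes `certname: name` explicitly to the state machine; nothing in these hunks shows whether any per-process SSL state keyed on the previous certname (for instance a context resolved through `Puppet.lookup(:ssl_context)`) is still reused across devices, so the removal is safe only if the new code holds no such cache — worth confirming against the state machine and the context setup, which are outside this file. A one-line comment on `setup_host`, e.g. `# certname is passed explicitly so the device's cert is used even though Puppet[:certname] was just swapped`, would record that intent. The enclosing method of the first hunk starts outside the hunk.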
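--- a/data/lib/puppet/application/filebucket.rb
+++ b/data/lib/puppet/application/filebucket.rb
@@ -107,8 +107,13 @@ configuration options can also be generated by running puppet with
  information and the bucket located at the '$bucketdir' setting
  by default.
 
+ * --server_list:
+ A list of comma seperated servers; only the first entry is used for file storage.
+ This setting takes precidence over `server`.
+
  * --server:
- The server to send the file to, instead of locally.
+ The server to use for file storage. This setting is only used if `server_list`
+ is not set.
 
  * --todate:
  (list only) Select bucket files until 'todate'.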
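Review bot: The new `--server_list` help text has two spelling errors that will ship in user-facing output and be picked up verbatim into the translation template: `seperated` should be `separated` and `precidence` should be `precedence`. The corrected lines are `A list of comma separated servers; only the first entry is used for file storage.` and `This setting takes precedence over \`server\`.`. The help string this sits in starts and ends outside the hunk.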
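--- a/data/lib/puppet/application/ssl.rb
+++ b/data/lib/puppet/application/ssl.rb
@@ -45,6 +45,14 @@ OPTIONS
  ACTIONS
  -------
 
+ * bootstrap:
+ Perform all of the steps necessary to request and download a client
+ certificate. If autosigning is disabled, then puppet will wait every
+ `waitforcert` seconds for its certificate to be signed. To only attempt
+ once and never wait, specify a time of 0. Since `waitforcert` is a
+ Puppet setting, it can be specified as a time interval, such as 30s,
+ 5m, 1h.
+
  * submit_request:
  Generate a certificate signing request (CSR) and submit it to the CA. If
  a private and public key pair already exist, they will be used to generate
@@ -76,6 +84,14 @@ HELP
  option('--verbose', '-v')
  option('--debug', '-d')
 
+ def initialize(command_line = Puppet::Util::CommandLine.new)
+ super(command_line)
+
+ @cert_provider = Puppet::X509::CertProvider.new
+ @ssl_provider = Puppet::SSL::SSLProvider.new
+ @machine = Puppet::SSL::StateMachine.new
+ end
+
  def setup_logs
  set_log_level(options)
  Puppet::Util::Log.newdestination(:console)
@@ -91,106 +107,131 @@ HELP
  Puppet[:certname] = options[:target]
  Puppet[:confdir] = File.join(Puppet[:devicedir], Puppet[:certname])
  Puppet[:vardir] = File.join(Puppet[:devicedir], Puppet[:certname])
- host = Puppet::SSL::Host.new(Puppet[:certname], true)
  Puppet.settings.use(:main, :agent, :device)
  else
- host = Puppet::SSL::Host.new(Puppet[:certname])
  Puppet.settings.use(:main, :agent)
  end
 
+ certname = Puppet[:certname]
  action = command_line.args.first
  case action
  when 'submit_request'
- submit_request(host)
- cert = download_cert(host)
- unless cert
- Puppet.info _("The certificate for '%{name}' has not yet been signed") % { name: host.name }
+ ssl_context = @machine.ensure_ca_certificates
+ if submit_request(ssl_context)
+ cert = download_cert(ssl_context)
+ unless cert
+ Puppet.info(_("The certificate for '%{name}' has not yet been signed") % { name: certname })
+ end
  end
  when 'download_cert'
- cert = download_cert(host)
+ ssl_context = @machine.ensure_ca_certificates
+ cert = download_cert(ssl_context)
  unless cert
- raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: host.name }
+ raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: certname }
  end
  when 'verify'
- verify(host)
+ verify(certname)
  when 'clean'
- clean(host)
+ clean(certname)
+ when 'bootstrap'
+ if !Puppet::Util::Log.sendlevel?(:info)
+ Puppet::Util::Log.level = :info
+ end
+ @machine.ensure_client_certificate
+ Puppet.notice(_("Completed SSL initialization"))
  else
  raise Puppet::Error, _("Unknown action '%{action}'") % { action: action }
  end
  end
 
- def submit_request(host)
- host.ensure_ca_certificate
+ def submit_request(ssl_context)
+ key = @cert_provider.load_private_key(Puppet[:certname])
+ unless key
+ Puppet.info _("Creating a new SSL key for %{name}") % { name: Puppet[:certname] }
+ key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
+ @cert_provider.save_private_key(Puppet[:certname], key)
+ end
 
- host.submit_request
+ csr = @cert_provider.create_request(Puppet[:certname], key)
+ Puppet::Rest::Routes.put_certificate_request(csr.to_pem, Puppet[:certname], ssl_context)
+ @cert_provider.save_request(Puppet[:certname], csr)
  Puppet.notice _("Submitted certificate request for '%{name}' to https://%{server}:%{port}") % {
- name: host.name, server: Puppet[:ca_server], port: Puppet[:ca_port]
+ name: Puppet[:certname], server: Puppet[:ca_server], port: Puppet[:ca_port]
  }
+ rescue Puppet::Rest::ResponseError => e
+ if e.response.code.to_i == 400
+ raise Puppet::Error.new(_("Could not submit certificate request for '%{name}' to https://%{server}:%{port} due to a conflict on the server") % { name: Puppet[:certname], server: Puppet[:ca_server], port: Puppet[:ca_port] })
+ else
+ raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
+ end
  rescue => e
  raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
  end
 
- def download_cert(host)
- host.ensure_ca_certificate
+ def download_cert(ssl_context)
+ key = @cert_provider.load_private_key(Puppet[:certname])
 
  Puppet.info _("Downloading certificate '%{name}' from https://%{server}:%{port}") % {
- name: host.name, server: Puppet[:ca_server], port: Puppet[:ca_port]
+ name: Puppet[:certname], server: Puppet[:ca_server], port: Puppet[:ca_port]
  }
- cert = host.download_host_certificate
- return unless cert
+
+ # try to download cert
+ x509 = Puppet::Rest::Routes.get_certificate(Puppet[:certname], ssl_context)
+ cert = OpenSSL::X509::Certificate.new(x509)
+ Puppet.notice _("Downloaded certificate '%{name}' with fingerprint %{fingerprint}") % { name: Puppet[:certname], fingerprint: fingerprint(cert) }
+ # verify client cert before saving
+ @ssl_provider.create_context(
+ cacerts: ssl_context.cacerts, crls: ssl_context.crls, private_key: key, client_cert: cert
+ )
+ @cert_provider.save_client_cert(Puppet[:certname], cert)
+ @cert_provider.delete_request(Puppet[:certname])
 
  Puppet.notice _("Downloaded certificate '%{name}' with fingerprint %{fingerprint}") % {
- name: host.name, fingerprint: cert.fingerprint
+ name: Puppet[:certname], fingerprint: fingerprint(cert)
  }
  cert
+ rescue Puppet::Rest::ResponseError => e
+ if e.response.code.to_i == 404
+ return nil
+ else
+ raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
+ end
  rescue => e
  raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
  end
 
- def verify(host)
- host.ensure_ca_certificate
+ def verify(certname)
+ ssl_context = @ssl_provider.load_context(certname: certname)
 
- key = host.key
- raise _("The host's private key is missing") unless key
-
- cert = host.check_for_certificate_on_disk(host.name)
- raise _("The host's certificate is missing") unless cert
-
- if cert.content.public_key.to_pem != key.content.public_key.to_pem
- raise _("The host's key does not match the certificate")
- end
-
- store = host.ssl_store
- unless store.verify(cert.content)
- raise _("Failed to verify certificate '%{name}': %{message} (%{error})") % {
- name: host.name, message: store.error_string, error: store.error
- }
+ # print from root to client
+ ssl_context.client_chain.reverse.each_with_index do |cert, i|
+ digest = Puppet::SSL::Digest.new('SHA256', cert.to_der)
+ if i == ssl_context.client_chain.length - 1
+ Puppet.notice("Verified client certificate '#{cert.subject.to_s}' fingerprint #{digest}")
+ else
+ Puppet.notice("Verified CA certificate '#{cert.subject.to_s}' fingerprint #{digest}")
+ end
  end
-
- Puppet.notice _("Verified certificate '%{name}'") % {
- name: host.name
- }
- # store.chain.reverse.each_with_index do |issuer, i|
- # indent = " " * (i+1)
- # Puppet.notice "#{indent}#{issuer.subject.to_s}"
- # end
- rescue => e
- raise Puppet::Error.new(_("Verify failed: %{message}") % { message: e.message }, e)
  end
 
- def clean(host)
+ def clean(certname)
  # make sure cert has been removed from the CA
- if host.name == Puppet[:ca_server]
- cert =
- begin
- host.download_certificate_from_ca(host.name)
- rescue => e
- raise Puppet::Error.new(_("Failed to connect to the CA to determine if certificate %{certname} has been cleaned") % { certname: host.name }, e)
+ if certname == Puppet[:ca_server]
+ cert = nil
+
+ begin
+ ssl_context = @machine.ensure_ca_certificates
+ cert = Puppet::Rest::Routes.get_certificate(certname, ssl_context)
+ rescue Puppet::Rest::ResponseError => e
+ if e.response.code.to_i != 404
+ raise Puppet::Error.new(_("Failed to connect to the CA to determine if certificate %{certname} has been cleaned") % { certname: certname }, e)
  end
+ rescue => e
+ raise Puppet::Error.new(_("Failed to connect to the CA to determine if certificate %{certname} has been cleaned") % { certname: certname }, e)
+ end
 
  if cert
- raise Puppet::Error, _(<<END) % { certname: host.name }
+ raise Puppet::Error, _(<<END) % { certname: certname }
  The certificate %{certname} must be cleaned from the CA first. To fix this,
  run the following commands on the CA:
  puppetserver ca clean --certname %{certname}
@@ -214,4 +255,10 @@ END
  end
  end
  end
+
+ private
+
+ def fingerprint(cert)
+ Puppet::SSL::Digest.new(nil, cert.to_der)
+ end
  end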
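Review bot: In the new `download_cert`, the `Puppet.notice _("Downloaded certificate '%{name}' with fingerprint %{fingerprint}")` line placed directly after `OpenSSL::X509::Certificate.new(x509)` is emitted before `@ssl_provider.create_context` has checked the certificate against the CA bundle, CRLs and private key, and the identical notice is logged a second time after `save_client_cert`; drop the first occurrence so a fingerprint is only announced for a certificate that passed verification and was actually saved. In `download_cert` the `key` loaded at the top may be nil when no private key exists on disk, in which case the failure presumably surfaces from `create_context` wrapped as "Failed to download certificate", which hides the real cause — confirm how `create_context` treats a nil `private_key` and, if it raises, check for the key up front with a specific message. The two notices in `verify` are built by string interpolation without the `_()` wrapper every other message in this file uses, and `cert.subject.to_s` inside `#{}` is redundant; e.g. `Puppet.notice(_("Verified client certificate '%{subject}' fingerprint %{digest}") % { subject: cert.subject, digest: digest })`. The old `rescue => e` / "Verify failed" wrapping in `verify` is gone as well, so errors from `load_context` now propagate unwrapped; if that is intended, a short comment on `verify` saying so would help the next reader.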
@@ -226,13 +226,13 @@ class Puppet::Configurer
226
226
  # mode. We shouldn't try to do any failover in that case.
227
227
  if options[:catalog].nil? && do_failover
228
228
  server, port = find_functional_server
229
+ if server.nil?
230
+ raise Puppet::Error, _("Could not select a functional puppet master from server_list: '%{server_list}'") % { server_list: Puppet[:server_list] }
231
+ else
232
+ Puppet.debug _("Selected puppet server: %{server}:%{port}") % { server: server, port: port }
233
+ report.master_used = "#{server}:#{port}"
234
+ end
229
235
  Puppet.override(server: server, serverport: port) do
230
- if server
231
- Puppet.debug _("Selected puppet server: %{server}:%{port}") % { server: server, port: port }
232
- report.master_used = "#{server}:#{port}"
233
- else
234
- Puppet.warning _("Could not select a functional puppet server")
235
- end
236
236
  completed = run_internal(options)
237
237
  end
238
238
  else
@@ -395,7 +395,8 @@ class Puppet::Configurer
395
395
  host = server[0]
396
396
  port = server[1] || Puppet[:masterport]
397
397
  begin
398
- http = Puppet::Network::HttpPool.http_ssl_instance(host, port)
398
+ ssl_context = Puppet.lookup(:ssl_context)
399
+ http = Puppet::Network::HttpPool.connection(host, port.to_i, ssl_context: ssl_context)
399
400
  response = http.get('/status/v1/simple/master')
400
401
  return [host, port] if response.is_a?(Net::HTTPOK)
401
402