puppet 6.7.2 → 6.8.0


Potentially problematic release.


This version of puppet might be problematic. Click here for more details.

Files changed (89) hide show
  1. checksums.yaml +4 -4
  2. data/CODEOWNERS +9 -9
  3. data/Gemfile +1 -1
  4. data/Gemfile.lock +7 -7
  5. data/install.rb +3 -21
  6. data/lib/puppet/application/agent.rb +17 -13
  7. data/lib/puppet/application/device.rb +10 -0
  8. data/lib/puppet/defaults.rb +21 -6
  9. data/lib/puppet/face/facts.rb +1 -1
  10. data/lib/puppet/face/parser.rb +3 -2
  11. data/lib/puppet/forge.rb +19 -4
  12. data/lib/puppet/indirector/certificate/file.rb +1 -0
  13. data/lib/puppet/indirector/certificate/rest.rb +1 -0
  14. data/lib/puppet/indirector/certificate_request/file.rb +1 -0
  15. data/lib/puppet/indirector/certificate_request/memory.rb +1 -0
  16. data/lib/puppet/indirector/certificate_request/rest.rb +1 -0
  17. data/lib/puppet/indirector/key/file.rb +1 -0
  18. data/lib/puppet/indirector/key/memory.rb +1 -0
  19. data/lib/puppet/module_tool/applications/installer.rb +0 -3
  20. data/lib/puppet/network/http/factory.rb +1 -11
  21. data/lib/puppet/pops/lookup.rb +1 -0
  22. data/lib/puppet/pops/lookup/key_recorder.rb +18 -0
  23. data/lib/puppet/pops/lookup/lookup_adapter.rb +7 -0
  24. data/lib/puppet/provider/file/posix.rb +5 -0
  25. data/lib/puppet/provider/nameservice.rb +10 -3
  26. data/lib/puppet/provider/package/apt.rb +1 -1
  27. data/lib/puppet/provider/package/dpkg.rb +17 -3
  28. data/lib/puppet/provider/service/launchd.rb +20 -5
  29. data/lib/puppet/provider/service/systemd.rb +5 -10
  30. data/lib/puppet/provider/user/pw.rb +12 -3
  31. data/lib/puppet/provider/user/user_role_add.rb +4 -0
  32. data/lib/puppet/provider/user/useradd.rb +25 -11
  33. data/lib/puppet/ssl/certificate.rb +2 -0
  34. data/lib/puppet/ssl/host.rb +3 -0
  35. data/lib/puppet/ssl/key.rb +2 -0
  36. data/lib/puppet/util/http_proxy.rb +17 -3
  37. data/lib/puppet/util/monkey_patches.rb +0 -16
  38. data/lib/puppet/util/selinux.rb +5 -1
  39. data/lib/puppet/util/windows/security.rb +2 -0
  40. data/lib/puppet/util/windows/sid.rb +1 -0
  41. data/lib/puppet/version.rb +1 -1
  42. data/lib/puppet/x509/cert_provider.rb +13 -15
  43. data/locales/puppet.pot +77 -65
  44. data/man/man5/puppet.conf.5 +20 -4
  45. data/man/man8/puppet-agent.8 +24 -7
  46. data/man/man8/puppet-apply.8 +1 -1
  47. data/man/man8/puppet-catalog.8 +1 -1
  48. data/man/man8/puppet-config.8 +1 -1
  49. data/man/man8/puppet-describe.8 +1 -1
  50. data/man/man8/puppet-device.8 +1 -1
  51. data/man/man8/puppet-doc.8 +1 -1
  52. data/man/man8/puppet-epp.8 +1 -1
  53. data/man/man8/puppet-facts.8 +1 -1
  54. data/man/man8/puppet-filebucket.8 +1 -1
  55. data/man/man8/puppet-generate.8 +1 -1
  56. data/man/man8/puppet-help.8 +1 -1
  57. data/man/man8/puppet-key.8 +1 -1
  58. data/man/man8/puppet-lookup.8 +1 -1
  59. data/man/man8/puppet-man.8 +1 -1
  60. data/man/man8/puppet-module.8 +1 -1
  61. data/man/man8/puppet-node.8 +1 -1
  62. data/man/man8/puppet-parser.8 +1 -1
  63. data/man/man8/puppet-plugin.8 +1 -1
  64. data/man/man8/puppet-report.8 +1 -1
  65. data/man/man8/puppet-resource.8 +1 -1
  66. data/man/man8/puppet-script.8 +1 -1
  67. data/man/man8/puppet-ssl.8 +1 -1
  68. data/man/man8/puppet-status.8 +1 -1
  69. data/man/man8/puppet.8 +2 -2
  70. data/spec/integration/provider/service/systemd_spec.rb +7 -5
  71. data/spec/integration/type/file_spec.rb +28 -0
  72. data/spec/unit/application/device_spec.rb +26 -0
  73. data/spec/unit/face/facts_spec.rb +9 -0
  74. data/spec/unit/face/parser_spec.rb +17 -5
  75. data/spec/unit/forge/module_release_spec.rb +66 -31
  76. data/spec/unit/module_tool/applications/installer_spec.rb +0 -9
  77. data/spec/unit/network/http/factory_spec.rb +27 -5
  78. data/spec/unit/provider/package/dpkg_spec.rb +84 -4
  79. data/spec/unit/provider/service/launchd_spec.rb +28 -0
  80. data/spec/unit/provider/service/systemd_spec.rb +14 -0
  81. data/spec/unit/provider/user/pw_spec.rb +37 -0
  82. data/spec/unit/provider/user/useradd_spec.rb +42 -0
  83. data/spec/unit/transaction_spec.rb +18 -0
  84. data/spec/unit/util/http_proxy_spec.rb +24 -1
  85. data/spec/unit/x509/cert_provider_spec.rb +1 -1
  86. metadata +4 -7
  87. data/ext/windows/eventlog/Rakefile +0 -32
  88. data/ext/windows/eventlog/puppetres.dll +0 -0
  89. data/ext/windows/eventlog/puppetres.mc +0 -18
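--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 5d3d59e208683953e4535c887504a78de65dfb0db03f7624a98dc5701b600000
- data.tar.gz: c2b552ea7c474edf40c19a84a6d03b6590278af5ee606a823d44e17acca27ebd
+ metadata.gz: 8c7db647b6d0fddad3fbe82899d306494012181dd255944fdaed7ebf447e41b6
+ data.tar.gz: 8cdbfbabd8d01c078a61a3b65727e277c07274fe1c8e5383b7725c32c00713b8
  SHA512:
- metadata.gz: 37fb316f8507f6f8c3f58ea63daa55a24e34b7dcbf9a2e7ba9261d28e4cd653b61fdad67ae99277402c8b05edeba6240f6cbcdfde5fc3e6560b461203052c2d9
- data.tar.gz: b0f55d9966b43f82ab4bc32ae5c377a9edecf9253d031fab005da79e336b2537b22d999bc709276a7db9d03265db7c68b6ff433d609b004e670b3406af13ffe6
+ metadata.gz: b8d7a0a1bbcdcebd0ea6a3e34099b9450132be6b125266ddbbf4f78bbd3c9af4a2cf40ac9e0c15679f3ed9ecb27618c61cbe3f3f9e3e91621cc2064c36acf2e2
+ data.tar.gz: cd86b044ecfdd87e7983aaa6bf18def7fe2546e4b82d676e2b7b5b270eae10bea8895865ad54c71e720162b38eca03a8113eae51120e0ec0d23dafcc463c8d1a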
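--- a/data/CODEOWNERS
+++ b/data/CODEOWNERS
@@ -1,15 +1,15 @@
  # default to platform-core
  * @puppetlabs/platform-core
 
- # platform-os
- /lib/puppet/type/group @puppetlabs/platform-os
- /lib/puppet/type/package @puppetlabs/platform-os
- /lib/puppet/type/service @puppetlabs/platform-os
- /lib/puppet/type/user @puppetlabs/platform-os
- /lib/puppet/provider/group @puppetlabs/platform-os
- /lib/puppet/provider/package @puppetlabs/platform-os
- /lib/puppet/provider/service @puppetlabs/platform-os
- /lib/puppet/provider/user @puppetlabs/platform-os
+ # Night's Watch
+ /lib/puppet/type/group @puppetlabs/night-s-watch
+ /lib/puppet/type/package @puppetlabs/night-s-watch
+ /lib/puppet/type/service @puppetlabs/night-s-watch
+ /lib/puppet/type/user @puppetlabs/night-s-watch
+ /lib/puppet/provider/group @puppetlabs/night-s-watch
+ /lib/puppet/provider/package @puppetlabs/night-s-watch
+ /lib/puppet/provider/service @puppetlabs/night-s-watch
+ /lib/puppet/provider/user @puppetlabs/night-s-watch
 
  # language
  /lib/puppet/datatypes @puppetlabs/language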
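--- a/data/Gemfile
+++ b/data/Gemfile
@@ -23,7 +23,7 @@ group(:features) do
  gem 'hiera-eyaml', require: false
  gem 'hocon', '~> 1.0', require: false
  # requires native libshadow headers/libs
- # gem 'libshadow', '~> 1.0', require: false, platforms: [:ruby]
+ #gem 'ruby-shadow', '~> 2.5', require: false, platforms: [:ruby]
  gem 'minitar', '~> 0.6', require: false
  gem 'msgpack', '~> 1.2', require: false
  gem 'rdoc', '~> 6.0', require: false, platforms: [:ruby]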
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- puppet (6.7.2)
4
+ puppet (6.8.0)
5
5
  CFPropertyList (~> 2.2)
6
6
  facter (>= 2.4.0, < 4)
7
7
  fast_gettext (~> 1.1)
@@ -28,7 +28,7 @@ GEM
28
28
  gettext (3.2.9)
29
29
  locale (>= 2.0.5)
30
30
  text (>= 1.3.0)
31
- gettext-setup (0.30)
31
+ gettext-setup (0.31)
32
32
  fast_gettext (~> 1.1.0)
33
33
  gettext (>= 3.0.2)
34
34
  locale
@@ -47,11 +47,11 @@ GEM
47
47
  memory_profiler (0.9.14)
48
48
  method_source (0.9.2)
49
49
  minitar (0.8)
50
- msgpack (1.3.0)
50
+ msgpack (1.3.1)
51
51
  multi_json (1.13.1)
52
52
  mustache (1.1.0)
53
53
  optimist (3.0.0)
54
- packaging (0.99.36)
54
+ packaging (0.99.38)
55
55
  artifactory (~> 2)
56
56
  rake (~> 12.3)
57
57
  parallel (1.17.0)
@@ -64,7 +64,7 @@ GEM
64
64
  public_suffix (3.1.1)
65
65
  puppet-resource_api (1.8.6)
66
66
  hocon (>= 1.0)
67
- puppetserver-ca (1.3.2)
67
+ puppetserver-ca (1.4.0)
68
68
  facter (>= 2.0.1, < 4)
69
69
  racc (1.4.9)
70
70
  rainbow (2.2.2)
@@ -103,7 +103,7 @@ GEM
103
103
  unicode-display_width (~> 1.0, >= 1.0.1)
104
104
  rubocop-i18n (1.2.0)
105
105
  rubocop (~> 0.49.0)
106
- ruby-prof (0.18.0)
106
+ ruby-prof (1.0.0)
107
107
  ruby-progressbar (1.10.1)
108
108
  safe_yaml (1.0.5)
109
109
  semantic_puppet (1.0.2)
@@ -149,4 +149,4 @@ DEPENDENCIES
149
149
  yard
150
150
 
151
151
  BUNDLED WITH
152
- 1.16.5
152
+ 1.17.3
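--- a/data/install.rb
+++ b/data/install.rb
@@ -62,24 +62,6 @@ def do_configs(configs, target, strip = 'conf/')
  ocf = File.join(InstallOptions.config_dir, cf.gsub(/#{strip}/, ''))
  FileUtils.install(cf, ocf, {:mode => 0644, :preserve => true, :verbose => true})
  end
-
- if $operatingsystem == 'windows'
- src_dll = 'ext/windows/eventlog/puppetres.dll'
- dst_dll = File.join(InstallOptions.bin_dir, 'puppetres.dll')
- FileUtils.install(src_dll, dst_dll, {:mode => 0644, :preserve => true, :verbose => true})
-
- require 'win32/registry'
- include Win32::Registry::Constants
-
- begin
- Win32::Registry::HKEY_LOCAL_MACHINE.create('SYSTEM\CurrentControlSet\services\eventlog\Application\Puppet', KEY_ALL_ACCESS | 0x0100) do |reg|
- reg.write_s('EventMessageFile', dst_dll.tr('/', '\\'))
- reg.write_i('TypesSupported', 0x7)
- end
- rescue Win32::Registry::Error => e
- warn "Failed to create puppet eventlog registry key: #{e}"
- end
- end
  end
 
  def do_bins(bins, target, strip = 's?bin/')
@@ -140,12 +122,12 @@ def check_prereqs
  facter_version = Facter.version.to_f
  if facter_version < MIN_FACTER_VERSION
  puts "Facter version: #{facter_version}; minimum required: #{MIN_FACTER_VERSION}; cannot install"
- exit -1
+ exit (-1)
  end
  end
  rescue LoadError
  puts "Could not load #{pre}; cannot install"
- exit -1
+ exit (-1)
  end
  }
  end
@@ -266,7 +248,7 @@ def prepare_installation
  require 'win32/dir'
  rescue LoadError => e
  puts "Cannot run on Microsoft Windows without the win32-process, win32-dir & win32-service gems: #{e}"
- exit -1
+ exit (-1)
  end
  end
 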
@@ -124,31 +124,35 @@ configuration and apply it.
124
124
  USAGE NOTES
125
125
  -----------
126
126
  'puppet agent' does its best to find a compromise between interactive
127
- use and daemon use. Run with no arguments and no configuration, it will
128
- go into the background, attempt to get a signed certificate, and retrieve
129
- and apply its configuration every 30 minutes.
127
+ use and daemon use. If you run it with no arguments and no configuration, it
128
+ goes into the background, attempts to get a signed certificate, and retrieves
129
+ and applies its configuration every 30 minutes.
130
130
 
131
- Some flags are meant specifically for interactive use -- in particular,
131
+ Some flags are meant specifically for interactive use --- in particular,
132
132
  'test', 'tags' and 'fingerprint' are useful.
133
133
 
134
- '--test' does a single run in the foreground with verbose logging, then exits.
135
- It will also exit if it can't get a valid catalog. The exit code after running
136
- with '--test' is 0 if the catalog was successfully applied, and 1 if the run
137
- either failed or wasn't attempted (due to another run already in progress).
134
+ '--test' runs once in the foreground with verbose logging, then exits.
135
+ It also exits if it can't get a valid catalog. `--test` includes the '--detailed-exitcodes' option by default and exits with one of the following exit codes:
136
+
137
+ * 0: The run succeeded with no changes or failures; the system was already in the desired state.
138
+ * 1: The run failed, or wasn't attempted due to another run already in progress.
139
+ * 2: The run succeeded, and some resources were changed.
140
+ * 4: The run succeeded, and some resources failed.
141
+ * 6: The run succeeded, and included both changes and failures.
138
142
 
139
143
  '--tags' allows you to specify what portions of a configuration you want
140
144
  to apply. Puppet elements are tagged with all of the class or definition
141
145
  names that contain them, and you can use the 'tags' flag to specify one
142
146
  of these names, causing only configuration elements contained within
143
147
  that class or definition to be applied. This is very useful when you are
144
- testing new configurations -- for instance, if you are just starting to
148
+ testing new configurations --- for instance, if you are just starting to
145
149
  manage 'ntpd', you would put all of the new elements into an 'ntpd'
146
150
  class, and call puppet with '--tags ntpd', which would only apply that
147
151
  small portion of the configuration during your testing, rather than
148
152
  applying the whole thing.
149
153
 
150
- '--fingerprint' is a one-time flag. In this mode 'puppet agent' will run
151
- once and display on the console (and in the log) the current certificate
154
+ '--fingerprint' is a one-time flag. In this mode 'puppet agent' runs
155
+ once and displays on the console (and in the log) the current certificate
152
156
  (or certificate request) fingerprint. Providing the '--digest' option
153
157
  allows to use a different digest algorithm to generate the fingerprint.
154
158
  The main use is to verify that before signing a certificate request on
@@ -192,8 +196,8 @@ generated by running puppet agent with '--genconfig'.
192
196
  Enable full debugging.
193
197
 
194
198
  * --detailed-exitcodes:
195
- Provide extra information about the run via exit codes; only works if '--test'
196
- or '--onetime' is also specified. If enabled, 'puppet agent' will use the
199
+ Provide extra information about the run via exit codes; works only if '--test'
200
+ or '--onetime' is also specified. If enabled, 'puppet agent' uses the
197
201
  following exit codes:
198
202
 
199
203
  0: The run succeeded with no changes or failures; the system was already in
@@ -238,6 +238,7 @@ Licensed under the Apache 2.0 License
238
238
  libdir = Puppet[:libdir]
239
239
  vardir = Puppet[:vardir]
240
240
  confdir = Puppet[:confdir]
241
+ ssldir = Puppet[:ssldir]
241
242
  certname = Puppet[:certname]
242
243
 
243
244
  env = Puppet::Node::Environment.remote(Puppet[:environment])
@@ -267,15 +268,23 @@ Licensed under the Apache 2.0 License
267
268
  port = ":#{device_url.port}" if device_url.port
268
269
 
269
270
  # override local $vardir and $certname
271
+ Puppet[:ssldir] = ::File.join(Puppet[:deviceconfdir], device.name, 'ssl')
270
272
  Puppet[:confdir] = ::File.join(Puppet[:devicedir], device.name)
271
273
  Puppet[:libdir] = options[:libdir] || ::File.join(Puppet[:devicedir], device.name, 'lib')
272
274
  Puppet[:vardir] = ::File.join(Puppet[:devicedir], device.name)
273
275
  Puppet[:certname] = device.name
274
276
  ssl_context = nil
275
277
 
278
+ # create device directory under $deviceconfdir
279
+ Puppet::FileSystem.dir_mkpath(Puppet[:ssldir]) unless Puppet::FileSystem.dir_exist?(Puppet[:ssldir])
280
+
276
281
  # this will reload and recompute default settings and create device-specific sub vardir
277
282
  Puppet.settings.use :main, :agent, :ssl
278
283
 
284
+ # Workaround for PUP-8736: store ssl certs outside the cache directory to prevent accidental removal and keep the old path as symlink
285
+ optssldir = File.join(Puppet[:confdir], 'ssl')
286
+ Puppet::FileSystem.symlink(Puppet[:ssldir], optssldir) unless Puppet::FileSystem.exist?(optssldir)
287
+
279
288
  unless options[:resource] || options[:facts] || options[:apply]
280
289
  # Since it's too complicated to fix properly in the default settings, we workaround for PUP-9642 here.
281
290
  # See https://github.com/puppetlabs/puppet/pull/7483#issuecomment-483455997 for details.
@@ -359,6 +368,7 @@ Licensed under the Apache 2.0 License
359
368
  Puppet[:libdir] = libdir
360
369
  Puppet[:vardir] = vardir
361
370
  Puppet[:confdir] = confdir
371
+ Puppet[:ssldir] = ssldir
362
372
  Puppet[:certname] = certname
363
373
  end
364
374
  end
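Review bot: `Puppet::FileSystem.dir_mkpath(Puppet[:ssldir])` creates the directory that will hold the device's private key without stating a mode, so until `Puppet.settings.use :main, :agent, :ssl` runs its permissions appear to come from the process umask; a comment confirming that settings.use tightens it would close that question. The symlink step is skipped whenever `optssldir` already exists, and on an upgraded host that is presumably the real `ssl` directory holding the device's existing key and certificate, in which case the relocated `ssldir` starts empty; if that is intended, the PUP-8736 comment should say so, e.g. `# an existing real $confdir/ssl is left in place and not migrated`. The existing comment `# override local $vardir and $certname` sits directly above the new assignment and should now mention `$ssldir` as well. The enclosing method starts and ends outside these hunks.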
@@ -572,6 +572,10 @@ module Puppet
572
572
  contains any characters with special meanings in URLs (as specified by RFC 3986
573
573
  section 2.2), they must be URL-encoded. (For example, `#` would become `%23`.)",
574
574
  },
575
+ :no_proxy => {
576
+ :default => "localhost, 127.0.0.1",
577
+ :desc => "List of domain names that should not go through `http_proxy_host`. Environment variable no_proxy or NO_PROXY will override this value.",
578
+ },
575
579
  :http_keepalive_timeout => {
576
580
  :default => "4s",
577
581
  :type => :duration,
@@ -642,7 +646,7 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
642
646
 
643
647
  * With Puppet Server, you should refresh environments by calling the
644
648
  `environment-cache` API endpoint. See the docs for the Puppet Server
645
- administrative API.
649
+ [administrative API](https://puppet.com/docs/puppetserver/latest/admin-api/v1/environment-cache.html).
646
650
 
647
651
  Any value other than `0` or `unlimited` is deprecated, since most Puppet
648
652
  servers use a pool of Ruby interpreters which all have their own cache
@@ -929,17 +933,20 @@ EOT
929
933
  :desc => "Certificate authorities who issue server certificates. SSL servers will not be
930
934
  considered authentic unless they possess a certificate issued by an authority
931
935
  listed in this file. If this setting has no value then the Puppet master's CA
932
- certificate (localcacert) will be used."
936
+ certificate (localcacert) will be used.",
937
+ :hook => proc do |val|
938
+ Puppet.deprecation_warning(_("Setting 'ssl_client_ca_auth' is deprecated."))
939
+ end
933
940
  },
934
941
  :ssl_server_ca_auth => {
935
942
  :type => :file,
936
943
  :mode => "0644",
937
944
  :owner => "service",
938
945
  :group => "service",
939
- :desc => "Certificate authorities who issue client certificates. SSL clients will not be
940
- considered authentic unless they possess a certificate issued by an authority
941
- listed in this file. If this setting has no value then the Puppet master's CA
942
- certificate (localcacert) will be used."
946
+ :deprecated => :completely,
947
+ :desc => "The setting is deprecated and has no effect. Ensure all root and
948
+ intermediate certificate authorities used to issue client certificates are
949
+ contained in the server's `cacert` file on the server."
943
950
  },
944
951
  :hostcrl => {
945
952
  :default => "$ssldir/crl.pem",
@@ -1516,6 +1523,14 @@ EOT
1516
1523
  apply. You can see man pages by running `puppet <SUBCOMMAND> --help`,
1517
1524
  or read them online at https://puppet.com/docs/puppet/latest/man/."
1518
1525
  },
1526
+ :deviceconfdir => {
1527
+ :default => "$confdir/devices",
1528
+ :type => :directory,
1529
+ :mode => "0750",
1530
+ :owner => "service",
1531
+ :group => "service",
1532
+ :desc => "The root directory of devices' $confdir.",
1533
+ },
1519
1534
  :server => {
1520
1535
  :default => "puppet",
1521
1536
  :desc => "The puppet master server to which the puppet agent should connect.",
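Review bot: The deprecation hook added to `ssl_client_ca_auth` warns without saying what to use instead, and the setting's `:desc` still describes it as fully functional, so an operator who relies on it to limit which CAs may issue server certificates gets no migration path from either place. The sibling `ssl_server_ca_auth` change rewrites its `:desc` to explain the replacement; this entry should get the same treatment, with the supported alternative (not visible in this hunk) named in both the description and the warning text. The block parameter is unused, so `:hook => proc do |_val|` would be the conventional spelling. Separately, the new `no_proxy` default `"localhost, 127.0.0.1"` leaves out the IPv6 loopback `::1`; whether that matters depends on the matching code in http_proxy.rb, which is outside this section.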
@@ -81,7 +81,7 @@ Puppet::Indirector::Face.define(:facts, '0.0.1') do
81
81
  node: Puppet[:node_name_value],
82
82
  server: server})
83
83
 
84
- Puppet::Node::Facts.indirection.save(facts)
84
+ Puppet::Node::Facts.indirection.save(facts, nil, :environment => Puppet.lookup(:current_environment))
85
85
  end
86
86
  end
87
87
  end
@@ -42,7 +42,8 @@ Puppet::Face.define(:parser, '0.0.1') do
42
42
  if files.empty?
43
43
  if not STDIN.tty?
44
44
  Puppet[:code] = STDIN.read
45
- parse_errors['STDIN'] = validate_manifest(nil)
45
+ error = validate_manifest(nil)
46
+ parse_errors['STDIN'] = error if error
46
47
  else
47
48
  manifest = Puppet.lookup(:current_environment).manifest
48
49
  files << manifest
@@ -88,7 +89,7 @@ Puppet::Face.define(:parser, '0.0.1') do
88
89
  [file, file_errors]
89
90
  end.to_h
90
91
 
91
- puts Puppet::Util::Json.dump(Puppet::Pops::Serialization::ToDataConverter.convert(data, rich_data: false), :pretty => true)
92
+ puts Puppet::Util::Json.dump(Puppet::Pops::Serialization::ToDataConverter.convert(data, rich_data: false, symbol_as_string: true), :pretty => true)
92
93
 
93
94
  exit(1)
94
95
  end
@@ -172,7 +172,18 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
172
172
  Puppet.warning "#{@metadata['name']} has been deprecated by its author! View module on Puppet Forge for more info." if deprecated?
173
173
 
174
174
  download(@data['file_uri'], tmpfile)
175
- validate_checksum(tmpfile, @data['file_md5'])
175
+ checksum = @data['file_sha256']
176
+ if checksum
177
+ validate_checksum(tmpfile, checksum, Digest::SHA256)
178
+ else
179
+ checksum = @data['file_md5']
180
+ if checksum
181
+ validate_checksum(tmpfile, checksum, Digest::MD5)
182
+ else
183
+ raise _("Forge module is missing SHA256 and MD5 checksums")
184
+ end
185
+ end
186
+
176
187
  unpack(tmpfile, tmpdir)
177
188
 
178
189
  @unpacked_into = Pathname.new(tmpdir)
@@ -201,9 +212,13 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
201
212
  end
202
213
  end
203
214
 
204
- def validate_checksum(file, checksum)
205
- if Digest::MD5.file(file.path).hexdigest != checksum
206
- raise RuntimeError, _("Downloaded release for %{name} did not match expected checksum") % { name: name }
215
+ def validate_checksum(file, checksum, digest_class)
216
+ if Facter.value(:fips_enabled) && digest_class == Digest::MD5
217
+ raise _("Module install using MD5 is prohibited in FIPS mode.")
218
+ end
219
+
220
+ if digest_class.file(file.path).hexdigest != checksum
221
+ raise RuntimeError, _("Downloaded release for %{name} did not match expected checksum %{checksum}") % { name: name, checksum: checksum }
207
222
  end
208
223
  end
209
224
 
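Review bot: In the download path a release whose metadata has no `file_sha256` is still accepted on MD5 alone and nothing is logged, so outside FIPS mode an older or incomplete metadata record silently downgrades the integrity check. Emitting a warning before the MD5 branch, e.g. `Puppet.warning _("Module release has no SHA256 checksum; verifying with MD5 only")`, would let operators see which modules are only MD5-verified. In `validate_checksum`, `hexdigest` returns lowercase hex, so comparing against `checksum.downcase` would avoid a false mismatch should the Forge ever return uppercase (the response format is not shown here), and the error would be easier to triage if it also named the digest algorithm. Both methods continue outside the hunks.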
@@ -1,6 +1,7 @@
1
1
  require 'puppet/indirector/ssl_file'
2
2
  require 'puppet/ssl/certificate'
3
3
 
4
+ # @deprecated
4
5
  class Puppet::SSL::Certificate::File < Puppet::Indirector::SslFile
5
6
  desc "Manage SSL certificates on disk."
6
7
 
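Review bot: The added `# @deprecated` tag carries no text, so readers and generated docs get no hint of what replaces this terminus or when it will be removed; YARD renders whatever follows the tag. Something like `# @deprecated Use <replacement API> instead` (placeholder, the replacement is not named on this page) would make the tag actionable. The same bare tag is added in certificate/rest.rb, certificate_request/file.rb, certificate_request/memory.rb, certificate_request/rest.rb, key/file.rb and key/memory.rb.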
@@ -1,6 +1,7 @@
1
1
  require 'puppet/ssl/certificate'
2
2
  require 'puppet/indirector/rest'
3
3
 
4
+ # @deprecated
4
5
  class Puppet::SSL::Certificate::Rest < Puppet::Indirector::REST
5
6
  desc "Find certificates over HTTP via REST."
6
7
 
@@ -1,6 +1,7 @@
1
1
  require 'puppet/indirector/ssl_file'
2
2
  require 'puppet/ssl/certificate_request'
3
3
 
4
+ # @deprecated
4
5
  class Puppet::SSL::CertificateRequest::File < Puppet::Indirector::SslFile
5
6
  desc "Manage the collection of certificate requests on disk."
6
7
 
@@ -1,6 +1,7 @@
1
1
  require 'puppet/ssl/certificate_request'
2
2
  require 'puppet/indirector/memory'
3
3
 
4
+ # @deprecated
4
5
  class Puppet::SSL::CertificateRequest::Memory < Puppet::Indirector::Memory
5
6
  desc "Store certificate requests in memory. This is used for testing puppet."
6
7
  end
@@ -1,6 +1,7 @@
1
1
  require 'puppet/ssl/certificate_request'
2
2
  require 'puppet/indirector/rest'
3
3
 
4
+ # @deprecated
4
5
  class Puppet::SSL::CertificateRequest::Rest < Puppet::Indirector::REST
5
6
  desc "Find and save certificate requests over HTTP via REST."
6
7
 
@@ -1,6 +1,7 @@
1
1
  require 'puppet/indirector/ssl_file'
2
2
  require 'puppet/ssl/key'
3
3
 
4
+ # @deprecated
4
5
  class Puppet::SSL::Key::File < Puppet::Indirector::SslFile
5
6
  desc "Manage SSL private and public keys on disk."
6
7
 
@@ -1,6 +1,7 @@
1
1
  require 'puppet/ssl/key'
2
2
  require 'puppet/indirector/memory'
3
3
 
4
+ # @deprecated
4
5
  class Puppet::SSL::Key::Memory < Puppet::Indirector::Memory
5
6
  desc "Store keys in memory. This is used for testing puppet."
6
7
  end
@@ -51,9 +51,6 @@ module Puppet::ModuleTool
51
51
  end
52
52
 
53
53
  def run
54
- # Disallow anything that invokes md5 to avoid un-friendly termination due to FIPS
55
- raise _("Module install is prohibited in FIPS mode.") if Facter.value(:fips_enabled)
56
-
57
54
  name = @name.tr('/', '-')
58
55
  version = options[:version] || '>= 0.0.0'
59
56