puppet 8.0.1 → 8.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c2712dbb0c625bbd48ae15db10408b408e1b8c1e6c213f1ab83d0b35839a47fb
-  data.tar.gz: 11fc8d36afbc752431421b696c6fbcae16aa4f28ab064cf004336d4748f1d938
+  metadata.gz: 165d97e08b1afaa120800e044085a208b7386dcf5f6a4b6b730a077858d7d8ea
+  data.tar.gz: 1186f83bde61e09ef1bbbfca662481e474896fe61550df9bdb9546fac8d9f524
 SHA512:
-  metadata.gz: 1d4117a7624fdd751604f1abbf048b228208ee3ba622fe228478e0c22febcccc25eeecaf68850fa23b2ddb3222f15cc4d076712148664f0b122939c4533faa8b
-  data.tar.gz: 528c25dc7f81fc6603722b36f2c908a0687eb94ac59953e6a9c1b7e7846be375c90dff7cac3bff8f5e5d72e9cb5657f07a884dec443aa46b0a2d41ecd212d8e9
+  metadata.gz: b1633c2e8e5ac301e9f96e3aa64d7636a911a8d65d16d547e86395f00fff6d4179fbe0f6508699470971680d54ca6d55c6ae4e16364623e651167337ff2e7b1a
+  data.tar.gz: 58f214114d5d8d0e7f4bace9a31618a5c9b44da188a4ab8f753295c743287f35c4f28baa82abd8c858a01f0cdb7a175fa019e4b1459bb8e88a1b3d394944f4a9

data/CODEOWNERS

@@ -1,11 +1,11 @@
 # defaults
-* @puppetlabs/phoenix @puppetlabs/puppetserver-maintainers
+* @puppetlabs/phoenix
 
 # PAL
 /lib/puppet/pal @puppetlabs/bolt
 
 # puppet module
-/lib/puppet/application/module.rb @puppetlabs/pdk
-/lib/puppet/face/module @puppetlabs/pdk
-/lib/puppet/forge @puppetlabs/pdk
-/lib/puppet/module_tool @puppetlabs/pdk
+/lib/puppet/application/module.rb @puppetlabs/modules
+/lib/puppet/face/module @puppetlabs/modules
+/lib/puppet/forge @puppetlabs/modules
+/lib/puppet/module_tool @puppetlabs/modules

data/Gemfile.lock

@@ -1,9 +1,23 @@
+GIT
+  remote: https://github.com/puppetlabs/packaging
+  revision: 87a3396077f06e2341ad19e6fcd15f7c14ec02f9
+  branch: 1.0.x
+  specs:
+    packaging (0)
+      apt_stage_artifacts
+      artifactory (~> 3)
+      csv (>= 3.1.5)
+      google-cloud-storage
+      googleauth
+      rake (>= 12.3)
+      release-metrics
+
 PATH
   remote: .
   specs:
-    puppet (8.0.1)
+    puppet (8.1.0)
       CFPropertyList (~> 2.2)
-      concurrent-ruby (~> 1.0, < 1.2.0)
+      concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
       facter (>= 4.3.0, < 5)
       fast_gettext (>= 2.1, < 3)
@@ -14,7 +28,7 @@ PATH
       semantic_puppet (~> 1.0)
 
 GEM
-  remote: https://rubygems.org/
+  remote: https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
   specs:
     CFPropertyList (2.3.6)
     addressable (2.8.4)
@@ -24,7 +38,7 @@ GEM
     artifactory (3.0.15)
     ast (2.4.2)
     coderay (1.1.3)
-    concurrent-ruby (1.1.10)
+    concurrent-ruby (1.2.2)
     crack (0.4.5)
       rexml
     csv (3.2.6)
@@ -38,17 +52,18 @@ GEM
     facter (4.4.0)
       hocon (~> 1.3)
       thor (>= 1.0.1, < 2.0)
-    faraday (2.7.4)
+    faraday (2.7.6)
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
     fast_gettext (2.3.0)
     ffi (1.15.5)
     forwardable (1.3.3)
-    gettext (3.4.3)
+    gettext (3.4.4)
       erubi
       locale (>= 2.0.5)
       prime
+      racc
       text (>= 1.3.0)
     gettext-setup (1.1.0)
       fast_gettext (~> 2.1)
@@ -89,7 +104,7 @@ GEM
       os (>= 0.9, < 2.0)
       signet (>= 0.16, < 2.a)
     hashdiff (1.0.1)
-    hiera-eyaml (3.3.0)
+    hiera-eyaml (3.4.0)
       highline
       optimist
     highline (2.1.0)
@@ -98,29 +113,22 @@ GEM
     httpclient (2.8.3)
     json-schema (2.8.1)
       addressable (>= 2.4)
-    jwt (2.7.0)
+    jwt (2.7.1)
     locale (2.1.3)
     memoist (0.16.2)
     memory_profiler (1.0.1)
     method_source (1.0.0)
     mini_mime (1.1.2)
     minitar (0.9)
-    msgpack (1.7.0)
+    msgpack (1.7.1)
     multi_json (1.15.0)
     mustache (1.1.1)
     optimist (3.0.1)
     os (1.1.4)
-    packaging (0.109.7)
-      apt_stage_artifacts
-      artifactory (~> 3)
-      csv (>= 3.1.5)
-      google-cloud-storage
-      googleauth
-      rake (>= 12.3)
-      release-metrics
     parallel (1.23.0)
-    parser (3.2.2.1)
+    parser (3.2.2.3)
       ast (~> 2.4.1)
+      racc
     prime (0.1.2)
       forwardable
       singleton
@@ -130,14 +138,14 @@ GEM
     public_suffix (5.0.1)
     puppet-resource_api (1.8.14)
       hocon (>= 1.0)
-    puppetserver-ca (2.5.0)
+    puppetserver-ca (2.6.0)
       facter (>= 2.0.1, < 5)
     racc (1.5.2)
     rainbow (3.1.1)
     rake (13.0.6)
     rdiscount (2.2.7)
     rdoc (6.3.3)
-    regexp_parser (2.8.0)
+    regexp_parser (2.8.1)
     release-metrics (1.1.0)
       csv
       docopt
@@ -176,7 +184,7 @@ GEM
       rubocop-ast (>= 1.17.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.28.0)
+    rubocop-ast (1.29.0)
       parser (>= 3.2.1.0)
     rubocop-i18n (3.0.0)
       rubocop (~> 1.0)
@@ -192,7 +200,7 @@ GEM
       multi_json (~> 1.10)
     singleton (0.1.1)
     text (1.3.1)
-    thor (1.2.1)
+    thor (1.2.2)
     trailblazer-option (0.1.2)
     uber (0.1.0)
     unicode-display_width (2.4.2)
@@ -218,7 +226,7 @@ DEPENDENCIES
   memory_profiler
   minitar (~> 0.9)
   msgpack (~> 1.2)
-  packaging (~> 0.99)
+  packaging!
   pry
   puppet!
   puppet-resource_api (~> 1.5)
@@ -240,4 +248,4 @@ DEPENDENCIES
   yard
 
 BUNDLED WITH
-   2.3.22
+   2.4.12

data/ext/project_data.yaml

@@ -24,7 +24,7 @@ gem_runtime_dependencies:
   locale: '~> 2.1'
   multi_json: '~> 1.13'
   puppet-resource_api: '~>1.5'
-  concurrent-ruby: ["~> 1.0", "< 1.2.0"]
+  concurrent-ruby: "~> 1.0"
   deep_merge: '~> 1.0'
   scanf: '~> 1.0'
 gem_rdoc_options:

data/lib/puppet/defaults.rb

@@ -1212,6 +1212,24 @@ EOT
       :desc       => "The default TTL for new certificates.
       #{AS_DURATION}",
     },
+    :ca_refresh_interval => {
+      :default    => "1d",
+      :type       => :duration,
+      :desc       => "How often the Puppet agent refreshes its local CA certs. By
+         default the CA certs are refreshed once every 24 hours. If a different
+         duration is specified, then the agent will refresh its CA certs whenever
+         it next runs and the elapsed time since the certs were last refreshed
+         exceeds the duration.
+
+         In general, the duration should be greater than the `runinterval`.
+         Setting it to 0 or an equal or lesser value than `runinterval`,
+         will cause the CA certs to be refreshed on every run.
+
+         If the agent downloads new CA certs, the agent will use it for subsequent
+         network requests. If the refresh request fails or if the CA certs are
+         unchanged on the server, then the agent run will continue using the
+         local CA certs it already has. #{AS_DURATION}",
+    },
     :crl_refresh_interval => {
       :default    => "1d",
       :type       => :duration,
@@ -1222,8 +1240,8 @@ EOT
          exceeds the duration.
 
          In general, the duration should be greater than the `runinterval`.
-         Setting it to an equal or lesser value will cause the CRL to be
-         refreshed on every run.
+         Setting it to 0 or an equal or lesser value than `runinterval`,
+         will cause the CRL to be refreshed on every run.
 
          If the agent downloads a new CRL, the agent will use it for subsequent
          network requests. If the refresh request fails or if the CRL is

data/lib/puppet/http/service/ca.rb

@@ -28,16 +28,21 @@ class Puppet::HTTP::Service::Ca < Puppet::HTTP::Service
   # Submit a GET request to retrieve the named certificate from the server.
   #
   # @param [String] name name of the certificate to request
+  # @param [Time] if_modified_since If not nil, only download the cert if it has
+  #   been modified since the specified time.
   # @param [Puppet::SSL::SSLContext] ssl_context
   #
   # @return [Array<Puppet::HTTP::Response, String>] An array containing the
   #   request response and the stringified body of the request response
   #
   # @api public
-  def get_certificate(name, ssl_context: nil)
+  def get_certificate(name, if_modified_since: nil, ssl_context: nil)
+    headers = add_puppet_headers(HEADERS)
+    headers['If-Modified-Since'] = if_modified_since.httpdate if if_modified_since
+
     response = @client.get(
       with_base_url("/certificate/#{name}"),
-      headers: add_puppet_headers(HEADERS),
+      headers: headers,
       options: {ssl_context: ssl_context}
     )
 

data/lib/puppet/ssl/state_machine.rb

@@ -50,14 +50,28 @@ class Puppet::SSL::StateMachine
     def next_state
       Puppet.debug("Loading CA certs")
 
+      force_crl_refresh = false
+
       cacerts = @cert_provider.load_cacerts
       if cacerts
         next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
+
+        now = Time.now
+        last_update = @cert_provider.ca_last_update
+        if needs_refresh?(now, last_update)
+          # set last updated time first, then make a best effort to refresh
+          @cert_provider.ca_last_update = now
+
+          # If we refresh the CA, then we need to force the CRL to be refreshed too,
+          # since if there is a new CA in the chain, then we need its CRL to check
+          # the full chain for revocation status.
+          next_ctx, force_crl_refresh = refresh_ca(next_ctx, last_update)
+        end
       else
         route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
         _, pem = route.get_certificate(Puppet::SSL::CA_NAME, ssl_context: @ssl_context)
         if @machine.ca_fingerprint
-          actual_digest = Puppet::SSL::Digest.new(@machine.digest, pem).to_hex
+          actual_digest = @machine.digest_as_hex(pem)
           expected_digest = @machine.ca_fingerprint.scan(/../).join(':').upcase
           if actual_digest == expected_digest
             Puppet.info(_("Verified CA bundle with digest (%{digest_type}) %{actual_digest}") %
@@ -74,7 +88,7 @@ class Puppet::SSL::StateMachine
         @cert_provider.save_cacerts(cacerts)
       end
 
-      NeedCRLs.new(@machine, next_ctx)
+      NeedCRLs.new(@machine, next_ctx, force_crl_refresh)
     rescue OpenSSL::X509::CertificateError => e
       Error.new(@machine, e.message, e)
     rescue Puppet::HTTP::ResponseError => e
@@ -84,6 +98,51 @@ class Puppet::SSL::StateMachine
         to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
       end
     end
+
+    private
+
+    def needs_refresh?(now, last_update)
+      return true if last_update.nil?
+
+      ca_ttl = Puppet[:ca_refresh_interval]
+      return false unless ca_ttl
+
+      now.to_i > last_update.to_i + ca_ttl
+    end
+
+    def refresh_ca(ssl_ctx, last_update)
+      Puppet.info(_("Refreshing CA certificate"))
+
+      # return the next_ctx containing the updated ca
+      [download_ca(ssl_ctx, last_update), true]
+    rescue Puppet::HTTP::ResponseError => e
+      if e.response.code == 304
+        Puppet.info(_("CA certificate is unmodified, using existing CA certificate"))
+      else
+        Puppet.info(_("Failed to refresh CA certificate, using existing CA certificate: %{message}") % {message: e.message})
+      end
+
+      # return the original ssl_ctx
+      [ssl_ctx, false]
+    rescue Puppet::HTTP::HTTPError => e
+      Puppet.warning(_("Failed to refresh CA certificate, using existing CA certificate: %{message}") % {message: e.message})
+
+      # return the original ssl_ctx
+      [ssl_ctx, false]
+    end
+
+    def download_ca(ssl_ctx, last_update)
+      route = @machine.session.route_to(:ca, ssl_context: ssl_ctx)
+      _, pem = route.get_certificate(Puppet::SSL::CA_NAME, if_modified_since: last_update, ssl_context: ssl_ctx)
+      cacerts = @cert_provider.load_cacerts_from_pem(pem)
+      # verify cacerts before saving
+      next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
+      @cert_provider.save_cacerts(cacerts)
+
+      Puppet.info("Refreshed CA certificate: #{@machine.digest_as_hex(pem)}")
+
+      next_ctx
+    end
   end
 
   # If revocation is enabled, load CRLs or download them, using the CA bundle
@@ -93,6 +152,13 @@ class Puppet::SSL::StateMachine
   # for which we don't have a CRL
   #
   class NeedCRLs < SSLState
+    attr_reader :force_crl_refresh
+
+    def initialize(machine, ssl_context, force_crl_refresh = false)
+      super(machine, ssl_context)
+      @force_crl_refresh = force_crl_refresh
+    end
+
     def next_state
       Puppet.debug("Loading CRLs")
 
@@ -102,15 +168,12 @@ class Puppet::SSL::StateMachine
         if crls
           next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
 
-          crl_ttl = Puppet[:crl_refresh_interval]
-          if crl_ttl
-            last_update = @cert_provider.crl_last_update
-            now = Time.now
-            if last_update.nil? || now.to_i > last_update.to_i + crl_ttl
-              # set last updated time first, then make a best effort to refresh
-              @cert_provider.crl_last_update = now
-              next_ctx = refresh_crl(next_ctx, last_update)
-            end
+          now = Time.now
+          last_update = @cert_provider.crl_last_update
+          if needs_refresh?(now, last_update)
+            # set last updated time first, then make a best effort to refresh
+            @cert_provider.crl_last_update = now
+            next_ctx = refresh_crl(next_ctx, last_update)
           end
         else
           next_ctx = download_crl(@ssl_context, nil)
@@ -133,6 +196,15 @@ class Puppet::SSL::StateMachine
 
     private
 
+    def needs_refresh?(now, last_update)
+      return true if @force_crl_refresh || last_update.nil?
+
+      crl_ttl = Puppet[:crl_refresh_interval]
+      return false unless crl_ttl
+
+      now.to_i > last_update.to_i + crl_ttl
+    end
+
     def refresh_crl(ssl_ctx, last_update)
       Puppet.info(_("Refreshing CRL"))
 
@@ -162,6 +234,8 @@ class Puppet::SSL::StateMachine
       next_ctx = @ssl_provider.create_root_context(cacerts: ssl_ctx[:cacerts], crls: crls)
       @cert_provider.save_crls(crls)
 
+      Puppet.info("Refreshed CRL: #{@machine.digest_as_hex(pem)}")
+
       next_ctx
     end
   end
@@ -441,6 +515,10 @@ class Puppet::SSL::StateMachine
     @lockfile.unlock
   end
 
+  def digest_as_hex(str)
+    Puppet::SSL::Digest.new(digest, str).to_hex
+  end
+
   private
 
   def run_machine(state, stop)

data/lib/puppet/thread_local.rb

@@ -1,8 +1,5 @@
 # frozen_string_literal: true
 require 'concurrent'
 
-# We want to use the pure Ruby implementation even on JRuby. If we use the Java
-# implementation of ThreadLocal, we end up leaking references to JRuby instances
-# and preventing them from being garbage collected.
-class Puppet::ThreadLocal < Concurrent::RubyThreadLocalVar
+class Puppet::ThreadLocal < Concurrent::ThreadLocalVar
 end

data/lib/puppet/version.rb

@@ -7,7 +7,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 
 module Puppet
-  PUPPETVERSION = '8.0.1'
+  PUPPETVERSION = '8.1.0'
 
   ##
   # version is a public API method intended to always provide a fast and

data/lib/puppet/x509/cert_provider.rb

@@ -147,6 +147,28 @@ class Puppet::X509::CertProvider
     Puppet::FileSystem.touch(@crlpath, mtime: time)
   end
 
+  # Return the time when the CA bundle was last updated.
+  #
+  # @return [Time, nil] Time when the CA bundle was last updated, or nil if we don't
+  #   have a CA bundle
+  #
+  # @api private
+  def ca_last_update
+    stat = Puppet::FileSystem.stat(@capath)
+    Time.at(stat.mtime)
+  rescue Errno::ENOENT
+    nil
+  end
+
+  # Set the CA bundle last updated time.
+  #
+  # @param time [Time] The last updated time
+  #
+  # @api private
+  def ca_last_update=(time)
+    Puppet::FileSystem.touch(@capath, mtime: time)
+  end
+
   # Save named private key in the configured `privatekeydir`. For
   # historical reasons, names are case insensitive.
   #