puppet 8.0.1-universal-darwin → 8.1.0-universal-darwin

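--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 545167c442d15f2c52faa2e1cc7248b2530205b053a0b25f5d165198f496a318
-data.tar.gz: 11fc8d36afbc752431421b696c6fbcae16aa4f28ab064cf004336d4748f1d938
+metadata.gz: 7eea5fdf57cadd5d893dc4324a16144079bfb11686d4fe50ba34b0c8b9206ffd
+data.tar.gz: 1186f83bde61e09ef1bbbfca662481e474896fe61550df9bdb9546fac8d9f524
 SHA512:
-metadata.gz: da5d3000b9022268b25de9d3b87de65d26e5307b5206291ca68941868b8281890a6afafa1f4c30217fe68c1e3d1615b4e86d16ecff0d510082a59ab61615c329
-data.tar.gz: 528c25dc7f81fc6603722b36f2c908a0687eb94ac59953e6a9c1b7e7846be375c90dff7cac3bff8f5e5d72e9cb5657f07a884dec443aa46b0a2d41ecd212d8e9
+metadata.gz: 3ec9291458052ad337ff5d91808694a842152be78fef074fa50b9345dab18bfefc557d8b879295ad0d6f063b970f48e8bae0726950e6e5a9b8beaf068d2f3fb5
+data.tar.gz: 58f214114d5d8d0e7f4bace9a31618a5c9b44da188a4ab8f753295c743287f35c4f28baa82abd8c858a01f0cdb7a175fa019e4b1459bb8e88a1b3d394944f4a9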
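--- a/data/CODEOWNERS
+++ b/data/CODEOWNERS
@@ -1,11 +1,11 @@
 # defaults
-* @puppetlabs/phoenix @puppetlabs/puppetserver-maintainers
+* @puppetlabs/phoenix
 
 # PAL
 /lib/puppet/pal @puppetlabs/bolt
 
 # puppet module
-/lib/puppet/application/module.rb @puppetlabs/pdk
-/lib/puppet/face/module @puppetlabs/pdk
-/lib/puppet/forge @puppetlabs/pdk
-/lib/puppet/module_tool @puppetlabs/pdk
+/lib/puppet/application/module.rb @puppetlabs/modules
+/lib/puppet/face/module @puppetlabs/modules
+/lib/puppet/forge @puppetlabs/modules
+/lib/puppet/module_tool @puppetlabs/modules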
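--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,9 +1,23 @@
+GIT
+remote: https://github.com/puppetlabs/packaging
+revision: 87a3396077f06e2341ad19e6fcd15f7c14ec02f9
+branch: 1.0.x
+specs:
+packaging (0)
+apt_stage_artifacts
+artifactory (~> 3)
+csv (>= 3.1.5)
+google-cloud-storage
+googleauth
+rake (>= 12.3)
+release-metrics
+
 PATH
 remote: .
 specs:
-puppet (8.0.1)
+puppet (8.1.0)
 CFPropertyList (~> 2.2)
-concurrent-ruby (~> 1.0, < 1.2.0)
+concurrent-ruby (~> 1.0)
 deep_merge (~> 1.0)
 facter (>= 4.3.0, < 5)
 fast_gettext (>= 2.1, < 3)
@@ -14,7 +28,7 @@ PATH
 semantic_puppet (~> 1.0)
 
 GEM
-remote: https://rubygems.org/
+remote: https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
 specs:
 CFPropertyList (2.3.6)
 addressable (2.8.4)
@@ -24,7 +38,7 @@ GEM
 artifactory (3.0.15)
 ast (2.4.2)
 coderay (1.1.3)
-concurrent-ruby (1.1.10)
+concurrent-ruby (1.2.2)
 crack (0.4.5)
 rexml
 csv (3.2.6)
@@ -38,17 +52,18 @@ GEM
 facter (4.4.0)
 hocon (~> 1.3)
 thor (>= 1.0.1, < 2.0)
-faraday (2.7.4)
+faraday (2.7.6)
 faraday-net_http (>= 2.0, < 3.1)
 ruby2_keywords (>= 0.0.4)
 faraday-net_http (3.0.2)
 fast_gettext (2.3.0)
 ffi (1.15.5)
 forwardable (1.3.3)
-gettext (3.4.3)
+gettext (3.4.4)
 erubi
 locale (>= 2.0.5)
 prime
+racc
 text (>= 1.3.0)
 gettext-setup (1.1.0)
 fast_gettext (~> 2.1)
@@ -89,7 +104,7 @@ GEM
 os (>= 0.9, < 2.0)
 signet (>= 0.16, < 2.a)
 hashdiff (1.0.1)
-hiera-eyaml (3.3.0)
+hiera-eyaml (3.4.0)
 highline
 optimist
 highline (2.1.0)
@@ -98,29 +113,22 @@ GEM
 httpclient (2.8.3)
 json-schema (2.8.1)
 addressable (>= 2.4)
-jwt (2.7.0)
+jwt (2.7.1)
 locale (2.1.3)
 memoist (0.16.2)
 memory_profiler (1.0.1)
 method_source (1.0.0)
 mini_mime (1.1.2)
 minitar (0.9)
-msgpack (1.7.0)
+msgpack (1.7.1)
 multi_json (1.15.0)
 mustache (1.1.1)
 optimist (3.0.1)
 os (1.1.4)
-packaging (0.109.7)
-apt_stage_artifacts
-artifactory (~> 3)
-csv (>= 3.1.5)
-google-cloud-storage
-googleauth
-rake (>= 12.3)
-release-metrics
 parallel (1.23.0)
-parser (3.2.2.1)
+parser (3.2.2.3)
 ast (~> 2.4.1)
+racc
 prime (0.1.2)
 forwardable
 singleton
@@ -130,14 +138,14 @@ GEM
 public_suffix (5.0.1)
 puppet-resource_api (1.8.14)
 hocon (>= 1.0)
-puppetserver-ca (2.5.0)
+puppetserver-ca (2.6.0)
 facter (>= 2.0.1, < 5)
 racc (1.5.2)
 rainbow (3.1.1)
 rake (13.0.6)
 rdiscount (2.2.7)
 rdoc (6.3.3)
-regexp_parser (2.8.0)
+regexp_parser (2.8.1)
 release-metrics (1.1.0)
 csv
 docopt
@@ -176,7 +184,7 @@ GEM
 rubocop-ast (>= 1.17.0, < 2.0)
 ruby-progressbar (~> 1.7)
 unicode-display_width (>= 1.4.0, < 3.0)
-rubocop-ast (1.28.0)
+rubocop-ast (1.29.0)
 parser (>= 3.2.1.0)
 rubocop-i18n (3.0.0)
 rubocop (~> 1.0)
@@ -192,7 +200,7 @@ GEM
 multi_json (~> 1.10)
 singleton (0.1.1)
 text (1.3.1)
-thor (1.2.1)
+thor (1.2.2)
 trailblazer-option (0.1.2)
 uber (0.1.0)
 unicode-display_width (2.4.2)
@@ -218,7 +226,7 @@ DEPENDENCIES
 memory_profiler
 minitar (~> 0.9)
 msgpack (~> 1.2)
-packaging (~> 0.99)
+packaging!
 pry
 puppet!
 puppet-resource_api (~> 1.5)
@@ -240,4 +248,4 @@ DEPENDENCIES
 yard
 
 BUNDLED WITH
-2.3.22
+2.4.12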
@@ -24,7 +24,7 @@ gem_runtime_dependencies:
24
24
  locale: '~> 2.1'
25
25
  multi_json: '~> 1.13'
26
26
  puppet-resource_api: '~>1.5'
27
- concurrent-ruby: ["~> 1.0", "< 1.2.0"]
27
+ concurrent-ruby: "~> 1.0"
28
28
  deep_merge: '~> 1.0'
29
29
  scanf: '~> 1.0'
30
30
  gem_rdoc_options:
@@ -1212,6 +1212,24 @@ EOT
1212
1212
  :desc => "The default TTL for new certificates.
1213
1213
  #{AS_DURATION}",
1214
1214
  },
1215
+ :ca_refresh_interval => {
1216
+ :default => "1d",
1217
+ :type => :duration,
1218
+ :desc => "How often the Puppet agent refreshes its local CA certs. By
1219
+ default the CA certs are refreshed once every 24 hours. If a different
1220
+ duration is specified, then the agent will refresh its CA certs whenever
1221
+ it next runs and the elapsed time since the certs were last refreshed
1222
+ exceeds the duration.
1223
+
1224
+ In general, the duration should be greater than the `runinterval`.
1225
+ Setting it to 0 or an equal or lesser value than `runinterval`,
1226
+ will cause the CA certs to be refreshed on every run.
1227
+
1228
+ If the agent downloads new CA certs, the agent will use it for subsequent
1229
+ network requests. If the refresh request fails or if the CA certs are
1230
+ unchanged on the server, then the agent run will continue using the
1231
+ local CA certs it already has. #{AS_DURATION}",
1232
+ },
1215
1233
  :crl_refresh_interval => {
1216
1234
  :default => "1d",
1217
1235
  :type => :duration,
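Review bot: The new `ca_refresh_interval` description has two wording slips that will show up verbatim in the rendered settings reference: "If the agent downloads new CA certs, the agent will use it" refers back to the plural "CA certs", and "Setting it to 0 or an equal or lesser value than `runinterval`, will cause" places a comma between subject and verb. Suggested text: `If the agent downloads new CA certs, it will use them for subsequent` and `Setting it to 0, or to a value equal to or less than the runinterval, will cause the CA certs to be refreshed on every run.` The second hunk of this file introduces the same comma in the `crl_refresh_interval` text and should be adjusted in step so the two descriptions stay parallel.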
@@ -1222,8 +1240,8 @@ EOT
1222
1240
  exceeds the duration.
1223
1241
 
1224
1242
  In general, the duration should be greater than the `runinterval`.
1225
- Setting it to an equal or lesser value will cause the CRL to be
1226
- refreshed on every run.
1243
+ Setting it to 0 or an equal or lesser value than `runinterval`,
1244
+ will cause the CRL to be refreshed on every run.
1227
1245
 
1228
1246
  If the agent downloads a new CRL, the agent will use it for subsequent
1229
1247
  network requests. If the refresh request fails or if the CRL is
@@ -28,16 +28,21 @@ class Puppet::HTTP::Service::Ca < Puppet::HTTP::Service
28
28
  # Submit a GET request to retrieve the named certificate from the server.
29
29
  #
30
30
  # @param [String] name name of the certificate to request
31
+ # @param [Time] if_modified_since If not nil, only download the cert if it has
32
+ # been modified since the specified time.
31
33
  # @param [Puppet::SSL::SSLContext] ssl_context
32
34
  #
33
35
  # @return [Array<Puppet::HTTP::Response, String>] An array containing the
34
36
  # request response and the stringified body of the request response
35
37
  #
36
38
  # @api public
37
- def get_certificate(name, ssl_context: nil)
39
+ def get_certificate(name, if_modified_since: nil, ssl_context: nil)
40
+ headers = add_puppet_headers(HEADERS)
41
+ headers['If-Modified-Since'] = if_modified_since.httpdate if if_modified_since
42
+
38
43
  response = @client.get(
39
44
  with_base_url("/certificate/#{name}"),
40
- headers: add_puppet_headers(HEADERS),
45
+ headers: headers,
41
46
  options: {ssl_context: ssl_context}
42
47
  )
43
48
 
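Review bot: `headers = add_puppet_headers(HEADERS)` followed by `headers['If-Modified-Since'] = …` relies on add_puppet_headers returning a hash distinct from the `HEADERS` constant; if it hands back the constant itself (or merges into it), the assignment either mutates shared state so every later certificate request from this service carries a stale If-Modified-Since, or raises FrozenError when the constant is frozen. That cannot be confirmed from this hunk, so please check the helper in Puppet::HTTP::Service, or make the intent explicit with `headers = add_puppet_headers(HEADERS).dup` before the conditional assignment. The `@param [Time]` YARD tag matches the `.httpdate` call, but passing anything else (a String or Integer timestamp) would raise NoMethodError rather than a clear ArgumentError; a one-line note in the docstring that the caller must pass a Time would help. The body of get_certificate continues past the end of the hunk.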
@@ -50,14 +50,28 @@ class Puppet::SSL::StateMachine
50
50
  def next_state
51
51
  Puppet.debug("Loading CA certs")
52
52
 
53
+ force_crl_refresh = false
54
+
53
55
  cacerts = @cert_provider.load_cacerts
54
56
  if cacerts
55
57
  next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
58
+
59
+ now = Time.now
60
+ last_update = @cert_provider.ca_last_update
61
+ if needs_refresh?(now, last_update)
62
+ # set last updated time first, then make a best effort to refresh
63
+ @cert_provider.ca_last_update = now
64
+
65
+ # If we refresh the CA, then we need to force the CRL to be refreshed too,
66
+ # since if there is a new CA in the chain, then we need its CRL to check
67
+ # the full chain for revocation status.
68
+ next_ctx, force_crl_refresh = refresh_ca(next_ctx, last_update)
69
+ end
56
70
  else
57
71
  route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
58
72
  _, pem = route.get_certificate(Puppet::SSL::CA_NAME, ssl_context: @ssl_context)
59
73
  if @machine.ca_fingerprint
60
- actual_digest = Puppet::SSL::Digest.new(@machine.digest, pem).to_hex
74
+ actual_digest = @machine.digest_as_hex(pem)
61
75
  expected_digest = @machine.ca_fingerprint.scan(/../).join(':').upcase
62
76
  if actual_digest == expected_digest
63
77
  Puppet.info(_("Verified CA bundle with digest (%{digest_type}) %{actual_digest}") %
@@ -74,7 +88,7 @@ class Puppet::SSL::StateMachine
74
88
  @cert_provider.save_cacerts(cacerts)
75
89
  end
76
90
 
77
- NeedCRLs.new(@machine, next_ctx)
91
+ NeedCRLs.new(@machine, next_ctx, force_crl_refresh)
78
92
  rescue OpenSSL::X509::CertificateError => e
79
93
  Error.new(@machine, e.message, e)
80
94
  rescue Puppet::HTTP::ResponseError => e
@@ -84,6 +98,51 @@ class Puppet::SSL::StateMachine
84
98
  to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
85
99
  end
86
100
  end
101
+
102
+ private
103
+
104
+ def needs_refresh?(now, last_update)
105
+ return true if last_update.nil?
106
+
107
+ ca_ttl = Puppet[:ca_refresh_interval]
108
+ return false unless ca_ttl
109
+
110
+ now.to_i > last_update.to_i + ca_ttl
111
+ end
112
+
113
+ def refresh_ca(ssl_ctx, last_update)
114
+ Puppet.info(_("Refreshing CA certificate"))
115
+
116
+ # return the next_ctx containing the updated ca
117
+ [download_ca(ssl_ctx, last_update), true]
118
+ rescue Puppet::HTTP::ResponseError => e
119
+ if e.response.code == 304
120
+ Puppet.info(_("CA certificate is unmodified, using existing CA certificate"))
121
+ else
122
+ Puppet.info(_("Failed to refresh CA certificate, using existing CA certificate: %{message}") % {message: e.message})
123
+ end
124
+
125
+ # return the original ssl_ctx
126
+ [ssl_ctx, false]
127
+ rescue Puppet::HTTP::HTTPError => e
128
+ Puppet.warning(_("Failed to refresh CA certificate, using existing CA certificate: %{message}") % {message: e.message})
129
+
130
+ # return the original ssl_ctx
131
+ [ssl_ctx, false]
132
+ end
133
+
134
+ def download_ca(ssl_ctx, last_update)
135
+ route = @machine.session.route_to(:ca, ssl_context: ssl_ctx)
136
+ _, pem = route.get_certificate(Puppet::SSL::CA_NAME, if_modified_since: last_update, ssl_context: ssl_ctx)
137
+ cacerts = @cert_provider.load_cacerts_from_pem(pem)
138
+ # verify cacerts before saving
139
+ next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
140
+ @cert_provider.save_cacerts(cacerts)
141
+
142
+ Puppet.info("Refreshed CA certificate: #{@machine.digest_as_hex(pem)}")
143
+
144
+ next_ctx
145
+ end
87
146
  end
88
147
 
89
148
  # If revocation is enabled, load CRLs or download them, using the CA bundle
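Review bot: download_ca fetches the replacement CA bundle over `next_ctx`, which next_state builds with `revocation: false`, and it validates the result only through `create_root_context(cacerts: cacerts, revocation: false)` before `save_cacerts`; the server is therefore authenticated against the current bundle but not checked against any CRL, and the fingerprint comparison that the bootstrap branch performs when `@machine.ca_fingerprint` is set is not applied on refresh. That ordering is inherent to loading CAs before CRLs, and the forced CRL refresh afterwards narrows the window, but a comment on refresh_ca stating both facts would stop a later reader from either adding revocation here (which would break first contact) or assuming the fingerprint check also guards refreshes. Suggested: `# Refresh runs before CRLs are loaded, so this request cannot be revocation-checked; the new bundle is trusted because it was served by a host authenticated against the current bundle. ca_fingerprint is only applied on first download.` Separately, `Puppet.info("Refreshed CA certificate: …")` here and `Puppet.info("Refreshed CRL: …")` in the later hunk are not wrapped in `_()` like the neighbouring info messages, so they will not be translated. The enclosing NeedCACerts class starts before this hunk.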
@@ -93,6 +152,13 @@ class Puppet::SSL::StateMachine
93
152
  # for which we don't have a CRL
94
153
  #
95
154
  class NeedCRLs < SSLState
155
+ attr_reader :force_crl_refresh
156
+
157
+ def initialize(machine, ssl_context, force_crl_refresh = false)
158
+ super(machine, ssl_context)
159
+ @force_crl_refresh = force_crl_refresh
160
+ end
161
+
96
162
  def next_state
97
163
  Puppet.debug("Loading CRLs")
98
164
 
@@ -102,15 +168,12 @@ class Puppet::SSL::StateMachine
102
168
  if crls
103
169
  next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
104
170
 
105
- crl_ttl = Puppet[:crl_refresh_interval]
106
- if crl_ttl
107
- last_update = @cert_provider.crl_last_update
108
- now = Time.now
109
- if last_update.nil? || now.to_i > last_update.to_i + crl_ttl
110
- # set last updated time first, then make a best effort to refresh
111
- @cert_provider.crl_last_update = now
112
- next_ctx = refresh_crl(next_ctx, last_update)
113
- end
171
+ now = Time.now
172
+ last_update = @cert_provider.crl_last_update
173
+ if needs_refresh?(now, last_update)
174
+ # set last updated time first, then make a best effort to refresh
175
+ @cert_provider.crl_last_update = now
176
+ next_ctx = refresh_crl(next_ctx, last_update)
114
177
  end
115
178
  else
116
179
  next_ctx = download_crl(@ssl_context, nil)
@@ -133,6 +196,15 @@ class Puppet::SSL::StateMachine
133
196
 
134
197
  private
135
198
 
199
+ def needs_refresh?(now, last_update)
200
+ return true if @force_crl_refresh || last_update.nil?
201
+
202
+ crl_ttl = Puppet[:crl_refresh_interval]
203
+ return false unless crl_ttl
204
+
205
+ now.to_i > last_update.to_i + crl_ttl
206
+ end
207
+
136
208
  def refresh_crl(ssl_ctx, last_update)
137
209
  Puppet.info(_("Refreshing CRL"))
138
210
 
@@ -162,6 +234,8 @@ class Puppet::SSL::StateMachine
162
234
  next_ctx = @ssl_provider.create_root_context(cacerts: ssl_ctx[:cacerts], crls: crls)
163
235
  @cert_provider.save_crls(crls)
164
236
 
237
+ Puppet.info("Refreshed CRL: #{@machine.digest_as_hex(pem)}")
238
+
165
239
  next_ctx
166
240
  end
167
241
  end
@@ -441,6 +515,10 @@ class Puppet::SSL::StateMachine
441
515
  @lockfile.unlock
442
516
  end
443
517
 
518
+ def digest_as_hex(str)
519
+ Puppet::SSL::Digest.new(digest, str).to_hex
520
+ end
521
+
444
522
  private
445
523
 
446
524
  def run_machine(state, stop)
@@ -1,8 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
  require 'concurrent'
3
3
 
4
- # We want to use the pure Ruby implementation even on JRuby. If we use the Java
5
- # implementation of ThreadLocal, we end up leaking references to JRuby instances
6
- # and preventing them from being garbage collected.
7
- class Puppet::ThreadLocal < Concurrent::RubyThreadLocalVar
4
+ class Puppet::ThreadLocal < Concurrent::ThreadLocalVar
8
5
  end
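Review bot: The hunk drops the comment explaining why the pure-Ruby `RubyThreadLocalVar` was chosen (JRuby reference leaks) and the new `Concurrent::ThreadLocalVar` base class carries no rationale of its own, so the next maintainer cannot tell whether the leak concern was resolved or merely abandoned. This presumably follows the relaxed concurrent-ruby constraint (`~> 1.0`, resolving to 1.2.2 in the lockfile), but the diff itself does not say so. Suggested comment above the class: `# concurrent-ruby 1.2 changed the ThreadLocalVar implementation; the earlier pure-Ruby subclass workaround for JRuby reference leaks is no longer needed - confirm on JRuby if that platform is still supported.`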
@@ -7,7 +7,7 @@
7
7
  # Raketasks and such to set the version based on the output of `git describe`
8
8
 
9
9
  module Puppet
10
- PUPPETVERSION = '8.0.1'
10
+ PUPPETVERSION = '8.1.0'
11
11
 
12
12
  ##
13
13
  # version is a public API method intended to always provide a fast and
@@ -147,6 +147,28 @@ class Puppet::X509::CertProvider
147
147
  Puppet::FileSystem.touch(@crlpath, mtime: time)
148
148
  end
149
149
 
150
+ # Return the time when the CA bundle was last updated.
151
+ #
152
+ # @return [Time, nil] Time when the CA bundle was last updated, or nil if we don't
153
+ # have a CA bundle
154
+ #
155
+ # @api private
156
+ def ca_last_update
157
+ stat = Puppet::FileSystem.stat(@capath)
158
+ Time.at(stat.mtime)
159
+ rescue Errno::ENOENT
160
+ nil
161
+ end
162
+
163
+ # Set the CA bundle last updated time.
164
+ #
165
+ # @param time [Time] The last updated time
166
+ #
167
+ # @api private
168
+ def ca_last_update=(time)
169
+ Puppet::FileSystem.touch(@capath, mtime: time)
170
+ end
171
+
150
172
  # Save named private key in the configured `privatekeydir`. For
151
173
  # historical reasons, names are case insensitive.
152
174
  #