Merge branch 'PUP-2478/3.6.1/security_fixes' into stable

* PUP-2478/3.6.1/security_fixes:
  (PUP-2683) Fix fact terminus to load facts without '.' on the load path.
  (packaging) Update PUPPETVERSION to 3.6.2
  (PUP-2533) Insert SSLCARevocationCheck on upgrade
  (maint) extract initial Passenger configuration
  (PUP-2533) Apache 2.4 requires explicit CRL configuration
  (PUP-2478) Remove current directory from Ruby load path.

bin/puppet

@@ -1,4 +1,8 @@
 #!/usr/bin/env ruby
 
+# For security reasons, ensure that '.' is not on the load path
+# This is primarily for 1.8.7 since 1.9.2+ doesn't put '.' on the load path
+$LOAD_PATH.delete '.'
+
 require 'puppet/util/command_line'
 Puppet::Util::CommandLine.new.execute

ext/debian/puppetmaster-passenger.postinst

@@ -3,6 +3,7 @@
 set -e
 
 sitename="puppetmaster"
+apache2_version="$(dpkg-query --showformat='${Version}\n' --show apache2)"
 
 # The debian provided a2* utils in Apache 2.4 uses "site name" as
 # argument, while the version in Apache 2.2 uses "file name".
@@ -14,7 +15,6 @@ sitename="puppetmaster"
 # This will end in tears…
 # Can be removed when we only support apache >= 2.4
 apache2_puppetmaster_sitename() {
-    apache2_version="$(dpkg-query --showformat='${Version}\n' --show apache2)"
     if dpkg --compare-versions "$apache2_version" gt "2.4~"; then
         echo "${sitename}.conf"
     else
@@ -49,6 +49,91 @@ update_vhost_for_passenger4() {
     fi
 }
 
+# In Apache 2.2, if either the SSLCARevocationFile or SSLCARevocationPath
+# directives were specified then the specified file(s) would be checked when
+# establishing an SSL connection. Apache 2.4+ the SSLCARevocationCheck directive
+# was added to control how CRLs were checked when verifying a connection and had
+# a default value of none.  This means that Apache defaults to ignoring CRLs even
+# if paths are specified to CRL files.
+#
+# This function automatically uncomments the SSLCARevocationCheck directive when
+# the currently installed version of Apache is 2.4.
+update_vhost_for_apache24() {
+    if dpkg --compare-versions "$apache2_version" gt "2.4~"; then
+        sed -r -i \
+            -e "/# SSLCARevocationCheck/s/# //" \
+        $tempfile
+    fi
+}
+
+# Update an existing vhost definition with the SSLCARevocationCheck directive
+# on Apache 2.4+. This scans an existing vhost file for the SSLCARevocationCheck
+# directive and adds it to the file after the SSLCARevocationFile directive.
+#
+# See https://tickets.puppetlabs.com/browse/PUP-2533 for more information.
+update_vhost_for_apache24_upgrade() {
+    APACHE2_SITE_FILE="/etc/apache2/sites-available/$(apache2_puppetmaster_sitename)"
+
+    if dpkg --compare-versions "$apache2_version" gt "2.4~"; then
+        if ! grep -q "^[[:space:]]*SSLCARevocationCheck" $APACHE2_SITE_FILE ; then
+            tempfile=$(mktemp)
+            sed -r \
+                -e "/SSLCARevocationFile/a\\        SSLCARevocationCheck chain" \
+                $APACHE2_SITE_FILE > $tempfile
+            mv $tempfile $APACHE2_SITE_FILE
+        fi
+    fi
+}
+
+
+create_initial_puppetmaster_vhost() {
+    # Check that puppet master --configprint works properly
+    # If it doesn't the following steps to update the vhost will produce a very unhelpful and broken vhost
+    if [ $(puppet master --configprint all 2>&1 | grep "Could not parse" | wc -l) != "0" ]; then
+        echo "Puppet config print not working properly, exiting"
+        exit 1
+    fi
+
+    # Initialize puppetmaster CA and generate the master certificate
+    # only if the host doesn't already have any puppet ssl certificate.
+    # The ssl key and cert need to be available (eg generated) before
+    # apache2 is configured and started since apache2 ssl configuration
+    # uses the puppetmaster ssl files.
+    if [ ! -e "$(puppet master --configprint hostcert)" ]; then
+        puppet cert generate $(puppet master --configprint certname)
+    fi
+
+    # Setup apache2 configuration files
+    APACHE2_SITE_FILE="/etc/apache2/sites-available/$(apache2_puppetmaster_sitename)"
+    if  [ ! -e "${APACHE2_SITE_FILE}" ]; then
+        tempfile=$(mktemp)
+        sed -r \
+            -e "s|(SSLCertificateFile\s+).+$|\1$(puppet master --configprint hostcert)|" \
+            -e "s|(SSLCertificateKeyFile\s+).+$|\1$(puppet master --configprint hostprivkey)|" \
+            -e "s|(SSLCACertificateFile\s+).+$|\1$(puppet master --configprint localcacert)|" \
+            -e "s|(SSLCertificateChainFile\s+).+$|\1$(puppet master --configprint localcacert)|" \
+            -e "s|(SSLCARevocationFile\s+).+$|\1$(puppet master --configprint cacrl)|" \
+            -e "s|DocumentRoot /etc/puppet/rack/public|DocumentRoot /usr/share/puppet/rack/puppetmasterd/public|" \
+            -e "s|<Directory /etc/puppet/rack/>|<Directory /usr/share/puppet/rack/puppetmasterd/>|" \
+            /usr/share/puppetmaster-passenger/apache2.site.conf.tmpl > $tempfile
+        update_vhost_for_passenger4
+        update_vhost_for_apache24
+        mv $tempfile "${APACHE2_SITE_FILE}"
+    fi
+
+    # Enable needed modules
+    a2enmod ssl
+    a2enmod headers
+    a2ensite ${sitename}
+    restart_apache2
+}
+
+update_existing_puppetmaster_vhost() {
+    if dpkg --compare-versions "${1}" lt "3.6.2~"; then
+        update_vhost_for_apache24_upgrade
+    fi
+}
+
 if [ "$1" = "configure" ]; then
 
     # Change the owner of the rack config.ru to be the puppet user
@@ -57,47 +142,12 @@ if [ "$1" = "configure" ]; then
     then
         dpkg-statoverride --update --add puppet puppet 0644 /usr/share/puppet/rack/puppetmasterd/config.ru
     fi
-    # Setup passenger configuration
-    if [ "$2" = "" ]; then
 
-        # Check that puppet master --configprint works properly
-        # If it doesn't the following steps to update the vhost will produce a very unhelpful and broken vhost
-        if [ $(puppet master --configprint all 2>&1 | grep "Could not parse" | wc -l) != "0" ]; then
-            echo "Puppet config print not working properly, exiting"
-            exit 1
-        fi
-
-        # Initialize puppetmaster CA and generate the master certificate
-        # only if the host doesn't already have any puppet ssl certificate.
-        # The ssl key and cert need to be available (eg generated) before
-        # apache2 is configured and started since apache2 ssl configuration
-        # uses the puppetmaster ssl files.
-        if [ ! -e "$(puppet master --configprint hostcert)" ]; then
-            puppet cert generate $(puppet master --configprint certname)
-        fi
-
-        # Setup apache2 configuration files
-        APACHE2_SITE_FILE="/etc/apache2/sites-available/$(apache2_puppetmaster_sitename)"
-        if  [ ! -e "${APACHE2_SITE_FILE}" ]; then
-            tempfile=$(mktemp)
-            sed -r \
-                -e "s|(SSLCertificateFile\s+).+$|\1$(puppet master --configprint hostcert)|" \
-                -e "s|(SSLCertificateKeyFile\s+).+$|\1$(puppet master --configprint hostprivkey)|" \
-                -e "s|(SSLCACertificateFile\s+).+$|\1$(puppet master --configprint localcacert)|" \
-                -e "s|(SSLCertificateChainFile\s+).+$|\1$(puppet master --configprint localcacert)|" \
-                -e "s|(SSLCARevocationFile\s+).+$|\1$(puppet master --configprint cacrl)|" \
-                -e "s|DocumentRoot /etc/puppet/rack/public|DocumentRoot /usr/share/puppet/rack/puppetmasterd/public|" \
-                -e "s|<Directory /etc/puppet/rack/>|<Directory /usr/share/puppet/rack/puppetmasterd/>|" \
-                /usr/share/puppetmaster-passenger/apache2.site.conf.tmpl > $tempfile
-            update_vhost_for_passenger4
-            mv $tempfile "${APACHE2_SITE_FILE}"
-        fi
-
-        # Enable needed modules
-        a2enmod ssl
-        a2enmod headers
-        a2ensite ${sitename}
-        restart_apache2
+    # Setup puppetmaster passenger vhost
+    if [ "$2" = "" ]; then
+        create_initial_puppetmaster_vhost
+    else
+        update_existing_puppetmaster_vhost $2
     fi
 
     # Fix CRL file on upgrade to use the CA crl file instead of the host crl.

ext/rack/example-passenger-vhost.conf

@@ -29,6 +29,10 @@ Listen 8140
         # If Apache complains about invalid signatures on the CRL, you can try disabling
         # CRL checking by commenting the next line, but this is not recommended.
         SSLCARevocationFile     /etc/puppet/ssl/ca/ca_crl.pem
+        # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
+        # which effectively disables CRL checking; if you are using Apache 2.4+ you must
+        # specify 'SSLCARevocationCheck chain' to actually use the CRL.
+        # SSLCARevocationCheck chain
         SSLVerifyClient optional
         SSLVerifyDepth  1
         # The `ExportCertData` option is needed for agent certificate expiration warnings

lib/puppet/indirector/facts/facter.rb

@@ -55,7 +55,7 @@ def self.load_facts_in_dir(dir)
         begin
           Puppet.info "Loading facts in #{fqfile}"
           ::Timeout::timeout(Puppet[:configtimeout]) do
-            load file
+            load File.join('.', file)
           end
         rescue SystemExit,NoMemoryError
           raise

spec/unit/indirector/facts/facter_spec.rb

@@ -140,8 +140,8 @@ module PuppetNodeFactsFacter
 
     Dir.expects(:glob).with("*.rb").returns %w{a.rb b.rb}
 
-    Puppet::Node::Facts::Facter.expects(:load).with("a.rb")
-    Puppet::Node::Facts::Facter.expects(:load).with("b.rb")
+    Puppet::Node::Facts::Facter.expects(:load).with File.join('.', 'a.rb')
+    Puppet::Node::Facts::Facter.expects(:load).with File.join('.', 'b.rb')
 
     Puppet::Node::Facts::Facter.load_facts_in_dir("mydir")
   end