puppet 2.6.16 → 2.6.17

data/spec/unit/file_serving/{indirection_hooks_spec.rb → terminus_selector_spec.rb}

@@ -5,30 +5,30 @@
 
 require File.dirname(__FILE__) + '/../../spec_helper'
 
-require 'puppet/file_serving/indirection_hooks'
+require 'puppet/file_serving/terminus_selector'
 
-describe Puppet::FileServing::IndirectionHooks do
+describe Puppet::FileServing::TerminusSelector do
   before do
     @object = Object.new
-    @object.extend(Puppet::FileServing::IndirectionHooks)
+    @object.extend(Puppet::FileServing::TerminusSelector)
 
     @request = stub 'request', :key => "mymod/myfile", :options => {:node => "whatever"}, :server => nil, :protocol => nil
   end
 
   describe "when being used to select termini" do
     it "should return :file if the request key is fully qualified" do
-      @request.expects(:key).returns "#{File::SEPARATOR}foo"
-      @object.select_terminus(@request).should == :file
+      @request.expects(:key).returns File.expand_path('/foo')
+      @object.select(@request).should == :file
     end
 
     it "should return :file if the URI protocol is set to 'file'" do
       @request.expects(:protocol).returns "file"
-      @object.select_terminus(@request).should == :file
+      @object.select(@request).should == :file
     end
 
     it "should fail when a protocol other than :puppet or :file is used" do
       @request.stubs(:protocol).returns "http"
-      proc { @object.select_terminus(@request) }.should raise_error(ArgumentError)
+      proc { @object.select(@request) }.should raise_error(ArgumentError)
     end
 
     describe "and the protocol is 'puppet'" do
@@ -39,15 +39,15 @@ describe Puppet::FileServing::IndirectionHooks do
       it "should choose :rest when a server is specified" do
         @request.stubs(:protocol).returns "puppet"
         @request.expects(:server).returns "foo"
-        @object.select_terminus(@request).should == :rest
+        @object.select(@request).should == :rest
       end
 
       # This is so a given file location works when bootstrapping with no server.
       it "should choose :rest when the Settings name isn't 'puppet'" do
         @request.stubs(:protocol).returns "puppet"
-        @request.stubs(:server).returns "foo"
+        # We have to stub this because we can't set name
         Puppet.settings.stubs(:value).with(:name).returns "foo"
-        @object.select_terminus(@request).should == :rest
+        @object.select(@request).should == :rest
       end
 
       it "should choose :file_server when the settings name is 'puppet' and no server is specified" do
@@ -55,8 +55,7 @@ describe Puppet::FileServing::IndirectionHooks do
 
         @request.expects(:protocol).returns "puppet"
         @request.expects(:server).returns nil
-        Puppet.settings.expects(:value).with(:name).returns "puppet"
-        @object.select_terminus(@request).should == :file_server
+        @object.select(@request).should == :file_server
       end
     end
   end

data/spec/unit/indirector/file_bucket_file/selector_spec.rb

@@ -0,0 +1,29 @@
+#!/usr/bin/env rspec
+require 'spec_helper'
+
+require 'puppet/indirector/file_bucket_file/selector'
+require 'puppet/indirector/file_bucket_file/file'
+require 'puppet/indirector/file_bucket_file/rest'
+
+describe Puppet::FileBucketFile::Selector do
+  %w[head find save search destroy].each do |method|
+    describe "##{method}" do
+      it "should proxy to rest terminus for https requests" do
+        request = stub 'request', :protocol => 'https'
+
+        Puppet::FileBucketFile::Rest.any_instance.expects(method).with(request)
+
+        subject.send(method, request)
+      end
+
+      it "should proxy to file terminus for other requests" do
+        request = stub 'request', :protocol => 'file'
+
+        Puppet::FileBucketFile::File.any_instance.expects(method).with(request)
+
+        subject.send(method, request)
+      end
+    end
+  end
+end
+

data/spec/unit/indirector/file_content/selector_spec.rb

@@ -0,0 +1,10 @@
+#!/usr/bin/env rspec
+require 'spec_helper'
+
+require 'puppet/indirector/file_content/selector'
+
+describe Puppet::Indirector::FileContent::Selector do
+  include PuppetSpec::Files
+
+  it_should_behave_like "Puppet::FileServing::Files", :file_content
+end

data/spec/unit/indirector/file_metadata/selector_spec.rb

@@ -0,0 +1,11 @@
+#!/usr/bin/env rspec
+require 'spec_helper'
+
+require 'puppet/indirector/file_metadata/selector'
+
+describe Puppet::Indirector::FileMetadata::Selector do
+  include PuppetSpec::Files
+
+  it_should_behave_like "Puppet::FileServing::Files", :file_metadata
+end
+

data/spec/unit/network/handler/ca_spec.rb

@@ -31,6 +31,7 @@ describe Puppet::Network::Handler::CA do
       Puppet::SSL::CertificateAuthority.stubs(:ca?).returns false
 
       csr = OpenSSL::X509::Request.new
+      csr.subject = OpenSSL::X509::Name.new([["CN", "anything"]])
       subject.getcert(csr.to_pem).should == ''
     end
 

data/spec/unit/reports/store_spec.rb

@@ -27,5 +27,19 @@ describe processor do
 
       File.read(File.join(Puppet[:reportdir], @report.host, "201101061200.yaml")).should == @report.to_yaml
     end
+
+    ['..', 'hello/', '/hello', 'he/llo', 'hello/..', '.'].each do |node|
+      it "rejects #{node.inspect}" do
+        @report.host = node
+        expect { @report.process }.to raise_error(ArgumentError, /Invalid node/)
+      end
+    end
+
+    ['.hello', 'hello.', '..hi', 'hi..'].each do |node|
+      it "accepts #{node.inspect}" do
+        @report.host = node
+        @report.process
+      end
+    end
   end
 end

data/spec/unit/ssl/certificate_authority/interface_spec.rb

@@ -212,9 +212,9 @@ describe Puppet::SSL::CertificateAuthority::Interface do
           applier = @class.new(:list, :to => [])
 
           applier.expects(:puts).with(<<-OUTPUT.chomp)
-  host1 (fingerprint)
-  host2 (fingerprint)
-  host3 (fingerprint)
+  "host1" (fingerprint)
+  "host2" (fingerprint)
+  "host3" (fingerprint)
           OUTPUT
 
           applier.apply(@ca)
@@ -228,12 +228,12 @@ describe Puppet::SSL::CertificateAuthority::Interface do
           applier = @class.new(:list, :to => :all)
 
           applier.expects(:puts).with(<<-OUTPUT.chomp)
-  host1 (fingerprint)
-  host2 (fingerprint)
-  host3 (fingerprint)
-+ host5 (fingerprint)
-+ host6 (fingerprint)
-- host4 (fingerprint) (certificate revoked)
+  "host1" (fingerprint)
+  "host2" (fingerprint)
+  "host3" (fingerprint)
++ "host5" (fingerprint)
++ "host6" (fingerprint)
+- "host4" (fingerprint) (certificate revoked)
           OUTPUT
 
           applier.apply(@ca)
@@ -245,9 +245,9 @@ describe Puppet::SSL::CertificateAuthority::Interface do
           applier = @class.new(:list, :to => :signed)
 
           applier.expects(:puts).with(<<-OUTPUT.chomp)
-+ host4 (fingerprint)
-+ host5 (fingerprint)
-+ host6 (fingerprint)
++ "host4" (fingerprint)
++ "host5" (fingerprint)
++ "host6" (fingerprint)
           OUTPUT
 
           applier.apply(@ca)
@@ -260,7 +260,7 @@ describe Puppet::SSL::CertificateAuthority::Interface do
           applier = @class.new(:list, :to => ['host1'])
 
           applier.expects(:puts).with(<<-OUTPUT.chomp)
-  host1 (fingerprint) (alt names: DNS:foo, DNS:bar)
+  "host1" (fingerprint) (alt names: "DNS:foo", "DNS:bar")
           OUTPUT
 
           applier.apply(@ca)
@@ -272,10 +272,10 @@ describe Puppet::SSL::CertificateAuthority::Interface do
           applier = @class.new(:list, :to => %w{host1 host2 host4 host5})
 
           applier.expects(:puts).with(<<-OUTPUT.chomp)
-  host1 (fingerprint)
-  host2 (fingerprint)
-+ host4 (fingerprint)
-+ host5 (fingerprint)
+  "host1" (fingerprint)
+  "host2" (fingerprint)
++ "host4" (fingerprint)
++ "host5" (fingerprint)
             OUTPUT
 
           applier.apply(@ca)

data/spec/unit/ssl/certificate_authority_spec.rb

@@ -246,7 +246,7 @@ describe Puppet::SSL::CertificateAuthority do
       # Stub out the factory
       Puppet::SSL::CertificateFactory.stubs(:build).returns "my real cert"
 
-      @request_content = stub "request content stub", :subject => @name
+      @request_content = stub "request content stub", :subject => OpenSSL::X509::Name.new([['CN', @name]])
       @request = stub 'request', :name => @name, :request_extensions => [], :subject_alt_names => [], :content => @request_content
 
       # And the inventory
@@ -303,28 +303,28 @@ describe Puppet::SSL::CertificateAuthority do
 
       it "should use a certificate type of :ca" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
-          args[0] == :ca
+          args[0].should == :ca
         end.returns "my real cert"
         @ca.sign(@name, :ca, @request)
       end
 
       it "should pass the provided CSR as the CSR" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
-          args[1] == @request
+          args[1].should == @request
         end.returns "my real cert"
         @ca.sign(@name, :ca, @request)
       end
 
       it "should use the provided CSR's content as the issuer" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
-          args[2].subject == "myhost"
+          args[2].subject.to_s.should == "/CN=myhost"
         end.returns "my real cert"
         @ca.sign(@name, :ca, @request)
       end
 
       it "should pass the next serial as the serial number" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
-          args[3] == @serial
+          args[3].should == @serial
         end.returns "my real cert"
         @ca.sign(@name, :ca, @request)
       end
@@ -452,11 +452,76 @@ describe Puppet::SSL::CertificateAuthority do
         @cert.stubs :save
       end
 
+      it "should reject CSRs whose CN doesn't match the name for which we're signing them" do
+        # Shorten this so the test doesn't take too long
+        Puppet[:keylength] = 1024
+        key = Puppet::SSL::Key.new('the_certname')
+        key.generate
+
+        csr = Puppet::SSL::CertificateRequest.new('the_certname')
+        csr.generate(key)
+
+        expect do
+          @ca.check_internal_signing_policies('not_the_certname', csr, false)
+        end.to raise_error(
+          Puppet::SSL::CertificateAuthority::CertificateSigningError,
+          /common name "the_certname" does not match expected certname "not_the_certname"/
+        )
+      end
+
+      describe "when validating the CN" do
+        before :all do
+          Puppet[:keylength] = 1024
+          @signing_key = Puppet::SSL::Key.new('my_signing_key')
+          @signing_key.generate
+        end
+
+        [
+         'completely_okay',
+         'sure, why not? :)',
+         'so+many(things)-are=allowed.',
+         'this"is#just&madness%you[see]',
+         'and even a (an?) \\!',
+         'waltz, nymph, for quick jigs vex bud.',
+         '{552c04ca-bb1b-11e1-874b-60334b04494e}'
+        ].each do |name|
+          it "should accept #{name.inspect}" do
+            csr = Puppet::SSL::CertificateRequest.new(name)
+            csr.generate(@signing_key)
+
+            @ca.check_internal_signing_policies(name, csr, false)
+          end
+        end
+
+        [
+         'super/bad',
+         "not\neven\tkind\rof",
+         "ding\adong\a",
+         "hidden\b\b\b\b\b\bmessage",
+         "☃ :("
+        ].each do |name|
+          it "should reject #{name.inspect}" do
+            # We aren't even allowed to make objects with these names, so let's
+            # stub that to simulate an invalid one coming from outside Puppet
+            Puppet::SSL::CertificateRequest.stubs(:validate_certname)
+            csr = Puppet::SSL::CertificateRequest.new(name)
+            csr.generate(@signing_key)
+
+            expect do
+              @ca.check_internal_signing_policies(name, csr, false)
+            end.to raise_error(
+              Puppet::SSL::CertificateAuthority::CertificateSigningError,
+              /subject contains unprintable or non-ASCII characters/
+            )
+          end
+        end
+      end
+
       it "should reject a critical extension that isn't on the whitelist" do
         @request.stubs(:request_extensions).returns [{ "oid" => "banana",
                                                        "value" => "yumm",
                                                        "critical" => true }]
-        expect { @ca.sign(@name) }.to raise_error(
+        expect { @ca.check_internal_signing_policies(@name, @request, false) }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /request extensions that are not permitted/
         )
@@ -466,7 +531,7 @@ describe Puppet::SSL::CertificateAuthority do
         @request.stubs(:request_extensions).returns [{ "oid" => "peach",
                                                        "value" => "meh",
                                                        "critical" => false }]
-        expect { @ca.sign(@name) }.to raise_error(
+        expect { @ca.check_internal_signing_policies(@name, @request, false) }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /request extensions that are not permitted/
         )
@@ -479,7 +544,7 @@ describe Puppet::SSL::CertificateAuthority do
                                                      { "oid" => "subjectAltName",
                                                        "value" => "DNS:foo",
                                                        "critical" => true }]
-        expect { @ca.sign(@name) }.to raise_error(
+        expect { @ca.check_internal_signing_policies(@name, @request, false) }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /request extensions that are not permitted/
         )
@@ -487,7 +552,7 @@ describe Puppet::SSL::CertificateAuthority do
 
       it "should reject a subjectAltName for a non-DNS value" do
         @request.stubs(:subject_alt_names).returns ['DNS:foo', 'email:bar@example.com']
-        expect { @ca.sign(@name, true) }.to raise_error(
+        expect { @ca.check_internal_signing_policies(@name, @request, true) }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /subjectAltName outside the DNS label space/
         )
@@ -497,7 +562,7 @@ describe Puppet::SSL::CertificateAuthority do
         @request.content.stubs(:subject).
           returns(OpenSSL::X509::Name.new([["CN", "*.local"]]))
 
-        expect { @ca.sign(@name) }.to raise_error(
+        expect { @ca.check_internal_signing_policies('*.local', @request, false) }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /subject contains a wildcard/
         )
@@ -505,7 +570,7 @@ describe Puppet::SSL::CertificateAuthority do
 
       it "should reject a wildcard subjectAltName" do
         @request.stubs(:subject_alt_names).returns ['DNS:foo', 'DNS:*.bar']
-        expect { @ca.sign(@name, true) }.to raise_error(
+        expect { @ca.check_internal_signing_policies(@name, @request, true) }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /subjectAltName contains a wildcard/
         )

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: puppet
 version: !ruby/object:Gem::Version 
-  hash: 55
+  hash: 53
   prerelease: 
   segments: 
   - 2
   - 6
-  - 16
-  version: 2.6.16
+  - 17
+  version: 2.6.17
 platform: ruby
 authors: 
 - Puppet Labs
@@ -15,10 +15,9 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-04-11 00:00:00 Z
+date: 2012-07-10 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
-  name: facter
   prerelease: false
   requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
@@ -32,6 +31,7 @@ dependencies:
         - 1
         version: 1.5.1
   type: :runtime
+  name: facter
   version_requirements: *id001
 description: Puppet, an automated configuration management tool
 email: puppet@puppetlabs.com
@@ -115,7 +115,6 @@ files:
 - lib/puppet/feature/stomp.rb
 - lib/puppet/feature/zlib.rb
 - lib/puppet/file_bucket/dipper.rb
-- lib/puppet/file_bucket/file/indirection_hooks.rb
 - lib/puppet/file_bucket/file.rb
 - lib/puppet/file_bucket.rb
 - lib/puppet/file_collection/lookup.rb
@@ -125,13 +124,13 @@ files:
 - lib/puppet/file_serving/configuration.rb
 - lib/puppet/file_serving/content.rb
 - lib/puppet/file_serving/fileset.rb
-- lib/puppet/file_serving/indirection_hooks.rb
 - lib/puppet/file_serving/metadata.rb
 - lib/puppet/file_serving/mount/file.rb
 - lib/puppet/file_serving/mount/modules.rb
 - lib/puppet/file_serving/mount/plugins.rb
 - lib/puppet/file_serving/mount.rb
 - lib/puppet/file_serving/terminus_helper.rb
+- lib/puppet/file_serving/terminus_selector.rb
 - lib/puppet/file_serving.rb
 - lib/puppet/indirector/active_record.rb
 - lib/puppet/indirector/catalog/active_record.rb
@@ -163,13 +162,16 @@ files:
 - lib/puppet/indirector/facts/yaml.rb
 - lib/puppet/indirector/file_bucket_file/file.rb
 - lib/puppet/indirector/file_bucket_file/rest.rb
+- lib/puppet/indirector/file_bucket_file/selector.rb
 - lib/puppet/indirector/file_content/file.rb
 - lib/puppet/indirector/file_content/file_server.rb
 - lib/puppet/indirector/file_content/rest.rb
+- lib/puppet/indirector/file_content/selector.rb
 - lib/puppet/indirector/file_content.rb
 - lib/puppet/indirector/file_metadata/file.rb
 - lib/puppet/indirector/file_metadata/file_server.rb
 - lib/puppet/indirector/file_metadata/rest.rb
+- lib/puppet/indirector/file_metadata/selector.rb
 - lib/puppet/indirector/file_metadata.rb
 - lib/puppet/indirector/file_server.rb
 - lib/puppet/indirector/indirection.rb
@@ -935,6 +937,7 @@ files:
 - spec/integration/application/doc_spec.rb
 - spec/integration/configurer_spec.rb
 - spec/integration/defaults_spec.rb
+- spec/integration/file_bucket/file_spec.rb
 - spec/integration/file_serving/content_spec.rb
 - spec/integration/file_serving/fileset_spec.rb
 - spec/integration/file_serving/metadata_spec.rb
@@ -992,6 +995,7 @@ files:
 - spec/monkey_patches/publicize_methods.rb
 - spec/shared_behaviours/file_server_terminus.rb
 - spec/shared_behaviours/file_serving.rb
+- spec/shared_behaviours/file_serving_model.rb
 - spec/shared_behaviours/memory_terminus.rb
 - spec/shared_behaviours/path_parameters.rb
 - spec/spec.opts
@@ -1026,13 +1030,13 @@ files:
 - spec/unit/file_serving/configuration_spec.rb
 - spec/unit/file_serving/content_spec.rb
 - spec/unit/file_serving/fileset_spec.rb
-- spec/unit/file_serving/indirection_hooks_spec.rb
 - spec/unit/file_serving/metadata_spec.rb
 - spec/unit/file_serving/mount/file_spec.rb
 - spec/unit/file_serving/mount/modules_spec.rb
 - spec/unit/file_serving/mount/plugins_spec.rb
 - spec/unit/file_serving/mount_spec.rb
 - spec/unit/file_serving/terminus_helper_spec.rb
+- spec/unit/file_serving/terminus_selector_spec.rb
 - spec/unit/indirector/active_record_spec.rb
 - spec/unit/indirector/catalog/active_record_spec.rb
 - spec/unit/indirector/catalog/compiler_spec.rb
@@ -1061,12 +1065,15 @@ files:
 - spec/unit/indirector/facts/yaml_spec.rb
 - spec/unit/indirector/file_bucket_file/file_spec.rb
 - spec/unit/indirector/file_bucket_file/rest_spec.rb
+- spec/unit/indirector/file_bucket_file/selector_spec.rb
 - spec/unit/indirector/file_content/file_server_spec.rb
 - spec/unit/indirector/file_content/file_spec.rb
 - spec/unit/indirector/file_content/rest_spec.rb
+- spec/unit/indirector/file_content/selector_spec.rb
 - spec/unit/indirector/file_metadata/file_server_spec.rb
 - spec/unit/indirector/file_metadata/file_spec.rb
 - spec/unit/indirector/file_metadata/rest_spec.rb
+- spec/unit/indirector/file_metadata/selector_spec.rb
 - spec/unit/indirector/file_server_spec.rb
 - spec/unit/indirector/indirection_spec.rb
 - spec/unit/indirector/key/ca_spec.rb
@@ -1402,7 +1409,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: puppet
-rubygems_version: 1.8.10
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: Puppet, an automated configuration management tool