puppet 2.7.1 → 2.7.3

data/lib/puppet/face/node/clean.rb

@@ -0,0 +1,154 @@
+Puppet::Face.define(:node, '0.0.1') do
+  action(:clean) do
+    option "--[no-]unexport" do
+      summary "Unexport exported resources"
+    end
+
+    summary "Clean up everything a puppetmaster knows about a node"
+    arguments "<host1> [<host2> ...]"
+    description <<-EOT
+      This includes
+
+       * Signed certificates ($vardir/ssl/ca/signed/node.domain.pem)
+       * Cached facts ($vardir/yaml/facts/node.domain.yaml)
+       * Cached node stuff ($vardir/yaml/node/node.domain.yaml)
+       * Reports ($vardir/reports/node.domain)
+       * Stored configs: it can either remove all data from an host in your
+       storedconfig database, or with --unexport turn every exported resource
+       supporting ensure to absent so that any other host checking out their
+       config can remove those exported configurations.
+
+      This will unexport exported resources of a
+      host, so that consumers of these resources can remove the exported
+      resources and we will safely remove the node from our
+      infrastructure.
+    EOT
+
+    when_invoked do |*args|
+      nodes = args[0..-2]
+      options = args.last
+      raise "At least one node should be passed" if nodes.empty? || nodes == options
+
+      # TODO: this is a hack and should be removed if faces provide the proper
+      # infrastructure to set the run mode.
+      require 'puppet/util/run_mode'
+      $puppet_application_mode = Puppet::Util::RunMode[:master]
+
+      if Puppet::SSL::CertificateAuthority.ca?
+        Puppet::SSL::Host.ca_location = :local
+      else
+        Puppet::SSL::Host.ca_location = :none
+      end
+
+      Puppet::Node::Facts.indirection.terminus_class = :yaml
+      Puppet::Node::Facts.indirection.cache_class = :yaml
+      Puppet::Node.indirection.terminus_class = :yaml
+      Puppet::Node.indirection.cache_class = :yaml
+
+      nodes.each { |node| cleanup(node.downcase, options[:unexport]) }
+    end
+  end
+
+  def cleanup(node, unexport)
+    clean_cert(node)
+    clean_cached_facts(node)
+    clean_cached_node(node)
+    clean_reports(node)
+
+    # This is roughly functional, but seems to introduce order-dependent test
+    # failures; this can be re-added when those issues are resolved.
+    # clean_storeconfigs(node, unexport)
+  end
+
+  # clean signed cert for +host+
+  def clean_cert(node)
+    if Puppet::SSL::CertificateAuthority.ca?
+      Puppet::Face[:ca, :current].revoke(node)
+      Puppet::Face[:ca, :current].destroy(node)
+      Puppet.info "#{node} certificates removed from ca"
+    else
+      Puppet.info "Not managing #{node} certs as this host is not a CA"
+    end
+  end
+
+  # clean facts for +host+
+  def clean_cached_facts(node)
+    Puppet::Node::Facts.indirection.destroy(node)
+    Puppet.info "#{node}'s facts removed"
+  end
+
+  # clean cached node +host+
+  def clean_cached_node(node)
+    Puppet::Node.indirection.destroy(node)
+    Puppet.info "#{node}'s cached node removed"
+  end
+
+  # clean node reports for +host+
+  def clean_reports(node)
+    Puppet::Transaction::Report.indirection.destroy(node)
+    Puppet.info "#{node}'s reports removed"
+  end
+
+  # clean storeconfig for +node+
+  def clean_storeconfigs(node, do_unexport=false)
+    return unless Puppet[:storeconfigs] && Puppet.features.rails?
+    require 'puppet/rails'
+    Puppet::Rails.connect
+    unless rails_node = Puppet::Rails::Host.find_by_name(node)
+      Puppet.notice "No entries found for #{node} in storedconfigs."
+      return
+    end
+
+    if do_unexport
+      unexport(rails_node)
+      Puppet.notice "Force #{node}'s exported resources to absent"
+      Puppet.warning "Please wait until all other hosts have checked out their configuration before finishing the cleanup with:"
+      Puppet.warning "$ puppet node clean #{node}"
+    else
+      rails_node.destroy
+      Puppet.notice "#{node} storeconfigs removed"
+    end
+  end
+
+  def unexport(node)
+    # fetch all exported resource
+    query = {:include => {:param_values => :param_name}}
+    query[:conditions] = [ "exported=? AND host_id=?", true, node.id ]
+    Puppet::Rails::Resource.find(:all, query).each do |resource|
+      if type_is_ensurable(resource)
+        line = 0
+        param_name = Puppet::Rails::ParamName.find_or_create_by_name("ensure")
+
+        if ensure_param = resource.param_values.find(
+          :first,
+          :conditions => [ 'param_name_id = ?', param_name.id ]
+        )
+          line = ensure_param.line.to_i
+          Puppet::Rails::ParamValue.delete(ensure_param.id);
+        end
+
+        # force ensure parameter to "absent"
+        resource.param_values.create(
+          :value => "absent",
+          :line => line,
+          :param_name => param_name
+        )
+        Puppet.info("#{resource.name} has been marked as \"absent\"")
+      end
+    end
+  end
+
+  def environment
+    @environment ||= Puppet::Node::Environment.new
+  end
+
+  def type_is_ensurable(resource)
+    if (type = Puppet::Type.type(resource.restype)) && type.validattr?(:ensure)
+      return true
+    else
+      type = environment.known_resource_types.find_definition('', resource.restype)
+      return true if type && type.arguments.keys.include?('ensure')
+    end
+    return false
+  end
+end

data/lib/puppet/face/status.rb

@@ -12,6 +12,7 @@ Puppet::Indirector::Face.define(:status, '0.0.1') do
   get_action(:search).summary "Invalid for this subcommand."
 
   find = get_action(:find)
+  find.default = true
   find.summary "Check status of puppet master server."
   find.arguments "<dummy_text>"
   find.returns <<-'EOT'

data/lib/puppet/file_serving/configuration/parser.rb

@@ -24,9 +24,10 @@ class Puppet::FileServing::Configuration::Parser < Puppet::Util::LoadedFile
         when /^\s*$/; next # skip blank lines
         when /\[([-\w]+)\]/
           mount = newmount($1)
-        when /^\s*(\w+)\s+(.+)$/
+        when /^\s*(\w+)\s+(.+?)(\s*#.*)?$/
           var = $1
           value = $2
+          value.strip!
           raise(ArgumentError, "Fileserver configuration file does not use '=' as a separator") if value =~ /^=/
           case var
           when "path"
@@ -58,12 +59,8 @@ class Puppet::FileServing::Configuration::Parser < Puppet::Util::LoadedFile
       begin
         mount.info "allowing #{val} access"
         mount.allow(val)
-      rescue AuthStoreError => detail
-
-              raise ArgumentError.new(
-        detail.to_s,
-        
-          @count, file)
+      rescue Puppet::AuthStoreError => detail
+        raise ArgumentError.new(detail.to_s, @count, file)
       end
     }
   end
@@ -75,12 +72,8 @@ class Puppet::FileServing::Configuration::Parser < Puppet::Util::LoadedFile
       begin
         mount.info "denying #{val} access"
         mount.deny(val)
-      rescue AuthStoreError => detail
-
-              raise ArgumentError.new(
-        detail.to_s,
-        
-          @count, file)
+      rescue Puppet::AuthStoreError => detail
+        raise ArgumentError.new(detail.to_s, @count, file)
       end
     }
   end

data/lib/puppet/indirector/exec.rb

@@ -16,8 +16,8 @@ class Puppet::Indirector::Exec < Puppet::Indirector::Terminus
   private
 
   # Proxy the execution, so it's easier to test.
-  def execute(command)
-    Puppet::Util.execute(command)
+  def execute(command, arguments)
+    Puppet::Util.execute(command,arguments)
   end
 
   # Call the external command and see if it returns our output.
@@ -33,7 +33,7 @@ class Puppet::Indirector::Exec < Puppet::Indirector::Terminus
     # Add our name to it.
     external_command << name
     begin
-      output = execute(external_command)
+      output = execute(external_command, :combine => false)
     rescue Puppet::ExecutionFailure => detail
       raise Puppet::Error, "Failed to find #{name} via exec: #{detail}"
     end

data/lib/puppet/indirector/face.rb

@@ -48,16 +48,26 @@ class Puppet::Indirector::Face < Puppet::Face
     return result
   end
 
+  option "--extra HASH" do
+    summary "Extra arguments to pass to the indirection request"
+    description <<-end
+      A terminus can take additional arguments to refine the operation, which
+      are passed as an arbitrary hash to the back-end.  Anything passed as
+      the extra value is just send direct to the back-end.
+    end
+    default_to do Hash.new end
+  end
+
   action :destroy do
     summary "Delete an object."
     arguments "<key>"
-    when_invoked { |key, options| call_indirection_method(:destroy, key, options) }
+    when_invoked {|key, options| call_indirection_method :destroy, key, options[:extra] }
   end
 
   action :find do
     summary "Retrieve an object by name."
     arguments "<key>"
-    when_invoked { |key, options| call_indirection_method(:find, key, options) }
+    when_invoked {|key, options| call_indirection_method :find, key, options[:extra] }
   end
 
   action :save do
@@ -68,13 +78,13 @@ class Puppet::Indirector::Face < Puppet::Face
       currently accept data from STDIN, save actions cannot currently be invoked
       from the command line.
     EOT
-    when_invoked { |key, options| call_indirection_method(:save, key, options) }
+    when_invoked {|key, options| call_indirection_method :save, key, options[:extra] }
   end
 
   action :search do
     summary "Search for an object or retrieve multiple objects."
     arguments "<query>"
-    when_invoked { |key, options| call_indirection_method(:search, key, options) }
+    when_invoked {|key, options| call_indirection_method :search, key, options[:extra] }
   end
 
   # Print the configuration for the current terminus class
@@ -86,11 +96,11 @@ class Puppet::Indirector::Face < Puppet::Face
       run mode with the '--mode' option.
     EOT
 
-    when_invoked do |*args|
+    when_invoked do |options|
       if t = indirection.terminus_class
-        puts "Run mode '#{Puppet.run_mode.name}': #{t}"
+        "Run mode '#{Puppet.run_mode.name}': #{t}"
       else
-        $stderr.puts "No default terminus class for run mode '#{Puppet.run_mode.name}'"
+        "No default terminus class for run mode '#{Puppet.run_mode.name}'"
       end
     end
   end

data/lib/puppet/indirector/report/processor.rb

@@ -14,28 +14,30 @@ class Puppet::Transaction::Report::Processor < Puppet::Indirector::Code
     process(request.instance)
   end
 
+  def destroy(request)
+    processors do |mod|
+      mod.destroy(request.key) if mod.respond_to?(:destroy)
+    end
+  end
+
   private
 
   # Process the report with each of the configured report types.
   # LAK:NOTE This isn't necessarily the best design, but it's backward
   # compatible and that's good enough for now.
   def process(report)
-    return if Puppet[:reports] == "none"
-
-    reports.each do |name|
-      if mod = Puppet::Reports.report(name)
-        # We have to use a dup because we're including a module in the
-        # report.
-        newrep = report.dup
-        begin
-          newrep.extend(mod)
-          newrep.process
-        rescue => detail
-          puts detail.backtrace if Puppet[:trace]
-          Puppet.err "Report #{name} failed: #{detail}"
-        end
-      else
-        Puppet.warning "No report named '#{name}'"
+    Puppet.debug "Recieved report to process from #{report.host}"
+    processors do |mod|
+      Puppet.debug "Processing report from #{report.host} with processor #{mod}"
+      # We have to use a dup because we're including a module in the
+      # report.
+      newrep = report.dup
+      begin
+        newrep.extend(mod)
+        newrep.process
+      rescue => detail
+        puts detail.backtrace if Puppet[:trace]
+        Puppet.err "Report #{name} failed: #{detail}"
       end
     end
   end
@@ -45,4 +47,15 @@ class Puppet::Transaction::Report::Processor < Puppet::Indirector::Code
     # LAK:NOTE See http://snurl.com/21zf8  [groups_google_com]
     x = Puppet[:reports].gsub(/(^\s+)|(\s+$)/, '').split(/\s*,\s*/)
   end
+
+  def processors(&blk)
+    return if Puppet[:reports] == "none"
+    reports.each do |name|
+      if mod = Puppet::Reports.report(name)
+        yield(mod)
+      else
+        Puppet.warning "No report named '#{name}'"
+      end
+    end
+  end
 end

data/lib/puppet/indirector/rest.rb

@@ -71,16 +71,51 @@ class Puppet::Indirector::REST < Puppet::Indirector::Terminus
     Puppet::Network::HttpPool.http_instance(request.server || self.class.server, request.port || self.class.port)
   end
 
+  [:get, :post, :head, :delete, :put].each do |method|
+    define_method "http_#{method}" do |request, *args|
+      http_request(method, request, *args)
+    end
+  end
+
+  def http_request(method, request, *args)
+    http_connection = network(request)
+    peer_certs = []
+
+    # We add the callback to collect the certificates for use in constructing
+    # the error message if the verification failed.  This is necessary since we
+    # don't have direct access to the cert that we expected the connection to
+    # use otherwise.
+    #
+    http_connection.verify_callback = proc do |preverify_ok, ssl_context|
+      peer_certs << Puppet::SSL::Certificate.from_s(ssl_context.current_cert.to_pem)
+      preverify_ok
+    end
+
+    http_connection.send(method, *args)
+  rescue OpenSSL::SSL::SSLError => error
+    if error.message.include? "certificate verify failed"
+      raise Puppet::Error, "#{error.message}.  This is often because the time is out of sync on the server or client"
+    elsif error.message.include? "hostname was not match"
+      raise unless cert = peer_certs.find { |c| c.name !~ /^puppet ca/i }
+
+      valid_certnames = [cert.name, *cert.alternate_names].uniq
+      msg = valid_certnames.length > 1 ? "one of #{valid_certnames.join(', ')}" : valid_certnames.first
+
+      raise Puppet::Error, "Server hostname '#{http_connection.address}' did not match server certificate; expected #{msg}"
+    else
+      raise
+    end
+  end
+
   def find(request)
     uri, body = request_to_uri_and_body(request)
     uri_with_query_string = "#{uri}?#{body}"
-    http_connection = network(request)
     # WEBrick in Ruby 1.9.1 only supports up to 1024 character lines in an HTTP request
     # http://redmine.ruby-lang.org/issues/show/3991
     response = if "GET #{uri_with_query_string} HTTP/1.1\r\n".length > 1024
-      http_connection.post(uri, body, headers)
+      http_post(request, uri, body, headers)
     else
-      http_connection.get(uri_with_query_string, headers)
+      http_get(request, uri_with_query_string, headers)
     end
     result = deserialize response
     result.name = request.key if result.respond_to?(:name=)
@@ -88,7 +123,7 @@ class Puppet::Indirector::REST < Puppet::Indirector::Terminus
   end
 
   def head(request)
-    response = network(request).head(indirection2uri(request), headers)
+    response = http_head(request, indirection2uri(request), headers)
     case response.code
     when "404"
       return false
@@ -101,7 +136,7 @@ class Puppet::Indirector::REST < Puppet::Indirector::Terminus
   end
 
   def search(request)
-    unless result = deserialize(network(request).get(indirection2uri(request), headers), true)
+    unless result = deserialize(http_get(request, indirection2uri(request), headers), true)
       return []
     end
     result
@@ -109,12 +144,12 @@ class Puppet::Indirector::REST < Puppet::Indirector::Terminus
 
   def destroy(request)
     raise ArgumentError, "DELETE does not accept options" unless request.options.empty?
-    deserialize network(request).delete(indirection2uri(request), headers)
+    deserialize http_delete(request, indirection2uri(request), headers)
   end
 
   def save(request)
     raise ArgumentError, "PUT does not accept options" unless request.options.empty?
-    deserialize network(request).put(indirection2uri(request), request.instance.render, headers.merge({ "Content-Type" => request.instance.mime }))
+    deserialize http_put(request, indirection2uri(request), request.instance.render, headers.merge({ "Content-Type" => request.instance.mime }))
   end
 
   private

data/lib/puppet/indirector/yaml.rb

@@ -47,6 +47,11 @@ class Puppet::Indirector::Yaml < Puppet::Indirector::Terminus
     File.join(base, self.class.indirection_name.to_s, name.to_s + ext)
   end
 
+  def destroy(request)
+    file_path = path(request.key)
+    File.unlink(file_path) if File.exists?(file_path)
+  end
+
   def search(request)
     Dir.glob(path(request.key,'')).collect do |file|
       YAML.load_file(file)

data/lib/puppet/interface.rb

@@ -2,6 +2,7 @@ require 'puppet'
 require 'puppet/util/autoload'
 require 'puppet/interface/documentation'
 require 'prettyprint'
+require 'semver'
 
 class Puppet::Interface
   include FullDocs
@@ -63,6 +64,10 @@ class Puppet::Interface
       end
       face
     end
+
+    def find_action(name, action, version = :current)
+      Puppet::Interface::FaceCollection.get_action_for_face(name, action, version)
+    end
   end
 
   def set_default_format(format)
@@ -84,12 +89,12 @@ class Puppet::Interface
   attr_reader :name, :version
 
   def initialize(name, version, &block)
-    unless Puppet::Interface::FaceCollection.validate_version(version)
+    unless SemVer.valid?(version)
       raise ArgumentError, "Cannot create face #{name.inspect} with invalid version number '#{version}'!"
     end
 
     @name    = Puppet::Interface::FaceCollection.underscorize(name)
-    @version = version
+    @version = SemVer.new(version)
 
     # The few bits of documentation we actually demand.  The default license
     # is a favour to our end users; if you happen to get that in a core face