puppet 2.7.17 → 2.7.18

data/lib/puppet/ssl/base.rb

@@ -5,6 +5,9 @@ class Puppet::SSL::Base
   # For now, use the YAML separator.
   SEPARATOR = "\n---\n"
 
+  # Only allow printing ascii characters, excluding /
+  VALID_CERTNAME = /\A[ -.0-~]+\Z/
+
   def self.from_multiple_s(text)
     text.split(SEPARATOR).collect { |inst| from_s(inst) }
   end
@@ -22,6 +25,10 @@ class Puppet::SSL::Base
     @wrapped_class
   end
 
+  def self.validate_certname(name)
+    raise "Certname #{name.inspect} must not contain unprintable or non-ASCII characters" unless name =~ VALID_CERTNAME
+  end
+
   attr_accessor :name, :content
 
   # Is this file for the CA?
@@ -35,6 +42,7 @@ class Puppet::SSL::Base
 
   def initialize(name)
     @name = name.to_s.downcase
+    self.class.validate_certname(@name)
   end
 
   # Read content from disk appropriately.

data/lib/puppet/ssl/certificate_authority.rb

@@ -303,6 +303,16 @@ class Puppet::SSL::CertificateAuthority
       raise CertificateSigningError.new(hostname), "CSR has request extensions that are not permitted: #{names}"
     end
 
+    # Do not sign misleading CSRs
+    cn = csr.content.subject.to_a.assoc("CN")[1]
+    if hostname != cn
+      raise CertificateSigningError.new(hostname), "CSR subject common name #{cn.inspect} does not match expected certname #{hostname.inspect}"
+    end
+
+    if hostname !~ Puppet::SSL::Base::VALID_CERTNAME
+      raise CertificateSigningError.new(hostname), "CSR #{hostname.inspect} subject contains unprintable or non-ASCII characters"
+    end
+
     # Wildcards: we don't allow 'em at any point.
     #
     # The stringification here makes the content visible, and saves us having

data/lib/puppet/ssl/certificate_authority/interface.rb

@@ -88,6 +88,8 @@ module Puppet
           names = certs.values.map(&:keys).flatten
 
           name_width = names.sort_by(&:length).last.length rescue 0
+          # We quote these names, so account for those characters
+          name_width += 2
 
           output = [:request, :signed, :invalid].map do |type|
             next if certs[type].empty?
@@ -113,11 +115,11 @@ module Puppet
 
           alt_names.delete(host)
 
-          alt_str = "(alt names: #{alt_names.join(', ')})" unless alt_names.empty?
+          alt_str = "(alt names: #{alt_names.map(&:inspect).join(', ')})" unless alt_names.empty?
 
           glyph = {:signed => '+', :request => ' ', :invalid => '-'}[type]
 
-          name = host.ljust(width)
+          name = host.inspect.ljust(width)
           fingerprint = "(#{ca.fingerprint(host, @digest)})"
 
           explanation = "(#{verify_error})" if verify_error

data/lib/puppet/ssl/host.rb

@@ -236,6 +236,7 @@ ERROR_STRING
 
   def initialize(name = nil)
     @name = (name || Puppet[:certname]).downcase
+    Puppet::SSL::Base.validate_certname(@name)
     @key = @certificate = @certificate_request = nil
     @ca = (name == self.class.ca_name)
   end

data/spec/integration/file_bucket/file_spec.rb

@@ -0,0 +1,44 @@
+#!/usr/bin/env rspec
+
+require 'spec_helper'
+
+require 'puppet/file_bucket/file'
+
+describe Puppet::FileBucket::File do
+  describe "#indirection" do
+    before :each do
+      # Never connect to the network, no matter what
+      described_class.indirection.terminus(:rest).class.any_instance.stubs(:find)
+    end
+
+    describe "when running the master application" do
+      before :each do
+        Puppet::Application[:master].setup_terminuses
+      end
+
+      {
+        "md5/d41d8cd98f00b204e9800998ecf8427e" => :file,
+        "https://puppetmaster:8140/production/file_bucket_file/md5/d41d8cd98f00b204e9800998ecf8427e" => :file,
+      }.each do |key, terminus|
+        it "should use the #{terminus} terminus when requesting #{key.inspect}" do
+          described_class.indirection.terminus(terminus).class.any_instance.expects(:find)
+
+          described_class.indirection.find(key)
+        end
+      end
+    end
+
+    describe "when running another application" do
+      {
+        "md5/d41d8cd98f00b204e9800998ecf8427e" => :file,
+        "https://puppetmaster:8140/production/file_bucket_file/md5/d41d8cd98f00b204e9800998ecf8427e" => :rest,
+      }.each do |key, terminus|
+        it "should use the #{terminus} terminus when requesting #{key.inspect}" do
+          described_class.indirection.terminus(terminus).class.any_instance.expects(:find)
+
+          described_class.indirection.find(key)
+        end
+      end
+    end
+  end
+end

data/spec/integration/file_serving/content_spec.rb

@@ -1,14 +1,9 @@
 #!/usr/bin/env rspec
+
 require 'spec_helper'
 
 require 'puppet/file_serving/content'
-require 'shared_behaviours/file_serving'
-
-describe Puppet::FileServing::Content, " when finding files" do
-  it_should_behave_like "Puppet::FileServing::Files"
 
-  before do
-    @test_class = Puppet::FileServing::Content
-    @indirection = Puppet::FileServing::Content.indirection
-  end
+describe Puppet::FileServing::Content do
+  it_should_behave_like "a file_serving model"
 end

data/spec/integration/file_serving/metadata_spec.rb

@@ -1,15 +1,10 @@
 #!/usr/bin/env rspec
+
 require 'spec_helper'
 
 require 'puppet/file_serving/metadata'
-require 'shared_behaviours/file_serving'
-require 'puppet/indirector/file_metadata/file_server'
-
-describe Puppet::FileServing::Metadata, " when finding files" do
-  it_should_behave_like "Puppet::FileServing::Files"
 
-  before do
-    @test_class = Puppet::FileServing::Metadata
-    @indirection = Puppet::FileServing::Metadata.indirection
-  end
+describe Puppet::FileServing::Metadata do
+  it_should_behave_like "a file_serving model"
 end
+

data/spec/integration/network/rest_authconfig_spec.rb

@@ -44,12 +44,31 @@ describe Puppet::Network::RestAuthConfig do
   end
 
   def request(args = {})
-    { :ip => '10.1.1.1', :node => 'host.domain.com', :key => 'key', :authenticated => true }.each do |k,v|
-      args[k] ||= v
-    end
+    args = {
+      :key => 'key',
+      :node => 'host.domain.com',
+      :ip => '10.1.1.1',
+      :authenticated => true
+    }.merge(args)
     ['test', :find, args[:key], args]
   end
 
+  it "should warn when matching against IP addresses" do
+    add_rule("allow 10.1.1.1")
+
+    @auth.should allow(request)
+
+    @logs.should be_any {|log| log.level == :warning and log.message =~ /Authentication based on IP address is deprecated/}
+  end
+
+  it "should not warn when matches against IP addresses fail" do
+    add_rule("allow 10.1.1.2")
+
+    @auth.should_not allow(request)
+
+    @logs.should_not be_any {|log| log.level == :warning and log.message =~ /Authentication based on IP address is deprecated/}
+  end
+
   it "should support IPv4 address" do
     add_rule("allow 10.1.1.1")
 

data/spec/shared_behaviours/file_serving.rb

@@ -1,68 +1,80 @@
 #!/usr/bin/env rspec
-shared_examples_for "Puppet::FileServing::Files" do
-  it "should use the rest terminus when the 'puppet' URI scheme is used and a host name is present" do
-    uri = "puppet://myhost/fakemod/my/file"
-
-    # It appears that the mocking somehow interferes with the caching subsystem.
-    # This mock somehow causes another terminus to get generated.
-    term = @indirection.terminus(:rest)
-    @indirection.stubs(:terminus).with(:rest).returns term
-    term.expects(:find)
-    @indirection.find(uri)
-  end
 
-  it "should use the rest terminus when the 'puppet' URI scheme is used, no host name is present, and the process name is not 'puppet' or 'apply'" do
-    uri = "puppet:///fakemod/my/file"
-    Puppet.settings.stubs(:value).returns "foo"
-    Puppet.settings.stubs(:value).with(:name).returns("puppetd")
-    Puppet.settings.stubs(:value).with(:modulepath).returns("")
-    @indirection.terminus(:rest).expects(:find)
-    @indirection.find(uri)
-  end
+shared_examples_for "Puppet::FileServing::Files" do |indirection|
+  %w[find search].each do |method|
+    let(:request) { Puppet::Indirector::Request.new(indirection, method, 'foo') }
 
-  it "should use the file_server terminus when the 'puppet' URI scheme is used, no host name is present, and the process name is 'puppet'" do
-    uri = "puppet:///fakemod/my/file"
-    Puppet::Node::Environment.stubs(:new).returns(stub("env", :name => "testing", :module => nil, :modulepath => []))
-    Puppet.settings.stubs(:value).returns ""
-    Puppet.settings.stubs(:value).with(:name).returns("puppet")
-    Puppet.settings.stubs(:value).with(:fileserverconfig).returns("/whatever")
-    @indirection.terminus(:file_server).expects(:find)
-    @indirection.terminus(:file_server).stubs(:authorized?).returns(true)
-    @indirection.find(uri)
-  end
+    before :each do
+      # Stub this so we can set the :name setting
+      Puppet::Util::Settings::ReadOnly.stubs(:include?)
+    end
 
-  it "should use the file_server terminus when the 'puppet' URI scheme is used, no host name is present, and the process name is 'apply'" do
-    uri = "puppet:///fakemod/my/file"
-    Puppet::Node::Environment.stubs(:new).returns(stub("env", :name => "testing", :module => nil, :modulepath => []))
-    Puppet.settings.stubs(:value).returns ""
-    Puppet.settings.stubs(:value).with(:name).returns("apply")
-    Puppet.settings.stubs(:value).with(:fileserverconfig).returns("/whatever")
-    @indirection.terminus(:file_server).expects(:find)
-    @indirection.terminus(:file_server).stubs(:authorized?).returns(true)
-    @indirection.find(uri)
-  end
+    describe "##{method}" do
+      it "should proxy to file terminus if the path is absolute" do
+        request.key = make_absolute('/tmp/foo')
 
-  it "should use the file terminus when the 'file' URI scheme is used" do
-    uri = Puppet::Util.path_to_uri(File.expand_path('/fakemod/my/other file'))
-    uri.scheme.should == 'file'
-    @indirection.terminus(:file).expects(:find)
-    @indirection.find(uri.to_s)
-  end
+        described_class.indirection.terminus(:file).class.any_instance.expects(method).with(request)
 
-  it "should use the file terminus when a fully qualified path is provided" do
-    uri = File.expand_path("/fakemod/my/file")
-    @indirection.terminus(:file).expects(:find)
-    @indirection.find(uri)
-  end
+        subject.send(method, request)
+      end
+
+      it "should proxy to file terminus if the protocol is file" do
+        request.protocol = 'file'
+
+        described_class.indirection.terminus(:file).class.any_instance.expects(method).with(request)
+
+        subject.send(method, request)
+      end
+
+      describe "when the protocol is puppet" do
+        before :each do
+          request.protocol = 'puppet'
+        end
+
+        describe "and a server is specified" do
+          before :each do
+            request.server = 'puppet_server'
+          end
+
+          it "should proxy to rest terminus if we're 'apply'" do
+            Puppet[:name] = 'apply'
+
+            described_class.indirection.terminus(:rest).class.any_instance.expects(method).with(request)
+
+            subject.send(method, request)
+          end
+
+          it "should proxy to rest terminus if we aren't 'apply'" do
+            Puppet[:name] = 'not_apply'
+
+            described_class.indirection.terminus(:rest).class.any_instance.expects(method).with(request)
+
+            subject.send(method, request)
+          end
+        end
+
+        describe "and no server is specified" do
+          before :each do
+            request.server = nil
+          end
+
+          it "should proxy to file_server if we're 'apply'" do
+            Puppet[:name] = 'apply'
+
+            described_class.indirection.terminus(:file_server).class.any_instance.expects(method).with(request)
+
+            subject.send(method, request)
+          end
+
+          it "should proxy to rest if we're not 'apply'" do
+            Puppet[:name] = 'not_apply'
 
-  it "should use the configuration to test whether the request is allowed" do
-    uri = "fakemod/my/file"
-    mount = mock 'mount'
-    config = stub 'configuration', :split_path => [mount, "eh"]
-    @indirection.terminus(:file_server).stubs(:configuration).returns config
+            described_class.indirection.terminus(:rest).class.any_instance.expects(method).with(request)
 
-    @indirection.terminus(:file_server).expects(:find)
-    mount.expects(:allowed?).returns(true)
-    @indirection.find(uri, :node => "foo", :ip => "bar")
+            subject.send(method, request)
+          end
+        end
+      end
+    end
   end
 end

data/spec/shared_behaviours/file_serving_model.rb

@@ -0,0 +1,73 @@
+#!/usr/bin/env rspec
+
+shared_examples_for "a file_serving model" do
+  include PuppetSpec::Files
+
+  describe "#indirection" do
+    before :each do
+      # Never connect to the network, no matter what
+      described_class.indirection.terminus(:rest).class.any_instance.stubs(:find)
+    end
+
+    describe "when running the master application" do
+      before :each do
+        Puppet::Application[:master].setup_terminuses
+      end
+
+      {
+       "/etc/sudoers"                    => :file_server,
+       "file:///etc/sudoers"             => :file_server,
+       "puppet:///modules/foo/bar"       => :file_server,
+       "puppet://server/modules/foo/bar" => :file_server,
+      }.each do |key, terminus|
+        it "should use the #{terminus} terminus when requesting #{key.inspect}" do
+          described_class.indirection.terminus(terminus).class.any_instance.expects(:find)
+
+          described_class.indirection.find(key)
+        end
+      end
+    end
+
+    describe "when running the apply application" do
+      before :each do
+        # Stub this so we can set the 'name' setting
+        Puppet::Util::Settings::ReadOnly.stubs(:include?)
+        Puppet[:name] = 'apply'
+      end
+
+      {
+       "/etc/sudoers"                    => :file,
+       "file:///etc/sudoers"             => :file,
+       "puppet:///modules/foo/bar"       => :file_server,
+       "puppet://server/modules/foo/bar" => :rest,
+      }.each do |key, terminus|
+        it "should use the #{terminus} terminus when requesting #{key.inspect}" do
+          described_class.indirection.terminus(terminus).class.any_instance.expects(:find)
+
+          described_class.indirection.find(key)
+        end
+      end
+    end
+
+    describe "when running another application" do
+      before :each do
+        # Stub this so we can set the 'name' setting
+        Puppet::Util::Settings::ReadOnly.stubs(:include?)
+        Puppet[:name] = 'agent'
+      end
+
+      {
+       "/etc/sudoers"                    => :file,
+       "file:///etc/sudoers"             => :file,
+       "puppet:///modules/foo/bar"       => :rest,
+       "puppet://server/modules/foo/bar" => :rest,
+      }.each do |key, terminus|
+        it "should use the #{terminus} terminus when requesting #{key.inspect}" do
+          described_class.indirection.terminus(terminus).class.any_instance.expects(:find)
+
+          described_class.indirection.find(key)
+        end
+      end
+    end
+  end
+end

data/spec/unit/file_serving/configuration_spec.rb

@@ -158,80 +158,88 @@ describe Puppet::FileServing::Configuration do
     end
   end
 
-  describe "when finding the mount name and relative path in a request key" do
-    before do
-      @config = Puppet::FileServing::Configuration.configuration
-      @config.stubs(:find_mount)
+  describe "#split_path" do
+    let(:config) { Puppet::FileServing::Configuration.configuration }
+    let(:request) { stub 'request', :key => "foo/bar/baz", :options => {}, :node => nil, :environment => mock("env") }
 
-      @request = stub 'request', :key => "foo/bar/baz", :options => {}, :node => nil, :environment => mock("env")
+    before do
+      config.stubs(:find_mount)
     end
 
     it "should reread the configuration" do
-      @config.expects(:readconfig)
+      config.expects(:readconfig)
 
-      @config.split_path(@request)
+      config.split_path(request)
     end
 
     it "should treat the first field of the URI path as the mount name" do
-      @config.expects(:find_mount).with { |name, node| name == "foo" }
+      config.expects(:find_mount).with { |name, node| name == "foo" }
 
-      @config.split_path(@request)
+      config.split_path(request)
     end
 
     it "should fail if the mount name is not alpha-numeric" do
-      @request.expects(:key).returns "foo&bar/asdf"
+      request.expects(:key).returns "foo&bar/asdf"
 
-      lambda { @config.split_path(@request) }.should raise_error(ArgumentError)
+      lambda { config.split_path(request) }.should raise_error(ArgumentError)
     end
 
     it "should support dashes in the mount name" do
-      @request.expects(:key).returns "foo-bar/asdf"
+      request.expects(:key).returns "foo-bar/asdf"
 
-      lambda { @config.split_path(@request) }.should_not raise_error(ArgumentError)
+      lambda { config.split_path(request) }.should_not raise_error(ArgumentError)
     end
 
     it "should use the mount name and environment to find the mount" do
-      @config.expects(:find_mount).with { |name, env| name == "foo" and env == @request.environment }
-      @request.stubs(:node).returns("mynode")
+      config.expects(:find_mount).with { |name, env| name == "foo" and env == request.environment }
+      request.stubs(:node).returns("mynode")
 
-      @config.split_path(@request)
+      config.split_path(request)
     end
 
     it "should return nil if the mount cannot be found" do
-      @config.expects(:find_mount).returns nil
+      config.expects(:find_mount).returns nil
 
-      @config.split_path(@request).should be_nil
+      config.split_path(request).should be_nil
     end
 
     it "should return the mount and the relative path if the mount is found" do
       mount = stub 'mount', :name => "foo"
-      @config.expects(:find_mount).returns mount
+      config.expects(:find_mount).returns mount
 
-      @config.split_path(@request).should == [mount, "bar/baz"]
+      config.split_path(request).should == [mount, "bar/baz"]
     end
 
     it "should remove any double slashes" do
-      @request.stubs(:key).returns "foo/bar//baz"
+      request.stubs(:key).returns "foo/bar//baz"
       mount = stub 'mount', :name => "foo"
-      @config.expects(:find_mount).returns mount
+      config.expects(:find_mount).returns mount
+
+      config.split_path(request).should == [mount, "bar/baz"]
+    end
+
+    it "should fail if the path contains .." do
+      request.stubs(:key).returns 'module/foo/../../bar'
 
-      @config.split_path(@request).should == [mount, "bar/baz"]
+      expect do
+        config.split_path(request)
+      end.to raise_error(ArgumentError, /Invalid relative path/)
     end
 
     it "should return the relative path as nil if it is an empty string" do
-      @request.expects(:key).returns "foo"
+      request.expects(:key).returns "foo"
       mount = stub 'mount', :name => "foo"
-      @config.expects(:find_mount).returns mount
+      config.expects(:find_mount).returns mount
 
-      @config.split_path(@request).should == [mount, nil]
+      config.split_path(request).should == [mount, nil]
     end
 
     it "should add 'modules/' to the relative path if the modules mount is used but not specified, for backward compatibility" do
-      @request.expects(:key).returns "foo/bar"
+      request.expects(:key).returns "foo/bar"
       mount = stub 'mount', :name => "modules"
-      @config.expects(:find_mount).returns mount
+      config.expects(:find_mount).returns mount
 
-      @config.split_path(@request).should == [mount, "foo/bar"]
+      config.split_path(request).should == [mount, "foo/bar"]
     end
   end
 end