puppet 2.7.20 → 2.7.21

data/ext/packaging/tasks/tar.rake

@@ -1,9 +1,9 @@
 namespace :package do
   desc "Create a source tar archive"
   task :tar => [ :clean ] do
-    Rake::Task["package:doc"].invoke if @build_doc
+    Rake::Task["package:doc"].invoke if @build.build_doc
     tar = ENV['TAR'] || 'tar'
-    workdir = "pkg/#{@name}-#{@version}"
+    workdir = "pkg/#{@build.project}-#{@build.version}"
     mkdir_p(workdir)
 
     # The list of files to install in the tarball
@@ -13,13 +13,13 @@ namespace :package do
     # to support a mode where a space-separated string was used.  Support both
     # to allow a gentle migration to a modern style...
     patterns =
-      case @files
+      case @build.files
       when String
         STDERR.puts "warning: `files` should be an array, not a string"
-        @files.split(' ')
+        @build.files.split(' ')
 
       when Array
-        @files
+        @build.files
 
       else
         raise "`files` must be a string or an array!"
@@ -55,14 +55,30 @@ namespace :package do
       end
     end
 
-    tar_excludes = @tar_excludes.nil? ? [] : @tar_excludes.split(' ')
-    tar_excludes << "ext/#{@packaging_repo}"
+    tar_excludes = @build.tar_excludes.nil? ? [] : @build.tar_excludes.split(' ')
+    tar_excludes << "ext/#{@build.packaging_repo}"
     Rake::Task["package:template"].invoke(workdir)
+
+    # This is to support packages that only burn-in the version number in the
+    # release artifact, rather than storing it two (or more) times in the
+    # version control system.  Razor is a good example of that; see
+    # https://github.com/puppetlabs/Razor/blob/master/lib/project_razor/version.rb
+    # for an example of that this looks like.
+    #
+    # If you set this the version will only be modified in the temporary copy,
+    # with the intent that it never change the official source tree.
+    ENV['NEW_STYLE_PACKAGE'] and Rake::Task["package:versionbump"].invoke(workdir)
+
     cd "pkg" do
-      sh "#{tar} --exclude #{tar_excludes.join(" --exclude ")} -zcf #{@name}-#{@version}.tar.gz #{@name}-#{@version}"
+      sh "#{tar} --exclude #{tar_excludes.join(" --exclude ")} -zcf #{@build.project}-#{@build.version}.tar.gz #{@build.project}-#{@build.version}"
     end
     rm_rf(workdir)
     puts
-    puts "Wrote #{`pwd`.strip}/pkg/#{@name}-#{@version}.tar.gz"
+    puts "Wrote #{`pwd`.strip}/pkg/#{@build.project}-#{@build.version}.tar.gz"
   end
 end
+
+namespace :pl do
+  task :tar => ["package:tar"]
+end
+

data/ext/packaging/tasks/update.rake

@@ -2,8 +2,8 @@ namespace :package do
   desc "Update your clone of the packaging repo with `git pull`"
   task :update do
     cd 'ext/packaging' do
-      remote = @packaging_url.split(' ')[0]
-      branch = @packaging_url.split(' ')[1].split('=')[1]
+      remote = @build.packaging_url.split(' ')[0]
+      branch = @build.packaging_url.split(' ')[1].split('=')[1]
       if branch.nil? or remote.nil?
         STDERR.puts "Couldn't parse the packaging repo URL from 'ext/build_defaults.yaml'."
         STDERR.puts "Normally this is a string in the format git@github.com:<User>/<packaging_repo> --branch=<branch>"

data/ext/packaging/tasks/version.rake

@@ -12,32 +12,52 @@
 # revisiting this task and improving it substantially,
 # and/or standardizing the expected version file format.
 namespace :package do
-  desc "Update the version in #{@version_file} to current and commit."
-  task :versionbump  do
-    version = ENV['VERSION'] || @version.to_s.strip
-    old_version =  get_version_file_version
-    contents = IO.read(@version_file)
+  desc "Update the version in #{@build.version_file} to current and commit."
+  task :versionbump, :workdir do |t, args|
+    version = ENV['VERSION'] || @build.version.to_s.strip
     new_version = '"' + version + '"'
-    puts "Updating #{old_version} to #{new_version} in #{@version_file}"
+
+    version_file = "#{args.workdir ? args.workdir + '/' : ''}#{@build.version_file}"
+
+    # Read the previous version file in...
+    contents = IO.read(version_file)
+
+    # Match version files containing 'VERSION = "x.x.x"' and just x.x.x
+    if version_string = contents.match(/VERSION =.*/)
+      old_version = version_string.to_s.split()[-1]
+    else
+      old_version = contents
+    end
+
+    puts "Updating #{old_version} to #{new_version} in #{version_file}"
     if contents.match("@DEVELOPMENT_VERSION@")
       contents.gsub!("@DEVELOPMENT_VERSION@", version)
+    elsif contents.match('version\s*=\s*[\'"]DEVELOPMENT[\'"]')
+      contents.gsub!(/version\s*=\s*['"]DEVELOPMENT['"]/, "version = '#{version}'")
     elsif contents.match("VERSION = #{old_version}")
       contents.gsub!("VERSION = #{old_version}", "VERSION = #{new_version}")
-    elsif contents.match("#{@name.upcase}VERSION = #{old_version}")
-      contents.gsub!("#{@name.upcase}VERSION = #{old_version}", "#{@name.upcase}VERSION = #{new_version}")
+    elsif contents.match("#{@build.project.upcase}VERSION = #{old_version}")
+      contents.gsub!("#{@build.project.upcase}VERSION = #{old_version}", "#{@build.project.upcase}VERSION = #{new_version}")
     else
-      contents.gsub!(old_version, @version)
+      contents.gsub!(old_version, @build.version)
     end
-    file = File.open(@version_file, 'w')
-    file.write contents
-    file.close
+
+    # ...and write it back on out.
+    File.open(version_file, 'w') {|f| f.write contents }
   end
 
-  desc "Set and commit the version in #{@version_file}, requires VERSION."
+  desc "Set and commit the version in #{@build.version_file}, requires VERSION."
   task :versionset do
     check_var('VERSION', ENV['VERSION'])
     Rake::Task["package:versionbump"].invoke
-    git_commit_file(@version_file, "update to #{ENV['VERSION']}")
+    git_commit_file(@build.version_file, "update to #{ENV['VERSION']}")
+  end
+
+  # A set of tasks for printing the version
+  [:version, :rpmversion, :rpmrelease, :debversion, :release].each do |task|
+    task "#{task}" do
+      STDOUT.puts self.instance_variable_get("@#{task}")
+    end
   end
 end
 

data/ext/packaging/tasks/z_data_dump.rake

@@ -0,0 +1,33 @@
+##
+# These tasks are just wrappers for the build objects capabilities, exposed
+# for our debugging purposes. This file is prepended with `z_` to ensure it is
+# loaded last, so that any variable manipulations that occur in the rake tasks
+# happen prior to printing (although ideally all variables have been set after
+# loading `20_setupextrasvars.rake`).
+#
+namespace :pl do
+  ##
+  # Utility rake task that will dump all current build parameters and variables
+  # to a yaml file to a temporary location and print the path. Given the
+  # environment variable 'OUTPUT_DIR', output file at 'OUTPUT_DIR'. The
+  # environment variable TASK sets the task instance variable of the build to the
+  # supplied args, allowing us to use this file for later builds.
+  #
+  desc "Write all package build parameters to a yaml file, pass OUTPUT_DIR to specify outut location"
+  task :write_build_params do
+    if ENV['TASK']
+      task_args = ENV['TASK'].split(' ')
+      @build.task = { :task => task_args[0], :args => task_args[1..-1] }
+    end
+    @build.params_to_yaml(ENV['OUTPUT_DIR'])
+  end
+
+  ##
+  # Print all build parameters to STDOUT.
+  #
+  desc "Print all package build parameters"
+  task :print_build_params do
+    @build.print_params
+  end
+end
+

data/lib/puppet/indirector/catalog/compiler.rb

@@ -13,7 +13,9 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
 
   def extract_facts_from_request(request)
     return unless text_facts = request.options[:facts]
-    raise ArgumentError, "Facts but no fact format provided for #{request.name}" unless format = request.options[:facts_format]
+    unless format = request.options[:facts_format]
+      raise ArgumentError, "Facts but no fact format provided for #{request.key}"
+    end
 
     # If the facts were encoded as yaml, then the param reconstitution system
     # in Network::HTTP::Handler will automagically deserialize the value.
@@ -22,6 +24,11 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
     else
       facts = Puppet::Node::Facts.convert_from(format, text_facts)
     end
+
+    unless facts.name == request.key
+      raise Puppet::Error, "Catalog for #{request.key.inspect} was requested with fact definition for the wrong node (#{facts.name.inspect})."
+    end
+
     facts.add_timestamp
     Puppet::Node::Facts.indirection.save(facts)
   end
@@ -104,7 +111,11 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
   # to find the node.
   def node_from_request(request)
     if node = request.options[:use_node]
-      return node
+      if request.remote?
+        raise Puppet::Error, "Invalid option use_node for a remote request"
+      else
+        return node
+      end
     end
 
     # We rely on our authorization system to determine whether the connected

data/lib/puppet/indirector/certificate_status/file.rb

@@ -79,4 +79,9 @@ class Puppet::Indirector::CertificateStatus::File < Puppet::Indirector::Code
       nil
     end
   end
+
+  def validate_key(request)
+    # We only use desired_state from the instance and use request.key
+    # otherwise, so the name does not need to match
+  end
 end

data/lib/puppet/indirector/errors.rb

@@ -0,0 +1,5 @@
+require 'puppet/error'
+
+module Puppet::Indirector
+  class ValidationError < Puppet::Error; end
+end

data/lib/puppet/indirector/file_bucket_file/file.rb

@@ -48,6 +48,10 @@ module Puppet::FileBucketFile
       instance.to_s
     end
 
+    def validate_key(request)
+      # There are no ACLs on filebucket files so validating key is not important
+    end
+
     private
 
     def path_match(dir_path, files_original_path)

data/lib/puppet/indirector/file_bucket_file/selector.rb

@@ -44,6 +44,10 @@ module Puppet::FileBucketFile
         true
       end
     end
+
+    def validate_key(request)
+      get_terminus(request).validate(request)
+    end
   end
 end
 

data/lib/puppet/indirector/indirection.rb

@@ -308,6 +308,7 @@ class Puppet::Indirector::Indirection
 
     dest_terminus = terminus(terminus_name)
     check_authorization(request, dest_terminus)
+    dest_terminus.validate(request)
 
     dest_terminus
   end

data/lib/puppet/indirector/resource/active_record.rb

@@ -1,6 +1,9 @@
 require 'puppet/indirector/active_record'
+require 'puppet/indirector/resource/validator'
 
 class Puppet::Resource::ActiveRecord < Puppet::Indirector::ActiveRecord
+  include Puppet::Resource::Validator
+
   def search(request)
     type   = request_to_type_name(request)
     host   = request.options[:host]

data/lib/puppet/indirector/resource/ral.rb

@@ -1,4 +1,8 @@
+require 'puppet/indirector/resource/validator'
+
 class Puppet::Resource::Ral < Puppet::Indirector::Code
+  include Puppet::Resource::Validator
+
   def find( request )
     # find by name
     res   = type(request).instances.find { |o| o.name == resource_name(request) }

data/lib/puppet/indirector/resource/store_configs.rb

@@ -1,3 +1,6 @@
 require 'puppet/indirector/store_configs'
+require 'puppet/indirector/resource/validator'
+
 class Puppet::Resource::StoreConfigs < Puppet::Indirector::StoreConfigs
+  include Puppet::Resource::Validator
 end

data/lib/puppet/indirector/resource/validator.rb

@@ -0,0 +1,8 @@
+module Puppet::Resource::Validator
+  def validate_key(request)
+    type, title = request.key.split('/', 2)
+    unless type.downcase == request.instance.type.downcase and title == request.instance.title
+      raise Puppet::Indirector::ValidationError, "Resource instance does not match request key"
+    end
+  end
+end

data/lib/puppet/indirector/rest.rb

@@ -108,6 +108,10 @@ class Puppet::Indirector::REST < Puppet::Indirector::Terminus
       msg = valid_certnames.length > 1 ? "one of #{valid_certnames.join(', ')}" : valid_certnames.first
 
       raise Puppet::Error, "Server hostname '#{http_connection.address}' did not match server certificate; expected #{msg}"
+    elsif error.message.empty?
+      # This may be because the server is speaking SSLv2 and we
+      # monkey patch OpenSSL::SSL:SSLContext to reject SSLv2.
+      raise error.exception("#{error.class} with no message")
     else
       raise
     end
@@ -158,6 +162,10 @@ class Puppet::Indirector::REST < Puppet::Indirector::Terminus
     deserialize http_put(request, indirection2uri(request), request.instance.render, headers.merge({ "Content-Type" => request.instance.mime }))
   end
 
+  def validate_key(request)
+    # Validation happens on the remote end
+  end
+
   private
 
   def environment

data/lib/puppet/indirector/run/local.rb

@@ -5,4 +5,8 @@ class Puppet::Run::Local < Puppet::Indirector::Code
   def save( request )
     request.instance.run
   end
+
+  def validate_key(request)
+    # No key is necessary for kick
+  end
 end

data/lib/puppet/indirector/terminus.rb

@@ -1,4 +1,5 @@
 require 'puppet/indirector'
+require 'puppet/indirector/errors'
 require 'puppet/indirector/indirection'
 require 'puppet/util/instance_loader'
 
@@ -142,4 +143,23 @@ class Puppet::Indirector::Terminus
   def terminus_type
     self.class.terminus_type
   end
+
+  def validate(request)
+    if request.instance
+      validate_model(request)
+      validate_key(request)
+    end
+  end
+
+  def validate_key(request)
+    unless request.key == request.instance.name
+      raise Puppet::Indirector::ValidationError, "Instance name #{request.instance.name.inspect} does not match requested key #{request.key.inspect}"
+    end
+  end
+
+  def validate_model(request)
+    unless model === request.instance
+      raise Puppet::Indirector::ValidationError, "Invalid instance type #{request.instance.class.inspect}, expected #{model.inspect}"
+    end
+  end
 end

data/lib/puppet/network/formats.rb

@@ -3,12 +3,12 @@ require 'puppet/network/format_handler'
 Puppet::Network::FormatHandler.create_serialized_formats(:yaml) do
   # Yaml doesn't need the class name; it's serialized.
   def intern(klass, text)
-    YAML.load(text)
+    YAML.safely_load(text)
   end
 
   # Yaml doesn't need the class name; it's serialized.
   def intern_multiple(klass, text)
-    YAML.load(text)
+    YAML.safely_load(text)
   end
 
   def render(instance)
@@ -72,7 +72,7 @@ Puppet::Network::FormatHandler.create_serialized_formats(:b64_zlib_yaml) do
 
   def decode(yaml)
     requiring_zlib do
-      YAML.load(Zlib::Inflate.inflate(Base64.decode64(yaml)))
+      YAML.safely_load(Zlib::Inflate.inflate(Base64.decode64(yaml)))
     end
   end
 end

data/lib/puppet/network/handler/master.rb

@@ -69,7 +69,7 @@ class Puppet::Network::Handler
         Puppet.debug "Our client is remote"
 
         begin
-          facts = YAML.load(CGI.unescape(facts))
+          facts = YAML.safely_load(CGI.unescape(facts))
         rescue => detail
           raise XMLRPC::FaultException.new(
             1, "Could not rebuild facts"

data/lib/puppet/network/handler/report.rb

@@ -45,7 +45,7 @@ class Puppet::Network::Handler
 
       # First convert the report to real objects
       begin
-        report = YAML.load(yaml)
+        report = YAML.safely_load(yaml)
       rescue => detail
         Puppet.warning "Could not load report: #{detail}"
         return

data/lib/puppet/network/http/handler.rb

@@ -70,6 +70,8 @@ module Puppet::Network::HTTP::Handler
     raise
   rescue Exception => e
     return do_exception(response, e)
+  ensure
+    cleanup(request)
   end
 
   # Set the response up, with the body and status.
@@ -220,6 +222,10 @@ module Puppet::Network::HTTP::Handler
     raise NotImplementedError
   end
 
+  def cleanup(request)
+    # By default, there is nothing to cleanup.
+  end
+
   def decode_params(params)
     params.inject({}) do |result, ary|
       param, value = ary
@@ -233,7 +239,7 @@ module Puppet::Network::HTTP::Handler
       next result if param == :ip
       value = CGI.unescape(value)
       if value =~ /^---/
-        value = YAML.load(value)
+        value = YAML.safely_load(value)
       else
         value = true if value == "true"
         value = false if value == "false"

data/lib/puppet/network/http/rack/rest.rb

@@ -73,12 +73,17 @@ class Puppet::Network::HTTP::RackREST < Puppet::Network::HTTP::RackHttpHandler
   end
 
   # return the request body
-  # request.body has some limitiations, so we need to concat it back
-  # into a regular string, which is something puppet can use.
   def body(request)
     request.body.read
   end
 
+  # Passenger freaks out if we finish handling the request without reading any
+  # part of the body, so make sure we have.
+  def cleanup(request)
+    request.body.read(1)
+    nil
+  end
+
   def extract_client_info(request)
     result = {}
     result[:ip] = request.ip