puppet 2.7.5 → 2.7.6

data/CHANGELOG

@@ -1,3 +1,110 @@
+2.7.6 (includes CVE-2011-3872 see http://puppetlabs.com/security/hotfixes/cve-2011-3872/
+===
+c09517a Improve the error message when a CSR is rejected
+9346530 Allow a master to bootstrap itself with dns_alt_names and autosign
+7679c66 (maint) Remove ssl dir before starting a master with DNS alt names
+e4c64c7 Fix failing CA Interface specs on Ruby 1.9
+9ee1215 Fix some inconsistencies from merging
+8144939 Add support for DNS alt names to `puppet ca`
+2ba56e3 More 1.8.5 compatibility fixes.
+6257188 Better 1.8.5 compatible implementation of `lines`.
+4ba4db7 (#2848) Config options require '_', not '-'.
+493f8d1 Add --allow-dns-alt-names option to `puppet certificate sign`
+0cc8936 Add support for dns-alt-names option to `puppet certificate generate`
+c65236d Ruby 1.8.5 compatibility changes in tests and code.
+6c37623 Add `lines` alias for `each_line` in Ruby 1.8.5.
+e29eb6a s/not_to/should_not/ for older versions of RSpec 2.
+f1f5298 (#2848) Eliminate redundant `master_dns_alt_names`.
+3a8b376 (#2848) Remove the legacy SSLCertificates code
+28dead0 (#2848) Rework the xmlrpc CA handler to use the modern SSL code
+a644514 (#2848) Remove unused xmlrpc code
+2b1ad43 (#2848) Consistent return values from `subject_alt_names` accessors.
+d8516d9 (#2848) Consistently use `subject_alt_names` as accessor name.
+0b45f4c (#2848) Don't strip the subjectAltName label when listing.
+99488f3 (#2848) Don't enable `emailProtection` for server keys.
+f1285a4 (#2848) Only mark `subjectAltName` critical if `subject` is empty.
+e65a88e (#2848) Migrate `dns-alt-names` back to settings.
+b876c39 Wire up the `setbycli` slot in Puppet settings.
+a53f2f2 (#2848) rename subject-alt-name option to dns-alt-names
+bc2267a (#2848) Rename `certdnsnames` to match new behaviour.
+a720499 (#2848) Use `certdnsnames` when bootstrapping a local master.
+6e3f529 (#2848) CSR subjectAltNames handling while signing.
+978b65c (#2848) List subject alt names in output of puppet cert --list
+7460a5e (#7224) Add a helper to Puppet::SSL::Certificate to retrieve alternate names
+94345eb (#2848) Rewrite SSL Certificate Factory, fixing `subjectAltName` leak.
+a729d90 (#2848) Reject unknown (== all) extensions on the CSR.
+f4fc11d (#2848) extract the subjectAltName value from the CSR.
+d64b01b (#2848) Set `certdnsnames` values into the CSR.
+78a01a2 (#6928) Don't blow up when the method is undefined...
+43d1e38 (#9996) Restore functionality for multi-line commands in exec resources
+d457763 (#9832) General StoreConfigs regression.
+2958b05 maint: Deal with [].to_s problem in 1.9.2
+9c25af4 (#9027) Get rid of spurious info messages in groupadd
+1f25c20 (#8411) Fix change group for POSIX file provider
+599642d Fix problem with set_mode (chmod) behavior on different test environments.
+b43765d Undo change to failing test on 1.8.5
+c275a51 Resist directory traversal attacks through indirections.
+d759f84 (#9838) Return the tranaction report when doing a ral save
+127f83e (#9837) Split parameter pruning from manifest formatting
+9d5ce00 (#9837) Move resource formatting method to Puppet::Resource
+86230d8 (#9837) Move properties in prep to move proc to method
+bf952e1 (#9837) Make a clearer variable name in the specs
+6885c36 (#9837) Call puppet apply to avoid deprecation warning
+93f8057 (#9837) Extract methods from the main section of the resource application
+5d33214 (#9837) Start the cleanup of the puppet resource application
+54a2565 (#9832) Test failures with some ActiveRecord versions.
+2bf8004 Updates for 2.6.11
+8343077 (#9832) 2.7.4 StoreConfigs regression with PostgreSQL.
+dce82ea (#9458) Require main puppet module
+e158b26 (#9793) "secure" indirector file backed terminus base class.
+343c7bd (#9792) Predictable temporary filename in ralsh.
+88512e8 Drop privileges before creating and chmodding SSH keys.
+6533292 (#9328) Retrieve user and group SIDs on windows.
+2775c21 (#9794) k5login can overwrite arbitrary files as root
+e7a6995 (#9794) k5login can overwrite arbitrary files as root
+408d117 Updated CHANGELOG for 2.6.10
+ec5a32a Update spec and lib/puppet.rb for 2.6.10 release
+4e8d3a1 (#9775) Only list managed resources in the resources file
+51b33d1 (#9326) Support plaintext passwords in Windows 'user' provider.
+fe2de81 Resist directory traversal attacks through indirections.
+5fea1dc Fix issues with Windows based file URIs
+1a13d24 Simplify absolute path detection
+a163cd5 Eliminate duplicate absolute path detection
+0ce60a5 Added methods for manipulating URI and file paths
+71ba92c Restrict the absolute path regex to the start of the string
+1edf767 Move group management into providers
+15149c1 Remove duplicate SID resolution code
+f932511 Move owner management into providers
+f05fc83 Add platform-specific metadata collectors
+db0b4fb Make string_to_sid_ptr block optional
+7fc6baf Add the ability to retrieve user and group SIDs
+22bfd9c Move mode management into the providers
+4c3aae8 Fix typo bug that prevented FILE_DELETE_CHILD from being set
+7de0a80 Sub away trailing backslashes at the end of sources on Windows
+44cb1f1 Refactor autorequire of parent to use pathname with ancestors
+1300e0a Remove unnecessary Windows-on-non-Windows-master code for path parameter
+1f9b57f Cleanup file type integration tests
+8d21262 Cleanup and improve coverage of file type unit tests
+0a92a70 Resist directory traversal attacks through indirections.
+8b6a775 Call Array#join explicitly on command
+ae74c68 Fix failing SSL Host test introduced by b6a67edc
+37a1975 (#4549) Fix templates to be able to call all functions
+a74e56d Expand paths in catalog_spec for windows testing
+8d86e5a (9547) Minor mods to acceptance tests
+8ec3c7b (#4135) Update pluginsync to only load ruby files.
+0c8a0c7 Fix order dependent test failures relating to ADSI
+c0edb76 (#9186) Fix tests that fail on 2008 when running as SYSTEM
+8e14de6 (#9186) Handle when running under non 'user' contexts
+7595475 Fix device.conf error reporting
+1d3a3a7 Fix #9164 - allow '-' in device certificate names
+b6a67ed Fix #7982 - puppet device doesn't reset all cached attributes
+ba1f469 (#9186) Change to shared_examples_for
+b27b013 (#8410) Fix child exit status on Windows
+42c9982 (#9186) Add the ability to get/set windows permissions
+d34d28d (#9435) Gracefully handle when syslog feature is unavailable
+f013c65 (#9435) Fix absolute path matching for file log destinations
+ea88745 (#9329) Disable agent daemonizing on Windows
+
 2.7.5
 ===
 a36f39d Updating version numbers for 2.7.5
@@ -1090,6 +1197,20 @@ d532e6d Fixing #3185 Rakefile is loading puppet.rb twice
 5aa596c Fix #3150 - require function doesn't like ::class syntax
 3457b87 Added time module to tagmail report
 
+2.6.11
+===
+e158b26 (#9793) "secure" indirector file backed terminus base class.
+343c7bd (#9792) Predictable temporary filename in ralsh.
+88512e8 Drop privileges before creating and chmodding SSH keys.
+2775c21 (#9794) k5login can overwrite arbitrary files as root
+
+2.6.10
+===
+ec5a32a Update spec and lib/puppet.rb for 2.6.10 release
+fe2de81 Resist directory traversal attacks through indirections. (CVE-2011-3484)
+243aaa9 (#7956) Porting cron tests
+3e3fc69 (#7956) Port resource acceptance tests
+
 2.6.9
 ====
 db1a392 (#7506) Organize READMEs; specify supported Ruby versions in README.md

data/conf/redhat/puppet.spec

@@ -5,13 +5,13 @@
 %global confdir conf/redhat
 
 Name:           puppet
-Version:        2.7.5
+Version:        2.7.6
 Release:        1%{?dist}
 Summary:        A network tool for managing many disparate systems
 License:        ASL 2.0
 URL:            http://puppetlabs.com
-Source0:        http://puppetlabs.com/downloads/%{name}/%{name}-%{version}rc1.tar.gz
-Source1:        http://puppetlabs.com/downloads/%{name}/%{name}-%{version}rc1.tar.gz.asc
+Source0:        http://puppetlabs.com/downloads/%{name}/%{name}-%{version}.tar.gz
+Source1:        http://puppetlabs.com/downloads/%{name}/%{name}-%{version}.tar.gz.asc
 
 Group:          System Environment/Base
 
@@ -65,7 +65,7 @@ Provides the central puppet server daemon which provides manifests to clients.
 The server can also function as a certificate authority and file server.
 
 %prep
-%setup -q -n %{name}-%{version}rc1
+%setup -q -n %{name}-%{version}
 patch -s -p1 < conf/redhat/rundir-perms.patch
 
 
@@ -282,6 +282,18 @@ fi
 rm -rf %{buildroot}
 
 %changelog
+* Fri Oct 21 2011 Michael Stahnke <stahnma@puppetlabs.com> - 2.7.6-1
+- 2.7.6 final
+
+* Thu Oct 13 2011 Michael Stahnke <stahnma@puppetlabs.com> - 2.7.6-.1rc3
+- New RC
+
+* Fri Oct 07 2011 Michael Stahnke <stahnma@puppetlabs.com> - 2.7.6-0.1rc2
+- New RC
+
+* Mon Oct 03 2011 Michael Stahnke <stahnma@puppetlabs.com> -  2.7.6-0.1rc1
+- New RC
+
 * Fri Sep 30 2011 Michael Stahnke <stahnma@puppetlabs.com> - 2.7.5-1
 - Fixes for CVE-2011-3869, 3870, 3871
 
@@ -295,9 +307,6 @@ rm -rf %{buildroot}
 * Wed Jul 06 2011 Michael Stahnke <stahnma@puppetlabs.com> - 2.7.2-0.1.rc1
 - Update to 2.7.2rc1
 
-* Tue Jun 21 2011 Michael Stahnke <stahnma@puppetlabs.com> - 2.6.9-1
-- Release of 2.6.9 
-
 * Wed Jun 15 2011 Todd Zullinger <tmz@pobox.com> - 2.6.9-0.1.rc1
 - Update rc versioning to ensure 2.6.9 final is newer to rpm
 - sync changes with Fedora/EPEL

data/lib/puppet.rb

@@ -24,7 +24,7 @@ require 'puppet/util/run_mode'
 # it's also a place to find top-level commands like 'debug'
 
 module Puppet
-  PUPPETVERSION = '2.7.5'
+  PUPPETVERSION = '2.7.6'
 
   def Puppet.version
     PUPPETVERSION

data/lib/puppet/application/cert.rb

@@ -10,6 +10,7 @@ class Puppet::Application::Cert < Puppet::Application
   def subcommand
     @subcommand
   end
+
   def subcommand=(name)
     # Handle the nasty, legacy mapping of "clean" to "destroy".
     sub = name.to_sym
@@ -38,11 +39,15 @@ class Puppet::Application::Cert < Puppet::Application
 
   require 'puppet/ssl/certificate_authority/interface'
   Puppet::SSL::CertificateAuthority::Interface::INTERFACE_METHODS.reject {|m| m == :destroy }.each do |method|
-    option("--#{method}", "-#{method.to_s[0,1]}") do
+    option("--#{method.to_s.gsub('_','-')}", "-#{method.to_s[0,1]}") do
       self.subcommand = method
     end
   end
 
+  option("--[no-]allow-dns-alt-names") do |value|
+    options[:allow_dns_alt_names] = value
+  end
+
   option("--verbose", "-v") do
     Puppet::Util::Log.level = :info
   end
@@ -181,8 +186,8 @@ Copyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License
       hosts = command_line.args.collect { |h| h.downcase }
     end
     begin
-      @ca.apply(:revoke, :to => hosts) if subcommand == :destroy
-      @ca.apply(subcommand, :to => hosts, :digest => @digest)
+      @ca.apply(:revoke, options.merge(:to => hosts)) if subcommand == :destroy
+      @ca.apply(subcommand, options.merge(:to => hosts, :digest => @digest))
     rescue => detail
       puts detail.backtrace if Puppet[:trace]
       puts detail.to_s
@@ -202,6 +207,15 @@ Copyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License
       Puppet::SSL::Host.ca_location = :only
     end
 
+    # If we are generating, and the option came from the CLI, it gets added to
+    # the data.  This will do the right thing for non-local certificates, in
+    # that the command line but *NOT* the config file option will apply.
+    if subcommand == :generate
+      if Puppet.settings.setting(:dns_alt_names).setbycli
+        options[:dns_alt_names] = Puppet[:dns_alt_names]
+      end
+    end
+
     begin
       @ca = Puppet::SSL::CertificateAuthority.new
     rescue => detail

data/lib/puppet/application/device.rb

@@ -196,6 +196,7 @@ Licensed under the Apache 2.0 License
         Puppet.settings.set_value(:vardir, vardir, :cli)
         Puppet.settings.set_value(:confdir, confdir, :cli)
         Puppet.settings.set_value(:certname, certname, :cli)
+        Puppet::SSL::Host.reset
       end
     end
   end

data/lib/puppet/application/kick.rb

@@ -173,8 +173,6 @@ Copyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License
   end
 
   def main
-    require 'puppet/network/client'
-
     Puppet.warning "Failed to load ruby LDAP library. LDAP functionality will not be available" unless Puppet.features.ldap?
     require 'puppet/util/ldap/connection'
 

data/lib/puppet/application/resource.rb

@@ -8,7 +8,6 @@ class Puppet::Application::Resource < Puppet::Application
 
   def preinit
     @extra_params = []
-    @host = nil
     Facter.loadfacts
   end
 
@@ -138,9 +137,70 @@ Copyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License
   end
 
   def main
-    args = command_line.args
+    type, name, params = parse_args(command_line.args)
+
+    raise "You cannot edit a remote host" if options[:edit] and @host
+
+    resources = find_or_save_resources(type, name, params)
+    text = resources.
+      map { |resource| resource.prune_parameters(:parameters_to_include => @extra_params).to_manifest }.
+      join("\n")
+
+    options[:edit] ?
+      handle_editing(text) :
+      (puts text)
+  end
+
+  def setup
+    Puppet::Util::Log.newdestination(:console)
+
+    Puppet.parse_config
+
+    if options[:debug]
+      Puppet::Util::Log.level = :debug
+    elsif options[:verbose]
+      Puppet::Util::Log.level = :info
+    end
+  end
+
+  private
+
+  def remote_key(type, name)
+    Puppet::Resource.indirection.terminus_class = :rest
+    port = Puppet[:puppetport]
+    ["https://#{@host}:#{port}", "production", "resources", type, name].join('/')
+  end
+
+  def local_key(type, name)
+    [type, name].join('/')
+  end
+
+  def handle_editing(text)
+    require 'tempfile'
+    # Prefer the current directory, which is more likely to be secure
+    # and, in the case of interactive use, accessible to the user.
+    tmpfile = Tempfile.new('x2puppet', Dir.pwd)
+    begin
+      # sync write, so nothing buffers before we invoke the editor.
+      tmpfile.sync = true
+      tmpfile.puts text
+
+      # edit the content
+      system(ENV["EDITOR"] || 'vi', tmpfile.path)
+
+      # ...and, now, pass that file to puppet to apply.  Because
+      # many editors rename or replace the original file we need to
+      # feed the pathname, not the file content itself, to puppet.
+      system('puppet apply -v ' + tmpfile.path)
+    ensure
+      # The temporary file will be safely removed.
+      tmpfile.close(true)
+    end
+  end
+
+  def parse_args(args)
     type = args.shift or raise "You must specify the type to display"
-    typeobj = Puppet::Type.type(type) or raise "Could not find type #{type}"
+    Puppet::Type.type(type) or raise "Could not find type #{type}"
     name = args.shift
     params = {}
     args.each do |setting|
@@ -151,80 +211,27 @@ Copyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License
       end
     end
 
-    raise "You cannot edit a remote host" if options[:edit] and @host
-
-    properties = typeobj.properties.collect { |s| s.name }
-
-    format = proc {|trans|
-      trans.dup.collect do |param, value|
-        if value.nil? or value.to_s.empty?
-          trans.delete(param)
-        elsif value.to_s == "absent" and param.to_s != "ensure"
-          trans.delete(param)
-        end
-
-        trans.delete(param) unless properties.include?(param) or @extra_params.include?(param)
-      end
-      trans.to_manifest
-    }
+    [type, name, params]
+  end
 
-    if @host
-      Puppet::Resource.indirection.terminus_class = :rest
-      port = Puppet[:puppetport]
-      key = ["https://#{host}:#{port}", "production", "resources", type, name].join('/')
-    else
-      key = [type, name].join('/')
-    end
+  def find_or_save_resources(type, name, params)
+    key = @host ? remote_key(type, name) : local_key(type, name)
 
-    text = if name
+    if name
       if params.empty?
         [ Puppet::Resource.indirection.find( key ) ]
       else
-        [ Puppet::Resource.indirection.save(Puppet::Resource.new( type, name, :parameters => params ), key) ]
+        resource = Puppet::Resource.new( type, name, :parameters => params )
+
+        # save returns [resource that was saved, transaction log from applying the resource]
+        save_result = Puppet::Resource.indirection.save(resource, key)
+        [ save_result.first ]
       end
     else
       if type == "file"
         raise "Listing all file instances is not supported.  Please specify a file or directory, e.g. puppet resource file /etc"
       end
       Puppet::Resource.indirection.search( key, {} )
-    end.map(&format).join("\n")
-
-    if options[:edit]
-      require 'tempfile'
-      # Prefer the current directory, which is more likely to be secure
-      # and, in the case of interactive use, accessible to the user.
-      tmpfile = Tempfile.new('x2puppet', Dir.pwd)
-      begin
-        # sync write, so nothing buffers before we invoke the editor.
-        tmpfile.sync = true
-        tmpfile.puts text
-
-        # edit the content
-        system(ENV["EDITOR"] || 'vi', tmpfile.path)
-
-        # ...and, now, pass that file to puppet to apply.  Because
-        # many editors rename or replace the original file we need to
-        # feed the pathname, not the file content itself, to puppet.
-        system('puppet -v ' + tmpfile.path)
-      ensure
-        # The temporary file will be safely removed.
-        tmpfile.close(true)
-      end
-    else
-      puts text
-    end
-  end
-
-  def setup
-    Puppet::Util::Log.newdestination(:console)
-
-    # Now parse the config
-    Puppet.parse_config
-
-    if options[:debug]
-      Puppet::Util::Log.level = :debug
-    elsif options[:verbose]
-      Puppet::Util::Log.level = :info
     end
   end
 end

data/lib/puppet/configurer/plugin_handler.rb

@@ -24,8 +24,12 @@ module Puppet::Configurer::PluginHandler
     return if FileTest.directory?(file)
 
     begin
-      Puppet.info "Loading downloaded plugin #{file}"
-      load file
+      if file =~ /.rb$/
+        Puppet.info "Loading downloaded plugin #{file}"
+        load file
+      else
+        Puppet.debug "Skipping downloaded plugin #{file}"
+      end
     rescue Exception => detail
       Puppet.err "Could not load downloaded file #{file}: #{detail}"
     end