puppet 3.1.0 → 3.1.1

data/conf/auth.conf

@@ -75,10 +75,10 @@ path /certificate_revocation_list/ca
 method find
 allow *
 
-# allow all nodes to store their reports
-path /report
+# allow all nodes to store their own reports
+path ~ ^/report/([^/]+)$
 method save
-allow *
+allow $1
 
 # Allow all nodes to access all file services; this is necessary for
 # pluginsync, file serving from modules, and file serving from custom

data/lib/puppet/indirector/catalog/compiler.rb

@@ -12,7 +12,9 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
 
   def extract_facts_from_request(request)
     return unless text_facts = request.options[:facts]
-    raise ArgumentError, "Facts but no fact format provided for #{request.name}" unless format = request.options[:facts_format]
+    unless format = request.options[:facts_format]
+      raise ArgumentError, "Facts but no fact format provided for #{request.key}"
+    end
 
     # If the facts were encoded as yaml, then the param reconstitution system
     # in Network::HTTP::Handler will automagically deserialize the value.
@@ -21,6 +23,11 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
     else
       facts = Puppet::Node::Facts.convert_from(format, text_facts)
     end
+
+    unless facts.name == request.key
+      raise Puppet::Error, "Catalog for #{request.key.inspect} was requested with fact definition for the wrong node (#{facts.name.inspect})."
+    end
+
     facts.add_timestamp
     Puppet::Node::Facts.indirection.save(facts)
   end
@@ -104,7 +111,11 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
   # to find the node.
   def node_from_request(request)
     if node = request.options[:use_node]
-      return node
+      if request.remote?
+        raise Puppet::Error, "Invalid option use_node for a remote request"
+      else
+        return node
+      end
     end
 
     # We rely on our authorization system to determine whether the connected

data/lib/puppet/indirector/certificate_status/file.rb

@@ -83,4 +83,9 @@ class Puppet::Indirector::CertificateStatus::File < Puppet::Indirector::Code
       nil
     end
   end
+
+  def validate_key(request)
+    # We only use desired_state from the instance and use request.key
+    # otherwise, so the name does not need to match
+  end
 end

data/lib/puppet/indirector/errors.rb

@@ -0,0 +1,5 @@
+require 'puppet/error'
+
+module Puppet::Indirector
+  class ValidationError < Puppet::Error; end
+end

data/lib/puppet/indirector/file_bucket_file/file.rb

@@ -48,6 +48,10 @@ module Puppet::FileBucketFile
       instance.to_s
     end
 
+    def validate_key(request)
+      # There are no ACLs on filebucket files so validating key is not important
+    end
+
     private
 
     def path_match(dir_path, files_original_path)

data/lib/puppet/indirector/file_bucket_file/selector.rb

@@ -44,6 +44,10 @@ module Puppet::FileBucketFile
         true
       end
     end
+
+    def validate_key(request)
+      get_terminus(request).validate(request)
+    end
   end
 end
 

data/lib/puppet/indirector/indirection.rb

@@ -192,7 +192,7 @@ class Puppet::Indirector::Indirection
       result.expiration ||= self.expiration if result.respond_to?(:expiration)
       if cache? and request.use_cache?
         Puppet.info "Caching #{self.name} for #{request.key}"
-        cache.save request(:save, nil, result, options)
+        cache.save request(:save, key, result, options)
       end
 
       return terminus.respond_to?(:filter) ? terminus.filter(result) : result
@@ -303,6 +303,7 @@ class Puppet::Indirector::Indirection
 
     dest_terminus = terminus(terminus_name)
     check_authorization(request, dest_terminus)
+    dest_terminus.validate(request)
 
     dest_terminus
   end

data/lib/puppet/indirector/resource/active_record.rb

@@ -1,6 +1,8 @@
 require 'puppet/indirector/active_record'
+require 'puppet/indirector/resource/validator'
 
 class Puppet::Resource::ActiveRecord < Puppet::Indirector::ActiveRecord
+  include Puppet::Resource::Validator
 
   desc "A component of ActiveRecord storeconfigs. ActiveRecord-based storeconfigs
     and inventory are deprecated. See http://links.puppetlabs.com/activerecord-deprecation"

data/lib/puppet/indirector/resource/ral.rb

@@ -1,4 +1,7 @@
+require 'puppet/indirector/resource/validator'
+
 class Puppet::Resource::Ral < Puppet::Indirector::Code
+  include Puppet::Resource::Validator
 
   desc "Manipulate resources with the resource abstraction layer. Only used internally."
 

data/lib/puppet/indirector/resource/store_configs.rb

@@ -1,5 +1,8 @@
 require 'puppet/indirector/store_configs'
+require 'puppet/indirector/resource/validator'
+
 class Puppet::Resource::StoreConfigs < Puppet::Indirector::StoreConfigs
+  include Puppet::Resource::Validator
 
   desc %q{Part of the "storeconfigs" feature. Should not be directly set by end users.}
 

data/lib/puppet/indirector/resource/validator.rb

@@ -0,0 +1,8 @@
+module Puppet::Resource::Validator
+  def validate_key(request)
+    type, title = request.key.split('/', 2)
+    unless type.downcase == request.instance.type.downcase and title == request.instance.title
+      raise Puppet::Indirector::ValidationError, "Resource instance does not match request key"
+    end
+  end
+end

data/lib/puppet/indirector/rest.rb

@@ -177,6 +177,10 @@ class Puppet::Indirector::REST < Puppet::Indirector::Terminus
     request.do_request(self.class.srv_service, self.class.server, self.class.port) { |request| yield(request) }
   end
 
+  def validate_key(request)
+    # Validation happens on the remote end
+  end
+
   private
 
   def environment

data/lib/puppet/indirector/run/local.rb

@@ -8,4 +8,8 @@ class Puppet::Run::Local < Puppet::Indirector::Code
   def save( request )
     request.instance.run
   end
+
+  def validate_key(request)
+    # No key is necessary for kick
+  end
 end

data/lib/puppet/indirector/terminus.rb

@@ -1,4 +1,5 @@
 require 'puppet/indirector'
+require 'puppet/indirector/errors'
 require 'puppet/indirector/indirection'
 require 'puppet/util/instance_loader'
 
@@ -142,4 +143,23 @@ class Puppet::Indirector::Terminus
   def terminus_type
     self.class.terminus_type
   end
+
+  def validate(request)
+    if request.instance
+      validate_model(request)
+      validate_key(request)
+    end
+  end
+
+  def validate_key(request)
+    unless request.key == request.instance.name
+      raise Puppet::Indirector::ValidationError, "Instance name #{request.instance.name.inspect} does not match requested key #{request.key.inspect}"
+    end
+  end
+
+  def validate_model(request)
+    unless model === request.instance
+      raise Puppet::Indirector::ValidationError, "Invalid instance type #{request.instance.class.inspect}, expected #{model.inspect}"
+    end
+  end
 end

data/lib/puppet/network/authconfig.rb

@@ -15,7 +15,7 @@ module Puppet
       # to fileserver.conf
       { :acl => "/file" },
       { :acl => "/certificate_revocation_list/ca", :method => :find, :authenticated => true },
-      { :acl => "/report", :method => :save, :authenticated => true },
+      { :acl => "~ ^\/report\/([^\/]+)$", :method => :save, :allow => '$1', :authenticated => true },
       # These allow `auth any`, because if you can do them anonymously you
       # should probably also be able to do them when trusted.
       { :acl => "/certificate/ca", :method => :find, :authenticated => :any },

data/lib/puppet/network/formats.rb

@@ -3,12 +3,12 @@ require 'puppet/network/format_handler'
 Puppet::Network::FormatHandler.create_serialized_formats(:yaml) do
   # Yaml doesn't need the class name; it's serialized.
   def intern(klass, text)
-    YAML.load(text)
+    YAML.safely_load(text)
   end
 
   # Yaml doesn't need the class name; it's serialized.
   def intern_multiple(klass, text)
-    YAML.load(text)
+    YAML.safely_load(text)
   end
 
   def render(instance)
@@ -72,7 +72,7 @@ Puppet::Network::FormatHandler.create_serialized_formats(:b64_zlib_yaml) do
 
   def decode(yaml)
     requiring_zlib do
-      YAML.load(Zlib::Inflate.inflate(Base64.decode64(yaml)))
+      YAML.safely_load(Zlib::Inflate.inflate(Base64.decode64(yaml)))
     end
   end
 end

data/lib/puppet/network/http/handler.rb

@@ -73,6 +73,8 @@ module Puppet::Network::HTTP::Handler
     raise
   rescue Exception => e
     return do_exception(response, e)
+  ensure
+    cleanup(request)
   end
 
   # Set the response up, with the body and status.
@@ -219,11 +221,14 @@ module Puppet::Network::HTTP::Handler
     raise NotImplementedError
   end
 
-  # Retrieve the client certificate from the request if possible
   def client_cert(request)
     raise NotImplementedError
   end
 
+  def cleanup(request)
+    # By default, there is nothing to cleanup.
+  end
+
   def decode_params(params)
     params.inject({}) do |result, ary|
       param, value = ary
@@ -237,7 +242,7 @@ module Puppet::Network::HTTP::Handler
       next result if param == :ip
       value = CGI.unescape(value)
       if value =~ /^---/
-        value = YAML.load(value)
+        value = YAML.safely_load(value)
       else
         value = true if value == "true"
         value = false if value == "false"

data/lib/puppet/network/http/rack/rest.rb

@@ -73,8 +73,6 @@ class Puppet::Network::HTTP::RackREST < Puppet::Network::HTTP::RackHttpHandler
   end
 
   # return the request body
-  # request.body has some limitiations, so we need to concat it back
-  # into a regular string, which is something puppet can use.
   def body(request)
     request.body.read
   end
@@ -89,6 +87,13 @@ class Puppet::Network::HTTP::RackREST < Puppet::Network::HTTP::RackHttpHandler
     OpenSSL::X509::Certificate.new(cert)
   end
 
+  # Passenger freaks out if we finish handling the request without reading any
+  # part of the body, so make sure we have.
+  def cleanup(request)
+    request.body.read(1)
+    nil
+  end
+
   def extract_client_info(request)
     result = {}
     result[:ip] = request.ip

data/lib/puppet/network/http/webrick.rb

@@ -94,6 +94,7 @@ class Puppet::Network::HTTP::WEBrick
     results[:SSLCertificate] = host.certificate.content
     results[:SSLStartImmediately] = true
     results[:SSLEnable] = true
+    results[:SSLOptions] = OpenSSL::SSL::OP_NO_SSLv2
 
     raise Puppet::Error, "Could not find CA certificate" unless Puppet::SSL::Certificate.indirection.find(Puppet::SSL::CA_NAME)
 

data/lib/puppet/parser/templatewrapper.rb

@@ -5,8 +5,6 @@ require 'erb'
 
 class Puppet::Parser::TemplateWrapper
   attr_writer :scope
-  attr_reader :file
-  attr_accessor :string
   include Puppet::Util
   Puppet::Util.logmethods(self)
 
@@ -14,6 +12,10 @@ class Puppet::Parser::TemplateWrapper
     @__scope__ = scope
   end
 
+  def file
+    @__file__
+  end
+
   def scope
     @__scope__
   end
@@ -22,7 +24,7 @@ class Puppet::Parser::TemplateWrapper
     # find which line in the template (if any) we were called from
     # but defer to when necessary since fetching the caller information on
     # every variable lookup can be quite time consuming
-    Proc.new { (caller.find { |l| l =~ /#{file}:/ }||"")[/:(\d+):/,1] }
+    Proc.new { (caller.find { |l| l =~ /#{@__file__}:/ }||"")[/:(\d+):/,1] }
   end
 
   def script_line
@@ -63,51 +65,49 @@ class Puppet::Parser::TemplateWrapper
   # dead.
   def method_missing(name, *args)
     if scope.include?(name.to_s)
-      return scope[name.to_s, {:file => file,:lineproc => script_line_proc}]
+      return scope[name.to_s, {:file => @__file__, :lineproc => script_line_proc}]
     else
       # Just throw an error immediately, instead of searching for
       # other missingmethod things or whatever.
-      raise Puppet::ParseError.new("Could not find value for '#{name}'",@file,script_line)
+      raise Puppet::ParseError.new("Could not find value for '#{name}'", @__file__, script_line)
     end
   end
 
   def file=(filename)
-    unless @file = Puppet::Parser::Files.find_template(filename, scope.compiler.environment.to_s)
+    unless @__file__ = Puppet::Parser::Files.find_template(filename, scope.compiler.environment.to_s)
       raise Puppet::ParseError, "Could not find template '#{filename}'"
     end
 
     # We'll only ever not have a parser in testing, but, eh.
-    scope.known_resource_types.watch_file(file)
-
-    @string = File.read(file)
+    scope.known_resource_types.watch_file(@__file__)
   end
 
   def result(string = nil)
     if string
-      self.string = string
       template_source = "inline template"
     else
-      template_source = file
+      string = File.read(@__file__)
+      template_source = @__file__
     end
 
     # Expose all the variables in our scope as instance variables of the
     # current object, making it possible to access them without conflict
     # to the regular methods.
     benchmark(:debug, "Bound template variables for #{template_source}") do
-      scope.to_hash.each { |name, value|
+      scope.to_hash.each do |name, value|
         if name.kind_of?(String)
           realname = name.gsub(/[^\w]/, "_")
         else
           realname = name
         end
         instance_variable_set("@#{realname}", value)
-      }
+      end
     end
 
     result = nil
     benchmark(:debug, "Interpolated template #{template_source}") do
-      template = ERB.new(self.string, 0, "-")
-      template.filename = file
+      template = ERB.new(string, 0, "-")
+      template.filename = @__file__
       result = template.result(binding)
     end
 
@@ -115,6 +115,6 @@ class Puppet::Parser::TemplateWrapper
   end
 
   def to_s
-    "template[#{(file ? file : "inline")}]"
+    "template[#{(@__file__ ? @__file__ : "inline")}]"
   end
 end

data/lib/puppet/util/monkey_patches.rb

@@ -41,6 +41,21 @@ end
   end
 }
 
+if defined?(YAML::ENGINE) and YAML::ENGINE.yamler == 'psych'
+  def Psych.safely_load(str)
+    result = Psych.parse(str)
+    if invalid_node = result.find { |node| node.tag =~ /!map:(.*)/ || node.tag =~ /!ruby\/hash:(.*)/ }
+      raise ArgumentError, "Illegal YAML mapping found with tag #{invalid_node.tag}; please use !ruby/object:#{$1} instead"
+    else
+      result.to_ruby
+    end
+  end
+else
+  def YAML.safely_load(str)
+    self.load(str)
+  end
+end
+
 def YAML.dump(*args)
   ZAML.dump(*args)
 end
@@ -356,3 +371,26 @@ unless Dir.respond_to?(:mktmpdir)
     end
   end
 end
+
+# (#19151) Reject all SSLv2 ciphers and handshakes
+require 'openssl'
+class OpenSSL::SSL::SSLContext
+  if DEFAULT_PARAMS[:options]
+    DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2
+  else
+    DEFAULT_PARAMS[:options] = OpenSSL::SSL::OP_NO_SSLv2
+  end
+  DEFAULT_PARAMS[:ciphers] << ':!SSLv2'
+
+  alias __original_initialize initialize
+  private :__original_initialize
+
+  def initialize(*args)
+    __original_initialize(*args)
+    params = {
+      :options => DEFAULT_PARAMS[:options],
+      :ciphers => DEFAULT_PARAMS[:ciphers],
+    }
+    set_params(params)
+  end
+end

data/lib/puppet/version.rb

@@ -7,7 +7,7 @@
 
 
 module Puppet
-  PUPPETVERSION = '3.1.0'
+  PUPPETVERSION = '3.1.1'
 
   ##
   # version is a public API method intended to always provide a fast and