puppet 3.1.0 → 3.1.1

data/spec/integration/file_serving/terminus_helper_spec.rb

@@ -13,7 +13,7 @@ end
 describe Puppet::FileServing::TerminusHelper do
   it "should be able to recurse on a single file" do
     @path = Tempfile.new("fileset_integration")
-    request = Puppet::Indirector::Request.new(:metadata, :find, @path.path, :recurse => true)
+    request = Puppet::Indirector::Request.new(:metadata, :find, @path.path, nil, :recurse => true)
 
     tester = TerminusHelperIntegrationTester.new
     lambda { tester.path2instances(request, @path.path) }.should_not raise_error

data/spec/integration/indirector/catalog/queue_spec.rb

@@ -6,7 +6,7 @@ require 'puppet/resource/catalog'
 describe "Puppet::Resource::Catalog::Queue" do
   before do
     Puppet::Resource::Catalog.indirection.terminus(:queue)
-    @catalog = Puppet::Resource::Catalog.new
+    @catalog = Puppet::Resource::Catalog.new("foo")
 
     @one = Puppet::Resource.new(:file, "/one")
     @two = Puppet::Resource.new(:file, "/two")

data/spec/integration/resource/catalog_spec.rb

@@ -46,6 +46,7 @@ describe Puppet::Resource::Catalog do
       Puppet::Resource::Catalog.indirection.stubs(:terminus).returns terminus
 
       node = mock 'node'
+      terminus.stubs(:validate)
       terminus.expects(:find).with { |request| request.options[:use_node] == node }
       Puppet::Resource::Catalog.indirection.find("me", :use_node => node)
     end

data/spec/unit/indirector/catalog/compiler_spec.rb

@@ -53,13 +53,22 @@ describe Puppet::Resource::Catalog::Compiler do
       @request = Puppet::Indirector::Request.new(:catalog, :find, @name, nil, :node => @name)
     end
 
-    it "should directly use provided nodes" do
+    it "should directly use provided nodes for a local request" do
       Puppet::Node.indirection.expects(:find).never
       @compiler.expects(:compile).with(@node)
       @request.stubs(:options).returns(:use_node => @node)
+      @request.stubs(:remote?).returns(false)
       @compiler.find(@request)
     end
 
+    it "rejects a provided node if the request is remote" do
+      @request.stubs(:options).returns(:use_node => @node)
+      @request.stubs(:remote?).returns(true)
+      expect {
+        @compiler.find(@request)
+      }.to raise_error Puppet::Error, /invalid option use_node/i
+    end
+
     it "should use the authenticated node name if no request key is provided" do
       @request.stubs(:key).returns(nil)
       Puppet::Node.indirection.expects(:find).with(@name, anything).returns(@node)
@@ -99,6 +108,24 @@ describe Puppet::Resource::Catalog::Compiler do
       @compiler.find(@request)
     end
 
+    it "requires `facts_format` option if facts are passed in" do
+      facts = Puppet::Node::Facts.new("mynode", :afact => "avalue")
+      request = Puppet::Indirector::Request.new(:catalog, :find, "mynode", nil, :facts => facts)
+      expect {
+        @compiler.find(request)
+      }.to raise_error ArgumentError, /no fact format provided for mynode/
+    end
+
+    it "rejects facts in the request from a different node" do
+      facts = Puppet::Node::Facts.new("differentnode", :afact => "avalue")
+      request = Puppet::Indirector::Request.new(
+        :catalog, :find, "mynode", nil, :facts => facts, :facts_format => "unused"
+      )
+      expect {
+        @compiler.find(request)
+      }.to raise_error Puppet::Error, /fact definition for the wrong node/i
+    end
+
     it "should return the results of compiling as the catalog" do
       Puppet::Node.indirection.stubs(:find).returns(@node)
       config = mock 'config'
@@ -133,7 +160,7 @@ describe Puppet::Resource::Catalog::Compiler do
     before do
       Facter.stubs(:value).returns "something"
       @compiler = Puppet::Resource::Catalog::Compiler.new
-      @request = stub 'request', :options => {}
+      @request = Puppet::Indirector::Request.new(:catalog, :find, "hostname", nil)
 
       @facts = Puppet::Node::Facts.new('hostname', "fact" => "value", "architecture" => "i386")
       Puppet::Node::Facts.indirection.stubs(:save).returns(nil)

data/spec/unit/indirector/indirection_spec.rb

@@ -40,7 +40,7 @@ shared_examples_for "Indirection Delegator" do
       end
     end
 
-    request = stub 'request', :key => "me", :options => {}
+    request = Puppet::Indirector::Request.new(:indirection, :find, "me", nil)
 
     @indirection.stubs(:request).returns request
 
@@ -101,6 +101,16 @@ shared_examples_for "Delegation Authorizer" do
   end
 end
 
+shared_examples_for "Request validator" do
+  it "asks the terminus to validate the request" do
+    @terminus.expects(:validate).raises(Puppet::Indirector::ValidationError, "Invalid")
+    @terminus.expects(@method).never
+    expect {
+      @indirection.send(@method, "key")
+    }.to raise_error Puppet::Indirector::ValidationError
+  end
+end
+
 describe Puppet::Indirector::Indirection do
   describe "when initializing" do
     # (LAK) I've no idea how to test this, really.
@@ -141,6 +151,7 @@ describe Puppet::Indirector::Indirection do
     before :each do
       @terminus_class = mock 'terminus_class'
       @terminus = mock 'terminus'
+      @terminus.stubs(:validate)
       @terminus_class.stubs(:new).returns(@terminus)
       @cache = stub 'cache', :name => "mycache"
       @cache_class = mock 'cache_class'
@@ -211,6 +222,7 @@ describe Puppet::Indirector::Indirection do
 
       it_should_behave_like "Indirection Delegator"
       it_should_behave_like "Delegation Authorizer"
+      it_should_behave_like "Request validator"
 
       it "should return the results of the delegation" do
         @terminus.expects(:find).returns(@instance)
@@ -384,6 +396,7 @@ describe Puppet::Indirector::Indirection do
 
       it_should_behave_like "Indirection Delegator"
       it_should_behave_like "Delegation Authorizer"
+      it_should_behave_like "Request validator"
 
       it "should return true if the head method returned true" do
         @terminus.expects(:head).returns(true)
@@ -501,6 +514,7 @@ describe Puppet::Indirector::Indirection do
 
       it_should_behave_like "Indirection Delegator"
       it_should_behave_like "Delegation Authorizer"
+      it_should_behave_like "Request validator"
 
       it "should return the result of removing the instance" do
         @terminus.stubs(:destroy).returns "yayness"
@@ -539,6 +553,7 @@ describe Puppet::Indirector::Indirection do
 
       it_should_behave_like "Indirection Delegator"
       it_should_behave_like "Delegation Authorizer"
+      it_should_behave_like "Request validator"
 
       it "should set the expiration date on any instances without one set" do
         @terminus.stubs(:search).returns([@instance])
@@ -707,6 +722,7 @@ describe Puppet::Indirector::Indirection do
     before do
       @indirection = Puppet::Indirector::Indirection.new(mock('model'), :test)
       @terminus = mock 'terminus'
+      @terminus.stubs(:validate)
       @terminus_class = stub 'terminus class', :new => @terminus
     end
 

data/spec/unit/indirector/terminus_spec.rb

@@ -9,6 +9,10 @@ describe Puppet::Indirector::Terminus do
     class Puppet::AbstractConcept
       extend Puppet::Indirector
       indirects :abstract_concept
+      attr_accessor :name
+      def initialize(name = "name")
+        @name = name
+      end
     end
 
     class Puppet::AbstractConcept::Freedom < Puppet::Indirector::Code
@@ -23,6 +27,7 @@ describe Puppet::Indirector::Terminus do
   let :terminus_class do Puppet::AbstractConcept::Freedom end
   let :terminus       do terminus_class.new end
   let :indirection    do Puppet::AbstractConcept.indirection end
+  let :model          do Puppet::AbstractConcept end
 
   it "should provide a method for setting terminus class documentation" do
     terminus_class.should respond_to(:desc)
@@ -216,4 +221,44 @@ describe Puppet::Indirector::Terminus do
       Puppet::Indirector::Terminus.terminus_classes('my_stuff').should == [:baz, :marathon]
     end
   end
+
+  describe "when validating a request" do
+    let :request do
+      Puppet::Indirector::Request.new(indirection.name, :find, "the_key", instance)
+    end
+
+    describe "`instance.name` does not match the key in the request" do
+      let(:instance) { model.new("wrong_key") }
+
+      it "raises an error " do
+        expect {
+          terminus.validate(request)
+        }.to raise_error(
+          Puppet::Indirector::ValidationError,
+          /Instance name .* does not match requested key/
+        )
+      end
+    end
+
+    describe "`instance` is not an instance of the model class" do
+      let(:instance) { mock "instance" }
+
+      it "raises an error" do
+        expect {
+          terminus.validate(request)
+        }.to raise_error(
+          Puppet::Indirector::ValidationError,
+          /Invalid instance type/
+        )
+      end
+    end
+
+    describe "the instance key and class match the request key and model class" do
+      let(:instance) { model.new("the_key") }
+
+      it "passes" do
+        terminus.validate(request)
+      end
+    end
+  end
 end

data/spec/unit/network/authconfig_spec.rb

@@ -78,6 +78,18 @@ describe Puppet::Network::AuthConfig do
       @authconfig.rights['/'].should be_empty
       @authconfig.rights['/'].authentication.should be_false
     end
+
+    it '(CVE-2013-2275) allows report submission only for the node matching the certname by default' do
+      acl = {
+        :acl => "~ ^\/report\/([^\/]+)$",
+        :method => :save,
+        :allow => '$1',
+        :authenticated => true
+      }
+      @authconfig.stubs(:mk_acl)
+      @authconfig.expects(:mk_acl).with(acl)
+      @authconfig.insert_default_acl
+    end
   end
 
   describe "when checking authorization" do

data/spec/unit/network/authorization_spec.rb

@@ -11,6 +11,10 @@ describe Puppet::Network::Authorization do
 
   describe "when creating an authconfig object" do
     it "creates default ACL entries if no file has been read" do
+      # Other tests may have created an authconfig, so we have to undo that.
+      Puppet::Network::AuthConfigLoader.instance_variable_set(:@auth_config, nil)
+      Puppet::Network::AuthConfigLoader.instance_variable_set(:@auth_config_file, nil)
+
       Puppet::Network::AuthConfigParser.expects(:new_from_file).raises Errno::ENOENT
       Puppet::Network::AuthConfig.any_instance.expects(:insert_default_acl)
 

data/spec/unit/network/formats_spec.rb

@@ -55,15 +55,15 @@ describe "Puppet Network Format" do
       @yaml.render_multiple(instances).should == "foo"
     end
 
-    it "should intern by calling 'YAML.load'" do
+    it "should safely load YAML when interning" do
       text = "foo"
-      YAML.expects(:load).with("foo").returns "bar"
+      YAML.expects(:safely_load).with("foo").returns "bar"
       @yaml.intern(String, text).should == "bar"
     end
 
-    it "should intern multiples by calling 'YAML.load'" do
+    it "should safely load YAML when interning multiples" do
       text = "foo"
-      YAML.expects(:load).with("foo").returns "bar"
+      YAML.expects(:safely_load).with("foo").returns "bar"
       @yaml.intern_multiple(String, text).should == "bar"
     end
   end
@@ -120,10 +120,10 @@ describe "Puppet Network Format" do
       @yaml.intern_multiple(String, text).should == "bar"
     end
 
-    it "should decode by base64 decoding, uncompressing and Yaml loading" do
+    it "should decode by base64 decoding, uncompressing and safely Yaml loading" do
       Base64.expects(:decode64).with("zorg").returns "foo"
       Zlib::Inflate.expects(:inflate).with("foo").returns "baz"
-      YAML.expects(:load).with("baz").returns "bar"
+      YAML.expects(:safely_load).with("baz").returns "bar"
       @yaml.decode("zorg").should == "bar"
     end
 

data/spec/unit/network/http/connection_spec.rb

@@ -90,7 +90,6 @@ describe Puppet::Network::HTTP::Connection do
 
         it                { should be_use_ssl }
         its(:cert)        { should be_nil }
-        its(:cert_store)  { should be_nil }
         its(:ca_file)     { should be_nil }
         its(:key)         { should be_nil }
         its(:verify_mode) { should == OpenSSL::SSL::VERIFY_NONE }

data/spec/unit/network/http/handler_spec.rb

@@ -137,6 +137,31 @@ describe Puppet::Network::HTTP::Handler do
       @handler.request_format(@request).should == "s"
     end
 
+    it "should deserialize YAML parameters" do
+      params = {'my_param' => [1,2,3].to_yaml}
+
+      decoded_params = @handler.send(:decode_params, params)
+
+      decoded_params.should == {:my_param => [1,2,3]}
+    end
+
+    it "should accept YAML parameters with !ruby/hash tags on Ruby 1.8", :if => RUBY_VERSION =~ /^1\.8/ do
+      params = {'my_param' => "--- !ruby/hash:Array {}"}
+
+      decoded_params = @handler.send(:decode_params, params)
+
+      decoded_params[:my_param].should be_an(Array)
+    end
+
+    # These are only dangerous with Psych, which is Ruby 1.9-only. Since
+    # there's no real way to change the yamler in Puppet, assume that 1.9 means
+    # Psych, especially in tests.
+    it "should fail if YAML parameters have !ruby/hash tags on Ruby 1.9", :unless => RUBY_VERSION =~ /^1\.8/ do
+      params = {'my_param' => "--- !ruby/hash:Array {}"}
+
+      expect { @handler.send(:decode_params, params) }.to raise_error(ArgumentError, /Illegal YAML mapping found/)
+    end
+
     describe "when finding a model instance" do
       before do
         @indirection.stubs(:find).returns @result

data/spec/unit/network/http/rack/rest_spec.rb

@@ -111,6 +111,23 @@ describe "Puppet::Network::HTTP::RackREST", :if => Puppet.features.rack? do
           @handler.set_response(@response, @file, 200)
         end
       end
+
+      it "should ensure the body has been read on success" do
+        req = mk_req('/production/report/foo', :method => 'PUT')
+        req.body.expects(:read).at_least_once
+
+        Puppet::Transaction::Report.stubs(:save)
+
+        @handler.process(req, @response)
+      end
+
+      it "should ensure the body has been partially read on failure" do
+        req = mk_req('/production/report/foo')
+        req.body.expects(:read).with(1)
+        req.stubs(:check_authorization).raises(Exception)
+
+        @handler.process(req, @response)
+      end
     end
 
     describe "and determining the request parameters" do

data/spec/unit/network/http/webrick_spec.rb

@@ -241,6 +241,10 @@ describe Puppet::Network::HTTP::WEBrick do
       server.setup_ssl[:SSLEnable].should be_true
     end
 
+    it "should reject SSLv2" do
+      server.setup_ssl[:SSLOptions].should == OpenSSL::SSL::OP_NO_SSLv2
+    end
+
     it "should configure the verification method as 'OpenSSL::SSL::VERIFY_PEER'" do
       server.setup_ssl[:SSLVerifyClient].should == OpenSSL::SSL::VERIFY_PEER
     end

data/spec/unit/parser/functions/inline_template_spec.rb

@@ -6,58 +6,29 @@ describe "the inline_template function" do
     Puppet::Parser::Functions.autoloader.loadall
   end
 
-  before :each do
-    node     = Puppet::Node.new('localhost')
-    compiler = Puppet::Parser::Compiler.new(node)
-    @scope   = Puppet::Parser::Scope.new(compiler)
-  end
-
-  it "should exist" do
-    Puppet::Parser::Functions.function("inline_template").should == "function_inline_template"
-  end
-
-  it "should create a TemplateWrapper when called" do
-    tw = stub_everything 'template_wrapper'
+  let(:node) { Puppet::Node.new('localhost') }
+  let(:compiler) { Puppet::Parser::Compiler.new(node) }
+  let(:scope) { Puppet::Parser::Scope.new(compiler) }
 
-    Puppet::Parser::TemplateWrapper.expects(:new).returns(tw)
-
-    @scope.function_inline_template(["test"])
+  it "should concatenate template wrapper outputs for multiple templates" do
+    inline_template("template1", "template2").should == "template1template2"
   end
 
-  it "should pass the template string to TemplateWrapper.result" do
-    tw = stub_everything 'template_wrapper'
-    Puppet::Parser::TemplateWrapper.stubs(:new).returns(tw)
-
-    tw.expects(:result).with("test")
-
-    @scope.function_inline_template(["test"])
+  it "should raise an error if the template raises an error" do
+    expect { inline_template("<% raise 'error' %>") }.to raise_error(Puppet::ParseError)
   end
 
-  it "should return what TemplateWrapper.result returns" do
-    tw = stub_everything 'template_wrapper'
-    Puppet::Parser::TemplateWrapper.stubs(:new).returns(tw)
-
-    tw.expects(:result).returns("template contents evaluated")
-
-    @scope.function_inline_template(["test"]).should == "template contents evaluated"
+  it "is not interfered with by a variable called 'string' (#14093)" do
+    scope['string'] = "this is a variable"
+    inline_template("this is a template").should == "this is a template"
   end
 
-  it "should concatenate template wrapper outputs for multiple templates" do
-    tw1 = stub_everything "template_wrapper1"
-    tw2 = stub_everything "template_wrapper2"
-    Puppet::Parser::TemplateWrapper.stubs(:new).returns(tw1,tw2)
-    tw1.stubs(:result).returns("result1")
-    tw2.stubs(:result).returns("result2")
-
-    @scope.function_inline_template(["1","2"]).should == "result1result2"
+  it "has access to a variable called 'string' (#14093)" do
+    scope['string'] = "this is a variable"
+    inline_template("string was: <%= @string %>").should == "string was: this is a variable"
   end
 
-  it "should raise an error if the template raises an error" do
-    tw = stub_everything 'template_wrapper'
-    Puppet::Parser::TemplateWrapper.stubs(:new).returns(tw)
-    tw.stubs(:result).raises
-
-    lambda { @scope.function_inline_template(["1"]) }.should raise_error(Puppet::ParseError)
+  def inline_template(*templates)
+    scope.function_inline_template(templates)
   end
-
 end

data/spec/unit/parser/functions/template_spec.rb

@@ -10,38 +10,7 @@ describe "the template function" do
   let :compiler do Puppet::Parser::Compiler.new(node) end
   let :scope    do Puppet::Parser::Scope.new(compiler) end
 
-  it "should exist" do
-    Puppet::Parser::Functions.function("template").should == "function_template"
-  end
-
-  it "should create a TemplateWrapper when called" do
-    tw = stub_everything 'template_wrapper'
-
-    Puppet::Parser::TemplateWrapper.expects(:new).returns(tw)
-
-    scope.function_template(["test"])
-  end
-
-  it "should give the template filename to the TemplateWrapper" do
-    tw = stub_everything 'template_wrapper'
-    Puppet::Parser::TemplateWrapper.stubs(:new).returns(tw)
-
-    tw.expects(:file=).with("test")
-
-    scope.function_template(["test"])
-  end
-
-  it "should return what TemplateWrapper.result returns" do
-    tw = stub_everything 'template_wrapper'
-    Puppet::Parser::TemplateWrapper.stubs(:new).returns(tw)
-    tw.stubs(:file=).with("test")
-
-    tw.expects(:result).returns("template contents evaluated")
-
-    scope.function_template(["test"]).should == "template contents evaluated"
-  end
-
-  it "should concatenate template wrapper outputs for multiple templates" do
+  it "concatenates outputs for multiple templates" do
     tw1 = stub_everything "template_wrapper1"
     tw2 = stub_everything "template_wrapper2"
     Puppet::Parser::TemplateWrapper.stubs(:new).returns(tw1,tw2)
@@ -53,7 +22,7 @@ describe "the template function" do
     scope.function_template(["1","2"]).should == "result1result2"
   end
 
-  it "should raise an error if the template raises an error" do
+  it "raises an error if the template raises an error" do
     tw = stub_everything 'template_wrapper'
     Puppet::Parser::TemplateWrapper.stubs(:new).returns(tw)
     tw.stubs(:result).raises
@@ -63,40 +32,58 @@ describe "the template function" do
     }.to raise_error(Puppet::ParseError, /Failed to parse template/)
   end
 
-  def eval_template(content, *rest)
-    File.stubs(:read).with("template").returns(content)
-    Puppet::Parser::Files.stubs(:find_template).returns("template")
-    scope.function_template(['template'] + rest)
+  context "when accessing scope variables via method calls (deprecated)" do
+    it "raises an error when accessing an undefined variable" do
+      expect {
+        eval_template("template <%= deprecated %>")
+      }.to raise_error(Puppet::ParseError, /Could not find value for 'deprecated'/)
+    end
+
+    it "looks up the value from the scope" do
+      scope["deprecated"] = "deprecated value"
+      eval_template("template <%= deprecated %>").should == "template deprecated value"
+    end
+
+    it "still has access to Kernel methods" do
+      expect { eval_template("<%= binding %>") }.to_not raise_error
+    end
   end
 
-  it "should handle legacy template variable access correctly" do
-    expect {
-      eval_template("template <%= deprecated %>")
-    }.to raise_error(Puppet::ParseError)
+  context "when accessing scope variables as instance variables" do
+    it "has access to values" do
+      scope['scope_var'] = "value"
+      eval_template("<%= @scope_var %>").should == "value"
+    end
+
+    it "get nil accessing a variable that does not exist" do
+      eval_template("<%= @not_defined.nil? %>").should == "true"
+    end
+
+    it "get nil accessing a variable that is undef" do
+      scope['undef_var'] = :undef
+      eval_template("<%= @undef_var.nil? %>").should == "true"
+    end
   end
 
-  it "should get values from the scope correctly" do
-    scope["deprecated"] = "deprecated value"
-    eval_template("template <%= deprecated %>").should == "template deprecated value"
+  it "is not interfered with by having a variable named 'string' (#14093)" do
+    scope['string'] = "this output should not be seen"
+    eval_template("some text that is static").should == "some text that is static"
   end
 
-  it "should handle kernel shadows without raising" do
-    expect { eval_template("<%= binding %>") }.to_not raise_error
+  it "has access to a variable named 'string' (#14093)" do
+    scope['string'] = "the string value"
+    eval_template("string was: <%= @string %>").should == "string was: the string value"
   end
 
-  it "should not see scopes" do
-    scope['myvar'] = 'this is yayness'
+  it "does not have direct access to Scope#lookupvar" do
     expect {
       eval_template("<%= lookupvar('myvar') %>")
-    }.to raise_error(Puppet::ParseError)
+    }.to raise_error(Puppet::ParseError, /Could not find value for 'lookupvar'/)
   end
 
-  { "" => "", false => "false", true => "true" }.each do |input, output|
-    it "should support defined variables (#{input.inspect} => #{output.inspect})" do
-      scope['yayness'] = input
-      expect {
-        eval_template("<%= @yayness %>").should == output
-      }.to_not raise_error
-    end
+  def eval_template(content)
+    File.stubs(:read).with("template").returns(content)
+    Puppet::Parser::Files.stubs(:find_template).returns("template")
+    scope.function_template(['template'])
   end
 end