puppet 3.2.0.rc2 → 3.2.1.rc1

data/lib/puppet/indirector/catalog/static_compiler.rb

@@ -15,23 +15,25 @@ class Puppet::Resource::Catalog::StaticCompiler < Puppet::Indirector::Code
     This terminus works today, but cannot be used without additional
     configuration. Specifically:
 
-    You must create a `Filebucket['puppet']` resource in site.pp (or somewhere
-    else where it will be added to every node's catalog). The title of this
-    resource **MUST** be "puppet"; the static compiler treats this title as magical.
-
-        # Note: the special $servername var always contains the master's FQDN,
-        # even if it was reached at a different name.
-        filebucket { puppet:
-          server => $servername,
-          path   => false,
-        }
-
-    You must set `catalog_terminus = static_compiler` in the puppet master's puppet.conf.
-
-    If you are using multiple puppet masters, you must configure load balancer
-    affinity for agent nodes. This is because puppet masters other than the one
-    that compiled a given catalog may not have stored the required file contents
-    in their filebuckets.}
+    * You must create a special filebucket resource --- with the title `puppet`
+      and the `path` attribute set to `false` --- in site.pp or somewhere else
+      where it will be added to every node's catalog. Using `puppet` as the title
+      is mandatory; the static compiler treats this title as magical.
+
+          filebucket { puppet:
+            path => false,
+          }
+
+    * You must set `catalog_terminus = static_compiler` in the puppet
+      master's puppet.conf.
+    * The puppet master's auth.conf must allow authenticated nodes to access the
+      `file_bucket_file` endpoint. This is enabled by default (see the
+      `path /file` rule), but if you have made your auth.conf more restrictive,
+      you may need to re-enable it.)
+    * If you are using multiple puppet masters, you must configure load balancer
+      affinity for agent nodes. This is because puppet masters other than the one
+      that compiled a given catalog may not have stored the required file contents
+      in their filebuckets.}
 
   def compiler
     @compiler ||= indirection.terminus(:compiler)

data/lib/puppet/network/http/rack/rest.rb

@@ -111,9 +111,11 @@ class Puppet::Network::HTTP::RackREST < Puppet::Network::HTTP::RackHttpHandler
     # if we find SSL info in the headers, use them to get a hostname from the CN.
     # try this with :ssl_client_header, which defaults should work for
     # Apache with StdEnvVars.
-    if subj_str = request.env[Puppet[:ssl_client_header]]
-      subject = Puppet::Util::SSL.subject_from_dn(subj_str)
-      result[:node] = Puppet::Util::SSL.cn_from_subject(subject)
+    subj_str = request.env[Puppet[:ssl_client_header]]
+    subject = Puppet::Util::SSL.subject_from_dn(subj_str || "")
+
+    if cn = Puppet::Util::SSL.cn_from_subject(subject)
+      result[:node] = cn
       result[:authenticated] = (request.env[Puppet[:ssl_client_verify_header]] == 'SUCCESS')
     else
       result[:node] = resolve_node(result)

data/lib/puppet/provider/package/sun.rb

@@ -49,7 +49,7 @@ Puppet::Type.type(:package).provide :sun, :parent => Puppet::Provider::Package d
   end
 
   def self.instances
-    parse_pkginfo(execute([command(:pkginfo), '-l'])).collect do |p|
+    parse_pkginfo(pkginfo('-l')).collect do |p|
       hash = namemap(p)
       hash[:provider] = :sun
       new(hash)
@@ -58,17 +58,24 @@ Puppet::Type.type(:package).provide :sun, :parent => Puppet::Provider::Package d
 
   # Get info on a package, optionally specifying a device.
   def info2hash(device = nil)
-    cmd = [command(:pkginfo), '-l']
-    cmd << '-d' << device if device
-    cmd << @resource[:name]
-    pkgs = self.class.parse_pkginfo(execute(cmd, :failonfail => false, :combine => false))
-    errmsg = case pkgs.size
-             when 0; 'No message'
-             when 1; pkgs[0]['ERROR']
-             end
-    return self.class.namemap(pkgs[0]) if errmsg.nil?
-    return {:ensure => :absent} if errmsg =~ /information for "#{Regexp.escape(@resource[:name])}"/
-    raise Puppet::Error, "Unable to get information about package #{@resource[:name]} because of: #{errmsg}"
+    args = ['-l']
+    args << '-d' << device if device
+    args << @resource[:name]
+    begin
+      pkgs = self.class.parse_pkginfo(pkginfo(*args))
+      errmsg = case pkgs.size
+        when 0
+          'No message'
+        when 1
+           pkgs[0]['ERROR']
+      end
+      return self.class.namemap(pkgs[0]) if errmsg.nil?
+      # according to commit 41356a7 some errors do not raise an exception
+      # so eventhough pkginfo passed, we have to check the actual output
+      raise Puppet::Error, "Unable to get information about package #{@resource[:name]} because of: #{errmsg}"
+    rescue Puppet::ExecutionFailure
+      return {:ensure => :absent}
+    end
   end
 
   # Retrieve the version from the current package file.

data/lib/puppet/provider/package/windows/package.rb

@@ -1,3 +1,29 @@
+# 'puppet/type/package' is being required here to avoid a load order issue that
+# manifests as 'uninitialized constant Puppet::Util::Windows::MsiPackage' or
+# 'uninitialized constant Puppet::Util::Windows::Package' (or similar case
+# where Puppet::Provider::Package::Windows somehow ends up pointing to
+# Puppet:Util::Windows) if puppet/provider/package/windows/package is loaded
+# before the puppet/type/package.
+#
+# Example:
+#
+#  jpartlow@percival:~/work/puppet$ bundle exec rspec spec/unit/provider/package/windows/package_spec.rb spec/unit/provider/package/rpm_spec.rb 
+#  Run options: exclude {:broken=>true}
+#  ..F..FFF........................
+#  
+#  Failures:
+#  
+#    1) Puppet::Util::Package::Windows::Package::each should yield each package it finds
+#       Failure/Error: Puppet::Provider::Package::Windows::MsiPackage.expects(:from_registry).with('Google', {}).returns(package)
+#       NameError:
+#         uninitialized constant Puppet::Util::Windows::MsiPackage
+#       # ./spec/unit/provider/package/windows/package_spec.rb:24:in `block (3 levels) in <top (required)>'
+#
+# ---
+#
+# Needs more investigation to pinpoint what's going on.
+#
+require 'puppet/type/package'
 require 'puppet/util/windows'
 
 class Puppet::Provider::Package::Windows

data/lib/puppet/provider/user/useradd.rb

@@ -170,13 +170,6 @@ Puppet::Type.type(:user).provide :useradd, :parent => Puppet::Provider::NameServ
     cmd << @resource[:name]
   end
 
-  def modifycmd(param, value)
-    cmd = super(param, value)
-    cmd += check_manage_home if param == :home
-
-    cmd
-  end
-
   def deletecmd
     if @resource.forcelocal?
        cmd = [command(:localdelete)]

data/lib/puppet/type/file.rb

@@ -58,47 +58,44 @@ Puppet::Type.newtype(:file) do
   end
 
   newparam(:backup) do
-    desc "Whether files should be backed up before
-      being replaced.  The preferred method of backing files up is via
-      a `filebucket`, which stores files by their MD5 sums and allows
-      easy retrieval without littering directories with backups.  You
-      can specify a local filebucket or a network-accessible
-      server-based filebucket by setting `backup => bucket-name`.
-      Alternatively, if you specify any value that begins with a `.`
-      (e.g., `.puppet-bak`), then Puppet will use copy the file in
-      the same directory with that value as the extension of the
-      backup. Setting `backup => false` disables all backups of the
-      file in question.
-
-      Puppet automatically creates a local filebucket named `puppet` and
-      defaults to backing up there.  To use a server-based filebucket,
-      you must specify one in your configuration.
-
-            filebucket { main:
-              server => puppet,
-              path   => false,
-              # The path => false line works around a known issue with the filebucket type.
-            }
-
-      The `puppet master` daemon creates a filebucket by default,
-      so you can usually back up to your main server with this
-      configuration.  Once you've described the bucket in your
-      configuration, you can use it in any file's backup attribute:
-
-            file { \"/my/file\":
-              source => \"/path/in/nfs/or/something\",
-              backup => main
-            }
-
-      This will back the file up to the central server.
-
-      At this point, the benefits of using a central filebucket are that you
-      do not have backup files lying around on each of your machines, a given
-      version of a file is only backed up once, you can restore any given file
-      manually (no matter how old), and you can use Puppet Dashboard to view
-      file contents.  Eventually, transactional support will be able to
-      automatically restore filebucketed files.
-      "
+    desc <<-EOT
+      Whether (and how) file content should be backed up before being replaced.
+      This attribute works best as a resource default in the site manifest
+      (`File { backup => main }`), so it can affect all file resources.
+
+      * If set to `false`, file content won't be backed up.
+      * If set to a string beginning with `.` (e.g., `.puppet-bak`), Puppet will
+        use copy the file in the same directory with that value as the extension
+        of the backup. (A value of `true` is a synonym for `.puppet-bak`.)
+      * If set to any other string, Puppet will try to back up to a filebucket
+        with that title. See the `filebucket` resource type for more details.
+        (This is the preferred method for backup, since it can be centralized
+        and queried.)
+
+      Default value: `puppet`, which backs up to a filebucket of the same name.
+      (Puppet automatically creates a **local** filebucket named `puppet` if one
+      doesn't already exist.)
+
+      Backing up to a local filebucket isn't particularly useful. If you want
+      to make organized use of backups, you will generally want to use the
+      puppet master server's filebucket service. This requires declaring a
+      filebucket resource and a resource default for the `backup` attribute
+      in site.pp:
+
+          # /etc/puppet/manifests/site.pp
+          filebucket { 'main':
+            path   => false,                # This is required for remote filebuckets.
+            server => 'puppet.example.com', # Optional; defaults to the configured puppet master.
+          }
+
+          File { backup => main, }
+
+      If you are using multiple puppet master servers, you will want to
+      centralize the contents of the filebucket. Either configure your load
+      balancer to direct all filebucket traffic to a single master, or use
+      something like an out-of-band rsync task to synchronize the content on all
+      masters.
+    EOT
 
     defaultto "puppet"
 

data/lib/puppet/type/filebucket.rb

@@ -2,35 +2,44 @@ module Puppet
   require 'puppet/file_bucket/dipper'
 
   newtype(:filebucket) do
-    @doc = "A repository for backing up files.  If no filebucket is
-      defined, then files will be backed up in their current directory,
-      but the filebucket can be either a host- or site-global repository
-      for backing up.  It stores files and returns the MD5 sum, which
-      can later be used to retrieve the file if restoration becomes
-      necessary.  A filebucket does not do any work itself; instead,
-      it can be specified as the value of *backup* in a **file** object.
-
-      Currently, filebuckets are only useful for manual retrieval of
-      accidentally removed files (e.g., you look in the log for the md5 sum
-      and retrieve the file with that sum from the filebucket), but when
-      transactions are fully supported filebuckets will be used to undo
-      transactions.
-
-      You will normally want to define a single filebucket for your
-      whole network and then use that as the default backup location:
-
-          # Define the bucket
+    @doc = <<-EOT
+      A repository for storing and retrieving file content by MD5 checksum. Can
+      be local to each agent node, or centralized on a puppet master server. All
+      puppet masters provide a filebucket service that agent nodes can access
+      via HTTP, but you must declare a filebucket resource before any agents
+      will do so.
+
+      Filebuckets are used for the following features:
+
+      - **Content backups.** If the `file` type's `backup` attribute is set to
+        the name of a filebucket, Puppet will back up the _old_ content whenever
+        it rewrites a file; see the documentation for the `file` type for more
+        details. These backups can be used for manual recovery of content, but
+        are more commonly used to display changes and differences in a tool like
+        Puppet Dashboard.
+      - **Content distribution.** The optional static compiler populates the
+        puppet master's filebucket with the _desired_ content for each file,
+        then instructs the agent to retrieve the content for a specific
+        checksum. For more details,
+        [see the `static_compiler` section in the catalog indirection docs](http://docs.puppetlabs.com/references/latest/indirection.html#catalog).
+
+      To use a central filebucket for backups, you will usually want to declare
+      a filebucket resource and a resource default for the `backup` attribute
+      in site.pp:
+
+          # /etc/puppet/manifests/site.pp
           filebucket { 'main':
-            server => puppet,
-            path   => false,
-            # Due to a known issue, path must be set to false for remote filebuckets.
+            path   => false,                # This is required for remote filebuckets.
+            server => 'puppet.example.com', # Optional; defaults to the configured puppet master.
           }
 
-          # Specify it as the default target
-          File { backup => main }
+          File { backup => main, }
 
-      Puppetmaster servers create a filebucket by default, so this will
-      work in a default configuration."
+      Puppet master servers automatically provide the filebucket service, so
+      this will work in a default configuration. If you have a heavily
+      restricted `auth.conf` file, you may need to allow access to the
+      `file_bucket_file` endpoint.
+    EOT
 
     newparam(:name) do
       desc "The name of the filebucket."
@@ -38,27 +47,25 @@ module Puppet
     end
 
     newparam(:server) do
-      desc "The server providing the remote filebucket.  If this is not
-        specified then *path* is checked. If it is set, then the
-        bucket is local.  Otherwise the puppetmaster server specified
-        in the config or at the commandline is used.
+      desc "The server providing the remote filebucket service. Defaults to the
+        value of the `server` setting (that is, the currently configured
+        puppet master server).
 
-        Due to a known issue, you currently must set the `path` attribute to
-        false if you wish to specify a `server` attribute."
+        This setting is _only_ consulted if the `path` attribute is set to `false`."
       defaultto { Puppet[:server] }
     end
 
     newparam(:port) do
-      desc "The port on which the remote server is listening.
-        Defaults to the normal Puppet port, %s." % Puppet[:masterport]
+      desc "The port on which the remote server is listening. Defaults to the
+        value of the `masterport` setting, which is usually %s." % Puppet[:masterport]
 
       defaultto { Puppet[:masterport] }
     end
 
     newparam(:path) do
-      desc "The path to the local filebucket.  If this is
-        unset, then the bucket is remote.  The parameter *server* must
-        can be specified to set the remote server."
+      desc "The path to the _local_ filebucket; defaults to the value of the
+        `clientbucketdir` setting.  To use a remote filebucket, you _must_ set
+        this attribute to `false`."
 
       defaultto { Puppet[:clientbucketdir] }
 

data/lib/puppet/type/user.rb

@@ -23,7 +23,7 @@ module Puppet
       "The provider supports duplicate users with the same UID."
 
     feature :manages_homedir,
-      "The provider can create, remove, and update home directories."
+      "The provider can create and remove home directories."
 
     feature :manages_passwords,
       "The provider can modify user passwords, by accepting a password
@@ -303,10 +303,8 @@ module Puppet
 
     newparam(:managehome, :boolean => true) do
       desc "Whether to manage the home directory when managing the user.
-        This will create the home directory when `ensure => present`,
-        delete the home directory when `ensure => absent`. Linux only:
-        this will update the user's home directory when the `home` property
-        changes. Defaults to `false`."
+        This will create the home directory when `ensure => present`, and
+        delete the home directory when `ensure => absent`. Defaults to `false`."
 
       newvalues(:true, :false)
 

data/lib/puppet/util/ssl.rb

@@ -4,6 +4,14 @@
 #
 # @api private
 module Puppet::Util::SSL
+  NO_NAME = OpenSSL::X509::Name.new
+
+  DN_PARSERS = [
+    OpenSSL::X509::Name.method(:parse_rfc2253),
+    OpenSSL::X509::Name.method(:parse_openssl),
+    lambda { |dn| NO_NAME }
+  ]
+
   # Given a DN string, parse it into an OpenSSL certificate subject.  This
   # method will flexibly handle both OpenSSl and RFC2253 formats, as given by
   # nginx and Apache, respectively.
@@ -12,13 +20,16 @@ module Puppet::Util::SSL
   #
   # @return [OpenSSL::X509::Name] the certificate subject
   def self.subject_from_dn(dn)
-    # try to parse both rfc2253 (Apache) and OpenSSL (nginx) formats
-    begin
-      subject = OpenSSL::X509::Name.parse_rfc2253(dn)
-    rescue OpenSSL::X509::NameError
-      subject = OpenSSL::X509::Name.parse_openssl(dn)
+    if is_possibly_valid_dn?(dn)
+      DN_PARSERS.each do |parser|
+        begin
+          return parser.call(dn)
+        rescue OpenSSL::X509::NameError
+        end
+      end
+    else
+      NO_NAME
     end
-    subject
   end
 
   ##
@@ -35,4 +46,8 @@ module Puppet::Util::SSL
       (subject.to_a.assoc('CN') || [])[1]
     end
   end
+
+  def self.is_possibly_valid_dn?(dn)
+    dn =~ /=/
+  end
 end

data/lib/puppet/version.rb

@@ -7,7 +7,7 @@
 
 
 module Puppet
-  PUPPETVERSION = '3.2.0-rc2'
+  PUPPETVERSION = '3.2.1-rc1'
 
   ##
   # version is a public API method intended to always provide a fast and

data/spec/unit/network/http/rack/rest_spec.rb

@@ -253,6 +253,23 @@ describe "Puppet::Network::HTTP::RackREST", :if => Puppet.features.rack? do
         @handler.expects(:resolve_node).returns("host.domain.com")
         @handler.params(req)[:node].should == "host.domain.com"
       end
+
+      it "should resolve the node name with an ip address look-up if a certificate without a CN is present" do
+        Puppet[:ssl_client_header] = "myheader"
+        req = mk_req('/', "myheader" => "O=no CN")
+        @handler.expects(:resolve_node).returns("host.domain.com")
+        @handler.params(req)[:node].should == "host.domain.com"
+      end
+
+      it "should not allow authentication via the verify header if there is no CN available" do
+        Puppet[:ssl_client_header] = "dn_header"
+        Puppet[:ssl_client_verify_header] = "verify_header"
+        req = mk_req('/', "dn_header" => "O=no CN", "verify_header" => 'SUCCESS')
+
+        @handler.expects(:resolve_node).returns("host.domain.com")
+
+        @handler.params(req)[:authenticated].should be_false
+      end
     end
   end
 end

data/spec/unit/provider/package/sun_spec.rb

@@ -5,14 +5,6 @@ describe Puppet::Type.type(:package).provider(:sun) do
   let(:resource) { Puppet::Type.type(:package).new(:name => 'dummy', :ensure => :installed, :provider => :sun) }
   let(:provider) { resource.provider }
 
-  before(:each) do
-    # Stub some provider methods to avoid needing the actual software
-    # installed, so we can test on whatever platform we want.
-    provider.class.stubs(:command).with(:pkginfo).returns('/usr/bin/pkginfo')
-    provider.class.stubs(:command).with(:pkgadd).returns('/usr/sbin/pkgadd')
-    provider.class.stubs(:command).with(:pkgrm).returns('/usr/sbin/pkgrm')
-  end
-
   describe 'provider features' do
     it { should be_installable }
     it { should be_uninstallable }
@@ -35,7 +27,7 @@ describe Puppet::Type.type(:package).provider(:sun) do
     end
 
     it "should install a package if it is not present on update" do
-      Puppet::Util::Execution.expects(:execute).with(['/usr/bin/pkginfo', '-l', 'dummy'], {:failonfail => false, :combine => false}).returns File.read(my_fixture('dummy.server'))
+      provider.expects(:pkginfo).with('-l', 'dummy').returns File.read(my_fixture('dummy.server'))
       provider.expects(:pkgrm).with(['-n', 'dummy'])
       provider.expects(:install)
       provider.update
@@ -74,7 +66,7 @@ describe Puppet::Type.type(:package).provider(:sun) do
 
   context '#query' do
     it "should find the package on query" do
-      Puppet::Util::Execution.expects(:execute).with(['/usr/bin/pkginfo', '-l', 'dummy'], {:failonfail => false, :combine => false}).returns File.read(my_fixture('dummy.server'))
+      provider.expects(:pkginfo).with('-l', 'dummy').returns File.read(my_fixture('dummy.server'))
       provider.query.should == {
         :name     => 'SUNWdummy',
         :category=>"system",
@@ -87,19 +79,19 @@ describe Puppet::Type.type(:package).provider(:sun) do
     end
 
     it "shouldn't find the package on query if it is not present" do
-      Puppet::Util::Execution.expects(:execute).with(['/usr/bin/pkginfo', '-l', 'dummy'], {:failonfail => false, :combine => false}).returns 'ERROR: information for "dummy" not found.'
+      provider.expects(:pkginfo).with('-l', 'dummy').raises Puppet::ExecutionFailure, "Execution of 'pkginfo -l dummy' returned 3: ERROR: information for \"dummy\" not found."
       provider.query.should == {:ensure => :absent}
     end
 
     it "unknown message should raise error." do
-      Puppet::Util::Execution.expects(:execute).with(['/usr/bin/pkginfo', '-l', 'dummy'], {:failonfail => false, :combine => false}).returns 'RANDOM'
-      lambda { provider.query }.should raise_error(Puppet::Error)
+      provider.expects(:pkginfo).with('-l', 'dummy').returns 'RANDOM'
+      expect { provider.query }.to raise_error Puppet::Error
     end
   end
 
   context '#instance' do
     it "should list instances when there are packages in the system" do
-      Puppet::Util::Execution.expects(:execute).with(['/usr/bin/pkginfo', '-l']).returns File.read(my_fixture('simple'))
+      described_class.expects(:pkginfo).with('-l').returns File.read(my_fixture('simple'))
       instances = provider.class.instances.map { |p| {:name => p.get(:name), :ensure => p.get(:ensure)} }
       instances.size.should == 2
       instances[0].should == {
@@ -113,7 +105,7 @@ describe Puppet::Type.type(:package).provider(:sun) do
     end
 
     it "should return empty if there were no packages" do
-      Puppet::Util::Execution.expects(:execute).with(['/usr/bin/pkginfo', '-l']).returns ''
+      described_class.expects(:pkginfo).with('-l').returns ''
       instances = provider.class.instances
       instances.size.should == 0
     end