RubyGems - puppet - Versions diffs - 3.3.2 → 3.4.0.rc1 - Mend

puppet 3.3.2 → 3.4.0.rc1

Potentially problematic release.

This version of puppet might be problematic. Click here for more details.

Files changed (589) hide show

data/CONTRIBUTING.md +22 -0
data/Gemfile +11 -2
data/README.md +13 -17
data/README_DEVELOPER.md +1 -1
data/Rakefile +1 -1
data/examples/hiera/README.md +4 -4
data/ext/debian/puppetmaster.init +1 -0
data/ext/debian/rules +2 -5
data/ext/nagios/check_puppet.rb +7 -7
data/ext/osx/file_mapping.yaml +1 -1
data/ext/osx/preflight.erb +34 -19
data/ext/rack/{files/config.ru → config.ru} +0 -0
data/ext/rack/{files/apache2.conf → example-passenger-vhost.conf} +6 -0
data/ext/redhat/puppet.spec.erb +20 -2
data/ext/systemd/{puppetagent.service → puppet.service} +0 -0
data/lib/hiera_puppet.rb +2 -2
data/lib/puppet/agent.rb +1 -6
data/lib/puppet/application.rb +15 -2
data/lib/puppet/application/agent.rb +2 -7
data/lib/puppet/application/apply.rb +8 -13
data/lib/puppet/application/cert.rb +47 -7
data/lib/puppet/application/device.rb +1 -6
data/lib/puppet/application/face_base.rb +1 -1
data/lib/puppet/application/filebucket.rb +1 -1
data/lib/puppet/application/inspect.rb +3 -12
data/lib/puppet/application/master.rb +1 -6
data/lib/puppet/application/queue.rb +1 -6
data/lib/puppet/application/resource.rb +2 -6
data/lib/puppet/coercion.rb +11 -0
data/lib/puppet/configurer.rb +5 -3
data/lib/puppet/configurer/downloader.rb +3 -1
data/lib/puppet/configurer/plugin_handler.rb +10 -0
data/lib/puppet/confine.rb +80 -0
data/lib/puppet/{provider/confine → confine}/exists.rb +3 -3
data/lib/puppet/{provider/confine → confine}/false.rb +2 -2
data/lib/puppet/{provider/confine → confine}/feature.rb +2 -2
data/lib/puppet/{provider/confine → confine}/true.rb +2 -2
data/lib/puppet/{provider/confine → confine}/variable.rb +2 -2
data/lib/puppet/{provider/confine_collection.rb → confine_collection.rb} +4 -4
data/lib/puppet/{provider/confiner.rb → confiner.rb} +4 -4
data/lib/puppet/daemon.rb +2 -6
data/lib/puppet/data_binding.rb +2 -30
data/lib/puppet/defaults.rb +283 -174
data/lib/puppet/error.rb +1 -0
data/lib/puppet/external/nagios.rb +0 -2
data/lib/puppet/external/nagios/base.rb +4 -3
data/lib/puppet/external/nagios/grammar.ry +173 -112
data/lib/puppet/external/nagios/parser.rb +233 -184
data/lib/puppet/face/file/store.rb +1 -1
data/lib/puppet/face/module/generate.rb +5 -7
data/lib/puppet/face/parser.rb +12 -2
data/lib/puppet/face/plugin.rb +6 -0
data/lib/puppet/feature/base.rb +16 -0
data/lib/puppet/feature/external_facts.rb +5 -0
data/lib/puppet/feature/libuser.rb +1 -1
data/lib/puppet/feature/msgpack.rb +1 -0
data/lib/puppet/feature/rails.rb +2 -2
data/lib/puppet/file_bucket/dipper.rb +8 -6
data/lib/puppet/file_bucket/file.rb +17 -1
data/lib/puppet/file_serving/base.rb +21 -10
data/lib/puppet/file_serving/configuration.rb +5 -7
data/lib/puppet/file_serving/configuration/parser.rb +1 -1
data/lib/puppet/file_serving/content.rb +1 -1
data/lib/puppet/file_serving/fileset.rb +3 -3
data/lib/puppet/file_serving/metadata.rb +22 -18
data/lib/puppet/file_serving/mount/file.rb +1 -1
data/lib/puppet/file_serving/mount/pluginfacts.rb +35 -0
data/lib/puppet/file_system.rb +3 -0
data/lib/puppet/file_system/file.rb +261 -0
data/lib/puppet/file_system/file18.rb +5 -0
data/lib/puppet/file_system/file19.rb +5 -0
data/lib/puppet/file_system/file19windows.rb +113 -0
data/lib/puppet/file_system/memory_file.rb +31 -0
data/lib/puppet/file_system/tempfile.rb +20 -0
data/lib/puppet/indirector/active_record.rb +1 -0
data/lib/puppet/indirector/catalog/compiler.rb +28 -0
data/lib/puppet/indirector/certificate_request/memory.rb +6 -0
data/lib/puppet/indirector/data_binding/hiera.rb +46 -2
data/lib/puppet/indirector/direct_file_server.rb +2 -2
data/lib/puppet/indirector/facts/facter.rb +25 -0
data/lib/puppet/indirector/file_bucket_file/file.rb +60 -74
data/lib/puppet/indirector/indirection.rb +5 -1
data/lib/puppet/indirector/json.rb +1 -1
data/lib/puppet/indirector/key/ca.rb +4 -0
data/lib/puppet/indirector/key/file.rb +7 -3
data/lib/puppet/indirector/key/memory.rb +6 -0
data/lib/puppet/indirector/node/write_only_yaml.rb +2 -2
data/lib/puppet/indirector/request.rb +17 -11
data/lib/puppet/indirector/resource/ral.rb +5 -0
data/lib/puppet/indirector/resource/rest.rb +1 -0
data/lib/puppet/indirector/resource/store_configs.rb +4 -0
data/lib/puppet/indirector/rest.rb +2 -1
data/lib/puppet/indirector/ssl_file.rb +7 -7
data/lib/puppet/indirector/terminus.rb +4 -0
data/lib/puppet/indirector/yaml.rb +3 -3
data/lib/puppet/interface/documentation.rb +4 -11
data/lib/puppet/module.rb +19 -6
data/lib/puppet/module_tool/applications/builder.rb +1 -1
data/lib/puppet/module_tool/applications/installer.rb +1 -1
data/lib/puppet/module_tool/checksums.rb +1 -1
data/lib/puppet/module_tool/dependency.rb +7 -3
data/lib/puppet/module_tool/metadata.rb +6 -2
data/lib/puppet/module_tool/tar.rb +2 -1
data/lib/puppet/module_tool/tar/gnu.rb +6 -2
data/lib/puppet/module_tool/tar/mini.rb +2 -0
data/lib/puppet/module_tool/tar/solaris.rb +2 -5
data/lib/puppet/network/authconfig.rb +0 -2
data/lib/puppet/network/authentication.rb +1 -1
data/lib/puppet/network/authstore.rb +6 -7
data/lib/puppet/network/format.rb +2 -3
data/lib/puppet/network/format_handler.rb +16 -11
data/lib/puppet/network/format_support.rb +14 -0
data/lib/puppet/network/formats.rb +26 -0
data/lib/puppet/network/http/connection.rb +8 -41
data/lib/puppet/network/http/handler.rb +28 -32
data/lib/puppet/network/http/webrick.rb +15 -22
data/lib/puppet/network/http_pool.rb +43 -9
data/lib/puppet/network/rights.rb +0 -0
data/lib/puppet/node.rb +24 -8
data/lib/puppet/node/environment.rb +18 -20
data/lib/puppet/node/facts.rb +23 -6
data/lib/puppet/parameter.rb +15 -2
data/lib/puppet/parameter/boolean.rb +5 -0
data/lib/puppet/parameter/value_collection.rb +6 -4
data/lib/puppet/parser/ast/resourceparam.rb +2 -1
data/lib/puppet/parser/compiler.rb +25 -9
data/lib/puppet/parser/files.rb +1 -1
data/lib/puppet/parser/functions.rb +12 -21
data/lib/puppet/parser/functions/collect.rb +6 -35
data/lib/puppet/parser/functions/contain.rb +26 -0
data/lib/puppet/parser/functions/create_resources.rb +5 -0
data/lib/puppet/parser/functions/extlookup.rb +2 -2
data/lib/puppet/parser/functions/file.rb +1 -1
data/lib/puppet/parser/functions/{reject.rb → filter.rb} +13 -12
data/lib/puppet/parser/functions/fqdn_rand.rb +13 -5
data/lib/puppet/parser/functions/include.rb +18 -1
data/lib/puppet/parser/functions/map.rb +44 -0
data/lib/puppet/parser/functions/select.rb +6 -38
data/lib/puppet/parser/lexer.rb +1 -1
data/lib/puppet/parser/parser_support.rb +1 -1
data/lib/puppet/parser/resource.rb +6 -45
data/lib/puppet/parser/scope.rb +33 -2
data/lib/puppet/parser/type_loader.rb +4 -60
data/lib/puppet/pops/binder/bindings_loader.rb +1 -1
data/lib/puppet/pops/binder/config/binder_config.rb +3 -3
data/lib/puppet/pops/binder/hiera2/bindings_provider.rb +1 -1
data/lib/puppet/pops/binder/scheme_handler/confdir_hiera_scheme.rb +1 -1
data/lib/puppet/pops/binder/scheme_handler/module_hiera_scheme.rb +2 -2
data/lib/puppet/pops/issues.rb +4 -0
data/lib/puppet/pops/model/ast_transformer.rb +4 -1
data/lib/puppet/pops/model/model_label_provider.rb +1 -1
data/lib/puppet/pops/parser/egrammar.ra +5 -24
data/lib/puppet/pops/parser/eparser.rb +859 -902
data/lib/puppet/pops/parser/lexer.rb +48 -30
data/lib/puppet/pops/parser/parser_support.rb +1 -1
data/lib/puppet/pops/patterns.rb +4 -4
data/lib/puppet/pops/utils.rb +1 -1
data/lib/puppet/pops/validation/checker3_1.rb +25 -20
data/lib/puppet/provider.rb +23 -6
data/lib/puppet/provider/aixobject.rb +0 -0
data/lib/puppet/provider/augeas/augeas.rb +21 -5
data/lib/puppet/provider/confine.rb +5 -79
data/lib/puppet/provider/cron/crontab.rb +0 -0
data/lib/puppet/provider/exec.rb +9 -7
data/lib/puppet/provider/exec/posix.rb +10 -1
data/lib/puppet/provider/exec/windows.rb +1 -1
data/lib/puppet/provider/file/posix.rb +1 -0
data/lib/puppet/provider/file/windows.rb +16 -5
data/lib/puppet/provider/group/aix.rb +0 -0
data/lib/puppet/provider/group/windows_adsi.rb +33 -1
data/lib/puppet/provider/macauthorization/macauthorization.rb +1 -1
data/lib/puppet/provider/mailalias/aliases.rb +0 -0
data/lib/puppet/provider/maillist/mailman.rb +0 -0
data/lib/puppet/provider/mount/parsed.rb +0 -0
data/lib/puppet/provider/nameservice/directoryservice.rb +3 -3
data/lib/puppet/provider/package/appdmg.rb +1 -1
data/lib/puppet/provider/package/apple.rb +1 -1
data/lib/puppet/provider/package/apt.rb +1 -1
data/lib/puppet/provider/package/aptitude.rb +0 -0
data/lib/puppet/provider/package/blastwave.rb +1 -1
data/lib/puppet/provider/package/dpkg.rb +1 -1
data/lib/puppet/provider/package/fink.rb +1 -1
data/lib/puppet/provider/package/freebsd.rb +0 -0
data/lib/puppet/provider/package/gem.rb +0 -0
data/lib/puppet/provider/package/macports.rb +0 -0
data/lib/puppet/provider/package/msi.rb +4 -10
data/lib/puppet/provider/package/nim.rb +8 -8
data/lib/puppet/provider/package/openbsd.rb +1 -1
data/lib/puppet/provider/package/opkg.rb +0 -0
data/lib/puppet/provider/package/pacman.rb +2 -2
data/lib/puppet/provider/package/pkgdmg.rb +1 -1
data/lib/puppet/provider/package/pkgutil.rb +1 -1
data/lib/puppet/provider/package/ports.rb +0 -0
data/lib/puppet/provider/package/rpm.rb +39 -3
data/lib/puppet/provider/package/sun.rb +3 -3
data/lib/puppet/provider/package/sunfreeware.rb +0 -0
data/lib/puppet/provider/package/windows.rb +12 -19
data/lib/puppet/provider/package/windows/package.rb +1 -1
data/lib/puppet/provider/package/yum.rb +2 -2
data/lib/puppet/provider/parsedfile.rb +0 -0
data/lib/puppet/provider/port/parsed.rb +0 -0
data/lib/puppet/provider/service/base.rb +0 -0
data/lib/puppet/provider/service/bsd.rb +3 -3
data/lib/puppet/provider/service/daemontools.rb +8 -8
data/lib/puppet/provider/service/debian.rb +0 -0
data/lib/puppet/provider/service/freebsd.rb +3 -3
data/lib/puppet/provider/service/init.rb +5 -4
data/lib/puppet/provider/service/launchd.rb +35 -24
data/lib/puppet/provider/service/openbsd.rb +23 -0
data/lib/puppet/provider/service/redhat.rb +0 -0
data/lib/puppet/provider/service/runit.rb +3 -3
data/lib/puppet/provider/service/smf.rb +0 -0
data/lib/puppet/provider/service/src.rb +0 -0
data/lib/puppet/provider/service/systemd.rb +0 -0
data/lib/puppet/provider/service/upstart.rb +3 -3
data/lib/puppet/provider/ssh_authorized_key/parsed.rb +2 -2
data/lib/puppet/provider/sshkey/parsed.rb +0 -0
data/lib/puppet/provider/user/aix.rb +0 -0
data/lib/puppet/provider/user/directoryservice.rb +1 -1
data/lib/puppet/provider/user/useradd.rb +1 -1
data/lib/puppet/provider/zone/solaris.rb +1 -1
data/lib/puppet/rails/benchmark.rb +1 -1
data/lib/puppet/reference/configuration.rb +1 -2
data/lib/puppet/reference/indirection.rb +12 -14
data/lib/puppet/relationship.rb +7 -4
data/lib/puppet/reports.rb +2 -2
data/lib/puppet/reports/rrdgraph.rb +1 -1
data/lib/puppet/reports/store.rb +3 -3
data/lib/puppet/reports/tagmail.rb +2 -2
data/lib/puppet/resource.rb +66 -8
data/lib/puppet/resource/catalog.rb +18 -25
data/lib/puppet/resource/status.rb +10 -4
data/lib/puppet/run.rb +6 -2
data/lib/puppet/settings.rb +39 -119
data/lib/puppet/settings/base_setting.rb +8 -9
data/lib/puppet/settings/directory_setting.rb +8 -0
data/lib/puppet/settings/file_setting.rb +35 -1
data/lib/puppet/settings/priority_setting.rb +42 -0
data/lib/puppet/ssl.rb +4 -0
data/lib/puppet/ssl/certificate.rb +18 -0
data/lib/puppet/ssl/certificate_authority.rb +101 -72
data/lib/puppet/ssl/certificate_authority/autosign_command.rb +44 -0
data/lib/puppet/ssl/certificate_authority/interface.rb +21 -17
data/lib/puppet/ssl/certificate_factory.rb +38 -12
data/lib/puppet/ssl/certificate_request.rb +201 -47
data/lib/puppet/ssl/certificate_request_attributes.rb +34 -0
data/lib/puppet/ssl/certificate_revocation_list.rb +2 -2
data/lib/puppet/ssl/host.rb +21 -10
data/lib/puppet/ssl/inventory.rb +6 -10
data/lib/puppet/ssl/key.rb +1 -1
data/lib/puppet/ssl/oids.rb +78 -0
data/lib/puppet/ssl/validator.rb +41 -97
data/lib/puppet/ssl/validator/default_validator.rb +153 -0
data/lib/puppet/ssl/validator/no_validator.rb +17 -0
data/lib/puppet/status.rb +4 -0
data/lib/puppet/test/test_helper.rb +5 -0
data/lib/puppet/transaction.rb +13 -0
data/lib/puppet/transaction/event.rb +8 -3
data/lib/puppet/transaction/report.rb +6 -2
data/lib/puppet/transaction/resource_harness.rb +173 -115
data/lib/puppet/type.rb +30 -13
data/lib/puppet/type/augeas.rb +12 -46
data/lib/puppet/type/component.rb +1 -7
data/lib/puppet/type/cron.rb +0 -0
data/lib/puppet/type/exec.rb +13 -1
data/lib/puppet/type/file.rb +19 -10
data/lib/puppet/type/file/checksum.rb +0 -0
data/lib/puppet/type/file/content.rb +3 -0
data/lib/puppet/type/file/ensure.rb +33 -15
data/lib/puppet/type/file/group.rb +0 -0
data/lib/puppet/type/file/mode.rb +6 -2
data/lib/puppet/type/file/owner.rb +0 -0
data/lib/puppet/type/file/source.rb +65 -14
data/lib/puppet/type/file/target.rb +6 -6
data/lib/puppet/type/file/type.rb +0 -0
data/lib/puppet/type/filebucket.rb +0 -0
data/lib/puppet/type/group.rb +18 -0
data/lib/puppet/type/host.rb +0 -0
data/lib/puppet/type/k5login.rb +4 -4
data/lib/puppet/type/mailalias.rb +0 -0
data/lib/puppet/type/maillist.rb +0 -0
data/lib/puppet/type/mount.rb +15 -1
data/lib/puppet/type/package.rb +7 -1
data/lib/puppet/type/port.rb +0 -0
data/lib/puppet/type/schedule.rb +9 -4
data/lib/puppet/type/service.rb +1 -1
data/lib/puppet/type/sshkey.rb +0 -0
data/lib/puppet/type/tidy.rb +1 -1
data/lib/puppet/type/user.rb +3 -0
data/lib/puppet/type/yumrepo.rb +8 -6
data/lib/puppet/type/zpool.rb +0 -0
data/lib/puppet/util.rb +4 -31
data/lib/puppet/util/adsi.rb +73 -17
data/lib/puppet/util/autoload.rb +3 -3
data/lib/puppet/util/backups.rb +4 -4
data/lib/puppet/util/cacher.rb +7 -13
data/lib/puppet/util/checksums.rb +2 -2
data/lib/puppet/util/classgen.rb +3 -1
data/lib/puppet/util/colors.rb +1 -0
data/lib/puppet/util/command_line.rb +5 -0
data/lib/puppet/util/docs.rb +33 -27
data/lib/puppet/util/execution.rb +42 -18
data/lib/puppet/util/filetype.rb +3 -3
data/lib/puppet/util/instance_loader.rb +2 -2
data/lib/puppet/util/instrumentation.rb +23 -42
data/lib/puppet/util/instrumentation/data.rb +11 -4
data/lib/puppet/util/instrumentation/indirection_probe.rb +11 -4
data/lib/puppet/util/instrumentation/instrumentable.rb +7 -14
data/lib/puppet/util/instrumentation/listener.rb +15 -8
data/lib/puppet/util/instrumentation/listeners/log.rb +4 -10
data/lib/puppet/util/instrumentation/listeners/performance.rb +8 -14
data/lib/puppet/util/limits.rb +12 -0
data/lib/puppet/util/lockfile.rb +2 -2
data/lib/puppet/util/log.rb +14 -6
data/lib/puppet/util/log/destinations.rb +23 -1
data/lib/puppet/util/metric.rb +9 -3
data/lib/puppet/util/monkey_patches.rb +7 -2
data/lib/puppet/util/network_device/config.rb +1 -1
data/lib/puppet/util/plugins.rb +1 -1
data/lib/puppet/util/posix.rb +0 -0
data/lib/puppet/util/profiler.rb +7 -2
data/lib/puppet/util/provider_features.rb +2 -2
data/lib/puppet/util/rdoc.rb +28 -30
data/lib/puppet/util/rdoc/code_objects.rb +75 -25
data/lib/puppet/util/rdoc/generators/puppet_generator.rb +1 -1
data/lib/puppet/util/rdoc/parser.rb +12 -487
data/lib/puppet/util/rdoc/parser/puppet_parser_core.rb +477 -0
data/lib/puppet/util/rdoc/parser/puppet_parser_rdoc1.rb +19 -0
data/lib/puppet/util/rdoc/parser/puppet_parser_rdoc2.rb +14 -0
data/lib/puppet/util/reference.rb +1 -1
data/lib/puppet/util/resource_template.rb +1 -1
data/lib/puppet/util/selinux.rb +1 -1
data/lib/puppet/util/storage.rb +2 -2
data/lib/puppet/util/suidmanager.rb +1 -1
data/lib/puppet/util/tag_set.rb +29 -0
data/lib/puppet/util/tagging.rb +8 -24
data/lib/puppet/util/watched_file.rb +1 -1
data/lib/puppet/util/watcher.rb +1 -1
data/lib/puppet/util/windows.rb +3 -0
data/lib/puppet/util/windows/access_control_entry.rb +84 -0
data/lib/puppet/util/windows/access_control_list.rb +106 -0
data/lib/puppet/util/windows/file.rb +213 -0
data/lib/puppet/util/windows/process.rb +199 -0
data/lib/puppet/util/windows/root_certs.rb +52 -37
data/lib/puppet/util/windows/security.rb +270 -245
data/lib/puppet/util/windows/security_descriptor.rb +62 -0
data/lib/puppet/util/windows/sid.rb +26 -4
data/lib/puppet/version.rb +2 -2
data/spec/fixtures/releases/jamtur01-apache/lib/puppet/provider/a2mod/debian.rb +1 -1
data/spec/fixtures/unit/indirector/{hiera → data_binding/hiera}/global.yaml +0 -0
data/spec/fixtures/unit/indirector/data_binding/hiera/invalid.yaml +1 -0
data/spec/fixtures/unit/module/trailing-comma.json +24 -0
data/spec/fixtures/unit/util/monkey_patches/x509.pem +32 -0
data/spec/integration/application/apply_spec.rb +1 -1
data/spec/integration/application/doc_spec.rb +1 -1
data/spec/integration/configurer_spec.rb +4 -2
data/spec/integration/data_binding.rb +100 -0
data/spec/integration/indirector/catalog/compiler_spec.rb +16 -13
data/spec/integration/indirector/direct_file_server_spec.rb +3 -5
data/spec/integration/indirector/file_content/file_server_spec.rb +2 -2
data/spec/integration/node/facts_spec.rb +1 -1
data/spec/integration/node_spec.rb +1 -1
data/spec/integration/parser/compiler_spec.rb +90 -0
data/spec/integration/parser/parser_spec.rb +2 -2
data/spec/integration/provider/cron/crontab_spec.rb +3 -5
data/spec/integration/resource/catalog_spec.rb +1 -1
data/spec/integration/ssl/autosign_spec.rb +90 -0
data/spec/integration/ssl/certificate_authority_spec.rb +62 -69
data/spec/integration/ssl/certificate_revocation_list_spec.rb +1 -1
data/spec/integration/ssl/host_spec.rb +1 -1
data/spec/integration/transaction_spec.rb +13 -13
data/spec/integration/type/exec_spec.rb +2 -2
data/spec/integration/type/file_spec.rb +287 -45
data/spec/integration/type/tidy_spec.rb +3 -3
data/spec/integration/util/rdoc/parser_spec.rb +236 -35
data/spec/integration/util/settings_spec.rb +1 -1
data/spec/integration/util/windows/process_spec.rb +22 -0
data/spec/integration/util/windows/security_spec.rb +316 -106
data/spec/lib/matchers/containment_matchers.rb +52 -0
data/spec/lib/puppet_spec/compiler.rb +6 -0
data/spec/lib/puppet_spec/files.rb +20 -21
data/spec/shared_behaviours/documentation_on_faces.rb +3 -3
data/spec/shared_behaviours/file_server_terminus.rb +2 -2
data/spec/shared_contexts/platform.rb +1 -0
data/spec/spec_helper.rb +13 -1
data/spec/unit/agent_spec.rb +0 -12
data/spec/unit/application/agent_spec.rb +4 -4
data/spec/unit/application/apply_spec.rb +18 -2
data/spec/unit/application/cert_spec.rb +8 -6
data/spec/unit/application/device_spec.rb +1 -1
data/spec/unit/application/filebucket_spec.rb +1 -1
data/spec/unit/application/inspect_spec.rb +1 -1
data/spec/unit/application_spec.rb +24 -0
data/spec/unit/configurer/downloader_spec.rb +8 -7
data/spec/unit/configurer/fact_handler_spec.rb +23 -0
data/spec/unit/configurer/plugin_handler_spec.rb +7 -2
data/spec/unit/configurer_spec.rb +15 -5
data/spec/unit/{provider/confine → confine}/exists_spec.rb +12 -12
data/spec/unit/{provider/confine → confine}/false_spec.rb +9 -9
data/spec/unit/{provider/confine → confine}/feature_spec.rb +10 -10
data/spec/unit/{provider/confine → confine}/true_spec.rb +7 -7
data/spec/unit/{provider/confine → confine}/variable_spec.rb +16 -16
data/spec/unit/{provider/confine_collection_spec.rb → confine_collection_spec.rb} +30 -30
data/spec/unit/{provider/confine_spec.rb → confine_spec.rb} +11 -11
data/spec/unit/{provider/confiner_spec.rb → confiner_spec.rb} +4 -4
data/spec/unit/face/parser_spec.rb +54 -0
data/spec/unit/file_bucket/dipper_spec.rb +2 -2
data/spec/unit/file_serving/base_spec.rb +32 -9
data/spec/unit/file_serving/configuration_spec.rb +7 -7
data/spec/unit/file_serving/content_spec.rb +12 -7
data/spec/unit/file_serving/fileset_spec.rb +57 -27
data/spec/unit/file_serving/metadata_spec.rb +74 -12
data/spec/unit/file_serving/mount/file_spec.rb +10 -10
data/spec/unit/file_serving/mount/pluginfacts_spec.rb +73 -0
data/spec/unit/file_system/file_spec.rb +486 -0
data/spec/unit/file_system/tempfile_spec.rb +48 -0
data/spec/unit/graph/relationship_graph_spec.rb +0 -6
data/spec/unit/hiera_puppet_spec.rb +2 -2
data/spec/unit/indirector/catalog/compiler_spec.rb +15 -19
data/spec/unit/indirector/certificate_status/file_spec.rb +30 -40
data/spec/unit/indirector/data_binding/hiera_spec.rb +95 -2
data/spec/unit/indirector/direct_file_server_spec.rb +6 -6
data/spec/unit/indirector/facts/facter_spec.rb +33 -0
data/spec/unit/indirector/file_bucket_file/file_spec.rb +61 -52
data/spec/unit/indirector/file_metadata/file_spec.rb +2 -2
data/spec/unit/indirector/file_server_spec.rb +4 -4
data/spec/unit/indirector/json_spec.rb +4 -4
data/spec/unit/indirector/key/file_spec.rb +13 -14
data/spec/unit/indirector/resource/ral_spec.rb +7 -0
data/spec/unit/indirector/resource/store_configs_spec.rb +11 -0
data/spec/unit/indirector/rest_spec.rb +7 -3
data/spec/unit/indirector/ssl_file_spec.rb +14 -17
data/spec/unit/indirector/yaml_spec.rb +4 -4
data/spec/unit/module_spec.rb +43 -15
data/spec/unit/module_tool/tar/gnu_spec.rb +2 -2
data/spec/unit/module_tool/tar/solaris_spec.rb +2 -2
data/spec/unit/module_tool/tar_spec.rb +45 -0
data/spec/unit/network/authconfig_spec.rb +2 -1
data/spec/unit/network/authentication_spec.rb +2 -2
data/spec/unit/network/format_handler_spec.rb +2 -2
data/spec/unit/network/formats_spec.rb +24 -0
data/spec/unit/network/http/connection_spec.rb +76 -199
data/spec/unit/network/http/handler_spec.rb +33 -34
data/spec/unit/network/http_pool_spec.rb +8 -5
data/spec/unit/node/environment_spec.rb +76 -90
data/spec/unit/node/facts_spec.rb +20 -3
data/spec/unit/node_spec.rb +43 -0
data/spec/unit/parameter/boolean_spec.rb +22 -12
data/spec/unit/parser/ast/resourceparam_spec.rb +51 -0
data/spec/unit/parser/compiler_spec.rb +103 -35
data/spec/unit/parser/eparser_adapter_spec.rb +12 -12
data/spec/unit/parser/files_spec.rb +11 -11
data/spec/unit/parser/functions/contain_spec.rb +185 -0
data/spec/unit/parser/functions/create_resources_spec.rb +13 -5
data/spec/unit/parser/functions/generate_spec.rb +1 -1
data/spec/unit/parser/functions_spec.rb +2 -2
data/spec/unit/parser/lexer_spec.rb +1 -1
data/spec/unit/parser/methods/each_spec.rb +1 -1
data/spec/unit/parser/methods/{select_spec.rb → filter_spec.rb} +11 -11
data/spec/unit/parser/methods/map_spec.rb +95 -0
data/spec/unit/parser/methods/reduce_spec.rb +12 -11
data/spec/unit/parser/methods/shared.rb +5 -5
data/spec/unit/parser/methods/slice_spec.rb +13 -13
data/spec/unit/parser/parser_spec.rb +1 -1
data/spec/unit/parser/resource/param_spec.rb +44 -0
data/spec/unit/parser/resource_spec.rb +16 -15
data/spec/unit/pops/model/ast_transformer_spec.rb +18 -4
data/spec/unit/pops/parser/lexer_spec.rb +22 -5
data/spec/unit/pops/parser/parse_calls_spec.rb +5 -5
data/spec/unit/pops/transformer/transform_calls_spec.rb +6 -6
data/spec/unit/pops/transformer/transform_containers_spec.rb +2 -2
data/spec/unit/pops/validator/validator_spec.rb +31 -0
data/spec/unit/provider/augeas/augeas_spec.rb +57 -2
data/spec/unit/provider/exec/posix_spec.rb +8 -3
data/spec/unit/provider/file/posix_spec.rb +2 -2
data/spec/unit/provider/group/windows_adsi_spec.rb +70 -3
data/spec/unit/provider/nameservice/directoryservice_spec.rb +3 -3
data/spec/unit/provider/package/apt_spec.rb +1 -1
data/spec/unit/provider/package/msi_spec.rb +15 -42
data/spec/unit/provider/package/openbsd_spec.rb +3 -3
data/spec/unit/provider/package/rpm_spec.rb +56 -13
data/spec/unit/provider/package/windows_spec.rb +15 -19
data/spec/unit/provider/service/base_spec.rb +1 -1
data/spec/unit/provider/service/daemontools_spec.rb +18 -8
data/spec/unit/provider/service/freebsd_spec.rb +3 -3
data/spec/unit/provider/service/gentoo_spec.rb +5 -2
data/spec/unit/provider/service/init_spec.rb +17 -17
data/spec/unit/provider/service/launchd_spec.rb +76 -23
data/spec/unit/provider/service/openbsd_spec.rb +125 -0
data/spec/unit/provider/service/openwrt_spec.rb +1 -1
data/spec/unit/provider/service/runit_spec.rb +12 -5
data/spec/unit/provider/service/upstart_spec.rb +4 -4
data/spec/unit/provider/ssh_authorized_key/parsed_spec.rb +5 -5
data/spec/unit/provider/user/directoryservice_spec.rb +4 -4
data/spec/unit/provider/zone/solaris_spec.rb +1 -1
data/spec/unit/provider_spec.rb +2 -2
data/spec/unit/reports/http_spec.rb +19 -34
data/spec/unit/reports/store_spec.rb +2 -2
data/spec/unit/resource/catalog_spec.rb +81 -11
data/spec/unit/resource/status_spec.rb +11 -1
data/spec/unit/resource/type_spec.rb +30 -1
data/spec/unit/resource_spec.rb +40 -4
data/spec/unit/settings/file_setting_spec.rb +2 -2
data/spec/unit/settings/path_setting_spec.rb +2 -2
data/spec/unit/settings/priority_setting_spec.rb +66 -0
data/spec/unit/settings_spec.rb +16 -31
data/spec/unit/ssl/certificate_authority/autosign_command_spec.rb +30 -0
data/spec/unit/ssl/certificate_authority_spec.rb +129 -134
data/spec/unit/ssl/certificate_factory_spec.rb +18 -0
data/spec/unit/ssl/certificate_request_attributes_spec.rb +61 -0
data/spec/unit/ssl/certificate_request_spec.rb +103 -0
data/spec/unit/ssl/certificate_spec.rb +31 -18
data/spec/unit/ssl/host_spec.rb +34 -8
data/spec/unit/ssl/inventory_spec.rb +27 -62
data/spec/unit/ssl/key_spec.rb +4 -4
data/spec/unit/ssl/oids_spec.rb +48 -0
data/spec/unit/ssl/validator_spec.rb +49 -6
data/spec/unit/status_spec.rb +9 -0
data/spec/unit/transaction/event_spec.rb +1 -9
data/spec/unit/transaction/report_spec.rb +20 -1
data/spec/unit/transaction/resource_harness_spec.rb +60 -210
data/spec/unit/transaction_spec.rb +54 -8
data/spec/unit/type/component_spec.rb +2 -2
data/spec/unit/type/exec_spec.rb +14 -7
data/spec/unit/type/file/content_spec.rb +13 -2
data/spec/unit/type/file/ctime_spec.rb +1 -1
data/spec/unit/type/file/mode_spec.rb +48 -2
data/spec/unit/type/file/mtime_spec.rb +1 -1
data/spec/unit/type/file/source_spec.rb +177 -7
data/spec/unit/type/file_spec.rb +63 -71
data/spec/unit/type/group_spec.rb +20 -0
data/spec/unit/type/k5login_spec.rb +3 -3
data/spec/unit/type/mount_spec.rb +53 -0
data/spec/unit/type/nagios_spec.rb +216 -0
data/spec/unit/type/package_spec.rb +7 -1
data/spec/unit/type/schedule_spec.rb +6 -0
data/spec/unit/type/service_spec.rb +3 -3
data/spec/unit/type/tidy_spec.rb +14 -14
data/spec/unit/type/user_spec.rb +9 -0
data/spec/unit/type_spec.rb +86 -4
data/spec/unit/util/adsi_spec.rb +120 -12
data/spec/unit/util/autoload_spec.rb +14 -14
data/spec/unit/util/backups_spec.rb +29 -21
data/spec/unit/util/checksums_spec.rb +2 -1
data/spec/unit/util/command_line_spec.rb +41 -0
data/spec/unit/util/docs_spec.rb +91 -0
data/spec/unit/util/execution_spec.rb +26 -2
data/spec/unit/util/filetype_spec.rb +7 -7
data/spec/unit/util/lockfile_spec.rb +2 -2
data/spec/unit/util/log/destinations_spec.rb +32 -0
data/spec/unit/util/monkey_patches_spec.rb +41 -0
data/spec/unit/util/pidlock_spec.rb +6 -6
data/spec/unit/util/rdoc/parser_spec.rb +15 -13
data/spec/unit/util/rdoc_spec.rb +18 -24
data/spec/unit/util/resource_template_spec.rb +3 -3
data/spec/unit/util/selinux_spec.rb +4 -2
data/spec/unit/util/storage_spec.rb +4 -4
data/spec/unit/util/suidmanager_spec.rb +7 -0
data/spec/unit/util/tag_set_spec.rb +46 -0
data/spec/unit/util/tagging_spec.rb +82 -45
data/spec/unit/util/watcher_spec.rb +4 -1
data/spec/unit/util/windows/access_control_entry_spec.rb +67 -0
data/spec/unit/util/windows/access_control_list_spec.rb +133 -0
data/spec/unit/util/windows/root_certs_spec.rb +10 -8
data/spec/unit/util/windows/security_descriptor_spec.rb +117 -0
data/spec/unit/util/windows/sid_spec.rb +69 -0
data/spec/unit/util_spec.rb +7 -7
data/tasks/ci.rake +17 -36
metadata +2811 -2746
checksums.yaml +0 -7
data/examples/mac_automount.pp +0 -16
data/examples/mcx_dock_absent.pp +0 -4
data/examples/mcx_dock_default.pp +0 -118
data/examples/mcx_dock_full.pp +0 -125
data/examples/mcx_dock_invalid.pp +0 -9
data/examples/mcx_nogroup.pp +0 -118
data/examples/mcx_notexists_absent.pp +0 -4
data/ext/rack/README +0 -58
data/ext/rack/manifest.pp +0 -59
data/lib/puppet/external/lock.rb +0 -63
data/lib/puppet/indirector/hiera.rb +0 -39
data/lib/puppet/parser/functions/foreach.rb +0 -95
data/spec/integration/network/server/webrick_spec.rb +0 -76
data/spec/integration/parser/functions_spec.rb +0 -16
data/spec/unit/indirector/hiera_spec.rb +0 -154
data/spec/unit/parser/methods/collect_spec.rb +0 -153
data/spec/unit/parser/methods/foreach_spec.rb +0 -91
data/spec/unit/parser/methods/reject_spec.rb +0 -73
data/spec/unit/resource/resource_type.json +0 -34

data/lib/puppet/ssl/inventory.rb CHANGED

@@ -8,11 +8,7 @@ class Puppet::SSL::Inventory
   # Add a certificate to our inventory.
   def add(cert)
     cert = cert.content if cert.is_a?(Puppet::SSL::Certificate)
-    # Create our file, if one does not already exist.
-    rebuild unless FileTest.exist?(@path)
-    Puppet.settings.write(:cert_inventory, "a") do |f|
+    Puppet.settings.setting(:cert_inventory).open("a") do |f|
       f.print format(cert)
     end
   end
@@ -32,16 +28,16 @@ class Puppet::SSL::Inventory
   def rebuild
     Puppet.notice "Rebuilding inventory file"
-    Puppet.settings.write(:cert_inventory) do |f|
-      f.print "# Inventory of signed certificates\n# SERIAL NOT_BEFORE NOT_AFTER SUBJECT\n"
+    Puppet.settings.setting(:cert_inventory).open('w') do |f|
+      Puppet::SSL::Certificate.indirection.search("*").each do |cert|
+        f.print format(cert.content)
+      end
     end
-    Puppet::SSL::Certificate.indirection.search("*").each { |cert| add(cert) }
   end
   # Find the serial number for a given certificate.
   def serial(name)
-    return nil unless FileTest.exist?(@path)
+    return nil unless Puppet::FileSystem::File.exist?(@path)
     File.readlines(@path).each do |line|
       next unless line =~ /^(\S+).+\/CN=#{name}$/

data/lib/puppet/ssl/key.rb CHANGED

@@ -36,7 +36,7 @@ DOC
   end
   def password
-    return nil unless password_file and FileTest.exist?(password_file)
+    return nil unless password_file and Puppet::FileSystem::File.exist?(password_file)
     ::File.read(password_file)
   end

data/lib/puppet/ssl/oids.rb ADDED

@@ -0,0 +1,78 @@
+require 'puppet/ssl'
+# This module defines OIDs for use within Puppet.
+#
+# == ASN.1 Definition
+#
+# The following is the formal definition of OIDs specified in this file.
+#
+# puppetCertExtensions OBJECT IDENTIFIER ::= {iso(1) identified-organization(3)
+#    dod(6) internet(1) private(4) enterprise(1) 34380 1}
+#
+# -- the tree under registeredExtensions 'belongs' to puppetlabs
+# -- privateExtensions can be extended by enterprises to suit their own needs
+# registeredExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 1 }
+# privateExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 2 }
+#
+# -- subtree of common registered extensions
+# -- The short names for these OIDs are intentionally lowercased and formatted
+# -- since they may be exposed inside the Puppet DSL as variables.
+# pp_uuid  OBJECT IDENTIFIER ::= { registeredExtensions 1 }
+# pp_instance_id OBJECT IDENTIFIER ::= { registeredExtensions 2 }
+# pp_image_name OBJECT IDENTIFIER ::= { registeredExtensions 3 }
+# pp_preshared_key OBJECT IDENTIFIER ::= { registeredExtensions 4 }
+#
+# @api private
+module Puppet::SSL::Oids
+  PUPPET_OIDS = [
+    ["1.3.6.1.4.1.34380", 'puppetlabs', 'Puppet Labs'],
+    ["1.3.6.1.4.1.34380.1", 'ppCertExt', 'Puppet Certificate Extension'],
+    ["1.3.6.1.4.1.34380.1.1", 'ppRegCertExt', 'Puppet Registered Certificate Extension'],
+    ["1.3.6.1.4.1.34380.1.1.1", 'pp_uuid', 'Puppet Node UUID'],
+    ["1.3.6.1.4.1.34380.1.1.2", 'pp_instance_id', 'Puppet Node Instance ID'],
+    ["1.3.6.1.4.1.34380.1.1.3", 'pp_image_name', 'Puppet Node Image Name'],
+    ["1.3.6.1.4.1.34380.1.1.4", 'pp_preshared_key', 'Puppet Node Preshared Key'],
+    ["1.3.6.1.4.1.34380.1.2", 'ppPrivCertExt', 'Puppet Private Certificate Extension'],
+  ]
+  PUPPET_OIDS.each do |oid_defn|
+    OpenSSL::ASN1::ObjectId.register(*oid_defn)
+  end
+  # Determine if the first OID contains the second OID
+  #
+  # @param first [String] The containing OID, in dotted form or as the short name
+  # @param second [String] The contained OID, in dotted form or as the short name
+  # @param exclusive [true, false] If an OID should not be considered as a subtree of itself
+  #
+  # @example Comparing two dotted OIDs
+  #   Puppet::SSL::Oids.subtree_of?('1.3.6.1', '1.3.6.1.4.1') #=> true
+  #   Puppet::SSL::Oids.subtree_of?('1.3.6.1', '1.3.6') #=> false
+  #
+  # @example Comparing an OID short name with a dotted OID
+  #   Puppet::SSL::Oids.subtree_of?('IANA', '1.3.6.1.4.1') #=> true
+  #   Puppet::SSL::Oids.subtree_of?('1.3.6.1', 'enterprises') #=> true
+  #
+  # @example Comparing an OID against itself
+  #   Puppet::SSL::Oids.subtree_of?('IANA', 'IANA') #=> true
+  #   Puppet::SSL::Oids.subtree_of?('IANA', 'IANA', true) #=> false
+  #
+  # @return [true, false]
+  def self.subtree_of?(first, second, exclusive = false)
+    first_oid = OpenSSL::ASN1::ObjectId.new(first).oid
+    second_oid = OpenSSL::ASN1::ObjectId.new(second).oid
+    if exclusive and first_oid == second_oid
+      false
+    else
+      second_oid.index(first_oid) == 0
+    end
+  rescue OpenSSL::ASN1::ASN1Error
+    false
+  end
+end

data/lib/puppet/ssl/validator.rb CHANGED

@@ -1,116 +1,60 @@
-require 'puppet/ssl'
 require 'openssl'
-module Puppet
-module SSL
-class Validator
-  attr_reader :peer_certs
-  attr_reader :verify_errors
-  attr_reader :ssl_configuration
-  ##
-  # @param [Hash] opts the options to initialze the instance with.
-  #
-  # @option opts [Puppet::SSL::Configuration] :ssl_configuration to use for
-  #   authorizing the peer certificate chain.
-  def initialize(opts = {})
-    reset!
-    @ssl_configuration = opts[:ssl_configuration] or raise ArgumentError, ":ssl_configuration is required"
-  end
+# API for certificate verification
+#
+# @api public
+class Puppet::SSL::Validator
-  ##
-  # reset to the initial state.
-  def reset!
-    @peer_certs = []
-    @verify_errors = []
+  # Factory method for creating an instance of a null/no validator.
+  # This method does not have to be implemented by concrete implementations of this API.
+  #
+  # @return [Puppet::SSL::Validator] produces a validator that performs no validation
+  #
+  # @api public
+  #
+  def self.no_validator()
+    @@no_validator_cache ||= Puppet::SSL::Validator::NoValidator.new()
   end
-  ##
-  # call performs verification of the SSL connection and collection of the
-  # certificates for use in constructing the error message if the verification
-  # failed.  This callback will be executed once for each certificate in a
-  # chain being verified.
+  # Factory method for creating an instance of the default Puppet validator.
+  # This method does not have to be implemented by concrete implementations of this API.
   #
-  # From the [OpenSSL
-  # documentation](http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html):
-  # The `verify_callback` function is used to control the behaviour when the
-  # SSL_VERIFY_PEER flag is set. It must be supplied by the application and
-  # receives two arguments: preverify_ok indicates, whether the verification of
-  # the certificate in question was passed (preverify_ok=1) or not
-  # (preverify_ok=0). x509_ctx is a pointer to the complete context used for
-  # the certificate chain verification.
+  # @return [Puppet::SSL::Validator] produces a validator that performs no validation
   #
-  # See {Puppet::Network::HTTP::Connection} for more information and where this
-  # class is intended to be used.
+  # @api public
   #
-  # @param [Boolean] preverify_ok indicates whether the verification of the
-  #   certificate in question was passed (preverify_ok=true)
-  # @param [OpenSSL::SSL::SSLContext] ssl_context holds the SSLContext for the
-  #   chain being verified.
-  #
-  # @return [Boolean] false if the peer is invalid, true otherwise.
-  def call(preverify_ok, ssl_context)
-    # We must make a copy since the scope of the ssl_context will be lost
-    # across invocations of this method.
-    current_cert = ssl_context.current_cert
-    @peer_certs << Puppet::SSL::Certificate.from_instance(current_cert)
-    if preverify_ok
-      # If we've copied all of the certs in the chain out of the SSL library
-      if @peer_certs.length == ssl_context.chain.length
-        # (#20027) The peer cert must be issued by a specific authority
-        preverify_ok = valid_peer?
-      end
-    else
-      if ssl_context.error_string
-        @verify_errors << "#{ssl_context.error_string} for #{current_cert.subject}"
-      end
-    end
-    preverify_ok
-  rescue => ex
-    @verify_errors << ex.message
-    false
+  def self.default_validator()
+    Puppet::SSL::Validator::DefaultValidator.new()
   end
-  ##
-  # Register the instance's call method with the connection.
+  # Array of peer certificates
+  # @return [Array<Puppet::SSL::Certificate>] peer certificates
   #
-  # @param [Net::HTTP] connection The connection to velidate
+  # @api public
   #
-  # @return [void]
-  def register_verify_callback(connection)
-    connection.verify_callback = self
+  def peer_certs
+    raise NotImplementedError, "Concrete class should have implemented this method"
   end
-  ##
-  # Validate the peer certificates against the authorized certificates.
-  def valid_peer?
-    descending_cert_chain = @peer_certs.reverse.map {|c| c.content }
-    authz_ca_certs = ssl_configuration.ca_auth_certificates
-    if not has_authz_peer_cert(descending_cert_chain, authz_ca_certs)
-      msg = "The server presented a SSL certificate chain which does not include a " <<
-        "CA listed in the ssl_client_ca_auth file.  "
-      msg << "Authorized Issuers: #{authz_ca_certs.collect {|c| c.subject}.join(', ')}  " <<
-        "Peer Chain: #{descending_cert_chain.collect {|c| c.subject}.join(' => ')}"
-      @verify_errors << msg
-      false
-    else
-      true
-    end
+  # Contains the result of validation
+  # @return [Array<String>, nil] nil, empty Array, or Array with messages
+  #
+  # @api public
+  #
+  def verify_errors
+    raise NotImplementedError, "Concrete class should have implemented this method"
   end
-  ##
-  # checks if the set of peer_certs contains at least one certificate issued
-  # by a certificate listed in authz_certs
+  # Registers the connection to validate.
+  #
+  # @param [Net::HTTP] connection The connection to validate
+  #
+  # @return [void]
   #
-  # @return [Boolean]
-  def has_authz_peer_cert(peer_certs, authz_certs)
-    peer_certs.any? do |peer_cert|
-      authz_certs.any? do |authz_cert|
-        peer_cert.verify(authz_cert.public_key)
-      end
-    end
+  # @api public
+  #
+  def setup_connection(connection)
+    raise NotImplementedError, "Concrete class should have implemented this method"
   end
 end
-end
-end

data/lib/puppet/ssl/validator/default_validator.rb ADDED

@@ -0,0 +1,153 @@
+require 'openssl'
+# Perform peer certificate verification against the known CA.
+# If there is no CA information known, then no verification is performed
+#
+# @api private
+#
+class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
+  attr_reader :peer_certs
+  attr_reader :verify_errors
+  attr_reader :ssl_configuration
+  # Creates a new DefaultValidator, optionally with an SSL Configuration and SSL Host.
+  #
+  # @param [Puppet::SSL::Configuration] (a default configuration) ssl_configuration the SSL configuration to use
+  # @param [Puppet::SSL::Host] (Puppet::SSL::Host.localhost) the SSL host to use
+  #
+  # @api private
+  #
+  def initialize(
+      ssl_configuration = Puppet::SSL::Configuration.new(
+                                        Puppet[:localcacert], {
+                                          :ca_chain_file => Puppet[:ssl_client_ca_chain],
+                                          :ca_auth_file  => Puppet[:ssl_client_ca_auth]
+                                        }),
+      ssl_host = Puppet::SSL::Host.localhost)
+    reset!
+    @ssl_configuration = ssl_configuration
+    @ssl_host = ssl_host
+  end
+  # Resets this validator to its initial validation state. The ssl configuration is not changed.
+  #
+  # @api private
+  #
+  def reset!
+    @peer_certs = []
+    @verify_errors = []
+  end
+  # Performs verification of the SSL connection and collection of the
+  # certificates for use in constructing the error message if the verification
+  # failed.  This callback will be executed once for each certificate in a
+  # chain being verified.
+  #
+  # From the [OpenSSL
+  # documentation](http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html):
+  # The `verify_callback` function is used to control the behaviour when the
+  # SSL_VERIFY_PEER flag is set. It must be supplied by the application and
+  # receives two arguments: preverify_ok indicates, whether the verification of
+  # the certificate in question was passed (preverify_ok=1) or not
+  # (preverify_ok=0). x509_ctx is a pointer to the complete context used for
+  # the certificate chain verification.
+  #
+  # See {Puppet::Network::HTTP::Connection} for more information and where this
+  # class is intended to be used.
+  #
+  # @param [Boolean] preverify_ok indicates whether the verification of the
+  #   certificate in question was passed (preverify_ok=true)
+  # @param [OpenSSL::SSL::SSLContext] ssl_context holds the SSLContext for the
+  #   chain being verified.
+  #
+  # @return [Boolean] false if the peer is invalid, true otherwise.
+  #
+  # @api private
+  #
+  def call(preverify_ok, ssl_context)
+    # We must make a copy since the scope of the ssl_context will be lost
+    # across invocations of this method.
+    current_cert = ssl_context.current_cert
+    @peer_certs << Puppet::SSL::Certificate.from_instance(current_cert)
+    if preverify_ok
+      # If we've copied all of the certs in the chain out of the SSL library
+      if @peer_certs.length == ssl_context.chain.length
+        # (#20027) The peer cert must be issued by a specific authority
+        preverify_ok = valid_peer?
+      end
+    else
+      if ssl_context.error_string
+        @verify_errors << "#{ssl_context.error_string} for #{current_cert.subject}"
+      end
+    end
+    preverify_ok
+  rescue => ex
+    @verify_errors << ex.message
+    false
+  end
+  # Registers the instance's call method with the connection.
+  #
+  # @param [Net::HTTP] connection The connection to validate
+  #
+  # @return [void]
+  #
+  # @api private
+  #
+  def setup_connection(connection)
+    if ssl_certificates_are_present?
+      connection.cert_store = @ssl_host.ssl_store
+      connection.ca_file = @ssl_configuration.ca_auth_file
+      connection.cert = @ssl_host.certificate.content
+      connection.key = @ssl_host.key.content
+      connection.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      connection.verify_callback = self
+    else
+      connection.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    end
+  end
+  # Validates the peer certificates against the authorized certificates.
+  #
+  # @api private
+  #
+  def valid_peer?
+    descending_cert_chain = @peer_certs.reverse.map {|c| c.content }
+    authz_ca_certs = ssl_configuration.ca_auth_certificates
+    if not has_authz_peer_cert(descending_cert_chain, authz_ca_certs)
+      msg = "The server presented a SSL certificate chain which does not include a " <<
+        "CA listed in the ssl_client_ca_auth file.  "
+      msg << "Authorized Issuers: #{authz_ca_certs.collect {|c| c.subject}.join(', ')}  " <<
+        "Peer Chain: #{descending_cert_chain.collect {|c| c.subject}.join(' => ')}"
+      @verify_errors << msg
+      false
+    else
+      true
+    end
+  end
+  # Checks if the set of peer_certs contains at least one certificate issued
+  # by a certificate listed in authz_certs
+  #
+  # @return [Boolean]
+  #
+  # @api private
+  #
+  def has_authz_peer_cert(peer_certs, authz_certs)
+    peer_certs.any? do |peer_cert|
+      authz_certs.any? do |authz_cert|
+        peer_cert.verify(authz_cert.public_key)
+      end
+    end
+  end
+  # @api private
+  #
+  def ssl_certificates_are_present?
+    Puppet::FileSystem::File.exist?(Puppet[:hostcert]) && Puppet::FileSystem::File.exist?(@ssl_configuration.ca_auth_file)
+  end
+end

data/lib/puppet/ssl/validator/no_validator.rb ADDED

@@ -0,0 +1,17 @@
+# Performs no SSL verification
+# @api private
+#
+class Puppet::SSL::Validator::NoValidator < Puppet::SSL::Validator
+  def setup_connection(connection)
+    connection.verify_mode = OpenSSL::SSL::VERIFY_NONE
+  end
+  def peer_certs
+    []
+  end
+  def verify_errors
+    []
+  end
+end