puppet 4.9.4 → 4.10.0

data/spec/unit/provider/package/pkg_spec.rb

@@ -9,6 +9,8 @@ describe Puppet::Type.type(:package).provider(:pkg) do
     # Get a pid for $CHILD_STATUS to latch on to
     command = "cmd.exe /c \"exit 0\""
     Puppet::Util::Execution.execute(command, {:failonfail => false})
+  else
+    Puppet::Util::Execution.execute('exit 0', {:failonfail => false})
   end
 
   before :each do

data/spec/unit/provider/service/src_spec.rb

@@ -167,6 +167,11 @@ _EOF_
       @provider.expects(:execute).with(['/usr/bin/lssrc', '-s', "myservice"]).returns sample_output
       expect(@provider.status).to eq(nil)
     end
+
+    it "should consider a non-existing service to be have a status of :stopped" do
+      @provider.expects(:execute).with(['/usr/bin/lssrc', '-s', 'myservice']).raises(Puppet::ExecutionFailure, "fail")
+      expect(@provider.status).to eq(:stopped)
+    end
   end
 
   describe "when restarting a service" do

data/spec/unit/ssl/base_spec.rb

@@ -45,6 +45,15 @@ describe Puppet::SSL::Certificate do
     end
   end
 
+  describe "when initializing wrapped class from a file with #read" do
+    it "should open the file with ASCII encoding" do
+      path = '/foo/bar/cert'
+      Puppet::SSL::Base.stubs(:valid_certname).returns(true)
+      Puppet::FileSystem.expects(:read).with(path, :encoding => Encoding::ASCII).returns("bar")
+      @base.read(path)
+    end
+  end
+
   describe "#digest_algorithm" do
     let(:content) { stub 'content' }
     let(:base) {

data/spec/unit/ssl/certificate_authority_spec.rb

@@ -167,7 +167,7 @@ describe Puppet::SSL::CertificateAuthority do
       Puppet::FileSystem.expects(:exist?).with(Puppet[:capass]).returns false
 
       fh = StringIO.new
-      Puppet.settings.setting(:capass).expects(:open).with('w').yields fh
+      Puppet.settings.setting(:capass).expects(:open).with('w:ASCII').yields fh
 
       @ca.stubs(:sign)
 
@@ -1067,7 +1067,7 @@ describe "CertificateAuthority.generate" do
   end
 
   def expect_to_write_the_ca_password
-    Puppet.settings.setting(:capass).expects(:open).with('w')
+    Puppet.settings.setting(:capass).expects(:open).with('w:ASCII')
   end
 
   def expect_ca_initialization

data/spec/unit/ssl/certificate_request_attributes_spec.rb

@@ -9,6 +9,12 @@ describe Puppet::SSL::CertificateRequestAttributes do
       "custom_attributes" => {
         "1.3.6.1.4.1.34380.2.2"=>[3232235521, 3232235777], # system IPs in hex
         "1.3.6.1.4.1.34380.2.0"=>"hostname.domain.com",
+        # different UTF-8 widths
+        # 1-byte A
+        # 2-byte ۿ - http://www.fileformat.info/info/unicode/char/06ff/index.htm - 0xDB 0xBF / 219 191
+        # 3-byte ᚠ - http://www.fileformat.info/info/unicode/char/16A0/index.htm - 0xE1 0x9A 0xA0 / 225 154 160
+        # 4-byte 𠜎 - http://www.fileformat.info/info/unicode/char/2070E/index.htm - 0xF0 0xA0 0x9C 0x8E / 240 160 156 142
+        "1.2.840.113549.1.9.7"=>"utf8passwordA\u06FF\u16A0\u{2070E}"
       }
     }
   end

data/spec/unit/ssl/certificate_request_spec.rb

@@ -60,7 +60,7 @@ describe Puppet::SSL::CertificateRequest do
 
     it "should be able to read requests from disk" do
       path = "/my/path"
-      File.expects(:read).with(path).returns("my request")
+      Puppet::FileSystem.expects(:read).with(path, :encoding => Encoding::ASCII).returns("my request")
       my_req = mock 'request'
       OpenSSL::X509::Request.expects(:new).with("my request").returns(my_req)
       expect(request.read(path)).to equal(my_req)

data/spec/unit/ssl/certificate_spec.rb

@@ -162,7 +162,7 @@ describe Puppet::SSL::Certificate do
 
     it "should be able to read certificates from disk" do
       path = "/my/path"
-      File.expects(:read).with(path).returns("my certificate")
+      Puppet::FileSystem.expects(:read).with(path, :encoding => Encoding::ASCII).returns("my certificate")
       certificate = mock 'certificate'
       OpenSSL::X509::Certificate.expects(:new).with("my certificate").returns(certificate)
       expect(@certificate.read(path)).to equal(certificate)

data/spec/unit/ssl/configuration_spec.rb

@@ -9,6 +9,13 @@ describe Puppet::SSL::Configuration do
 
   let(:ssl_server_ca_auth) { "/path/to/certs/ssl_server_ca_auth.pem" }
 
+  # different UTF-8 widths
+  # 1-byte A
+  # 2-byte ۿ - http://www.fileformat.info/info/unicode/char/06ff/index.htm - 0xDB 0xBF / 219 191
+  # 3-byte ᚠ - http://www.fileformat.info/info/unicode/char/16A0/index.htm - 0xE1 0x9A 0xA0 / 225 154 160
+  # 4-byte 𠜎 - http://www.fileformat.info/info/unicode/char/2070E/index.htm - 0xF0 0xA0 0x9C 0x8E / 240 160 156 142
+  let (:mixed_utf8) { "A\u06FF\u16A0\u{2070E}" } # Aۿᚠ𠜎
+
   it "should require the localcacert argument" do
     expect { subject }.to raise_error ArgumentError
   end
@@ -44,8 +51,7 @@ describe Puppet::SSL::Configuration do
     end
 
     it "#ca_auth_certificates returns an Array<OpenSSL::X509::Certificate>" do
-      subject.stubs(:read_file).returns(master_ca_pem + root_ca_pem)
-
+      Puppet::FileSystem.expects(:read).with(subject.ca_auth_file, :encoding => Encoding::UTF_8).returns(master_ca_pem + root_ca_pem)
       certs = subject.ca_auth_certificates
       certs.each { |cert| expect(cert).to be_a_kind_of OpenSSL::X509::Certificate }
     end
@@ -67,6 +73,7 @@ describe Puppet::SSL::Configuration do
   # certificates.  It is signed by the Root CA.
   def master_ca_pem
     @master_ca_pem ||= <<-AUTH_BUNDLE
+# Master CA #{mixed_utf8}
 -----BEGIN CERTIFICATE-----
 MIICljCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBJMRAwDgYDVQQDDAdSb290
 IENBMRowGAYDVQQLDBFTZXJ2ZXIgT3BlcmF0aW9uczEZMBcGA1UECgwQRXhhbXBs
@@ -89,6 +96,7 @@ l1k75xLLIcrlsDYo3999KOSSchH2K7bLT7TuQ2okdP6FHWmeWmudewlu
   # This is the Root CA
   def root_ca_pem
     @root_ca_pem ||= <<-LOCALCACERT
+# Root CA #{mixed_utf8}
 -----BEGIN CERTIFICATE-----
 MIICYDCCAcmgAwIBAgIJALf2Pk2HvtBzMA0GCSqGSIb3DQEBBQUAMEkxEDAOBgNV
 BAMMB1Jvb3QgQ0ExGjAYBgNVBAsMEVNlcnZlciBPcGVyYXRpb25zMRkwFwYDVQQK
@@ -111,6 +119,7 @@ rPsNU/Tx19jHC87oXlmAePLI4IaUHXrWb7CRbY9TEcPdmj1R
   # signed by the Root CA.
   def agent_ca_pem
     @agent_ca_pem ||= <<-AGENT_CA
+# Agent CA #{mixed_utf8}
 -----BEGIN CERTIFICATE-----
 MIIClTCCAf6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBJMRAwDgYDVQQDDAdSb290
 IENBMRowGAYDVQQLDBFTZXJ2ZXIgT3BlcmF0aW9uczEZMBcGA1UECgwQRXhhbXBs

data/spec/unit/ssl/inventory_spec.rb

@@ -5,6 +5,14 @@ require 'puppet/ssl/inventory'
 
 describe Puppet::SSL::Inventory, :unless => Puppet.features.microsoft_windows? do
   let(:cert_inventory) { File.expand_path("/inven/tory") }
+
+  # different UTF-8 widths
+  # 1-byte A
+  # 2-byte ۿ - http://www.fileformat.info/info/unicode/char/06ff/index.htm - 0xDB 0xBF / 219 191
+  # 3-byte ᚠ - http://www.fileformat.info/info/unicode/char/16A0/index.htm - 0xE1 0x9A 0xA0 / 225 154 160
+  # 4-byte ܎ - http://www.fileformat.info/info/unicode/char/2070E/index.htm - 0xF0 0xA0 0x9C 0x8E / 240 160 156 142
+  let (:mixed_utf8) { "A\u06FF\u16A0\u{2070E}" } # Aۿᚠ܎
+
   before do
     @class = Puppet::SSL::Inventory
   end
@@ -56,7 +64,7 @@ describe Puppet::SSL::Inventory, :unless => Puppet.features.microsoft_windows? d
     describe "and adding a certificate" do
 
       it "should use the Settings to write to the file" do
-        Puppet.settings.setting(:cert_inventory).expects(:open).with("a")
+        Puppet.settings.setting(:cert_inventory).expects(:open).with('a:UTF-8')
 
         @inventory.add(@cert)
       end
@@ -66,7 +74,7 @@ describe Puppet::SSL::Inventory, :unless => Puppet.features.microsoft_windows? d
         cert.content = @cert
 
         fh = StringIO.new
-        Puppet.settings.setting(:cert_inventory).expects(:open).with("a").yields(fh)
+        Puppet.settings.setting(:cert_inventory).expects(:open).with('a:UTF-8').yields(fh)
 
         @inventory.expects(:format).with(@cert).returns "myformat"
 
@@ -74,6 +82,22 @@ describe Puppet::SSL::Inventory, :unless => Puppet.features.microsoft_windows? d
 
         expect(fh.string).to eq("myformat")
       end
+
+      it "can use UTF-8 in the CN per RFC 5280" do
+        cert = Puppet::SSL::Certificate.new("mycert")
+        cert.content = stub 'cert',
+          :serial => 1,
+          :not_before => Time.now,
+          :not_after => Time.now,
+          :subject => "/CN=#{mixed_utf8}"
+
+        fh = StringIO.new
+        Puppet.settings.setting(:cert_inventory).expects(:open).with('a:UTF-8').yields(fh)
+
+        @inventory.add(cert)
+
+        expect(fh.string).to match(/\/CN=#{mixed_utf8}/)
+      end
     end
 
     describe "and formatting a certificate" do
@@ -118,7 +142,7 @@ describe Puppet::SSL::Inventory, :unless => Puppet.features.microsoft_windows? d
       end
 
       it "should return the all the serial numbers from the lines matching the provided name" do
-        File.expects(:readlines).with(cert_inventory).returns ["0x00f blah blah /CN=me\n", "0x001 blah blah /CN=you\n", "0x002 blah blah /CN=me\n"]
+        File.expects(:readlines).with(cert_inventory, :encoding => Encoding::UTF_8).returns ["0x00f blah blah /CN=me\n", "0x001 blah blah /CN=you\n", "0x002 blah blah /CN=me\n"]
 
         expect(@inventory.serials("me")).to eq([15, 2])
       end

data/spec/unit/ssl/key_spec.rb

@@ -63,7 +63,7 @@ describe Puppet::SSL::Key do
 
     it "should be able to read keys from disk" do
       path = "/my/path"
-      File.expects(:read).with(path).returns("my key")
+      Puppet::FileSystem.expects(:read).with(path, :encoding => Encoding::ASCII).returns("my key")
       key = mock 'key'
       OpenSSL::PKey::RSA.expects(:new).returns(key)
       expect(@key.read(path)).to equal(key)
@@ -76,9 +76,9 @@ describe Puppet::SSL::Key do
 
       path = "/my/path"
 
-      File.stubs(:read).with(path).returns("my key")
+      Puppet::FileSystem.stubs(:read).with(path, :encoding => Encoding::ASCII).returns("my key")
       OpenSSL::PKey::RSA.expects(:new).with("my key", nil).returns(mock('key'))
-      File.expects(:read).with("/path/to/password").never
+      Puppet::FileSystem.expects(:read).with("/path/to/password", :encoding => Encoding::BINARY).never
 
       @key.read(path)
     end
@@ -88,8 +88,8 @@ describe Puppet::SSL::Key do
       @key.password_file = "/path/to/password"
 
       path = "/my/path"
-      File.expects(:read).with(path).returns("my key")
-      File.expects(:read).with("/path/to/password").returns("my password")
+      Puppet::FileSystem.expects(:read).with(path, :encoding => Encoding::ASCII).returns("my key")
+      Puppet::FileSystem.expects(:read).with("/path/to/password", :encoding => Encoding::BINARY).returns("my password")
 
       key = mock 'key'
       OpenSSL::PKey::RSA.expects(:new).with("my key", "my password").returns(key)
@@ -155,7 +155,7 @@ describe Puppet::SSL::Key do
     describe "with a password file set" do
       it "should return a nil password if the password file does not exist" do
         Puppet::FileSystem.expects(:exist?).with("/path/to/pass").returns false
-        File.expects(:read).with("/path/to/pass").never
+        Puppet::FileSystem.expects(:read).with("/path/to/pass", :encoding => Encoding::BINARY).never
 
         @instance.password_file = "/path/to/pass"
 
@@ -164,7 +164,7 @@ describe Puppet::SSL::Key do
 
       it "should return the contents of the password file as its password" do
         Puppet::FileSystem.expects(:exist?).with("/path/to/pass").returns true
-        File.expects(:read).with("/path/to/pass").returns "my password"
+        Puppet::FileSystem.expects(:read).with("/path/to/pass", :encoding => Encoding::BINARY).returns "my password"
 
         @instance.password_file = "/path/to/pass"
 

data/spec/unit/type/exec_spec.rb

@@ -67,7 +67,12 @@ describe Puppet::Type.type(:exec) do
 
       it "should report a failure" do
         expect { exec_tester('false', 1).refresh }.
-          to raise_error(Puppet::Error, /^false returned 1 instead of/)
+          to raise_error(Puppet::Error, /^'false' returned 1 instead of/)
+      end
+
+      it "should redact sensitive commands on failure" do
+        expect { exec_tester('false', 1, :sensitive_parameters => [:command]).refresh }.
+            to raise_error(Puppet::Error, /^\[command redacted\] returned 1 instead of/)
       end
 
       it "should not report a failure if the exit status is specified in a returns array" do
@@ -76,7 +81,12 @@ describe Puppet::Type.type(:exec) do
 
       it "should report a failure if the exit status is not specified in a returns array" do
         expect { exec_tester('false', 1, :returns => [0, 100]).refresh }.
-          to raise_error(Puppet::Error, /^false returned 1 instead of/)
+          to raise_error(Puppet::Error, /^'false' returned 1 instead of/)
+      end
+
+      it "should report redact sensitive commands if the exit status is not specified in a returns array" do
+        expect { exec_tester('false', 1, :returns => [0, 100], :sensitive_parameters => [:command]).refresh }.
+            to raise_error(Puppet::Error, /^\[command redacted\] returned 1 instead of/)
       end
 
       it "should log the output on success" do
@@ -106,7 +116,19 @@ describe Puppet::Type.type(:exec) do
       it "should log the output on failure" do
         output = "output1\noutput2\n"
         expect { exec_tester('false', 1, :output => output, :logoutput => :on_failure).refresh }.
-          to raise_error(Puppet::Error, /^false returned 1 instead of/)
+          to raise_error(Puppet::Error, /^'false' returned 1 instead of/)
+
+        output.split("\n").each do |line|
+          log = @logs.shift
+          expect(log.level).to eq(:err)
+          expect(log.message).to eq(line)
+        end
+      end
+
+      it "should redact the command on failure" do
+        output = "output1\noutput2\n"
+        expect { exec_tester('false', 1, :output => output, :logoutput => :on_failure, :sensitive_parameters => [:command]).refresh }.
+            to raise_error(Puppet::Error, /^\[command redacted\] returned 1 instead of/)
 
         output.split("\n").each do |line|
           log = @logs.shift
@@ -121,7 +143,22 @@ describe Puppet::Type.type(:exec) do
         expect {
           exec_tester('false', 1, :output => output, :returns => [0, 100],
                :logoutput => :on_failure).refresh
-        }.to raise_error(Puppet::Error, /^false returned 1 instead of/)
+        }.to raise_error(Puppet::Error, /^'false' returned 1 instead of/)
+
+        output.split("\n").each do |line|
+          log = @logs.shift
+          expect(log.level).to eq(:err)
+          expect(log.message).to eq(line)
+        end
+      end
+
+      it "should redact the command on failure when returns is specified as an array" do
+        output = "output1\noutput2\n"
+
+        expect {
+          exec_tester('false', 1, :output => output, :returns => [0, 100],
+                      :logoutput => :on_failure, :sensitive_parameters => [:command]).refresh
+        }.to raise_error(Puppet::Error, /^\[command redacted\] returned 1 instead of/)
 
         output.split("\n").each do |line|
           log = @logs.shift

data/spec/unit/type/file_spec.rb

@@ -1598,7 +1598,10 @@ describe Puppet::Type.type(:file) do
       catalog.apply
 
       expect(Puppet::FileSystem.exist?(path)).to be_truthy
-      expect(@logs).not_to be_any {|l| l.level != :notice }
+      expect(@logs).not_to be_any { |l|
+        # the audit metaparameter is deprecated and logs a warning
+        l.level != :notice
+      }
     end
   end
 

data/spec/unit/util/character_encoding_spec.rb

@@ -0,0 +1,88 @@
+#! /usr/bin/env ruby
+require 'spec_helper'
+require 'puppet/util/character_encoding'
+
+describe Puppet::Util::CharacterEncoding do
+  describe "::convert_to_utf_8!" do
+    context "when passed a string that is already UTF-8" do
+      context "with valid encoding" do
+        it "should return the string unaltered" do
+          utf8_string = "\u06FF\u2603"
+          expect(Puppet::Util::CharacterEncoding.convert_to_utf_8!(utf8_string)).to eq(utf8_string)
+        end
+      end
+
+      context "with invalid encoding" do
+        let(:invalid_utf8_string) { "\xfd\xf1".force_encoding(Encoding::UTF_8) }
+
+        it "should issue a debug message" do
+          Puppet.expects(:debug).with(regexp_matches(/not valid UTF-8/))
+          Puppet::Util::CharacterEncoding.convert_to_utf_8!(invalid_utf8_string)
+        end
+
+        it "should return nil" do
+          expect(Puppet::Util::CharacterEncoding.convert_to_utf_8!(invalid_utf8_string)).to be_nil
+        end
+      end
+    end
+
+    context "when passed a string not in UTF-8 encoding" do
+      context "the bytes of which represent valid UTF-8" do
+        # I think this effectively what the ruby Etc module is doing when it
+        # returns strings read in from /etc/passwd and /etc/group
+        let(:iso_8859_1_string) { [225, 154, 160].pack('C*').force_encoding(Encoding::ISO_8859_1) }
+        let(:result) { Puppet::Util::CharacterEncoding.convert_to_utf_8!(iso_8859_1_string) }
+
+        it "should set external encoding to UTF-8" do
+          expect(result.encoding).to eq(Encoding::UTF_8)
+        end
+
+        it "should not modify the bytes (transcode) the string" do
+          expect(result.bytes.to_a).to eq([225, 154, 160])
+        end
+      end
+
+      context "the bytes of which do not represent valid UTF-8" do
+        it "should transcode the string to UTF-8 if it is transcodable" do
+          # http://www.fileformat.info/info/unicode/char/3050/index.htm
+          # ぐ - HIRAGANA LETTER GU
+          # In Shift_JIS: \x82 \xae - 130 174
+          # In Unicode: \u3050 - \xe3 \x81 \x90 - 227 129 144
+          # if we were only ruby > 2.3.0, we could do String.new("\x82\xae", :encoding => Encoding::Shift_JIS)
+          as_shift_jis = [130, 174].pack('C*').force_encoding(Encoding::Shift_JIS)
+          as_utf8 = "\u3050"
+
+          # this is not valid UTF-8
+          expect(as_shift_jis.dup.force_encoding(Encoding::UTF_8).valid_encoding?).to be_falsey
+
+          result = Puppet::Util::CharacterEncoding.convert_to_utf_8!(as_shift_jis)
+          expect(result).to eq(as_utf8)
+          # largely redundant but reinforces the point - this was transcoded:
+          expect(result.bytes.to_a).to eq([227, 129, 144])
+        end
+
+        context "if it is not transcodable" do
+          let(:as_ascii) { [254, 241].pack('C*').force_encoding(Encoding::ASCII) }
+          it "should issue a debug message and return nil if not transcodable" do
+            # An admittedly contrived case, but perhaps not so improbable
+            # http://www.fileformat.info/info/unicode/char/5e0c/index.htm
+            # 希 Han Character 'rare; hope, expect, strive for'
+            # In EUC_KR: \xfd \xf1 - 253 241
+            # In Unicode: \u5e0c - \xe5 \xb8 \x8c - 229 184 140
+
+            # If the original system value is in EUC_KR, and puppet (ruby) is run
+            # in ISO_8859_1, this value will be read in as ASCII, with invalid
+            # escape sequences in that encoding. It is also not valid unicode
+            # as-is. This scenario is one we can't recover from, so fail.
+            Puppet.expects(:debug).with(regexp_matches(/not valid UTF-8/))
+            Puppet::Util::CharacterEncoding.convert_to_utf_8!(as_ascii)
+          end
+
+          it "should return nil" do
+            expect(Puppet::Util::CharacterEncoding.convert_to_utf_8!(as_ascii)).to be_nil
+          end
+        end
+      end
+    end
+  end
+end

data/spec/unit/util/execution_spec.rb

@@ -512,6 +512,10 @@ describe Puppet::Util::Execution do
         Puppet::Util::Execution.expects(:debug).with("Executing with uid=100 gid=mygroup: 'echo hello'")
         Puppet::Util::Execution.execute('echo hello', {:uid => 100, :gid => 'mygroup'})
       end
+      it 'should redact commands in debug output when passed sensitive option' do
+        Puppet::Util::Execution.expects(:debug).with("Executing: '[redacted]'")
+        Puppet::Util::Execution.execute('echo hello', {:sensitive => true})
+      end
     end
 
     describe "after execution" do
@@ -587,6 +591,14 @@ describe Puppet::Util::Execution do
         }.to raise_error(Puppet::ExecutionFailure, /Execution of 'fail command' returned 1/)
       end
 
+      it "should raise an error with redacted sensitive command if failonfail is true and the child failed" do
+        stub_process_wait(1)
+
+        expect {
+          subject.execute('fail command', :failonfail => true, :sensitive => true)
+        }.to raise_error(Puppet::ExecutionFailure, /Execution of '\[redacted\]' returned 1/)
+      end
+
       it "should not raise an error if failonfail is false and the child failed" do
         stub_process_wait(1)