puppet 5.5.17-x86-mingw32 → 5.5.18-x86-mingw32

data/spec/unit/forge/forge_spec.rb

@@ -97,10 +97,8 @@ describe Puppet::Forge do
   def mock_proxy(port, proxy_args, result, &block)
     http = double("http client")
     proxy = double("http proxy")
-    proxy_class = double("http proxy class")
 
-    expect(Net::HTTP).to receive(:Proxy).with(*proxy_args).and_return(proxy_class)
-    expect(proxy_class).to receive(:new).with(host, port).and_return(proxy)
+    expect(Net::HTTP).to receive(:new).with(host, port, *proxy_args).and_return(proxy)
 
     expect(proxy).to receive(:open_timeout=)
     expect(proxy).to receive(:read_timeout=)

data/spec/unit/forge/repository_spec.rb

@@ -234,10 +234,8 @@ describe Puppet::Forge::Repository do
   def mock_proxy(port, proxy_args, result, &block)
     http = double("http client")
     proxy = double("http proxy")
-    proxy_class = double("http proxy class")
 
-    expect(Net::HTTP).to receive(:Proxy).with(*proxy_args).and_return(proxy_class)
-    expect(proxy_class).to receive(:new).with("fake.com", port).and_return(proxy)
+    expect(Net::HTTP).to receive(:new).with("fake.com", port, *proxy_args).and_return(proxy)
 
     expect(proxy).to receive(:open_timeout=)
     expect(proxy).to receive(:read_timeout=)

data/spec/unit/indirector/resource/ral_spec.rb

@@ -47,7 +47,7 @@ describe "Puppet::Resource::Ral" do
     end
 
     it "should convert ral resources into regular resources" do
-      my_resource = double("my user resource")
+      my_resource = double("my user resource", :title => "my user resource")
       my_instance = double("my user", :name => "root", :to_resource => my_resource)
 
       expect(Puppet::Type::User).to receive(:instances).and_return([ my_instance ])
@@ -55,7 +55,7 @@ describe "Puppet::Resource::Ral" do
     end
 
     it "should filter results by name if there's a name in the key" do
-      my_resource = double("my user resource")
+      my_resource = double("my user resource", title: "my user resource")
       allow(my_resource).to receive(:to_resource).and_return(my_resource)
       allow(my_resource).to receive(:[]).with(:name).and_return("root")
 
@@ -73,11 +73,11 @@ describe "Puppet::Resource::Ral" do
     end
 
     it "should filter results by query parameters" do
-      wrong_resource = double("my user resource")
+      wrong_resource = double("my user resource", title: "my user resource")
       allow(wrong_resource).to receive(:to_resource).and_return(wrong_resource)
       allow(wrong_resource).to receive(:[]).with(:name).and_return("root")
 
-      my_resource = double("wrong resource")
+      my_resource = double("wrong resource", title: "wrong resource")
       allow(my_resource).to receive(:to_resource).and_return(my_resource)
       allow(my_resource).to receive(:[]).with(:name).and_return("bob")
 

data/spec/unit/network/http/connection_spec.rb

@@ -266,4 +266,30 @@ describe Puppet::Network::HTTP::Connection do
 
     subject.get('/path')
   end
+
+  describe 'connection request errors' do
+    it "logs and raises generic http errors" do
+      generic_error = Net::HTTPError.new('generic error', double("response"))
+      expect_any_instance_of(Net::HTTP).to receive(:request).and_raise(generic_error)
+
+      expect(Puppet).to receive(:log_exception).with(anything, /^.*failed: generic error$/)
+      expect { subject.get('/foo') }.to raise_error(generic_error)
+    end
+
+    it "logs and raises timeout errors" do
+      timeout_error = Timeout::Error.new
+      expect_any_instance_of(Net::HTTP).to receive(:request).and_raise(timeout_error)
+
+      expect(Puppet).to receive(:log_exception).with(anything, /^.*timed out after .* seconds$/)
+      expect { subject.get('/foo') }.to raise_error(timeout_error)
+    end
+
+    it "logs and raises eof errors" do
+      eof_error = EOFError
+      expect_any_instance_of(Net::HTTP).to receive(:request).and_raise(eof_error)
+
+      expect(Puppet).to receive(:log_exception).with(anything, /^.*interrupted after .* seconds$/)
+      expect { subject.get('/foo') }.to raise_error(eof_error)
+    end
+  end
 end

data/spec/unit/pops/evaluator/evaluating_parser_spec.rb

@@ -442,21 +442,26 @@ describe 'Puppet::Pops::Evaluator::EvaluatorImpl' do
       }.each do |source, coerced_val|
           it "should warn about numeric coercion in '#{source}' when strict = warning" do
             Puppet[:strict] = :warning
+            expect(Puppet::Pops::Evaluator::Runtime3Support::EvaluationError).not_to receive(:new)
             collect_notices(source)
             expect(warnings).to include(/The string '#{coerced_val}' was automatically coerced to the numerical value #{coerced_val}/)
           end
 
           it "should not warn about numeric coercion in '#{source}' if strict = off" do
             Puppet[:strict] = :off
+            expect(Puppet::Pops::Evaluator::Runtime3Support::EvaluationError).not_to receive(:new)
             collect_notices(source)
             expect(warnings).to_not include(/The string '#{coerced_val}' was automatically coerced to the numerical value #{coerced_val}/)
           end
 
         it "should error when finding numeric coercion in '#{source}' if strict = error" do
           Puppet[:strict] = :error
-          expect { parser.evaluate_string(scope, source, __FILE__) }.to raise_error(
-            /The string '#{coerced_val}' was automatically coerced to the numerical value #{coerced_val}/
-            )
+          expect {
+            parser.evaluate_string(scope, source, __FILE__)
+          }.to raise_error {|error|
+            expect(error.message).to match(/The string '#{coerced_val}' was automatically coerced to the numerical value #{coerced_val}/)
+            expect(error.backtrace.first).to match(/runtime3_support\.rb.+optionally_fail/)
+          }
         end
       end
 

data/spec/unit/provider/exec_spec.rb

@@ -1,7 +1,12 @@
 require 'spec_helper'
 require 'puppet/provider/exec'
+require 'puppet_spec/compiler'
+require 'puppet_spec/files'
 
 describe Puppet::Provider::Exec do
+  include PuppetSpec::Compiler
+  include PuppetSpec::Files
+
   describe "#extractexe" do
     it "should return the first element of an array" do
       expect(subject.extractexe(['one', 'two'])).to eq('one')
@@ -31,4 +36,208 @@ describe Puppet::Provider::Exec do
       end
     end
   end
+
+  context "when handling sensitive data" do
+    before :each do
+      Puppet[:log_level] = 'debug'
+    end
+
+    let(:supersecret) { 'supersecret' }
+    let(:path) do
+      if Puppet::Util::Platform.windows?
+        # The `apply_compiled_manifest` helper doesn't add the `path` fact, so
+        # we can't reference that in our manifest. Windows PATHs can contain
+        # double quotes and trailing backslashes, which confuse HEREDOC
+        # interpolation below. So sanitize it:
+        ENV['PATH'].split(File::PATH_SEPARATOR).map do |dir|
+          dir.gsub(/"/, '\"').gsub(/\\$/, '')
+        end.join(File::PATH_SEPARATOR)
+      else
+        ENV['PATH']
+      end
+    end
+
+    def ruby_exit_0
+      "ruby -e 'exit 0'"
+    end
+
+    def echo_from_ruby_exit_0(message)
+      # Escape double quotes due to HEREDOC interpolation below
+      "ruby -e 'puts \"#{message}\"; exit 0'".gsub(/"/, '\"')
+    end
+
+    def echo_from_ruby_exit_1(message)
+      # Escape double quotes due to HEREDOC interpolation below
+      "ruby -e 'puts \"#{message}\"; exit 1'".gsub(/"/, '\"')
+    end
+
+    context "when validating the command" do
+      it "redacts the arguments if the command is relative" do
+        expect {
+          apply_compiled_manifest(<<-MANIFEST)
+            exec { 'echo':
+              command => Sensitive.new('echo #{supersecret}')
+            }
+          MANIFEST
+        }.to raise_error do |err|
+          expect(err).to be_a(Puppet::Error)
+          expect(err.message).to match(/'echo' is not qualified and no path was specified. Please qualify the command or specify a path./)
+          expect(err.message).to_not match(/#{supersecret}/)
+        end
+      end
+
+      it "redacts the arguments if the command is a directory" do
+        dir = tmpdir('exec')
+        apply_compiled_manifest(<<-MANIFEST)
+          exec { 'echo':
+            command => Sensitive.new('#{dir} #{supersecret}'),
+          }
+        MANIFEST
+        expect(@logs).to include(an_object_having_attributes(level: :err, message: /'#{dir}' is a directory, not a file/))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{supersecret}/))
+      end
+
+      it "redacts the arguments if the command isn't executable" do
+        file = tmpfile('exec')
+        Puppet::FileSystem.touch(file)
+        Puppet::FileSystem.chmod(0644, file)
+
+        apply_compiled_manifest(<<-MANIFEST)
+          exec { 'echo':
+            command => Sensitive.new('#{file} #{supersecret}'),
+          }
+        MANIFEST
+        # Execute permission works differently on Windows, but execute will fail since the
+        # file doesn't have a valid extension and isn't a valid executable. The raised error
+        # will be Errno::EIO, which is not useful. The Windows execute code needs to raise
+        # Puppet::Util::Windows::Error so the Win32 error message is preserved.
+        pending("PUP-3561 Needs to raise a meaningful Puppet::Error") if Puppet::Util::Platform.windows?
+        expect(@logs).to include(an_object_having_attributes(level: :err, message: /'#{file}' is not executable/))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{supersecret}/))
+      end
+
+      it "redacts the arguments if the relative command cannot be resolved using the path parameter" do
+        file = File.basename(tmpfile('exec'))
+        dir = tmpdir('exec')
+
+        apply_compiled_manifest(<<-MANIFEST)
+          exec { 'echo':
+            command => Sensitive.new('#{file} #{supersecret}'),
+            path    => "#{dir}",
+          }
+        MANIFEST
+        expect(@logs).to include(an_object_having_attributes(level: :err, message: /Could not find command '#{file}'/))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{supersecret}/))
+      end
+    end
+
+    it "redacts the command on success" do
+      command = echo_from_ruby_exit_0(supersecret)
+
+      apply_compiled_manifest(<<-MANIFEST)
+        exec { 'true':
+          command => Sensitive.new("#{command}"),
+          path    => "#{path}",
+        }
+      MANIFEST
+      expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing '[redacted]'", source: /Exec\[true\]/))
+      expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing: '[redacted]'", source: "Puppet"))
+      expect(@logs).to include(an_object_having_attributes(level: :notice, message: "executed successfully"))
+      expect(@logs).to_not include(an_object_having_attributes(message: /#{supersecret}/))
+    end
+
+    it "redacts the command on failure" do
+      command = echo_from_ruby_exit_1(supersecret)
+
+      apply_compiled_manifest(<<-MANIFEST)
+        exec { 'false':
+          command => Sensitive.new("#{command}"),
+          path    => "#{path}",
+        }
+      MANIFEST
+      expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing '[redacted]'", source: /Exec\[false\]/))
+      expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing: '[redacted]'", source: "Puppet"))
+      expect(@logs).to include(an_object_having_attributes(level: :err, message: "[command redacted] returned 1 instead of one of [0]"))
+      expect(@logs).to_not include(an_object_having_attributes(message: /#{supersecret}/))
+    end
+
+    context "when handling checks" do
+      let(:onlyifsecret) { "onlyifsecret" }
+      let(:unlesssecret) { "unlesssecret" }
+
+      it "redacts command and onlyif outputs" do
+        onlyif = echo_from_ruby_exit_0(onlyifsecret)
+
+        apply_compiled_manifest(<<-MANIFEST)
+          exec { 'true':
+            command => Sensitive.new("#{ruby_exit_0}"),
+            onlyif  => Sensitive.new("#{onlyif}"),
+            path    => "#{path}",
+          }
+        MANIFEST
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing check '[redacted]'"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing '[redacted]'", source: /Exec\[true\]/))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing: '[redacted]'", source: "Puppet"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "[output redacted]"))
+        expect(@logs).to include(an_object_having_attributes(level: :notice, message: "executed successfully"))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{onlyifsecret}/))
+      end
+
+      it "redacts the command that would have been executed but didn't due to onlyif" do
+        command = echo_from_ruby_exit_0(supersecret)
+        onlyif = echo_from_ruby_exit_1(onlyifsecret)
+
+        apply_compiled_manifest(<<-MANIFEST)
+          exec { 'true':
+            command => Sensitive.new("#{command}"),
+            onlyif  => Sensitive.new("#{onlyif}"),
+            path    => "#{path}",
+          }
+        MANIFEST
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing check '[redacted]'"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing: '[redacted]'", source: "Puppet"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "[output redacted]"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "'[command redacted]' won't be executed because of failed check 'onlyif'"))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{supersecret}/))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{onlyifsecret}/))
+      end
+
+      it "redacts command and unless outputs" do
+        unlesscmd = echo_from_ruby_exit_1(unlesssecret)
+
+        apply_compiled_manifest(<<-MANIFEST)
+          exec { 'true':
+            command => Sensitive.new("#{ruby_exit_0}"),
+            unless  => Sensitive.new("#{unlesscmd}"),
+            path    => "#{path}",
+          }
+        MANIFEST
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing check '[redacted]'"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing '[redacted]'", source: /Exec\[true\]/))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing: '[redacted]'", source: "Puppet"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "[output redacted]"))
+        expect(@logs).to include(an_object_having_attributes(level: :notice, message: "executed successfully"))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{unlesssecret}/))
+      end
+
+      it "redacts the command that would have been executed but didn't due to unless" do
+        command = echo_from_ruby_exit_0(supersecret)
+        unlesscmd = echo_from_ruby_exit_0(unlesssecret)
+
+        apply_compiled_manifest(<<-MANIFEST)
+          exec { 'true':
+            command => Sensitive.new("#{command}"),
+            unless  => Sensitive.new("#{unlesscmd}"),
+            path    => "#{path}",
+          }
+        MANIFEST
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing check '[redacted]'"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing: '[redacted]'", source: "Puppet"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "[output redacted]"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "'[command redacted]' won't be executed because of failed check 'unless'"))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{supersecret}/))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{unlesssecret}/))
+      end
+    end
+  end
 end

data/spec/unit/provider/package/dnfmodule_spec.rb

@@ -0,0 +1,186 @@
+require 'spec_helper'
+
+describe Puppet::Type.type(:package).provider(:dnfmodule) do
+  include PuppetSpec::Fixtures
+
+  let(:dnf_version) do
+    <<-DNF_OUTPUT
+    4.0.9
+      Installed: dnf-0:4.0.9.2-5.el8.noarch at Wed 29 May 2019 07:05:05 AM GMT
+      Built    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> at Thu 14 Feb 2019 12:04:07 PM GMT
+
+      Installed: rpm-0:4.14.2-9.el8.x86_64 at Wed 29 May 2019 07:04:33 AM GMT
+      Built    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> at Thu 20 Dec 2018 01:30:03 PM GMT
+    DNF_OUTPUT
+  end
+
+  let(:execute_options) do
+    {:failonfail => true, :combine => true, :custom_environment => {}}
+  end
+
+  let(:packages) { File.read(my_fixture("dnf-module-list-installed.txt")) }
+  let(:dnf_path) { '/usr/bin/dnf' }
+
+  before(:each) { allow(Puppet::Util).to receive(:which).with('/usr/bin/dnf').and_return(dnf_path) }
+
+  it "should have lower specificity" do
+    allow(Facter).to receive(:value).with(:osfamily).and_return(:redhat)
+    allow(Facter).to receive(:value).with(:operatingsystem).and_return(:redhat)
+    allow(Facter).to receive(:value).with(:operatingsystemmajrelease).and_return('8')
+    expect(described_class.specificity).to be < 200
+  end
+
+  describe "should be an opt-in provider" do
+    Array(4..8).each do |ver|
+      it "should not be default for redhat #{ver}" do
+        allow(Facter).to receive(:value).with(:operatingsystem).and_return('redhat')
+        allow(Facter).to receive(:value).with(:osfamily).and_return('redhat')
+        allow(Facter).to receive(:value).with(:operatingsystemmajrelease).and_return(ver.to_s)
+        expect(described_class).not_to be_default
+      end
+    end
+  end
+
+  describe "handling dnf versions" do
+    before(:each) do
+      expect(Puppet::Type::Package::ProviderDnfmodule).to receive(:execute)
+          .with(["/usr/bin/dnf", "--version"])
+          .and_return(dnf_version).at_most(:once)
+      expect(Puppet::Util::Execution).to receive(:execute)
+          .with(["/usr/bin/dnf", "--version"], execute_options)
+          .and_return(Puppet::Util::Execution::ProcessOutput.new(dnf_version, 0))
+    end
+
+    describe "with a supported dnf version" do
+      it "correctly parses the version" do
+        expect(described_class.current_version).to eq('4.0.9')
+      end
+    end
+
+    describe "with an unsupported dnf version" do
+      let(:dnf_version) do
+        <<-DNF_OUTPUT
+        2.7.5
+          Installed: dnf-0:2.7.5-12.fc28.noarch at Mon 13 Aug 2018 11:05:27 PM GMT
+          Built    : Fedora Project at Wed 18 Apr 2018 02:29:51 PM GMT
+
+          Installed: rpm-0:4.14.1-7.fc28.x86_64 at Mon 13 Aug 2018 11:05:25 PM GMT
+          Built    : Fedora Project at Mon 19 Feb 2018 09:29:01 AM GMT
+        DNF_OUTPUT
+      end
+
+      before(:each) { described_class.instance_variable_set("@current_version", nil) }
+
+      it "correctly parses the version" do
+        expect(described_class.current_version).to eq('2.7.5')
+      end
+
+      it "raises an error when attempting prefetch" do
+        expect { described_class.prefetch('anything') }.to raise_error(Puppet::Error, "Modules are not supported on DNF versions lower than 3.0.1")
+      end
+    end
+  end
+
+  describe "when installing a module" do
+    let(:name) { 'baz' }
+
+    let(:resource) do
+      Puppet::Type.type(:package).new(
+        :name => name,
+        :provider => 'dnfmodule',
+      )
+    end
+
+    let(:provider) do
+      provider = described_class.new
+      provider.resource = resource
+      provider
+    end
+
+    describe 'provider features' do
+      it { is_expected.to be_versionable }
+      it { is_expected.to be_installable }
+      it { is_expected.to be_uninstallable }
+    end
+
+    context "when installing a new module" do
+      before do
+        provider.instance_variable_get('@property_hash')[:ensure] = :absent
+      end
+
+      it "should not reset the module stream when package is absent" do
+        resource[:ensure] = :present
+        expect(provider).not_to receive(:uninstall)
+        expect(provider).to receive(:execute)
+        provider.install
+      end
+
+      it "should not reset the module stream when package is purged" do
+        provider.instance_variable_get('@property_hash')[:ensure] = :purged
+        resource[:ensure] = :present
+        expect(provider).not_to receive(:uninstall)
+        expect(provider).to receive(:execute)
+        provider.install
+      end
+
+      it "should install the default stream and flavor" do
+        resource[:ensure] = :present
+        expect(provider).to receive(:execute).with(array_including('baz'))
+        provider.install
+      end
+
+      it "should install a specific stream" do
+        resource[:ensure] = '9.6'
+        expect(provider).to receive(:execute).with(array_including('baz:9.6'))
+        provider.install
+      end
+
+      it "should install a specific flavor" do
+        resource[:ensure] = :present
+        resource[:flavor] = 'minimal'
+        expect(provider).to receive(:execute).with(array_including('baz/minimal'))
+        provider.install
+      end
+
+      it "should install a specific flavor and stream" do
+        resource[:ensure] = '9.6'
+        resource[:flavor] = 'minimal'
+        expect(provider).to receive(:execute).with(array_including('baz:9.6/minimal'))
+        provider.install
+      end
+    end
+
+    context "when ensuring a specific version on top of another stream" do
+      before do
+        provider.instance_variable_get('@property_hash')[:ensure] = '9.6'
+      end
+
+      it "should remove existing packages and reset the module stream before installing" do
+        resource[:ensure] = '10'
+        expect(provider).to receive(:execute).thrice.with(array_including(/remove|reset|install/))
+        provider.install
+      end
+    end
+  end
+
+  context "parsing the output of module list --installed" do
+    before { allow(described_class).to receive(:command).with(:dnf).and_return(dnf_path) }
+
+    it "returns an array of installed modules" do
+      allow(Puppet::Util::Execution).to receive(:execute)
+        .with("/usr/bin/dnf module list --installed -d 0 -e 1")
+        .and_return(packages)
+
+      installed_packages = described_class.instances.map { |package| package.properties }
+      expected_packages = [{name: "gimp", ensure: "2.8", flavor: "devel", :provider => :dnfmodule},
+                           {name: "mariadb", ensure: "10.3", flavor: "client", :provider => :dnfmodule},
+                           {name: "nodejs", ensure: "10", flavor: "minimal", :provider => :dnfmodule},
+                           {name: "perl", ensure: "5.26", flavor: "minimal", :provider => :dnfmodule},
+                           {name: "postgresql", ensure: "10", flavor: "server", :provider => :dnfmodule},
+                           {name: "rust-toolset", ensure: "rhel8", flavor: "common", :provider => :dnfmodule},
+                           {name: "subversion", ensure: "1.10", flavor: "server", :provider => :dnfmodule}]
+
+      expect(installed_packages).to eql(expected_packages)
+    end
+  end
+end