puppet 5.5.6 → 5.5.7

data/man/man8/puppet.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET" "8" "August 2018" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET" "8" "October 2018" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\fR
@@ -16,4 +16,4 @@ Available subcommands:
 agent The puppet agent daemon apply Apply Puppet manifests locally ca Local Puppet Certificate Authority management\. (Deprecated) catalog Compile, save, view, and convert catalogs\. cert Manage certificates and requests (Deprecated) certificate Provide access to the CA for certificate management\. (Deprecated) certificate_request Manage certificate requests\. (Deprecated) certificate_revocation_list Manage the list of revoked certificates\. (Deprecated) config Interact with Puppet\'s settings\. describe Display help about resource types device Manage remote network devices doc Generate Puppet references epp Interact directly with the EPP template parser/renderer\. facts Retrieve and store facts\. filebucket Store and retrieve files in a filebucket generate Generates Puppet code from Ruby definitions\. help Display Puppet help\. key Create, save, and remove certificate keys\. (Deprecated) lookup Interactive Hiera lookup man Display Puppet manual pages\. (Deprecated) master The puppet master daemon module Creates, installs and searches for modules on the Puppet Forge\. node View and manage node definitions\. parser Interact directly with the parser\. plugin Interact with the Puppet plugin system\. report Create, display, and submit reports\. resource The resource abstraction layer shell script Run a puppet manifests as a script without compiling a catalog status View puppet server status\. (Deprecated)
 .
 .P
-See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v5\.5\.6
+See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v5\.5\.7

data/spec/fixtures/unit/provider/aix_object/aix_colon_list_real_world_input.out

@@ -0,0 +1 @@
+root:0:system:system,bin,sys,security,cron,audit,lp:/:/usr/bin/ksh:root:general:true:false:false:true:true:system:nosak:ALL:0:SYSTEM:NONE:22:files:compat:0:0:false:0:0:-1:0:0:0:0:0:0:0:8:0:0:0:-1:-1:-1:-1:-1:-1:-1:1527849270:1533085305:ssh:ssh:fd8c#!:215d#!:178e#!:12#!:290#!:fa72#!:fab2#!:882:10.10.28.247:147:This is some comment I added

data/spec/fixtures/unit/provider/aix_object/aix_colon_list_real_world_output.out

@@ -0,0 +1 @@
+["root", "0", "system", "system,bin,sys,security,cron,audit,lp", "/", "/usr/bin/ksh", "root", "general", "true", "false", "false", "true", "true", "system", "nosak", "ALL", "0", "SYSTEM", "NONE", "22", "files", "compat", "0", "0", "false", "0", "0", "-1", "0", "0", "0", "0", "0", "0", "0", "8", "0", "0", "0", "-1", "-1", "-1", "-1", "-1", "-1", "-1", "1527849270", "1533085305", "ssh", "ssh", "fd8c:215d:178e:12:290:fa72:fab2:882", "10.10.28.247", "147", "This is some comment I added"]

data/spec/fixtures/unit/provider/user/aix/aix_passwd_file.out

@@ -0,0 +1,32 @@
+
+test_aix_user:
+        password = some_password
+        lastupdate = last_update
+
+no_password_user:
+        lastupdate = another_last_update
+
+daemon:
+        password = *
+
+bin:
+        password = *
+
+sys:
+        password = *
+
+adm:
+        password = *
+
+uucp:
+        password = *
+
+guest:
+        password = *
+
+nobody:
+        password = *
+
+lpd:
+        password = *
+

data/spec/integration/parser/collection_spec.rb

@@ -12,6 +12,10 @@ describe 'collectors' do
     expect(messages).to include(*expected_messages)
   end
 
+  def warnings
+    @logs.select { |log| log.level == :warning }.map { |log| log.message }
+  end
+  
   context "virtual resource collection" do
     it "matches everything when no query given" do
       expect_the_message_to_be(["the other message", "the message"], <<-MANIFEST)
@@ -313,8 +317,6 @@ describe 'collectors' do
       end
 
       context 'when overriding an already evaluated resource' do
-        let(:logs) { [] }
-        let(:warnings) { logs.select { |log| log.level == :warning }.map { |log| log.message } }
         let(:manifest) { <<-MANIFEST }
           define foo($message) {
             notify { "testing": message => $message }
@@ -326,12 +328,6 @@ describe 'collectors' do
           delayed {'do it now': }
         MANIFEST
 
-        around(:each) do |example|
-          Puppet::Util::Log.with_destination(Puppet::Test::LogCollector.new(logs)) do
-            example.run
-          end
-        end
-
         it 'and --strict=off, it silently skips the override' do
           Puppet[:strict] = :off
           expect_the_message_to_be(['given'], manifest)

data/spec/integration/provider/service/windows_spec.rb

@@ -10,17 +10,17 @@ describe Puppet::Type.type(:service).provider(:windows), '(integration)',
     Puppet::Type.type(:service).stubs(:defaultprovider).returns described_class
   end
 
-  context 'should fail querying services that do not exist' do
+  context 'should return valid values when querying a service that does not exist' do
     let(:service) do
       Puppet::Type.type(:service).new(:name => 'foobarservice1234')
     end
 
-    it "with a Puppet::Error when querying enabled?" do
-      expect { service.provider.enabled? }.to raise_error(Puppet::Error)
+    it "with :false when asked if enabled" do
+      expect(service.provider.enabled?).to eql(:false)
     end
 
-    it "with a Puppet::Error when querying status" do
-      expect { service.provider.status }.to raise_error(Puppet::Error)
+    it "with :stopped when asked about status" do
+      expect(service.provider.status).to eql(:stopped)
     end
   end
 

data/spec/integration/type/file_spec.rb

@@ -579,7 +579,7 @@ describe Puppet::Type.type(:file), :uses_checksums => true do
         if Puppet::Util::Platform.windows? && ['sha512', 'sha384'].include?(example.metadata[:digest_algorithm])
           skip "PUP-8257: Skip file bucket test on windows for #{example.metadata[:digest_algorithm]} due to long path names"
         end
-        
+
         bucket = Puppet::Type.type(:filebucket).new :path => tmpfile("filebucket"), :name => "mybucket"
         file = described_class.new({:path => tmpfile("bucket_backs"), :backup => "mybucket", :content => "foo", :force => true}.merge(resource_options))
         catalog.add_resource file
@@ -1283,7 +1283,7 @@ describe Puppet::Type.type(:file), :uses_checksums => true do
   describe "when sourcing" do
     it "should give a deprecation warning when the user sets source_permissions" do
       Puppet.expects(:puppet_deprecation_warning).with(
-        'The `source_permissions` parameter is deprecated. Explicitly set `owner`, `group`, and `mode`.', 
+        'The `source_permissions` parameter is deprecated. Explicitly set `owner`, `group`, and `mode`.',
         {:file => 'my/file.pp', :line => 5})
 
       catalog.add_resource described_class.new(:path => path, :content => 'this is content', :source_permissions => :use_when_creating)
@@ -1525,12 +1525,12 @@ describe Puppet::Type.type(:file), :uses_checksums => true do
               catalog.apply
             end
 
-            it "should allow the user to explicitly set the mode to 4" do
+            it "should not allow the user to explicitly set the mode to 4 ,and correct to 7" do
               system_aces = get_aces_for_path_by_sid(path, @sids[:system])
               expect(system_aces).not_to be_empty
 
               system_aces.each do |ace|
-                expect(ace.mask).to eq(Puppet::Util::Windows::File::FILE_GENERIC_READ)
+                expect(ace.mask).to eq(Puppet::Util::Windows::File::FILE_ALL_ACCESS)
               end
             end
 
@@ -1612,13 +1612,13 @@ describe Puppet::Type.type(:file), :uses_checksums => true do
                 catalog.apply
               end
 
-              it "should allow the user to explicitly set the mode to 4" do
+              it "should not allow the user to explicitly set the mode to 4, and correct to 7" do
                 system_aces = get_aces_for_path_by_sid(dir, @sids[:system])
                 expect(system_aces).not_to be_empty
 
                 system_aces.each do |ace|
                   # unlike files, Puppet sets execute bit on directories that are readable
-                  expect(ace.mask).to eq(Puppet::Util::Windows::File::FILE_GENERIC_READ | Puppet::Util::Windows::File::FILE_GENERIC_EXECUTE)
+                  expect(ace.mask).to eq(Puppet::Util::Windows::File::FILE_ALL_ACCESS)
                 end
               end
 

data/spec/integration/util/windows/adsi_spec.rb

@@ -13,7 +13,7 @@ describe Puppet::Util::Windows::ADSI::User,
       #     HRESULT error code:0x800708ad
       #           The user name could not be found.
       # Matching on error code alone is sufficient
-      expect { system.native_user }.to raise_error(/0x800708ad/)
+      expect { system.native_object }.to raise_error(/0x800708ad/)
     end
   end
 
@@ -118,7 +118,8 @@ describe Puppet::Util::Windows::ADSI::Group,
         # create a test group and add above 5 members by SID
         group = described_class.create(temp_groupname)
         group.commit()
-        group.set_members(users.map { |u| u[:sid]} )
+        members = users.map { |u| u[:sid] }
+        group.set_members(members.join(','))
 
         # most importantly make sure that all name are convertible to SIDs
         expect { described_class.name_sid_hash(group.members) }.to_not raise_error
@@ -152,9 +153,9 @@ describe Puppet::Util::Windows::ADSI::Group,
       admins_name = Puppet::Util::Windows::SID.sid_to_name('S-1-5-32-544')
       admins = Puppet::Util::Windows::ADSI::Group.new(admins_name)
 
-      # touch the native_group member to have it lazily loaded, so COM objects can be stubbed
-      admins.native_group
-      admins.native_group.stubs(:Members).returns(members)
+      # touch the native_object member to have it lazily loaded, so COM objects can be stubbed
+      admins.native_object
+      admins.native_object.stubs(:Members).returns(members)
 
       # well-known NULL SID
       expect(admins.members[0].sid).to eq('S-1-0-0')

data/spec/integration/util/windows/security_spec.rb

@@ -285,10 +285,11 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
                     # access mask, and back to mode without loss of information
                     # (provided the owner and group are not the same)
                     next if ((u & g) != g) or ((g & o) != o)
-
-                    mode = (s << 9 | u << 6 | g << 3 | o << 0)
-                    winsec.set_mode(mode, path)
-                    expect(winsec.get_mode(path).to_s(8)).to eq(mode.to_s(8))
+                    applied_mode  = (s << 9 | u << 6 | g << 3 | o << 0)
+                    # SYSTEM must always be Full Control (7)
+                    expected_mode = (s << 9 | u << 6 | 7 << 3 | o << 0)
+                    winsec.set_mode(applied_mode, path)
+                    expect(winsec.get_mode(path).to_s(8)).to eq(expected_mode.to_s(8))
                   end
                 end
               end
@@ -634,9 +635,11 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win
                   # access mask, and back to mode without loss of information
                   # (provided the owner and group are the same)
                   next if ((ug & o) != o)
-                  mode = (s << 9 | ug << 6 | ug << 3 | o << 0)
-                  winsec.set_mode(mode, path)
-                  expect(winsec.get_mode(path).to_s(8)).to eq(mode.to_s(8))
+                  applied_mode  = (s << 9 | ug << 6 | ug << 3 | o << 0)
+                  # SYSTEM must always be Full Control (7)
+                  expected_mode = (s << 9 | 7 << 6 | 7 << 3 | o << 0)
+                  winsec.set_mode(applied_mode, path)
+                  expect(winsec.get_mode(path).to_s(8)).to eq(expected_mode.to_s(8))
                 end
               end
             end

data/spec/integration/util/windows/user_spec.rb

@@ -6,54 +6,74 @@ describe "Puppet::Util::Windows::User", :if => Puppet.features.microsoft_windows
   describe "2003 without UAC" do
     before :each do
       Puppet::Util::Windows::Process.stubs(:windows_major_version).returns(5)
+      Puppet::Util::Windows::Process.stubs(:supports_elevated_security?).returns(false)
     end
 
     it "should be an admin if user's token contains the Administrators SID" do
       Puppet::Util::Windows::User.expects(:check_token_membership).returns(true)
-      Puppet::Util::Windows::Process.expects(:elevated_security?).never
 
       expect(Puppet::Util::Windows::User).to be_admin
     end
 
     it "should not be an admin if user's token doesn't contain the Administrators SID" do
       Puppet::Util::Windows::User.expects(:check_token_membership).returns(false)
-      Puppet::Util::Windows::Process.expects(:elevated_security?).never
 
       expect(Puppet::Util::Windows::User).not_to be_admin
     end
 
     it "should raise an exception if we can't check token membership" do
       Puppet::Util::Windows::User.expects(:check_token_membership).raises(Puppet::Util::Windows::Error, "Access denied.")
-      Puppet::Util::Windows::Process.expects(:elevated_security?).never
 
       expect { Puppet::Util::Windows::User.admin? }.to raise_error(Puppet::Util::Windows::Error, /Access denied./)
     end
   end
 
-  describe "2008 with UAC" do
+  context "2008 with UAC" do
     before :each do
       Puppet::Util::Windows::Process.stubs(:windows_major_version).returns(6)
+      Puppet::Util::Windows::Process.stubs(:supports_elevated_security?).returns(true)
     end
 
-    it "should be an admin if user is running with elevated privileges" do
-      Puppet::Util::Windows::Process.stubs(:elevated_security?).returns(true)
-      Puppet::Util::Windows::User.expects(:check_token_membership).never
+    describe "in local administrators group" do
+      before :each do
+        Puppet::Util::Windows::User.stubs(:check_token_membership).returns(true)
+      end
 
-      expect(Puppet::Util::Windows::User).to be_admin
-    end
+      it "should be an admin if user is running with elevated privileges" do
+        Puppet::Util::Windows::Process.stubs(:elevated_security?).returns(true)
 
-    it "should not be an admin if user is not running with elevated privileges" do
-      Puppet::Util::Windows::Process.stubs(:elevated_security?).returns(false)
-      Puppet::Util::Windows::User.expects(:check_token_membership).never
+        expect(Puppet::Util::Windows::User).to be_admin
+      end
 
-      expect(Puppet::Util::Windows::User).not_to be_admin
+      it "should not be an admin if user is not running with elevated privileges" do
+        Puppet::Util::Windows::Process.stubs(:elevated_security?).returns(false)
+
+        expect(Puppet::Util::Windows::User).not_to be_admin
+      end
+
+      it "should raise an exception if the process fails to open the process token" do
+        Puppet::Util::Windows::Process.stubs(:elevated_security?).raises(Puppet::Util::Windows::Error, "Access denied.")
+
+        expect { Puppet::Util::Windows::User.admin? }.to raise_error(Puppet::Util::Windows::Error, /Access denied./)
+      end
     end
 
-    it "should raise an exception if the process fails to open the process token" do
-      Puppet::Util::Windows::Process.stubs(:elevated_security?).raises(Puppet::Util::Windows::Error, "Access denied.")
-      Puppet::Util::Windows::User.expects(:check_token_membership).never
+    describe "not in local administrators group" do
+      before :each do
+        Puppet::Util::Windows::User.stubs(:check_token_membership).returns(false)
+      end
+
+      it "should not be an admin if user is running with elevated privileges" do
+        Puppet::Util::Windows::Process.stubs(:elevated_security?).returns(true)
 
-      expect { Puppet::Util::Windows::User.admin? }.to raise_error(Puppet::Util::Windows::Error, /Access denied./)
+        expect(Puppet::Util::Windows::User).not_to be_admin
+      end
+
+      it "should not be an admin if user is not running with elevated privileges" do
+        Puppet::Util::Windows::Process.stubs(:elevated_security?).returns(false)
+
+        expect(Puppet::Util::Windows::User).not_to be_admin
+      end
     end
   end
 

data/spec/spec_helper.rb

@@ -117,7 +117,6 @@ RSpec.configure do |config|
     # I suck for letting this float. --daniel 2011-04-21
     Signal.stubs(:trap)
 
-
     # TODO: in a more sane world, we'd move this logging redirection into our TestHelper class.
     #  Without doing so, external projects will all have to roll their own solution for
     #  redirecting logging, and for validating expected log messages.  However, because the

data/spec/unit/application/apply_spec.rb

@@ -7,6 +7,8 @@ require 'puppet/configurer'
 require 'fileutils'
 
 describe Puppet::Application::Apply do
+  include PuppetSpec::Files
+
   before :each do
     @apply = Puppet::Application[:apply]
     Puppet::Util::Log.stubs(:newdestination)
@@ -91,6 +93,13 @@ describe Puppet::Application::Apply do
       @apply.setup
     end
 
+    it "sets the log destination if logdest is provided via settings" do
+      Puppet::Log.expects(:newdestination).with("set_via_config")
+      Puppet[:logdest] = "set_via_config"
+
+      @apply.setup
+    end
+
     it "should set INT trap" do
       Signal.expects(:trap).with(:INT)
 
@@ -172,8 +181,6 @@ describe Puppet::Application::Apply do
     end
 
     describe "the main command" do
-      include PuppetSpec::Files
-
       before :each do
         Puppet[:prerun_command] = ''
         Puppet[:postrun_command] = ''
@@ -477,6 +484,38 @@ describe Puppet::Application::Apply do
     end
   end
 
+  describe "when really executing" do
+    let(:testfile) { tmpfile('secret_file_name') }
+    let(:resourcefile) { tmpfile('resourcefile') }
+    let(:classfile) { tmpfile('classfile') }
+
+    it "should not expose sensitive data in the relationship file" do
+      @apply.options[:code] = <<-CODE
+        $secret = Sensitive('cat #{testfile}')
+
+        exec { 'do it':
+          command => $secret,
+          path    => '/bin/'
+        }
+      CODE
+
+      @apply.options[:write_catalog_summary] = true
+
+      Puppet.settings[:resourcefile] = resourcefile
+      Puppet.settings[:classfile] = classfile
+
+      #We don't actually need the resource to do anything, we are using it's properties in other parts of the workflow.
+      Puppet::Util::Execution.stubs(:execute)
+
+      expect { @apply.main }.to exit_with 0
+
+      result = File.read(resourcefile)
+
+      expect(result).not_to match(/secret_file_name/)
+      expect(result).to match(/do it/)
+    end
+  end
+
   describe "apply_catalog" do
     it "should call the configurer with the catalog" do
       catalog = "I am a catalog"

data/spec/unit/application/master_spec.rb

@@ -155,6 +155,13 @@ describe Puppet::Application::Master, :unless => Puppet.features.microsoft_windo
           @master.setup
         end
       end
+
+      it "sets the log destination using settings" do
+        Puppet::Util::Log.expects(:newdestination).with("set_via_config")
+        Puppet[:logdest] = "set_via_config"
+
+        @master.setup
+      end
     end
 
     it "should print puppet config if asked to in Puppet config" do

data/spec/unit/application_spec.rb

@@ -398,7 +398,6 @@ describe Puppet::Application do
   end
 
   describe "when calling default setup" do
-
     before :each do
       @app.options.stubs(:[])
     end
@@ -419,6 +418,14 @@ describe Puppet::Application do
 
       @app.setup
     end
+  
+    it "sets the log destination if provided via settings" do
+      @app.options.unstub(:[])
+      Puppet[:logdest] = "set_via_config"
+      Puppet::Util::Log.expects(:newdestination).with("set_via_config")
+
+      @app.setup
+    end
 
     it "does not downgrade the loglevel when --verbose is specified" do
       Puppet[:log_level] = :debug
@@ -628,7 +635,6 @@ describe Puppet::Application do
   end
 
   describe "#handle_logdest_arg" do
-
     let(:test_arg) { "arg_test_logdest" }
 
     it "should log an exception that is raised" do
@@ -648,6 +654,18 @@ describe Puppet::Application do
       @app.handle_logdest_arg(test_arg)
       expect(@app.options[:setdest]).to be_truthy
     end
-  end
 
+    it "does not set the log destination if setdest is true" do
+      Puppet::Util::Log.expects(:newdestination).never
+      @app.options[:setdest] = true
+
+      @app.handle_logdest_arg(test_arg)
+    end
+
+    it "does not set the log destination if arg is nil" do
+      Puppet::Util::Log.expects(:newdestination).never
+
+      @app.handle_logdest_arg(nil)
+    end
+  end
 end