puppet 6.10.1 → 6.11.0

data/spec/unit/network/http/site_spec.rb

@@ -86,4 +86,11 @@ describe Puppet::Network::HTTP::Site do
     expect(new_site.host).to eq('host2')
     expect(new_site.port).to eq(443)
   end
+
+  it 'creates a site from a URI' do
+    site = create_site('https', 'rubygems.org', 443)
+    uri = URI.parse('https://rubygems.org/gems/puppet/')
+
+    expect(described_class.from_uri(uri)).to eq(site)
+  end
 end

data/spec/unit/parser/scope_spec.rb

@@ -680,5 +680,15 @@ describe Puppet::Parser::Scope do
       @scope.setvar("orange", :undef)
       expect(@scope.to_hash).to eq({'pear' => :green, 'apple' => :red })
     end
+
+    it "should not delete values that are :undef in inner scope when include_undef is true" do
+      @scope.new_ephemeral true
+      @scope.setvar("orange", :tangerine)
+      @scope.setvar("pear", :green)
+      @scope.new_ephemeral true
+      @scope.setvar("apple", :red)
+      @scope.setvar("orange", :undef)
+      expect(@scope.to_hash(true, true)).to eq({'pear' => :green, 'apple' => :red, 'orange' => :undef })
+    end
   end
 end

data/spec/unit/pops/loaders/loaders_spec.rb

@@ -52,6 +52,10 @@ describe 'loaders' do
 
   # Loaders caches the puppet_system_loader, must reset between tests
 
+  before :each do
+    allow(File).to receive(:read).and_call_original
+  end
+
   context 'when loading pp resource types using auto loading' do
     let(:pp_resources) { config_dir('pp_resources') }
     let(:environments) { Puppet::Environments::Directories.new(my_fixture_dir, []) }
@@ -100,6 +104,11 @@ describe 'loaders' do
     expect(loaders.puppet_cache_loader()).to be_a(Puppet::Pops::Loader::ModuleLoaders::LibRootedFileBased)
   end
 
+  it 'creates a cached_puppet loader that can load version 4 functions, version 3 functions, and data types, in that order' do
+    loaders = Puppet::Pops::Loaders.new(empty_test_env, true)
+    expect(loaders.puppet_cache_loader.loadables).to eq([:func_4x, :func_3x, :datatype])
+  end
+
   it 'does not create a cached_puppet loader when for_agent is the default false value' do
     loaders = Puppet::Pops::Loaders.new(empty_test_env)
     expect(loaders.puppet_cache_loader()).to be(nil)
@@ -450,7 +459,9 @@ describe 'loaders' do
     end
 
     it "a function with syntax error has helpful error message" do
-      expect { loader.load_typed(typed_name(:function, 'func_with_syntax_error')) }.to raise_error(/syntax error, unexpected keyword_end/)
+      expect {
+        loader.load_typed(typed_name(:function, 'func_with_syntax_error'))
+      }.to raise_error(/syntax error, unexpected (keyword_)?end/)
     end
   end
 
@@ -487,7 +498,7 @@ describe 'loaders' do
     end
 
     it "to self inside function body is reported as an error" do
-      expect { 
+      expect {
         f = loader.load_typed(typed_name(:function, 'bad_func_load4')).value
         f.call(scope)
       }.to raise_error(/Illegal method definition.*'bad_func_load4_illegal_method'/)

data/spec/unit/pops/loaders/module_loaders_spec.rb

@@ -163,6 +163,43 @@ describe 'FileBased module loader' do
       expect(module_loader.load_typed(typed_name(:task, 'testmodule::baz'))).not_to be_nil
       expect { module_loader.load_typed(typed_name(:task, 'testmodule::qux')) }.to raise_error(/No source besides task metadata was found/)
     end
+
+    it 'raises and error when `parameters` is not a hash' do
+      metadata = { 'parameters' => 'foo' }
+      module_dir = dir_containing('testmodule', 'tasks' => {'foo.py' => '', 'foo.json' => metadata.to_json})
+
+      module_loader = Puppet::Pops::Loader::ModuleLoaders.module_loader_from(static_loader, loaders, 'testmodule', module_dir)
+      expect{module_loader.load_typed(typed_name(:task, 'testmodule::foo'))}
+        .to raise_error(Puppet::ParseError, /Failed to load metadata for task testmodule::foo: 'parameters' must be a hash/)
+    end
+
+    it 'raises and error when `implementations` `requirements` key is not an array' do
+      metadata = { 'implementations' => { 'name' => 'foo.py', 'requirements' => 'foo'} }
+      module_dir = dir_containing('testmodule', 'tasks' => {'foo.py' => '', 'foo.json' => metadata.to_json})
+
+      module_loader = Puppet::Pops::Loader::ModuleLoaders.module_loader_from(static_loader, loaders, 'testmodule', module_dir)
+      expect{module_loader.load_typed(typed_name(:task, 'testmodule::foo'))}
+        .to raise_error(Puppet::Module::Task::InvalidMetadata,
+        /Task metadata for task testmodule::foo does not specify implementations as an array/)
+    end
+
+    it 'raises and error when top-level `files` is not an array' do
+      metadata = { 'files' => 'foo' }
+      module_dir = dir_containing('testmodule', 'tasks' => {'foo.py' => '', 'foo.json' => metadata.to_json})
+
+      module_loader = Puppet::Pops::Loader::ModuleLoaders.module_loader_from(static_loader, loaders, 'testmodule', module_dir)
+      expect{module_loader.load_typed(typed_name(:task, 'testmodule::foo'))}
+        .to raise_error(Puppet::Module::Task::InvalidMetadata, /The 'files' task metadata expects an array, got foo/)
+    end
+
+    it 'raises and error when `files` nested in `interpreters` is not an array' do
+      metadata = { 'implementations' => [{'name' => 'foo.py', 'files' => 'foo'}] }
+      module_dir = dir_containing('testmodule', 'tasks' => {'foo.py' => '', 'foo.json' => metadata.to_json})
+
+      module_loader = Puppet::Pops::Loader::ModuleLoaders.module_loader_from(static_loader, loaders, 'testmodule', module_dir)
+      expect{module_loader.load_typed(typed_name(:task, 'testmodule::foo'))}
+        .to raise_error(Puppet::Module::Task::InvalidMetadata, /The 'files' task metadata expects an array, got foo/)
+    end
   end
 
   def typed_name(type, name)

data/spec/unit/provider/exec_spec.rb

@@ -1,7 +1,12 @@
 require 'spec_helper'
 require 'puppet/provider/exec'
+require 'puppet_spec/compiler'
+require 'puppet_spec/files'
 
 describe Puppet::Provider::Exec do
+  include PuppetSpec::Compiler
+  include PuppetSpec::Files
+
   describe "#extractexe" do
     it "should return the first element of an array" do
       expect(subject.extractexe(['one', 'two'])).to eq('one')
@@ -31,4 +36,208 @@ describe Puppet::Provider::Exec do
       end
     end
   end
+
+  context "when handling sensitive data" do
+    before :each do
+      Puppet[:log_level] = 'debug'
+    end
+
+    let(:supersecret) { 'supersecret' }
+    let(:path) do
+      if Puppet::Util::Platform.windows?
+        # The `apply_compiled_manifest` helper doesn't add the `path` fact, so
+        # we can't reference that in our manifest. Windows PATHs can contain
+        # double quotes and trailing backslashes, which confuse HEREDOC
+        # interpolation below. So sanitize it:
+        ENV['PATH'].split(File::PATH_SEPARATOR).map do |dir|
+          dir.gsub(/"/, '\"').gsub(/\\$/, '')
+        end.join(File::PATH_SEPARATOR)
+      else
+        ENV['PATH']
+      end
+    end
+
+    def ruby_exit_0
+      "ruby -e 'exit 0'"
+    end
+
+    def echo_from_ruby_exit_0(message)
+      # Escape double quotes due to HEREDOC interpolation below
+      "ruby -e 'puts \"#{message}\"; exit 0'".gsub(/"/, '\"')
+    end
+
+    def echo_from_ruby_exit_1(message)
+      # Escape double quotes due to HEREDOC interpolation below
+      "ruby -e 'puts \"#{message}\"; exit 1'".gsub(/"/, '\"')
+    end
+
+    context "when validating the command" do
+      it "redacts the arguments if the command is relative" do
+        expect {
+          apply_compiled_manifest(<<-MANIFEST)
+            exec { 'echo':
+              command => Sensitive.new('echo #{supersecret}')
+            }
+          MANIFEST
+        }.to raise_error do |err|
+          expect(err).to be_a(Puppet::Error)
+          expect(err.message).to match(/'echo' is not qualified and no path was specified. Please qualify the command or specify a path./)
+          expect(err.message).to_not match(/#{supersecret}/)
+        end
+      end
+
+      it "redacts the arguments if the command is a directory" do
+        dir = tmpdir('exec')
+        apply_compiled_manifest(<<-MANIFEST)
+          exec { 'echo':
+            command => Sensitive.new('#{dir} #{supersecret}'),
+          }
+        MANIFEST
+        expect(@logs).to include(an_object_having_attributes(level: :err, message: /'#{dir}' is a directory, not a file/))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{supersecret}/))
+      end
+
+      it "redacts the arguments if the command isn't executable" do
+        file = tmpfile('exec')
+        Puppet::FileSystem.touch(file)
+        Puppet::FileSystem.chmod(0644, file)
+
+        apply_compiled_manifest(<<-MANIFEST)
+          exec { 'echo':
+            command => Sensitive.new('#{file} #{supersecret}'),
+          }
+        MANIFEST
+        # Execute permission works differently on Windows, but execute will fail since the
+        # file doesn't have a valid extension and isn't a valid executable. The raised error
+        # will be Errno::EIO, which is not useful. The Windows execute code needs to raise
+        # Puppet::Util::Windows::Error so the Win32 error message is preserved.
+        pending("PUP-3561 Needs to raise a meaningful Puppet::Error") if Puppet::Util::Platform.windows?
+        expect(@logs).to include(an_object_having_attributes(level: :err, message: /'#{file}' is not executable/))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{supersecret}/))
+      end
+
+      it "redacts the arguments if the relative command cannot be resolved using the path parameter" do
+        file = File.basename(tmpfile('exec'))
+        dir = tmpdir('exec')
+
+        apply_compiled_manifest(<<-MANIFEST)
+          exec { 'echo':
+            command => Sensitive.new('#{file} #{supersecret}'),
+            path    => "#{dir}",
+          }
+        MANIFEST
+        expect(@logs).to include(an_object_having_attributes(level: :err, message: /Could not find command '#{file}'/))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{supersecret}/))
+      end
+    end
+
+    it "redacts the command on success", unless: Puppet::Util::Platform.jruby? do
+      command = echo_from_ruby_exit_0(supersecret)
+
+      apply_compiled_manifest(<<-MANIFEST)
+        exec { 'true':
+          command => Sensitive.new("#{command}"),
+          path    => "#{path}",
+        }
+      MANIFEST
+      expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing '[redacted]'", source: /Exec\[true\]/))
+      expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing: '[redacted]'", source: "Puppet"))
+      expect(@logs).to include(an_object_having_attributes(level: :notice, message: "executed successfully"))
+      expect(@logs).to_not include(an_object_having_attributes(message: /#{supersecret}/))
+    end
+
+    it "redacts the command on failure", unless: Puppet::Util::Platform.jruby? do
+      command = echo_from_ruby_exit_1(supersecret)
+
+      apply_compiled_manifest(<<-MANIFEST)
+        exec { 'false':
+          command => Sensitive.new("#{command}"),
+          path    => "#{path}",
+        }
+      MANIFEST
+      expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing '[redacted]'", source: /Exec\[false\]/))
+      expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing: '[redacted]'", source: "Puppet"))
+      expect(@logs).to include(an_object_having_attributes(level: :err, message: "[command redacted] returned 1 instead of one of [0]"))
+      expect(@logs).to_not include(an_object_having_attributes(message: /#{supersecret}/))
+    end
+
+    context "when handling checks", unless: Puppet::Util::Platform.jruby? do
+      let(:onlyifsecret) { "onlyifsecret" }
+      let(:unlesssecret) { "unlesssecret" }
+
+      it "redacts command and onlyif outputs" do
+        onlyif = echo_from_ruby_exit_0(onlyifsecret)
+
+        apply_compiled_manifest(<<-MANIFEST)
+          exec { 'true':
+            command => Sensitive.new("#{ruby_exit_0}"),
+            onlyif  => Sensitive.new("#{onlyif}"),
+            path    => "#{path}",
+          }
+        MANIFEST
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing check '[redacted]'"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing '[redacted]'", source: /Exec\[true\]/))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing: '[redacted]'", source: "Puppet"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "[output redacted]"))
+        expect(@logs).to include(an_object_having_attributes(level: :notice, message: "executed successfully"))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{onlyifsecret}/))
+      end
+
+      it "redacts the command that would have been executed but didn't due to onlyif" do
+        command = echo_from_ruby_exit_0(supersecret)
+        onlyif = echo_from_ruby_exit_1(onlyifsecret)
+
+        apply_compiled_manifest(<<-MANIFEST)
+          exec { 'true':
+            command => Sensitive.new("#{command}"),
+            onlyif  => Sensitive.new("#{onlyif}"),
+            path    => "#{path}",
+          }
+        MANIFEST
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing check '[redacted]'"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing: '[redacted]'", source: "Puppet"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "[output redacted]"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "'[command redacted]' won't be executed because of failed check 'onlyif'"))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{supersecret}/))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{onlyifsecret}/))
+      end
+
+      it "redacts command and unless outputs" do
+        unlesscmd = echo_from_ruby_exit_1(unlesssecret)
+
+        apply_compiled_manifest(<<-MANIFEST)
+          exec { 'true':
+            command => Sensitive.new("#{ruby_exit_0}"),
+            unless  => Sensitive.new("#{unlesscmd}"),
+            path    => "#{path}",
+          }
+        MANIFEST
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing check '[redacted]'"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing '[redacted]'", source: /Exec\[true\]/))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing: '[redacted]'", source: "Puppet"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "[output redacted]"))
+        expect(@logs).to include(an_object_having_attributes(level: :notice, message: "executed successfully"))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{unlesssecret}/))
+      end
+
+      it "redacts the command that would have been executed but didn't due to unless" do
+        command = echo_from_ruby_exit_0(supersecret)
+        unlesscmd = echo_from_ruby_exit_0(unlesssecret)
+
+        apply_compiled_manifest(<<-MANIFEST)
+          exec { 'true':
+            command => Sensitive.new("#{command}"),
+            unless  => Sensitive.new("#{unlesscmd}"),
+            path    => "#{path}",
+          }
+        MANIFEST
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing check '[redacted]'"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "Executing: '[redacted]'", source: "Puppet"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "[output redacted]"))
+        expect(@logs).to include(an_object_having_attributes(level: :debug, message: "'[command redacted]' won't be executed because of failed check 'unless'"))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{supersecret}/))
+        expect(@logs).to_not include(an_object_having_attributes(message: /#{unlesssecret}/))
+      end
+    end
+  end
 end

data/spec/unit/provider/package/dnfmodule_spec.rb

@@ -0,0 +1,186 @@
+require 'spec_helper'
+
+describe Puppet::Type.type(:package).provider(:dnfmodule) do
+  include PuppetSpec::Fixtures
+
+  let(:dnf_version) do
+    <<-DNF_OUTPUT
+    4.0.9
+      Installed: dnf-0:4.0.9.2-5.el8.noarch at Wed 29 May 2019 07:05:05 AM GMT
+      Built    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> at Thu 14 Feb 2019 12:04:07 PM GMT
+
+      Installed: rpm-0:4.14.2-9.el8.x86_64 at Wed 29 May 2019 07:04:33 AM GMT
+      Built    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> at Thu 20 Dec 2018 01:30:03 PM GMT
+    DNF_OUTPUT
+  end
+
+  let(:execute_options) do
+    {:failonfail => true, :combine => true, :custom_environment => {}}
+  end
+
+  let(:packages) { File.read(my_fixture("dnf-module-list-installed.txt")) }
+  let(:dnf_path) { '/usr/bin/dnf' }
+
+  before(:each) { allow(Puppet::Util).to receive(:which).with('/usr/bin/dnf').and_return(dnf_path) }
+
+  it "should have lower specificity" do
+    allow(Facter).to receive(:value).with(:osfamily).and_return(:redhat)
+    allow(Facter).to receive(:value).with(:operatingsystem).and_return(:redhat)
+    allow(Facter).to receive(:value).with(:operatingsystemmajrelease).and_return('8')
+    expect(described_class.specificity).to be < 200
+  end
+
+  describe "should be an opt-in provider" do
+    Array(4..8).each do |ver|
+      it "should not be default for redhat #{ver}" do
+        allow(Facter).to receive(:value).with(:operatingsystem).and_return('redhat')
+        allow(Facter).to receive(:value).with(:osfamily).and_return('redhat')
+        allow(Facter).to receive(:value).with(:operatingsystemmajrelease).and_return(ver.to_s)
+        expect(described_class).not_to be_default
+      end
+    end
+  end
+
+  describe "handling dnf versions" do
+    before(:each) do
+      expect(Puppet::Type::Package::ProviderDnfmodule).to receive(:execute)
+          .with(["/usr/bin/dnf", "--version"])
+          .and_return(dnf_version).at_most(:once)
+      expect(Puppet::Util::Execution).to receive(:execute)
+          .with(["/usr/bin/dnf", "--version"], execute_options)
+          .and_return(Puppet::Util::Execution::ProcessOutput.new(dnf_version, 0))
+    end
+
+    describe "with a supported dnf version" do
+      it "correctly parses the version" do
+        expect(described_class.current_version).to eq('4.0.9')
+      end
+    end
+
+    describe "with an unsupported dnf version" do
+      let(:dnf_version) do
+        <<-DNF_OUTPUT
+        2.7.5
+          Installed: dnf-0:2.7.5-12.fc28.noarch at Mon 13 Aug 2018 11:05:27 PM GMT
+          Built    : Fedora Project at Wed 18 Apr 2018 02:29:51 PM GMT
+
+          Installed: rpm-0:4.14.1-7.fc28.x86_64 at Mon 13 Aug 2018 11:05:25 PM GMT
+          Built    : Fedora Project at Mon 19 Feb 2018 09:29:01 AM GMT
+        DNF_OUTPUT
+      end
+
+      before(:each) { described_class.instance_variable_set("@current_version", nil) }
+
+      it "correctly parses the version" do
+        expect(described_class.current_version).to eq('2.7.5')
+      end
+
+      it "raises an error when attempting prefetch" do
+        expect { described_class.prefetch('anything') }.to raise_error(Puppet::Error, "Modules are not supported on DNF versions lower than 3.0.1")
+      end
+    end
+  end
+
+  describe "when installing a module" do
+    let(:name) { 'baz' }
+
+    let(:resource) do
+      Puppet::Type.type(:package).new(
+        :name => name,
+        :provider => 'dnfmodule',
+      )
+    end
+
+    let(:provider) do
+      provider = described_class.new
+      provider.resource = resource
+      provider
+    end
+
+    describe 'provider features' do
+      it { is_expected.to be_versionable }
+      it { is_expected.to be_installable }
+      it { is_expected.to be_uninstallable }
+    end
+
+    context "when installing a new module" do
+      before do
+        provider.instance_variable_get('@property_hash')[:ensure] = :absent
+      end
+
+      it "should not reset the module stream when package is absent" do
+        resource[:ensure] = :present
+        expect(provider).not_to receive(:uninstall)
+        expect(provider).to receive(:execute)
+        provider.install
+      end
+
+      it "should not reset the module stream when package is purged" do
+        provider.instance_variable_get('@property_hash')[:ensure] = :purged
+        resource[:ensure] = :present
+        expect(provider).not_to receive(:uninstall)
+        expect(provider).to receive(:execute)
+        provider.install
+      end
+
+      it "should install the default stream and flavor" do
+        resource[:ensure] = :present
+        expect(provider).to receive(:execute).with(array_including('baz'))
+        provider.install
+      end
+
+      it "should install a specific stream" do
+        resource[:ensure] = '9.6'
+        expect(provider).to receive(:execute).with(array_including('baz:9.6'))
+        provider.install
+      end
+
+      it "should install a specific flavor" do
+        resource[:ensure] = :present
+        resource[:flavor] = 'minimal'
+        expect(provider).to receive(:execute).with(array_including('baz/minimal'))
+        provider.install
+      end
+
+      it "should install a specific flavor and stream" do
+        resource[:ensure] = '9.6'
+        resource[:flavor] = 'minimal'
+        expect(provider).to receive(:execute).with(array_including('baz:9.6/minimal'))
+        provider.install
+      end
+    end
+
+    context "when ensuring a specific version on top of another stream" do
+      before do
+        provider.instance_variable_get('@property_hash')[:ensure] = '9.6'
+      end
+
+      it "should remove existing packages and reset the module stream before installing" do
+        resource[:ensure] = '10'
+        expect(provider).to receive(:execute).thrice.with(array_including(/remove|reset|install/))
+        provider.install
+      end
+    end
+  end
+
+  context "parsing the output of module list --installed" do
+    before { allow(described_class).to receive(:command).with(:dnf).and_return(dnf_path) }
+
+    it "returns an array of installed modules" do
+      allow(Puppet::Util::Execution).to receive(:execute)
+        .with("/usr/bin/dnf module list --installed -d 0 -e 1")
+        .and_return(packages)
+
+      installed_packages = described_class.instances.map { |package| package.properties }
+      expected_packages = [{name: "gimp", ensure: "2.8", flavor: "devel", :provider => :dnfmodule},
+                           {name: "mariadb", ensure: "10.3", flavor: "client", :provider => :dnfmodule},
+                           {name: "nodejs", ensure: "10", flavor: "minimal", :provider => :dnfmodule},
+                           {name: "perl", ensure: "5.26", flavor: "minimal", :provider => :dnfmodule},
+                           {name: "postgresql", ensure: "10", flavor: "server", :provider => :dnfmodule},
+                           {name: "rust-toolset", ensure: "rhel8", flavor: "common", :provider => :dnfmodule},
+                           {name: "subversion", ensure: "1.10", flavor: "server", :provider => :dnfmodule}]
+
+      expect(installed_packages).to eql(expected_packages)
+    end
+  end
+end