RubyGems - puppet - Versions diffs - 6.14.0 → 6.15.0 - Mend

puppet 6.14.0 → 6.15.0

Potentially problematic release.

This version of puppet might be problematic. Click here for more details.

Files changed (195) hide show

checksums.yaml +4 -4
data/Gemfile.lock +15 -15
data/ext/windows/service/daemon.rb +3 -3
data/lib/puppet.rb +1 -1
data/lib/puppet/agent.rb +2 -10
data/lib/puppet/application/agent.rb +2 -1
data/lib/puppet/application/filebucket.rb +5 -14
data/lib/puppet/application/ssl.rb +2 -2
data/lib/puppet/configurer.rb +7 -3
data/lib/puppet/configurer/plugin_handler.rb +1 -1
data/lib/puppet/defaults.rb +22 -2
data/lib/puppet/environments.rb +4 -5
data/lib/puppet/face/plugin.rb +1 -1
data/lib/puppet/file_system/file_impl.rb +13 -9
data/lib/puppet/forge/repository.rb +1 -1
data/lib/puppet/functions/call.rb +1 -1
data/lib/puppet/functions/reduce.rb +2 -4
data/lib/puppet/http.rb +2 -0
data/lib/puppet/http/client.rb +191 -52
data/lib/puppet/http/external_client.rb +96 -0
data/lib/puppet/http/redirector.rb +34 -0
data/lib/puppet/http/resolver.rb +46 -3
data/lib/puppet/http/resolver/server_list.rb +75 -15
data/lib/puppet/http/resolver/settings.rb +22 -2
data/lib/puppet/http/resolver/srv.rb +28 -2
data/lib/puppet/http/response.rb +63 -1
data/lib/puppet/http/retry_after_handler.rb +39 -0
data/lib/puppet/http/service.rb +67 -1
data/lib/puppet/http/service/ca.rb +71 -9
data/lib/puppet/http/service/compiler.rb +213 -11
data/lib/puppet/http/service/file_server.rb +105 -4
data/lib/puppet/http/service/report.rb +36 -3
data/lib/puppet/http/session.rb +59 -8
data/lib/puppet/indirector/catalog/rest.rb +2 -1
data/lib/puppet/indirector/facts/rest.rb +2 -1
data/lib/puppet/indirector/file_bucket_file/rest.rb +48 -0
data/lib/puppet/indirector/file_metadata/rest.rb +4 -2
data/lib/puppet/indirector/node/rest.rb +2 -1
data/lib/puppet/indirector/report/yaml.rb +23 -0
data/lib/puppet/indirector/status/rest.rb +2 -1
data/lib/puppet/metatype/manager.rb +80 -80
data/lib/puppet/network/http/base_pool.rb +6 -1
data/lib/puppet/network/http/pool.rb +2 -4
data/lib/puppet/network/http_pool.rb +1 -0
data/lib/puppet/node/environment.rb +11 -1
data/lib/puppet/pal/pal_impl.rb +1 -29
data/lib/puppet/parser/compiler.rb +14 -7
data/lib/puppet/parser/functions.rb +18 -13
data/lib/puppet/pops/loaders.rb +7 -5
data/lib/puppet/provider/group/windows_adsi.rb +3 -3
data/lib/puppet/provider/package/apt.rb +61 -1
data/lib/puppet/provider/package/dnfmodule.rb +39 -12
data/lib/puppet/provider/package/gem.rb +41 -7
data/lib/puppet/provider/package/pacman.rb +2 -5
data/lib/puppet/provider/package/pip.rb +105 -33
data/lib/puppet/provider/package/pip3.rb +0 -2
data/lib/puppet/provider/package/pkgdmg.rb +1 -1
data/lib/puppet/provider/package/pkgng.rb +16 -4
data/lib/puppet/provider/package/puppet_gem.rb +6 -2
data/lib/puppet/provider/package/rpm.rb +6 -213
data/lib/puppet/provider/package/yum.rb +92 -19
data/lib/puppet/provider/service/systemd.rb +2 -1
data/lib/puppet/reports/http.rb +13 -11
data/lib/puppet/resource/type_collection.rb +20 -16
data/lib/puppet/ssl.rb +1 -0
data/lib/puppet/ssl/host.rb +4 -4
data/lib/puppet/ssl/oids.rb +1 -0
data/lib/puppet/ssl/state_machine.rb +50 -33
data/lib/puppet/transaction/report.rb +2 -2
data/lib/puppet/type.rb +6 -1
data/lib/puppet/type/file/source.rb +4 -2
data/lib/puppet/type/package.rb +25 -2
data/lib/puppet/type/user.rb +0 -19
data/lib/puppet/util/at_fork.rb +1 -1
data/lib/puppet/util/autoload.rb +3 -0
data/lib/puppet/util/instance_loader.rb +14 -10
data/lib/puppet/util/package/version/debian.rb +175 -0
data/lib/puppet/util/package/version/gem.rb +15 -0
data/lib/puppet/util/package/version/pip.rb +167 -0
data/lib/puppet/util/package/version/range.rb +50 -0
data/lib/puppet/util/package/version/range/gt.rb +14 -0
data/lib/puppet/util/package/version/range/gt_eq.rb +14 -0
data/lib/puppet/util/package/version/range/lt.rb +14 -0
data/lib/puppet/util/package/version/range/lt_eq.rb +14 -0
data/lib/puppet/util/package/version/range/min_max.rb +21 -0
data/lib/puppet/util/package/version/range/simple.rb +11 -0
data/lib/puppet/util/package/version/rpm.rb +73 -0
data/lib/puppet/util/pidlock.rb +13 -7
data/lib/puppet/util/platform.rb +5 -0
data/lib/puppet/util/rpm_compare.rb +193 -0
data/lib/puppet/util/windows/adsi.rb +2 -2
data/lib/puppet/util/windows/process.rb +15 -14
data/lib/puppet/util/windows/security.rb +1 -0
data/lib/puppet/util/windows/sid.rb +3 -3
data/lib/puppet/version.rb +1 -1
data/locales/puppet.pot +207 -201
data/man/man5/puppet.conf.5 +11 -3
data/man/man8/puppet-agent.8 +1 -1
data/man/man8/puppet-apply.8 +1 -1
data/man/man8/puppet-catalog.8 +1 -1
data/man/man8/puppet-config.8 +1 -1
data/man/man8/puppet-describe.8 +1 -1
data/man/man8/puppet-device.8 +1 -1
data/man/man8/puppet-doc.8 +1 -1
data/man/man8/puppet-epp.8 +1 -1
data/man/man8/puppet-facts.8 +1 -1
data/man/man8/puppet-filebucket.8 +1 -1
data/man/man8/puppet-generate.8 +1 -1
data/man/man8/puppet-help.8 +1 -1
data/man/man8/puppet-key.8 +1 -1
data/man/man8/puppet-lookup.8 +1 -1
data/man/man8/puppet-man.8 +1 -1
data/man/man8/puppet-module.8 +1 -1
data/man/man8/puppet-node.8 +1 -1
data/man/man8/puppet-parser.8 +1 -1
data/man/man8/puppet-plugin.8 +1 -1
data/man/man8/puppet-report.8 +1 -1
data/man/man8/puppet-resource.8 +1 -1
data/man/man8/puppet-script.8 +1 -1
data/man/man8/puppet-ssl.8 +1 -1
data/man/man8/puppet-status.8 +1 -1
data/man/man8/puppet.8 +2 -2
data/spec/fixtures/ssl/unknown-127.0.0.1-key.pem +67 -0
data/spec/fixtures/ssl/unknown-127.0.0.1.pem +48 -0
data/spec/fixtures/ssl/unknown-ca-key.pem +67 -0
data/spec/fixtures/ssl/unknown-ca.pem +59 -0
data/spec/fixtures/unit/provider/package/dnfmodule/{dnf-module-list-installed.txt → dnf-module-list-enabled.txt} +2 -0
data/spec/fixtures/unit/provider/package/pkgng/pkg.version +2 -0
data/spec/fixtures/unit/provider/package/yum/yum-check-update-subscription-manager.txt +9 -0
data/spec/fixtures/unit/provider/service/systemd/list_unit_files_services +9 -0
data/spec/integration/application/agent_spec.rb +329 -0
data/spec/integration/application/apply_spec.rb +132 -3
data/spec/integration/application/filebucket_spec.rb +190 -0
data/spec/integration/application/plugin_spec.rb +50 -0
data/spec/integration/http/client_spec.rb +34 -40
data/spec/integration/indirector/report/yaml.rb +83 -0
data/spec/integration/module_tool/forge_spec.rb +2 -15
data/spec/integration/network/http_pool_spec.rb +11 -19
data/spec/integration/node/environment_spec.rb +15 -0
data/spec/integration/util/windows/adsi_spec.rb +1 -1
data/spec/lib/puppet/test_ca.rb +2 -2
data/spec/lib/puppet_spec/https.rb +10 -7
data/spec/lib/puppet_spec/puppetserver.rb +119 -0
data/spec/shared_contexts/https.rb +29 -0
data/spec/unit/agent_spec.rb +33 -25
data/spec/unit/application/agent_spec.rb +5 -1
data/spec/unit/application/device_spec.rb +2 -2
data/spec/unit/application/filebucket_spec.rb +22 -2
data/spec/unit/configurer_spec.rb +1 -1
data/spec/unit/defaults_spec.rb +24 -1
data/spec/unit/environments_spec.rb +8 -0
data/spec/unit/file_system_spec.rb +10 -0
data/spec/unit/http/client_spec.rb +105 -46
data/spec/unit/http/external_client_spec.rb +201 -0
data/spec/unit/http/resolver_spec.rb +20 -0
data/spec/unit/http/service/ca_spec.rb +25 -2
data/spec/unit/http/service/compiler_spec.rb +184 -6
data/spec/unit/http/service/file_server_spec.rb +35 -3
data/spec/unit/http/service/report_spec.rb +3 -1
data/spec/unit/http/service_spec.rb +3 -3
data/spec/unit/http/session_spec.rb +56 -7
data/spec/unit/indirector/file_bucket_file/rest_spec.rb +82 -2
data/spec/unit/network/http/pool_spec.rb +3 -3
data/spec/unit/node/environment_spec.rb +16 -0
data/spec/unit/provider/group/windows_adsi_spec.rb +43 -10
data/spec/unit/provider/package/apt_spec.rb +30 -0
data/spec/unit/provider/package/dnfmodule_spec.rb +33 -14
data/spec/unit/provider/package/gem_spec.rb +40 -0
data/spec/unit/provider/package/pacman_spec.rb +6 -21
data/spec/unit/provider/package/pip_spec.rb +26 -3
data/spec/unit/provider/package/pkgdmg_spec.rb +1 -1
data/spec/unit/provider/package/pkgng_spec.rb +38 -0
data/spec/unit/provider/package/puppet_gem_spec.rb +8 -0
data/spec/unit/provider/package/rpm_spec.rb +0 -212
data/spec/unit/provider/package/yum_spec.rb +235 -1
data/spec/unit/provider/service/systemd_spec.rb +10 -1
data/spec/unit/provider/user/windows_adsi_spec.rb +3 -3
data/spec/unit/puppet_pal_2pec.rb +0 -29
data/spec/unit/reports/http_spec.rb +70 -52
data/spec/unit/ssl/host_spec.rb +4 -2
data/spec/unit/ssl/oids_spec.rb +1 -0
data/spec/unit/ssl/state_machine_spec.rb +38 -6
data/spec/unit/transaction/report_spec.rb +4 -0
data/spec/unit/util/at_fork_spec.rb +2 -2
data/spec/unit/util/package/version/debian_spec.rb +83 -0
data/spec/unit/util/package/version/pip_spec.rb +464 -0
data/spec/unit/util/package/version/range_spec.rb +154 -0
data/spec/unit/util/package/version/rpm_spec.rb +121 -0
data/spec/unit/util/pidlock_spec.rb +83 -47
data/spec/unit/util/rpm_compare_spec.rb +196 -0
data/spec/unit/util/windows/adsi_spec.rb +4 -4
data/spec/unit/util/windows/sid_spec.rb +2 -2
data/tasks/generate_cert_fixtures.rake +15 -1
metadata +51 -6
data/spec/integration/faces/plugin_spec.rb +0 -63

data/spec/fixtures/ssl/unknown-ca.pem ADDED

@@ -0,0 +1,59 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 0 (0x0)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Unknown CA
+        Validity
+            Not Before: Jan  1 00:00:00 1970 GMT
+            Not After : Mar 10 06:54:16 2030 GMT
+        Subject: CN=Unknown CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (1024 bit)
+                Modulus:
+                    00:c1:5e:5d:26:ae:73:17:5a:70:37:ac:42:25:ca:
+                    05:10:86:17:23:6c:28:84:48:2a:4a:d4:b0:3a:2a:
+                    d8:33:ae:58:67:6f:9b:4f:a6:b4:87:b1:ec:37:00:
+                    69:8d:d5:cf:71:8a:96:e1:4a:f8:c8:81:36:f9:43:
+                    ad:d8:d6:76:83:27:99:a4:48:17:c2:ef:9c:22:40:
+                    4b:c6:58:21:88:e5:1d:37:79:4e:ba:31:e6:52:ec:
+                    8c:23:ed:d6:ce:3b:58:ad:82:c7:ae:28:47:d4:e7:
+                    cc:31:ac:78:c9:02:87:d0:b1:91:09:f6:1e:9a:c3:
+                    4f:f6:5a:fe:a2:21:0e:c0:95
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Subject Key Identifier:
+                E9:58:70:FE:F1:C1:AA:5A:70:7A:C1:02:11:1D:9A:F4:60:4F:70:76
+            Netscape Comment:
+                Puppet Server Internal Certificate
+            X509v3 Authority Key Identifier:
+                keyid:E9:58:70:FE:F1:C1:AA:5A:70:7A:C1:02:11:1D:9A:F4:60:4F:70:76
+    Signature Algorithm: sha256WithRSAEncryption
+         00:45:89:e8:68:a7:50:8c:92:84:3c:c4:e6:10:00:29:27:99:
+         c6:82:aa:aa:b5:0b:ef:97:58:bc:bb:e6:e7:93:7c:a7:ea:e5:
+         9a:61:1d:e3:4f:3f:f9:ac:c4:96:14:a5:1f:77:a6:01:dc:08:
+         15:9c:3f:66:29:92:80:49:e9:db:d9:22:fb:c3:86:bf:40:ab:
+         46:bf:c5:47:bb:c8:89:df:d4:ca:36:f5:08:c4:08:c6:0b:d6:
+         9e:8a:86:41:1e:7e:6f:a9:75:ef:8a:94:a9:fd:1a:9b:0f:55:
+         3a:55:e5:04:82:71:c3:47:78:62:8e:07:ed:dc:4e:ac:f9:33:
+         7b:27
+-----BEGIN CERTIFICATE-----
+MIICODCCAaGgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApVbmtu
+b3duIENBMB4XDTcwMDEwMTAwMDAwMFoXDTMwMDMxMDA2NTQxNlowFTETMBEGA1UE
+AwwKVW5rbm93biBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwV5dJq5z
+F1pwN6xCJcoFEIYXI2wohEgqStSwOirYM65YZ2+bT6a0h7HsNwBpjdXPcYqW4Ur4
+yIE2+UOt2NZ2gyeZpEgXwu+cIkBLxlghiOUdN3lOujHmUuyMI+3WzjtYrYLHrihH
+1OfMMax4yQKH0LGRCfYemsNP9lr+oiEOwJUCAwEAAaOBlzCBlDAPBgNVHRMBAf8E
+BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU6Vhw/vHBqlpwesECER2a
+9GBPcHYwMQYJYIZIAYb4QgENBCQWIlB1cHBldCBTZXJ2ZXIgSW50ZXJuYWwgQ2Vy
+dGlmaWNhdGUwHwYDVR0jBBgwFoAU6Vhw/vHBqlpwesECER2a9GBPcHYwDQYJKoZI
+hvcNAQELBQADgYEAAEWJ6GinUIyShDzE5hAAKSeZxoKqqrUL75dYvLvm55N8p+rl
+mmEd408/+azElhSlH3emAdwIFZw/ZimSgEnp29ki+8OGv0CrRr/FR7vIid/Uyjb1
+CMQIxgvWnoqGQR5+b6l174qUqf0amw9VOlXlBIJxw0d4Yo4H7dxOrPkzeyc=
+-----END CERTIFICATE-----

data/spec/fixtures/unit/provider/package/dnfmodule/{dnf-module-list-installed.txt → dnf-module-list-enabled.txt} RENAMED

@@ -1,10 +1,12 @@
 localmirror-appstream
 Name         Stream       Profiles                                  Summary
+389-ds       1.4 [e]                                                389 Directory Server (base)
 gimp         2.8 [d][e]   common [d], devel [i]                     gimp module
 mariadb      10.3 [d][e]  client [i], server [d], galera            MariaDB Module
 nodejs       10 [d][e]    common [d], development, minimal [i], s2i Javascript runtime
 perl         5.26 [d][e]  common [d], minimal [i]                   Practical Extraction and Report Language
 postgresql   10 [d][e]    client, server [d] [i]                    PostgreSQL server and client module
+ruby         2.5 [d][e]   common [d]                                An interpreter of object-oriented scripting language
 rust-toolset rhel8 [d][e] common [d] [i]                            Rust
 subversion   1.10 [d][e]  common [d], server [i]                    Apache Subversion

data/spec/fixtures/unit/provider/package/pkgng/pkg.version CHANGED

@@ -1,3 +1,5 @@
 shells/bash-completion             <   needs updating (index has 2.1_3)
 ftp/curl                           <   needs updating (index has 7.33.0_2)
 shells/zsh                         <   needs updating (index has 5.0.4)
+sysutils/orphan                    ?   orphaned: sysutils/orphan
+sysutils/broken                    !   Comparison failed

data/spec/fixtures/unit/provider/package/yum/yum-check-update-subscription-manager.txt ADDED

@@ -0,0 +1,9 @@
+Loaded plugins: product-id, search-disabled-repos, subscription-manager
+This system is not registered with an entitlement server. You can use subscription-manager to register on.
+curl.i686                               7.32.0-10.fc20           updates
+curl.x86_64                             7.32.0-10.fc20           updates
+gawk.i686                               4.1.0-3.fc20             updates
+dhclient.i686                           12:4.1.1-38.P1.fc20      updates
+java-1.8.0-openjdk.x86_64               1:1.8.0.131-2.b11.el7_3  updates

data/spec/fixtures/unit/provider/service/systemd/list_unit_files_services CHANGED

@@ -5,3 +5,12 @@ autovt@.service                             disabled
 avahi-daemon.service                        enabled
 blk-availability.service                    disabled
 brandbot.service                            static
+apparmor.service                            bad
+udev.service                                enabled-runtime
+ufw.service                                 linked
+umountfs.service                            linked-runtime
+umountnfs.service                           masked
+umountroot.service                          masked-runtime
+urandom.service                             indirect
+user@.service                               generated
+uuidd.service                               transient

data/spec/integration/application/agent_spec.rb ADDED

@@ -0,0 +1,329 @@
+require 'spec_helper'
+require 'puppet_spec/files'
+require 'puppet_spec/puppetserver'
+require 'puppet_spec/compiler'
+require 'puppet_spec/https'
+describe "puppet agent", unless: Puppet::Util::Platform.jruby? do
+  include PuppetSpec::Files
+  include PuppetSpec::Compiler
+  include_context "https client"
+  let(:server) { PuppetSpec::Puppetserver.new }
+  let(:agent) { Puppet::Application[:agent] }
+  let(:node) { Puppet::Node.new(Puppet[:certname], environment: 'production')}
+  let(:formatter) { Puppet::Network::FormatHandler.format(:rich_data_json) }
+  context 'server_list' do
+    before :each do
+      Puppet[:log_level] = 'debug'
+    end
+    it "uses the first server in the list" do
+      Puppet[:server_list] = '127.0.0.1'
+      server.start_server do |port|
+        Puppet[:masterport] = port
+        expect {
+          expect {
+            agent.command_line.args << '--test'
+            agent.run
+          }.to exit_with(0)
+        }.to output(%r{HTTP GET https://127.0.0.1:#{port}/status/v1/simple/master returned 200 OK}).to_stdout
+      end
+    end
+    it "falls back, recording the first viable server in the report" do
+      Puppet[:server_list] = "puppet.example.com,#{Puppet[:server]}"
+      server.start_server do |port|
+        Puppet[:masterport] = port
+        expect {
+          expect {
+            agent.command_line.args << '--test'
+            agent.run
+          }.to exit_with(0)
+        }.to output(%r{Unable to connect to server from server_list setting: Request to https://puppet.example.com:#{port}/status/v1/simple/master failed}).to_stdout
+        report = Puppet::Transaction::Report.convert_from(:yaml, File.read(Puppet[:lastrunreport]))
+        expect(report.master_used).to eq("127.0.0.1:#{port}")
+      end
+    end
+    it "doesn't write a report if no servers could be contacted" do
+      Puppet[:server_list] = "puppet.example.com"
+      expect {
+        expect {
+          expect {
+            agent.command_line.args << '--test'
+            agent.run
+          }.to exit_with(1)
+        }.to output(%r{Unable to connect to server from server_list setting: Could not select a functional puppet master from server_list: 'puppet.example.com'}).to_stdout
+      }.to output(/Error: Could not run Puppet configuration client: Could not select a functional puppet master from server_list: 'puppet.example.com'/).to_stderr
+      # I'd expect puppet to update the last run report even if the server_list was
+      # exhausted, but it doesn't work that way currently, see PUP-6708
+      expect(File).to_not be_exist(Puppet[:lastrunreport])
+    end
+    it "omits master_used when not using server_list" do
+      server.start_server do |port|
+        Puppet[:masterport] = port
+        expect {
+          expect {
+            agent.command_line.args << '--test'
+            agent.run
+          }.to exit_with(0)
+        }.to output(%r{Resolved service 'puppet' to https://127.0.0.1:#{port}/puppet/v3}).to_stdout
+      end
+      report = Puppet::Transaction::Report.convert_from(:yaml, File.read(Puppet[:lastrunreport]))
+      expect(report.master_used).to be_nil
+    end
+  end
+  context 'rich data' do
+    it "applies deferred values" do
+      catalog_handler = -> (req, res) {
+        catalog = compile_to_catalog(<<-MANIFEST, node)
+          notify { 'deferred':
+            message => Deferred('join', [[1,2,3], ':'])
+          }
+        MANIFEST
+        res.body = formatter.render(catalog)
+        res['Content-Type'] = formatter.mime
+      }
+      server.start_server(mounts: {catalog: catalog_handler}) do |port|
+        Puppet[:masterport] = port
+        expect {
+          expect {
+            agent.command_line.args << '--test'
+            agent.run
+          }.to exit_with(2)
+        }.to output(%r{Notice: /Stage\[main\]/Main/Notify\[deferred\]/message: defined 'message' as '1:2:3'}).to_stdout
+      end
+    end
+    it "redacts sensitive values" do
+      catalog_handler = -> (req, res) {
+        catalog = compile_to_catalog(<<-MANIFEST, node)
+          notify { 'sensitive':
+            message => Sensitive('supersecret')
+          }
+        MANIFEST
+        res.body = formatter.render(catalog)
+        res['Content-Type'] = formatter.mime
+      }
+      server.start_server(mounts: {catalog: catalog_handler}) do |port|
+        Puppet[:masterport] = port
+        expect {
+          expect {
+            agent.command_line.args << '--test'
+            agent.run
+          }.to exit_with(2)
+        }.to output(a_string_matching(
+          /Notice: Sensitive \[value redacted\]/
+        ).and matching(
+          /Notify\[sensitive\]\/message: changed \[redacted\] to \[redacted\]/
+        )).to_stdout
+      end
+    end
+  end
+  context 'static catalogs' do
+    let(:path) { tmpfile('file') }
+    let(:metadata) { Puppet::FileServing::Metadata.new(path) }
+    let(:source) { "puppet:///modules/foo/foo.txt" }
+    before :each do
+      Puppet::FileSystem.touch(path)
+      metadata.collect
+      metadata.source = source
+      metadata.content_uri = "puppet:///modules/foo/files/foo.txt"
+    end
+    it 'uses inline file metadata to determine the file is insync' do
+      catalog_handler = -> (req, res) {
+        catalog = compile_to_catalog(<<-MANIFEST, node)
+          file { "#{path}":
+            ensure => file,
+            source => "#{source}"
+          }
+        MANIFEST
+        catalog.metadata = { path => metadata }
+        res.body = formatter.render(catalog)
+        res['Content-Type'] = formatter.mime
+      }
+      server.start_server(mounts: {catalog: catalog_handler}) do |port|
+        Puppet[:masterport] = port
+        expect {
+          expect {
+            agent.command_line.args << '--test'
+            agent.run
+          }.to exit_with(0)
+        }.to_not output(/content changed/).to_stdout
+      end
+    end
+    it 'retrieves file content using the content_uri from the inlined file metadata' do
+      # create file with binary content
+      binary_content = "\xC0\xFF".force_encoding('binary')
+      File.binwrite(path, binary_content)
+      # recollect metadata
+      metadata.collect
+      # overwrite local file so it is no longer in sync
+      File.binwrite(path, "")
+      catalog_handler = -> (req, res) {
+        catalog = compile_to_catalog(<<-MANIFEST, node)
+          file { "#{path}":
+            ensure => file,
+            source => "#{source}",
+          }
+        MANIFEST
+        catalog.metadata = { path => metadata }
+        res.body = formatter.render(catalog)
+        res['Content-Type'] = formatter.mime
+      }
+      static_file_content_handler = -> (req, res) {
+        res.body = binary_content
+        res['Content-Type'] = 'application/octet-stream'
+      }
+      mounts = {
+        catalog: catalog_handler,
+        static_file_content: static_file_content_handler
+      }
+      server.start_server(mounts: mounts) do |port|
+        Puppet[:masterport] = port
+        expect {
+          expect {
+            agent.command_line.args << '--test'
+            agent.run
+          }.to exit_with(2)
+        }.to output(/content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}4cf49285ae567157ebfba72bd04ccf32'/).to_stdout
+        # verify puppet restored binary content
+        expect(File.binread(path)).to eq(binary_content)
+      end
+    end
+  end
+  context 'https file sources' do
+    let(:path) { tmpfile('https_file_source') }
+    let(:response_body) { "from https server" }
+    let(:digest) { Digest::SHA1.hexdigest(response_body) }
+    it 'rejects HTTPS servers whose root cert is not in the system CA store' do
+      unknown_ca_cert = cert_fixture('unknown-ca.pem')
+      https = PuppetSpec::HTTPSServer.new(
+        ca_cert: unknown_ca_cert,
+        server_cert: cert_fixture('unknown-127.0.0.1.pem'),
+        server_key: key_fixture('unknown-127.0.0.1-key.pem')
+      )
+      # create a temp cacert bundle
+      ssl_file = tmpfile('systemstore')
+      # add CA cert that is neither the puppet CA nor unknown CA
+      File.write(ssl_file, cert_fixture('netlock-arany-utf8.pem').to_pem)
+      https.start_server do |https_port|
+        catalog_handler = -> (req, res) {
+          catalog = compile_to_catalog(<<-MANIFEST, node)
+            file { "#{path}":
+              ensure => file,
+              backup => false,
+              checksum => sha1,
+              checksum_value => '#{digest}',
+              source => "https://127.0.0.1:#{https_port}/path/to/file"
+            }
+          MANIFEST
+          res.body = formatter.render(catalog)
+          res['Content-Type'] = formatter.mime
+        }
+        server.start_server(mounts: {catalog: catalog_handler}) do |puppetserver_port|
+          Puppet[:masterport] = puppetserver_port
+          # override path to system cacert bundle, this must be done before
+          # the SSLContext is created and the call to X509::Store.set_default_paths
+          Puppet::Util.withenv("SSL_CERT_FILE" => ssl_file) do
+            expect {
+              agent.command_line.args << '--test'
+              agent.run
+            }.to exit_with(4)
+             .and output(/Notice: Applied catalog/).to_stdout
+             .and output(%r{Error: Could not retrieve file metadata for https://127.0.0.1:#{https_port}/path/to/file: .* certificate verify failed}).to_stderr
+          end
+          expect(File).to_not be_exist(path)
+        end
+      end
+    end
+    it 'accepts HTTPS servers whose cert is in the system CA store' do
+      unknown_ca_cert = cert_fixture('unknown-ca.pem')
+      https = PuppetSpec::HTTPSServer.new(
+        ca_cert: unknown_ca_cert,
+        server_cert: cert_fixture('unknown-127.0.0.1.pem'),
+        server_key: key_fixture('unknown-127.0.0.1-key.pem')
+      )
+      # create a temp cacert bundle
+      ssl_file = tmpfile('systemstore')
+      File.write(ssl_file, unknown_ca_cert.to_pem)
+      response_proc = -> (req, res) {
+        res.status = 200
+        res.body = response_body
+      }
+      https.start_server(response_proc: response_proc) do |https_port|
+        catalog_handler = -> (req, res) {
+          catalog = compile_to_catalog(<<-MANIFEST, node)
+            file { "#{path}":
+              ensure => file,
+              backup => false,
+              checksum => sha1,
+              checksum_value => '#{digest}',
+              source => "https://127.0.0.1:#{https_port}/path/to/file"
+            }
+          MANIFEST
+          res.body = formatter.render(catalog)
+          res['Content-Type'] = formatter.mime
+        }
+        server.start_server(mounts: {catalog: catalog_handler}) do |puppetserver_port|
+          Puppet[:masterport] = puppetserver_port
+          # override path to system cacert bundle, this must be done before
+          # the SSLContext is created and the call to X509::Store.set_default_paths
+          Puppet::Util.withenv("SSL_CERT_FILE" => ssl_file) do
+            expect {
+                agent.command_line.args << '--test'
+                agent.run
+            }.to exit_with(2)
+             .and output(%r{https_file_source.*/ensure: created}).to_stdout
+          end
+          expect(File.binread(path)).to eq("from https server")
+        end
+      end
+    end
+  end
+end

data/spec/integration/application/apply_spec.rb CHANGED

@@ -1,8 +1,9 @@
 require 'spec_helper'
 require 'puppet_spec/files'
 require 'puppet_spec/compiler'
+require 'puppet_spec/https'
-describe "apply" do
+describe "apply", unless: Puppet::Util::Platform.jruby? do
   include PuppetSpec::Files
   before :each do
@@ -257,7 +258,7 @@ end
     expect(@logs.map(&:to_s)).to include(/{environment =>.*/)
   end
-  it "applies a given file even when an ENC is configured", :unless => Puppet::Util::Platform.windows? || RUBY_PLATFORM == 'java' do
+  it "applies a given file even when an ENC is configured", :unless => Puppet::Util::Platform.windows? || Puppet::Util::Platform.jruby? do
     manifest = file_containing("manifest.pp", "notice('specific manifest applied')")
     enc = script_containing('enc_script',
       :windows => '@echo classes: []' + "\n" + '@echo environment: special',
@@ -378,7 +379,7 @@ end
     # External node script execution will fail, likely due to the tampering
     # with the basic file descriptors.
     # Workaround: Define a log destination and merely inspect logs.
-    context "with an ENC", :unless => RUBY_PLATFORM == 'java' do
+    context "with an ENC" do
       let(:logdest) { tmpfile('logdest') }
       let(:args) { ['-e', execute, '--logdest', logdest ] }
       let(:enc) do
@@ -534,4 +535,132 @@ class amod::bad_type {
       end
     end
   end
+  context 'puppet file sources' do
+    let(:env_name) { 'dev' }
+    let(:env_dir) { File.join(Puppet[:environmentpath], env_name) }
+    let(:env) { Puppet::Node::Environment.create(env_name.to_sym, [File.join(env_dir, 'modules')]) }
+    let(:node) { Puppet::Node.new(Puppet[:certname], environment: environment) }
+    let(:apply) { Puppet::Application[:apply] }
+    before :each do
+      Puppet[:environment] = env_name
+      Puppet::FileSystem.mkpath(env_dir)
+    end
+    it "recursively copies a directory from a module" do
+      dir = File.join(env.full_modulepath, 'amod', 'files', 'dir1', 'dir2')
+      Puppet::FileSystem.mkpath(dir)
+      File.write(File.join(dir, 'file'), 'content from the module')
+      base_dir = tmpdir('apply_spec_base')
+      manifest = file_containing("manifest.pp", <<-MANIFEST)
+        file { "#{base_dir}/dir1":
+          ensure  => file,
+          source  => "puppet:///modules/amod/dir1",
+          recurse => true,
+        }
+      MANIFEST
+      expect {
+        apply.command_line.args << manifest
+         apply.run
+      }.to exit_with(0)
+       .and output(a_string_matching(
+         /dir1\]\/ensure: created/
+      ).and matching(
+         /dir1\/dir2\]\/ensure: created/
+      ).and matching(
+         /dir1\/dir2\/file\]\/ensure: defined content as '{md5}51f37efb13c3a1e486106f90db6490a5'/
+      )).to_stdout
+      dest_file = File.join(base_dir, 'dir1', 'dir2', 'file')
+      expect(File.read(dest_file)).to eq("content from the module")
+    end
+  end
+  context 'http report processor' do
+    include_context 'https client'
+    before :each do
+      Puppet[:reports] = 'http'
+    end
+    let(:apply) { Puppet::Application[:apply] }
+    let(:unknown_server) do
+      unknown_ca_cert = cert_fixture('unknown-ca.pem')
+      PuppetSpec::HTTPSServer.new(
+        ca_cert: unknown_ca_cert,
+        server_cert: cert_fixture('unknown-127.0.0.1.pem'),
+        server_key: key_fixture('unknown-127.0.0.1-key.pem')
+      )
+    end
+    it 'submits a report via reporturl' do
+      report = nil
+      response_proc = -> (req, res) {
+        report = Puppet::Transaction::Report.convert_from(:yaml, req.body)
+      }
+      https = PuppetSpec::HTTPSServer.new
+      https.start_server(response_proc: response_proc) do |https_port|
+        Puppet[:reporturl] = "https://127.0.0.1:#{https_port}/reports/upload"
+        expect {
+          apply.command_line.args = ['-e', 'notify { "hi": }']
+          apply.run
+        }.to exit_with(0)
+         .and output(/Applied catalog/).to_stdout
+        expect(report).to be_a(Puppet::Transaction::Report)
+        expect(report.resource_statuses['Notify[hi]']).to be_a(Puppet::Resource::Status)
+      end
+    end
+    it 'rejects an HTTPS report server whose root cert is not the puppet CA' do
+      unknown_server.start_server do |https_port|
+        Puppet[:reporturl] = "https://127.0.0.1:#{https_port}/reports/upload"
+        # processing the report happens after the transaction is finished,
+        # so we expect exit code 0, with a later failure on stderr
+        expect {
+          apply.command_line.args = ['-e', 'notify { "hi": }']
+          apply.run
+        }.to exit_with(0)
+         .and output(/Applied catalog/).to_stdout
+         .and output(/Report processor failed: certificate verify failed \[self signed certificate in certificate chain for CN=Unknown CA\]/).to_stderr
+      end
+    end
+    it 'accepts an HTTPS report servers whose cert is in the system CA store' do
+      Puppet[:report_include_system_store] = true
+      report = nil
+      response_proc = -> (req, res) {
+        report = Puppet::Transaction::Report.convert_from(:yaml, req.body)
+      }
+      # create a temp cacert bundle
+      ssl_file = tmpfile('systemstore')
+      File.write(ssl_file, unknown_server.ca_cert.to_pem)
+      unknown_server.start_server(response_proc: response_proc) do |https_port|
+        Puppet[:reporturl] = "https://127.0.0.1:#{https_port}/reports/upload"
+        # override path to system cacert bundle, this must be done before
+        # the SSLContext is created and the call to X509::Store.set_default_paths
+        Puppet::Util.withenv("SSL_CERT_FILE" => ssl_file) do
+          expect {
+            apply.command_line.args = ['-e', 'notify { "hi": }']
+            apply.run
+          }.to exit_with(0)
+           .and output(/Applied catalog/).to_stdout
+        end
+        expect(report).to be_a(Puppet::Transaction::Report)
+        expect(report.resource_statuses['Notify[hi]']).to be_a(Puppet::Resource::Status)
+      end
+    end
+  end
 end