puppet 6.19.1-x64-mingw32 → 6.23.0-x64-mingw32

data/spec/integration/resource/type_collection_spec.rb

@@ -11,12 +11,8 @@ describe Puppet::Resource::TypeCollection do
       @dir = tmpfile("autoload_testing")
       FileUtils.mkdir_p @dir
 
-      loader = Object.new
-      allow(loader).to receive(:load).and_return(nil)
-      allow(loader).to receive(:set_entry)
-
-      loaders = Object.new
-      expect(loaders).to receive(:runtime3_type_loader).at_most(:once).and_return(loader)
+      loader = double('loader', load: nil, set_entry: nil)
+      loaders = double('loaders', runtime3_type_loader: loader)
       expect(Puppet::Pops::Loaders).to receive(:loaders).at_most(:once).and_return(loaders)
 
       environment = Puppet::Node::Environment.create(:env, [@dir])

data/spec/integration/transaction_spec.rb

@@ -61,7 +61,7 @@ describe Puppet::Transaction do
 
     transaction = Puppet::Transaction.new(catalog, nil, Puppet::Graph::SequentialPrioritizer.new)
 
-    expect(resource).not_to receive(:evaluate)
+    expect(resource).not_to receive(:retrieve)
 
     transaction.evaluate
   end
@@ -86,7 +86,7 @@ describe Puppet::Transaction do
 
     transaction = Puppet::Transaction.new(catalog, nil, Puppet::Graph::SequentialPrioritizer.new)
 
-    expect(resource).not_to receive(:evaluate)
+    expect(resource).not_to receive(:retrieve)
 
     transaction.evaluate
   end
@@ -315,16 +315,14 @@ describe Puppet::Transaction do
         file1 = tmpfile("file1")
         file2 = tmpfile("file2")
 
+        expect(Puppet::FileSystem).to_not be_exist(file2)
+
         exec1 = Puppet::Type.type(:exec).new(
           :name        => "exec1",
           :path        => ENV["PATH"],
           :command     => touch(file1),
         )
 
-        allow(exec1).to receive(:eval_generate).and_return(
-          [ Puppet::Type.type(:notify).new(:name => "eval1_notify") ]
-        )
-
         exec2 = Puppet::Type.type(:exec).new(
           :name        => "exec2",
           :path        => ENV["PATH"],
@@ -332,9 +330,6 @@ describe Puppet::Transaction do
           :refreshonly => true,
           :subscribe   => exec1,
         )
-        allow(exec2).to receive(:eval_generate).and_return(
-          [ Puppet::Type.type(:notify).new(:name => "eval2_notify") ]
-        )
 
         Puppet[:tags] = "exec"
         catalog = mk_catalog(exec1, exec2)

data/spec/integration/util/windows/adsi_spec.rb

@@ -55,6 +55,24 @@ describe Puppet::Util::Windows::ADSI::User,
       end
     end
   end
+
+  describe '.current_user_name_with_format' do
+    context 'when desired format is NameSamCompatible' do
+      it 'should get the same user name as the current_user_name method but fully qualified' do
+        user_name = Puppet::Util::Windows::ADSI::User.current_user_name
+        fully_qualified_user_name = Puppet::Util::Windows::ADSI::User.current_sam_compatible_user_name
+
+        expect(fully_qualified_user_name).to match(/^.+\\#{user_name}$/)
+      end
+
+      it 'should have the same SID as with the current_user_name method' do
+        user_name = Puppet::Util::Windows::ADSI::User.current_user_name
+        fully_qualified_user_name = Puppet::Util::Windows::ADSI::User.current_sam_compatible_user_name
+
+        expect(Puppet::Util::Windows::SID.name_to_sid(user_name)).to eq(Puppet::Util::Windows::SID.name_to_sid(fully_qualified_user_name))
+      end
+    end
+  end
 end
 
 describe Puppet::Util::Windows::ADSI::Group,
@@ -157,7 +175,9 @@ describe Puppet::Util::Windows::ADSI::Group,
 
       # touch the native_object member to have it lazily loaded, so COM objects can be stubbed
       admins.native_object
-      allow(admins.native_object).to receive(:Members).and_return(members)
+      without_partial_double_verification do
+        allow(admins.native_object).to receive(:Members).and_return(members)
+      end
 
       # well-known NULL SID
       expect(admins.members[0].sid).to eq('S-1-0-0')

data/spec/integration/util/windows/principal_spec.rb

@@ -7,6 +7,7 @@ describe Puppet::Util::Windows::SID::Principal, :if => Puppet::Util::Platform.wi
   let (:system_bytes) { [1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0] }
   let (:null_sid_bytes) { [1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] }
   let (:administrator_bytes) { [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0] }
+  let (:all_application_packages_bytes) { [1, 2, 0, 0, 0, 0, 0, 15, 2, 0, 0, 0, 1, 0, 0, 0] }
   let (:computer_sid) { Puppet::Util::Windows::SID.name_to_principal(Puppet::Util::Windows::ADSI.computer_name) }
   # BUILTIN is localized on German Windows, but not French
   # looking this up like this dilutes the values of the tests as we're comparing two mechanisms
@@ -121,6 +122,26 @@ describe Puppet::Util::Windows::SID::Principal, :if => Puppet::Util::Platform.wi
       expect(principal.to_s).to eq(builtin_localized)
     end
 
+    it "should always sanitize the account name first" do
+      expect(Puppet::Util::Windows::SID::Principal).to receive(:sanitize_account_name).with('NT AUTHORITY\\SYSTEM').and_call_original
+      Puppet::Util::Windows::SID::Principal.lookup_account_name('NT AUTHORITY\\SYSTEM')
+    end
+
+    it "should be able to create an instance from an account name prefixed by APPLICATION PACKAGE AUTHORITY" do
+      principal = Puppet::Util::Windows::SID::Principal.lookup_account_name('APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES')
+      expect(principal.account).to eq('ALL APPLICATION PACKAGES')
+      expect(principal.sid_bytes).to eq(all_application_packages_bytes)
+      expect(principal.sid).to eq('S-1-15-2-1')
+      expect(principal.domain).to eq('APPLICATION PACKAGE AUTHORITY')
+      expect(principal.domain_account).to eq('APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES')
+      expect(principal.account_type).to eq(:SidTypeWellKnownGroup)
+      expect(principal.to_s).to eq('APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES')
+    end
+
+    it "should fail without proper account name sanitization when it is prefixed by APPLICATION PACKAGE AUTHORITY" do
+      given_account_name = 'APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES'
+      expect { Puppet::Util::Windows::SID::Principal.lookup_account_name(nil, false, given_account_name) }.to raise_error(Puppet::Util::Windows::Error, /No mapping between account names and security IDs was done./)
+    end
   end
 
   describe ".lookup_account_sid" do

data/spec/integration/util/windows/registry_spec.rb

@@ -146,16 +146,6 @@ describe Puppet::Util::Windows::Registry do
         utf_8_bytes = ENDASH_UTF_8 + TM_UTF_8
         utf_8_str = utf_8_bytes.pack('c*').force_encoding(Encoding::UTF_8)
 
-        # this problematic Ruby codepath triggers a conversion of UTF-16LE to
-        # a local codepage which can totally break when that codepage has no
-        # conversion from the given UTF-16LE characters to local codepage
-        # a prime example is that IBM437 has no conversion from a Unicode en-dash
-        expect(Win32::Registry).not_to receive(:export_string)
-
-        # also, expect that we're using our variants of keys / values, not Rubys
-        expect(Win32::Registry).not_to receive(:each_key)
-        expect(Win32::Registry).not_to receive(:each_value)
-
         hklm.create("#{puppet_key}\\#{subkey_name}", Win32::Registry::KEY_ALL_ACCESS | regsam) do |reg|
           reg.write("#{guid}", Win32::Registry::REG_SZ, utf_16_str)
 
@@ -273,6 +263,12 @@ describe Puppet::Util::Windows::Registry do
           type: Win32::Registry::REG_EXPAND_SZ,
           value: "\0\0\0reg expand string",
           expected_value: ""
+        },
+        {
+          name: 'REG_EXPAND_SZ_2',
+          type: Win32::Registry::REG_EXPAND_SZ,
+          value: "1\x002\x003\x004\x00\x00\x00\x90\xD8UoY".force_encoding("UTF-16LE"),
+          expected_value: "1234"
         }
       ].each do |pair|
         it 'reads up to the first wide null' do

data/spec/lib/puppet/test_ca.rb

@@ -30,7 +30,7 @@ module Puppet
     end
 
     def create_request(name)
-      key = OpenSSL::PKey::RSA.new(1024)
+      key = OpenSSL::PKey::RSA.new(2048)
       csr = OpenSSL::X509::Request.new
       csr.public_key = key.public_key
       csr.subject = OpenSSL::X509::Name.new([["CN", name]])
@@ -127,7 +127,7 @@ module Puppet
       key = if opts[:key_type] == :ec
               key = OpenSSL::PKey::EC.generate('prime256v1')
             else
-              key = OpenSSL::PKey::RSA.new(1024)
+              key = OpenSSL::PKey::RSA.new(2048)
             end
       cert = OpenSSL::X509::Certificate.new
       cert.public_key = if key.is_a?(OpenSSL::PKey::EC)

data/spec/lib/puppet_spec/settings.rb

@@ -12,7 +12,12 @@ module PuppetSpec::Settings
     :codedir      => { :type => :directory, :default => "test", :desc => "codedir" },
     :vardir       => { :type => :directory, :default => "test", :desc => "vardir" },
     :rundir       => { :type => :directory, :default => "test", :desc => "rundir" },
-  }
+  }.freeze
+
+  TEST_APP_DEFAULT_VALUES = TEST_APP_DEFAULT_DEFINITIONS.inject({}) do |memo, (key, value)|
+    memo[key] = value[:default]
+    memo
+  end.freeze
 
   def set_puppet_conf(confdir, settings)
     write_file(File.join(confdir, "puppet.conf"), settings)

data/spec/spec_helper.rb

@@ -84,10 +84,7 @@ RSpec.configure do |config|
   config.filter_run_when_matching :focus
 
   config.mock_with :rspec do |mocks|
-    # We really should have this on, but it breaks a _lot_ of tests. We'll
-    # need to go through and fix those tests first before it can be enabled
-    # for real.
-    mocks.verify_partial_doubles = false
+    mocks.verify_partial_doubles = true
   end
 
   tmpdir = Puppet::FileSystem.expand_path(Dir.mktmpdir("rspecrun"))
@@ -163,10 +160,20 @@ RSpec.configure do |config|
   PUPPET_FACTER_2_GCE_URL = %r{^http://metadata/computeMetadata/v1(beta1)?}.freeze
   PUPPET_FACTER_3_GCE_URL = "http://metadata.google.internal/computeMetadata/v1/?recursive=true&alt=json".freeze
 
+  # Facter azure metadata endpoint
+  PUPPET_FACTER_AZ_URL = "http://169.254.169.254/metadata/instance?api-version=2020-09-01"
+
+  # Facter EC2 endpoint
+  PUPPET_FACTER_EC2_METADATA_URL = 'http://169.254.169.254/latest/meta-data/'
+  PUPPET_FACTER_EC2_USERDATA_URL = 'http://169.254.169.254/latest/user-data/'
+
   config.around :each do |example|
-    # Ignore requests from Facter GCE fact in Travis
+    # Ignore requests from Facter to external services
     stub_request(:get, PUPPET_FACTER_2_GCE_URL)
     stub_request(:get, PUPPET_FACTER_3_GCE_URL)
+    stub_request(:get, PUPPET_FACTER_AZ_URL)
+    stub_request(:get, PUPPET_FACTER_EC2_METADATA_URL)
+    stub_request(:get, PUPPET_FACTER_EC2_USERDATA_URL)
 
     # Enable VCR if the example is tagged with `:vcr` metadata.
     if example.metadata[:vcr]

data/spec/unit/agent_spec.rb

@@ -3,9 +3,13 @@ require 'puppet/agent'
 require 'puppet/configurer'
 
 class AgentTestClient
-  def run
+  def initialize(transaction_uuid = nil, job_id = nil)
+  end
+
+  def run(client_args)
     # no-op
   end
+
   def stop
     # no-op
   end
@@ -51,11 +55,10 @@ describe Puppet::Agent do
 
   it "should create an instance of its client class and run it when asked to run" do
     client = double('client')
-    expect(AgentTestClient).to receive(:new).and_return(client)
-
-    expect(client).to receive(:run)
+    allow(AgentTestClient).to receive(:new).with(nil, nil).and_return(client)
 
     allow(@agent).to receive(:disabled?).and_return(false)
+    expect(client).to receive(:run)
     @agent.run
   end
 
@@ -92,7 +95,6 @@ describe Puppet::Agent do
 
   describe "when being run" do
     before do
-      allow(AgentTestClient).to receive(:lockfile_path).and_return("/my/lock")
       allow(@agent).to receive(:disabled?).and_return(false)
     end
 
@@ -188,7 +190,7 @@ describe Puppet::Agent do
         allow(lockfile).to receive(:lock).and_return(false)
       end
 
-      it "should notify that a run is already in progres" do
+      it "should notify that a run is already in progress" do
         client = AgentTestClient.new
         expect(AgentTestClient).to receive(:new).and_return(client)
         expect(Puppet).to receive(:notice).with(/Run of .* already in progress; skipping .* exists/)

data/spec/unit/application/agent_spec.rb

@@ -202,7 +202,6 @@ describe Puppet::Application::Agent do
       allow(Puppet::Resource::Catalog.indirection).to receive(:terminus_class=)
       allow(Puppet::Resource::Catalog.indirection).to receive(:cache_class=)
       allow(Puppet::Node::Facts.indirection).to receive(:terminus_class=)
-      allow(Puppet).to receive(:settraps)
     end
 
     it "should not run with extra arguments" do
@@ -547,11 +546,16 @@ describe Puppet::Application::Agent do
         @puppetd.options[:digest] = :MD5
       end
 
+      def expected_fingerprint(name, x509)
+        digest = OpenSSL::Digest.new(name).hexdigest(x509.to_der)
+        digest.scan(/../).join(':').upcase
+      end
+
       it "should fingerprint the certificate if it exists" do
         cert = cert_fixture('signed.pem')
         allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_client_cert).and_return(cert)
 
-        expect(@puppetd).to receive(:puts).with('(MD5) E2:BA:9A:EF:20:A8:7D:10:8D:82:9A:61:5D:FD:5B:33')
+        expect(@puppetd).to receive(:puts).with("(MD5) #{expected_fingerprint('md5', cert)}")
 
         @puppetd.fingerprint
       end
@@ -561,7 +565,7 @@ describe Puppet::Application::Agent do
         allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_client_cert).and_return(nil)
         allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_request).and_return(request)
 
-        expect(@puppetd).to receive(:puts).with('(MD5) B8:4C:FB:31:AE:17:86:E3:AD:53:97:CA:F6:3C:4A:CB')
+        expect(@puppetd).to receive(:puts).with("(MD5) #{expected_fingerprint('md5', request)}")
 
         @puppetd.fingerprint
       end

data/spec/unit/application/config_spec.rb

@@ -1,12 +1,232 @@
+# coding: utf-8
 require 'spec_helper'
 require 'puppet/application/config'
 
 describe Puppet::Application::Config do
-  it "should be a subclass of Puppet::Application::FaceBase" do
-    expect(Puppet::Application::Config.superclass).to equal(Puppet::Application::FaceBase)
+  include PuppetSpec::Files
+
+  # different UTF-8 widths
+  # 1-byte A
+  # 2-byte ۿ - http://www.fileformat.info/info/unicode/char/06ff/index.htm - 0xDB 0xBF / 219 191
+  # 3-byte ᚠ - http://www.fileformat.info/info/unicode/char/16A0/index.htm - 0xE1 0x9A 0xA0 / 225 154 160
+  # 4-byte 𠜎 - http://www.fileformat.info/info/unicode/char/2070E/index.htm - 0xF0 0xA0 0x9C 0x8E / 240 160 156 142
+  MIXED_UTF8 = "A\u06FF\u16A0\u{2070E}" # Aۿᚠ𠜎
+
+  let(:app) { Puppet::Application[:config] }
+
+  before :each do
+    Puppet[:config] = tmpfile('config')
+  end
+
+  def initialize_app(args)
+    app.command_line.args = args
+    # ensure global defaults are initialized prior to app defaults
+    Puppet.initialize_settings(args)
+  end
+
+  def read_utf8(path)
+    File.read(path, :encoding => 'UTF-8')
+  end
+
+  def write_utf8(path, content)
+    File.write(path, content, 0, :encoding => 'UTF-8')
+  end
+
+  context "when printing" do
+    it "prints a value" do
+      initialize_app(%w[print certname])
+
+      expect {
+        app.run
+      }.to exit_with(0)
+       .and output(a_string_matching(Puppet[:certname])).to_stdout
+    end
+
+    it "prints a value from a section" do
+      File.write(Puppet[:config], <<~END)
+        [main]
+        external_nodes=none
+        [server]
+        external_nodes=exec
+      END
+
+      initialize_app(%w[print external_nodes --section server])
+
+      expect {
+        app.run
+      }.to exit_with(0)
+       .and output(a_string_matching('exec')).to_stdout
+    end
+
+    it "doesn't require the environment to exist" do
+      initialize_app(%w[print certname --environment doesntexist])
+
+      expect {
+        app.run
+      }.to exit_with(0)
+       .and output(a_string_matching(Puppet[:certname])).to_stdout
+    end
   end
 
-  it "should set `environment_mode` to :not_required" do
-    expect(Puppet::Application::Config.get_environment_mode).to equal(:not_required)
+  context "when setting" do
+    it "sets a value in its config file" do
+      initialize_app(%w[set certname www.example.com])
+
+      expect {
+        app.run
+      }.to exit_with(0)
+
+      expect(File.read(Puppet[:config])).to eq("[main]\ncertname = www.example.com\n")
+    end
+
+    it "sets a value in the server section" do
+      initialize_app(%w[set external_nodes exec --section server])
+
+      expect {
+        app.run
+      }.to exit_with(0)
+
+      expect(File.read(Puppet[:config])).to eq("[server]\nexternal_nodes = exec\n")
+    end
+
+    {
+      %w[certname WWW.EXAMPLE.COM] => /Certificate names must be lower case/,
+      %w[log_level all] => /Invalid loglevel all/,
+      %w[disable_warnings true] => /Cannot disable unrecognized warning types 'true'/,
+      %w[strict on] => /Invalid value 'on' for parameter strict/,
+      %w[digest_algorithm rot13] => /Invalid value 'rot13' for parameter digest_algorithm/,
+      %w[http_proxy_password a#b] => /Passwords set in the http_proxy_password setting must be valid as part of a URL/,
+    }.each_pair do |args, message|
+      it "rejects #{args.join(' ')}" do
+        initialize_app(['set', *args])
+
+        expect {
+          app.run
+        }.to exit_with(1)
+         .and output(message).to_stderr
+      end
+    end
+
+    it 'sets unknown settings' do
+      initialize_app(['set', 'notarealsetting', 'true'])
+
+      expect {
+        app.run
+      }.to exit_with(0)
+
+      expect(File.read(Puppet[:config])).to eq("[main]\nnotarealsetting = true\n")
+    end
+  end
+
+  context "when deleting" do
+    it "deletes a value" do
+      initialize_app(%w[delete external_nodes])
+
+      File.write(Puppet[:config], <<~END)
+        [main]
+        external_nodes=none
+      END
+
+      expect {
+        app.run
+      }.to exit_with(0)
+       .and output(/Deleted setting from 'main': 'external_nodes=none'/).to_stdout
+
+      expect(File.read(Puppet[:config])).to eq("[main]\n")
+    end
+
+    it "warns when deleting a value that isn't set" do
+      initialize_app(%w[delete external_nodes])
+
+      File.write(Puppet[:config], "")
+
+      expect {
+        app.run
+      }.to exit_with(0)
+       .and output(a_string_matching("Warning: No setting found in configuration file for section 'main' setting name 'external_nodes'")).to_stderr
+
+      expect(File.read(Puppet[:config])).to eq("")
+    end
+
+    it "deletes a value from main" do
+      initialize_app(%w[delete external_nodes])
+
+      File.write(Puppet[:config], <<~END)
+        [main]
+        external_nodes=none
+      END
+
+      expect {
+        app.run
+      }.to exit_with(0)
+       .and output(/Deleted setting from 'main': 'external_nodes=none'/).to_stdout
+
+      expect(File.read(Puppet[:config])).to eq("[main]\n")
+    end
+
+    it "deletes a value from main a section" do
+      initialize_app(%w[delete external_nodes --section server])
+
+      File.write(Puppet[:config], <<~END)
+        [main]
+        external_nodes=none
+        [server]
+        external_nodes=exec
+      END
+
+      expect {
+        app.run
+      }.to exit_with(0)
+       .and output(/Deleted setting from 'server': 'external_nodes'/).to_stdout
+
+      expect(File.read(Puppet[:config])).to eq("[main]\nexternal_nodes=none\n[server]\n")
+    end
+  end
+
+  context "when managing UTF-8 values" do
+    it "reads a UTF-8 value" do
+      write_utf8(Puppet[:config], <<~EOF)
+        [main]
+        tags=#{MIXED_UTF8}
+      EOF
+
+      initialize_app(%w[print tags])
+
+      expect {
+        app.run
+      }.to exit_with(0)
+       .and output("#{MIXED_UTF8}\n").to_stdout
+    end
+
+    it "sets a UTF-8 value" do
+      initialize_app(['set', 'tags', MIXED_UTF8])
+
+      expect {
+        app.run
+      }.to exit_with(0)
+
+      expect(read_utf8(Puppet[:config])).to eq(<<~EOF)
+        [main]
+        tags = #{MIXED_UTF8}
+      EOF
+    end
+
+    it "deletes a UTF-8 value" do
+      initialize_app(%w[delete tags])
+
+      write_utf8(Puppet[:config], <<~EOF)
+        [main]
+        tags=#{MIXED_UTF8}
+      EOF
+
+      expect {
+        app.run
+      }.to exit_with(0)
+       .and output(/Deleted setting from 'main': 'tags=#{MIXED_UTF8}'/).to_stdout
+
+      expect(read_utf8(Puppet[:config])).to eq(<<~EOF)
+        [main]
+      EOF
+    end
   end
 end