puppet 6.21.0 → 6.24.0

data/spec/integration/application/ssl_spec.rb

@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+describe "puppet ssl", unless: Puppet::Util::Platform.jruby? do
+  context "print" do
+    it 'translates custom oids to their long name' do
+      basedir = File.expand_path("#{__FILE__}/../../../fixtures/ssl")
+      # registering custom oids changes global state, so shell out
+      output =
+        %x{puppet ssl show \
+           --certname oid \
+           --localcacert #{basedir}/ca.pem \
+           --hostcrl #{basedir}/crl.pem \
+           --hostprivkey #{basedir}/oid-key.pem \
+           --hostcert #{basedir}/oid.pem \
+           --trusted_oid_mapping_file #{basedir}/trusted_oid_mapping.yaml 2>&1
+        }
+      expect(output).to match(/Long name:/)
+    end
+  end
+end

data/spec/integration/environments/settings_interpolation_spec.rb

@@ -9,10 +9,6 @@ describe "interpolating $environment" do
   let(:confdir) { Puppet[:confdir] }
   let(:cmdline_args) { ['--confdir', confdir, '--vardir', Puppet[:vardir], '--hiera_config', Puppet[:hiera_config]] }
 
-  before(:each) do
-    FileUtils.mkdir_p(confdir)
-  end
-
   shared_examples_for "a setting that does not interpolate $environment" do
 
     before(:each) do

data/spec/integration/http/client_spec.rb

@@ -151,4 +151,16 @@ describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
       end
     end
   end
+
+  context 'ciphersuites' do
+    it "does not connect when using an SSLv3 ciphersuite", :if => Puppet::Util::Package.versioncmp(OpenSSL::OPENSSL_LIBRARY_VERSION.split[1], '1.1.1e') > 0 do
+      Puppet[:ciphers] = "DES-CBC3-SHA"
+
+      https_server.start_server do |port|
+        expect {
+          client.get(URI("https://127.0.0.1:#{port}"), options: {ssl_context: root_context})
+        }.to raise_error(Puppet::HTTP::ConnectionError, /no cipher match|sslv3 alert handshake failure/)
+      end
+    end
+  end
 end

data/spec/integration/indirector/direct_file_server_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'matchers/include'
 
 require 'puppet/indirector/file_content/file'
 require 'puppet/indirector/file_metadata/file'
@@ -30,7 +29,6 @@ end
 
 describe Puppet::Indirector::DirectFileServer, " when interacting with FileServing::Fileset and the model" do
   include PuppetSpec::Files
-  include Matchers::Include
 
   matcher :file_with_content do |name, content|
     match do |actual|
@@ -52,7 +50,7 @@ describe Puppet::Indirector::DirectFileServer, " when interacting with FileServi
     terminus = Puppet::Indirector::FileContent::File.new
     request = terminus.indirection.request(:search, Puppet::Util.path_to_uri(path).to_s, nil, :recurse => true)
 
-    expect(terminus.search(request)).to include_in_any_order(
+    expect(terminus.search(request)).to contain_exactly(
       file_with_content(File.join(path, "one"), "one content"),
       file_with_content(File.join(path, "two"), "two content"),
       directory_named(path))

data/spec/integration/indirector/facts/facter_spec.rb

@@ -6,6 +6,7 @@ require 'puppet/indirector/facts/facter'
 describe Puppet::Node::Facts::Facter do
   include PuppetSpec::Files
   include PuppetSpec::Compiler
+  include PuppetSpec::Settings
 
   before :each do
     Puppet::Node::Facts.indirection.terminus_class = :facter
@@ -66,49 +67,102 @@ describe Puppet::Node::Facts::Facter do
     end
   end
 
-  it "adds the puppetversion fact" do
-    allow(Facter).to receive(:reset)
-
-    cat = compile_to_catalog('notify { $::puppetversion: }',
-                             Puppet::Node.indirection.find('foo'))
-    expect(cat.resource("Notify[#{Puppet.version.to_s}]")).to be
-  end
+  context "adding facts" do
+    it "adds the puppetversion fact" do
+      allow(Facter).to receive(:reset)
 
-  it "the agent_specified_environment fact is nil when not set" do
-    expect do
-      compile_to_catalog('notify { $::agent_specified_environment: }',
-                         Puppet::Node.indirection.find('foo'))
-    end.to raise_error(Puppet::PreformattedError)
-  end
-
-  it "adds the agent_specified_environment fact when set in puppet.conf" do
-    FileUtils.mkdir_p(Puppet[:confdir])
-    File.open(File.join(Puppet[:confdir], 'puppet.conf'), 'w') do |f|
-      f.puts("environment=bar")
+      cat = compile_to_catalog('notify { $::puppetversion: }',
+                               Puppet::Node.indirection.find('foo'))
+      expect(cat.resource("Notify[#{Puppet.version.to_s}]")).to be
     end
 
-    Puppet.initialize_settings
-    cat = compile_to_catalog('notify { $::agent_specified_environment: }',
+    context "when adding the agent_specified_environment fact" do
+      it "does not add the fact if the agent environment is not set" do
+        expect do
+          compile_to_catalog('notify { $::agent_specified_environment: }',
                              Puppet::Node.indirection.find('foo'))
-    expect(cat.resource("Notify[bar]")).to be
-  end
+        end.to raise_error(Puppet::PreformattedError)
+      end
 
-  it "adds the agent_specified_environment fact when set via command-line" do
-    Puppet.initialize_settings(['--environment', 'bar'])
-    cat = compile_to_catalog('notify { $::agent_specified_environment: }',
+      it "does not add the fact if the agent environment is set in sections other than agent or main" do
+        set_puppet_conf(Puppet[:confdir], <<~CONF)
+        [user]
+        environment=bar
+        CONF
+
+        Puppet.initialize_settings
+        expect do
+          compile_to_catalog('notify { $::agent_specified_environment: }',
                              Puppet::Node.indirection.find('foo'))
-    expect(cat.resource("Notify[bar]")).to be
-  end
+        end.to raise_error(Puppet::PreformattedError)
+      end
 
-  it "adds the agent_specified_environment fact, preferring cli, when set in puppet.conf and via command-line" do
-    FileUtils.mkdir_p(Puppet[:confdir])
-    File.open(File.join(Puppet[:confdir], 'puppet.conf'), 'w') do |f|
-      f.puts("environment=bar")
-    end
+      it "adds the agent_specified_environment fact when set in the agent section in puppet.conf" do
+        set_puppet_conf(Puppet[:confdir], <<~CONF)
+        [agent]
+        environment=bar
+        CONF
 
-    Puppet.initialize_settings(['--environment', 'baz'])
-    cat = compile_to_catalog('notify { $::agent_specified_environment: }',
-                             Puppet::Node.indirection.find('foo'))
-    expect(cat.resource("Notify[baz]")).to be
+        Puppet.initialize_settings
+        cat = compile_to_catalog('notify { $::agent_specified_environment: }',
+                                 Puppet::Node.indirection.find('foo'))
+        expect(cat.resource("Notify[bar]")).to be
+      end
+
+      it "prefers agent_specified_environment from main if set in section other than agent" do
+        set_puppet_conf(Puppet[:confdir], <<~CONF)
+        [main]
+        environment=baz
+
+        [user]
+        environment=bar
+        CONF
+
+        Puppet.initialize_settings
+        cat = compile_to_catalog('notify { $::agent_specified_environment: }',
+                                 Puppet::Node.indirection.find('foo'))
+        expect(cat.resource("Notify[baz]")).to be
+      end
+
+      it "prefers agent_specified_environment from agent if set in multiple sections" do
+        set_puppet_conf(Puppet[:confdir], <<~CONF)
+        [main]
+        environment=baz
+
+        [agent]
+        environment=bar
+        CONF
+
+        Puppet.initialize_settings
+        cat = compile_to_catalog('notify { $::agent_specified_environment: }',
+                                 Puppet::Node.indirection.find('foo'))
+        expect(cat.resource("Notify[bar]")).to be
+      end
+
+      it "adds the agent_specified_environment fact when set in puppet.conf" do
+        set_puppet_conf(Puppet[:confdir], 'environment=bar')
+
+        Puppet.initialize_settings
+        cat = compile_to_catalog('notify { $::agent_specified_environment: }',
+                                 Puppet::Node.indirection.find('foo'))
+        expect(cat.resource("Notify[bar]")).to be
+      end
+
+      it "adds the agent_specified_environment fact when set via command-line" do
+        Puppet.initialize_settings(['--environment', 'bar'])
+        cat = compile_to_catalog('notify { $::agent_specified_environment: }',
+                                 Puppet::Node.indirection.find('foo'))
+        expect(cat.resource("Notify[bar]")).to be
+      end
+
+      it "adds the agent_specified_environment fact, preferring cli, when set in puppet.conf and via command-line" do
+        set_puppet_conf(Puppet[:confdir], 'environment=bar')
+
+        Puppet.initialize_settings(['--environment', 'baz'])
+        cat = compile_to_catalog('notify { $::agent_specified_environment: }',
+                                 Puppet::Node.indirection.find('foo'))
+        expect(cat.resource("Notify[baz]")).to be
+      end
+    end
   end
 end

data/spec/integration/type/exec_spec.rb

@@ -7,70 +7,95 @@ describe Puppet::Type.type(:exec), unless: Puppet::Util::Platform.jruby? do
 
   let(:catalog) { Puppet::Resource::Catalog.new }
   let(:path) { tmpfile('exec_provider') }
-  let(:command) { "ruby -e 'File.open(\"#{path}\", \"w\") { |f| f.print \"foo\" }'" }
 
   before :each do
     catalog.host_config = false
   end
 
-  it "should execute the command" do
-    exec = described_class.new :command => command, :path => ENV['PATH']
+  shared_examples_for 'a valid exec resource' do
+    it "should execute the command" do
+      exec = described_class.new :command => command, :path => ENV['PATH']
 
-    catalog.add_resource exec
-    catalog.apply
+      catalog.add_resource exec
+      catalog.apply
 
-    expect(File.read(path)).to eq('foo')
-  end
+      expect(File.read(path)).to eq('foo')
+    end
 
-  it "should not execute the command if onlyif returns non-zero" do
-    exec = described_class.new(
-      :command => command,
-      :onlyif => "ruby -e 'exit 44'",
-      :path => ENV['PATH']
-    )
+    it "should not execute the command if onlyif returns non-zero" do
+      exec = described_class.new(
+        :command => command,
+        :onlyif => "ruby -e 'exit 44'",
+        :path => ENV['PATH']
+      )
 
-    catalog.add_resource exec
-    catalog.apply
+      catalog.add_resource exec
+      catalog.apply
 
-    expect(Puppet::FileSystem.exist?(path)).to be_falsey
-  end
+      expect(Puppet::FileSystem.exist?(path)).to be_falsey
+    end
 
-  it "should execute the command if onlyif returns zero" do
-    exec = described_class.new(
-      :command => command,
-      :onlyif => "ruby -e 'exit 0'",
-      :path => ENV['PATH']
-    )
+    it "should execute the command if onlyif returns zero" do
+      exec = described_class.new(
+        :command => command,
+        :onlyif => "ruby -e 'exit 0'",
+        :path => ENV['PATH']
+      )
 
-    catalog.add_resource exec
-    catalog.apply
+      catalog.add_resource exec
+      catalog.apply
 
-    expect(File.read(path)).to eq('foo')
-  end
+      expect(File.read(path)).to eq('foo')
+    end
+
+    it "should execute the command if unless returns non-zero" do
+      exec = described_class.new(
+        :command => command,
+        :unless => "ruby -e 'exit 45'",
+        :path => ENV['PATH']
+      )
+
+      catalog.add_resource exec
+      catalog.apply
+
+      expect(File.read(path)).to eq('foo')
+    end
 
-  it "should execute the command if unless returns non-zero" do
-    exec = described_class.new(
-      :command => command,
-      :unless => "ruby -e 'exit 45'",
-      :path => ENV['PATH']
-    )
+    it "should not execute the command if unless returns zero" do
+      exec = described_class.new(
+        :command => command,
+        :unless => "ruby -e 'exit 0'",
+        :path => ENV['PATH']
+      )
 
-    catalog.add_resource exec
-    catalog.apply
+      catalog.add_resource exec
+      catalog.apply
 
-    expect(File.read(path)).to eq('foo')
+      expect(Puppet::FileSystem.exist?(path)).to be_falsey
+    end
   end
 
-  it "should not execute the command if unless returns zero" do
-    exec = described_class.new(
-      :command => command,
-      :unless => "ruby -e 'exit 0'",
-      :path => ENV['PATH']
-    )
+  context 'when command is a string' do
+    let(:command) { "ruby -e 'File.open(\"#{path}\", \"w\") { |f| f.print \"foo\" }'" }
+
+    it_behaves_like 'a valid exec resource'
+  end
+
+  context 'when command is an array' do
+    let(:command) { ['ruby', '-e', "File.open(\"#{path}\", \"w\") { |f| f.print \"foo\" }"] }
+
+    it_behaves_like 'a valid exec resource'
+
+    context 'when is invalid' do
+      let(:command) { [ "ruby -e 'puts 1'" ] }
 
-    catalog.add_resource exec
-    catalog.apply
+      it 'logs error' do
+        exec = described_class.new :command => command, :path => ENV['PATH']
+        catalog.add_resource exec
+        logs = catalog.apply.report.logs
 
-    expect(Puppet::FileSystem.exist?(path)).to be_falsey
+        expect(logs[0].message).to eql("Could not find command 'ruby -e 'puts 1''")
+      end
+    end
   end
 end

data/spec/integration/util/windows/adsi_spec.rb

@@ -55,6 +55,24 @@ describe Puppet::Util::Windows::ADSI::User,
       end
     end
   end
+
+  describe '.current_user_name_with_format' do
+    context 'when desired format is NameSamCompatible' do
+      it 'should get the same user name as the current_user_name method but fully qualified' do
+        user_name = Puppet::Util::Windows::ADSI::User.current_user_name
+        fully_qualified_user_name = Puppet::Util::Windows::ADSI::User.current_sam_compatible_user_name
+
+        expect(fully_qualified_user_name).to match(/^.+\\#{user_name}$/)
+      end
+
+      it 'should have the same SID as with the current_user_name method' do
+        user_name = Puppet::Util::Windows::ADSI::User.current_user_name
+        fully_qualified_user_name = Puppet::Util::Windows::ADSI::User.current_sam_compatible_user_name
+
+        expect(Puppet::Util::Windows::SID.name_to_sid(user_name)).to eq(Puppet::Util::Windows::SID.name_to_sid(fully_qualified_user_name))
+      end
+    end
+  end
 end
 
 describe Puppet::Util::Windows::ADSI::Group,

data/spec/integration/util/windows/principal_spec.rb

@@ -7,6 +7,7 @@ describe Puppet::Util::Windows::SID::Principal, :if => Puppet::Util::Platform.wi
   let (:system_bytes) { [1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0] }
   let (:null_sid_bytes) { [1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] }
   let (:administrator_bytes) { [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0] }
+  let (:all_application_packages_bytes) { [1, 2, 0, 0, 0, 0, 0, 15, 2, 0, 0, 0, 1, 0, 0, 0] }
   let (:computer_sid) { Puppet::Util::Windows::SID.name_to_principal(Puppet::Util::Windows::ADSI.computer_name) }
   # BUILTIN is localized on German Windows, but not French
   # looking this up like this dilutes the values of the tests as we're comparing two mechanisms
@@ -121,6 +122,26 @@ describe Puppet::Util::Windows::SID::Principal, :if => Puppet::Util::Platform.wi
       expect(principal.to_s).to eq(builtin_localized)
     end
 
+    it "should always sanitize the account name first" do
+      expect(Puppet::Util::Windows::SID::Principal).to receive(:sanitize_account_name).with('NT AUTHORITY\\SYSTEM').and_call_original
+      Puppet::Util::Windows::SID::Principal.lookup_account_name('NT AUTHORITY\\SYSTEM')
+    end
+
+    it "should be able to create an instance from an account name prefixed by APPLICATION PACKAGE AUTHORITY" do
+      principal = Puppet::Util::Windows::SID::Principal.lookup_account_name('APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES')
+      expect(principal.account).to eq('ALL APPLICATION PACKAGES')
+      expect(principal.sid_bytes).to eq(all_application_packages_bytes)
+      expect(principal.sid).to eq('S-1-15-2-1')
+      expect(principal.domain).to eq('APPLICATION PACKAGE AUTHORITY')
+      expect(principal.domain_account).to eq('APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES')
+      expect(principal.account_type).to eq(:SidTypeWellKnownGroup)
+      expect(principal.to_s).to eq('APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES')
+    end
+
+    it "should fail without proper account name sanitization when it is prefixed by APPLICATION PACKAGE AUTHORITY" do
+      given_account_name = 'APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES'
+      expect { Puppet::Util::Windows::SID::Principal.lookup_account_name(nil, false, given_account_name) }.to raise_error(Puppet::Util::Windows::Error, /No mapping between account names and security IDs was done./)
+    end
   end
 
   describe ".lookup_account_sid" do

data/spec/integration/util/windows/registry_spec.rb

@@ -263,6 +263,12 @@ describe Puppet::Util::Windows::Registry do
           type: Win32::Registry::REG_EXPAND_SZ,
           value: "\0\0\0reg expand string",
           expected_value: ""
+        },
+        {
+          name: 'REG_EXPAND_SZ_2',
+          type: Win32::Registry::REG_EXPAND_SZ,
+          value: "1\x002\x003\x004\x00\x00\x00\x90\xD8UoY".force_encoding("UTF-16LE"),
+          expected_value: "1234"
         }
       ].each do |pair|
         it 'reads up to the first wide null' do

data/spec/lib/puppet/test_ca.rb

@@ -30,7 +30,7 @@ module Puppet
     end
 
     def create_request(name)
-      key = OpenSSL::PKey::RSA.new(1024)
+      key = OpenSSL::PKey::RSA.new(2048)
       csr = OpenSSL::X509::Request.new
       csr.public_key = key.public_key
       csr.subject = OpenSSL::X509::Name.new([["CN", name]])
@@ -46,6 +46,11 @@ module Puppet
         ext = ef.create_extension(["subjectAltName", opts[:subject_alt_names], false])
         cert.add_extension(ext)
       end
+      if exts = opts[:extensions]
+        exts.each do |e|
+          cert.add_extension(OpenSSL::X509::Extension.new(*e))
+        end
+      end
       cert.sign(issuer_key, @digest)
       { private_key: key, cert: cert }
     end
@@ -127,7 +132,7 @@ module Puppet
       key = if opts[:key_type] == :ec
               key = OpenSSL::PKey::EC.generate('prime256v1')
             else
-              key = OpenSSL::PKey::RSA.new(1024)
+              key = OpenSSL::PKey::RSA.new(2048)
             end
       cert = OpenSSL::X509::Certificate.new
       cert.public_key = if key.is_a?(OpenSSL::PKey::EC)