puppet 6.21.0 → 6.24.0

data/spec/unit/util/selinux_spec.rb

@@ -3,26 +3,29 @@ require 'spec_helper'
 require 'pathname'
 require 'puppet/util/selinux'
 
-unless defined?(Selinux)
-  module Selinux
-    def self.is_selinux_enabled
-      false
-    end
-  end
-end
-
 describe Puppet::Util::SELinux do
   include Puppet::Util::SELinux
 
+  let(:selinux) { double('selinux', is_selinux_enabled: false) }
+
+  before :each do
+    stub_const('Selinux', selinux)
+  end
+
   describe "selinux_support?" do
-    it "should return :true if this system has SELinux enabled" do
+    it "should return true if this system has SELinux enabled" do
       expect(Selinux).to receive(:is_selinux_enabled).and_return(1)
-      expect(selinux_support?).to be_truthy
+      expect(selinux_support?).to eq(true)
     end
 
-    it "should return :false if this system lacks SELinux" do
+    it "should return false if this system has SELinux disabled" do
       expect(Selinux).to receive(:is_selinux_enabled).and_return(0)
-      expect(selinux_support?).to be_falsey
+      expect(selinux_support?).to eq(false)
+    end
+
+    it "should return false if this system lacks SELinux" do
+      hide_const('Selinux')
+      expect(selinux_support?).to eq(false)
     end
 
     it "should return nil if /proc/mounts does not exist" do
@@ -156,7 +159,7 @@ describe Puppet::Util::SELinux do
       end
     end
 
-    it "handles no such file or directory errors by issuing a warning" do
+    it "backward compatibly handles no such file or directory errors by issuing a warning when resource_ensure not set" do
       without_partial_double_verification do
         allow(self).to receive(:selinux_support?).and_return(true)
         allow(self).to receive(:selinux_label_support?).and_return(true)
@@ -167,6 +170,51 @@ describe Puppet::Util::SELinux do
       end
     end
 
+    it "should determine mode based on resource ensure when set to file" do
+      without_partial_double_verification do
+        allow(self).to receive(:selinux_support?).and_return(true)
+        allow(self).to receive(:selinux_label_support?).and_return(true)
+        allow(Selinux).to receive(:matchpathcon).with("/root/chuj", 32768).and_return(-1)
+        allow(self).to receive(:file_lstat).with("/root/chuj").and_raise(Errno::ENOENT, "/root/chuj")
+
+        expect(get_selinux_default_context("/root/chuj", :present)).to be_nil
+        expect(get_selinux_default_context("/root/chuj", :file)).to be_nil
+      end
+    end
+
+    it "should determine mode based on resource ensure when set to dir" do
+      without_partial_double_verification do
+        allow(self).to receive(:selinux_support?).and_return(true)
+        allow(self).to receive(:selinux_label_support?).and_return(true)
+        allow(Selinux).to receive(:matchpathcon).with("/root/chuj", 16384).and_return(-1)
+        allow(self).to receive(:file_lstat).with("/root/chuj").and_raise(Errno::ENOENT, "/root/chuj")
+
+        expect(get_selinux_default_context("/root/chuj", :directory)).to be_nil
+      end
+    end
+
+    it "should determine mode based on resource ensure when set to link" do
+      without_partial_double_verification do
+        allow(self).to receive(:selinux_support?).and_return(true)
+        allow(self).to receive(:selinux_label_support?).and_return(true)
+        allow(Selinux).to receive(:matchpathcon).with("/root/chuj", 40960).and_return(-1)
+        allow(self).to receive(:file_lstat).with("/root/chuj").and_raise(Errno::ENOENT, "/root/chuj")
+
+        expect(get_selinux_default_context("/root/chuj", :link)).to be_nil
+      end
+    end
+
+    it "should determine mode based on resource ensure when set to unknown" do
+      without_partial_double_verification do
+        allow(self).to receive(:selinux_support?).and_return(true)
+        allow(self).to receive(:selinux_label_support?).and_return(true)
+        allow(Selinux).to receive(:matchpathcon).with("/root/chuj", 0).and_return(-1)
+        allow(self).to receive(:file_lstat).with("/root/chuj").and_raise(Errno::ENOENT, "/root/chuj")
+
+        expect(get_selinux_default_context("/root/chuj", "unknown")).to be_nil
+      end
+    end
+
     it "should return nil if matchpathcon returns failure" do
       without_partial_double_verification do
         expect(self).to receive(:selinux_support?).and_return(true)
@@ -326,21 +374,44 @@ describe Puppet::Util::SELinux do
     end
 
     it "should return nil if no default context exists" do
-      expect(self).to receive(:get_selinux_default_context).with("/foo").and_return(nil)
+      expect(self).to receive(:get_selinux_default_context).with("/foo", nil).and_return(nil)
       expect(set_selinux_default_context("/foo")).to be_nil
     end
 
     it "should do nothing and return nil if the current context matches the default context" do
-      expect(self).to receive(:get_selinux_default_context).with("/foo").and_return("user_u:role_r:type_t")
+      expect(self).to receive(:get_selinux_default_context).with("/foo", nil).and_return("user_u:role_r:type_t")
       expect(self).to receive(:get_selinux_current_context).with("/foo").and_return("user_u:role_r:type_t")
       expect(set_selinux_default_context("/foo")).to be_nil
     end
 
     it "should set and return the default context if current and default do not match" do
-      expect(self).to receive(:get_selinux_default_context).with("/foo").and_return("user_u:role_r:type_t")
+      expect(self).to receive(:get_selinux_default_context).with("/foo", nil).and_return("user_u:role_r:type_t")
       expect(self).to receive(:get_selinux_current_context).with("/foo").and_return("olduser_u:role_r:type_t")
       expect(self).to receive(:set_selinux_context).with("/foo", "user_u:role_r:type_t").and_return(true)
       expect(set_selinux_default_context("/foo")).to eq("user_u:role_r:type_t")
     end
   end
+
+  describe "get_create_mode" do
+    it "should return 0 if the resource is absent" do
+      expect(get_create_mode(:absent)).to eq(0)
+    end
+
+    it "should return mode with file type set to S_IFREG when resource is file" do
+      expect(get_create_mode(:present)).to eq(32768)
+      expect(get_create_mode(:file)).to eq(32768)
+    end
+
+    it "should return mode with file type set to S_IFDIR when resource is dir" do
+      expect(get_create_mode(:directory)).to eq(16384)
+    end
+
+    it "should return mode with file type set to S_IFLNK when resource is link" do
+      expect(get_create_mode(:link)).to eq(40960)
+    end
+
+    it "should return 0 for everything else" do
+      expect(get_create_mode("unknown")).to eq(0)
+    end
+  end
 end

data/spec/unit/util/windows/sid_spec.rb

@@ -131,33 +131,74 @@ describe "Puppet::Util::Windows::SID", :if => Puppet::Util::Platform.windows? do
       expect(subject.name_to_principal(unknown_name)).to be_nil
     end
 
+    it "should print a debug message if the account does not exist" do
+      expect(Puppet).to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal(unknown_name)
+    end
+
     it "should return a Puppet::Util::Windows::SID::Principal instance for any valid sid" do
       expect(subject.name_to_principal(sid)).to be_an_instance_of(Puppet::Util::Windows::SID::Principal)
     end
 
+    it "should not print debug messages for valid sid" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).not_to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal(sid)
+    end
+
+    it "should print a debug message for invalid sid" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal('S-1-5-21-INVALID-SID')
+    end
+
     it "should accept unqualified account name" do
       # NOTE: lookup by name works in localized environments only for a few instances
       # this works in French Windows, even though the account is really Syst\u00E8me
       expect(subject.name_to_principal('SYSTEM').sid).to eq(sid)
     end
 
+    it "should not print debug messages for unqualified account name" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).not_to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal('SYSTEM')
+    end
+
     it "should be case-insensitive" do
       # NOTE: lookup by name works in localized environments only for a few instances
       # this works in French Windows, even though the account is really Syst\u00E8me
       expect(subject.name_to_principal('SYSTEM')).to eq(subject.name_to_principal('system'))
     end
 
+    it "should not print debug messages for wrongly cased account name" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).not_to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal('system')
+    end
+
     it "should be leading and trailing whitespace-insensitive" do
       # NOTE: lookup by name works in localized environments only for a few instances
       # this works in French Windows, even though the account is really Syst\u00E8me
       expect(subject.name_to_principal('SYSTEM')).to eq(subject.name_to_principal(' SYSTEM '))
     end
 
+    it "should not print debug messages for account name with leading and trailing whitespace" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).not_to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal(' SYSTEM ')
+    end
+
     it "should accept domain qualified account names" do
       # NOTE: lookup by name works in localized environments only for a few instances
       # this works in French Windows, even though the account is really AUTORITE NT\\Syst\u00E8me
       expect(subject.name_to_principal('NT AUTHORITY\SYSTEM').sid).to eq(sid)
     end
+
+    it "should not print debug messages for domain qualified account names" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).not_to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal('NT AUTHORITY\SYSTEM')
+    end
   end
 
   context "#ads_to_principal" do

data/tasks/generate_cert_fixtures.rake

@@ -40,6 +40,7 @@ task(:gen_cert_fixtures) do
   # 127.0.0.1.pem                     |   +- /CN=127.0.0.1 (with dns alt names)
   # tampered-cert.pem                 |   +- /CN=signed (with different public key)
   # ec.pem                            |   +- /CN=ec (with EC private key)
+  # oid.pem                           |   +- /CN=oid (with custom oid)
   #                                   |
   #                                   + /CN=Test CA Agent Subauthority
   #                                   |  |
@@ -49,7 +50,7 @@ task(:gen_cert_fixtures) do
   #
   # bad-basic-constraints.pem        /CN=Test CA (bad isCA constraint)
   #
-  # unknown-ca.pemm                  /CN=Unknown CA
+  # unknown-ca.pem                   /CN=Unknown CA
   #                                   |
   # unknown-127.0.0.1.pem             +- /CN=127.0.0.1
   #
@@ -103,6 +104,14 @@ task(:gen_cert_fixtures) do
   save(dir, '127.0.0.1.pem', signed[:cert])
   save(dir, '127.0.0.1-key.pem', signed[:private_key])
 
+  # Create an SSL cert with extensions containing custom oids
+  extensions = [
+    ['1.3.6.1.4.1.34380.1.2.1.1', OpenSSL::ASN1::UTF8String.new('somevalue'), false],
+  ]
+  oid = ca.create_cert('oid', inter[:cert], inter[:private_key], extensions: extensions)
+  save(dir, 'oid.pem', oid[:cert])
+  save(dir, 'oid-key.pem', oid[:private_key])
+
   # Create a leaf/entity key and cert for host "revoked", issued by "Test CA Subauthority"
   # and revoke the cert
   revoked = ca.create_cert('revoked', inter[:cert], inter[:private_key])
@@ -173,12 +182,12 @@ task(:gen_cert_fixtures) do
 
   # Create a request, but replace its public key after it's signed
   tampered_csr = ca.create_request('signed')[:csr]
-  tampered_csr.public_key = OpenSSL::PKey::RSA.new(1024).public_key
+  tampered_csr.public_key = OpenSSL::PKey::RSA.new(2048).public_key
   save(dir, 'tampered-csr.pem', tampered_csr)
 
   # Create a cert issued from the real intermediate CA, but replace its
   # public key
   tampered_cert = ca.create_cert('signed', inter[:cert], inter[:private_key])[:cert]
-  tampered_cert.public_key = OpenSSL::PKey::RSA.new(1024).public_key
+  tampered_cert.public_key = OpenSSL::PKey::RSA.new(2048).public_key
   save(dir, 'tampered-cert.pem', tampered_cert)
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet
 version: !ruby/object:Gem::Version
-  version: 6.21.0
+  version: 6.24.0
 platform: ruby
 authors:
 - Puppet Labs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-02-05 00:00:00.000000000 Z
+date: 2021-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -1458,6 +1458,8 @@ files:
 - spec/fixtures/ssl/intermediate-crl.pem
 - spec/fixtures/ssl/intermediate.pem
 - spec/fixtures/ssl/netlock-arany-utf8.pem
+- spec/fixtures/ssl/oid-key.pem
+- spec/fixtures/ssl/oid.pem
 - spec/fixtures/ssl/pluto-key.pem
 - spec/fixtures/ssl/pluto.pem
 - spec/fixtures/ssl/request-key.pem
@@ -1468,6 +1470,7 @@ files:
 - spec/fixtures/ssl/signed.pem
 - spec/fixtures/ssl/tampered-cert.pem
 - spec/fixtures/ssl/tampered-csr.pem
+- spec/fixtures/ssl/trusted_oid_mapping.yaml
 - spec/fixtures/ssl/unknown-127.0.0.1-key.pem
 - spec/fixtures/ssl/unknown-127.0.0.1.pem
 - spec/fixtures/ssl/unknown-ca-key.pem
@@ -1787,6 +1790,7 @@ files:
 - spec/fixtures/unit/provider/service/smf/svcs_fmri.out
 - spec/fixtures/unit/provider/service/smf/svcs_multiple_fmris.out
 - spec/fixtures/unit/provider/service/systemd/list_unit_files_services
+- spec/fixtures/unit/provider/service/systemd/list_unit_files_services_vendor_preset
 - spec/fixtures/unit/provider/user/aix/aix_passwd_file.out
 - spec/fixtures/unit/reports/tagmail/tagmail_email.conf
 - spec/fixtures/unit/reports/tagmail/tagmail_failers.conf
@@ -1816,6 +1820,8 @@ files:
 - spec/integration/application/lookup_spec.rb
 - spec/integration/application/module_spec.rb
 - spec/integration/application/plugin_spec.rb
+- spec/integration/application/resource_spec.rb
+- spec/integration/application/ssl_spec.rb
 - spec/integration/configurer_spec.rb
 - spec/integration/data_binding_spec.rb
 - spec/integration/defaults_spec.rb
@@ -1875,10 +1881,8 @@ files:
 - spec/integration/util/windows/user_spec.rb
 - spec/integration/util_spec.rb
 - spec/lib/matchers/containment_matchers.rb
-- spec/lib/matchers/include.rb
 - spec/lib/matchers/include_in_order.rb
 - spec/lib/matchers/include_in_order_spec.rb
-- spec/lib/matchers/include_spec.rb
 - spec/lib/matchers/json.rb
 - spec/lib/matchers/match_tokens2.rb
 - spec/lib/matchers/relationship_graph_matchers.rb
@@ -2651,7 +2655,8 @@ files:
 - tasks/parser.rake
 - tasks/yard.rake
 homepage: https://github.com/puppetlabs/puppet
-licenses: []
+licenses:
+- Apache-2.0
 metadata: {}
 post_install_message: 
 rdoc_options:
@@ -2728,6 +2733,8 @@ test_files:
 - spec/fixtures/ssl/intermediate-crl.pem
 - spec/fixtures/ssl/intermediate.pem
 - spec/fixtures/ssl/netlock-arany-utf8.pem
+- spec/fixtures/ssl/oid-key.pem
+- spec/fixtures/ssl/oid.pem
 - spec/fixtures/ssl/pluto-key.pem
 - spec/fixtures/ssl/pluto.pem
 - spec/fixtures/ssl/request-key.pem
@@ -2738,6 +2745,7 @@ test_files:
 - spec/fixtures/ssl/signed.pem
 - spec/fixtures/ssl/tampered-cert.pem
 - spec/fixtures/ssl/tampered-csr.pem
+- spec/fixtures/ssl/trusted_oid_mapping.yaml
 - spec/fixtures/ssl/unknown-127.0.0.1-key.pem
 - spec/fixtures/ssl/unknown-127.0.0.1.pem
 - spec/fixtures/ssl/unknown-ca-key.pem
@@ -3057,6 +3065,7 @@ test_files:
 - spec/fixtures/unit/provider/service/smf/svcs_fmri.out
 - spec/fixtures/unit/provider/service/smf/svcs_multiple_fmris.out
 - spec/fixtures/unit/provider/service/systemd/list_unit_files_services
+- spec/fixtures/unit/provider/service/systemd/list_unit_files_services_vendor_preset
 - spec/fixtures/unit/provider/user/aix/aix_passwd_file.out
 - spec/fixtures/unit/reports/tagmail/tagmail_email.conf
 - spec/fixtures/unit/reports/tagmail/tagmail_failers.conf
@@ -3086,6 +3095,8 @@ test_files:
 - spec/integration/application/lookup_spec.rb
 - spec/integration/application/module_spec.rb
 - spec/integration/application/plugin_spec.rb
+- spec/integration/application/resource_spec.rb
+- spec/integration/application/ssl_spec.rb
 - spec/integration/configurer_spec.rb
 - spec/integration/data_binding_spec.rb
 - spec/integration/defaults_spec.rb
@@ -3145,10 +3156,8 @@ test_files:
 - spec/integration/util/windows/user_spec.rb
 - spec/integration/util_spec.rb
 - spec/lib/matchers/containment_matchers.rb
-- spec/lib/matchers/include.rb
 - spec/lib/matchers/include_in_order.rb
 - spec/lib/matchers/include_in_order_spec.rb
-- spec/lib/matchers/include_spec.rb
 - spec/lib/matchers/json.rb
 - spec/lib/matchers/match_tokens2.rb
 - spec/lib/matchers/relationship_graph_matchers.rb

data/spec/lib/matchers/include.rb

@@ -1,27 +0,0 @@
-module Matchers; module Include
-  extend RSpec::Matchers::DSL
-
-  matcher :include_in_any_order do |*matchers|
-    match do |enumerable|
-      @not_matched = []
-      expected_as_array.each do |matcher|
-        if enumerable.empty?
-          break
-        end
-
-        if found = enumerable.find { |elem| matcher.matches?(elem) }
-          enumerable = enumerable.reject { |elem| elem == found }
-        else
-          @not_matched << matcher
-        end
-      end
-
-
-      @not_matched.empty? && enumerable.empty?
-    end
-
-    failure_message do |enumerable|
-      "did not match #{@not_matched.collect(&:description).join(', ')} in #{enumerable.inspect}: <#{@not_matched.collect(&:failure_message).join('>, <')}>"
-    end
-  end
-end; end

data/spec/lib/matchers/include_spec.rb

@@ -1,32 +0,0 @@
-require 'spec_helper'
-require 'matchers/include'
-
-describe "include matchers" do
-  include Matchers::Include
-
-  context :include_in_any_order do
-    it "matches an empty list" do
-      expect([]).to include_in_any_order()
-    end
-
-    it "matches a list with a single element" do
-      expect([1]).to include_in_any_order(eq(1))
-    end
-
-    it "does not match when an expected element is missing" do
-      expect([1]).to_not include_in_any_order(eq(2))
-    end
-
-    it "matches a list with 2 elements in a different order from the expectation" do
-      expect([1, 2]).to include_in_any_order(eq(2), eq(1))
-    end
-
-    it "does not match when there are more than just the expected elements" do
-      expect([1, 2]).to_not include_in_any_order(eq(1))
-    end
-
-    it "matches multiple, equal elements when there are multiple, equal exepectations" do
-      expect([1, 1]).to include_in_any_order(eq(1), eq(1))
-    end
-  end
-end