puppet 6.21.1-x64-mingw32 → 7.4.1-x64-mingw32

data/lib/puppet/network/authstore.rb

@@ -1,283 +0,0 @@
-# standard module for determining whether a given hostname or IP has access to
-# the requested resource
-
-require 'ipaddr'
-require 'puppet/util/logging'
-
-module Puppet
-  class AuthStoreError < Puppet::Error; end
-  class AuthorizationError < Puppet::Error; end
-
-  class Network::AuthStore
-    include Puppet::Util::Logging
-
-    # Is a given combination of name and ip address allowed?  If either input
-    # is non-nil, then both inputs must be provided.  If neither input
-    # is provided, then the authstore is considered local and defaults to "true".
-    def allowed?(name, ip)
-      if name or ip
-        # This is probably unnecessary, and can cause some weirdness in
-        # cases where we're operating over localhost but don't have a real
-        # IP defined.
-        raise Puppet::DevError, _("Name and IP must be passed to 'allowed?'") unless name and ip
-        # else, we're networked and such
-      else
-        # we're local
-        return true
-      end
-
-      # yay insecure overrides
-      return true if globalallow?
-
-      decl = declarations.find { |d| d.match?(name, ip) }
-      if decl
-        return decl.result
-      end
-
-      info _("defaulting to no access for %{name}") % { name: name }
-      false
-    end
-
-    # Mark a given pattern as allowed.
-    def allow(pattern)
-      # a simple way to allow anyone at all to connect
-      if pattern == "*"
-        @globalallow = true
-      else
-        store(:allow, pattern)
-      end
-
-      nil
-    end
-
-    def allow_ip(pattern)
-      store(:allow_ip, pattern)
-    end
-
-    # Deny a given pattern.
-    def deny(pattern)
-      store(:deny, pattern)
-    end
-
-    def deny_ip(pattern)
-      store(:deny_ip, pattern)
-    end
-
-    # Is global allow enabled?
-    def globalallow?
-      @globalallow
-    end
-
-    # does this auth store has any rules?
-    def empty?
-      @globalallow.nil? && @declarations.size == 0
-    end
-
-    def initialize
-      @globalallow = nil
-      @declarations = []
-    end
-
-    def to_s
-      "authstore"
-    end
-
-    def interpolate(match)
-      @modified_declarations = @declarations.collect { |ace| ace.interpolate(match) }.sort
-    end
-
-    def reset_interpolation
-      @modified_declarations = nil
-    end
-
-    private
-
-    # Returns our ACEs list, but if we have a modification of it, let's return
-    # it. This is used if we want to override the this purely immutable list
-    # by a modified version.
-    def declarations
-      @modified_declarations || @declarations
-    end
-
-    # Store the results of a pattern into our hash.  Basically just
-    # converts the pattern and sticks it into the hash.
-    def store(type, pattern)
-      @declarations << Declaration.new(type, pattern)
-      @declarations.sort!
-
-      nil
-    end
-
-    # A single declaration.  Stores the info for a given declaration,
-    # provides the methods for determining whether a declaration matches,
-    # and handles sorting the declarations appropriately.
-    class Declaration
-      include Puppet::Util
-      include Comparable
-
-      # The type of declaration: either :allow or :deny
-      attr_reader :type
-      VALID_TYPES = [ :allow, :deny, :allow_ip, :deny_ip ]
-
-      attr_accessor :name
-
-      # The pattern we're matching against.  Can be an IPAddr instance,
-      # or an array of strings, resulting from reversing a hostname
-      # or domain name.
-      attr_reader :pattern
-
-      # The length.  Only used for iprange and domain.
-      attr_accessor :length
-
-      # Sort the declarations most specific first.
-      def <=>(other)
-        compare(exact?, other.exact?) ||
-        compare(ip?, other.ip?)  ||
-        ((length != other.length) &&  (other.length <=> length)) ||
-        compare(deny?, other.deny?) ||
-        ( ip? ? pattern.to_s <=> other.pattern.to_s : pattern <=> other.pattern)
-      end
-
-      def deny?
-        type == :deny
-      end
-
-      def exact?
-        @exact == :exact
-      end
-
-      def initialize(type, pattern)
-        self.type = type
-        self.pattern = pattern
-      end
-
-      # Are we an IP type?
-      def ip?
-        name == :ip
-      end
-
-      # Does this declaration match the name/ip combo?
-      def match?(name, ip)
-        if ip?
-          pattern.include?(IPAddr.new(ip))
-        else
-          matchname?(name)
-        end
-      end
-
-      # Set the pattern appropriately.  Also sets the name and length.
-      def pattern=(pattern)
-        if [:allow_ip, :deny_ip].include?(self.type)
-          parse_ip(pattern)
-        else
-          parse(pattern)
-        end
-        @orig = pattern
-      end
-
-      # Mapping a type of statement into a return value.
-      def result
-        [:allow, :allow_ip].include?(type)
-      end
-
-      def to_s
-        "#{type}: #{pattern}"
-      end
-
-      # Set the declaration type.  Either :allow or :deny.
-      def type=(type)
-        type = type.intern
-        raise ArgumentError, _("Invalid declaration type %{type}") % { type: type } unless VALID_TYPES.include?(type)
-        @type = type
-      end
-
-      # interpolate a pattern to replace any
-      # backreferences by the given match
-      # for instance if our pattern is $1.reductivelabs.com
-      # and we're called with a MatchData whose capture 1 is puppet
-      # we'll return a pattern of puppet.reductivelabs.com
-      def interpolate(match)
-        clone = dup
-        if @name == :dynamic
-          clone.pattern = clone.pattern.reverse.collect do |p|
-            p.gsub(/\$(\d)/) { |m| match[$1.to_i] }
-          end.join(".")
-        end
-        clone
-      end
-
-      private
-
-      # Returns nil if both values are true or both are false, returns
-      # -1 if the first is true, and 1 if the second is true.  Used
-      # in the <=> operator.
-      def compare(me, them)
-        (me and them) ? nil : me ? -1 : them ? 1 : nil
-      end
-
-      # Does the name match our pattern?
-      def matchname?(name)
-        case @name
-          when :domain, :dynamic, :opaque
-            name = munge_name(name)
-            (pattern == name) or (not exact? and pattern.zip(name).all? { |p,n| p == n })
-          when :regex
-            Regexp.new(pattern.slice(1..-2)).match(name)
-        end
-      end
-
-      # Convert the name to a common pattern.
-      def munge_name(name)
-        # Change to name.downcase.split(".",-1).reverse for FQDN support
-        name.downcase.split(".").reverse
-      end
-
-      # Parse our input pattern and figure out what kind of allowable
-      # statement it is.  The output of this is used for later matching.
-      Octet = '(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])'
-      IPv4 = "#{Octet}\.#{Octet}\.#{Octet}\.#{Octet}"
-      IPv6_full    = "_:_:_:_:_:_:_:_|_:_:_:_:_:_::_?|_:_:_:_:_::((_:)?_)?|_:_:_:_::((_:){0,2}_)?|_:_:_::((_:){0,3}_)?|_:_::((_:){0,4}_)?|_::((_:){0,5}_)?|::((_:){0,6}_)?"
-      IPv6_partial = "_:_:_:_:_:_:|_:_:_:_::(_:)?|_:_::(_:){0,2}|_::(_:){0,3}"
-      # It should be:
-      #     IP = "#{IPv4}|#{IPv6_full}|(#{IPv6_partial}#{IPv4})".gsub(/_/,'([0-9a-fA-F]{1,4})').gsub(/\(/,'(?:')
-      # but ruby's ipaddr lib doesn't support the hybrid format
-      IP = "#{IPv4}|#{IPv6_full}".gsub(/_/,'([0-9a-fA-F]{1,4})').gsub(/\(/,'(?:')
-
-      def parse_ip(value)
-        @name = :ip
-        @exact, @length, @pattern = *case value
-        when /^(?:#{IP})\/(\d+)$/                                 # 12.34.56.78/24, a001:b002::efff/120, c444:1000:2000::9:192.168.0.1/112
-          [:inexact, $1.to_i, IPAddr.new(value)]
-        when /^(#{IP})$/                                          # 10.20.30.40,
-          [:exact, nil, IPAddr.new(value)]
-        when /^(#{Octet}\.){1,3}\*$/                              # an ip address with a '*' at the end
-          segments = value.split(".")[0..-2]
-          bits = 8*segments.length
-          [:inexact, bits, IPAddr.new((segments+[0,0,0])[0,4].join(".") + "/#{bits}")]
-        else
-          raise AuthStoreError, _("Invalid IP pattern %{value}") % { value: value }
-        end
-      end
-
-      def parse(value)
-        @name,@exact,@length,@pattern = *case value
-        when /^(\w[-\w]*\.)+[-\w]+$/                              # a full hostname
-          # Change to /^(\w[-\w]*\.)+[-\w]+\.?$/ for FQDN support
-          [:domain,:exact,nil,munge_name(value)]
-        when /^\*(\.(\w[-\w]*)){1,}$/                             # *.domain.com
-          host_sans_star = munge_name(value)[0..-2]
-          [:domain,:inexact,host_sans_star.length,host_sans_star]
-        when /\$\d+/                                              # a backreference pattern ala $1.reductivelabs.com or 192.168.0.$1 or $1.$2
-          [:dynamic,:exact,nil,munge_name(value)]
-        when /^\w[-.@\w]*$/                                       # ? Just like a host name but allow '@'s and ending '.'s
-          [:opaque,:exact,nil,[value]]
-        when /^\/.*\/$/                                           # a regular expression
-          [:regex,:inexact,nil,value]
-        else
-          raise AuthStoreError, "Invalid pattern #{value}"
-        end
-      end
-    end
-  end
-end
-

data/lib/puppet/network/http/api/master/v3/authorization.rb

@@ -1,18 +0,0 @@
-require 'puppet/network/authorization'
-
-class Puppet::Network::HTTP::API::Master::V3::Authorization
-  include Puppet::Network::Authorization
-
-  def wrap(&block)
-    lambda do |request, response|
-      begin
-        authconfig.check_authorization(:find, request.path, request.params)
-      rescue Puppet::Network::AuthorizationError => e
-        raise Puppet::Network::HTTP::Error::HTTPNotAuthorizedError.new(e.message, Puppet::Network::HTTP::Issues::FAILED_AUTHORIZATION)
-      end
-
-      block.call.call(request, response)
-    end
-  end
-
-end

data/lib/puppet/network/http/api/master/v3/environment.rb

@@ -1,88 +0,0 @@
-require 'puppet/util/json'
-require 'puppet/parser/environment_compiler'
-
-# @deprecated application orchestration will be removed in puppet 7
-class Puppet::Network::HTTP::API::Master::V3::Environment
-  def call(request, response)
-    Puppet.deprecation_warning("Application orchestration is deprecated. See https://puppet.com/docs/puppet/5.5/deprecated_language.html")
-
-    env_name = request.routing_path.split('/').last
-    env = Puppet.lookup(:environments).get(env_name)
-    code_id = request.params[:code_id]
-
-    if env.nil?
-      raise Puppet::Network::HTTP::Error::HTTPNotFoundError.new(_("%{env_name} is not a known environment") % { env_name: env_name }, Puppet::Network::HTTP::Issues::RESOURCE_NOT_FOUND)
-    end
-
-    catalog = Puppet::Parser::EnvironmentCompiler.compile(env, code_id).to_resource
-
-    env_graph = build_environment_graph(catalog)
-
-    response.respond_with(200, "application/json", Puppet::Util::Json.dump(env_graph))
-  end
-
-  def build_environment_graph(catalog)
-    # This reads catalog and code_id off the catalog rather than using the one
-    # from the request. There shouldn't really be a case where the two differ,
-    # but if they do, the one from the catalog itself is authoritative.
-    env_graph = {:environment => catalog.environment, :applications => {}, :code_id => catalog.code_id}
-    applications = catalog.resources.select do |res|
-      type = res.resource_type
-      type.is_a?(Puppet::Resource::Type) && type.application?
-    end
-    applications.each do |app|
-      file, line = app.file, app.line
-      nodes = app['nodes']
-
-      required_components = catalog.direct_dependents_of(app).map {|comp| comp.ref}
-      mapped_components = nodes.values.flatten.map {|comp| comp.ref}
-
-      nonexistent_components = mapped_components - required_components
-      if nonexistent_components.any?
-        raise Puppet::ParseError.new(
-            _("Application %{application} assigns nodes to non-existent components: %{component_list}") %
-                { application: app, component_list: nonexistent_components.join(', ') }, file, line)
-      end
-
-      missing_components = required_components - mapped_components
-      if missing_components.any?
-        raise Puppet::ParseError.new(_("Application %{application} has components without assigned nodes: %{component_list}") %
-                                         { application: app, component_list: missing_components.join(', ') }, file, line)
-      end
-
-      # Turn the 'nodes' hash into a map component ref => node name
-      node_mapping = {}
-      nodes.each do |node, comps|
-        comps = [comps] unless comps.is_a?(Array)
-        comps.each do |comp|
-          raise Puppet::ParseError.new(_("Application %{app} assigns multiple nodes to component %{comp}") % { app: app, comp: comp }, file, line) if node_mapping.include?(comp.ref)
-          node_mapping[comp.ref] = node.title
-        end
-      end
-
-      app_components = {}
-      catalog.direct_dependents_of(app).each do |comp|
-        app_components[comp.ref] = {
-          :produces => comp.export.map(&:ref),
-          :consumes => prerequisites(comp).map(&:ref),
-          :node => node_mapping[comp.ref]
-        }
-      end
-      env_graph[:applications][app.ref] = app_components
-    end
-
-    env_graph
-  end
-
-  private
-
-  # Finds all the prerequisites of component +comp+. They are all the
-  # capability resources that +comp+ depends on; this includes resources
-  # that +comp+ consumes but also resources it merely requires
-  def prerequisites(comp)
-    params = Puppet::Type.relationship_params.select { |p| p.direction == :in }.map(&:name)
-    params.map { |rel| comp[rel] }.flatten.compact.select do |rel|
-      rel.resource_type && rel.resource_type.is_capability?
-    end
-  end
-end

data/lib/puppet/network/http/base_pool.rb

@@ -1,36 +0,0 @@
-# Base pool for HTTP connections.
-#
-# @api private
-class Puppet::Network::HTTP::BasePool
-  def start(site, verifier, http)
-    Puppet.debug("Starting connection for #{site}")
-    if site.use_ssl?
-      verifier.setup_connection(http)
-      begin
-        http.start
-        print_ssl_info(http) if Puppet::Util::Log.sendlevel?(:debug)
-      rescue OpenSSL::SSL::SSLError => error
-        verifier.handle_connection_error(http, error)
-      end
-    else
-      http.start
-    end
-  end
-
-  private
-
-  def print_ssl_info(http)
-    buffered_io = http.instance_variable_get(:@socket)
-    return unless buffered_io
-
-    socket = buffered_io.io
-    return unless socket
-
-    cipher = if Puppet::Util::Platform.jruby?
-               socket.cipher
-             else
-               socket.cipher.first
-             end
-    Puppet.debug("Using #{socket.ssl_version} with cipher #{cipher}")
-  end
-end

data/lib/puppet/network/http/compression.rb

@@ -1,127 +0,0 @@
-require 'puppet/network/http'
-
-module Puppet::Network::HTTP::Compression
-  # from https://github.com/ruby/ruby/blob/v2_1_3/lib/net/http/generic_request.rb#L40
-  ACCEPT_ENCODING = "gzip;q=1.0,deflate;q=0.6,identity;q=0.3"
-
-  # this module function allows to use the right underlying
-  # methods depending on zlib presence
-  def module
-    return(Puppet.features.zlib? ? Active : None)
-  end
-  module_function :module
-
-  module Active
-    require 'zlib'
-    require 'stringio'
-
-    # return an uncompressed body if the response has been
-    # compressed
-    def uncompress_body(response)
-      case response['content-encoding']
-      when 'gzip'
-        Puppet.deprecation_warning(_('Puppet::Network::HTTP::Compression::Active#uncompress_body is deprecated.'))
-        # ZLib::GzipReader has an associated encoding, by default Encoding.default_external
-        return Zlib::GzipReader.new(StringIO.new(response.body), :encoding => Encoding::BINARY).read
-      when 'deflate'
-        Puppet.deprecation_warning(_('Puppet::Network::HTTP::Compression::Active#uncompress_body is deprecated.'))
-        return Zlib::Inflate.new.inflate(response.body)
-      when nil, 'identity'
-        return response.body
-      else
-        raise Net::HTTPError.new(_("Unknown content encoding - %{encoding}") % { encoding: response['content-encoding'] }, response)
-      end
-    end
-
-    def uncompress(response)
-      Puppet.deprecation_warning(_('Puppet::Network::HTTP::Compression::Active#uncompress is deprecated.'))
-      raise Net::HTTPError.new("No block passed", response) unless block_given?
-
-      case response['content-encoding']
-      when 'gzip','deflate'
-        uncompressor = ZlibAdapter.new
-      when nil, 'identity'
-        uncompressor = IdentityAdapter.new
-      else
-        raise Net::HTTPError.new(_("Unknown content encoding - %{encoding}") % { encoding: response['content-encoding'] }, response)
-      end
-
-      begin
-        yield uncompressor
-      ensure
-        uncompressor.close
-      end
-    end
-
-    def add_accept_encoding(headers={})
-      headers['accept-encoding'] = Puppet::Network::HTTP::Compression::ACCEPT_ENCODING
-      headers
-    end
-
-    # This adapters knows how to uncompress both 'zlib' stream (the deflate algorithm from Content-Encoding)
-    # and GZip streams.
-    class ZlibAdapter
-      def initialize(uncompressor = Zlib::Inflate.new(15 + 32))
-        # Create an inflater that knows to parse GZip streams and zlib streams.
-        # This uses a property of the C Zlib library, documented as follow:
-        #   windowBits can also be greater than 15 for optional gzip decoding. Add
-        #   32 to windowBits to enable zlib and gzip decoding with automatic header
-        #   detection, or add 16 to decode only the gzip format (the zlib format will
-        #   return a Z_DATA_ERROR).  If a gzip stream is being decoded, strm->adler is
-        #   a crc32 instead of an adler32.
-        @uncompressor = uncompressor
-        @first = true
-      end
-
-      def uncompress(chunk)
-        Puppet.deprecation_warning(_('Puppet::Network::HTTP::Compression::ZlibAdapter#uncompress is deprecated.'))
-        out = @uncompressor.inflate(chunk)
-        @first = false
-        return out
-      rescue Zlib::DataError
-        # it can happen that we receive a raw deflate stream
-        # which might make our inflate throw a data error.
-        # in this case, we try with a verbatim (no header)
-        # deflater.
-        @uncompressor = Zlib::Inflate.new
-        if @first then
-          @first = false
-          retry
-        end
-        raise
-      end
-
-      def close
-        @uncompressor.finish
-      ensure
-        @uncompressor.close
-      end
-    end
-  end
-
-  module None
-    def uncompress_body(response)
-      Puppet.deprecation_warning(_('Puppet::Network::HTTP::Compression::None#uncompress_body is deprecated.'))
-      response.body
-    end
-
-    def add_accept_encoding(headers)
-      headers
-    end
-
-    def uncompress(response)
-      Puppet.deprecation_warning(_('Puppet::Network::HTTP::Compression::None#uncompress is deprecated.'))
-      yield IdentityAdapter.new
-    end
-  end
-
-  class IdentityAdapter
-    def uncompress(chunk)
-      Puppet.deprecation_warning(_('Puppet::Network::HTTP::Compression::IdentityAdapter#uncompress is deprecated.'))
-      chunk
-    end
-
-    def close
-    end
-  end
-end