puppet 6.22.1-universal-darwin → 6.23.0-universal-darwin
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of puppet might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Gemfile.lock +14 -14
- data/ext/osx/puppet.plist +2 -0
- data/lib/puppet/application/agent.rb +12 -5
- data/lib/puppet/application/apply.rb +2 -1
- data/lib/puppet/application/device.rb +2 -1
- data/lib/puppet/application/resource.rb +2 -1
- data/lib/puppet/application/script.rb +2 -1
- data/lib/puppet/configurer/downloader.rb +2 -1
- data/lib/puppet/defaults.rb +5 -3
- data/lib/puppet/file_serving/fileset.rb +14 -2
- data/lib/puppet/functions/all.rb +1 -1
- data/lib/puppet/functions/camelcase.rb +1 -1
- data/lib/puppet/functions/capitalize.rb +2 -2
- data/lib/puppet/functions/downcase.rb +2 -2
- data/lib/puppet/functions/get.rb +5 -5
- data/lib/puppet/functions/group_by.rb +13 -5
- data/lib/puppet/functions/lest.rb +1 -1
- data/lib/puppet/functions/new.rb +100 -100
- data/lib/puppet/functions/partition.rb +4 -4
- data/lib/puppet/functions/require.rb +5 -5
- data/lib/puppet/functions/sort.rb +3 -3
- data/lib/puppet/functions/tree_each.rb +7 -9
- data/lib/puppet/functions/type.rb +4 -4
- data/lib/puppet/functions/upcase.rb +2 -2
- data/lib/puppet/http/resolver/server_list.rb +15 -4
- data/lib/puppet/http/service/compiler.rb +69 -0
- data/lib/puppet/http/service/file_server.rb +2 -1
- data/lib/puppet/indirector/catalog/compiler.rb +1 -0
- data/lib/puppet/indirector/file_metadata/rest.rb +1 -0
- data/lib/puppet/parser/functions/fqdn_rand.rb +14 -6
- data/lib/puppet/pops/types/p_sem_ver_type.rb +8 -2
- data/lib/puppet/pops/types/p_sensitive_type.rb +10 -0
- data/lib/puppet/provider/package/nim.rb +11 -6
- data/lib/puppet/provider/service/systemd.rb +13 -3
- data/lib/puppet/provider/service/windows.rb +38 -0
- data/lib/puppet/provider/user/directoryservice.rb +25 -12
- data/lib/puppet/reference/configuration.rb +1 -1
- data/lib/puppet/transaction/additional_resource_generator.rb +1 -1
- data/lib/puppet/type/file/selcontext.rb +1 -1
- data/lib/puppet/type/file.rb +19 -1
- data/lib/puppet/type/service.rb +18 -38
- data/lib/puppet/type/tidy.rb +21 -2
- data/lib/puppet/type/user.rb +38 -20
- data/lib/puppet/util/selinux.rb +30 -4
- data/lib/puppet/version.rb +1 -1
- data/locales/puppet.pot +109 -101
- data/man/man5/puppet.conf.5 +272 -252
- data/man/man8/puppet-agent.8 +1 -1
- data/man/man8/puppet-apply.8 +1 -1
- data/man/man8/puppet-catalog.8 +1 -1
- data/man/man8/puppet-config.8 +1 -1
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +1 -1
- data/man/man8/puppet-filebucket.8 +1 -1
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +1 -1
- data/man/man8/puppet-key.8 +1 -1
- data/man/man8/puppet-lookup.8 +1 -1
- data/man/man8/puppet-man.8 +1 -1
- data/man/man8/puppet-module.8 +1 -1
- data/man/man8/puppet-node.8 +1 -1
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +1 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +1 -1
- data/man/man8/puppet-status.8 +1 -1
- data/man/man8/puppet.8 +2 -2
- data/spec/fixtures/ssl/127.0.0.1-key.pem +107 -57
- data/spec/fixtures/ssl/127.0.0.1.pem +52 -31
- data/spec/fixtures/ssl/bad-basic-constraints.pem +57 -35
- data/spec/fixtures/ssl/bad-int-basic-constraints.pem +57 -35
- data/spec/fixtures/ssl/ca.pem +57 -35
- data/spec/fixtures/ssl/crl.pem +28 -18
- data/spec/fixtures/ssl/ec-key.pem +11 -11
- data/spec/fixtures/ssl/ec.pem +33 -24
- data/spec/fixtures/ssl/encrypted-ec-key.pem +12 -12
- data/spec/fixtures/ssl/encrypted-key.pem +108 -58
- data/spec/fixtures/ssl/intermediate-agent-crl.pem +28 -19
- data/spec/fixtures/ssl/intermediate-agent.pem +57 -36
- data/spec/fixtures/ssl/intermediate-crl.pem +31 -21
- data/spec/fixtures/ssl/intermediate.pem +57 -36
- data/spec/fixtures/ssl/pluto-key.pem +107 -57
- data/spec/fixtures/ssl/pluto.pem +52 -30
- data/spec/fixtures/ssl/request-key.pem +107 -57
- data/spec/fixtures/ssl/request.pem +47 -26
- data/spec/fixtures/ssl/revoked-key.pem +107 -57
- data/spec/fixtures/ssl/revoked.pem +52 -30
- data/spec/fixtures/ssl/signed-key.pem +107 -57
- data/spec/fixtures/ssl/signed.pem +52 -30
- data/spec/fixtures/ssl/tampered-cert.pem +52 -30
- data/spec/fixtures/ssl/tampered-csr.pem +47 -26
- data/spec/fixtures/ssl/unknown-127.0.0.1-key.pem +107 -57
- data/spec/fixtures/ssl/unknown-127.0.0.1.pem +50 -29
- data/spec/fixtures/ssl/unknown-ca-key.pem +107 -57
- data/spec/fixtures/ssl/unknown-ca.pem +55 -33
- data/spec/integration/application/resource_spec.rb +30 -0
- data/spec/lib/puppet/test_ca.rb +2 -2
- data/spec/unit/application/agent_spec.rb +7 -2
- data/spec/unit/configurer/downloader_spec.rb +6 -0
- data/spec/unit/configurer_spec.rb +23 -0
- data/spec/unit/file_serving/fileset_spec.rb +60 -0
- data/spec/unit/gettext/config_spec.rb +12 -0
- data/spec/unit/http/service/compiler_spec.rb +123 -0
- data/spec/unit/indirector/catalog/compiler_spec.rb +14 -10
- data/spec/unit/parser/functions/fqdn_rand_spec.rb +15 -1
- data/spec/unit/pops/types/p_sem_ver_type_spec.rb +18 -0
- data/spec/unit/pops/types/p_sensitive_type_spec.rb +18 -0
- data/spec/unit/provider/package/nim_spec.rb +42 -0
- data/spec/unit/provider/service/init_spec.rb +1 -0
- data/spec/unit/provider/service/openwrt_spec.rb +3 -1
- data/spec/unit/provider/service/systemd_spec.rb +42 -8
- data/spec/unit/provider/service/windows_spec.rb +202 -0
- data/spec/unit/provider/user/directoryservice_spec.rb +67 -35
- data/spec/unit/ssl/state_machine_spec.rb +19 -5
- data/spec/unit/transaction/additional_resource_generator_spec.rb +0 -2
- data/spec/unit/transaction_spec.rb +18 -20
- data/spec/unit/type/file/selinux_spec.rb +3 -3
- data/spec/unit/type/service_spec.rb +59 -188
- data/spec/unit/type/tidy_spec.rb +17 -7
- data/spec/unit/type/user_spec.rb +45 -0
- data/spec/unit/util/selinux_spec.rb +87 -16
- data/tasks/generate_cert_fixtures.rake +2 -2
- metadata +4 -2
@@ -925,28 +925,75 @@ end
|
|
925
925
|
}
|
926
926
|
end
|
927
927
|
|
928
|
-
|
929
|
-
|
930
|
-
expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(sha512_shadowhashdata)
|
931
|
-
expect(provider.class).to receive(:get_os_version).and_return('10.7')
|
932
|
-
expect(provider).to receive(:set_salted_sha512).with(sample_users_plist, sha512_shadowhashdata, sha512_password_hash)
|
933
|
-
provider.write_password_to_users_plist(sha512_password_hash)
|
928
|
+
before do
|
929
|
+
allow(provider).to receive(:merge_attribute_with_dscl).with('Users', username, 'AuthenticationAuthority', any_args)
|
934
930
|
end
|
935
931
|
|
936
|
-
|
937
|
-
|
938
|
-
|
939
|
-
|
940
|
-
|
941
|
-
|
932
|
+
describe 'when on macOS 11 (Big Sur) or greater' do
|
933
|
+
before do
|
934
|
+
allow(provider.class).to receive(:get_os_version).and_return('11.0.0')
|
935
|
+
end
|
936
|
+
|
937
|
+
it 'should add salted_sha512_pbkdf2 AuthenticationAuthority key if missing' do
|
938
|
+
expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
|
939
|
+
expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
|
940
|
+
expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
|
941
|
+
expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(true)
|
942
|
+
|
943
|
+
expect(Puppet).to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
|
944
|
+
provider.write_password_to_users_plist(pbkdf2_password_hash)
|
945
|
+
end
|
946
|
+
|
947
|
+
it 'should not add salted_sha512_pbkdf2 AuthenticationAuthority key if not missing' do
|
948
|
+
expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
|
949
|
+
expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
|
950
|
+
expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
|
951
|
+
expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
|
952
|
+
|
953
|
+
expect(Puppet).not_to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
|
954
|
+
provider.write_password_to_users_plist(pbkdf2_password_hash)
|
955
|
+
end
|
942
956
|
end
|
943
957
|
|
944
|
-
|
945
|
-
|
946
|
-
|
947
|
-
|
948
|
-
|
949
|
-
|
958
|
+
describe 'when on macOS version lower than 11' do
|
959
|
+
before do
|
960
|
+
allow(provider.class).to receive(:get_os_version)
|
961
|
+
allow(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
|
962
|
+
end
|
963
|
+
|
964
|
+
it 'should not add salted_sha512_pbkdf2 AuthenticationAuthority' do
|
965
|
+
expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
|
966
|
+
expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
|
967
|
+
expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
|
968
|
+
expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
|
969
|
+
|
970
|
+
expect(Puppet).not_to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
|
971
|
+
provider.write_password_to_users_plist(pbkdf2_password_hash)
|
972
|
+
end
|
973
|
+
|
974
|
+
it 'should call set_salted_sha512 on 10.7 when given a salted-SHA512 password hash' do
|
975
|
+
expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
|
976
|
+
expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(sha512_shadowhashdata)
|
977
|
+
expect(provider.class).to receive(:get_os_version).and_return('10.7')
|
978
|
+
expect(provider).to receive(:set_salted_sha512).with(sample_users_plist, sha512_shadowhashdata, sha512_password_hash)
|
979
|
+
provider.write_password_to_users_plist(sha512_password_hash)
|
980
|
+
end
|
981
|
+
|
982
|
+
it 'should call set_salted_pbkdf2 on 10.8 when given a PBKDF2 password hash' do
|
983
|
+
expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
|
984
|
+
expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
|
985
|
+
expect(provider.class).to receive(:get_os_version).and_return('10.8')
|
986
|
+
expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
|
987
|
+
provider.write_password_to_users_plist(pbkdf2_password_hash)
|
988
|
+
end
|
989
|
+
|
990
|
+
it "should delete the SALTED-SHA512 key in the shadow_hash_data hash if it exists on a 10.8 system and write_password_to_users_plist has been called to set the user's password" do
|
991
|
+
expect(provider).to receive(:get_users_plist).and_return('users_plist')
|
992
|
+
expect(provider).to receive(:get_shadow_hash_data).with('users_plist').and_return(sha512_shadowhashdata)
|
993
|
+
expect(provider.class).to receive(:get_os_version).and_return('10.8')
|
994
|
+
expect(provider).to receive(:set_salted_pbkdf2).with('users_plist', {}, 'entropy', pbkdf2_password_hash)
|
995
|
+
provider.write_password_to_users_plist(pbkdf2_password_hash)
|
996
|
+
end
|
950
997
|
end
|
951
998
|
end
|
952
999
|
|
@@ -974,16 +1021,7 @@ end
|
|
974
1021
|
describe '#set_shadow_hash_data' do
|
975
1022
|
let(:users_plist) { {'ShadowHashData' => ['string_data'] } }
|
976
1023
|
|
977
|
-
it 'should flush the plist data to
|
978
|
-
allow(provider.class).to receive(:get_os_version).and_return('10.12')
|
979
|
-
|
980
|
-
expect(provider).to receive(:write_users_plist_to_disk)
|
981
|
-
provider.set_shadow_hash_data(users_plist, pbkdf2_embedded_plist)
|
982
|
-
end
|
983
|
-
|
984
|
-
it 'should flush the plist data a temporary file on OS X >= 10.15' do
|
985
|
-
allow(provider.class).to receive(:get_os_version).and_return('10.15')
|
986
|
-
|
1024
|
+
it 'should flush the plist data to a temporary file' do
|
987
1025
|
expect(provider).to receive(:write_and_import_shadow_hash_data)
|
988
1026
|
provider.set_shadow_hash_data(users_plist, pbkdf2_embedded_plist)
|
989
1027
|
end
|
@@ -1033,13 +1071,6 @@ end
|
|
1033
1071
|
end
|
1034
1072
|
end
|
1035
1073
|
|
1036
|
-
describe '#write_users_plist_to_disk' do
|
1037
|
-
it 'should save the passed plist to disk and convert it to a binary plist' do
|
1038
|
-
expect(Puppet::Util::Plist).to receive(:write_plist_file).with(user_plist_xml, "#{users_plist_dir}/nonexistent_user.plist", :binary)
|
1039
|
-
provider.write_users_plist_to_disk(user_plist_xml)
|
1040
|
-
end
|
1041
|
-
end
|
1042
|
-
|
1043
1074
|
describe '#write_and_import_shadow_hash_data' do
|
1044
1075
|
it 'should save the passed plist to a temporary file and import it' do
|
1045
1076
|
tmpfile = double('tempfile', :path => "/tmp/dsimport_#{username}", :flush => nil)
|
@@ -1203,6 +1234,7 @@ end
|
|
1203
1234
|
before :each do
|
1204
1235
|
allow(provider.class).to receive(:get_all_users).and_return(all_users_hash)
|
1205
1236
|
allow(provider.class).to receive(:get_list_of_groups).and_return(group_plist_hash_guid)
|
1237
|
+
allow(provider).to receive(:merge_attribute_with_dscl).with('Users', username, 'AuthenticationAuthority', any_args)
|
1206
1238
|
provider.class.prefetch({})
|
1207
1239
|
end
|
1208
1240
|
|
@@ -31,6 +31,14 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
|
|
31
31
|
allow(Kernel).to receive(:sleep)
|
32
32
|
end
|
33
33
|
|
34
|
+
def expected_digest(name, content)
|
35
|
+
OpenSSL::Digest.new(name).hexdigest(content)
|
36
|
+
end
|
37
|
+
|
38
|
+
def to_fingerprint(digest)
|
39
|
+
digest.scan(/../).join(':').upcase
|
40
|
+
end
|
41
|
+
|
34
42
|
context 'when passing keyword arguments' do
|
35
43
|
it "accepts digest" do
|
36
44
|
expect(described_class.new(digest: 'SHA512').digest).to eq('SHA512')
|
@@ -395,29 +403,35 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
|
|
395
403
|
|
396
404
|
it 'verifies CA cert bundle if a ca_fingerprint is given case-insensitively' do
|
397
405
|
Puppet[:log_level] = :info
|
398
|
-
|
406
|
+
|
407
|
+
digest = expected_digest('SHA256', cacert_pem)
|
408
|
+
fingerprint = to_fingerprint(digest)
|
409
|
+
machine = described_class.new(digest: 'SHA256', ca_fingerprint: digest.downcase)
|
399
410
|
state = Puppet::SSL::StateMachine::NeedCACerts.new(machine)
|
400
411
|
state.next_state
|
401
412
|
|
402
|
-
expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA256)
|
413
|
+
expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA256) #{fingerprint}"))
|
403
414
|
end
|
404
415
|
|
405
416
|
it 'verifies CA cert bundle using non-default fingerprint' do
|
406
417
|
Puppet[:log_level] = :info
|
407
|
-
|
418
|
+
|
419
|
+
digest = expected_digest('SHA512', cacert_pem)
|
420
|
+
machine = described_class.new(digest: 'SHA512', ca_fingerprint: digest)
|
408
421
|
state = Puppet::SSL::StateMachine::NeedCACerts.new(machine)
|
409
422
|
state.next_state
|
410
423
|
|
411
|
-
expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA512)
|
424
|
+
expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA512) #{to_fingerprint(digest)}"))
|
412
425
|
end
|
413
426
|
|
414
427
|
it 'returns an error if verification fails' do
|
415
428
|
machine = described_class.new(digest: 'SHA256', ca_fingerprint: 'wrong!')
|
416
429
|
state = Puppet::SSL::StateMachine::NeedCACerts.new(machine)
|
417
430
|
|
431
|
+
fingerprint = to_fingerprint(expected_digest('SHA256', cacert_pem))
|
418
432
|
st = state.next_state
|
419
433
|
expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
|
420
|
-
expect(st.message).to eq("CA bundle with digest (SHA256)
|
434
|
+
expect(st.message).to eq("CA bundle with digest (SHA256) #{fingerprint} did not match expected digest WR:ON:G!")
|
421
435
|
end
|
422
436
|
end
|
423
437
|
end
|
@@ -5,13 +5,6 @@ require 'puppet_spec/compiler'
|
|
5
5
|
require 'puppet/transaction'
|
6
6
|
require 'fileutils'
|
7
7
|
|
8
|
-
Puppet::Type.newtype(:generator) do
|
9
|
-
newparam(:name) { isnamevar }
|
10
|
-
|
11
|
-
def generate
|
12
|
-
end
|
13
|
-
end
|
14
|
-
|
15
8
|
describe Puppet::Transaction do
|
16
9
|
include PuppetSpec::Files
|
17
10
|
include PuppetSpec::Compiler
|
@@ -27,6 +20,19 @@ describe Puppet::Transaction do
|
|
27
20
|
transaction
|
28
21
|
end
|
29
22
|
|
23
|
+
before(:all) do
|
24
|
+
Puppet::Type.newtype(:transaction_generator) do
|
25
|
+
newparam(:name) { isnamevar }
|
26
|
+
|
27
|
+
def generate
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
31
|
+
|
32
|
+
after(:all) do
|
33
|
+
Puppet::Type.rmtype(:transaction_generator)
|
34
|
+
end
|
35
|
+
|
30
36
|
before do
|
31
37
|
@basepath = make_absolute("/what/ever")
|
32
38
|
@transaction = Puppet::Transaction.new(Puppet::Resource::Catalog.new, nil, Puppet::Graph::SequentialPrioritizer.new)
|
@@ -330,9 +336,9 @@ describe Puppet::Transaction do
|
|
330
336
|
describe "when generating resources before traversal" do
|
331
337
|
let(:catalog) { Puppet::Resource::Catalog.new }
|
332
338
|
let(:transaction) { Puppet::Transaction.new(catalog, nil, Puppet::Graph::SequentialPrioritizer.new) }
|
333
|
-
let(:generator) { Puppet::Type.type(:
|
339
|
+
let(:generator) { Puppet::Type.type(:transaction_generator).new :title => "generator" }
|
334
340
|
let(:generated) do
|
335
|
-
%w[a b c].map { |name| Puppet::Type.type(:
|
341
|
+
%w[a b c].map { |name| Puppet::Type.type(:transaction_generator).new(:name => name) }
|
336
342
|
end
|
337
343
|
|
338
344
|
before :each do
|
@@ -673,7 +679,7 @@ describe Puppet::Transaction do
|
|
673
679
|
end
|
674
680
|
|
675
681
|
describe "and new resources are generated" do
|
676
|
-
let(:generator) { Puppet::Type.type(:
|
682
|
+
let(:generator) { Puppet::Type.type(:transaction_generator).new :title => "generator" }
|
677
683
|
let(:generated) do
|
678
684
|
%w[a b c].map { |name| Puppet::Type.type(:package).new :title => "foo", :name => name, :provider => :apt }
|
679
685
|
end
|
@@ -787,16 +793,8 @@ describe Puppet::Transaction do
|
|
787
793
|
end
|
788
794
|
|
789
795
|
it "should call Selinux.matchpathcon_fini in case Selinux is enabled ", :if => Puppet.features.posix? do
|
790
|
-
|
791
|
-
|
792
|
-
def self.is_selinux_enabled
|
793
|
-
true
|
794
|
-
end
|
795
|
-
|
796
|
-
def self.matchpathcon_fini
|
797
|
-
end
|
798
|
-
end
|
799
|
-
end
|
796
|
+
selinux = double('selinux', is_selinux_enabled: true, matchpathcon_fini: nil)
|
797
|
+
stub_const('Selinux', selinux)
|
800
798
|
|
801
799
|
resource = Puppet::Type.type(:file).new(:path => make_absolute("/tmp/foo"))
|
802
800
|
transaction = transaction_with_resource(resource)
|
@@ -7,7 +7,7 @@ require 'spec_helper'
|
|
7
7
|
|
8
8
|
before do
|
9
9
|
@path = make_absolute("/my/file")
|
10
|
-
@resource = Puppet::Type.type(:file).new
|
10
|
+
@resource = Puppet::Type.type(:file).new(:path => @path, :ensure => :file)
|
11
11
|
@sel = property.new :resource => @resource
|
12
12
|
end
|
13
13
|
|
@@ -50,13 +50,13 @@ require 'spec_helper'
|
|
50
50
|
end
|
51
51
|
|
52
52
|
it "should handle no default gracefully" do
|
53
|
-
expect(@sel).to receive(:get_selinux_default_context).with(@path).and_return(nil)
|
53
|
+
expect(@sel).to receive(:get_selinux_default_context).with(@path, :file).and_return(nil)
|
54
54
|
expect(@sel.default).to be_nil
|
55
55
|
end
|
56
56
|
|
57
57
|
it "should be able to detect matchpathcon defaults" do
|
58
58
|
allow(@sel).to receive(:debug)
|
59
|
-
expect(@sel).to receive(:get_selinux_default_context).with(@path).and_return("user_u:role_r:type_t:s0")
|
59
|
+
expect(@sel).to receive(:get_selinux_default_context).with(@path, :file).and_return("user_u:role_r:type_t:s0")
|
60
60
|
expectedresult = case param
|
61
61
|
when :seluser; "user_u"
|
62
62
|
when :selrole; "role_r"
|
@@ -72,50 +72,65 @@ describe test_title, "when validating attribute values" do
|
|
72
72
|
allow(@provider.class).to receive(:supports_parameter?).and_return(true)
|
73
73
|
end
|
74
74
|
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
75
|
+
describe "for value without required features" do
|
76
|
+
before :each do
|
77
|
+
allow(@provider).to receive(:satisfies?)
|
78
|
+
end
|
79
79
|
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
80
|
+
it "should not support :mask as a value" do
|
81
|
+
expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :mask) }.to raise_error(
|
82
|
+
Puppet::ResourceError,
|
83
|
+
/Provider .+ must have features 'maskable' to set 'enable' to 'mask'/
|
84
|
+
)
|
85
|
+
end
|
84
86
|
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
87
|
+
it "should not support :manual as a value" do
|
88
|
+
expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :manual) }.to raise_error(
|
89
|
+
Puppet::ResourceError,
|
90
|
+
/Provider .+ must have features 'manual_startable' to set 'enable' to 'manual'/
|
91
|
+
)
|
92
|
+
end
|
89
93
|
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
+
it "should not support :mask as a value" do
|
95
|
+
expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :delayed) }.to raise_error(
|
96
|
+
Puppet::ResourceError,
|
97
|
+
/Provider .+ must have features 'delayed_startable' to set 'enable' to 'delayed'/
|
98
|
+
)
|
99
|
+
end
|
94
100
|
end
|
95
101
|
|
96
|
-
|
97
|
-
|
102
|
+
describe "for value with required features" do
|
103
|
+
before :each do
|
104
|
+
allow(@provider).to receive(:satisfies?).and_return(:true)
|
105
|
+
end
|
98
106
|
|
99
|
-
|
100
|
-
|
101
|
-
|
107
|
+
it "should support :true as a value" do
|
108
|
+
srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :true)
|
109
|
+
expect(srv.should(:enable)).to eq(:true)
|
110
|
+
end
|
102
111
|
|
103
|
-
|
104
|
-
|
112
|
+
it "should support :false as a value" do
|
113
|
+
srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :false)
|
114
|
+
expect(srv.should(:enable)).to eq(:false)
|
115
|
+
end
|
105
116
|
|
106
|
-
|
107
|
-
Puppet::
|
108
|
-
|
109
|
-
|
110
|
-
end
|
117
|
+
it "should support :mask as a value" do
|
118
|
+
srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :mask)
|
119
|
+
expect(srv.should(:enable)).to eq(:mask)
|
120
|
+
end
|
111
121
|
|
112
|
-
|
113
|
-
|
122
|
+
it "should support :manual as a value on Windows" do
|
123
|
+
allow(Puppet::Util::Platform).to receive(:windows?).and_return(true)
|
124
|
+
srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :manual)
|
125
|
+
expect(srv.should(:enable)).to eq(:manual)
|
126
|
+
end
|
114
127
|
|
115
|
-
|
116
|
-
Puppet::
|
117
|
-
|
118
|
-
|
128
|
+
it "should support :delayed as a value on Windows" do
|
129
|
+
allow(Puppet::Util::Platform).to receive(:windows?).and_return(true)
|
130
|
+
|
131
|
+
srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :delayed)
|
132
|
+
expect(srv.should(:enable)).to eq(:delayed)
|
133
|
+
end
|
119
134
|
end
|
120
135
|
end
|
121
136
|
|
@@ -150,105 +165,24 @@ describe test_title, "when validating attribute values" do
|
|
150
165
|
provider_class_with_logon_credentials = Puppet::Type.type(:service).provide(:simple) do
|
151
166
|
has_features :manages_logon_credentials
|
152
167
|
def logonpassword=(value) end
|
168
|
+
def logonaccount_insync?(current) end
|
153
169
|
end
|
154
170
|
allow(Puppet::Type.type(:service)).to receive(:defaultprovider).and_return(provider_class_with_logon_credentials)
|
155
171
|
end
|
156
172
|
|
157
173
|
describe "the 'logonaccount' property" do
|
158
|
-
|
159
|
-
allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
|
160
|
-
service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'NonWindowsUser')
|
174
|
+
let(:service) {Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser')}
|
161
175
|
|
162
|
-
|
163
|
-
|
176
|
+
it "should let superclass implementation resolve insyncness when provider does not respond to the 'logonaccount_insync?' method" do
|
177
|
+
allow(service.provider).to receive(:respond_to?).with(:logonaccount_insync?).and_return(false)
|
178
|
+
expect(service.property(:logonaccount).insync?('myUser')).to eq(true)
|
164
179
|
end
|
165
180
|
|
166
|
-
|
167
|
-
|
168
|
-
|
169
|
-
|
170
|
-
|
171
|
-
end
|
172
|
-
|
173
|
-
it "should fail when the `Log On As A Service` right is missing from given user" do
|
174
|
-
allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser))
|
175
|
-
allow(Puppet::Util::Windows::User).to receive(:get_rights).with('myPC\\myUser').and_return("")
|
176
|
-
|
177
|
-
expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser') }.to raise_error(Puppet::Error, /"myPC\\myUser" is missing the 'Log On As A Service' right./)
|
178
|
-
end
|
179
|
-
|
180
|
-
it "should fail when the `Log On As A Service` right is set to denied for given user" do
|
181
|
-
allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser))
|
182
|
-
allow(Puppet::Util::Windows::User).to receive(:get_rights).with('myPC\\myUser').and_return("SeDenyServiceLogonRight")
|
183
|
-
|
184
|
-
expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser') }.to raise_error(Puppet::Error, /"myPC\\myUser" has the 'Log On As A Service' right set to denied./)
|
185
|
-
end
|
186
|
-
|
187
|
-
it "should not fail when given user has the `Log On As A Service` right" do
|
188
|
-
allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser))
|
189
|
-
allow(Puppet::Util::Windows::User).to receive(:get_rights).with('myPC\\myUser').and_return("SeServiceLogonRight")
|
190
|
-
|
191
|
-
expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser') }.not_to raise_error
|
192
|
-
end
|
193
|
-
|
194
|
-
it "should not fail when given user is a default system account even if the `Log On As A Service` right is missing" do
|
195
|
-
allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser))
|
196
|
-
allow(Puppet::Util::Windows::User).to receive(:default_system_account?).and_return(true)
|
197
|
-
|
198
|
-
expect(Puppet::Util::Windows::User).not_to receive(:get_rights)
|
199
|
-
expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser') }.not_to raise_error
|
200
|
-
end
|
201
|
-
|
202
|
-
['LocalSystem', '.\LocalSystem', 'myPC\LocalSystem', 'lOcALsysTem'].each do |user_input|
|
203
|
-
it "should succesfully munge #{user_input} to 'LocalSystem'" do
|
204
|
-
service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => user_input)
|
205
|
-
|
206
|
-
expect { service }.not_to raise_error
|
207
|
-
expect(service[:logonaccount]).to eq('LocalSystem')
|
208
|
-
end
|
209
|
-
end
|
210
|
-
|
211
|
-
it "should succesfully munge local account" do
|
212
|
-
allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser))
|
213
|
-
service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser')
|
214
|
-
|
215
|
-
expect { service }.not_to raise_error
|
216
|
-
expect(service[:logonaccount]).to eq('.\myUser')
|
217
|
-
end
|
218
|
-
|
219
|
-
it "should succesfully munge domain account" do
|
220
|
-
allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("DomainUser", nil, nil, "myDomain", :SidTypeUser))
|
221
|
-
service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'DomainUser')
|
222
|
-
|
223
|
-
expect { service }.not_to raise_error
|
224
|
-
expect(service[:logonaccount]).to eq('myDomain\DomainUser')
|
225
|
-
end
|
226
|
-
|
227
|
-
it "should succesfully munge well known user" do
|
228
|
-
allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeWellKnownGroup))
|
229
|
-
service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'LocalService')
|
230
|
-
|
231
|
-
expect { service }.not_to raise_error
|
232
|
-
expect(service[:logonaccount]).to eq('NT AUTHORITY\LOCAL SERVICE')
|
233
|
-
end
|
234
|
-
|
235
|
-
it "should succesfully munge a SID" do
|
236
|
-
allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("NETWORK SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser))
|
237
|
-
service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'S-1-5-20')
|
238
|
-
|
239
|
-
expect { service }.not_to raise_error
|
240
|
-
expect(service[:logonaccount]).to eq('NT AUTHORITY\NETWORK SERVICE')
|
241
|
-
end
|
242
|
-
|
243
|
-
it "should fail when account is invalid" do
|
244
|
-
allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(nil)
|
245
|
-
expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'InvalidUser') }.to raise_error(Puppet::Error, /"InvalidUser" is not a valid account/)
|
246
|
-
end
|
247
|
-
|
248
|
-
it "should fail when sid type is not user or well known user" do
|
249
|
-
allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("Administrators", nil, nil, "BUILTIN", :SidTypeAlias))
|
250
|
-
expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'Administrators') }.to raise_error(Puppet::Error, /"Administrators" is not a valid account/)
|
251
|
-
end
|
181
|
+
it "should let provider resolve insyncness when provider responds to the 'logonaccount_insync?' method" do
|
182
|
+
allow(service.provider).to receive(:respond_to?).with(:logonaccount_insync?, any_args).and_return(true)
|
183
|
+
allow(service.provider).to receive(:logonaccount_insync?).and_return(false)
|
184
|
+
|
185
|
+
expect(service.property(:logonaccount).insync?('myUser')).to eq(false)
|
252
186
|
end
|
253
187
|
end
|
254
188
|
|
@@ -258,7 +192,6 @@ describe test_title, "when validating attribute values" do
|
|
258
192
|
end
|
259
193
|
|
260
194
|
it "should default to empty string when only logonaccount is being managed" do
|
261
|
-
allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
|
262
195
|
service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser')
|
263
196
|
|
264
197
|
expect { service }.not_to raise_error
|
@@ -271,70 +204,8 @@ describe test_title, "when validating attribute values" do
|
|
271
204
|
end
|
272
205
|
|
273
206
|
it "should fail when logonpassword includes the ':' character" do
|
274
|
-
allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
|
275
207
|
expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser', :logonpassword => 'my:Pass') }.to raise_error(Puppet::Error, /Passwords cannot include ':'/)
|
276
208
|
end
|
277
|
-
|
278
|
-
it "should not further check the password against given account when not on Windows" do
|
279
|
-
allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
|
280
|
-
expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser', :logonpassword => 'myPass') }.not_to raise_error
|
281
|
-
end
|
282
|
-
|
283
|
-
context "when on Windows", :if => Puppet::Util::Platform.windows? do
|
284
|
-
before do
|
285
|
-
allow(Puppet::Util::Windows::ADSI).to receive(:computer_name).and_return("myPC")
|
286
|
-
allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(name_to_principal_result)
|
287
|
-
allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return('SeServiceLogonRight')
|
288
|
-
end
|
289
|
-
|
290
|
-
it "should pass validation when given account is 'LocalSystem'" do
|
291
|
-
allow(Puppet::Util::Windows::User).to receive(:localsystem?).with('LocalSystem').and_return(true)
|
292
|
-
allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('LocalSystem').and_return(false)
|
293
|
-
|
294
|
-
expect(Puppet::Util::Windows::SID).not_to receive(:name_to_principal)
|
295
|
-
expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
|
296
|
-
expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'LocalSystem') }.not_to raise_error
|
297
|
-
end
|
298
|
-
|
299
|
-
['LOCAL SERVICE', 'NETWORK SERVICE', 'SYSTEM'].each do |predefined_local_account|
|
300
|
-
describe "when given account is #{predefined_local_account}" do
|
301
|
-
let(:name_to_principal_result) do
|
302
|
-
Puppet::Util::Windows::SID::Principal.new(predefined_local_account, nil, nil, "NT AUTHORITY", :SidTypeUser)
|
303
|
-
end
|
304
|
-
|
305
|
-
it "should pass validation" do
|
306
|
-
allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(predefined_local_account).and_return(false)
|
307
|
-
expect(Puppet::Util::Windows::User).to receive(:default_system_account?).with(predefined_local_account).and_return(true)
|
308
|
-
expect(Puppet::Util::Windows::User).to receive(:default_system_account?).with("NT AUTHORITY\\#{predefined_local_account}").and_return(true)
|
309
|
-
|
310
|
-
expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
|
311
|
-
expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => predefined_local_account) }.not_to raise_error
|
312
|
-
end
|
313
|
-
end
|
314
|
-
end
|
315
|
-
|
316
|
-
let(:name_to_principal_result) do
|
317
|
-
Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser)
|
318
|
-
end
|
319
|
-
|
320
|
-
describe "when given logonaccount is not a predefined local account" do
|
321
|
-
before do
|
322
|
-
allow(Puppet::Util::Windows::User).to receive(:localsystem?).with('myUser').and_return(false)
|
323
|
-
allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('myUser').and_return(false)
|
324
|
-
allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('.\\myUser').and_return(false)
|
325
|
-
end
|
326
|
-
|
327
|
-
it "should pass validation if password is proven correct" do
|
328
|
-
allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myPass', '.').and_return(true)
|
329
|
-
expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser', :logonpassword => 'myPass') }.not_to raise_error
|
330
|
-
end
|
331
|
-
|
332
|
-
it "should not pass validation if password check fails" do
|
333
|
-
allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myWrongPass', '.').and_return(false)
|
334
|
-
expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser', :logonpassword => 'myWrongPass') }.to raise_error(Puppet::Error, /The given password is invalid for user '.\\myUser'/)
|
335
|
-
end
|
336
|
-
end
|
337
|
-
end
|
338
209
|
end
|
339
210
|
end
|
340
211
|
|