puppet 6.22.1-universal-darwin → 6.23.0-universal-darwin


Potentially problematic release.


This version of puppet might be problematic. Click here for more details.

Files changed (129)
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +14 -14
  3. data/ext/osx/puppet.plist +2 -0
  4. data/lib/puppet/application/agent.rb +12 -5
  5. data/lib/puppet/application/apply.rb +2 -1
  6. data/lib/puppet/application/device.rb +2 -1
  7. data/lib/puppet/application/resource.rb +2 -1
  8. data/lib/puppet/application/script.rb +2 -1
  9. data/lib/puppet/configurer/downloader.rb +2 -1
  10. data/lib/puppet/defaults.rb +5 -3
  11. data/lib/puppet/file_serving/fileset.rb +14 -2
  12. data/lib/puppet/functions/all.rb +1 -1
  13. data/lib/puppet/functions/camelcase.rb +1 -1
  14. data/lib/puppet/functions/capitalize.rb +2 -2
  15. data/lib/puppet/functions/downcase.rb +2 -2
  16. data/lib/puppet/functions/get.rb +5 -5
  17. data/lib/puppet/functions/group_by.rb +13 -5
  18. data/lib/puppet/functions/lest.rb +1 -1
  19. data/lib/puppet/functions/new.rb +100 -100
  20. data/lib/puppet/functions/partition.rb +4 -4
  21. data/lib/puppet/functions/require.rb +5 -5
  22. data/lib/puppet/functions/sort.rb +3 -3
  23. data/lib/puppet/functions/tree_each.rb +7 -9
  24. data/lib/puppet/functions/type.rb +4 -4
  25. data/lib/puppet/functions/upcase.rb +2 -2
  26. data/lib/puppet/http/resolver/server_list.rb +15 -4
  27. data/lib/puppet/http/service/compiler.rb +69 -0
  28. data/lib/puppet/http/service/file_server.rb +2 -1
  29. data/lib/puppet/indirector/catalog/compiler.rb +1 -0
  30. data/lib/puppet/indirector/file_metadata/rest.rb +1 -0
  31. data/lib/puppet/parser/functions/fqdn_rand.rb +14 -6
  32. data/lib/puppet/pops/types/p_sem_ver_type.rb +8 -2
  33. data/lib/puppet/pops/types/p_sensitive_type.rb +10 -0
  34. data/lib/puppet/provider/package/nim.rb +11 -6
  35. data/lib/puppet/provider/service/systemd.rb +13 -3
  36. data/lib/puppet/provider/service/windows.rb +38 -0
  37. data/lib/puppet/provider/user/directoryservice.rb +25 -12
  38. data/lib/puppet/reference/configuration.rb +1 -1
  39. data/lib/puppet/transaction/additional_resource_generator.rb +1 -1
  40. data/lib/puppet/type/file/selcontext.rb +1 -1
  41. data/lib/puppet/type/file.rb +19 -1
  42. data/lib/puppet/type/service.rb +18 -38
  43. data/lib/puppet/type/tidy.rb +21 -2
  44. data/lib/puppet/type/user.rb +38 -20
  45. data/lib/puppet/util/selinux.rb +30 -4
  46. data/lib/puppet/version.rb +1 -1
  47. data/locales/puppet.pot +109 -101
  48. data/man/man5/puppet.conf.5 +272 -252
  49. data/man/man8/puppet-agent.8 +1 -1
  50. data/man/man8/puppet-apply.8 +1 -1
  51. data/man/man8/puppet-catalog.8 +1 -1
  52. data/man/man8/puppet-config.8 +1 -1
  53. data/man/man8/puppet-describe.8 +1 -1
  54. data/man/man8/puppet-device.8 +1 -1
  55. data/man/man8/puppet-doc.8 +1 -1
  56. data/man/man8/puppet-epp.8 +1 -1
  57. data/man/man8/puppet-facts.8 +1 -1
  58. data/man/man8/puppet-filebucket.8 +1 -1
  59. data/man/man8/puppet-generate.8 +1 -1
  60. data/man/man8/puppet-help.8 +1 -1
  61. data/man/man8/puppet-key.8 +1 -1
  62. data/man/man8/puppet-lookup.8 +1 -1
  63. data/man/man8/puppet-man.8 +1 -1
  64. data/man/man8/puppet-module.8 +1 -1
  65. data/man/man8/puppet-node.8 +1 -1
  66. data/man/man8/puppet-parser.8 +1 -1
  67. data/man/man8/puppet-plugin.8 +1 -1
  68. data/man/man8/puppet-report.8 +1 -1
  69. data/man/man8/puppet-resource.8 +1 -1
  70. data/man/man8/puppet-script.8 +1 -1
  71. data/man/man8/puppet-ssl.8 +1 -1
  72. data/man/man8/puppet-status.8 +1 -1
  73. data/man/man8/puppet.8 +2 -2
  74. data/spec/fixtures/ssl/127.0.0.1-key.pem +107 -57
  75. data/spec/fixtures/ssl/127.0.0.1.pem +52 -31
  76. data/spec/fixtures/ssl/bad-basic-constraints.pem +57 -35
  77. data/spec/fixtures/ssl/bad-int-basic-constraints.pem +57 -35
  78. data/spec/fixtures/ssl/ca.pem +57 -35
  79. data/spec/fixtures/ssl/crl.pem +28 -18
  80. data/spec/fixtures/ssl/ec-key.pem +11 -11
  81. data/spec/fixtures/ssl/ec.pem +33 -24
  82. data/spec/fixtures/ssl/encrypted-ec-key.pem +12 -12
  83. data/spec/fixtures/ssl/encrypted-key.pem +108 -58
  84. data/spec/fixtures/ssl/intermediate-agent-crl.pem +28 -19
  85. data/spec/fixtures/ssl/intermediate-agent.pem +57 -36
  86. data/spec/fixtures/ssl/intermediate-crl.pem +31 -21
  87. data/spec/fixtures/ssl/intermediate.pem +57 -36
  88. data/spec/fixtures/ssl/pluto-key.pem +107 -57
  89. data/spec/fixtures/ssl/pluto.pem +52 -30
  90. data/spec/fixtures/ssl/request-key.pem +107 -57
  91. data/spec/fixtures/ssl/request.pem +47 -26
  92. data/spec/fixtures/ssl/revoked-key.pem +107 -57
  93. data/spec/fixtures/ssl/revoked.pem +52 -30
  94. data/spec/fixtures/ssl/signed-key.pem +107 -57
  95. data/spec/fixtures/ssl/signed.pem +52 -30
  96. data/spec/fixtures/ssl/tampered-cert.pem +52 -30
  97. data/spec/fixtures/ssl/tampered-csr.pem +47 -26
  98. data/spec/fixtures/ssl/unknown-127.0.0.1-key.pem +107 -57
  99. data/spec/fixtures/ssl/unknown-127.0.0.1.pem +50 -29
  100. data/spec/fixtures/ssl/unknown-ca-key.pem +107 -57
  101. data/spec/fixtures/ssl/unknown-ca.pem +55 -33
  102. data/spec/integration/application/resource_spec.rb +30 -0
  103. data/spec/lib/puppet/test_ca.rb +2 -2
  104. data/spec/unit/application/agent_spec.rb +7 -2
  105. data/spec/unit/configurer/downloader_spec.rb +6 -0
  106. data/spec/unit/configurer_spec.rb +23 -0
  107. data/spec/unit/file_serving/fileset_spec.rb +60 -0
  108. data/spec/unit/gettext/config_spec.rb +12 -0
  109. data/spec/unit/http/service/compiler_spec.rb +123 -0
  110. data/spec/unit/indirector/catalog/compiler_spec.rb +14 -10
  111. data/spec/unit/parser/functions/fqdn_rand_spec.rb +15 -1
  112. data/spec/unit/pops/types/p_sem_ver_type_spec.rb +18 -0
  113. data/spec/unit/pops/types/p_sensitive_type_spec.rb +18 -0
  114. data/spec/unit/provider/package/nim_spec.rb +42 -0
  115. data/spec/unit/provider/service/init_spec.rb +1 -0
  116. data/spec/unit/provider/service/openwrt_spec.rb +3 -1
  117. data/spec/unit/provider/service/systemd_spec.rb +42 -8
  118. data/spec/unit/provider/service/windows_spec.rb +202 -0
  119. data/spec/unit/provider/user/directoryservice_spec.rb +67 -35
  120. data/spec/unit/ssl/state_machine_spec.rb +19 -5
  121. data/spec/unit/transaction/additional_resource_generator_spec.rb +0 -2
  122. data/spec/unit/transaction_spec.rb +18 -20
  123. data/spec/unit/type/file/selinux_spec.rb +3 -3
  124. data/spec/unit/type/service_spec.rb +59 -188
  125. data/spec/unit/type/tidy_spec.rb +17 -7
  126. data/spec/unit/type/user_spec.rb +45 -0
  127. data/spec/unit/util/selinux_spec.rb +87 -16
  128. data/tasks/generate_cert_fixtures.rake +2 -2
  129. metadata +4 -2
@@ -925,28 +925,75 @@ end
925
925
  }
926
926
  end
927
927
 
928
- it 'should call set_salted_sha512 on 10.7 when given a salted-SHA512 password hash' do
929
- expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
930
- expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(sha512_shadowhashdata)
931
- expect(provider.class).to receive(:get_os_version).and_return('10.7')
932
- expect(provider).to receive(:set_salted_sha512).with(sample_users_plist, sha512_shadowhashdata, sha512_password_hash)
933
- provider.write_password_to_users_plist(sha512_password_hash)
928
+ before do
929
+ allow(provider).to receive(:merge_attribute_with_dscl).with('Users', username, 'AuthenticationAuthority', any_args)
934
930
  end
935
931
 
936
- it 'should call set_salted_pbkdf2 on 10.8 when given a PBKDF2 password hash' do
937
- expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
938
- expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
939
- expect(provider.class).to receive(:get_os_version).and_return('10.8')
940
- expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
941
- provider.write_password_to_users_plist(pbkdf2_password_hash)
932
+ describe 'when on macOS 11 (Big Sur) or greater' do
933
+ before do
934
+ allow(provider.class).to receive(:get_os_version).and_return('11.0.0')
935
+ end
936
+
937
+ it 'should add salted_sha512_pbkdf2 AuthenticationAuthority key if missing' do
938
+ expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
939
+ expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
940
+ expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
941
+ expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(true)
942
+
943
+ expect(Puppet).to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
944
+ provider.write_password_to_users_plist(pbkdf2_password_hash)
945
+ end
946
+
947
+ it 'should not add salted_sha512_pbkdf2 AuthenticationAuthority key if not missing' do
948
+ expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
949
+ expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
950
+ expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
951
+ expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
952
+
953
+ expect(Puppet).not_to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
954
+ provider.write_password_to_users_plist(pbkdf2_password_hash)
955
+ end
942
956
  end
943
957
 
944
- it "should delete the SALTED-SHA512 key in the shadow_hash_data hash if it exists on a 10.8 system and write_password_to_users_plist has been called to set the user's password" do
945
- expect(provider).to receive(:get_users_plist).and_return('users_plist')
946
- expect(provider).to receive(:get_shadow_hash_data).with('users_plist').and_return(sha512_shadowhashdata)
947
- expect(provider.class).to receive(:get_os_version).and_return('10.8')
948
- expect(provider).to receive(:set_salted_pbkdf2).with('users_plist', {}, 'entropy', pbkdf2_password_hash)
949
- provider.write_password_to_users_plist(pbkdf2_password_hash)
958
+ describe 'when on macOS version lower than 11' do
959
+ before do
960
+ allow(provider.class).to receive(:get_os_version)
961
+ allow(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
962
+ end
963
+
964
+ it 'should not add salted_sha512_pbkdf2 AuthenticationAuthority' do
965
+ expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
966
+ expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
967
+ expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
968
+ expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
969
+
970
+ expect(Puppet).not_to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
971
+ provider.write_password_to_users_plist(pbkdf2_password_hash)
972
+ end
973
+
974
+ it 'should call set_salted_sha512 on 10.7 when given a salted-SHA512 password hash' do
975
+ expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
976
+ expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(sha512_shadowhashdata)
977
+ expect(provider.class).to receive(:get_os_version).and_return('10.7')
978
+ expect(provider).to receive(:set_salted_sha512).with(sample_users_plist, sha512_shadowhashdata, sha512_password_hash)
979
+ provider.write_password_to_users_plist(sha512_password_hash)
980
+ end
981
+
982
+ it 'should call set_salted_pbkdf2 on 10.8 when given a PBKDF2 password hash' do
983
+ expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
984
+ expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
985
+ expect(provider.class).to receive(:get_os_version).and_return('10.8')
986
+ expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
987
+ provider.write_password_to_users_plist(pbkdf2_password_hash)
988
+ end
989
+
990
+ it "should delete the SALTED-SHA512 key in the shadow_hash_data hash if it exists on a 10.8 system and write_password_to_users_plist has been called to set the user's password" do
991
+ expect(provider).to receive(:get_users_plist).and_return('users_plist')
992
+ expect(provider).to receive(:get_shadow_hash_data).with('users_plist').and_return(sha512_shadowhashdata)
993
+ expect(provider.class).to receive(:get_os_version).and_return('10.8')
994
+ expect(provider).to receive(:set_salted_pbkdf2).with('users_plist', {}, 'entropy', pbkdf2_password_hash)
995
+ provider.write_password_to_users_plist(pbkdf2_password_hash)
996
+ end
950
997
  end
951
998
  end
952
999
 
@@ -974,16 +1021,7 @@ end
974
1021
  describe '#set_shadow_hash_data' do
975
1022
  let(:users_plist) { {'ShadowHashData' => ['string_data'] } }
976
1023
 
977
- it 'should flush the plist data to disk on OS X < 10.15' do
978
- allow(provider.class).to receive(:get_os_version).and_return('10.12')
979
-
980
- expect(provider).to receive(:write_users_plist_to_disk)
981
- provider.set_shadow_hash_data(users_plist, pbkdf2_embedded_plist)
982
- end
983
-
984
- it 'should flush the plist data a temporary file on OS X >= 10.15' do
985
- allow(provider.class).to receive(:get_os_version).and_return('10.15')
986
-
1024
+ it 'should flush the plist data to a temporary file' do
987
1025
  expect(provider).to receive(:write_and_import_shadow_hash_data)
988
1026
  provider.set_shadow_hash_data(users_plist, pbkdf2_embedded_plist)
989
1027
  end
@@ -1033,13 +1071,6 @@ end
1033
1071
  end
1034
1072
  end
1035
1073
 
1036
- describe '#write_users_plist_to_disk' do
1037
- it 'should save the passed plist to disk and convert it to a binary plist' do
1038
- expect(Puppet::Util::Plist).to receive(:write_plist_file).with(user_plist_xml, "#{users_plist_dir}/nonexistent_user.plist", :binary)
1039
- provider.write_users_plist_to_disk(user_plist_xml)
1040
- end
1041
- end
1042
-
1043
1074
  describe '#write_and_import_shadow_hash_data' do
1044
1075
  it 'should save the passed plist to a temporary file and import it' do
1045
1076
  tmpfile = double('tempfile', :path => "/tmp/dsimport_#{username}", :flush => nil)
@@ -1203,6 +1234,7 @@ end
1203
1234
  before :each do
1204
1235
  allow(provider.class).to receive(:get_all_users).and_return(all_users_hash)
1205
1236
  allow(provider.class).to receive(:get_list_of_groups).and_return(group_plist_hash_guid)
1237
+ allow(provider).to receive(:merge_attribute_with_dscl).with('Users', username, 'AuthenticationAuthority', any_args)
1206
1238
  provider.class.prefetch({})
1207
1239
  end
1208
1240
 
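Review bot: The example 'should not add salted_sha512_pbkdf2 AuthenticationAuthority' under 'when on macOS version lower than 11' does not exercise any version gate. `needs_sha512_pbkdf2_authentication_authority_to_be_added?` is stubbed to return false in both the `before` block and the example, and `get_os_version` is stubbed with no return value, so it passes for the same reason as the Big Sur 'if not missing' example. To cover the pre-11 path, return a concrete version, e.g. `allow(provider.class).to receive(:get_os_version).and_return('10.15')`, and leave the predicate unstubbed if its inputs can be supplied from `sample_users_plist` (its implementation is not visible here). The debug-message expectations also hard-code 'nonexistent_user'; interpolating the `username` helper already used in the `merge_attribute_with_dscl` stub would keep them in sync.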
@@ -31,6 +31,14 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
31
31
  allow(Kernel).to receive(:sleep)
32
32
  end
33
33
 
34
+ def expected_digest(name, content)
35
+ OpenSSL::Digest.new(name).hexdigest(content)
36
+ end
37
+
38
+ def to_fingerprint(digest)
39
+ digest.scan(/../).join(':').upcase
40
+ end
41
+
34
42
  context 'when passing keyword arguments' do
35
43
  it "accepts digest" do
36
44
  expect(described_class.new(digest: 'SHA512').digest).to eq('SHA512')
@@ -395,29 +403,35 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
395
403
 
396
404
  it 'verifies CA cert bundle if a ca_fingerprint is given case-insensitively' do
397
405
  Puppet[:log_level] = :info
398
- machine = described_class.new(digest: 'SHA256', ca_fingerprint: 'caacf69bbbcdad9dbcda92dd2da3608b639d1aea4c314d6cc6823cdb32d8e0f8')
406
+
407
+ digest = expected_digest('SHA256', cacert_pem)
408
+ fingerprint = to_fingerprint(digest)
409
+ machine = described_class.new(digest: 'SHA256', ca_fingerprint: digest.downcase)
399
410
  state = Puppet::SSL::StateMachine::NeedCACerts.new(machine)
400
411
  state.next_state
401
412
 
402
- expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA256) CA:AC:F6:9B:BB:CD:AD:9D:BC:DA:92:DD:2D:A3:60:8B:63:9D:1A:EA:4C:31:4D:6C:C6:82:3C:DB:32:D8:E0:F8"))
413
+ expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA256) #{fingerprint}"))
403
414
  end
404
415
 
405
416
  it 'verifies CA cert bundle using non-default fingerprint' do
406
417
  Puppet[:log_level] = :info
407
- machine = described_class.new(digest: 'SHA512', ca_fingerprint: '3c9d1482b878913ad95c9631feac5090cb05c6eab9496178d6fd5c14a023da3b1a8650a3cbaac516d9a48caf0b0742e1ed7eebf55105c024c74834a45056a9d9')
418
+
419
+ digest = expected_digest('SHA512', cacert_pem)
420
+ machine = described_class.new(digest: 'SHA512', ca_fingerprint: digest)
408
421
  state = Puppet::SSL::StateMachine::NeedCACerts.new(machine)
409
422
  state.next_state
410
423
 
411
- expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA512) 3C:9D:14:82:B8:78:91:3A:D9:5C:96:31:FE:AC:50:90:CB:05:C6:EA:B9:49:61:78:D6:FD:5C:14:A0:23:DA:3B:1A:86:50:A3:CB:AA:C5:16:D9:A4:8C:AF:0B:07:42:E1:ED:7E:EB:F5:51:05:C0:24:C7:48:34:A4:50:56:A9:D9"))
424
+ expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA512) #{to_fingerprint(digest)}"))
412
425
  end
413
426
 
414
427
  it 'returns an error if verification fails' do
415
428
  machine = described_class.new(digest: 'SHA256', ca_fingerprint: 'wrong!')
416
429
  state = Puppet::SSL::StateMachine::NeedCACerts.new(machine)
417
430
 
431
+ fingerprint = to_fingerprint(expected_digest('SHA256', cacert_pem))
418
432
  st = state.next_state
419
433
  expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
420
- expect(st.message).to eq("CA bundle with digest (SHA256) CA:AC:F6:9B:BB:CD:AD:9D:BC:DA:92:DD:2D:A3:60:8B:63:9D:1A:EA:4C:31:4D:6C:C6:82:3C:DB:32:D8:E0:F8 did not match expected digest WR:ON:G!")
434
+ expect(st.message).to eq("CA bundle with digest (SHA256) #{fingerprint} did not match expected digest WR:ON:G!")
421
435
  end
422
436
  end
423
437
  end
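Review bot: The new helpers `expected_digest` and `to_fingerprint` have no comment saying what is hashed, which matters for a pinned CA fingerprint now that the expected value is computed from `cacert_pem` instead of being a literal. A one-line comment above `expected_digest`, such as `# Hex digest of the fixture's PEM text, used as the expected ca_fingerprint`, would make that explicit for whoever regenerates the fixtures. In the 'case-insensitively' example, `digest.downcase` is a no-op because `hexdigest` already returns lowercase hex; a short comment that lowercase input against the upper-case logged fingerprint is the case under test would make the intent clear.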
@@ -93,8 +93,6 @@ describe Puppet::Transaction::AdditionalResourceGenerator do
93
93
  end
94
94
  end
95
95
 
96
-
97
-
98
96
  after(:each) do
99
97
  Puppet::Type.rmtype(:gen_empty)
100
98
  Puppet::Type.rmtype(:eval_after)
@@ -5,13 +5,6 @@ require 'puppet_spec/compiler'
5
5
  require 'puppet/transaction'
6
6
  require 'fileutils'
7
7
 
8
- Puppet::Type.newtype(:generator) do
9
- newparam(:name) { isnamevar }
10
-
11
- def generate
12
- end
13
- end
14
-
15
8
  describe Puppet::Transaction do
16
9
  include PuppetSpec::Files
17
10
  include PuppetSpec::Compiler
@@ -27,6 +20,19 @@ describe Puppet::Transaction do
27
20
  transaction
28
21
  end
29
22
 
23
+ before(:all) do
24
+ Puppet::Type.newtype(:transaction_generator) do
25
+ newparam(:name) { isnamevar }
26
+
27
+ def generate
28
+ end
29
+ end
30
+ end
31
+
32
+ after(:all) do
33
+ Puppet::Type.rmtype(:transaction_generator)
34
+ end
35
+
30
36
  before do
31
37
  @basepath = make_absolute("/what/ever")
32
38
  @transaction = Puppet::Transaction.new(Puppet::Resource::Catalog.new, nil, Puppet::Graph::SequentialPrioritizer.new)
@@ -330,9 +336,9 @@ describe Puppet::Transaction do
330
336
  describe "when generating resources before traversal" do
331
337
  let(:catalog) { Puppet::Resource::Catalog.new }
332
338
  let(:transaction) { Puppet::Transaction.new(catalog, nil, Puppet::Graph::SequentialPrioritizer.new) }
333
- let(:generator) { Puppet::Type.type(:generator).new :title => "generator" }
339
+ let(:generator) { Puppet::Type.type(:transaction_generator).new :title => "generator" }
334
340
  let(:generated) do
335
- %w[a b c].map { |name| Puppet::Type.type(:generator).new(:name => name) }
341
+ %w[a b c].map { |name| Puppet::Type.type(:transaction_generator).new(:name => name) }
336
342
  end
337
343
 
338
344
  before :each do
@@ -673,7 +679,7 @@ describe Puppet::Transaction do
673
679
  end
674
680
 
675
681
  describe "and new resources are generated" do
676
- let(:generator) { Puppet::Type.type(:generator).new :title => "generator" }
682
+ let(:generator) { Puppet::Type.type(:transaction_generator).new :title => "generator" }
677
683
  let(:generated) do
678
684
  %w[a b c].map { |name| Puppet::Type.type(:package).new :title => "foo", :name => name, :provider => :apt }
679
685
  end
@@ -787,16 +793,8 @@ describe Puppet::Transaction do
787
793
  end
788
794
 
789
795
  it "should call Selinux.matchpathcon_fini in case Selinux is enabled ", :if => Puppet.features.posix? do
790
- unless defined?(Selinux)
791
- module Selinux
792
- def self.is_selinux_enabled
793
- true
794
- end
795
-
796
- def self.matchpathcon_fini
797
- end
798
- end
799
- end
796
+ selinux = double('selinux', is_selinux_enabled: true, matchpathcon_fini: nil)
797
+ stub_const('Selinux', selinux)
800
798
 
801
799
  resource = Puppet::Type.type(:file).new(:path => make_absolute("/tmp/foo"))
802
800
  transaction = transaction_with_resource(resource)
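Review bot: The `Selinux` stand-in at new lines 796-797 is a plain `double` whose `matchpathcon_fini: nil` stub is satisfied whether or not the method is ever called. The example therefore only proves its title if an explicit `expect(Selinux).to receive(:matchpathcon_fini)` follows; the rest of the example is outside the hunk, so confirm that it does. Because `stub_const` also replaces a real `Selinux` module on hosts that have the bindings, any other `Selinux` method reached during the transaction would raise as an unexpected message on the double. If that turns out to happen, stub those methods too or build the double with `as_null_object`.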
@@ -7,7 +7,7 @@ require 'spec_helper'
7
7
 
8
8
  before do
9
9
  @path = make_absolute("/my/file")
10
- @resource = Puppet::Type.type(:file).new :path => @path
10
+ @resource = Puppet::Type.type(:file).new(:path => @path, :ensure => :file)
11
11
  @sel = property.new :resource => @resource
12
12
  end
13
13
 
@@ -50,13 +50,13 @@ require 'spec_helper'
50
50
  end
51
51
 
52
52
  it "should handle no default gracefully" do
53
- expect(@sel).to receive(:get_selinux_default_context).with(@path).and_return(nil)
53
+ expect(@sel).to receive(:get_selinux_default_context).with(@path, :file).and_return(nil)
54
54
  expect(@sel.default).to be_nil
55
55
  end
56
56
 
57
57
  it "should be able to detect matchpathcon defaults" do
58
58
  allow(@sel).to receive(:debug)
59
- expect(@sel).to receive(:get_selinux_default_context).with(@path).and_return("user_u:role_r:type_t:s0")
59
+ expect(@sel).to receive(:get_selinux_default_context).with(@path, :file).and_return("user_u:role_r:type_t:s0")
60
60
  expectedresult = case param
61
61
  when :seluser; "user_u"
62
62
  when :selrole; "role_r"
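Review bot: Both changed expectations pin the second argument of `get_selinux_default_context` to `:file`, and the `before` block now always sets `:ensure => :file`, so this spec no longer shows what is passed when `ensure` is unset or names another kind of resource. Since the default-context lookup decides which SELinux label a managed path receives, an example for at least one other value would document the contract, for instance `:ensure => :directory`, asserting whatever the property is expected to pass. The property's implementation is not visible in this section, and the enclosing `describe` block starts and ends outside the hunks.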
@@ -72,50 +72,65 @@ describe test_title, "when validating attribute values" do
72
72
  allow(@provider.class).to receive(:supports_parameter?).and_return(true)
73
73
  end
74
74
 
75
- it "should support :true as a value" do
76
- srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :true)
77
- expect(srv.should(:enable)).to eq(:true)
78
- end
75
+ describe "for value without required features" do
76
+ before :each do
77
+ allow(@provider).to receive(:satisfies?)
78
+ end
79
79
 
80
- it "should support :false as a value" do
81
- srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :false)
82
- expect(srv.should(:enable)).to eq(:false)
83
- end
80
+ it "should not support :mask as a value" do
81
+ expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :mask) }.to raise_error(
82
+ Puppet::ResourceError,
83
+ /Provider .+ must have features 'maskable' to set 'enable' to 'mask'/
84
+ )
85
+ end
84
86
 
85
- it "should support :mask as a value" do
86
- srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :mask)
87
- expect(srv.should(:enable)).to eq(:mask)
88
- end
87
+ it "should not support :manual as a value" do
88
+ expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :manual) }.to raise_error(
89
+ Puppet::ResourceError,
90
+ /Provider .+ must have features 'manual_startable' to set 'enable' to 'manual'/
91
+ )
92
+ end
89
93
 
90
- it "should support :manual as a value on Windows" do
91
- allow(Puppet::Util::Platform).to receive(:windows?).and_return(true)
92
- srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :manual)
93
- expect(srv.should(:enable)).to eq(:manual)
94
+ it "should not support :mask as a value" do
95
+ expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :delayed) }.to raise_error(
96
+ Puppet::ResourceError,
97
+ /Provider .+ must have features 'delayed_startable' to set 'enable' to 'delayed'/
98
+ )
99
+ end
94
100
  end
95
101
 
96
- it "should support :delayed as a value on Windows" do
97
- allow(Puppet::Util::Platform).to receive(:windows?).and_return(true)
102
+ describe "for value with required features" do
103
+ before :each do
104
+ allow(@provider).to receive(:satisfies?).and_return(:true)
105
+ end
98
106
 
99
- srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :delayed)
100
- expect(srv.should(:enable)).to eq(:delayed)
101
- end
107
+ it "should support :true as a value" do
108
+ srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :true)
109
+ expect(srv.should(:enable)).to eq(:true)
110
+ end
102
111
 
103
- it "should not support :manual as a value when not on Windows" do
104
- allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
112
+ it "should support :false as a value" do
113
+ srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :false)
114
+ expect(srv.should(:enable)).to eq(:false)
115
+ end
105
116
 
106
- expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :manual) }.to raise_error(
107
- Puppet::Error,
108
- /Setting enable to manual is only supported on Microsoft Windows\./
109
- )
110
- end
117
+ it "should support :mask as a value" do
118
+ srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :mask)
119
+ expect(srv.should(:enable)).to eq(:mask)
120
+ end
111
121
 
112
- it "should not support :delayed as a value when not on Windows" do
113
- allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
122
+ it "should support :manual as a value on Windows" do
123
+ allow(Puppet::Util::Platform).to receive(:windows?).and_return(true)
124
+ srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :manual)
125
+ expect(srv.should(:enable)).to eq(:manual)
126
+ end
114
127
 
115
- expect { Puppet::Type.type(:service).new(:name => "yay", :enable => :delayed) }.to raise_error(
116
- Puppet::Error,
117
- /Setting enable to delayed is only supported on Microsoft Windows\./
118
- )
128
+ it "should support :delayed as a value on Windows" do
129
+ allow(Puppet::Util::Platform).to receive(:windows?).and_return(true)
130
+
131
+ srv = Puppet::Type.type(:service).new(:name => "yay", :enable => :delayed)
132
+ expect(srv.should(:enable)).to eq(:delayed)
133
+ end
119
134
  end
120
135
  end
121
136
 
@@ -150,105 +165,24 @@ describe test_title, "when validating attribute values" do
150
165
  provider_class_with_logon_credentials = Puppet::Type.type(:service).provide(:simple) do
151
166
  has_features :manages_logon_credentials
152
167
  def logonpassword=(value) end
168
+ def logonaccount_insync?(current) end
153
169
  end
154
170
  allow(Puppet::Type.type(:service)).to receive(:defaultprovider).and_return(provider_class_with_logon_credentials)
155
171
  end
156
172
 
157
173
  describe "the 'logonaccount' property" do
158
- it "should not be munged nor checked when not on Windows" do
159
- allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
160
- service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'NonWindowsUser')
174
+ let(:service) {Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser')}
161
175
 
162
- expect { service }.not_to raise_error
163
- expect(service[:logonaccount]).to eq('NonWindowsUser')
176
+ it "should let superclass implementation resolve insyncness when provider does not respond to the 'logonaccount_insync?' method" do
177
+ allow(service.provider).to receive(:respond_to?).with(:logonaccount_insync?).and_return(false)
178
+ expect(service.property(:logonaccount).insync?('myUser')).to eq(true)
164
179
  end
165
180
 
166
- context "when on Windows", :if => Puppet::Util::Platform.windows? do
167
- before do
168
- allow(Puppet::Util::Windows::User).to receive(:password_is?).and_return(true)
169
- allow(Puppet::Util::Windows::ADSI).to receive(:computer_name).and_return("myPC")
170
- allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return('SeServiceLogonRight')
171
- end
172
-
173
- it "should fail when the `Log On As A Service` right is missing from given user" do
174
- allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser))
175
- allow(Puppet::Util::Windows::User).to receive(:get_rights).with('myPC\\myUser').and_return("")
176
-
177
- expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser') }.to raise_error(Puppet::Error, /"myPC\\myUser" is missing the 'Log On As A Service' right./)
178
- end
179
-
180
- it "should fail when the `Log On As A Service` right is set to denied for given user" do
181
- allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser))
182
- allow(Puppet::Util::Windows::User).to receive(:get_rights).with('myPC\\myUser').and_return("SeDenyServiceLogonRight")
183
-
184
- expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser') }.to raise_error(Puppet::Error, /"myPC\\myUser" has the 'Log On As A Service' right set to denied./)
185
- end
186
-
187
- it "should not fail when given user has the `Log On As A Service` right" do
188
- allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser))
189
- allow(Puppet::Util::Windows::User).to receive(:get_rights).with('myPC\\myUser').and_return("SeServiceLogonRight")
190
-
191
- expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser') }.not_to raise_error
192
- end
193
-
194
- it "should not fail when given user is a default system account even if the `Log On As A Service` right is missing" do
195
- allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser))
196
- allow(Puppet::Util::Windows::User).to receive(:default_system_account?).and_return(true)
197
-
198
- expect(Puppet::Util::Windows::User).not_to receive(:get_rights)
199
- expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser') }.not_to raise_error
200
- end
201
-
202
- ['LocalSystem', '.\LocalSystem', 'myPC\LocalSystem', 'lOcALsysTem'].each do |user_input|
203
- it "should succesfully munge #{user_input} to 'LocalSystem'" do
204
- service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => user_input)
205
-
206
- expect { service }.not_to raise_error
207
- expect(service[:logonaccount]).to eq('LocalSystem')
208
- end
209
- end
210
-
211
- it "should succesfully munge local account" do
212
- allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser))
213
- service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser')
214
-
215
- expect { service }.not_to raise_error
216
- expect(service[:logonaccount]).to eq('.\myUser')
217
- end
218
-
219
- it "should succesfully munge domain account" do
220
- allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("DomainUser", nil, nil, "myDomain", :SidTypeUser))
221
- service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'DomainUser')
222
-
223
- expect { service }.not_to raise_error
224
- expect(service[:logonaccount]).to eq('myDomain\DomainUser')
225
- end
226
-
227
- it "should succesfully munge well known user" do
228
- allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeWellKnownGroup))
229
- service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'LocalService')
230
-
231
- expect { service }.not_to raise_error
232
- expect(service[:logonaccount]).to eq('NT AUTHORITY\LOCAL SERVICE')
233
- end
234
-
235
- it "should succesfully munge a SID" do
236
- allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("NETWORK SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser))
237
- service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'S-1-5-20')
238
-
239
- expect { service }.not_to raise_error
240
- expect(service[:logonaccount]).to eq('NT AUTHORITY\NETWORK SERVICE')
241
- end
242
-
243
- it "should fail when account is invalid" do
244
- allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(nil)
245
- expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'InvalidUser') }.to raise_error(Puppet::Error, /"InvalidUser" is not a valid account/)
246
- end
247
-
248
- it "should fail when sid type is not user or well known user" do
249
- allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(Puppet::Util::Windows::SID::Principal.new("Administrators", nil, nil, "BUILTIN", :SidTypeAlias))
250
- expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'Administrators') }.to raise_error(Puppet::Error, /"Administrators" is not a valid account/)
251
- end
181
+ it "should let provider resolve insyncness when provider responds to the 'logonaccount_insync?' method" do
182
+ allow(service.provider).to receive(:respond_to?).with(:logonaccount_insync?, any_args).and_return(true)
183
+ allow(service.provider).to receive(:logonaccount_insync?).and_return(false)
184
+
185
+ expect(service.property(:logonaccount).insync?('myUser')).to eq(false)
252
186
  end
253
187
  end
254
188
 
@@ -258,7 +192,6 @@ describe test_title, "when validating attribute values" do
258
192
  end
259
193
 
260
194
  it "should default to empty string when only logonaccount is being managed" do
261
- allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
262
195
  service = Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser')
263
196
 
264
197
  expect { service }.not_to raise_error
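Review bot: With the `allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)` stub removed, the "should default to empty string when only logonaccount is being managed" example now runs under whatever platform the spec host really is; the same applies to the "should fail when logonpassword includes the ':' character" example in the next hunk. That is only safe if constructing the type with `:logonaccount => 'myUser'` no longer resolves the account or checks the password on Windows. The Windows-only validation specs deleted elsewhere in this file suggest that logic has left the type, but the type's code is not visible here. I would add a one-line comment above the example, such as `# no platform stub: the type itself performs no account lookup`, and confirm that rejection of invalid accounts and wrong passwords is still covered by a provider-level spec. The enclosing `describe` block starts and ends outside this hunk.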
@@ -271,70 +204,8 @@ describe test_title, "when validating attribute values" do
271
204
  end
272
205
 
273
206
  it "should fail when logonpassword includes the ':' character" do
274
- allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
275
207
  expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser', :logonpassword => 'my:Pass') }.to raise_error(Puppet::Error, /Passwords cannot include ':'/)
276
208
  end
277
-
278
- it "should not further check the password against given account when not on Windows" do
279
- allow(Puppet::Util::Platform).to receive(:windows?).and_return(false)
280
- expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser', :logonpassword => 'myPass') }.not_to raise_error
281
- end
282
-
283
- context "when on Windows", :if => Puppet::Util::Platform.windows? do
284
- before do
285
- allow(Puppet::Util::Windows::ADSI).to receive(:computer_name).and_return("myPC")
286
- allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(name_to_principal_result)
287
- allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return('SeServiceLogonRight')
288
- end
289
-
290
- it "should pass validation when given account is 'LocalSystem'" do
291
- allow(Puppet::Util::Windows::User).to receive(:localsystem?).with('LocalSystem').and_return(true)
292
- allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('LocalSystem').and_return(false)
293
-
294
- expect(Puppet::Util::Windows::SID).not_to receive(:name_to_principal)
295
- expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
296
- expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'LocalSystem') }.not_to raise_error
297
- end
298
-
299
- ['LOCAL SERVICE', 'NETWORK SERVICE', 'SYSTEM'].each do |predefined_local_account|
300
- describe "when given account is #{predefined_local_account}" do
301
- let(:name_to_principal_result) do
302
- Puppet::Util::Windows::SID::Principal.new(predefined_local_account, nil, nil, "NT AUTHORITY", :SidTypeUser)
303
- end
304
-
305
- it "should pass validation" do
306
- allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(predefined_local_account).and_return(false)
307
- expect(Puppet::Util::Windows::User).to receive(:default_system_account?).with(predefined_local_account).and_return(true)
308
- expect(Puppet::Util::Windows::User).to receive(:default_system_account?).with("NT AUTHORITY\\#{predefined_local_account}").and_return(true)
309
-
310
- expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
311
- expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => predefined_local_account) }.not_to raise_error
312
- end
313
- end
314
- end
315
-
316
- let(:name_to_principal_result) do
317
- Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, "myPC", :SidTypeUser)
318
- end
319
-
320
- describe "when given logonaccount is not a predefined local account" do
321
- before do
322
- allow(Puppet::Util::Windows::User).to receive(:localsystem?).with('myUser').and_return(false)
323
- allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('myUser').and_return(false)
324
- allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('.\\myUser').and_return(false)
325
- end
326
-
327
- it "should pass validation if password is proven correct" do
328
- allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myPass', '.').and_return(true)
329
- expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser', :logonpassword => 'myPass') }.not_to raise_error
330
- end
331
-
332
- it "should not pass validation if password check fails" do
333
- allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myWrongPass', '.').and_return(false)
334
- expect { Puppet::Type.type(:service).new(:name => "yay", :logonaccount => 'myUser', :logonpassword => 'myWrongPass') }.to raise_error(Puppet::Error, /The given password is invalid for user '.\\myUser'/)
335
- end
336
- end
337
- end
338
209
  end
339
210
  end
340
211