puppet 6.22.1-x64-mingw32 → 6.23.0-x64-mingw32
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of puppet might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Gemfile.lock +14 -14
- data/ext/osx/puppet.plist +2 -0
- data/lib/puppet/application/agent.rb +12 -5
- data/lib/puppet/application/apply.rb +2 -1
- data/lib/puppet/application/device.rb +2 -1
- data/lib/puppet/application/resource.rb +2 -1
- data/lib/puppet/application/script.rb +2 -1
- data/lib/puppet/configurer/downloader.rb +2 -1
- data/lib/puppet/defaults.rb +5 -3
- data/lib/puppet/file_serving/fileset.rb +14 -2
- data/lib/puppet/functions/all.rb +1 -1
- data/lib/puppet/functions/camelcase.rb +1 -1
- data/lib/puppet/functions/capitalize.rb +2 -2
- data/lib/puppet/functions/downcase.rb +2 -2
- data/lib/puppet/functions/get.rb +5 -5
- data/lib/puppet/functions/group_by.rb +13 -5
- data/lib/puppet/functions/lest.rb +1 -1
- data/lib/puppet/functions/new.rb +100 -100
- data/lib/puppet/functions/partition.rb +4 -4
- data/lib/puppet/functions/require.rb +5 -5
- data/lib/puppet/functions/sort.rb +3 -3
- data/lib/puppet/functions/tree_each.rb +7 -9
- data/lib/puppet/functions/type.rb +4 -4
- data/lib/puppet/functions/upcase.rb +2 -2
- data/lib/puppet/http/resolver/server_list.rb +15 -4
- data/lib/puppet/http/service/compiler.rb +69 -0
- data/lib/puppet/http/service/file_server.rb +2 -1
- data/lib/puppet/indirector/catalog/compiler.rb +1 -0
- data/lib/puppet/indirector/file_metadata/rest.rb +1 -0
- data/lib/puppet/parser/functions/fqdn_rand.rb +14 -6
- data/lib/puppet/pops/types/p_sem_ver_type.rb +8 -2
- data/lib/puppet/pops/types/p_sensitive_type.rb +10 -0
- data/lib/puppet/provider/package/nim.rb +11 -6
- data/lib/puppet/provider/service/systemd.rb +13 -3
- data/lib/puppet/provider/service/windows.rb +38 -0
- data/lib/puppet/provider/user/directoryservice.rb +25 -12
- data/lib/puppet/reference/configuration.rb +1 -1
- data/lib/puppet/transaction/additional_resource_generator.rb +1 -1
- data/lib/puppet/type/file.rb +19 -1
- data/lib/puppet/type/file/selcontext.rb +1 -1
- data/lib/puppet/type/service.rb +18 -38
- data/lib/puppet/type/tidy.rb +21 -2
- data/lib/puppet/type/user.rb +38 -20
- data/lib/puppet/util/selinux.rb +30 -4
- data/lib/puppet/version.rb +1 -1
- data/locales/puppet.pot +109 -101
- data/man/man5/puppet.conf.5 +272 -252
- data/man/man8/puppet-agent.8 +1 -1
- data/man/man8/puppet-apply.8 +1 -1
- data/man/man8/puppet-catalog.8 +1 -1
- data/man/man8/puppet-config.8 +1 -1
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +1 -1
- data/man/man8/puppet-filebucket.8 +1 -1
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +1 -1
- data/man/man8/puppet-key.8 +1 -1
- data/man/man8/puppet-lookup.8 +1 -1
- data/man/man8/puppet-man.8 +1 -1
- data/man/man8/puppet-module.8 +1 -1
- data/man/man8/puppet-node.8 +1 -1
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +1 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +1 -1
- data/man/man8/puppet-status.8 +1 -1
- data/man/man8/puppet.8 +2 -2
- data/spec/fixtures/ssl/127.0.0.1-key.pem +107 -57
- data/spec/fixtures/ssl/127.0.0.1.pem +52 -31
- data/spec/fixtures/ssl/bad-basic-constraints.pem +57 -35
- data/spec/fixtures/ssl/bad-int-basic-constraints.pem +57 -35
- data/spec/fixtures/ssl/ca.pem +57 -35
- data/spec/fixtures/ssl/crl.pem +28 -18
- data/spec/fixtures/ssl/ec-key.pem +11 -11
- data/spec/fixtures/ssl/ec.pem +33 -24
- data/spec/fixtures/ssl/encrypted-ec-key.pem +12 -12
- data/spec/fixtures/ssl/encrypted-key.pem +108 -58
- data/spec/fixtures/ssl/intermediate-agent-crl.pem +28 -19
- data/spec/fixtures/ssl/intermediate-agent.pem +57 -36
- data/spec/fixtures/ssl/intermediate-crl.pem +31 -21
- data/spec/fixtures/ssl/intermediate.pem +57 -36
- data/spec/fixtures/ssl/pluto-key.pem +107 -57
- data/spec/fixtures/ssl/pluto.pem +52 -30
- data/spec/fixtures/ssl/request-key.pem +107 -57
- data/spec/fixtures/ssl/request.pem +47 -26
- data/spec/fixtures/ssl/revoked-key.pem +107 -57
- data/spec/fixtures/ssl/revoked.pem +52 -30
- data/spec/fixtures/ssl/signed-key.pem +107 -57
- data/spec/fixtures/ssl/signed.pem +52 -30
- data/spec/fixtures/ssl/tampered-cert.pem +52 -30
- data/spec/fixtures/ssl/tampered-csr.pem +47 -26
- data/spec/fixtures/ssl/unknown-127.0.0.1-key.pem +107 -57
- data/spec/fixtures/ssl/unknown-127.0.0.1.pem +50 -29
- data/spec/fixtures/ssl/unknown-ca-key.pem +107 -57
- data/spec/fixtures/ssl/unknown-ca.pem +55 -33
- data/spec/integration/application/resource_spec.rb +30 -0
- data/spec/lib/puppet/test_ca.rb +2 -2
- data/spec/unit/application/agent_spec.rb +7 -2
- data/spec/unit/configurer/downloader_spec.rb +6 -0
- data/spec/unit/configurer_spec.rb +23 -0
- data/spec/unit/file_serving/fileset_spec.rb +60 -0
- data/spec/unit/gettext/config_spec.rb +12 -0
- data/spec/unit/http/service/compiler_spec.rb +123 -0
- data/spec/unit/indirector/catalog/compiler_spec.rb +14 -10
- data/spec/unit/parser/functions/fqdn_rand_spec.rb +15 -1
- data/spec/unit/pops/types/p_sem_ver_type_spec.rb +18 -0
- data/spec/unit/pops/types/p_sensitive_type_spec.rb +18 -0
- data/spec/unit/provider/package/nim_spec.rb +42 -0
- data/spec/unit/provider/service/init_spec.rb +1 -0
- data/spec/unit/provider/service/openwrt_spec.rb +3 -1
- data/spec/unit/provider/service/systemd_spec.rb +42 -8
- data/spec/unit/provider/service/windows_spec.rb +202 -0
- data/spec/unit/provider/user/directoryservice_spec.rb +67 -35
- data/spec/unit/ssl/state_machine_spec.rb +19 -5
- data/spec/unit/transaction/additional_resource_generator_spec.rb +0 -2
- data/spec/unit/transaction_spec.rb +18 -20
- data/spec/unit/type/file/selinux_spec.rb +3 -3
- data/spec/unit/type/service_spec.rb +59 -188
- data/spec/unit/type/tidy_spec.rb +17 -7
- data/spec/unit/type/user_spec.rb +45 -0
- data/spec/unit/util/selinux_spec.rb +87 -16
- data/tasks/generate_cert_fixtures.rake +2 -2
- metadata +4 -2
@@ -83,6 +83,7 @@ describe 'Puppet::Type::Service::Provider::Init',
|
|
83
83
|
allow(provider_class).to receive(:defpath).and_return('tmp')
|
84
84
|
|
85
85
|
@services = ['one', 'two', 'three', 'four', 'umountfs']
|
86
|
+
allow(Dir).to receive(:entries).and_call_original
|
86
87
|
allow(Dir).to receive(:entries).with('tmp').and_return(@services)
|
87
88
|
expect(FileTest).to receive(:directory?).with('tmp').and_return(true)
|
88
89
|
allow(FileTest).to receive(:executable?).and_return(true)
|
@@ -32,6 +32,7 @@ describe 'Puppet::Type::Service::Provider::Openwrt',
|
|
32
32
|
allow(File).to receive(:directory?).with('/etc/init.d').and_return(true)
|
33
33
|
|
34
34
|
allow(Puppet::FileSystem).to receive(:exist?).with('/etc/init.d/myservice').and_return(true)
|
35
|
+
allow(FileTest).to receive(:file?).and_call_original
|
35
36
|
allow(FileTest).to receive(:file?).with('/etc/init.d/myservice').and_return(true)
|
36
37
|
allow(FileTest).to receive(:executable?).with('/etc/init.d/myservice').and_return(true)
|
37
38
|
end
|
@@ -47,7 +48,8 @@ describe 'Puppet::Type::Service::Provider::Openwrt',
|
|
47
48
|
let(:services) {['dnsmasq', 'dropbear', 'firewall', 'led', 'puppet', 'uhttpd' ]}
|
48
49
|
|
49
50
|
before :each do
|
50
|
-
allow(Dir).to receive(:entries).
|
51
|
+
allow(Dir).to receive(:entries).and_call_original
|
52
|
+
allow(Dir).to receive(:entries).with('/etc/init.d').and_return(services)
|
51
53
|
allow(FileTest).to receive(:directory?).and_return(true)
|
52
54
|
allow(FileTest).to receive(:executable?).and_return(true)
|
53
55
|
end
|
@@ -357,6 +357,9 @@ Jun 14 21:43:23 foo.example.com systemd[1]: sshd.service lacks both ExecStart= a
|
|
357
357
|
describe "#mask" do
|
358
358
|
it "should run systemctl to disable and mask a service" do
|
359
359
|
provider = provider_class.new(Puppet::Type.type(:service).new(:name => 'sshd.service'))
|
360
|
+
expect(provider).to receive(:execute).
|
361
|
+
with(['/bin/systemctl','cat', '--', 'sshd.service'], :failonfail => false).
|
362
|
+
and_return(Puppet::Util::Execution::ProcessOutput.new("# /lib/systemd/system/sshd.service\n...", 0))
|
360
363
|
# :disable is the only call in the provider that uses a symbol instead of
|
361
364
|
# a string.
|
362
365
|
# This should be made consistent in the future and all tests updated.
|
@@ -364,6 +367,15 @@ Jun 14 21:43:23 foo.example.com systemd[1]: sshd.service lacks both ExecStart= a
|
|
364
367
|
expect(provider).to receive(:systemctl).with(:mask, '--', 'sshd.service')
|
365
368
|
provider.mask
|
366
369
|
end
|
370
|
+
|
371
|
+
it "masks a service that doesn't exist" do
|
372
|
+
provider = provider_class.new(Puppet::Type.type(:service).new(:name => 'doesnotexist.service'))
|
373
|
+
expect(provider).to receive(:execute).
|
374
|
+
with(['/bin/systemctl','cat', '--', 'doesnotexist.service'], :failonfail => false).
|
375
|
+
and_return(Puppet::Util::Execution::ProcessOutput.new("No files found for doesnotexist.service.\n", 1))
|
376
|
+
expect(provider).to receive(:systemctl).with(:mask, '--', 'doesnotexist.service')
|
377
|
+
provider.mask
|
378
|
+
end
|
367
379
|
end
|
368
380
|
|
369
381
|
# Note: systemd provider does not care about hasstatus or a custom status
|
@@ -467,17 +479,39 @@ Jun 14 21:43:23 foo.example.com systemd[1]: sshd.service lacks both ExecStart= a
|
|
467
479
|
context 'when service state is static' do
|
468
480
|
let(:service_state) { 'static' }
|
469
481
|
|
470
|
-
|
471
|
-
|
472
|
-
|
482
|
+
context 'when enable is not mask' do
|
483
|
+
it 'is always enabled_insync even if current value is the same as expected' do
|
484
|
+
expect(provider).to be_enabled_insync(:false)
|
485
|
+
end
|
473
486
|
|
474
|
-
|
475
|
-
|
487
|
+
it 'is always enabled_insync even if current value is not the same as expected' do
|
488
|
+
expect(provider).to be_enabled_insync(:true)
|
489
|
+
end
|
490
|
+
|
491
|
+
it 'logs a debug messsage' do
|
492
|
+
expect(Puppet).to receive(:debug).with("Unable to enable or disable static service sshd.service")
|
493
|
+
provider.enabled_insync?(:true)
|
494
|
+
end
|
476
495
|
end
|
477
496
|
|
478
|
-
|
479
|
-
|
480
|
-
|
497
|
+
context 'when enable is mask' do
|
498
|
+
let(:provider) do
|
499
|
+
provider_class.new(Puppet::Type.type(:service).new(:name => 'sshd.service',
|
500
|
+
:enable => 'mask'))
|
501
|
+
end
|
502
|
+
|
503
|
+
it 'is enabled_insync if current value is the same as expected' do
|
504
|
+
expect(provider).to be_enabled_insync(:mask)
|
505
|
+
end
|
506
|
+
|
507
|
+
it 'is not enabled_insync if current value is not the same as expected' do
|
508
|
+
expect(provider).not_to be_enabled_insync(:true)
|
509
|
+
end
|
510
|
+
|
511
|
+
it 'logs no debug messsage' do
|
512
|
+
expect(Puppet).not_to receive(:debug)
|
513
|
+
provider.enabled_insync?(:true)
|
514
|
+
end
|
481
515
|
end
|
482
516
|
end
|
483
517
|
|
@@ -271,4 +271,206 @@ describe 'Puppet::Type::Service::Provider::Windows',
|
|
271
271
|
}.to raise_error(Puppet::Error, /Cannot enable #{name}/)
|
272
272
|
end
|
273
273
|
end
|
274
|
+
|
275
|
+
describe "when managing logon credentials" do
|
276
|
+
before do
|
277
|
+
allow(Puppet::Util::Windows::ADSI).to receive(:computer_name).and_return(computer_name)
|
278
|
+
allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(principal)
|
279
|
+
allow(Puppet::Util::Windows::Service).to receive(:set_startup_configuration).and_return(nil)
|
280
|
+
end
|
281
|
+
|
282
|
+
let(:computer_name) { 'myPC' }
|
283
|
+
|
284
|
+
describe "#logonaccount=" do
|
285
|
+
before do
|
286
|
+
allow(Puppet::Util::Windows::User).to receive(:password_is?).and_return(true)
|
287
|
+
resource[:logonaccount] = user_input
|
288
|
+
provider.logonaccount_insync?(user_input)
|
289
|
+
end
|
290
|
+
|
291
|
+
let(:user_input) { principal.account }
|
292
|
+
let(:principal) do
|
293
|
+
Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, computer_name, :SidTypeUser)
|
294
|
+
end
|
295
|
+
|
296
|
+
context "when given user is 'myUser'" do
|
297
|
+
it "should fail when the `Log On As A Service` right is missing from given user" do
|
298
|
+
allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("")
|
299
|
+
expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /".\\#{principal.account}" is missing the 'Log On As A Service' right./)
|
300
|
+
end
|
301
|
+
|
302
|
+
it "should fail when the `Log On As A Service` right is set to denied for given user" do
|
303
|
+
allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeDenyServiceLogonRight")
|
304
|
+
expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /".\\#{principal.account}" has the 'Log On As A Service' right set to denied./)
|
305
|
+
end
|
306
|
+
|
307
|
+
it "should not fail when given user has the `Log On As A Service` right" do
|
308
|
+
allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeServiceLogonRight")
|
309
|
+
expect { provider.logonaccount=(user_input) }.not_to raise_error
|
310
|
+
end
|
311
|
+
|
312
|
+
['myUser', 'myPC\\myUser', ".\\myUser", "MYPC\\mYuseR"].each do |user_input_variant|
|
313
|
+
let(:user_input) { user_input_variant }
|
314
|
+
|
315
|
+
it "should succesfully munge #{user_input_variant} to '.\\myUser'" do
|
316
|
+
allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeServiceLogonRight")
|
317
|
+
expect { provider.logonaccount=(user_input) }.not_to raise_error
|
318
|
+
expect(resource[:logonaccount]).to eq(".\\myUser")
|
319
|
+
end
|
320
|
+
end
|
321
|
+
end
|
322
|
+
|
323
|
+
context "when given user is a system account" do
|
324
|
+
before do
|
325
|
+
allow(Puppet::Util::Windows::User).to receive(:default_system_account?).and_return(true)
|
326
|
+
end
|
327
|
+
|
328
|
+
let(:user_input) { principal.account }
|
329
|
+
let(:principal) do
|
330
|
+
Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser)
|
331
|
+
end
|
332
|
+
|
333
|
+
it "should not fail when given user is a default system account even if the `Log On As A Service` right is missing" do
|
334
|
+
expect(Puppet::Util::Windows::User).not_to receive(:get_rights)
|
335
|
+
expect { provider.logonaccount=(user_input) }.not_to raise_error
|
336
|
+
end
|
337
|
+
|
338
|
+
['LocalSystem', '.\LocalSystem', 'myPC\LocalSystem', 'lOcALsysTem'].each do |user_input_variant|
|
339
|
+
let(:user_input) { user_input_variant }
|
340
|
+
|
341
|
+
it "should succesfully munge #{user_input_variant} to 'LocalSystem'" do
|
342
|
+
expect { provider.logonaccount=(user_input) }.not_to raise_error
|
343
|
+
expect(resource[:logonaccount]).to eq('LocalSystem')
|
344
|
+
end
|
345
|
+
end
|
346
|
+
end
|
347
|
+
|
348
|
+
context "when domain is different from computer name" do
|
349
|
+
before do
|
350
|
+
allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return("SeServiceLogonRight")
|
351
|
+
end
|
352
|
+
|
353
|
+
context "when given user is from AD" do
|
354
|
+
let(:user_input) { 'myRemoteUser' }
|
355
|
+
let(:principal) do
|
356
|
+
Puppet::Util::Windows::SID::Principal.new("myRemoteUser", nil, nil, "AD", :SidTypeUser)
|
357
|
+
end
|
358
|
+
|
359
|
+
it "should not raise any error" do
|
360
|
+
expect { provider.logonaccount=(user_input) }.not_to raise_error
|
361
|
+
end
|
362
|
+
|
363
|
+
it "should succesfully be munged" do
|
364
|
+
expect { provider.logonaccount=(user_input) }.not_to raise_error
|
365
|
+
expect(resource[:logonaccount]).to eq('AD\myRemoteUser')
|
366
|
+
end
|
367
|
+
end
|
368
|
+
|
369
|
+
context "when given user is LocalService" do
|
370
|
+
let(:user_input) { 'LocalService' }
|
371
|
+
let(:principal) do
|
372
|
+
Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeWellKnownGroup)
|
373
|
+
end
|
374
|
+
|
375
|
+
it "should succesfully munge well known user" do
|
376
|
+
expect { provider.logonaccount=(user_input) }.not_to raise_error
|
377
|
+
expect(resource[:logonaccount]).to eq('NT AUTHORITY\LOCAL SERVICE')
|
378
|
+
end
|
379
|
+
end
|
380
|
+
|
381
|
+
context "when given user is in SID form" do
|
382
|
+
let(:user_input) { 'S-1-5-20' }
|
383
|
+
let(:principal) do
|
384
|
+
Puppet::Util::Windows::SID::Principal.new("NETWORK SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser)
|
385
|
+
end
|
386
|
+
|
387
|
+
it "should succesfully munge" do
|
388
|
+
expect { provider.logonaccount=(user_input) }.not_to raise_error
|
389
|
+
expect(resource[:logonaccount]).to eq('NT AUTHORITY\NETWORK SERVICE')
|
390
|
+
end
|
391
|
+
end
|
392
|
+
|
393
|
+
context "when given user is actually a group" do
|
394
|
+
let(:principal) do
|
395
|
+
Puppet::Util::Windows::SID::Principal.new("Administrators", nil, nil, "BUILTIN", :SidTypeAlias)
|
396
|
+
end
|
397
|
+
let(:user_input) { 'Administrators' }
|
398
|
+
|
399
|
+
it "should fail when sid type is not user or well known user" do
|
400
|
+
expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /"BUILTIN\\#{user_input}" is not a valid account/)
|
401
|
+
end
|
402
|
+
end
|
403
|
+
end
|
404
|
+
end
|
405
|
+
|
406
|
+
describe "#logonpassword=" do
|
407
|
+
before do
|
408
|
+
allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return('SeServiceLogonRight')
|
409
|
+
resource[:logonaccount] = account
|
410
|
+
resource[:logonpassword] = user_input
|
411
|
+
provider.logonaccount_insync?(account)
|
412
|
+
end
|
413
|
+
|
414
|
+
let(:account) { 'LocalSystem' }
|
415
|
+
|
416
|
+
describe "when given logonaccount is a predefined_local_account" do
|
417
|
+
let(:user_input) { 'pass' }
|
418
|
+
let(:principal) { nil }
|
419
|
+
|
420
|
+
it "should pass validation when given account is 'LocalSystem'" do
|
421
|
+
allow(Puppet::Util::Windows::User).to receive(:localsystem?).with('LocalSystem').and_return(true)
|
422
|
+
allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('LocalSystem').and_return(true)
|
423
|
+
|
424
|
+
expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
|
425
|
+
expect { provider.logonpassword=(user_input) }.not_to raise_error
|
426
|
+
end
|
427
|
+
|
428
|
+
['LOCAL SERVICE', 'NETWORK SERVICE', 'SYSTEM'].each do |predefined_local_account|
|
429
|
+
describe "when given account is #{predefined_local_account}" do
|
430
|
+
let(:account) { 'predefined_local_account' }
|
431
|
+
let(:principal) do
|
432
|
+
Puppet::Util::Windows::SID::Principal.new(account, nil, nil, "NT AUTHORITY", :SidTypeUser)
|
433
|
+
end
|
434
|
+
|
435
|
+
it "should pass validation" do
|
436
|
+
allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(principal.account).and_return(false)
|
437
|
+
allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(principal.domain_account).and_return(false)
|
438
|
+
expect(Puppet::Util::Windows::User).to receive(:default_system_account?).with(principal.domain_account).and_return(true).twice
|
439
|
+
|
440
|
+
expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
|
441
|
+
expect { provider.logonpassword=(user_input) }.not_to raise_error
|
442
|
+
end
|
443
|
+
end
|
444
|
+
end
|
445
|
+
end
|
446
|
+
|
447
|
+
describe "when given logonaccount is not a predefined local account" do
|
448
|
+
before do
|
449
|
+
allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(".\\#{principal.account}").and_return(false)
|
450
|
+
allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with(".\\#{principal.account}").and_return(false)
|
451
|
+
end
|
452
|
+
|
453
|
+
let(:account) { 'myUser' }
|
454
|
+
let(:principal) do
|
455
|
+
Puppet::Util::Windows::SID::Principal.new(account, nil, nil, computer_name, :SidTypeUser)
|
456
|
+
end
|
457
|
+
|
458
|
+
describe "when password is proven correct" do
|
459
|
+
let(:user_input) { 'myPass' }
|
460
|
+
it "should pass validation" do
|
461
|
+
allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myPass', '.').and_return(true)
|
462
|
+
expect { provider.logonpassword=(user_input) }.not_to raise_error
|
463
|
+
end
|
464
|
+
end
|
465
|
+
|
466
|
+
describe "when password is not proven correct" do
|
467
|
+
let(:user_input) { 'myWrongPass' }
|
468
|
+
it "should not pass validation" do
|
469
|
+
allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myWrongPass', '.').and_return(false)
|
470
|
+
expect { provider.logonpassword=(user_input) }.to raise_error(Puppet::Error, /The given password is invalid for user '.\\myUser'/)
|
471
|
+
end
|
472
|
+
end
|
473
|
+
end
|
474
|
+
end
|
475
|
+
end
|
274
476
|
end
|
@@ -925,28 +925,75 @@ end
|
|
925
925
|
}
|
926
926
|
end
|
927
927
|
|
928
|
-
|
929
|
-
|
930
|
-
expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(sha512_shadowhashdata)
|
931
|
-
expect(provider.class).to receive(:get_os_version).and_return('10.7')
|
932
|
-
expect(provider).to receive(:set_salted_sha512).with(sample_users_plist, sha512_shadowhashdata, sha512_password_hash)
|
933
|
-
provider.write_password_to_users_plist(sha512_password_hash)
|
928
|
+
before do
|
929
|
+
allow(provider).to receive(:merge_attribute_with_dscl).with('Users', username, 'AuthenticationAuthority', any_args)
|
934
930
|
end
|
935
931
|
|
936
|
-
|
937
|
-
|
938
|
-
|
939
|
-
|
940
|
-
|
941
|
-
|
932
|
+
describe 'when on macOS 11 (Big Sur) or greater' do
|
933
|
+
before do
|
934
|
+
allow(provider.class).to receive(:get_os_version).and_return('11.0.0')
|
935
|
+
end
|
936
|
+
|
937
|
+
it 'should add salted_sha512_pbkdf2 AuthenticationAuthority key if missing' do
|
938
|
+
expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
|
939
|
+
expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
|
940
|
+
expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
|
941
|
+
expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(true)
|
942
|
+
|
943
|
+
expect(Puppet).to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
|
944
|
+
provider.write_password_to_users_plist(pbkdf2_password_hash)
|
945
|
+
end
|
946
|
+
|
947
|
+
it 'should not add salted_sha512_pbkdf2 AuthenticationAuthority key if not missing' do
|
948
|
+
expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
|
949
|
+
expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
|
950
|
+
expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
|
951
|
+
expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
|
952
|
+
|
953
|
+
expect(Puppet).not_to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
|
954
|
+
provider.write_password_to_users_plist(pbkdf2_password_hash)
|
955
|
+
end
|
942
956
|
end
|
943
957
|
|
944
|
-
|
945
|
-
|
946
|
-
|
947
|
-
|
948
|
-
|
949
|
-
|
958
|
+
describe 'when on macOS version lower than 11' do
|
959
|
+
before do
|
960
|
+
allow(provider.class).to receive(:get_os_version)
|
961
|
+
allow(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
|
962
|
+
end
|
963
|
+
|
964
|
+
it 'should not add salted_sha512_pbkdf2 AuthenticationAuthority' do
|
965
|
+
expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
|
966
|
+
expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
|
967
|
+
expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
|
968
|
+
expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
|
969
|
+
|
970
|
+
expect(Puppet).not_to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
|
971
|
+
provider.write_password_to_users_plist(pbkdf2_password_hash)
|
972
|
+
end
|
973
|
+
|
974
|
+
it 'should call set_salted_sha512 on 10.7 when given a salted-SHA512 password hash' do
|
975
|
+
expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
|
976
|
+
expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(sha512_shadowhashdata)
|
977
|
+
expect(provider.class).to receive(:get_os_version).and_return('10.7')
|
978
|
+
expect(provider).to receive(:set_salted_sha512).with(sample_users_plist, sha512_shadowhashdata, sha512_password_hash)
|
979
|
+
provider.write_password_to_users_plist(sha512_password_hash)
|
980
|
+
end
|
981
|
+
|
982
|
+
it 'should call set_salted_pbkdf2 on 10.8 when given a PBKDF2 password hash' do
|
983
|
+
expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
|
984
|
+
expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
|
985
|
+
expect(provider.class).to receive(:get_os_version).and_return('10.8')
|
986
|
+
expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
|
987
|
+
provider.write_password_to_users_plist(pbkdf2_password_hash)
|
988
|
+
end
|
989
|
+
|
990
|
+
it "should delete the SALTED-SHA512 key in the shadow_hash_data hash if it exists on a 10.8 system and write_password_to_users_plist has been called to set the user's password" do
|
991
|
+
expect(provider).to receive(:get_users_plist).and_return('users_plist')
|
992
|
+
expect(provider).to receive(:get_shadow_hash_data).with('users_plist').and_return(sha512_shadowhashdata)
|
993
|
+
expect(provider.class).to receive(:get_os_version).and_return('10.8')
|
994
|
+
expect(provider).to receive(:set_salted_pbkdf2).with('users_plist', {}, 'entropy', pbkdf2_password_hash)
|
995
|
+
provider.write_password_to_users_plist(pbkdf2_password_hash)
|
996
|
+
end
|
950
997
|
end
|
951
998
|
end
|
952
999
|
|
@@ -974,16 +1021,7 @@ end
|
|
974
1021
|
describe '#set_shadow_hash_data' do
|
975
1022
|
let(:users_plist) { {'ShadowHashData' => ['string_data'] } }
|
976
1023
|
|
977
|
-
it 'should flush the plist data to
|
978
|
-
allow(provider.class).to receive(:get_os_version).and_return('10.12')
|
979
|
-
|
980
|
-
expect(provider).to receive(:write_users_plist_to_disk)
|
981
|
-
provider.set_shadow_hash_data(users_plist, pbkdf2_embedded_plist)
|
982
|
-
end
|
983
|
-
|
984
|
-
it 'should flush the plist data a temporary file on OS X >= 10.15' do
|
985
|
-
allow(provider.class).to receive(:get_os_version).and_return('10.15')
|
986
|
-
|
1024
|
+
it 'should flush the plist data to a temporary file' do
|
987
1025
|
expect(provider).to receive(:write_and_import_shadow_hash_data)
|
988
1026
|
provider.set_shadow_hash_data(users_plist, pbkdf2_embedded_plist)
|
989
1027
|
end
|
@@ -1033,13 +1071,6 @@ end
|
|
1033
1071
|
end
|
1034
1072
|
end
|
1035
1073
|
|
1036
|
-
describe '#write_users_plist_to_disk' do
|
1037
|
-
it 'should save the passed plist to disk and convert it to a binary plist' do
|
1038
|
-
expect(Puppet::Util::Plist).to receive(:write_plist_file).with(user_plist_xml, "#{users_plist_dir}/nonexistent_user.plist", :binary)
|
1039
|
-
provider.write_users_plist_to_disk(user_plist_xml)
|
1040
|
-
end
|
1041
|
-
end
|
1042
|
-
|
1043
1074
|
describe '#write_and_import_shadow_hash_data' do
|
1044
1075
|
it 'should save the passed plist to a temporary file and import it' do
|
1045
1076
|
tmpfile = double('tempfile', :path => "/tmp/dsimport_#{username}", :flush => nil)
|
@@ -1203,6 +1234,7 @@ end
|
|
1203
1234
|
before :each do
|
1204
1235
|
allow(provider.class).to receive(:get_all_users).and_return(all_users_hash)
|
1205
1236
|
allow(provider.class).to receive(:get_list_of_groups).and_return(group_plist_hash_guid)
|
1237
|
+
allow(provider).to receive(:merge_attribute_with_dscl).with('Users', username, 'AuthenticationAuthority', any_args)
|
1206
1238
|
provider.class.prefetch({})
|
1207
1239
|
end
|
1208
1240
|
|
@@ -31,6 +31,14 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
|
|
31
31
|
allow(Kernel).to receive(:sleep)
|
32
32
|
end
|
33
33
|
|
34
|
+
def expected_digest(name, content)
|
35
|
+
OpenSSL::Digest.new(name).hexdigest(content)
|
36
|
+
end
|
37
|
+
|
38
|
+
def to_fingerprint(digest)
|
39
|
+
digest.scan(/../).join(':').upcase
|
40
|
+
end
|
41
|
+
|
34
42
|
context 'when passing keyword arguments' do
|
35
43
|
it "accepts digest" do
|
36
44
|
expect(described_class.new(digest: 'SHA512').digest).to eq('SHA512')
|
@@ -395,29 +403,35 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
|
|
395
403
|
|
396
404
|
it 'verifies CA cert bundle if a ca_fingerprint is given case-insensitively' do
|
397
405
|
Puppet[:log_level] = :info
|
398
|
-
|
406
|
+
|
407
|
+
digest = expected_digest('SHA256', cacert_pem)
|
408
|
+
fingerprint = to_fingerprint(digest)
|
409
|
+
machine = described_class.new(digest: 'SHA256', ca_fingerprint: digest.downcase)
|
399
410
|
state = Puppet::SSL::StateMachine::NeedCACerts.new(machine)
|
400
411
|
state.next_state
|
401
412
|
|
402
|
-
expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA256)
|
413
|
+
expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA256) #{fingerprint}"))
|
403
414
|
end
|
404
415
|
|
405
416
|
it 'verifies CA cert bundle using non-default fingerprint' do
|
406
417
|
Puppet[:log_level] = :info
|
407
|
-
|
418
|
+
|
419
|
+
digest = expected_digest('SHA512', cacert_pem)
|
420
|
+
machine = described_class.new(digest: 'SHA512', ca_fingerprint: digest)
|
408
421
|
state = Puppet::SSL::StateMachine::NeedCACerts.new(machine)
|
409
422
|
state.next_state
|
410
423
|
|
411
|
-
expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA512)
|
424
|
+
expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA512) #{to_fingerprint(digest)}"))
|
412
425
|
end
|
413
426
|
|
414
427
|
it 'returns an error if verification fails' do
|
415
428
|
machine = described_class.new(digest: 'SHA256', ca_fingerprint: 'wrong!')
|
416
429
|
state = Puppet::SSL::StateMachine::NeedCACerts.new(machine)
|
417
430
|
|
431
|
+
fingerprint = to_fingerprint(expected_digest('SHA256', cacert_pem))
|
418
432
|
st = state.next_state
|
419
433
|
expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
|
420
|
-
expect(st.message).to eq("CA bundle with digest (SHA256)
|
434
|
+
expect(st.message).to eq("CA bundle with digest (SHA256) #{fingerprint} did not match expected digest WR:ON:G!")
|
421
435
|
end
|
422
436
|
end
|
423
437
|
end
|