puppet 6.22.1-x64-mingw32 → 6.23.0-x64-mingw32

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of puppet might be problematic. Click here for more details.

Files changed (129) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +14 -14
  3. data/ext/osx/puppet.plist +2 -0
  4. data/lib/puppet/application/agent.rb +12 -5
  5. data/lib/puppet/application/apply.rb +2 -1
  6. data/lib/puppet/application/device.rb +2 -1
  7. data/lib/puppet/application/resource.rb +2 -1
  8. data/lib/puppet/application/script.rb +2 -1
  9. data/lib/puppet/configurer/downloader.rb +2 -1
  10. data/lib/puppet/defaults.rb +5 -3
  11. data/lib/puppet/file_serving/fileset.rb +14 -2
  12. data/lib/puppet/functions/all.rb +1 -1
  13. data/lib/puppet/functions/camelcase.rb +1 -1
  14. data/lib/puppet/functions/capitalize.rb +2 -2
  15. data/lib/puppet/functions/downcase.rb +2 -2
  16. data/lib/puppet/functions/get.rb +5 -5
  17. data/lib/puppet/functions/group_by.rb +13 -5
  18. data/lib/puppet/functions/lest.rb +1 -1
  19. data/lib/puppet/functions/new.rb +100 -100
  20. data/lib/puppet/functions/partition.rb +4 -4
  21. data/lib/puppet/functions/require.rb +5 -5
  22. data/lib/puppet/functions/sort.rb +3 -3
  23. data/lib/puppet/functions/tree_each.rb +7 -9
  24. data/lib/puppet/functions/type.rb +4 -4
  25. data/lib/puppet/functions/upcase.rb +2 -2
  26. data/lib/puppet/http/resolver/server_list.rb +15 -4
  27. data/lib/puppet/http/service/compiler.rb +69 -0
  28. data/lib/puppet/http/service/file_server.rb +2 -1
  29. data/lib/puppet/indirector/catalog/compiler.rb +1 -0
  30. data/lib/puppet/indirector/file_metadata/rest.rb +1 -0
  31. data/lib/puppet/parser/functions/fqdn_rand.rb +14 -6
  32. data/lib/puppet/pops/types/p_sem_ver_type.rb +8 -2
  33. data/lib/puppet/pops/types/p_sensitive_type.rb +10 -0
  34. data/lib/puppet/provider/package/nim.rb +11 -6
  35. data/lib/puppet/provider/service/systemd.rb +13 -3
  36. data/lib/puppet/provider/service/windows.rb +38 -0
  37. data/lib/puppet/provider/user/directoryservice.rb +25 -12
  38. data/lib/puppet/reference/configuration.rb +1 -1
  39. data/lib/puppet/transaction/additional_resource_generator.rb +1 -1
  40. data/lib/puppet/type/file.rb +19 -1
  41. data/lib/puppet/type/file/selcontext.rb +1 -1
  42. data/lib/puppet/type/service.rb +18 -38
  43. data/lib/puppet/type/tidy.rb +21 -2
  44. data/lib/puppet/type/user.rb +38 -20
  45. data/lib/puppet/util/selinux.rb +30 -4
  46. data/lib/puppet/version.rb +1 -1
  47. data/locales/puppet.pot +109 -101
  48. data/man/man5/puppet.conf.5 +272 -252
  49. data/man/man8/puppet-agent.8 +1 -1
  50. data/man/man8/puppet-apply.8 +1 -1
  51. data/man/man8/puppet-catalog.8 +1 -1
  52. data/man/man8/puppet-config.8 +1 -1
  53. data/man/man8/puppet-describe.8 +1 -1
  54. data/man/man8/puppet-device.8 +1 -1
  55. data/man/man8/puppet-doc.8 +1 -1
  56. data/man/man8/puppet-epp.8 +1 -1
  57. data/man/man8/puppet-facts.8 +1 -1
  58. data/man/man8/puppet-filebucket.8 +1 -1
  59. data/man/man8/puppet-generate.8 +1 -1
  60. data/man/man8/puppet-help.8 +1 -1
  61. data/man/man8/puppet-key.8 +1 -1
  62. data/man/man8/puppet-lookup.8 +1 -1
  63. data/man/man8/puppet-man.8 +1 -1
  64. data/man/man8/puppet-module.8 +1 -1
  65. data/man/man8/puppet-node.8 +1 -1
  66. data/man/man8/puppet-parser.8 +1 -1
  67. data/man/man8/puppet-plugin.8 +1 -1
  68. data/man/man8/puppet-report.8 +1 -1
  69. data/man/man8/puppet-resource.8 +1 -1
  70. data/man/man8/puppet-script.8 +1 -1
  71. data/man/man8/puppet-ssl.8 +1 -1
  72. data/man/man8/puppet-status.8 +1 -1
  73. data/man/man8/puppet.8 +2 -2
  74. data/spec/fixtures/ssl/127.0.0.1-key.pem +107 -57
  75. data/spec/fixtures/ssl/127.0.0.1.pem +52 -31
  76. data/spec/fixtures/ssl/bad-basic-constraints.pem +57 -35
  77. data/spec/fixtures/ssl/bad-int-basic-constraints.pem +57 -35
  78. data/spec/fixtures/ssl/ca.pem +57 -35
  79. data/spec/fixtures/ssl/crl.pem +28 -18
  80. data/spec/fixtures/ssl/ec-key.pem +11 -11
  81. data/spec/fixtures/ssl/ec.pem +33 -24
  82. data/spec/fixtures/ssl/encrypted-ec-key.pem +12 -12
  83. data/spec/fixtures/ssl/encrypted-key.pem +108 -58
  84. data/spec/fixtures/ssl/intermediate-agent-crl.pem +28 -19
  85. data/spec/fixtures/ssl/intermediate-agent.pem +57 -36
  86. data/spec/fixtures/ssl/intermediate-crl.pem +31 -21
  87. data/spec/fixtures/ssl/intermediate.pem +57 -36
  88. data/spec/fixtures/ssl/pluto-key.pem +107 -57
  89. data/spec/fixtures/ssl/pluto.pem +52 -30
  90. data/spec/fixtures/ssl/request-key.pem +107 -57
  91. data/spec/fixtures/ssl/request.pem +47 -26
  92. data/spec/fixtures/ssl/revoked-key.pem +107 -57
  93. data/spec/fixtures/ssl/revoked.pem +52 -30
  94. data/spec/fixtures/ssl/signed-key.pem +107 -57
  95. data/spec/fixtures/ssl/signed.pem +52 -30
  96. data/spec/fixtures/ssl/tampered-cert.pem +52 -30
  97. data/spec/fixtures/ssl/tampered-csr.pem +47 -26
  98. data/spec/fixtures/ssl/unknown-127.0.0.1-key.pem +107 -57
  99. data/spec/fixtures/ssl/unknown-127.0.0.1.pem +50 -29
  100. data/spec/fixtures/ssl/unknown-ca-key.pem +107 -57
  101. data/spec/fixtures/ssl/unknown-ca.pem +55 -33
  102. data/spec/integration/application/resource_spec.rb +30 -0
  103. data/spec/lib/puppet/test_ca.rb +2 -2
  104. data/spec/unit/application/agent_spec.rb +7 -2
  105. data/spec/unit/configurer/downloader_spec.rb +6 -0
  106. data/spec/unit/configurer_spec.rb +23 -0
  107. data/spec/unit/file_serving/fileset_spec.rb +60 -0
  108. data/spec/unit/gettext/config_spec.rb +12 -0
  109. data/spec/unit/http/service/compiler_spec.rb +123 -0
  110. data/spec/unit/indirector/catalog/compiler_spec.rb +14 -10
  111. data/spec/unit/parser/functions/fqdn_rand_spec.rb +15 -1
  112. data/spec/unit/pops/types/p_sem_ver_type_spec.rb +18 -0
  113. data/spec/unit/pops/types/p_sensitive_type_spec.rb +18 -0
  114. data/spec/unit/provider/package/nim_spec.rb +42 -0
  115. data/spec/unit/provider/service/init_spec.rb +1 -0
  116. data/spec/unit/provider/service/openwrt_spec.rb +3 -1
  117. data/spec/unit/provider/service/systemd_spec.rb +42 -8
  118. data/spec/unit/provider/service/windows_spec.rb +202 -0
  119. data/spec/unit/provider/user/directoryservice_spec.rb +67 -35
  120. data/spec/unit/ssl/state_machine_spec.rb +19 -5
  121. data/spec/unit/transaction/additional_resource_generator_spec.rb +0 -2
  122. data/spec/unit/transaction_spec.rb +18 -20
  123. data/spec/unit/type/file/selinux_spec.rb +3 -3
  124. data/spec/unit/type/service_spec.rb +59 -188
  125. data/spec/unit/type/tidy_spec.rb +17 -7
  126. data/spec/unit/type/user_spec.rb +45 -0
  127. data/spec/unit/util/selinux_spec.rb +87 -16
  128. data/tasks/generate_cert_fixtures.rake +2 -2
  129. metadata +4 -2
@@ -83,6 +83,7 @@ describe 'Puppet::Type::Service::Provider::Init',
83
83
  allow(provider_class).to receive(:defpath).and_return('tmp')
84
84
 
85
85
  @services = ['one', 'two', 'three', 'four', 'umountfs']
86
+ allow(Dir).to receive(:entries).and_call_original
86
87
  allow(Dir).to receive(:entries).with('tmp').and_return(@services)
87
88
  expect(FileTest).to receive(:directory?).with('tmp').and_return(true)
88
89
  allow(FileTest).to receive(:executable?).and_return(true)
@@ -32,6 +32,7 @@ describe 'Puppet::Type::Service::Provider::Openwrt',
32
32
  allow(File).to receive(:directory?).with('/etc/init.d').and_return(true)
33
33
 
34
34
  allow(Puppet::FileSystem).to receive(:exist?).with('/etc/init.d/myservice').and_return(true)
35
+ allow(FileTest).to receive(:file?).and_call_original
35
36
  allow(FileTest).to receive(:file?).with('/etc/init.d/myservice').and_return(true)
36
37
  allow(FileTest).to receive(:executable?).with('/etc/init.d/myservice').and_return(true)
37
38
  end
@@ -47,7 +48,8 @@ describe 'Puppet::Type::Service::Provider::Openwrt',
47
48
  let(:services) {['dnsmasq', 'dropbear', 'firewall', 'led', 'puppet', 'uhttpd' ]}
48
49
 
49
50
  before :each do
50
- allow(Dir).to receive(:entries).and_return(services)
51
+ allow(Dir).to receive(:entries).and_call_original
52
+ allow(Dir).to receive(:entries).with('/etc/init.d').and_return(services)
51
53
  allow(FileTest).to receive(:directory?).and_return(true)
52
54
  allow(FileTest).to receive(:executable?).and_return(true)
53
55
  end
@@ -357,6 +357,9 @@ Jun 14 21:43:23 foo.example.com systemd[1]: sshd.service lacks both ExecStart= a
357
357
  describe "#mask" do
358
358
  it "should run systemctl to disable and mask a service" do
359
359
  provider = provider_class.new(Puppet::Type.type(:service).new(:name => 'sshd.service'))
360
+ expect(provider).to receive(:execute).
361
+ with(['/bin/systemctl','cat', '--', 'sshd.service'], :failonfail => false).
362
+ and_return(Puppet::Util::Execution::ProcessOutput.new("# /lib/systemd/system/sshd.service\n...", 0))
360
363
  # :disable is the only call in the provider that uses a symbol instead of
361
364
  # a string.
362
365
  # This should be made consistent in the future and all tests updated.
@@ -364,6 +367,15 @@ Jun 14 21:43:23 foo.example.com systemd[1]: sshd.service lacks both ExecStart= a
364
367
  expect(provider).to receive(:systemctl).with(:mask, '--', 'sshd.service')
365
368
  provider.mask
366
369
  end
370
+
371
+ it "masks a service that doesn't exist" do
372
+ provider = provider_class.new(Puppet::Type.type(:service).new(:name => 'doesnotexist.service'))
373
+ expect(provider).to receive(:execute).
374
+ with(['/bin/systemctl','cat', '--', 'doesnotexist.service'], :failonfail => false).
375
+ and_return(Puppet::Util::Execution::ProcessOutput.new("No files found for doesnotexist.service.\n", 1))
376
+ expect(provider).to receive(:systemctl).with(:mask, '--', 'doesnotexist.service')
377
+ provider.mask
378
+ end
367
379
  end
368
380
 
369
381
  # Note: systemd provider does not care about hasstatus or a custom status
@@ -467,17 +479,39 @@ Jun 14 21:43:23 foo.example.com systemd[1]: sshd.service lacks both ExecStart= a
467
479
  context 'when service state is static' do
468
480
  let(:service_state) { 'static' }
469
481
 
470
- it 'is always enabled_insync even if current value is the same as expected' do
471
- expect(provider).to be_enabled_insync(:false)
472
- end
482
+ context 'when enable is not mask' do
483
+ it 'is always enabled_insync even if current value is the same as expected' do
484
+ expect(provider).to be_enabled_insync(:false)
485
+ end
473
486
 
474
- it 'is always enabled_insync even if current value is not the same as expected' do
475
- expect(provider).to be_enabled_insync(:true)
487
+ it 'is always enabled_insync even if current value is not the same as expected' do
488
+ expect(provider).to be_enabled_insync(:true)
489
+ end
490
+
491
+ it 'logs a debug messsage' do
492
+ expect(Puppet).to receive(:debug).with("Unable to enable or disable static service sshd.service")
493
+ provider.enabled_insync?(:true)
494
+ end
476
495
  end
477
496
 
478
- it 'logs a debug messsage' do
479
- expect(Puppet).to receive(:debug).with("Unable to enable or disable static service sshd.service")
480
- provider.enabled_insync?(:true)
497
+ context 'when enable is mask' do
498
+ let(:provider) do
499
+ provider_class.new(Puppet::Type.type(:service).new(:name => 'sshd.service',
500
+ :enable => 'mask'))
501
+ end
502
+
503
+ it 'is enabled_insync if current value is the same as expected' do
504
+ expect(provider).to be_enabled_insync(:mask)
505
+ end
506
+
507
+ it 'is not enabled_insync if current value is not the same as expected' do
508
+ expect(provider).not_to be_enabled_insync(:true)
509
+ end
510
+
511
+ it 'logs no debug messsage' do
512
+ expect(Puppet).not_to receive(:debug)
513
+ provider.enabled_insync?(:true)
514
+ end
481
515
  end
482
516
  end
483
517
 
@@ -271,4 +271,206 @@ describe 'Puppet::Type::Service::Provider::Windows',
271
271
  }.to raise_error(Puppet::Error, /Cannot enable #{name}/)
272
272
  end
273
273
  end
274
+
275
+ describe "when managing logon credentials" do
276
+ before do
277
+ allow(Puppet::Util::Windows::ADSI).to receive(:computer_name).and_return(computer_name)
278
+ allow(Puppet::Util::Windows::SID).to receive(:name_to_principal).and_return(principal)
279
+ allow(Puppet::Util::Windows::Service).to receive(:set_startup_configuration).and_return(nil)
280
+ end
281
+
282
+ let(:computer_name) { 'myPC' }
283
+
284
+ describe "#logonaccount=" do
285
+ before do
286
+ allow(Puppet::Util::Windows::User).to receive(:password_is?).and_return(true)
287
+ resource[:logonaccount] = user_input
288
+ provider.logonaccount_insync?(user_input)
289
+ end
290
+
291
+ let(:user_input) { principal.account }
292
+ let(:principal) do
293
+ Puppet::Util::Windows::SID::Principal.new("myUser", nil, nil, computer_name, :SidTypeUser)
294
+ end
295
+
296
+ context "when given user is 'myUser'" do
297
+ it "should fail when the `Log On As A Service` right is missing from given user" do
298
+ allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("")
299
+ expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /".\\#{principal.account}" is missing the 'Log On As A Service' right./)
300
+ end
301
+
302
+ it "should fail when the `Log On As A Service` right is set to denied for given user" do
303
+ allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeDenyServiceLogonRight")
304
+ expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /".\\#{principal.account}" has the 'Log On As A Service' right set to denied./)
305
+ end
306
+
307
+ it "should not fail when given user has the `Log On As A Service` right" do
308
+ allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeServiceLogonRight")
309
+ expect { provider.logonaccount=(user_input) }.not_to raise_error
310
+ end
311
+
312
+ ['myUser', 'myPC\\myUser', ".\\myUser", "MYPC\\mYuseR"].each do |user_input_variant|
313
+ let(:user_input) { user_input_variant }
314
+
315
+ it "should succesfully munge #{user_input_variant} to '.\\myUser'" do
316
+ allow(Puppet::Util::Windows::User).to receive(:get_rights).with(principal.domain_account).and_return("SeServiceLogonRight")
317
+ expect { provider.logonaccount=(user_input) }.not_to raise_error
318
+ expect(resource[:logonaccount]).to eq(".\\myUser")
319
+ end
320
+ end
321
+ end
322
+
323
+ context "when given user is a system account" do
324
+ before do
325
+ allow(Puppet::Util::Windows::User).to receive(:default_system_account?).and_return(true)
326
+ end
327
+
328
+ let(:user_input) { principal.account }
329
+ let(:principal) do
330
+ Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser)
331
+ end
332
+
333
+ it "should not fail when given user is a default system account even if the `Log On As A Service` right is missing" do
334
+ expect(Puppet::Util::Windows::User).not_to receive(:get_rights)
335
+ expect { provider.logonaccount=(user_input) }.not_to raise_error
336
+ end
337
+
338
+ ['LocalSystem', '.\LocalSystem', 'myPC\LocalSystem', 'lOcALsysTem'].each do |user_input_variant|
339
+ let(:user_input) { user_input_variant }
340
+
341
+ it "should succesfully munge #{user_input_variant} to 'LocalSystem'" do
342
+ expect { provider.logonaccount=(user_input) }.not_to raise_error
343
+ expect(resource[:logonaccount]).to eq('LocalSystem')
344
+ end
345
+ end
346
+ end
347
+
348
+ context "when domain is different from computer name" do
349
+ before do
350
+ allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return("SeServiceLogonRight")
351
+ end
352
+
353
+ context "when given user is from AD" do
354
+ let(:user_input) { 'myRemoteUser' }
355
+ let(:principal) do
356
+ Puppet::Util::Windows::SID::Principal.new("myRemoteUser", nil, nil, "AD", :SidTypeUser)
357
+ end
358
+
359
+ it "should not raise any error" do
360
+ expect { provider.logonaccount=(user_input) }.not_to raise_error
361
+ end
362
+
363
+ it "should succesfully be munged" do
364
+ expect { provider.logonaccount=(user_input) }.not_to raise_error
365
+ expect(resource[:logonaccount]).to eq('AD\myRemoteUser')
366
+ end
367
+ end
368
+
369
+ context "when given user is LocalService" do
370
+ let(:user_input) { 'LocalService' }
371
+ let(:principal) do
372
+ Puppet::Util::Windows::SID::Principal.new("LOCAL SERVICE", nil, nil, "NT AUTHORITY", :SidTypeWellKnownGroup)
373
+ end
374
+
375
+ it "should succesfully munge well known user" do
376
+ expect { provider.logonaccount=(user_input) }.not_to raise_error
377
+ expect(resource[:logonaccount]).to eq('NT AUTHORITY\LOCAL SERVICE')
378
+ end
379
+ end
380
+
381
+ context "when given user is in SID form" do
382
+ let(:user_input) { 'S-1-5-20' }
383
+ let(:principal) do
384
+ Puppet::Util::Windows::SID::Principal.new("NETWORK SERVICE", nil, nil, "NT AUTHORITY", :SidTypeUser)
385
+ end
386
+
387
+ it "should succesfully munge" do
388
+ expect { provider.logonaccount=(user_input) }.not_to raise_error
389
+ expect(resource[:logonaccount]).to eq('NT AUTHORITY\NETWORK SERVICE')
390
+ end
391
+ end
392
+
393
+ context "when given user is actually a group" do
394
+ let(:principal) do
395
+ Puppet::Util::Windows::SID::Principal.new("Administrators", nil, nil, "BUILTIN", :SidTypeAlias)
396
+ end
397
+ let(:user_input) { 'Administrators' }
398
+
399
+ it "should fail when sid type is not user or well known user" do
400
+ expect { provider.logonaccount=(user_input) }.to raise_error(Puppet::Error, /"BUILTIN\\#{user_input}" is not a valid account/)
401
+ end
402
+ end
403
+ end
404
+ end
405
+
406
+ describe "#logonpassword=" do
407
+ before do
408
+ allow(Puppet::Util::Windows::User).to receive(:get_rights).and_return('SeServiceLogonRight')
409
+ resource[:logonaccount] = account
410
+ resource[:logonpassword] = user_input
411
+ provider.logonaccount_insync?(account)
412
+ end
413
+
414
+ let(:account) { 'LocalSystem' }
415
+
416
+ describe "when given logonaccount is a predefined_local_account" do
417
+ let(:user_input) { 'pass' }
418
+ let(:principal) { nil }
419
+
420
+ it "should pass validation when given account is 'LocalSystem'" do
421
+ allow(Puppet::Util::Windows::User).to receive(:localsystem?).with('LocalSystem').and_return(true)
422
+ allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with('LocalSystem').and_return(true)
423
+
424
+ expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
425
+ expect { provider.logonpassword=(user_input) }.not_to raise_error
426
+ end
427
+
428
+ ['LOCAL SERVICE', 'NETWORK SERVICE', 'SYSTEM'].each do |predefined_local_account|
429
+ describe "when given account is #{predefined_local_account}" do
430
+ let(:account) { 'predefined_local_account' }
431
+ let(:principal) do
432
+ Puppet::Util::Windows::SID::Principal.new(account, nil, nil, "NT AUTHORITY", :SidTypeUser)
433
+ end
434
+
435
+ it "should pass validation" do
436
+ allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(principal.account).and_return(false)
437
+ allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(principal.domain_account).and_return(false)
438
+ expect(Puppet::Util::Windows::User).to receive(:default_system_account?).with(principal.domain_account).and_return(true).twice
439
+
440
+ expect(Puppet::Util::Windows::User).not_to receive(:password_is?)
441
+ expect { provider.logonpassword=(user_input) }.not_to raise_error
442
+ end
443
+ end
444
+ end
445
+ end
446
+
447
+ describe "when given logonaccount is not a predefined local account" do
448
+ before do
449
+ allow(Puppet::Util::Windows::User).to receive(:localsystem?).with(".\\#{principal.account}").and_return(false)
450
+ allow(Puppet::Util::Windows::User).to receive(:default_system_account?).with(".\\#{principal.account}").and_return(false)
451
+ end
452
+
453
+ let(:account) { 'myUser' }
454
+ let(:principal) do
455
+ Puppet::Util::Windows::SID::Principal.new(account, nil, nil, computer_name, :SidTypeUser)
456
+ end
457
+
458
+ describe "when password is proven correct" do
459
+ let(:user_input) { 'myPass' }
460
+ it "should pass validation" do
461
+ allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myPass', '.').and_return(true)
462
+ expect { provider.logonpassword=(user_input) }.not_to raise_error
463
+ end
464
+ end
465
+
466
+ describe "when password is not proven correct" do
467
+ let(:user_input) { 'myWrongPass' }
468
+ it "should not pass validation" do
469
+ allow(Puppet::Util::Windows::User).to receive(:password_is?).with('myUser', 'myWrongPass', '.').and_return(false)
470
+ expect { provider.logonpassword=(user_input) }.to raise_error(Puppet::Error, /The given password is invalid for user '.\\myUser'/)
471
+ end
472
+ end
473
+ end
474
+ end
475
+ end
274
476
  end
@@ -925,28 +925,75 @@ end
925
925
  }
926
926
  end
927
927
 
928
- it 'should call set_salted_sha512 on 10.7 when given a salted-SHA512 password hash' do
929
- expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
930
- expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(sha512_shadowhashdata)
931
- expect(provider.class).to receive(:get_os_version).and_return('10.7')
932
- expect(provider).to receive(:set_salted_sha512).with(sample_users_plist, sha512_shadowhashdata, sha512_password_hash)
933
- provider.write_password_to_users_plist(sha512_password_hash)
928
+ before do
929
+ allow(provider).to receive(:merge_attribute_with_dscl).with('Users', username, 'AuthenticationAuthority', any_args)
934
930
  end
935
931
 
936
- it 'should call set_salted_pbkdf2 on 10.8 when given a PBKDF2 password hash' do
937
- expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
938
- expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
939
- expect(provider.class).to receive(:get_os_version).and_return('10.8')
940
- expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
941
- provider.write_password_to_users_plist(pbkdf2_password_hash)
932
+ describe 'when on macOS 11 (Big Sur) or greater' do
933
+ before do
934
+ allow(provider.class).to receive(:get_os_version).and_return('11.0.0')
935
+ end
936
+
937
+ it 'should add salted_sha512_pbkdf2 AuthenticationAuthority key if missing' do
938
+ expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
939
+ expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
940
+ expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
941
+ expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(true)
942
+
943
+ expect(Puppet).to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
944
+ provider.write_password_to_users_plist(pbkdf2_password_hash)
945
+ end
946
+
947
+ it 'should not add salted_sha512_pbkdf2 AuthenticationAuthority key if not missing' do
948
+ expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
949
+ expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
950
+ expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
951
+ expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
952
+
953
+ expect(Puppet).not_to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
954
+ provider.write_password_to_users_plist(pbkdf2_password_hash)
955
+ end
942
956
  end
943
957
 
944
- it "should delete the SALTED-SHA512 key in the shadow_hash_data hash if it exists on a 10.8 system and write_password_to_users_plist has been called to set the user's password" do
945
- expect(provider).to receive(:get_users_plist).and_return('users_plist')
946
- expect(provider).to receive(:get_shadow_hash_data).with('users_plist').and_return(sha512_shadowhashdata)
947
- expect(provider.class).to receive(:get_os_version).and_return('10.8')
948
- expect(provider).to receive(:set_salted_pbkdf2).with('users_plist', {}, 'entropy', pbkdf2_password_hash)
949
- provider.write_password_to_users_plist(pbkdf2_password_hash)
958
+ describe 'when on macOS version lower than 11' do
959
+ before do
960
+ allow(provider.class).to receive(:get_os_version)
961
+ allow(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
962
+ end
963
+
964
+ it 'should not add salted_sha512_pbkdf2 AuthenticationAuthority' do
965
+ expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
966
+ expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
967
+ expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
968
+ expect(provider).to receive(:needs_sha512_pbkdf2_authentication_authority_to_be_added?).and_return(false)
969
+
970
+ expect(Puppet).not_to receive(:debug).with("Adding 'SALTED-SHA512-PBKDF2' AuthenticationAuthority key for ShadowHash to user 'nonexistent_user'")
971
+ provider.write_password_to_users_plist(pbkdf2_password_hash)
972
+ end
973
+
974
+ it 'should call set_salted_sha512 on 10.7 when given a salted-SHA512 password hash' do
975
+ expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
976
+ expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(sha512_shadowhashdata)
977
+ expect(provider.class).to receive(:get_os_version).and_return('10.7')
978
+ expect(provider).to receive(:set_salted_sha512).with(sample_users_plist, sha512_shadowhashdata, sha512_password_hash)
979
+ provider.write_password_to_users_plist(sha512_password_hash)
980
+ end
981
+
982
+ it 'should call set_salted_pbkdf2 on 10.8 when given a PBKDF2 password hash' do
983
+ expect(provider).to receive(:get_users_plist).and_return(sample_users_plist)
984
+ expect(provider).to receive(:get_shadow_hash_data).with(sample_users_plist).and_return(pbkdf2_shadowhashdata)
985
+ expect(provider.class).to receive(:get_os_version).and_return('10.8')
986
+ expect(provider).to receive(:set_salted_pbkdf2).with(sample_users_plist, pbkdf2_shadowhashdata, 'entropy', pbkdf2_password_hash)
987
+ provider.write_password_to_users_plist(pbkdf2_password_hash)
988
+ end
989
+
990
+ it "should delete the SALTED-SHA512 key in the shadow_hash_data hash if it exists on a 10.8 system and write_password_to_users_plist has been called to set the user's password" do
991
+ expect(provider).to receive(:get_users_plist).and_return('users_plist')
992
+ expect(provider).to receive(:get_shadow_hash_data).with('users_plist').and_return(sha512_shadowhashdata)
993
+ expect(provider.class).to receive(:get_os_version).and_return('10.8')
994
+ expect(provider).to receive(:set_salted_pbkdf2).with('users_plist', {}, 'entropy', pbkdf2_password_hash)
995
+ provider.write_password_to_users_plist(pbkdf2_password_hash)
996
+ end
950
997
  end
951
998
  end
952
999
 
@@ -974,16 +1021,7 @@ end
974
1021
  describe '#set_shadow_hash_data' do
975
1022
  let(:users_plist) { {'ShadowHashData' => ['string_data'] } }
976
1023
 
977
- it 'should flush the plist data to disk on OS X < 10.15' do
978
- allow(provider.class).to receive(:get_os_version).and_return('10.12')
979
-
980
- expect(provider).to receive(:write_users_plist_to_disk)
981
- provider.set_shadow_hash_data(users_plist, pbkdf2_embedded_plist)
982
- end
983
-
984
- it 'should flush the plist data a temporary file on OS X >= 10.15' do
985
- allow(provider.class).to receive(:get_os_version).and_return('10.15')
986
-
1024
+ it 'should flush the plist data to a temporary file' do
987
1025
  expect(provider).to receive(:write_and_import_shadow_hash_data)
988
1026
  provider.set_shadow_hash_data(users_plist, pbkdf2_embedded_plist)
989
1027
  end
@@ -1033,13 +1071,6 @@ end
1033
1071
  end
1034
1072
  end
1035
1073
 
1036
- describe '#write_users_plist_to_disk' do
1037
- it 'should save the passed plist to disk and convert it to a binary plist' do
1038
- expect(Puppet::Util::Plist).to receive(:write_plist_file).with(user_plist_xml, "#{users_plist_dir}/nonexistent_user.plist", :binary)
1039
- provider.write_users_plist_to_disk(user_plist_xml)
1040
- end
1041
- end
1042
-
1043
1074
  describe '#write_and_import_shadow_hash_data' do
1044
1075
  it 'should save the passed plist to a temporary file and import it' do
1045
1076
  tmpfile = double('tempfile', :path => "/tmp/dsimport_#{username}", :flush => nil)
@@ -1203,6 +1234,7 @@ end
1203
1234
  before :each do
1204
1235
  allow(provider.class).to receive(:get_all_users).and_return(all_users_hash)
1205
1236
  allow(provider.class).to receive(:get_list_of_groups).and_return(group_plist_hash_guid)
1237
+ allow(provider).to receive(:merge_attribute_with_dscl).with('Users', username, 'AuthenticationAuthority', any_args)
1206
1238
  provider.class.prefetch({})
1207
1239
  end
1208
1240
 
@@ -31,6 +31,14 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
31
31
  allow(Kernel).to receive(:sleep)
32
32
  end
33
33
 
34
+ def expected_digest(name, content)
35
+ OpenSSL::Digest.new(name).hexdigest(content)
36
+ end
37
+
38
+ def to_fingerprint(digest)
39
+ digest.scan(/../).join(':').upcase
40
+ end
41
+
34
42
  context 'when passing keyword arguments' do
35
43
  it "accepts digest" do
36
44
  expect(described_class.new(digest: 'SHA512').digest).to eq('SHA512')
@@ -395,29 +403,35 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
395
403
 
396
404
  it 'verifies CA cert bundle if a ca_fingerprint is given case-insensitively' do
397
405
  Puppet[:log_level] = :info
398
- machine = described_class.new(digest: 'SHA256', ca_fingerprint: 'caacf69bbbcdad9dbcda92dd2da3608b639d1aea4c314d6cc6823cdb32d8e0f8')
406
+
407
+ digest = expected_digest('SHA256', cacert_pem)
408
+ fingerprint = to_fingerprint(digest)
409
+ machine = described_class.new(digest: 'SHA256', ca_fingerprint: digest.downcase)
399
410
  state = Puppet::SSL::StateMachine::NeedCACerts.new(machine)
400
411
  state.next_state
401
412
 
402
- expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA256) CA:AC:F6:9B:BB:CD:AD:9D:BC:DA:92:DD:2D:A3:60:8B:63:9D:1A:EA:4C:31:4D:6C:C6:82:3C:DB:32:D8:E0:F8"))
413
+ expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA256) #{fingerprint}"))
403
414
  end
404
415
 
405
416
  it 'verifies CA cert bundle using non-default fingerprint' do
406
417
  Puppet[:log_level] = :info
407
- machine = described_class.new(digest: 'SHA512', ca_fingerprint: '3c9d1482b878913ad95c9631feac5090cb05c6eab9496178d6fd5c14a023da3b1a8650a3cbaac516d9a48caf0b0742e1ed7eebf55105c024c74834a45056a9d9')
418
+
419
+ digest = expected_digest('SHA512', cacert_pem)
420
+ machine = described_class.new(digest: 'SHA512', ca_fingerprint: digest)
408
421
  state = Puppet::SSL::StateMachine::NeedCACerts.new(machine)
409
422
  state.next_state
410
423
 
411
- expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA512) 3C:9D:14:82:B8:78:91:3A:D9:5C:96:31:FE:AC:50:90:CB:05:C6:EA:B9:49:61:78:D6:FD:5C:14:A0:23:DA:3B:1A:86:50:A3:CB:AA:C5:16:D9:A4:8C:AF:0B:07:42:E1:ED:7E:EB:F5:51:05:C0:24:C7:48:34:A4:50:56:A9:D9"))
424
+ expect(@logs).to include(an_object_having_attributes(message: "Verified CA bundle with digest (SHA512) #{to_fingerprint(digest)}"))
412
425
  end
413
426
 
414
427
  it 'returns an error if verification fails' do
415
428
  machine = described_class.new(digest: 'SHA256', ca_fingerprint: 'wrong!')
416
429
  state = Puppet::SSL::StateMachine::NeedCACerts.new(machine)
417
430
 
431
+ fingerprint = to_fingerprint(expected_digest('SHA256', cacert_pem))
418
432
  st = state.next_state
419
433
  expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
420
- expect(st.message).to eq("CA bundle with digest (SHA256) CA:AC:F6:9B:BB:CD:AD:9D:BC:DA:92:DD:2D:A3:60:8B:63:9D:1A:EA:4C:31:4D:6C:C6:82:3C:DB:32:D8:E0:F8 did not match expected digest WR:ON:G!")
434
+ expect(st.message).to eq("CA bundle with digest (SHA256) #{fingerprint} did not match expected digest WR:ON:G!")
421
435
  end
422
436
  end
423
437
  end