puppet 6.22.1 → 6.23.0

data/spec/unit/type/user_spec.rb

@@ -174,6 +174,51 @@ describe Puppet::Type.type(:user) do
     end
   end
 
+  describe "when managing the purge_ssh_keys property" do
+    context "with valid input" do
+      it "should support a :true value" do
+        expect { described_class.new(:name => 'foo', :purge_ssh_keys => :true) }.to_not raise_error
+      end
+
+      it "should support a :false value" do
+        expect { described_class.new(:name => 'foo', :purge_ssh_keys => :false) }.to_not raise_error
+      end
+
+      it "should support a String value" do
+        expect { described_class.new(:name => 'foo', :purge_ssh_keys => File.expand_path('home/foo/.ssh/authorized_keys')) }.to_not raise_error
+      end
+
+      it "should support an Array value" do
+        expect { described_class.new(:name => 'foo', :purge_ssh_keys => [File.expand_path('home/foo/.ssh/authorized_keys'),
+          File.expand_path('custom/authorized_keys')]) }.to_not raise_error
+      end
+    end
+
+    context "with faulty input" do
+      it "should raise error for relative path" do
+        expect { described_class.new(:name => 'foo', :purge_ssh_keys => 'home/foo/.ssh/authorized_keys') }.to raise_error(Puppet::ResourceError,
+          /Paths to keyfiles must be absolute/ )
+      end
+
+      it "should raise error for invalid type" do
+        expect { described_class.new(:name => 'foo', :purge_ssh_keys => :invalid) }.to raise_error(Puppet::ResourceError,
+          /purge_ssh_keys must be true, false, or an array of file names/ )
+      end
+
+      it "should raise error for array with relative path" do
+        expect { described_class.new(:name => 'foo', :purge_ssh_keys => ['home/foo/.ssh/authorized_keys',
+          File.expand_path('custom/authorized_keys')]) }.to raise_error(Puppet::ResourceError,
+          /Paths to keyfiles must be absolute/ )
+      end
+
+      it "should raise error for array with invalid type" do
+        expect { described_class.new(:name => 'foo', :purge_ssh_keys => [:invalid,
+          File.expand_path('custom/authorized_keys')]) }.to raise_error(Puppet::ResourceError,
+          /Each entry for purge_ssh_keys must be a string/ )
+      end
+    end
+  end
+
   describe "when managing the uid property" do
     it "should convert number-looking strings into actual numbers" do
       expect(described_class.new(:name => 'foo', :uid => '50')[:uid]).to eq(50)

data/spec/unit/util/selinux_spec.rb

@@ -3,26 +3,29 @@ require 'spec_helper'
 require 'pathname'
 require 'puppet/util/selinux'
 
-unless defined?(Selinux)
-  module Selinux
-    def self.is_selinux_enabled
-      false
-    end
-  end
-end
-
 describe Puppet::Util::SELinux do
   include Puppet::Util::SELinux
 
+  let(:selinux) { double('selinux', is_selinux_enabled: false) }
+
+  before :each do
+    stub_const('Selinux', selinux)
+  end
+
   describe "selinux_support?" do
-    it "should return :true if this system has SELinux enabled" do
+    it "should return true if this system has SELinux enabled" do
       expect(Selinux).to receive(:is_selinux_enabled).and_return(1)
-      expect(selinux_support?).to be_truthy
+      expect(selinux_support?).to eq(true)
     end
 
-    it "should return :false if this system lacks SELinux" do
+    it "should return false if this system has SELinux disabled" do
       expect(Selinux).to receive(:is_selinux_enabled).and_return(0)
-      expect(selinux_support?).to be_falsey
+      expect(selinux_support?).to eq(false)
+    end
+
+    it "should return false if this system lacks SELinux" do
+      hide_const('Selinux')
+      expect(selinux_support?).to eq(false)
     end
 
     it "should return nil if /proc/mounts does not exist" do
@@ -156,7 +159,7 @@ describe Puppet::Util::SELinux do
       end
     end
 
-    it "handles no such file or directory errors by issuing a warning" do
+    it "backward compatibly handles no such file or directory errors by issuing a warning when resource_ensure not set" do
       without_partial_double_verification do
         allow(self).to receive(:selinux_support?).and_return(true)
         allow(self).to receive(:selinux_label_support?).and_return(true)
@@ -167,6 +170,51 @@ describe Puppet::Util::SELinux do
       end
     end
 
+    it "should determine mode based on resource ensure when set to file" do
+      without_partial_double_verification do
+        allow(self).to receive(:selinux_support?).and_return(true)
+        allow(self).to receive(:selinux_label_support?).and_return(true)
+        allow(Selinux).to receive(:matchpathcon).with("/root/chuj", 32768).and_return(-1)
+        allow(self).to receive(:file_lstat).with("/root/chuj").and_raise(Errno::ENOENT, "/root/chuj")
+
+        expect(get_selinux_default_context("/root/chuj", :present)).to be_nil
+        expect(get_selinux_default_context("/root/chuj", :file)).to be_nil
+      end
+    end
+
+    it "should determine mode based on resource ensure when set to dir" do
+      without_partial_double_verification do
+        allow(self).to receive(:selinux_support?).and_return(true)
+        allow(self).to receive(:selinux_label_support?).and_return(true)
+        allow(Selinux).to receive(:matchpathcon).with("/root/chuj", 16384).and_return(-1)
+        allow(self).to receive(:file_lstat).with("/root/chuj").and_raise(Errno::ENOENT, "/root/chuj")
+
+        expect(get_selinux_default_context("/root/chuj", :directory)).to be_nil
+      end
+    end
+
+    it "should determine mode based on resource ensure when set to link" do
+      without_partial_double_verification do
+        allow(self).to receive(:selinux_support?).and_return(true)
+        allow(self).to receive(:selinux_label_support?).and_return(true)
+        allow(Selinux).to receive(:matchpathcon).with("/root/chuj", 40960).and_return(-1)
+        allow(self).to receive(:file_lstat).with("/root/chuj").and_raise(Errno::ENOENT, "/root/chuj")
+
+        expect(get_selinux_default_context("/root/chuj", :link)).to be_nil
+      end
+    end
+
+    it "should determine mode based on resource ensure when set to unknown" do
+      without_partial_double_verification do
+        allow(self).to receive(:selinux_support?).and_return(true)
+        allow(self).to receive(:selinux_label_support?).and_return(true)
+        allow(Selinux).to receive(:matchpathcon).with("/root/chuj", 0).and_return(-1)
+        allow(self).to receive(:file_lstat).with("/root/chuj").and_raise(Errno::ENOENT, "/root/chuj")
+
+        expect(get_selinux_default_context("/root/chuj", "unknown")).to be_nil
+      end
+    end
+
     it "should return nil if matchpathcon returns failure" do
       without_partial_double_verification do
         expect(self).to receive(:selinux_support?).and_return(true)
@@ -326,21 +374,44 @@ describe Puppet::Util::SELinux do
     end
 
     it "should return nil if no default context exists" do
-      expect(self).to receive(:get_selinux_default_context).with("/foo").and_return(nil)
+      expect(self).to receive(:get_selinux_default_context).with("/foo", nil).and_return(nil)
       expect(set_selinux_default_context("/foo")).to be_nil
     end
 
     it "should do nothing and return nil if the current context matches the default context" do
-      expect(self).to receive(:get_selinux_default_context).with("/foo").and_return("user_u:role_r:type_t")
+      expect(self).to receive(:get_selinux_default_context).with("/foo", nil).and_return("user_u:role_r:type_t")
       expect(self).to receive(:get_selinux_current_context).with("/foo").and_return("user_u:role_r:type_t")
       expect(set_selinux_default_context("/foo")).to be_nil
     end
 
     it "should set and return the default context if current and default do not match" do
-      expect(self).to receive(:get_selinux_default_context).with("/foo").and_return("user_u:role_r:type_t")
+      expect(self).to receive(:get_selinux_default_context).with("/foo", nil).and_return("user_u:role_r:type_t")
       expect(self).to receive(:get_selinux_current_context).with("/foo").and_return("olduser_u:role_r:type_t")
       expect(self).to receive(:set_selinux_context).with("/foo", "user_u:role_r:type_t").and_return(true)
       expect(set_selinux_default_context("/foo")).to eq("user_u:role_r:type_t")
     end
   end
+
+  describe "get_create_mode" do
+    it "should return 0 if the resource is absent" do
+      expect(get_create_mode(:absent)).to eq(0)
+    end
+
+    it "should return mode with file type set to S_IFREG when resource is file" do
+      expect(get_create_mode(:present)).to eq(32768)
+      expect(get_create_mode(:file)).to eq(32768)
+    end
+
+    it "should return mode with file type set to S_IFDIR when resource is dir" do
+      expect(get_create_mode(:directory)).to eq(16384)
+    end
+
+    it "should return mode with file type set to S_IFLNK when resource is link" do
+      expect(get_create_mode(:link)).to eq(40960)
+    end
+
+    it "should return 0 for everything else" do
+      expect(get_create_mode("unknown")).to eq(0)
+    end
+  end
 end

data/tasks/generate_cert_fixtures.rake

@@ -173,12 +173,12 @@ task(:gen_cert_fixtures) do
 
   # Create a request, but replace its public key after it's signed
   tampered_csr = ca.create_request('signed')[:csr]
-  tampered_csr.public_key = OpenSSL::PKey::RSA.new(1024).public_key
+  tampered_csr.public_key = OpenSSL::PKey::RSA.new(2048).public_key
   save(dir, 'tampered-csr.pem', tampered_csr)
 
   # Create a cert issued from the real intermediate CA, but replace its
   # public key
   tampered_cert = ca.create_cert('signed', inter[:cert], inter[:private_key])[:cert]
-  tampered_cert.public_key = OpenSSL::PKey::RSA.new(1024).public_key
+  tampered_cert.public_key = OpenSSL::PKey::RSA.new(2048).public_key
   save(dir, 'tampered-cert.pem', tampered_cert)
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet
 version: !ruby/object:Gem::Version
-  version: 6.22.1
+  version: 6.23.0
 platform: ruby
 authors:
 - Puppet Labs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-22 00:00:00.000000000 Z
+date: 2021-06-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -1817,6 +1817,7 @@ files:
 - spec/integration/application/lookup_spec.rb
 - spec/integration/application/module_spec.rb
 - spec/integration/application/plugin_spec.rb
+- spec/integration/application/resource_spec.rb
 - spec/integration/configurer_spec.rb
 - spec/integration/data_binding_spec.rb
 - spec/integration/defaults_spec.rb
@@ -3086,6 +3087,7 @@ test_files:
 - spec/integration/application/lookup_spec.rb
 - spec/integration/application/module_spec.rb
 - spec/integration/application/plugin_spec.rb
+- spec/integration/application/resource_spec.rb
 - spec/integration/configurer_spec.rb
 - spec/integration/data_binding_spec.rb
 - spec/integration/defaults_spec.rb