puppet 6.23.0 → 7.0.0

data/lib/puppet/module_tool/applications/searcher.rb

@@ -1,29 +0,0 @@
-module Puppet::ModuleTool
-  module Applications
-    class Searcher < Application
-      include Puppet::Forge::Errors
-
-      def initialize(term, forge, options = {})
-        @term = term
-        @forge = forge
-        super(options)
-      end
-
-      def run
-        results = {}
-        begin
-          Puppet.notice _("Searching %{host} ...") % { host: @forge.host }
-          results[:answers] = @forge.search(@term)
-          results[:result] = :success
-        rescue ForgeError => e
-          results[:result] = :failure
-          results[:error] = {
-            :oneline   => e.message,
-            :multiline => e.multiline,
-          }
-        end
-        results
-      end
-    end
-  end
-end

data/lib/puppet/network/auth_config_parser.rb

@@ -1,90 +0,0 @@
-require 'puppet/network/rights'
-
-module Puppet::Network
-class AuthConfigParser
-
-  def self.new_from_file(file)
-    self.new(Puppet::FileSystem.read(file, :encoding => 'utf-8'))
-  end
-
-  def initialize(string)
-    @string = string
-  end
-
-  def parse
-    Puppet::Network::AuthConfig.new(parse_rights)
-  end
-
-  def parse_rights
-    rights = Puppet::Network::Rights.new
-    right = nil
-    count = 1
-    @string.each_line { |line|
-      case line.chomp
-      when /^\s*#/, /^\s*$/
-        # skip comments and blank lines
-      when /^path\s+((?:~\s+)?[^ ]+)\s*$/ # "path /path" or "path ~ regex"
-        name = $1.chomp
-        right = rights.newright(name, count, @file)
-      when /^\s*(allow(?:_ip)?|deny(?:_ip)?|method|environment|auth(?:enticated)?)\s+(.+?)(\s*#.*)?$/
-        if right.nil?
-          #TRANSLATORS "path" is a configuration file entry and should not be translated
-          raise Puppet::ConfigurationError, _("Missing or invalid 'path' before right directive at %{error_location}") %
-              { error_location: Puppet::Util::Errors.error_location(@file, count) }
-        end
-        parse_right_directive(right, $1, $2, count)
-      else
-        error_location_str = Puppet::Util::Errors.error_location(nil, count)
-        raise Puppet::ConfigurationError, _("Invalid entry at %{error_location}: %{file_text}") %
-            { error_location: error_location_str, file_text: line }
-      end
-      count += 1
-    }
-
-    # Verify each of the rights are valid.
-    # We let the check raise an error, so that it can raise an error
-    # pointing to the specific problem.
-    rights.each { |name, r|
-      r.valid?
-    }
-    rights
-  end
-
-  def parse_right_directive(right, var, value, count)
-    value.strip!
-    case var
-    when "allow"
-      modify_right(right, :allow, value, _("allowing %{value} access"), count)
-    when "deny"
-      modify_right(right, :deny, value, _("denying %{value} access"), count)
-    when "allow_ip"
-      modify_right(right, :allow_ip, value, _("allowing IP %{value} access"), count)
-    when "deny_ip"
-      modify_right(right, :deny_ip, value, _("denying IP %{value} access"), count)
-    when "method"
-      modify_right(right, :restrict_method, value, _("allowing 'method' %{value}"), count)
-    when "environment"
-      modify_right(right, :restrict_environment, value, _("adding environment %{value}"), count)
-    when /auth(?:enticated)?/
-      modify_right(right, :restrict_authenticated, value, _("adding authentication %{value}"), count)
-    else
-      error_location_str = Puppet::Util::Errors.error_location(nil, count)
-      raise Puppet::ConfigurationError, _("Invalid argument '%{var}' at %{error_location}") %
-          { var: var, error_location: error_location_str }
-    end
-  end
-
-  def modify_right(right, method, value, msg, count)
-    value.split(/\s*,\s*/).each do |val|
-      begin
-        val.strip!
-        right.info msg % { value: val }
-        right.send(method, val)
-      rescue Puppet::AuthStoreError => detail
-        error_location_str = Puppet::Util::Errors.error_location(@file, count)
-        raise Puppet::ConfigurationError, "#{detail} #{error_location_str}", detail.backtrace
-      end
-    end
-  end
-end
-end

data/lib/puppet/network/authstore.rb

@@ -1,283 +0,0 @@
-# standard module for determining whether a given hostname or IP has access to
-# the requested resource
-
-require 'ipaddr'
-require 'puppet/util/logging'
-
-module Puppet
-  class AuthStoreError < Puppet::Error; end
-  class AuthorizationError < Puppet::Error; end
-
-  class Network::AuthStore
-    include Puppet::Util::Logging
-
-    # Is a given combination of name and ip address allowed?  If either input
-    # is non-nil, then both inputs must be provided.  If neither input
-    # is provided, then the authstore is considered local and defaults to "true".
-    def allowed?(name, ip)
-      if name or ip
-        # This is probably unnecessary, and can cause some weirdness in
-        # cases where we're operating over localhost but don't have a real
-        # IP defined.
-        raise Puppet::DevError, _("Name and IP must be passed to 'allowed?'") unless name and ip
-        # else, we're networked and such
-      else
-        # we're local
-        return true
-      end
-
-      # yay insecure overrides
-      return true if globalallow?
-
-      decl = declarations.find { |d| d.match?(name, ip) }
-      if decl
-        return decl.result
-      end
-
-      info _("defaulting to no access for %{name}") % { name: name }
-      false
-    end
-
-    # Mark a given pattern as allowed.
-    def allow(pattern)
-      # a simple way to allow anyone at all to connect
-      if pattern == "*"
-        @globalallow = true
-      else
-        store(:allow, pattern)
-      end
-
-      nil
-    end
-
-    def allow_ip(pattern)
-      store(:allow_ip, pattern)
-    end
-
-    # Deny a given pattern.
-    def deny(pattern)
-      store(:deny, pattern)
-    end
-
-    def deny_ip(pattern)
-      store(:deny_ip, pattern)
-    end
-
-    # Is global allow enabled?
-    def globalallow?
-      @globalallow
-    end
-
-    # does this auth store has any rules?
-    def empty?
-      @globalallow.nil? && @declarations.size == 0
-    end
-
-    def initialize
-      @globalallow = nil
-      @declarations = []
-    end
-
-    def to_s
-      "authstore"
-    end
-
-    def interpolate(match)
-      @modified_declarations = @declarations.collect { |ace| ace.interpolate(match) }.sort
-    end
-
-    def reset_interpolation
-      @modified_declarations = nil
-    end
-
-    private
-
-    # Returns our ACEs list, but if we have a modification of it, let's return
-    # it. This is used if we want to override the this purely immutable list
-    # by a modified version.
-    def declarations
-      @modified_declarations || @declarations
-    end
-
-    # Store the results of a pattern into our hash.  Basically just
-    # converts the pattern and sticks it into the hash.
-    def store(type, pattern)
-      @declarations << Declaration.new(type, pattern)
-      @declarations.sort!
-
-      nil
-    end
-
-    # A single declaration.  Stores the info for a given declaration,
-    # provides the methods for determining whether a declaration matches,
-    # and handles sorting the declarations appropriately.
-    class Declaration
-      include Puppet::Util
-      include Comparable
-
-      # The type of declaration: either :allow or :deny
-      attr_reader :type
-      VALID_TYPES = [ :allow, :deny, :allow_ip, :deny_ip ]
-
-      attr_accessor :name
-
-      # The pattern we're matching against.  Can be an IPAddr instance,
-      # or an array of strings, resulting from reversing a hostname
-      # or domain name.
-      attr_reader :pattern
-
-      # The length.  Only used for iprange and domain.
-      attr_accessor :length
-
-      # Sort the declarations most specific first.
-      def <=>(other)
-        compare(exact?, other.exact?) ||
-        compare(ip?, other.ip?)  ||
-        ((length != other.length) &&  (other.length <=> length)) ||
-        compare(deny?, other.deny?) ||
-        ( ip? ? pattern.to_s <=> other.pattern.to_s : pattern <=> other.pattern)
-      end
-
-      def deny?
-        type == :deny
-      end
-
-      def exact?
-        @exact == :exact
-      end
-
-      def initialize(type, pattern)
-        self.type = type
-        self.pattern = pattern
-      end
-
-      # Are we an IP type?
-      def ip?
-        name == :ip
-      end
-
-      # Does this declaration match the name/ip combo?
-      def match?(name, ip)
-        if ip?
-          pattern.include?(IPAddr.new(ip))
-        else
-          matchname?(name)
-        end
-      end
-
-      # Set the pattern appropriately.  Also sets the name and length.
-      def pattern=(pattern)
-        if [:allow_ip, :deny_ip].include?(self.type)
-          parse_ip(pattern)
-        else
-          parse(pattern)
-        end
-        @orig = pattern
-      end
-
-      # Mapping a type of statement into a return value.
-      def result
-        [:allow, :allow_ip].include?(type)
-      end
-
-      def to_s
-        "#{type}: #{pattern}"
-      end
-
-      # Set the declaration type.  Either :allow or :deny.
-      def type=(type)
-        type = type.intern
-        raise ArgumentError, _("Invalid declaration type %{type}") % { type: type } unless VALID_TYPES.include?(type)
-        @type = type
-      end
-
-      # interpolate a pattern to replace any
-      # backreferences by the given match
-      # for instance if our pattern is $1.reductivelabs.com
-      # and we're called with a MatchData whose capture 1 is puppet
-      # we'll return a pattern of puppet.reductivelabs.com
-      def interpolate(match)
-        clone = dup
-        if @name == :dynamic
-          clone.pattern = clone.pattern.reverse.collect do |p|
-            p.gsub(/\$(\d)/) { |m| match[$1.to_i] }
-          end.join(".")
-        end
-        clone
-      end
-
-      private
-
-      # Returns nil if both values are true or both are false, returns
-      # -1 if the first is true, and 1 if the second is true.  Used
-      # in the <=> operator.
-      def compare(me, them)
-        (me and them) ? nil : me ? -1 : them ? 1 : nil
-      end
-
-      # Does the name match our pattern?
-      def matchname?(name)
-        case @name
-          when :domain, :dynamic, :opaque
-            name = munge_name(name)
-            (pattern == name) or (not exact? and pattern.zip(name).all? { |p,n| p == n })
-          when :regex
-            Regexp.new(pattern.slice(1..-2)).match(name)
-        end
-      end
-
-      # Convert the name to a common pattern.
-      def munge_name(name)
-        # Change to name.downcase.split(".",-1).reverse for FQDN support
-        name.downcase.split(".").reverse
-      end
-
-      # Parse our input pattern and figure out what kind of allowable
-      # statement it is.  The output of this is used for later matching.
-      Octet = '(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])'
-      IPv4 = "#{Octet}\.#{Octet}\.#{Octet}\.#{Octet}"
-      IPv6_full    = "_:_:_:_:_:_:_:_|_:_:_:_:_:_::_?|_:_:_:_:_::((_:)?_)?|_:_:_:_::((_:){0,2}_)?|_:_:_::((_:){0,3}_)?|_:_::((_:){0,4}_)?|_::((_:){0,5}_)?|::((_:){0,6}_)?"
-      IPv6_partial = "_:_:_:_:_:_:|_:_:_:_::(_:)?|_:_::(_:){0,2}|_::(_:){0,3}"
-      # It should be:
-      #     IP = "#{IPv4}|#{IPv6_full}|(#{IPv6_partial}#{IPv4})".gsub(/_/,'([0-9a-fA-F]{1,4})').gsub(/\(/,'(?:')
-      # but ruby's ipaddr lib doesn't support the hybrid format
-      IP = "#{IPv4}|#{IPv6_full}".gsub(/_/,'([0-9a-fA-F]{1,4})').gsub(/\(/,'(?:')
-
-      def parse_ip(value)
-        @name = :ip
-        @exact, @length, @pattern = *case value
-        when /^(?:#{IP})\/(\d+)$/                                 # 12.34.56.78/24, a001:b002::efff/120, c444:1000:2000::9:192.168.0.1/112
-          [:inexact, $1.to_i, IPAddr.new(value)]
-        when /^(#{IP})$/                                          # 10.20.30.40,
-          [:exact, nil, IPAddr.new(value)]
-        when /^(#{Octet}\.){1,3}\*$/                              # an ip address with a '*' at the end
-          segments = value.split(".")[0..-2]
-          bits = 8*segments.length
-          [:inexact, bits, IPAddr.new((segments+[0,0,0])[0,4].join(".") + "/#{bits}")]
-        else
-          raise AuthStoreError, _("Invalid IP pattern %{value}") % { value: value }
-        end
-      end
-
-      def parse(value)
-        @name,@exact,@length,@pattern = *case value
-        when /^(\w[-\w]*\.)+[-\w]+$/                              # a full hostname
-          # Change to /^(\w[-\w]*\.)+[-\w]+\.?$/ for FQDN support
-          [:domain,:exact,nil,munge_name(value)]
-        when /^\*(\.(\w[-\w]*)){1,}$/                             # *.domain.com
-          host_sans_star = munge_name(value)[0..-2]
-          [:domain,:inexact,host_sans_star.length,host_sans_star]
-        when /\$\d+/                                              # a backreference pattern ala $1.reductivelabs.com or 192.168.0.$1 or $1.$2
-          [:dynamic,:exact,nil,munge_name(value)]
-        when /^\w[-.@\w]*$/                                       # ? Just like a host name but allow '@'s and ending '.'s
-          [:opaque,:exact,nil,[value]]
-        when /^\/.*\/$/                                           # a regular expression
-          [:regex,:inexact,nil,value]
-        else
-          raise AuthStoreError, "Invalid pattern #{value}"
-        end
-      end
-    end
-  end
-end
-

data/lib/puppet/network/http/api/master/v3/authorization.rb

@@ -1,18 +0,0 @@
-require 'puppet/network/authorization'
-
-class Puppet::Network::HTTP::API::Master::V3::Authorization
-  include Puppet::Network::Authorization
-
-  def wrap(&block)
-    lambda do |request, response|
-      begin
-        authconfig.check_authorization(:find, request.path, request.params)
-      rescue Puppet::Network::AuthorizationError => e
-        raise Puppet::Network::HTTP::Error::HTTPNotAuthorizedError.new(e.message, Puppet::Network::HTTP::Issues::FAILED_AUTHORIZATION)
-      end
-
-      block.call.call(request, response)
-    end
-  end
-
-end

data/lib/puppet/network/http/api/master/v3/environment.rb

@@ -1,88 +0,0 @@
-require 'puppet/util/json'
-require 'puppet/parser/environment_compiler'
-
-# @deprecated application orchestration will be removed in puppet 7
-class Puppet::Network::HTTP::API::Master::V3::Environment
-  def call(request, response)
-    Puppet.deprecation_warning("Application orchestration is deprecated. See https://puppet.com/docs/puppet/5.5/deprecated_language.html")
-
-    env_name = request.routing_path.split('/').last
-    env = Puppet.lookup(:environments).get(env_name)
-    code_id = request.params[:code_id]
-
-    if env.nil?
-      raise Puppet::Network::HTTP::Error::HTTPNotFoundError.new(_("%{env_name} is not a known environment") % { env_name: env_name }, Puppet::Network::HTTP::Issues::RESOURCE_NOT_FOUND)
-    end
-
-    catalog = Puppet::Parser::EnvironmentCompiler.compile(env, code_id).to_resource
-
-    env_graph = build_environment_graph(catalog)
-
-    response.respond_with(200, "application/json", Puppet::Util::Json.dump(env_graph))
-  end
-
-  def build_environment_graph(catalog)
-    # This reads catalog and code_id off the catalog rather than using the one
-    # from the request. There shouldn't really be a case where the two differ,
-    # but if they do, the one from the catalog itself is authoritative.
-    env_graph = {:environment => catalog.environment, :applications => {}, :code_id => catalog.code_id}
-    applications = catalog.resources.select do |res|
-      type = res.resource_type
-      type.is_a?(Puppet::Resource::Type) && type.application?
-    end
-    applications.each do |app|
-      file, line = app.file, app.line
-      nodes = app['nodes']
-
-      required_components = catalog.direct_dependents_of(app).map {|comp| comp.ref}
-      mapped_components = nodes.values.flatten.map {|comp| comp.ref}
-
-      nonexistent_components = mapped_components - required_components
-      if nonexistent_components.any?
-        raise Puppet::ParseError.new(
-            _("Application %{application} assigns nodes to non-existent components: %{component_list}") %
-                { application: app, component_list: nonexistent_components.join(', ') }, file, line)
-      end
-
-      missing_components = required_components - mapped_components
-      if missing_components.any?
-        raise Puppet::ParseError.new(_("Application %{application} has components without assigned nodes: %{component_list}") %
-                                         { application: app, component_list: missing_components.join(', ') }, file, line)
-      end
-
-      # Turn the 'nodes' hash into a map component ref => node name
-      node_mapping = {}
-      nodes.each do |node, comps|
-        comps = [comps] unless comps.is_a?(Array)
-        comps.each do |comp|
-          raise Puppet::ParseError.new(_("Application %{app} assigns multiple nodes to component %{comp}") % { app: app, comp: comp }, file, line) if node_mapping.include?(comp.ref)
-          node_mapping[comp.ref] = node.title
-        end
-      end
-
-      app_components = {}
-      catalog.direct_dependents_of(app).each do |comp|
-        app_components[comp.ref] = {
-          :produces => comp.export.map(&:ref),
-          :consumes => prerequisites(comp).map(&:ref),
-          :node => node_mapping[comp.ref]
-        }
-      end
-      env_graph[:applications][app.ref] = app_components
-    end
-
-    env_graph
-  end
-
-  private
-
-  # Finds all the prerequisites of component +comp+. They are all the
-  # capability resources that +comp+ depends on; this includes resources
-  # that +comp+ consumes but also resources it merely requires
-  def prerequisites(comp)
-    params = Puppet::Type.relationship_params.select { |p| p.direction == :in }.map(&:name)
-    params.map { |rel| comp[rel] }.flatten.compact.select do |rel|
-      rel.resource_type && rel.resource_type.is_capability?
-    end
-  end
-end