puppet 6.3.0-universal-darwin → 6.4.0-universal-darwin

data/spec/integration/network/http_pool_spec.rb

@@ -0,0 +1,222 @@
+require 'spec_helper'
+require 'puppet_spec/https'
+require 'puppet_spec/files'
+require 'puppet/network/http_pool'
+
+describe Puppet::Network::HttpPool, unless: Puppet::Util::Platform.jruby? do
+  include PuppetSpec::Files
+
+  before :all do
+    WebMock.disable!
+  end
+
+  after :all do
+    WebMock.enable!
+  end
+
+  before :each do
+    # make sure we don't take too long
+    Puppet[:http_connect_timeout] = '5s'
+  end
+
+  let(:hostname) { '127.0.0.1' }
+  let(:wrong_hostname) { 'localhost' }
+  let(:server) { PuppetSpec::HTTPSServer.new }
+
+  context "when calling deprecated HttpPool methods" do
+    let(:ssl_host) {
+      # use server's cert/key as the client cert/key
+      host = Puppet::SSL::Host.new
+      host.key = Puppet::SSL::Key.from_instance(server.server_key, host.name)
+      host.certificate = Puppet::SSL::Certificate.from_instance(server.server_cert, host.name)
+      host
+    }
+
+    before(:each) do
+      ssldir = tmpdir('http_pool')
+      Puppet[:ssldir] = ssldir
+      Puppet.settings.use(:main, :ssl)
+
+      File.write(Puppet[:localcacert], server.ca_cert.to_pem)
+      File.write(Puppet[:hostcrl], server.ca_crl.to_pem)
+      File.write(Puppet[:hostcert], server.server_cert.to_pem)
+      File.write(Puppet[:hostprivkey], server.server_key.to_pem)
+    end
+
+    # Can't use `around(:each)` because it will cause ssl_host to be
+    # created outside of any rspec example, and $confdir won't be set
+    before(:each) do
+      Puppet.push_context(ssl_host: ssl_host)
+    end
+
+    after (:each) do
+      Puppet.pop_context
+    end
+
+    def connection(host, port)
+      Puppet::Network::HttpPool.http_instance(host, port, use_ssl: true)
+    end
+
+    shared_examples_for 'HTTPS client' do
+      it "connects over SSL" do
+        server.start_server do |port|
+          http = connection(hostname, port)
+          res = http.get('/')
+          expect(res.code).to eq('200')
+        end
+      end
+
+      it "raises if the server's cert doesn't match the hostname we connected to" do
+        server.start_server do |port|
+          http = connection(wrong_hostname, port)
+          expect {
+            http.get('/')
+          }.to raise_error { |err|
+            pending("PUP-8213") if RUBY_VERSION.to_f >= 2.4
+
+            expect(err).to be_instance_of(Puppet::SSL::CertMismatchError)
+            expect(err.message).to match(/\AServer hostname '#{wrong_hostname}' did not match server certificate; expected one of (.+)/)
+
+            md = err.message.match(/expected one of (.+)/)
+            expect(md[1].split(', ')).to contain_exactly('127.0.0.1', 'DNS:127.0.0.1', 'DNS:127.0.0.2')
+          }
+        end
+      end
+
+      it "raises if the server's CA is unknown" do
+        # File must exist and by not empty so DefaultValidator doesn't
+        # downgrade to VERIFY_NONE, so use a different CA that didn't
+        # issue the server's cert
+        capath = tmpfile('empty')
+        File.write(capath, cert_fixture('netlock-arany-utf8.pem'))
+        Puppet[:localcacert] = capath
+        Puppet[:certificate_revocation] = false
+
+        server.start_server do |port|
+          http = connection(hostname, port)
+          expect {
+            http.get('/')
+          }.to raise_error(Puppet::Error,
+                           %r{certificate verify failed.* .self signed certificate in certificate chain for /CN=Test CA.})
+        end
+      end
+    end
+
+
+    context "when using single use HTTPS connections" do
+      include_examples 'HTTPS client'
+    end
+
+    context "when using persistent HTTPS connections" do
+      around :each do |example|
+        pool = Puppet::Network::HTTP::Pool.new
+        Puppet.override(:http_pool => pool) do
+          example.run
+        end
+        pool.close
+      end
+
+      include_examples 'HTTPS client'
+    end
+  end
+
+  context "when calling HttpPool.connection method" do
+    let(:ssl) { Puppet::SSL::SSLProvider.new }
+    let(:ssl_context) { ssl.create_root_context(cacerts: [server.ca_cert], crls: [server.ca_crl]) }
+
+    def connection(host, port, ssl_context:)
+      Puppet::Network::HttpPool.connection(host, port, ssl_context: ssl_context)
+    end
+
+    # Configure the server's SSLContext to require a client certificate. The `client_ca`
+    # setting allows the server to advertise which client CAs it will accept.
+    def require_client_certs(ctx)
+      ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+      ctx.client_ca = [cert_fixture('ca.pem')]
+    end
+
+    it "connects over SSL" do
+      server.start_server do |port|
+        http = connection(hostname, port, ssl_context: ssl_context)
+        res = http.get('/')
+        expect(res.code).to eq('200')
+      end
+    end
+
+    it "raises if the server's cert doesn't match the hostname we connected to" do
+      server.start_server do |port|
+        http = connection(wrong_hostname, port, ssl_context: ssl_context)
+        expect {
+          http.get('/')
+        }.to raise_error { |err|
+          expect(err).to be_instance_of(Puppet::SSL::CertMismatchError)
+          expect(err.message).to match(/\AServer hostname '#{wrong_hostname}' did not match server certificate; expected one of (.+)/)
+
+          md = err.message.match(/expected one of (.+)/)
+          expect(md[1].split(', ')).to contain_exactly('127.0.0.1', 'DNS:127.0.0.1', 'DNS:127.0.0.2')
+        }
+      end
+    end
+
+    it "raises if the server's CA is unknown" do
+      server.start_server do |port|
+        ssl_context = ssl.create_root_context(cacerts: [cert_fixture('netlock-arany-utf8.pem')],
+                                              crls: [server.ca_crl])
+        http = Puppet::Network::HttpPool.connection(hostname, port, ssl_context: ssl_context)
+        expect {
+          http.get('/')
+        }.to raise_error(Puppet::Error,
+                         %r{certificate verify failed.* .self signed certificate in certificate chain for /CN=Test CA.})
+      end
+    end
+
+    it "warns when client has an incomplete client cert chain" do
+      Puppet.expects(:warning).with("The issuer '/CN=Test CA Agent Subauthority' of certificate '/CN=pluto' cannot be found locally")
+
+      pluto = cert_fixture('pluto.pem')
+
+      ssl_context = ssl.create_context(
+        cacerts: [server.ca_cert], crls: [server.ca_crl],
+        client_cert: pluto, private_key: key_fixture('pluto-key.pem')
+      )
+
+      # verify client has incomplete chain
+      expect(ssl_context.client_chain.map(&:to_der)).to eq([pluto.to_der])
+
+      # force server to require (not request) client certs
+      ctx_proc = -> (ctx) {
+        require_client_certs(ctx)
+
+        # server needs to trust the client's intermediate CA to complete the client's chain
+        ctx.cert_store.add_cert(cert_fixture('intermediate-agent.pem'))
+      }
+
+      server.start_server(ctx_proc: ctx_proc) do |port|
+        http = Puppet::Network::HttpPool.connection(hostname, port, ssl_context: ssl_context)
+        res = http.get('/')
+        expect(res.code).to eq('200')
+      end
+    end
+
+    it "sends a complete client cert chain" do
+      pluto = cert_fixture('pluto.pem')
+      client_ca = cert_fixture('intermediate-agent.pem')
+
+      ssl_context = ssl.create_context(
+        cacerts: [server.ca_cert, client_ca],
+        crls: [server.ca_crl, crl_fixture('intermediate-agent-crl.pem')],
+        client_cert: pluto,
+        private_key: key_fixture('pluto-key.pem')
+      )
+
+      # verify client has complete chain from leaf to root
+      expect(ssl_context.client_chain.map(&:to_der)).to eq([pluto, client_ca, server.ca_cert].map(&:to_der))
+
+      server.start_server(ctx_proc: method(:require_client_certs)) do |port|
+        http = Puppet::Network::HttpPool.connection(hostname, port, ssl_context: ssl_context)
+        res = http.get('/')
+        expect(res.code).to eq('200')
+      end
+    end
+  end
+end

data/spec/integration/provider/file/windows_spec.rb

@@ -0,0 +1,162 @@
+require 'spec_helper'
+require 'puppet_spec/compiler'
+require 'puppet_spec/files'
+
+# For some reason the provider test will not filter out on windows when using the
+# :if => Puppet.features.microsoft_windows? method of filtering the tests.
+if Puppet.features.microsoft_windows?
+  require 'puppet/util/windows'
+  describe Puppet::Type.type(:file).provider(:windows), '(integration)' do
+    include PuppetSpec::Compiler
+    include PuppetSpec::Files
+
+    def create_temp_file(owner_sid, group_sid, initial_mode)
+      tmp_file = tmpfile('filewindowsprovider')
+      File.delete(tmp_file) if File.exist?(tmp_file)
+      File.open(tmp_file, 'w') { |file| file.write("rspec test") }
+
+      # There are other tests to ensure that these methods do indeed
+      # set the owner and group.  Therefore it's ok to depend on them
+      # here
+      Puppet::Util::Windows::Security.set_owner(owner_sid, tmp_file) unless owner_sid.nil?
+      Puppet::Util::Windows::Security.set_group(group_sid, tmp_file) unless group_sid.nil?
+      # Pretend we are managing the owner and group to FORCE this mode, even if it's "bad"
+      Puppet::Util::Windows::Security.set_mode(initial_mode.to_i(8), tmp_file, true, true, true) unless initial_mode.nil?
+
+      tmp_file
+    end
+
+    def strip_sticky(value)
+      # For the purposes of these tests we don't care about the extra-ace bit in modes
+      # This function removes it
+      value & ~Puppet::Util::Windows::Security::S_IEXTRA
+    end
+
+    sids = {
+      :system => Puppet::Util::Windows::SID::LocalSystem,
+      :administrators => Puppet::Util::Windows::SID::BuiltinAdministrators,
+      :users => Puppet::Util::Windows::SID::BuiltinUsers,
+      :power_users => Puppet::Util::Windows::SID::PowerUsers,
+      :none => Puppet::Util::Windows::SID::Nobody,
+      :everyone => Puppet::Util::Windows::SID::Everyone
+    }
+
+    # Testcase Hash options
+    # create_* : These options are used when creating the initial test file
+    # create_owner (Required!)
+    # create_group (Required!)
+    # create_mode
+    #
+    # manifest_* : These options are used to craft the manifest which is applied to the test file after createion
+    # manifest_owner,
+    # manifest_group,
+    # manifest_mode (Required!)
+    #
+    # actual_* : These options are used to check the _actual_ values as opposed to the munged values from puppet
+    # actual_mode (Uses manifest_mode for checks if not set)
+
+    RSpec.shared_examples "a mungable file resource" do |testcase|
+
+      before(:each) do
+        @tmp_file = create_temp_file(sids[testcase[:create_owner]], sids[testcase[:create_group]], testcase[:create_mode])
+        raise "Could not create temporary file" if @tmp_file.nil?
+      end
+
+      after(:each) do
+        File.delete(@tmp_file) if File.exist?(@tmp_file)
+      end
+
+      context_name = "With initial owner '#{testcase[:create_owner]}' and initial group '#{testcase[:create_owner]}'"
+      context_name += " and initial mode of '#{testcase[:create_mode]}'" unless testcase[:create_mode].nil?
+      context_name += " and a mode of '#{testcase[:manifest_mode]}' in the manifest"
+      context_name += " and an owner of '#{testcase[:manifest_owner]}' in the manifest" unless testcase[:manifest_owner].nil?
+      context_name += " and a group of '#{testcase[:manifest_group]}' in the manifest" unless testcase[:manifest_group].nil?
+
+      context context_name do
+        is_idempotent = testcase[:is_idempotent].nil? || testcase[:is_idempotent]
+
+        let(:manifest) do
+          value = <<-MANIFEST
+            file { 'rspec_example':
+              ensure => present,
+              path   => '#{@tmp_file}',
+              mode   => '#{testcase[:manifest_mode]}',
+          MANIFEST
+          value += "  owner  => '#{testcase[:manifest_owner]}',\n" unless testcase[:manifest_owner].nil?
+          value += "  group  => '#{testcase[:manifest_group]}',\n" unless testcase[:manifest_group].nil?
+          value + "}"
+        end
+
+        it "should apply with no errors and have expected ACL" do
+          apply_with_error_check(manifest)
+          new_mode = strip_sticky(Puppet::Util::Windows::Security.get_mode(@tmp_file))
+          expect(new_mode.to_s(8)).to eq (testcase[:actual_mode].nil? ? testcase[:manifest_mode] : testcase[:actual_mode])
+        end
+
+        it "should be idempotent", :if => is_idempotent do
+          result = apply_with_error_check(manifest)
+          result = apply_with_error_check(manifest)
+          # Idempotent. Should be no changed resources
+          expect(result.changed?.count).to eq 0
+        end
+
+        it "should NOT be idempotent", :unless => is_idempotent do
+          result = apply_with_error_check(manifest)
+          result = apply_with_error_check(manifest)
+          result = apply_with_error_check(manifest)
+          result = apply_with_error_check(manifest)
+          # Not idempotent. Expect changed resources
+          expect(result.changed?.count).to be > 0
+        end
+      end
+    end
+
+    # These scenarios round-trip permissions and are idempotent
+    [
+      { :create_owner => :system,         :create_group => :administrators, :manifest_mode => '760' },
+      { :create_owner => :administrators, :create_group => :administrators, :manifest_mode => '660' },
+      { :create_owner => :system,         :create_group => :system,         :manifest_mode => '770' },
+    ].each do |testcase|
+      # What happens if the owner and group are not managed
+      it_behaves_like "a mungable file resource", testcase
+      # What happens if the owner is managed
+      it_behaves_like "a mungable file resource", testcase.merge({ :manifest_owner => testcase[:create_owner]})
+      # What happens if the group is managed
+      it_behaves_like "a mungable file resource", testcase.merge({ :manifest_group => testcase[:create_group]})
+      # What happens if both the owner and group are managed
+      it_behaves_like "a mungable file resource", testcase.merge({
+        :manifest_owner => testcase[:create_owner],
+        :manifest_group => testcase[:create_group]
+      })
+    end
+
+    # SYSTEM is special in that when specifying less than mode 7, the owner and/or group MUST be managed
+    # otherwise it's munged to 7 behind the scenes and is not idempotent
+    both_system_testcase = { :create_owner => :system, :create_group => :system, :manifest_mode => '660', :actual_mode => '770', :is_idempotent => false }
+    # What happens if the owner and group are not managed
+    it_behaves_like "a mungable file resource", both_system_testcase.merge({ :is_idempotent => true })
+    # What happens if the owner is managed
+    it_behaves_like "a mungable file resource", both_system_testcase.merge({ :manifest_owner => both_system_testcase[:create_owner]})
+    # What happens if the group is managed
+    it_behaves_like "a mungable file resource", both_system_testcase.merge({ :manifest_group => both_system_testcase[:create_group]})
+
+    # However when we manage SYSTEM explicitly, then the modes lower than 7 stick and the file provider
+    # assumes it's insync (i.e. idempotent)
+    it_behaves_like "a mungable file resource", both_system_testcase.merge({
+      :manifest_owner => both_system_testcase[:create_owner],
+      :manifest_group => both_system_testcase[:create_group],
+      :actual_mode    => both_system_testcase[:manifest_mode],
+      :is_idempotent  => true
+    })
+
+    # What happens if we _create_ a file that SYSTEM is a part of, and is Full Control, but the manifest says it should not be Full Control
+    # Behind the scenes the mode should be changed to 7 and be idempotent
+    [
+      { :create_owner => :system,         :create_group => :system,         :manifest_mode => '660' },
+      { :create_owner => :administrators, :create_group => :system,         :manifest_mode => '760' },
+      { :create_owner => :system,         :create_group => :administrators, :manifest_mode => '670' },
+    ].each do |testcase|
+      it_behaves_like "a mungable file resource", testcase.merge({ :create_mode => '770', :actual_mode => '770'})
+    end
+  end
+end

data/spec/integration/rest/client_spec.rb

@@ -0,0 +1,73 @@
+require 'spec_helper'
+require 'puppet_spec/https'
+require 'puppet_spec/files'
+require 'puppet/rest/client'
+
+describe Puppet::Rest::Client, unless: Puppet::Util::Platform.jruby? do
+  include PuppetSpec::Files
+
+  before :all do
+    WebMock.disable!
+  end
+
+  after :all do
+    WebMock.enable!
+  end
+
+  let(:hostname) { '127.0.0.1' }
+  let(:wrong_hostname) { 'localhost' }
+  let(:server) { PuppetSpec::HTTPSServer.new }
+  let(:ssl) { Puppet::SSL::SSLProvider.new }
+  let(:ssl_context) { ssl.create_root_context(cacerts: [server.ca_cert], crls: [server.ca_crl]) }
+  let(:client) { Puppet::Rest::Client.new(ssl_context: ssl_context) }
+
+  before(:each) do
+    localcacert = tmpfile('rest_client')
+    File.write(localcacert, server.ca_cert.to_pem)
+    Puppet[:ssl_client_ca_auth] = localcacert
+
+    # make sure we don't take too long
+    Puppet[:http_connect_timeout] = '5s'
+  end
+
+  it "connects over SSL" do
+    server.start_server do |port|
+      uri = URI.parse("https://#{hostname}:#{port}/blah")
+      expect { |b|
+        client.get(uri, &b)
+      }.to yield_with_args('OK')
+    end
+  end
+
+  it 'provides a meaningful error message when cert validation fails' do
+    ssl_context = ssl.create_root_context(
+      cacerts: [cert_fixture('netlock-arany-utf8.pem')]
+    )
+    client = Puppet::Rest::Client.new(ssl_context: ssl_context)
+
+    server.start_server do |port|
+      uri = URI.parse("https://#{hostname}:#{port}/blah")
+      expect {
+        client.get(uri)
+      }.to raise_error(Puppet::Error,
+                       %r{certificate verify failed.* .self signed certificate in certificate chain for /CN=Test CA.})
+    end
+  end
+
+  it 'provides valuable error message when cert names do not match' do
+    server.start_server do |port|
+      uri = URI.parse("https://#{wrong_hostname}:#{port}/blah")
+      expect {
+        client.get(uri)
+      }.to raise_error do |error|
+        pending("PUP-8213") if RUBY_VERSION.to_f >= 2.4 && !Puppet::Util::Platform.jruby?
+
+        expect(error).to be_instance_of(Puppet::SSL::CertMismatchError)
+        expect(error.message).to match(/\AServer hostname '#{wrong_hostname}' did not match server certificate; expected one of (.+)/)
+
+        md = error.message.match(/expected one of (.+)/)
+        expect(md[1].split(', ')).to contain_exactly('127.0.0.1', 'DNS:127.0.0.1', 'DNS:127.0.0.2')
+      end
+    end
+  end
+end