puppet 6.3.0-x64-mingw32 → 6.4.0-x64-mingw32
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of puppet might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CODEOWNERS +30 -0
- data/Gemfile.lock +9 -9
- data/lib/puppet.rb +13 -0
- data/lib/puppet/application/agent.rb +8 -12
- data/lib/puppet/application/device.rb +2 -3
- data/lib/puppet/application/filebucket.rb +6 -1
- data/lib/puppet/application/ssl.rb +102 -55
- data/lib/puppet/configurer.rb +8 -7
- data/lib/puppet/defaults.rb +3 -1
- data/lib/puppet/file_system.rb +24 -4
- data/lib/puppet/file_system/file_impl.rb +25 -0
- data/lib/puppet/file_system/jruby.rb +23 -0
- data/lib/puppet/file_system/windows.rb +84 -0
- data/lib/puppet/indirector/rest.rb +4 -2
- data/lib/puppet/loaders.rb +1 -0
- data/lib/puppet/network/http.rb +1 -0
- data/lib/puppet/network/http/base_pool.rb +18 -0
- data/lib/puppet/network/http/connection.rb +49 -17
- data/lib/puppet/network/http/nocache_pool.rb +9 -4
- data/lib/puppet/network/http/pool.rb +10 -11
- data/lib/puppet/network/http/session.rb +3 -2
- data/lib/puppet/network/http_pool.rb +32 -0
- data/lib/puppet/pops/loader/generic_plan_instantiator.rb +28 -0
- data/lib/puppet/pops/loader/loader_paths.rb +46 -10
- data/lib/puppet/pops/loader/module_loaders.rb +10 -3
- data/lib/puppet/provider/file/windows.rb +49 -1
- data/lib/puppet/provider/package/windows.rb +5 -1
- data/lib/puppet/reports/http.rb +2 -1
- data/lib/puppet/rest/client.rb +7 -3
- data/lib/puppet/rest/routes.rb +9 -44
- data/lib/puppet/ssl.rb +6 -0
- data/lib/puppet/ssl/error.rb +26 -0
- data/lib/puppet/ssl/host.rb +9 -92
- data/lib/puppet/ssl/ssl_context.rb +30 -0
- data/lib/puppet/ssl/ssl_provider.rb +232 -0
- data/lib/puppet/ssl/state_machine.rb +261 -0
- data/lib/puppet/ssl/validator.rb +1 -0
- data/lib/puppet/ssl/validator/default_validator.rb +1 -0
- data/lib/puppet/ssl/validator/no_validator.rb +2 -0
- data/lib/puppet/ssl/verifier.rb +134 -0
- data/lib/puppet/ssl/verifier_adapter.rb +48 -0
- data/lib/puppet/test/test_helper.rb +2 -1
- data/lib/puppet/type/exec.rb +30 -6
- data/lib/puppet/type/file/mode.rb +6 -1
- data/lib/puppet/type/file/source.rb +2 -2
- data/lib/puppet/type/filebucket.rb +12 -8
- data/lib/puppet/type/user.rb +14 -1
- data/lib/puppet/util/connection.rb +10 -5
- data/lib/puppet/util/feature.rb +11 -2
- data/lib/puppet/util/http_proxy.rb +3 -2
- data/lib/puppet/util/pidlock.rb +1 -1
- data/lib/puppet/util/ssl.rb +1 -10
- data/lib/puppet/util/windows/security.rb +29 -8
- data/lib/puppet/version.rb +1 -1
- data/lib/puppet/x509.rb +7 -0
- data/lib/puppet/x509/cert_provider.rb +286 -0
- data/lib/puppet/x509/pem_store.rb +55 -0
- data/locales/ja/puppet.po +740 -590
- data/locales/puppet.pot +433 -208
- data/man/man5/puppet.conf.5 +6 -3
- data/man/man8/puppet-agent.8 +1 -1
- data/man/man8/puppet-apply.8 +1 -1
- data/man/man8/puppet-catalog.8 +1 -1
- data/man/man8/puppet-config.8 +1 -1
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +1 -1
- data/man/man8/puppet-filebucket.8 +6 -2
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +1 -1
- data/man/man8/puppet-key.8 +1 -1
- data/man/man8/puppet-lookup.8 +1 -1
- data/man/man8/puppet-man.8 +1 -1
- data/man/man8/puppet-module.8 +1 -1
- data/man/man8/puppet-node.8 +1 -1
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +1 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +5 -1
- data/man/man8/puppet-status.8 +1 -1
- data/man/man8/puppet.8 +2 -2
- data/spec/fixtures/ssl/127.0.0.1-key.pem +67 -0
- data/spec/fixtures/ssl/127.0.0.1.pem +48 -0
- data/spec/fixtures/ssl/bad-basic-constraints.pem +59 -0
- data/spec/fixtures/ssl/bad-int-basic-constraints.pem +59 -0
- data/spec/fixtures/ssl/ca.pem +59 -0
- data/spec/fixtures/ssl/crl.pem +30 -0
- data/spec/fixtures/ssl/encrypted-key.pem +70 -0
- data/spec/fixtures/ssl/intermediate-agent-crl.pem +31 -0
- data/spec/fixtures/ssl/intermediate-agent.pem +60 -0
- data/spec/fixtures/ssl/intermediate-crl.pem +36 -0
- data/spec/fixtures/ssl/intermediate.pem +60 -0
- data/spec/fixtures/ssl/netlock-arany-utf8.pem +23 -0
- data/spec/fixtures/ssl/pluto-key.pem +67 -0
- data/spec/fixtures/ssl/pluto.pem +44 -0
- data/spec/fixtures/ssl/request-key.pem +67 -0
- data/spec/fixtures/ssl/request.pem +39 -0
- data/spec/fixtures/ssl/revoked-key.pem +67 -0
- data/spec/fixtures/ssl/revoked.pem +44 -0
- data/spec/fixtures/ssl/signed-key.pem +67 -0
- data/spec/fixtures/ssl/signed.pem +44 -0
- data/spec/fixtures/ssl/tampered-cert.pem +44 -0
- data/spec/fixtures/ssl/tampered-csr.pem +39 -0
- data/spec/integration/network/http_pool_spec.rb +222 -0
- data/spec/integration/provider/file/windows_spec.rb +162 -0
- data/spec/integration/rest/client_spec.rb +73 -0
- data/spec/integration/type/file_spec.rb +0 -19
- data/spec/lib/puppet/test_ca.rb +87 -50
- data/spec/lib/puppet_spec/fixtures.rb +20 -0
- data/spec/lib/puppet_spec/https.rb +84 -0
- data/spec/unit/application/agent_spec.rb +29 -30
- data/spec/unit/application/device_spec.rb +12 -49
- data/spec/unit/application/ssl_spec.rb +24 -38
- data/spec/unit/configurer_spec.rb +11 -11
- data/spec/unit/file_system/uniquefile_spec.rb +6 -0
- data/spec/unit/file_system_spec.rb +214 -0
- data/spec/unit/indirector/rest_spec.rb +3 -3
- data/spec/unit/network/http/connection_spec.rb +30 -90
- data/spec/unit/network/http/factory_spec.rb +1 -0
- data/spec/unit/network/http/nocache_pool_spec.rb +8 -8
- data/spec/unit/network/http/pool_spec.rb +63 -33
- data/spec/unit/network/http/session_spec.rb +8 -1
- data/spec/unit/network/http_pool_spec.rb +36 -0
- data/spec/unit/pops/loaders/loader_spec.rb +26 -1
- data/spec/unit/provider/package/windows_spec.rb +12 -1
- data/spec/unit/reports/http_spec.rb +7 -7
- data/spec/unit/rest/client_spec.rb +4 -6
- data/spec/unit/ssl/host_spec.rb +39 -33
- data/spec/unit/ssl/ssl_provider_spec.rb +428 -0
- data/spec/unit/ssl/state_machine_spec.rb +502 -0
- data/spec/unit/ssl/verifier_spec.rb +123 -0
- data/spec/unit/type/exec_spec.rb +63 -0
- data/spec/unit/type/file/source_spec.rb +5 -5
- data/spec/unit/type/filebucket_spec.rb +8 -6
- data/spec/unit/util/feature_spec.rb +2 -2
- data/spec/unit/util/storage_spec.rb +19 -19
- data/spec/unit/x509/cert_provider_spec.rb +527 -0
- data/spec/unit/x509/pem_store_spec.rb +160 -0
- data/tasks/generate_cert_fixtures.rake +158 -0
- metadata +78 -4
- data/MAINTAINERS +0 -47
- data/lib/puppet/rest/ssl_context.rb +0 -13
@@ -1525,15 +1525,6 @@ describe Puppet::Type.type(:file), :uses_checksums => true do
|
|
1525
1525
|
catalog.apply
|
1526
1526
|
end
|
1527
1527
|
|
1528
|
-
it "should not allow the user to explicitly set the mode to 4 ,and correct to 7" do
|
1529
|
-
system_aces = get_aces_for_path_by_sid(path, @sids[:system])
|
1530
|
-
expect(system_aces).not_to be_empty
|
1531
|
-
|
1532
|
-
system_aces.each do |ace|
|
1533
|
-
expect(ace.mask).to eq(Puppet::Util::Windows::File::FILE_ALL_ACCESS)
|
1534
|
-
end
|
1535
|
-
end
|
1536
|
-
|
1537
1528
|
it "prepends SYSTEM ace when changing group from system to power users" do
|
1538
1529
|
@file[:group] = @sids[:power_users]
|
1539
1530
|
catalog.apply
|
@@ -1612,16 +1603,6 @@ describe Puppet::Type.type(:file), :uses_checksums => true do
|
|
1612
1603
|
catalog.apply
|
1613
1604
|
end
|
1614
1605
|
|
1615
|
-
it "should not allow the user to explicitly set the mode to 4, and correct to 7" do
|
1616
|
-
system_aces = get_aces_for_path_by_sid(dir, @sids[:system])
|
1617
|
-
expect(system_aces).not_to be_empty
|
1618
|
-
|
1619
|
-
system_aces.each do |ace|
|
1620
|
-
# unlike files, Puppet sets execute bit on directories that are readable
|
1621
|
-
expect(ace.mask).to eq(Puppet::Util::Windows::File::FILE_ALL_ACCESS)
|
1622
|
-
end
|
1623
|
-
end
|
1624
|
-
|
1625
1606
|
it "prepends SYSTEM ace when changing group from system to power users" do
|
1626
1607
|
@directory[:group] = @sids[:power_users]
|
1627
1608
|
catalog.apply
|
data/spec/lib/puppet/test_ca.rb
CHANGED
@@ -1,8 +1,8 @@
|
|
1
1
|
module Puppet
|
2
2
|
class TestCa
|
3
3
|
|
4
|
-
CERT_VALID_FROM =
|
5
|
-
CERT_VALID_UNTIL = (Time.now +
|
4
|
+
CERT_VALID_FROM = Time.at(0).freeze # 1969-12-31 16:00:00 -0800
|
5
|
+
CERT_VALID_UNTIL = (Time.now + (10 * 365 * 24 * 60 * 60)).freeze # 10 years from now
|
6
6
|
|
7
7
|
CA_EXTENSIONS = [
|
8
8
|
["basicConstraints", "CA:TRUE", true],
|
@@ -12,13 +12,78 @@ module Puppet
|
|
12
12
|
["authorityKeyIdentifier", "keyid:always", false]
|
13
13
|
].freeze
|
14
14
|
|
15
|
-
attr_reader :ca_cert, :ca_crl
|
15
|
+
attr_reader :ca_cert, :ca_crl, :key
|
16
|
+
|
17
|
+
@serial = 0
|
18
|
+
def self.next_serial
|
19
|
+
id = @serial
|
20
|
+
@serial += 1
|
21
|
+
id
|
22
|
+
end
|
16
23
|
|
17
24
|
def initialize
|
18
25
|
@digest = OpenSSL::Digest::SHA256.new
|
19
|
-
|
20
|
-
@
|
21
|
-
@
|
26
|
+
info = create_cacert('Test CA')
|
27
|
+
@key = info[:private_key]
|
28
|
+
@ca_cert = info[:cert]
|
29
|
+
@ca_crl = create_crl(@ca_cert, @key)
|
30
|
+
end
|
31
|
+
|
32
|
+
def create_request(name)
|
33
|
+
key = OpenSSL::PKey::RSA.new(1024)
|
34
|
+
csr = OpenSSL::X509::Request.new
|
35
|
+
csr.public_key = key.public_key
|
36
|
+
csr.subject = OpenSSL::X509::Name.new([["CN", name]])
|
37
|
+
csr.version = 2
|
38
|
+
csr.sign(key, @digest)
|
39
|
+
{ private_key: key, csr: csr }
|
40
|
+
end
|
41
|
+
|
42
|
+
def create_cert(name, issuer_cert, issuer_key, opts = {})
|
43
|
+
key, cert = build_cert(name, issuer_cert.subject)
|
44
|
+
ef = extension_factory_for(issuer_cert, cert)
|
45
|
+
if opts[:subject_alt_names]
|
46
|
+
ext = ef.create_extension(["subjectAltName", opts[:subject_alt_names], false])
|
47
|
+
cert.add_extension(ext)
|
48
|
+
end
|
49
|
+
cert.sign(issuer_key, @digest)
|
50
|
+
{ private_key: key, cert: cert }
|
51
|
+
end
|
52
|
+
|
53
|
+
def create_intermediate_cert(name, issuer_cert, issuer_key)
|
54
|
+
key, cert = build_cert(name, issuer_cert.subject)
|
55
|
+
ef = extension_factory_for(issuer_cert, cert)
|
56
|
+
CA_EXTENSIONS.each do |ext|
|
57
|
+
cert.add_extension(ef.create_extension(*ext))
|
58
|
+
end
|
59
|
+
cert.sign(issuer_key, @digest)
|
60
|
+
{ private_key: key, cert: cert }
|
61
|
+
end
|
62
|
+
|
63
|
+
def create_cacert(name)
|
64
|
+
issuer = OpenSSL::X509::Name.new([["CN", name]])
|
65
|
+
key, cert = build_cert(name, issuer)
|
66
|
+
ef = extension_factory_for(cert, cert)
|
67
|
+
CA_EXTENSIONS.each do |ext|
|
68
|
+
cert.add_extension(ef.create_extension(*ext))
|
69
|
+
end
|
70
|
+
cert.sign(key, @digest)
|
71
|
+
{ private_key: key, cert: cert }
|
72
|
+
end
|
73
|
+
|
74
|
+
def create_crl(issuer_cert, issuer_key)
|
75
|
+
crl = OpenSSL::X509::CRL.new
|
76
|
+
crl.version = 1
|
77
|
+
crl.issuer = issuer_cert.subject
|
78
|
+
ef = extension_factory_for(issuer_cert)
|
79
|
+
crl.add_extension(
|
80
|
+
ef.create_extension(["authorityKeyIdentifier", "keyid:always", false]))
|
81
|
+
crl.add_extension(
|
82
|
+
OpenSSL::X509::Extension.new("crlNumber", OpenSSL::ASN1::Integer(0)))
|
83
|
+
crl.last_update = CERT_VALID_FROM
|
84
|
+
crl.next_update = CERT_VALID_UNTIL
|
85
|
+
crl.sign(issuer_key, @digest)
|
86
|
+
crl
|
22
87
|
end
|
23
88
|
|
24
89
|
def sign(csr, opts = {})
|
@@ -27,7 +92,7 @@ module Puppet
|
|
27
92
|
cert.subject = csr.subject
|
28
93
|
cert.issuer = @ca_cert.subject
|
29
94
|
cert.version = 2
|
30
|
-
cert.serial =
|
95
|
+
cert.serial = self.class.next_serial
|
31
96
|
cert.not_before = CERT_VALID_FROM
|
32
97
|
cert.not_after = CERT_VALID_UNTIL
|
33
98
|
ef = extension_factory_for(@ca_cert, cert)
|
@@ -39,64 +104,36 @@ module Puppet
|
|
39
104
|
Puppet::SSL::Certificate.from_instance(cert)
|
40
105
|
end
|
41
106
|
|
42
|
-
def revoke(cert)
|
107
|
+
def revoke(cert, crl = @crl, issuer_key = @key)
|
43
108
|
revoked = OpenSSL::X509::Revoked.new
|
44
109
|
revoked.serial = cert.serial
|
45
110
|
revoked.time = Time.now
|
46
111
|
enum = OpenSSL::ASN1::Enumerated(OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
|
47
112
|
ext = OpenSSL::X509::Extension.new("CRLReason", enum)
|
48
|
-
revoked.
|
49
|
-
|
113
|
+
revoked.add_extension(ext)
|
114
|
+
crl.add_revoked(revoked)
|
115
|
+
crl.sign(issuer_key, @digest)
|
50
116
|
end
|
51
117
|
|
52
118
|
def generate(name, opts)
|
53
|
-
|
54
|
-
|
55
|
-
|
119
|
+
info = create_request(name)
|
120
|
+
cert = sign(info[:csr], opts).content
|
121
|
+
info.merge(cert: cert)
|
56
122
|
end
|
57
123
|
|
58
124
|
private
|
59
125
|
|
60
|
-
def
|
61
|
-
|
62
|
-
csr.public_key = key.public_key
|
63
|
-
csr.subject = OpenSSL::X509::Name.new([["CN", name]])
|
64
|
-
csr.version = 2
|
65
|
-
csr.sign(key, @digest)
|
66
|
-
csr
|
67
|
-
end
|
68
|
-
|
69
|
-
def self_signed_ca
|
126
|
+
def build_cert(name, issuer)
|
127
|
+
key = OpenSSL::PKey::RSA.new(1024)
|
70
128
|
cert = OpenSSL::X509::Certificate.new
|
71
|
-
cert.public_key =
|
72
|
-
cert.subject = OpenSSL::X509::Name.new([["CN",
|
73
|
-
cert.issuer =
|
129
|
+
cert.public_key = key.public_key
|
130
|
+
cert.subject = OpenSSL::X509::Name.new([["CN", name]])
|
131
|
+
cert.issuer = issuer
|
74
132
|
cert.version = 2
|
75
|
-
cert.serial =
|
133
|
+
cert.serial = self.class.next_serial
|
76
134
|
cert.not_before = CERT_VALID_FROM
|
77
|
-
cert.not_after
|
78
|
-
|
79
|
-
CA_EXTENSIONS.each do |ext|
|
80
|
-
extension = ef.create_extension(*ext)
|
81
|
-
cert.add_extension(extension)
|
82
|
-
end
|
83
|
-
cert.sign(@key, @digest)
|
84
|
-
cert
|
85
|
-
end
|
86
|
-
|
87
|
-
def create_crl
|
88
|
-
crl = OpenSSL::X509::CRL.new
|
89
|
-
crl.version = 1
|
90
|
-
crl.issuer = @ca_cert.subject
|
91
|
-
ef = extension_factory_for(@ca_cert)
|
92
|
-
crl.add_extension(
|
93
|
-
ef.create_extension(["authorityKeyIdentifier", "keyid:always", false]))
|
94
|
-
crl.add_extension(
|
95
|
-
OpenSSL::X509::Extension.new("crlNumber", OpenSSL::ASN1::Integer(0)))
|
96
|
-
crl.last_update = CERT_VALID_FROM
|
97
|
-
crl.next_update = CERT_VALID_UNTIL
|
98
|
-
crl.sign(@key, @digest)
|
99
|
-
crl
|
135
|
+
cert.not_after = CERT_VALID_UNTIL
|
136
|
+
[key, cert]
|
100
137
|
end
|
101
138
|
|
102
139
|
def extension_factory_for(ca, cert = nil)
|
@@ -25,4 +25,24 @@ module PuppetSpec::Fixtures
|
|
25
25
|
block_given? and files.each do |file| yield file end
|
26
26
|
files
|
27
27
|
end
|
28
|
+
|
29
|
+
def pem_content(name)
|
30
|
+
File.read(File.join(PuppetSpec::FIXTURE_DIR, 'ssl', name), encoding: 'UTF-8')
|
31
|
+
end
|
32
|
+
|
33
|
+
def cert_fixture(name)
|
34
|
+
OpenSSL::X509::Certificate.new(pem_content(name))
|
35
|
+
end
|
36
|
+
|
37
|
+
def crl_fixture(name)
|
38
|
+
OpenSSL::X509::CRL.new(pem_content(name))
|
39
|
+
end
|
40
|
+
|
41
|
+
def key_fixture(name)
|
42
|
+
OpenSSL::PKey::RSA.new(pem_content(name))
|
43
|
+
end
|
44
|
+
|
45
|
+
def request_fixture(name)
|
46
|
+
OpenSSL::X509::Request.new(pem_content(name))
|
47
|
+
end
|
28
48
|
end
|
@@ -0,0 +1,84 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
require 'webrick'
|
3
|
+
|
4
|
+
class PuppetSpec::HTTPSServer
|
5
|
+
include PuppetSpec::Fixtures
|
6
|
+
|
7
|
+
attr_reader :ca_cert, :ca_crl, :server_cert, :server_key
|
8
|
+
|
9
|
+
def initialize
|
10
|
+
@ca_cert = cert_fixture('ca.pem')
|
11
|
+
@ca_crl = crl_fixture('crl.pem')
|
12
|
+
@server_key = key_fixture('127.0.0.1-key.pem')
|
13
|
+
@server_cert = cert_fixture('127.0.0.1.pem')
|
14
|
+
@config = WEBrick::Config::HTTP.dup
|
15
|
+
end
|
16
|
+
|
17
|
+
def handle_request(ctx, ssl)
|
18
|
+
req = WEBrick::HTTPRequest.new(@config)
|
19
|
+
req.parse(ssl)
|
20
|
+
|
21
|
+
res = WEBrick::HTTPResponse.new(@config)
|
22
|
+
res.status = 200
|
23
|
+
res.body = 'OK'
|
24
|
+
res.send_response(ssl)
|
25
|
+
end
|
26
|
+
|
27
|
+
def start_server(ctx_proc: nil, &block)
|
28
|
+
errors = []
|
29
|
+
|
30
|
+
IO.pipe {|stop_pipe_r, stop_pipe_w|
|
31
|
+
store = OpenSSL::X509::Store.new
|
32
|
+
store.add_cert(@ca_cert)
|
33
|
+
store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
|
34
|
+
ctx = OpenSSL::SSL::SSLContext.new
|
35
|
+
ctx.cert_store = store
|
36
|
+
ctx.cert = @server_cert
|
37
|
+
ctx.key = @server_key
|
38
|
+
ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
|
39
|
+
ctx_proc.call(ctx) if ctx_proc
|
40
|
+
|
41
|
+
Socket.do_not_reverse_lookup = true
|
42
|
+
tcps = TCPServer.new("127.0.0.1", 0)
|
43
|
+
begin
|
44
|
+
port = tcps.connect_address.ip_port
|
45
|
+
begin
|
46
|
+
server_thread = Thread.new do
|
47
|
+
begin
|
48
|
+
ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
|
49
|
+
ssls.start_immediately = true
|
50
|
+
|
51
|
+
loop do
|
52
|
+
readable, = IO.select([ssls, stop_pipe_r])
|
53
|
+
break if readable.include? stop_pipe_r
|
54
|
+
|
55
|
+
ssl = ssls.accept
|
56
|
+
begin
|
57
|
+
handle_request(ctx, ssl)
|
58
|
+
ensure
|
59
|
+
ssl.close
|
60
|
+
end
|
61
|
+
end
|
62
|
+
rescue => e
|
63
|
+
# uncomment this line if something goes wrong
|
64
|
+
# puts "SERVER #{e.message}"
|
65
|
+
errors << e
|
66
|
+
end
|
67
|
+
end
|
68
|
+
|
69
|
+
begin
|
70
|
+
yield port
|
71
|
+
ensure
|
72
|
+
stop_pipe_w.close
|
73
|
+
end
|
74
|
+
ensure
|
75
|
+
server_thread.join
|
76
|
+
end
|
77
|
+
ensure
|
78
|
+
tcps.close
|
79
|
+
end
|
80
|
+
}
|
81
|
+
|
82
|
+
errors
|
83
|
+
end
|
84
|
+
end
|
@@ -24,9 +24,6 @@ describe Puppet::Application::Agent do
|
|
24
24
|
@puppetd.preinit
|
25
25
|
Puppet::Util::Log.stubs(:newdestination)
|
26
26
|
|
27
|
-
@ssl_host = stub_everything 'ssl host'
|
28
|
-
Puppet::SSL::Host.stubs(:new).returns(@ssl_host)
|
29
|
-
|
30
27
|
Puppet::Node.indirection.stubs(:terminus_class=)
|
31
28
|
Puppet::Node.indirection.stubs(:cache_class=)
|
32
29
|
Puppet::Node::Facts.indirection.stubs(:terminus_class=)
|
@@ -129,7 +126,7 @@ describe Puppet::Application::Agent do
|
|
129
126
|
@agent.stubs(:run).returns(2)
|
130
127
|
Puppet[:onetime] = true
|
131
128
|
|
132
|
-
|
129
|
+
Puppet::SSL::StateMachine.expects(:new).with(waitforcert: 0).returns(stub(ensure_client_certificate: nil))
|
133
130
|
|
134
131
|
expect { execute_agent }.to exit_with 0
|
135
132
|
end
|
@@ -139,20 +136,21 @@ describe Puppet::Application::Agent do
|
|
139
136
|
Puppet[:onetime] = true
|
140
137
|
@puppetd.handle_waitforcert(60)
|
141
138
|
|
142
|
-
|
139
|
+
Puppet::SSL::StateMachine.expects(:new).with(waitforcert: 60).returns(stub(ensure_client_certificate: nil))
|
143
140
|
|
144
141
|
expect { execute_agent }.to exit_with 0
|
145
142
|
end
|
146
143
|
|
147
144
|
it "should use a default value for waitforcert when --onetime and --waitforcert are not specified" do
|
148
|
-
|
145
|
+
Puppet::SSL::StateMachine.expects(:new).with(waitforcert: 120).returns(stub(ensure_client_certificate: nil))
|
149
146
|
|
150
147
|
execute_agent
|
151
148
|
end
|
152
149
|
|
153
150
|
it "should use the waitforcert setting when checking for a signed certificate" do
|
154
151
|
Puppet[:waitforcert] = 10
|
155
|
-
|
152
|
+
|
153
|
+
Puppet::SSL::StateMachine.expects(:new).with(waitforcert: 10).returns(stub(ensure_client_certificate: nil))
|
156
154
|
|
157
155
|
execute_agent
|
158
156
|
end
|
@@ -392,6 +390,8 @@ describe Puppet::Application::Agent do
|
|
392
390
|
it "should inform the daemon about our agent if :client is set to 'true'" do
|
393
391
|
@puppetd.options[:client] = true
|
394
392
|
|
393
|
+
Puppet::SSL::StateMachine.stubs(:new).returns(stub(ensure_client_certificate: nil))
|
394
|
+
|
395
395
|
execute_agent
|
396
396
|
|
397
397
|
expect(@daemon.agent).to eq(@agent)
|
@@ -402,6 +402,8 @@ describe Puppet::Application::Agent do
|
|
402
402
|
Puppet[:daemonize] = true
|
403
403
|
Signal.stubs(:trap)
|
404
404
|
|
405
|
+
Puppet::SSL::StateMachine.stubs(:new).returns(stub(ensure_client_certificate: nil))
|
406
|
+
|
405
407
|
@daemon.expects(:daemonize)
|
406
408
|
|
407
409
|
execute_agent
|
@@ -409,7 +411,8 @@ describe Puppet::Application::Agent do
|
|
409
411
|
|
410
412
|
it "should wait for a certificate" do
|
411
413
|
@puppetd.options[:waitforcert] = 123
|
412
|
-
|
414
|
+
|
415
|
+
Puppet::SSL::StateMachine.expects(:new).with(waitforcert: 123).returns(stub(ensure_client_certificate: nil))
|
413
416
|
|
414
417
|
execute_agent
|
415
418
|
end
|
@@ -420,11 +423,11 @@ describe Puppet::Application::Agent do
|
|
420
423
|
@puppetd.options[:digest] = 'MD5'
|
421
424
|
|
422
425
|
certificate = mock 'certificate'
|
423
|
-
certificate.stubs(:
|
424
|
-
|
426
|
+
certificate.stubs(:to_der).returns('ABCDE')
|
427
|
+
ssl_context = mock('ssl_context', client_cert: certificate)
|
428
|
+
Puppet::SSL::StateMachine.stubs(:new).with(onetime: true).returns(stub(ensure_client_certificate: ssl_context))
|
425
429
|
|
426
|
-
@
|
427
|
-
@puppetd.expects(:puts).with('ABCDE')
|
430
|
+
@puppetd.expects(:puts).with('(MD5) 2E:CD:DE:39:59:05:1D:91:3F:61:B1:45:79:EA:13:6D')
|
428
431
|
|
429
432
|
execute_agent
|
430
433
|
end
|
@@ -473,23 +476,25 @@ describe Puppet::Application::Agent do
|
|
473
476
|
it "should dispatch to fingerprint if --fingerprint is used" do
|
474
477
|
@puppetd.options[:fingerprint] = true
|
475
478
|
|
476
|
-
@puppetd.
|
479
|
+
@puppetd.expects(:fingerprint)
|
477
480
|
|
478
481
|
execute_agent
|
479
482
|
end
|
480
483
|
|
481
484
|
it "should dispatch to onetime if --onetime is used" do
|
482
|
-
|
485
|
+
Puppet[:onetime] = true
|
486
|
+
Puppet::SSL::StateMachine.stubs(:new).returns(stub(ensure_client_certificate: nil))
|
483
487
|
|
484
|
-
@puppetd.
|
488
|
+
@puppetd.expects(:onetime)
|
485
489
|
|
486
490
|
execute_agent
|
487
491
|
end
|
488
492
|
|
489
493
|
it "should dispatch to main if --onetime and --fingerprint are not used" do
|
490
|
-
|
494
|
+
Puppet[:onetime] = false
|
495
|
+
Puppet::SSL::StateMachine.stubs(:new).returns(stub(ensure_client_certificate: nil))
|
491
496
|
|
492
|
-
@puppetd.
|
497
|
+
@puppetd.expects(:main)
|
493
498
|
|
494
499
|
execute_agent
|
495
500
|
end
|
@@ -501,6 +506,8 @@ describe Puppet::Application::Agent do
|
|
501
506
|
Puppet[:onetime] = true
|
502
507
|
@puppetd.options[:client] = :client
|
503
508
|
@puppetd.options[:detailed_exitcodes] = false
|
509
|
+
|
510
|
+
Puppet::SSL::StateMachine.stubs(:new).returns(stub(ensure_client_certificate: nil))
|
504
511
|
end
|
505
512
|
|
506
513
|
it "should setup traps" do
|
@@ -557,20 +564,11 @@ describe Puppet::Application::Agent do
|
|
557
564
|
end
|
558
565
|
|
559
566
|
it "should fingerprint the certificate if it exists" do
|
560
|
-
@
|
561
|
-
|
562
|
-
|
563
|
-
@puppetd.expects(:puts).with "fingerprint"
|
564
|
-
|
565
|
-
@puppetd.fingerprint
|
566
|
-
end
|
567
|
-
|
568
|
-
it "should fingerprint the certificate request if no certificate have been signed" do
|
569
|
-
@ssl_host.stubs(:certificate).returns(nil)
|
570
|
-
@ssl_host.stubs(:certificate_request).returns(@cert)
|
571
|
-
@cert.stubs(:digest).with('MD5').returns "fingerprint"
|
567
|
+
@cert.stubs(:to_der).returns('ABCDE')
|
568
|
+
ssl_context = mock('ssl_context', client_cert: @cert)
|
569
|
+
Puppet::SSL::StateMachine.stubs(:new).with(onetime: true).returns(stub(ensure_client_certificate: ssl_context))
|
572
570
|
|
573
|
-
@puppetd.expects(:puts).with
|
571
|
+
@puppetd.expects(:puts).with('(MD5) 2E:CD:DE:39:59:05:1D:91:3F:61:B1:45:79:EA:13:6D')
|
574
572
|
|
575
573
|
@puppetd.fingerprint
|
576
574
|
end
|
@@ -579,6 +577,7 @@ describe Puppet::Application::Agent do
|
|
579
577
|
describe "without --onetime and --fingerprint" do
|
580
578
|
before :each do
|
581
579
|
Puppet.stubs(:notice)
|
580
|
+
Puppet::SSL::StateMachine.stubs(:new).returns(stub(ensure_client_certificate: nil))
|
582
581
|
end
|
583
582
|
|
584
583
|
it "should start our daemon" do
|