puppet 7.13.1-universal-darwin → 7.16.0-universal-darwin
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CODEOWNERS +1 -1
- data/Gemfile +1 -1
- data/Gemfile.lock +30 -30
- data/lib/puppet/application/lookup.rb +25 -23
- data/lib/puppet/configurer.rb +8 -14
- data/lib/puppet/defaults.rb +11 -1
- data/lib/puppet/face/generate.rb +2 -0
- data/lib/puppet/functions/next.rb +18 -1
- data/lib/puppet/functions/tree_each.rb +0 -1
- data/lib/puppet/generate/type.rb +9 -0
- data/lib/puppet/http/client.rb +1 -1
- data/lib/puppet/node.rb +1 -1
- data/lib/puppet/resource/type_collection.rb +21 -17
- data/lib/puppet/ssl/ssl_provider.rb +10 -7
- data/lib/puppet/type/exec.rb +1 -1
- data/lib/puppet/type/user.rb +1 -1
- data/lib/puppet/util/monkey_patches.rb +0 -2
- data/lib/puppet/util/yaml.rb +5 -1
- data/lib/puppet/util.rb +1 -0
- data/lib/puppet/version.rb +1 -1
- data/locales/puppet.pot +5 -9763
- data/man/man5/puppet.conf.5 +13 -2
- data/man/man8/puppet-agent.8 +1 -1
- data/man/man8/puppet-apply.8 +1 -1
- data/man/man8/puppet-catalog.8 +1 -1
- data/man/man8/puppet-config.8 +1 -1
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +1 -1
- data/man/man8/puppet-filebucket.8 +1 -1
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +1 -1
- data/man/man8/puppet-lookup.8 +1 -1
- data/man/man8/puppet-module.8 +1 -1
- data/man/man8/puppet-node.8 +1 -1
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +1 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +1 -1
- data/man/man8/puppet.8 +2 -2
- data/spec/integration/application/lookup_spec.rb +65 -57
- data/spec/integration/application/resource_spec.rb +6 -2
- data/spec/integration/http/client_spec.rb +30 -0
- data/spec/unit/configurer_spec.rb +124 -61
- data/spec/unit/confiner_spec.rb +6 -6
- data/spec/unit/face/generate_spec.rb +64 -0
- data/spec/unit/node_spec.rb +6 -0
- data/spec/unit/type/user_spec.rb +67 -0
- data/spec/unit/util/windows_spec.rb +23 -0
- metadata +5 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: cd799c6f43bc760ac90b228ebad0819067875e24ca9a734dcd29b722d9c5af85
|
4
|
+
data.tar.gz: 25dd46d4c27898d532d918d058d744a992959cda11d79ae5a12d902f26c4360f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 0de6ad89ce2240c8f2013c0fe29d3ab9a215727a205e032a3af0f3b76ad0993e4c9580e4644740be599a701c5e64bd7f2f3c2b10ac4744e663ad03bae7452c42
|
7
|
+
data.tar.gz: 0e5329faafcac9f60da50eb37f6a3cf6b3637bb09adb8f48d6a190a20ecec1f3047102dfb780124a27ee1906f5e9ce84c5aa49458109cba017808974b131c5b8
|
data/CODEOWNERS
CHANGED
data/Gemfile
CHANGED
@@ -26,7 +26,7 @@ group(:features) do
|
|
26
26
|
#gem 'ruby-shadow', '~> 2.5', require: false, platforms: [:ruby]
|
27
27
|
gem 'minitar', '~> 0.9', require: false
|
28
28
|
gem 'msgpack', '~> 1.2', require: false
|
29
|
-
gem 'rdoc', '~> 6.0', require: false, platforms: [:ruby]
|
29
|
+
gem 'rdoc', ['~> 6.0', '< 6.4.0'], require: false, platforms: [:ruby]
|
30
30
|
# requires native augeas headers/libs
|
31
31
|
# gem 'ruby-augeas', require: false, platforms: [:ruby]
|
32
32
|
# requires native ldap headers/libs
|
data/Gemfile.lock
CHANGED
@@ -1,11 +1,11 @@
|
|
1
1
|
GIT
|
2
2
|
remote: https://github.com/puppetlabs/packaging
|
3
|
-
revision:
|
3
|
+
revision: 0b07772b72c5e4076e145bab3d56d42331ec342b
|
4
4
|
branch: 1.0.x
|
5
5
|
specs:
|
6
|
-
packaging (0.
|
6
|
+
packaging (0.106.1)
|
7
7
|
apt_stage_artifacts
|
8
|
-
artifactory (~>
|
8
|
+
artifactory (~> 3)
|
9
9
|
csv (= 3.1.5)
|
10
10
|
rake (>= 12.3)
|
11
11
|
release-metrics
|
@@ -13,7 +13,7 @@ GIT
|
|
13
13
|
PATH
|
14
14
|
remote: .
|
15
15
|
specs:
|
16
|
-
puppet (7.
|
16
|
+
puppet (7.16.0)
|
17
17
|
CFPropertyList (~> 2.2)
|
18
18
|
concurrent-ruby (~> 1.0)
|
19
19
|
deep_merge (~> 1.0)
|
@@ -33,21 +33,21 @@ GEM
|
|
33
33
|
public_suffix (>= 2.0.2, < 5.0)
|
34
34
|
apt_stage_artifacts (0.10.1)
|
35
35
|
docopt
|
36
|
-
artifactory (
|
36
|
+
artifactory (3.0.15)
|
37
37
|
ast (2.4.2)
|
38
38
|
coderay (1.1.3)
|
39
|
-
concurrent-ruby (1.1.
|
39
|
+
concurrent-ruby (1.1.10)
|
40
40
|
crack (0.4.5)
|
41
41
|
rexml
|
42
42
|
csv (3.1.5)
|
43
|
-
deep_merge (1.2.
|
44
|
-
diff-lcs (1.
|
43
|
+
deep_merge (1.2.2)
|
44
|
+
diff-lcs (1.5.0)
|
45
45
|
docopt (0.6.1)
|
46
|
-
facter (4.2.
|
46
|
+
facter (4.2.9)
|
47
47
|
hocon (~> 1.3)
|
48
48
|
thor (>= 1.0.1, < 2.0)
|
49
49
|
fast_gettext (1.1.2)
|
50
|
-
ffi (1.15.
|
50
|
+
ffi (1.15.5)
|
51
51
|
gettext (3.2.9)
|
52
52
|
locale (>= 2.0.5)
|
53
53
|
text (>= 1.3.0)
|
@@ -56,7 +56,7 @@ GEM
|
|
56
56
|
gettext (>= 3.0.2, < 3.3.0)
|
57
57
|
locale
|
58
58
|
hashdiff (1.0.1)
|
59
|
-
hiera (3.
|
59
|
+
hiera (3.8.0)
|
60
60
|
hiera-eyaml (3.2.2)
|
61
61
|
highline
|
62
62
|
optimist
|
@@ -69,21 +69,21 @@ GEM
|
|
69
69
|
memory_profiler (1.0.0)
|
70
70
|
method_source (1.0.0)
|
71
71
|
minitar (0.9)
|
72
|
-
msgpack (1.
|
72
|
+
msgpack (1.5.1)
|
73
73
|
multi_json (1.15.0)
|
74
74
|
mustache (1.1.1)
|
75
75
|
optimist (3.0.1)
|
76
|
-
parallel (1.
|
76
|
+
parallel (1.22.1)
|
77
77
|
parser (2.7.2.0)
|
78
78
|
ast (~> 2.4.1)
|
79
79
|
powerpack (0.1.3)
|
80
80
|
pry (0.14.1)
|
81
81
|
coderay (~> 1.1)
|
82
82
|
method_source (~> 1.0)
|
83
|
-
public_suffix (4.0.
|
83
|
+
public_suffix (4.0.7)
|
84
84
|
puppet-resource_api (1.8.14)
|
85
85
|
hocon (>= 1.0)
|
86
|
-
puppetserver-ca (2.3.
|
86
|
+
puppetserver-ca (2.3.6)
|
87
87
|
facter (>= 2.0.1, < 5)
|
88
88
|
racc (1.5.2)
|
89
89
|
rainbow (2.2.2)
|
@@ -99,22 +99,22 @@ GEM
|
|
99
99
|
hpricot (>= 0.8.2)
|
100
100
|
mustache (>= 0.7.0)
|
101
101
|
rdiscount (>= 1.5.8)
|
102
|
-
rspec (3.
|
103
|
-
rspec-core (~> 3.
|
104
|
-
rspec-expectations (~> 3.
|
105
|
-
rspec-mocks (~> 3.
|
106
|
-
rspec-core (3.
|
107
|
-
rspec-support (~> 3.
|
108
|
-
rspec-expectations (3.
|
102
|
+
rspec (3.11.0)
|
103
|
+
rspec-core (~> 3.11.0)
|
104
|
+
rspec-expectations (~> 3.11.0)
|
105
|
+
rspec-mocks (~> 3.11.0)
|
106
|
+
rspec-core (3.11.0)
|
107
|
+
rspec-support (~> 3.11.0)
|
108
|
+
rspec-expectations (3.11.0)
|
109
109
|
diff-lcs (>= 1.2.0, < 2.0)
|
110
|
-
rspec-support (~> 3.
|
110
|
+
rspec-support (~> 3.11.0)
|
111
111
|
rspec-its (1.3.0)
|
112
112
|
rspec-core (>= 3.0.0)
|
113
113
|
rspec-expectations (>= 3.0.0)
|
114
|
-
rspec-mocks (3.
|
114
|
+
rspec-mocks (3.11.1)
|
115
115
|
diff-lcs (>= 1.2.0, < 2.0)
|
116
|
-
rspec-support (~> 3.
|
117
|
-
rspec-support (3.
|
116
|
+
rspec-support (~> 3.11.0)
|
117
|
+
rspec-support (3.11.0)
|
118
118
|
rubocop (0.49.1)
|
119
119
|
parallel (~> 1.10)
|
120
120
|
parser (>= 2.3.3.1, < 3.0)
|
@@ -129,7 +129,7 @@ GEM
|
|
129
129
|
scanf (1.0.0)
|
130
130
|
semantic_puppet (1.0.4)
|
131
131
|
text (1.3.1)
|
132
|
-
thor (1.1
|
132
|
+
thor (1.2.1)
|
133
133
|
unicode-display_width (1.8.0)
|
134
134
|
vcr (5.1.0)
|
135
135
|
webmock (3.14.0)
|
@@ -141,7 +141,7 @@ GEM
|
|
141
141
|
webrick (~> 1.7.0)
|
142
142
|
|
143
143
|
PLATFORMS
|
144
|
-
|
144
|
+
x86_64-linux
|
145
145
|
|
146
146
|
DEPENDENCIES
|
147
147
|
diff-lcs (~> 1.3)
|
@@ -160,7 +160,7 @@ DEPENDENCIES
|
|
160
160
|
puppetserver-ca (~> 2.0)
|
161
161
|
racc (= 1.5.2)
|
162
162
|
rake (~> 13.0)
|
163
|
-
rdoc (~> 6.0)
|
163
|
+
rdoc (~> 6.0, < 6.4.0)
|
164
164
|
ronn (~> 0.7.3)
|
165
165
|
rspec (~> 3.1)
|
166
166
|
rspec-expectations (~> 3.9, != 3.9.3)
|
@@ -174,4 +174,4 @@ DEPENDENCIES
|
|
174
174
|
yard
|
175
175
|
|
176
176
|
BUNDLED WITH
|
177
|
-
|
177
|
+
2.3.10
|
@@ -373,32 +373,34 @@ Copyright (c) 2015 Puppet Inc., LLC Licensed under the Apache 2.0 License
|
|
373
373
|
end
|
374
374
|
|
375
375
|
unless node.is_a?(Puppet::Node) # to allow unit tests to pass a node instance
|
376
|
-
facts = retrieve_node_facts(node, given_facts)
|
377
|
-
|
378
|
-
|
379
|
-
|
380
|
-
|
381
|
-
|
382
|
-
|
383
|
-
|
384
|
-
|
385
|
-
|
386
|
-
|
387
|
-
|
388
|
-
|
389
|
-
|
390
|
-
|
391
|
-
|
392
|
-
|
393
|
-
|
394
|
-
|
395
|
-
|
396
|
-
|
397
|
-
ni.terminus_class = :plain
|
376
|
+
facts = retrieve_node_facts(node, given_facts)
|
377
|
+
ni = Puppet::Node.indirection
|
378
|
+
tc = ni.terminus_class
|
379
|
+
if options[:compile] && !Puppet.settings.set_by_cli?('environment')
|
380
|
+
if tc == :plain
|
381
|
+
node = ni.find(node, facts: facts)
|
382
|
+
else
|
383
|
+
begin
|
384
|
+
service = Puppet.runtime[:http]
|
385
|
+
session = service.create_session
|
386
|
+
cert = session.route_to(:ca)
|
387
|
+
|
388
|
+
_, x509 = cert.get_certificate(node)
|
389
|
+
cert = OpenSSL::X509::Certificate.new(x509)
|
390
|
+
Puppet::SSL::Oids.register_puppet_oids
|
391
|
+
trusted = Puppet::Context::TrustedInformation.remote(true, facts.values['certname'] || node, Puppet::SSL::Certificate.from_instance(cert))
|
392
|
+
Puppet.override(trusted_information: trusted) do
|
393
|
+
node = ni.find(node, facts: facts)
|
394
|
+
end
|
395
|
+
rescue
|
396
|
+
Puppet.warning _("CA is not available, the operation will continue without using trusted facts.")
|
398
397
|
node = ni.find(node, facts: facts)
|
399
|
-
ni.terminus_class = tc
|
400
398
|
end
|
401
399
|
end
|
400
|
+
else
|
401
|
+
ni.terminus_class = :plain
|
402
|
+
node = ni.find(node, facts: facts, environment: Puppet[:environment])
|
403
|
+
ni.terminus_class = tc
|
402
404
|
end
|
403
405
|
else
|
404
406
|
node.add_extra_facts(given_facts) if given_facts
|
data/lib/puppet/configurer.rb
CHANGED
@@ -392,7 +392,7 @@ class Puppet::Configurer
|
|
392
392
|
Puppet.debug(_("Environment not passed via CLI and no catalog was given, attempting to find out the last server-specified environment"))
|
393
393
|
initial_environment, loaded_last_environment = last_server_specified_environment
|
394
394
|
|
395
|
-
unless loaded_last_environment
|
395
|
+
unless Puppet[:use_last_environment] && loaded_last_environment
|
396
396
|
Puppet.debug(_("Requesting environment from the server"))
|
397
397
|
initial_environment = current_server_specified_environment(@environment, configured_environment, options)
|
398
398
|
end
|
@@ -418,7 +418,7 @@ class Puppet::Configurer
|
|
418
418
|
temp_value = options[:pluginsync]
|
419
419
|
|
420
420
|
# only validate server environment if pluginsync is requested
|
421
|
-
options[:pluginsync] = valid_server_environment? if options[:pluginsync]
|
421
|
+
options[:pluginsync] = valid_server_environment? if options[:pluginsync]
|
422
422
|
|
423
423
|
query_options, facts = get_facts(options) unless query_options
|
424
424
|
options[:pluginsync] = temp_value
|
@@ -531,7 +531,11 @@ class Puppet::Configurer
|
|
531
531
|
true
|
532
532
|
rescue Puppet::HTTP::ResponseError => detail
|
533
533
|
if detail.response.code == 404
|
534
|
-
Puppet
|
534
|
+
if Puppet[:strict_environment_mode]
|
535
|
+
raise Puppet::Error.new(_("Environment '%{environment}' not found on server, aborting run.") % { environment: @environment })
|
536
|
+
else
|
537
|
+
Puppet.notice(_("Environment '%{environment}' not found on server, skipping initial pluginsync.") % { environment: @environment })
|
538
|
+
end
|
535
539
|
else
|
536
540
|
Puppet.log_exception(detail, detail.message)
|
537
541
|
end
|
@@ -601,17 +605,7 @@ class Puppet::Configurer
|
|
601
605
|
:transaction_uuid => @transaction_uuid,
|
602
606
|
:fail_on_404 => true)
|
603
607
|
|
604
|
-
|
605
|
-
# environment instance. Attempting to get the environment instance will load
|
606
|
-
# it from disk, which will likely fail. So create a remote environment.
|
607
|
-
#
|
608
|
-
# The :plain node terminus returns a node with an environment, but not an
|
609
|
-
# environment_name.
|
610
|
-
if !node.has_environment_instance? && node.environment_name
|
611
|
-
node.environment = Puppet::Node::Environment.remote(node.environment_name)
|
612
|
-
end
|
613
|
-
|
614
|
-
@server_specified_environment = node.environment.to_s
|
608
|
+
@server_specified_environment = node.environment_name.to_s
|
615
609
|
|
616
610
|
if @server_specified_environment != @environment
|
617
611
|
Puppet.notice _("Local environment: '%{local_env}' doesn't match server specified node environment '%{node_env}', switching agent to '%{node_env}'.") % { local_env: @environment, node_env: @server_specified_environment }
|
data/lib/puppet/defaults.rb
CHANGED
@@ -421,6 +421,17 @@ module Puppet
|
|
421
421
|
<https://puppet.com/docs/puppet/latest/environments_about.html>",
|
422
422
|
:type => :path,
|
423
423
|
},
|
424
|
+
:use_last_environment => {
|
425
|
+
:type => :boolean,
|
426
|
+
:default => true,
|
427
|
+
:desc => <<-'EOT'
|
428
|
+
Puppet saves both the initial and converged environment in the last_run_summary file.
|
429
|
+
If they differ, and this setting is set to true, we will use the last converged
|
430
|
+
environment and skip the node request.
|
431
|
+
|
432
|
+
When set to false, we will do the node request and ignore the environment data from the last_run_summary file.
|
433
|
+
EOT
|
434
|
+
},
|
424
435
|
:always_retry_plugins => {
|
425
436
|
:type => :boolean,
|
426
437
|
:default => true,
|
@@ -1984,7 +1995,6 @@ EOT
|
|
1984
1995
|
:hook => proc do |value|
|
1985
1996
|
paths = value.split(File::PATH_SEPARATOR)
|
1986
1997
|
facter = Puppet.runtime[:facter]
|
1987
|
-
facter.reset
|
1988
1998
|
facter.search(*paths)
|
1989
1999
|
end
|
1990
2000
|
}
|
data/lib/puppet/face/generate.rb
CHANGED
@@ -1,8 +1,25 @@
|
|
1
1
|
# Makes iteration continue with the next value, optionally with a given value for this iteration.
|
2
2
|
# If a value is not given it defaults to `undef`
|
3
|
+
#
|
4
|
+
# @example Using the `next()` function
|
3
5
|
#
|
4
|
-
#
|
6
|
+
# ```puppet
|
7
|
+
# $data = ['a','b','c']
|
8
|
+
# $data.each |Integer $index, String $value| {
|
9
|
+
# if $index == 1 {
|
10
|
+
# next()
|
11
|
+
# }
|
12
|
+
# notice ("${index} = ${value}")
|
13
|
+
# }
|
14
|
+
# ```
|
15
|
+
#
|
16
|
+
# Would notice:
|
17
|
+
# ```
|
18
|
+
# Notice: Scope(Class[main]): 0 = a
|
19
|
+
# Notice: Scope(Class[main]): 2 = c
|
20
|
+
# ```
|
5
21
|
#
|
22
|
+
# @since 4.7.0
|
6
23
|
Puppet::Functions.create_function(:next) do
|
7
24
|
dispatch :next_impl do
|
8
25
|
optional_param 'Any', :value
|
@@ -112,7 +112,6 @@
|
|
112
112
|
# * `reverse_each` - get "leaves before root"
|
113
113
|
# * `filter` - prune the tree
|
114
114
|
# * `map` - transform each element
|
115
|
-
# * `reduce` - produce something else
|
116
115
|
#
|
117
116
|
# Note than when chaining, the value passed on is a `Tuple` with `[path, value]`.
|
118
117
|
#
|
data/lib/puppet/generate/type.rb
CHANGED
@@ -134,6 +134,9 @@ module Puppet
|
|
134
134
|
inputs.sort_by! { |input| input.path }
|
135
135
|
end
|
136
136
|
|
137
|
+
def self.bad_input?
|
138
|
+
@bad_input
|
139
|
+
end
|
137
140
|
# Generates files for the given inputs.
|
138
141
|
# If a file is up to date (newer than input) it is kept.
|
139
142
|
# If a file is out of date it is regenerated.
|
@@ -170,6 +173,8 @@ module Puppet
|
|
170
173
|
}
|
171
174
|
|
172
175
|
up_to_date = true
|
176
|
+
@bad_input = false
|
177
|
+
|
173
178
|
Puppet.notice _('Generating Puppet resource types.')
|
174
179
|
inputs.each do |input|
|
175
180
|
if !force && input.up_to_date?(outputdir)
|
@@ -187,6 +192,7 @@ module Puppet
|
|
187
192
|
raise
|
188
193
|
rescue Exception => e
|
189
194
|
# Log the exception and move on to the next input
|
195
|
+
@bad_input = true
|
190
196
|
Puppet.log_exception(e, _("Failed to load custom type '%{type_name}' from '%{input}': %{message}") % { type_name: type_name, input: input, message: e.message })
|
191
197
|
next
|
192
198
|
end
|
@@ -205,6 +211,7 @@ module Puppet
|
|
205
211
|
begin
|
206
212
|
model = Models::Type::Type.new(type)
|
207
213
|
rescue Exception => e
|
214
|
+
@bad_input = true
|
208
215
|
# Move on to the next input
|
209
216
|
Puppet.log_exception(e, "#{input}: #{e.message}")
|
210
217
|
next
|
@@ -214,6 +221,7 @@ module Puppet
|
|
214
221
|
begin
|
215
222
|
result = model.render(templates[input.template_path])
|
216
223
|
rescue Exception => e
|
224
|
+
@bad_input = true
|
217
225
|
Puppet.log_exception(e)
|
218
226
|
raise
|
219
227
|
end
|
@@ -227,6 +235,7 @@ module Puppet
|
|
227
235
|
file.write(result)
|
228
236
|
end
|
229
237
|
rescue Exception => e
|
238
|
+
@bad_input = true
|
230
239
|
Puppet.log_exception(e, _("Failed to generate '%{effective_output_path}': %{message}") % { effective_output_path: effective_output_path, message: e.message })
|
231
240
|
# Move on to the next input
|
232
241
|
next
|
data/lib/puppet/http/client.rb
CHANGED
@@ -19,7 +19,7 @@
|
|
19
19
|
# response = client.get(URI("http://www.example.com"))
|
20
20
|
#
|
21
21
|
# @example To make an HTTPS GET request, trusting the puppet CA and certs in Puppet's CA bundle:
|
22
|
-
# response = client.get(URI("https://www.example.com"), include_system_store: true)
|
22
|
+
# response = client.get(URI("https://www.example.com"), options: { include_system_store: true })
|
23
23
|
#
|
24
24
|
# @example To use a URL containing special characters, such as spaces:
|
25
25
|
# response = client.get(URI(Puppet::Util.uri_encode("https://www.example.com/path to file")))
|
data/lib/puppet/node.rb
CHANGED
@@ -89,7 +89,7 @@ class Puppet::Node
|
|
89
89
|
unless @environment.nil?
|
90
90
|
# always set the environment parameter. It becomes top scope $environment for a manifest during catalog compilation.
|
91
91
|
@parameters[ENVIRONMENT] = @environment.name.to_s
|
92
|
-
self.environment_name = @environment.name
|
92
|
+
self.environment_name = @environment.name
|
93
93
|
end
|
94
94
|
@environment
|
95
95
|
end
|
@@ -24,6 +24,7 @@ class Puppet::Resource::TypeCollection
|
|
24
24
|
@definitions = {}
|
25
25
|
@nodes = {}
|
26
26
|
@notfound = {}
|
27
|
+
# always lock the environment before acquiring this lock
|
27
28
|
@lock = Puppet::Concurrent::Lock.new
|
28
29
|
|
29
30
|
# So we can keep a list and match the first-defined regex
|
@@ -185,26 +186,29 @@ class Puppet::Resource::TypeCollection
|
|
185
186
|
# Resolve namespaces and find the given object. Autoload it if
|
186
187
|
# necessary.
|
187
188
|
def find_or_load(name, type)
|
188
|
-
|
189
|
-
|
190
|
-
|
191
|
-
|
192
|
-
|
193
|
-
|
194
|
-
|
195
|
-
|
196
|
-
|
197
|
-
|
198
|
-
|
199
|
-
|
189
|
+
# always lock the environment before locking the type collection
|
190
|
+
@environment.lock.synchronize do
|
191
|
+
@lock.synchronize do
|
192
|
+
# Name is always absolute, but may start with :: which must be removed
|
193
|
+
fqname = (name[0,2] == COLON_COLON ? name[2..-1] : name)
|
194
|
+
|
195
|
+
result = send(type, fqname)
|
196
|
+
unless result
|
197
|
+
if @notfound[ fqname ] && Puppet[ :ignoremissingtypes ]
|
198
|
+
# do not try to autoload if we already tried and it wasn't conclusive
|
199
|
+
# as this is a time consuming operation. Warn the user.
|
200
|
+
# Check first if debugging is on since the call to debug_once is expensive
|
201
|
+
if Puppet[:debug]
|
202
|
+
debug_once _("Not attempting to load %{type} %{fqname} as this object was missing during a prior compilation") % { type: type, fqname: fqname }
|
203
|
+
end
|
204
|
+
else
|
205
|
+
fqname = munge_name(fqname)
|
206
|
+
result = loader.try_load_fqname(type, fqname)
|
207
|
+
@notfound[ fqname ] = result.nil?
|
200
208
|
end
|
201
|
-
else
|
202
|
-
fqname = munge_name(fqname)
|
203
|
-
result = loader.try_load_fqname(type, fqname)
|
204
|
-
@notfound[ fqname ] = result.nil?
|
205
209
|
end
|
210
|
+
result
|
206
211
|
end
|
207
|
-
result
|
208
212
|
end
|
209
213
|
end
|
210
214
|
|
@@ -68,8 +68,7 @@ class Puppet::SSL::SSLProvider
|
|
68
68
|
# @raise (see #create_context)
|
69
69
|
# @api private
|
70
70
|
def create_system_context(cacerts:, path: Puppet[:ssl_trust_store])
|
71
|
-
store = create_x509_store(cacerts, [], false)
|
72
|
-
store.set_default_paths
|
71
|
+
store = create_x509_store(cacerts, [], false, include_system_store: true)
|
73
72
|
|
74
73
|
if path
|
75
74
|
stat = Puppet::FileSystem.stat(path)
|
@@ -111,19 +110,20 @@ class Puppet::SSL::SSLProvider
|
|
111
110
|
# @param client_cert [OpenSSL::X509::Certificate] client's cert whose public
|
112
111
|
# key matches the `private_key`
|
113
112
|
# @param revocation [:chain, :leaf, false] revocation mode
|
113
|
+
# @param include_system_store [true, false] Also trust system CA
|
114
114
|
# @return [Puppet::SSL::SSLContext] A context to use to create connections
|
115
115
|
# @raise [Puppet::SSL::CertVerifyError] There was an issue with
|
116
116
|
# one of the certs or CRLs.
|
117
117
|
# @raise [Puppet::SSL::SSLError] There was an issue with the
|
118
118
|
# `private_key`.
|
119
119
|
# @api private
|
120
|
-
def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation])
|
120
|
+
def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation], include_system_store: false)
|
121
121
|
raise ArgumentError, _("CA certs are missing") unless cacerts
|
122
122
|
raise ArgumentError, _("CRLs are missing") unless crls
|
123
123
|
raise ArgumentError, _("Private key is missing") unless private_key
|
124
124
|
raise ArgumentError, _("Client cert is missing") unless client_cert
|
125
125
|
|
126
|
-
store = create_x509_store(cacerts, crls, revocation)
|
126
|
+
store = create_x509_store(cacerts, crls, revocation, include_system_store: include_system_store)
|
127
127
|
client_chain = verify_cert_with_store(store, client_cert)
|
128
128
|
|
129
129
|
if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
|
@@ -151,12 +151,13 @@ class Puppet::SSL::SSLProvider
|
|
151
151
|
# @param password [String, nil] If the private key is encrypted, decrypt
|
152
152
|
# it using the password. If the key is encrypted, but a password is
|
153
153
|
# not specified, then the key cannot be loaded.
|
154
|
+
# @param include_system_store [true, false] Also trust system CA
|
154
155
|
# @return [Puppet::SSL::SSLContext] A context to use to create connections
|
155
156
|
# @raise [Puppet::SSL::CertVerifyError] There was an issue with
|
156
157
|
# one of the certs or CRLs.
|
157
158
|
# @raise [Puppet::Error] There was an issue with one of the required components.
|
158
159
|
# @api private
|
159
|
-
def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil)
|
160
|
+
def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation], password: nil, include_system_store: false)
|
160
161
|
cert = Puppet::X509::CertProvider.new
|
161
162
|
cacerts = cert.load_cacerts(required: true)
|
162
163
|
crls = case revocation
|
@@ -168,7 +169,7 @@ class Puppet::SSL::SSLProvider
|
|
168
169
|
private_key = cert.load_private_key(certname, required: true, password: password)
|
169
170
|
client_cert = cert.load_client_cert(certname, required: true)
|
170
171
|
|
171
|
-
create_context(cacerts: cacerts, crls: crls, private_key: private_key, client_cert: client_cert, revocation: revocation)
|
172
|
+
create_context(cacerts: cacerts, crls: crls, private_key: private_key, client_cert: client_cert, revocation: revocation, include_system_store: include_system_store)
|
172
173
|
rescue OpenSSL::PKey::PKeyError => e
|
173
174
|
raise Puppet::SSL::SSLError.new(_("Failed to load private key for host '%{name}': %{message}") % { name: certname, message: e.message }, e)
|
174
175
|
end
|
@@ -203,7 +204,7 @@ class Puppet::SSL::SSLProvider
|
|
203
204
|
end
|
204
205
|
end
|
205
206
|
|
206
|
-
def create_x509_store(roots, crls, revocation)
|
207
|
+
def create_x509_store(roots, crls, revocation, include_system_store: false)
|
207
208
|
store = OpenSSL::X509::Store.new
|
208
209
|
store.purpose = OpenSSL::X509::PURPOSE_ANY
|
209
210
|
store.flags = default_flags | revocation_mode(revocation)
|
@@ -211,6 +212,8 @@ class Puppet::SSL::SSLProvider
|
|
211
212
|
roots.each { |cert| store.add_cert(cert) }
|
212
213
|
crls.each { |crl| store.add_crl(crl) }
|
213
214
|
|
215
|
+
store.set_default_paths if include_system_store
|
216
|
+
|
214
217
|
store
|
215
218
|
end
|
216
219
|
|
data/lib/puppet/type/exec.rb
CHANGED
@@ -457,7 +457,7 @@ module Puppet
|
|
457
457
|
|
458
458
|
exec { '/bin/echo root >> /usr/lib/cron/cron.allow':
|
459
459
|
path => '/usr/bin:/usr/sbin:/bin',
|
460
|
-
unless => 'grep root /usr/lib/cron/cron.allow 2>/dev/null',
|
460
|
+
unless => 'grep ^root$ /usr/lib/cron/cron.allow 2>/dev/null',
|
461
461
|
}
|
462
462
|
|
463
463
|
This would add `root` to the cron.allow file (on Solaris) unless
|
data/lib/puppet/type/user.rb
CHANGED
@@ -693,7 +693,7 @@ module Puppet
|
|
693
693
|
end
|
694
694
|
|
695
695
|
def generate
|
696
|
-
if !self[:purge_ssh_keys].empty?
|
696
|
+
if !self[:purge_ssh_keys].empty?
|
697
697
|
if Puppet::Type.type(:ssh_authorized_key).nil?
|
698
698
|
warning _("Ssh_authorized_key type is not available. Cannot purge SSH keys.")
|
699
699
|
else
|
data/lib/puppet/util/yaml.rb
CHANGED
@@ -24,7 +24,11 @@ module Puppet::Util::Yaml
|
|
24
24
|
# @raise [YamlLoadException] If deserialization fails.
|
25
25
|
# @return The parsed YAML, which can be Hash, Array or scalar types.
|
26
26
|
def self.safe_load(yaml, allowed_classes = [], filename = nil)
|
27
|
-
|
27
|
+
if Gem::Version.new(Psych::VERSION) >= Gem::Version.new('3.1.0')
|
28
|
+
data = YAML.safe_load(yaml, permitted_classes: allowed_classes, aliases: true, filename: filename)
|
29
|
+
else
|
30
|
+
data = YAML.safe_load(yaml, allowed_classes, [], true, filename)
|
31
|
+
end
|
28
32
|
data = false if data.nil?
|
29
33
|
data
|
30
34
|
rescue ::Psych::DisallowedClass => detail
|
data/lib/puppet/util.rb
CHANGED
data/lib/puppet/version.rb
CHANGED