puppet 7.25.0-universal-darwin → 7.27.0-universal-darwin
- checksums.yaml +4 -4
- data/Gemfile +1 -1
- data/Gemfile.lock +28 -28
- data/ext/project_data.yaml +2 -2
- data/lib/puppet/application/ssl.rb +42 -7
- data/lib/puppet/application.rb +5 -1
- data/lib/puppet/defaults.rb +1 -5
- data/lib/puppet/functions/split.rb +28 -1
- data/lib/puppet/http/client.rb +12 -5
- data/lib/puppet/node/environment.rb +6 -4
- data/lib/puppet/pops/evaluator/deferred_resolver.rb +20 -3
- data/lib/puppet/pops/time/timespan.rb +1 -1
- data/lib/puppet/provider/package/apt.rb +1 -1
- data/lib/puppet/provider/package/dnf.rb +1 -1
- data/lib/puppet/provider/package/yum.rb +1 -1
- data/lib/puppet/ssl/oids.rb +1 -0
- data/lib/puppet/util/execution.rb +7 -2
- data/lib/puppet/util/windows/adsi.rb +7 -0
- data/lib/puppet/util/windows/sid.rb +4 -2
- data/lib/puppet/version.rb +1 -1
- data/lib/puppet/x509/cert_provider.rb +6 -2
- data/man/man5/puppet.conf.5 +2 -2
- data/man/man8/puppet-agent.8 +1 -1
- data/man/man8/puppet-apply.8 +1 -1
- data/man/man8/puppet-catalog.8 +1 -1
- data/man/man8/puppet-config.8 +1 -1
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +1 -1
- data/man/man8/puppet-filebucket.8 +1 -1
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +1 -1
- data/man/man8/puppet-lookup.8 +1 -1
- data/man/man8/puppet-module.8 +1 -1
- data/man/man8/puppet-node.8 +1 -1
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +1 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +5 -1
- data/man/man8/puppet.8 +2 -2
- data/spec/integration/application/apply_spec.rb +14 -0
- data/spec/integration/http/client_spec.rb +16 -0
- data/spec/integration/type/exec_spec.rb +13 -0
- data/spec/unit/application/ssl_spec.rb +49 -0
- data/spec/unit/defaults_spec.rb +2 -40
- data/spec/unit/file_system/path_pattern_spec.rb +15 -0
- data/spec/unit/functions/split_spec.rb +6 -0
- data/spec/unit/ssl/certificate_signer_spec.rb +17 -0
- data/spec/unit/ssl/ssl_provider_spec.rb +2 -2
- data/spec/unit/util/execution_spec.rb +1 -0
- data/spec/unit/util/windows/adsi_spec.rb +25 -0
- metadata +5 -3
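--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1c8e68ee599ed861726eab93a5c562c4b78b4ac8dedb858b463e42d0f227fc08
+data.tar.gz: 682f12641fdef56f5a9966bd9ceb3ef5c4040b8fbc78cb2047b95b6f1e9d4249
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d06c4acb947c364b0d03acac6b8460633fa10f0003da26a46ab6c75885b2fc5a5449ef8e498763a21a025368ae4f21a0b5583f647220e683c4319bb0e1486ed4
+data.tar.gz: 5babca90f6a026d264cc36c681b5a7de11955801b52ca25f64185106c8997429546caa3c66a906a177c3ec32261e303ab382f6bcc35b545f37a0e32bc7089c51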
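--- a/data/Gemfile
+++ b/data/Gemfile
@@ -35,7 +35,7 @@ group(:features) do
 end
 
 group(:test) do
-gem "ffi", require: false
+gem "ffi", '1.15.5', require: false
 gem "json-schema", "~> 2.0", require: false
 gem "rake", *location_for(ENV['RAKE_LOCATION'] || '~> 13.0')
 gem "rspec", "~> 3.1", require: false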
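Review bot: `gem "ffi", '1.15.5', require: false` is an exact pin with no comment giving the reason, and the same pin is repeated for both mingw platforms in `ext/project_data.yaml` (`ffi: '1.15.5'`). An unexplained hard pin tends to outlive its cause and keeps later fixes to the native extension from being picked up. Add a comment above the line naming the constraint and when it can be lifted, e.g. `# Pinned to 1.15.5: <reason / ticket placeholder>; remove once resolved`.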
data/Gemfile.lock
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
GIT
|
2
2
|
remote: https://github.com/puppetlabs/packaging
|
3
|
-
revision:
|
3
|
+
revision: 8adf33f59cc443c311c5d5d70c6ba2084625ceea
|
4
4
|
branch: 1.0.x
|
5
5
|
specs:
|
6
6
|
packaging (0)
|
@@ -15,7 +15,7 @@ GIT
|
|
15
15
|
PATH
|
16
16
|
remote: .
|
17
17
|
specs:
|
18
|
-
puppet (7.
|
18
|
+
puppet (7.27.0)
|
19
19
|
CFPropertyList (~> 2.2)
|
20
20
|
concurrent-ruby (~> 1.0)
|
21
21
|
deep_merge (~> 1.0)
|
@@ -31,27 +31,29 @@ GEM
|
|
31
31
|
remote: https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
|
32
32
|
specs:
|
33
33
|
CFPropertyList (2.3.6)
|
34
|
-
addressable (2.8.
|
34
|
+
addressable (2.8.5)
|
35
35
|
public_suffix (>= 2.0.2, < 6.0)
|
36
36
|
apt_stage_artifacts (0.11.0)
|
37
37
|
docopt
|
38
38
|
artifactory (3.0.15)
|
39
39
|
ast (2.4.2)
|
40
|
+
base64 (0.1.1)
|
40
41
|
coderay (1.1.3)
|
41
42
|
concurrent-ruby (1.2.2)
|
42
43
|
crack (0.4.5)
|
43
44
|
rexml
|
44
|
-
csv (3.2.
|
45
|
+
csv (3.2.7)
|
45
46
|
declarative (0.0.20)
|
46
47
|
deep_merge (1.2.2)
|
47
48
|
diff-lcs (1.5.0)
|
48
|
-
digest-crc (0.6.
|
49
|
+
digest-crc (0.6.5)
|
49
50
|
rake (>= 12.0.0, < 14.0.0)
|
50
51
|
docopt (0.6.1)
|
51
|
-
facter (4.
|
52
|
+
facter (4.5.0)
|
52
53
|
hocon (~> 1.3)
|
53
54
|
thor (>= 1.0.1, < 2.0)
|
54
|
-
faraday (2.7.
|
55
|
+
faraday (2.7.11)
|
56
|
+
base64
|
55
57
|
faraday-net_http (>= 2.0, < 3.1)
|
56
58
|
ruby2_keywords (>= 0.0.4)
|
57
59
|
faraday-net_http (3.0.2)
|
@@ -64,7 +66,7 @@ GEM
|
|
64
66
|
fast_gettext (~> 1.1.0)
|
65
67
|
gettext (>= 3.0.2, < 3.3.0)
|
66
68
|
locale
|
67
|
-
google-apis-core (0.11.
|
69
|
+
google-apis-core (0.11.1)
|
68
70
|
addressable (~> 2.5, >= 2.5.1)
|
69
71
|
googleauth (>= 0.16.2, < 2.a)
|
70
72
|
httpclient (>= 2.8.1, < 3.a)
|
@@ -91,10 +93,9 @@ GEM
|
|
91
93
|
google-cloud-core (~> 1.6)
|
92
94
|
googleauth (>= 0.16.2, < 2.a)
|
93
95
|
mini_mime (~> 1.0)
|
94
|
-
googleauth (1.
|
96
|
+
googleauth (1.8.1)
|
95
97
|
faraday (>= 0.17.3, < 3.a)
|
96
98
|
jwt (>= 1.4, < 3.0)
|
97
|
-
memoist (~> 0.16)
|
98
99
|
multi_json (~> 1.11)
|
99
100
|
os (>= 0.9, < 2.0)
|
100
101
|
signet (>= 0.16, < 2.a)
|
@@ -111,34 +112,33 @@ GEM
|
|
111
112
|
addressable (>= 2.4)
|
112
113
|
jwt (2.7.1)
|
113
114
|
locale (2.1.3)
|
114
|
-
memoist (0.16.2)
|
115
115
|
memory_profiler (1.0.1)
|
116
116
|
method_source (1.0.0)
|
117
|
-
mini_mime (1.1.
|
117
|
+
mini_mime (1.1.5)
|
118
118
|
minitar (0.9)
|
119
|
-
msgpack (1.7.
|
119
|
+
msgpack (1.7.2)
|
120
120
|
multi_json (1.15.0)
|
121
121
|
mustache (1.1.1)
|
122
|
-
optimist (3.0
|
122
|
+
optimist (3.1.0)
|
123
123
|
os (1.1.4)
|
124
124
|
parallel (1.23.0)
|
125
|
-
parser (3.2.2.
|
125
|
+
parser (3.2.2.4)
|
126
126
|
ast (~> 2.4.1)
|
127
127
|
racc
|
128
128
|
pry (0.14.2)
|
129
129
|
coderay (~> 1.1)
|
130
130
|
method_source (~> 1.0)
|
131
|
-
public_suffix (5.0.
|
132
|
-
puppet-resource_api (1.
|
131
|
+
public_suffix (5.0.3)
|
132
|
+
puppet-resource_api (1.9.0)
|
133
133
|
hocon (>= 1.0)
|
134
134
|
puppetserver-ca (2.6.0)
|
135
135
|
facter (>= 2.0.1, < 5)
|
136
136
|
racc (1.5.2)
|
137
137
|
rainbow (3.1.1)
|
138
138
|
rake (13.0.6)
|
139
|
-
rdiscount (2.2.7)
|
139
|
+
rdiscount (2.2.7.1)
|
140
140
|
rdoc (6.3.3)
|
141
|
-
regexp_parser (2.8.
|
141
|
+
regexp_parser (2.8.2)
|
142
142
|
release-metrics (1.1.0)
|
143
143
|
csv
|
144
144
|
docopt
|
@@ -147,7 +147,7 @@ GEM
|
|
147
147
|
trailblazer-option (>= 0.1.1, < 0.2.0)
|
148
148
|
uber (< 0.2.0)
|
149
149
|
retriable (3.1.2)
|
150
|
-
rexml (3.2.
|
150
|
+
rexml (3.2.6)
|
151
151
|
ronn (0.7.3)
|
152
152
|
hpricot (>= 0.8.2)
|
153
153
|
mustache (>= 0.7.0)
|
@@ -164,10 +164,10 @@ GEM
|
|
164
164
|
rspec-its (1.3.0)
|
165
165
|
rspec-core (>= 3.0.0)
|
166
166
|
rspec-expectations (>= 3.0.0)
|
167
|
-
rspec-mocks (3.12.
|
167
|
+
rspec-mocks (3.12.6)
|
168
168
|
diff-lcs (>= 1.2.0, < 2.0)
|
169
169
|
rspec-support (~> 3.12.0)
|
170
|
-
rspec-support (3.12.
|
170
|
+
rspec-support (3.12.1)
|
171
171
|
rubocop (1.28.0)
|
172
172
|
parallel (~> 1.10)
|
173
173
|
parser (>= 3.1.0.0)
|
@@ -186,18 +186,18 @@ GEM
|
|
186
186
|
ruby2_keywords (0.0.5)
|
187
187
|
scanf (1.0.0)
|
188
188
|
semantic_puppet (1.1.0)
|
189
|
-
signet (0.
|
189
|
+
signet (0.18.0)
|
190
190
|
addressable (~> 2.8)
|
191
191
|
faraday (>= 0.17.5, < 3.a)
|
192
192
|
jwt (>= 1.5, < 3.0)
|
193
193
|
multi_json (~> 1.10)
|
194
194
|
text (1.3.1)
|
195
|
-
thor (1.
|
195
|
+
thor (1.3.0)
|
196
196
|
trailblazer-option (0.1.2)
|
197
197
|
uber (0.1.0)
|
198
|
-
unicode-display_width (2.
|
198
|
+
unicode-display_width (2.5.0)
|
199
199
|
vcr (5.1.0)
|
200
|
-
webmock (3.
|
200
|
+
webmock (3.19.1)
|
201
201
|
addressable (>= 2.8.0)
|
202
202
|
crack (>= 0.3.2)
|
203
203
|
hashdiff (>= 0.4.0, < 2.0.0)
|
@@ -209,7 +209,7 @@ PLATFORMS
|
|
209
209
|
|
210
210
|
DEPENDENCIES
|
211
211
|
diff-lcs (~> 1.3)
|
212
|
-
ffi
|
212
|
+
ffi (= 1.15.5)
|
213
213
|
gettext-setup (~> 0.28)
|
214
214
|
hiera-eyaml
|
215
215
|
hocon (~> 1.0)
|
@@ -238,4 +238,4 @@ DEPENDENCIES
|
|
238
238
|
yard
|
239
239
|
|
240
240
|
BUNDLED WITH
|
241
|
-
2.4.
|
241
|
+
2.4.20
|
data/ext/project_data.yaml
CHANGED
@@ -40,11 +40,11 @@ gem_platform_dependencies:
|
|
40
40
|
CFPropertyList: '~> 2.2'
|
41
41
|
x86-mingw32:
|
42
42
|
gem_runtime_dependencies:
|
43
|
-
ffi:
|
43
|
+
ffi: '1.15.5'
|
44
44
|
minitar: '~> 0.9'
|
45
45
|
x64-mingw32:
|
46
46
|
gem_runtime_dependencies:
|
47
|
-
ffi:
|
47
|
+
ffi: '1.15.5'
|
48
48
|
minitar: '~> 0.9'
|
49
49
|
bundle_platforms:
|
50
50
|
universal-darwin: all
|
@@ -59,6 +59,11 @@ ACTIONS
|
|
59
59
|
the CSR. Otherwise a new key pair will be generated. If a CSR has already
|
60
60
|
been submitted with the given `certname`, then the operation will fail.
|
61
61
|
|
62
|
+
* generate_request:
|
63
|
+
Generate a certificate signing request (CSR). If
|
64
|
+
a private and public key pair already exist, they will be used to generate
|
65
|
+
the CSR. Otherwise a new key pair will be generated.
|
66
|
+
|
62
67
|
* download_cert:
|
63
68
|
Download a certificate for this host. If the current private key matches
|
64
69
|
the downloaded certificate, then the certificate will be saved and used
|
@@ -136,9 +141,21 @@ HELP
|
|
136
141
|
unless cert
|
137
142
|
raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: certname }
|
138
143
|
end
|
144
|
+
when 'generate_request'
|
145
|
+
generate_request(certname)
|
139
146
|
when 'verify'
|
140
147
|
verify(certname)
|
141
148
|
when 'clean'
|
149
|
+
possible_extra_args = command_line.args.drop(1)
|
150
|
+
unless possible_extra_args.empty?
|
151
|
+
raise Puppet::Error, _(<<END) % { args: possible_extra_args.join(' ')}
|
152
|
+
Extra arguments detected: %{args}
|
153
|
+
Did you mean to run:
|
154
|
+
puppetserver ca clean --certname <name>
|
155
|
+
Or:
|
156
|
+
puppet ssl clean --target <name>
|
157
|
+
END
|
158
|
+
end
|
142
159
|
clean(certname)
|
143
160
|
when 'bootstrap'
|
144
161
|
if !Puppet::Util::Log.sendlevel?(:info)
|
@@ -162,13 +179,7 @@ HELP
|
|
162
179
|
def submit_request(ssl_context)
|
163
180
|
key = @cert_provider.load_private_key(Puppet[:certname])
|
164
181
|
unless key
|
165
|
-
|
166
|
-
Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: Puppet[:certname], curve: Puppet[:named_curve] }
|
167
|
-
key = OpenSSL::PKey::EC.generate(Puppet[:named_curve])
|
168
|
-
else
|
169
|
-
Puppet.info _("Creating a new SSL key for %{name}") % { name: Puppet[:certname] }
|
170
|
-
key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
|
171
|
-
end
|
182
|
+
key = create_key(Puppet[:certname])
|
172
183
|
@cert_provider.save_private_key(Puppet[:certname], key)
|
173
184
|
end
|
174
185
|
|
@@ -187,6 +198,20 @@ HELP
|
|
187
198
|
raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
|
188
199
|
end
|
189
200
|
|
201
|
+
def generate_request(certname)
|
202
|
+
key = @cert_provider.load_private_key(certname)
|
203
|
+
unless key
|
204
|
+
key = create_key(certname)
|
205
|
+
@cert_provider.save_private_key(certname, key)
|
206
|
+
end
|
207
|
+
|
208
|
+
csr = @cert_provider.create_request(certname, key)
|
209
|
+
@cert_provider.save_request(certname, csr)
|
210
|
+
Puppet.notice _("Generated certificate request in '%{path}'") % { path: @cert_provider.to_path(Puppet[:requestdir], certname) }
|
211
|
+
rescue => e
|
212
|
+
raise Puppet::Error.new(_("Failed to generate certificate request: %{message}") % { message: e.message }, e)
|
213
|
+
end
|
214
|
+
|
190
215
|
def download_cert(ssl_context)
|
191
216
|
key = @cert_provider.load_private_key(Puppet[:certname])
|
192
217
|
|
@@ -285,4 +310,14 @@ END
|
|
285
310
|
def create_route(ssl_context)
|
286
311
|
@session.route_to(:ca, ssl_context: ssl_context)
|
287
312
|
end
|
313
|
+
|
314
|
+
def create_key(certname)
|
315
|
+
if Puppet[:key_type] == 'ec'
|
316
|
+
Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: certname, curve: Puppet[:named_curve] }
|
317
|
+
OpenSSL::PKey::EC.generate(Puppet[:named_curve])
|
318
|
+
else
|
319
|
+
Puppet.info _("Creating a new SSL key for %{name}") % { name: certname }
|
320
|
+
OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
|
321
|
+
end
|
322
|
+
end
|
288
323
|
end
|
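Review bot: `create_key` feeds `Puppet[:keylength].to_i` straight into `OpenSSL::PKey::RSA.new`, so a non-numeric setting becomes 0 and a small value produces a weak key without any warning; with the new `generate_request` action that key now backs a CSR that may be signed out of band. The logic is moved from `submit_request` rather than newly written, and whether the setting is range-checked elsewhere is not visible in this section. A floor check ahead of the RSA branch would make the failure explicit, e.g. `bits = Puppet[:keylength].to_i` followed by `raise Puppet::Error, _("keylength %{bits} is too small") % { bits: bits } if bits < 2048`. `generate_request` and `create_key` also carry no doc comment; one line stating that `generate_request` reuses an existing private key for `certname` and only writes the CSR locally would help the next reader.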
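--- a/data/lib/puppet/application.rb
+++ b/data/lib/puppet/application.rb
@@ -503,8 +503,12 @@ class Application
 runtime_info = {
 'puppet_version' => Puppet.version,
 'ruby_version' => RUBY_VERSION,
-'run_mode' => self.class.run_mode.name
+'run_mode' => self.class.run_mode.name
 }
+unless Puppet::Util::Platform.jruby_fips?
+runtime_info['openssl_version'] = "'#{OpenSSL::OPENSSL_VERSION}'"
+runtime_info['openssl_fips'] = OpenSSL::OPENSSL_FIPS
+end
 runtime_info['default_encoding'] = Encoding.default_external
 runtime_info.merge!(extra_info) unless extra_info.nil?
 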
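Review bot: `openssl_version` is stored as `"'#{OpenSSL::OPENSSL_VERSION}'"`, with literal single quotes inside the value, unlike `puppet_version` and `ruby_version` next to it, so anything comparing the field against a version string will see the quotes. If the quoting is there for log readability (presumably because the version string contains spaces), say so in a comment; otherwise store the bare constant. The `unless Puppet::Util::Platform.jruby_fips?` guard also deserves a one-line comment on why the two OpenSSL constants are skipped on that platform. The enclosing method starts and ends outside the hunk.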
data/lib/puppet/defaults.rb
CHANGED
@@ -3,11 +3,7 @@ require_relative '../puppet/util/platform'
|
|
3
3
|
module Puppet
|
4
4
|
|
5
5
|
def self.default_diffargs
|
6
|
-
|
7
|
-
""
|
8
|
-
else
|
9
|
-
"-u"
|
10
|
-
end
|
6
|
+
'-u'
|
11
7
|
end
|
12
8
|
|
13
9
|
def self.default_digest_algorithm
|
@@ -35,6 +35,21 @@ Puppet::Functions.create_function(:split) do
|
|
35
35
|
param 'Type[Regexp]', :pattern
|
36
36
|
end
|
37
37
|
|
38
|
+
dispatch :split_String_sensitive do
|
39
|
+
param 'Sensitive[String]', :sensitive
|
40
|
+
param 'String', :pattern
|
41
|
+
end
|
42
|
+
|
43
|
+
dispatch :split_Regexp_sensitive do
|
44
|
+
param 'Sensitive[String]', :sensitive
|
45
|
+
param 'Regexp', :pattern
|
46
|
+
end
|
47
|
+
|
48
|
+
dispatch :split_RegexpType_sensitive do
|
49
|
+
param 'Sensitive[String]', :sensitive
|
50
|
+
param 'Type[Regexp]', :pattern
|
51
|
+
end
|
52
|
+
|
38
53
|
def split_String(str, pattern)
|
39
54
|
str.split(Regexp.compile(pattern))
|
40
55
|
end
|
@@ -46,4 +61,16 @@ Puppet::Functions.create_function(:split) do
|
|
46
61
|
def split_RegexpType(str, pattern)
|
47
62
|
str.split(pattern.regexp)
|
48
63
|
end
|
49
|
-
|
64
|
+
|
65
|
+
def split_String_sensitive(sensitive, pattern)
|
66
|
+
Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_String(sensitive.unwrap, pattern))
|
67
|
+
end
|
68
|
+
|
69
|
+
def split_Regexp_sensitive(sensitive, pattern)
|
70
|
+
Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_Regexp(sensitive.unwrap, pattern))
|
71
|
+
end
|
72
|
+
|
73
|
+
def split_RegexpType_sensitive(sensitive, pattern)
|
74
|
+
Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_RegexpType(sensitive.unwrap, pattern))
|
75
|
+
end
|
76
|
+
end
|
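Review bot: The three `*_sensitive` dispatches return one `Sensitive` wrapping the whole array (`Sensitive.new(split_String(sensitive.unwrap, pattern))`), not an array of `Sensitive` strings, and nothing in the visible hunks documents that. Callers that index or iterate the result must unwrap it first, and any element they pull out is no longer redacted in logs and reports unless it is re-wrapped. If the function's doc block above the hunk does not already say so, add a line such as `# Given a Sensitive[String], returns Sensitive[Array[String]]; re-wrap any element that must stay redacted after unwrapping.` The pattern argument is not treated as sensitive in any of the new signatures.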
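--- a/data/lib/puppet/http/client.rb
+++ b/data/lib/puppet/http/client.rb
@@ -367,6 +367,7 @@ class Puppet::HTTP::Client
 apply_auth(request, basic_auth) if redirects.zero?
 
 # don't call return within the `request` block
+close_and_sleep = nil
 http.request(request) do |nethttp|
 response = Puppet::HTTP::ResponseNetHTTP.new(request.uri, nethttp)
 begin
@@ -380,12 +381,14 @@ class Puppet::HTTP::Client
 interval = @retry_after_handler.retry_after_interval(request, response, retries)
 retries += 1
 if interval
-
-
-
+close_and_sleep = proc do
+if http.started?
+Puppet.debug("Closing connection for #{Puppet::HTTP::Site.from_uri(request.uri)}")
+http.finish
+end
+Puppet.warning(_("Sleeping for %{interval} seconds before retrying the request") % { interval: interval })
+::Kernel.sleep(interval)
 end
-Puppet.warning(_("Sleeping for %{interval} seconds before retrying the request") % { interval: interval })
-::Kernel.sleep(interval)
 next
 end
 end
@@ -404,6 +407,10 @@ class Puppet::HTTP::Client
 
 done = true
 end
+ensure
+# If a server responded with a retry, make sure the connection is closed and then
+# sleep the specified time.
+close_and_sleep.call if close_and_sleep
 end
 end
 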
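Review bot: `close_and_sleep` is assigned inside the `http.request` block and run from `ensure`, but the reset `close_and_sleep = nil` just before `http.request` has no comment tying the two together. The retry loop is outside the visible hunks, so it cannot be confirmed here that the reset runs on every attempt; if it did not, a stale proc would close the connection and sleep again on a later pass. A comment at the reset would pin the intent, e.g. `# cleared per attempt; set in the block when the server asks for a retry, run from ensure once Net::HTTP has left the block`. The sleep length comes from `@retry_after_handler`, so any upper bound on a server-supplied interval lives there and is worth checking alongside this change.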
@@ -591,10 +591,12 @@ class Puppet::Node::Environment
|
|
591
591
|
if file == NO_MANIFEST
|
592
592
|
empty_parse_result
|
593
593
|
elsif File.directory?(file)
|
594
|
-
|
595
|
-
|
596
|
-
|
597
|
-
|
594
|
+
# JRuby does not properly perform Dir.glob operations with wildcards, (see PUP-11788 and https://github.com/jruby/jruby/issues/7836).
|
595
|
+
# We sort the results because Dir.glob order is inconsistent in Ruby < 3 (see PUP-10115).
|
596
|
+
parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*')).glob.select {|globbed_file| globbed_file.end_with?('.pp')}.sort.map do | file_to_parse |
|
597
|
+
parser.file = file_to_parse
|
598
|
+
parser.parse
|
599
|
+
end
|
598
600
|
# Use a parser type specific merger to concatenate the results
|
599
601
|
Puppet::Parser::AST::Hostclass.new('', :code => Puppet::Parser::ParserFactory.code_merger.concatenate(parse_results))
|
600
602
|
else
|
@@ -9,7 +9,13 @@ class DeferredValue
|
|
9
9
|
end
|
10
10
|
|
11
11
|
def resolve
|
12
|
-
@proc.call
|
12
|
+
val = @proc.call
|
13
|
+
# Deferred sensitive values will be marked as such in resolve_futures()
|
14
|
+
if val.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
|
15
|
+
val.unwrap
|
16
|
+
else
|
17
|
+
val
|
18
|
+
end
|
13
19
|
end
|
14
20
|
end
|
15
21
|
|
@@ -87,8 +93,12 @@ class DeferredResolver
|
|
87
93
|
#
|
88
94
|
if resolved.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
|
89
95
|
resolved = resolved.unwrap
|
90
|
-
|
91
|
-
|
96
|
+
mark_sensitive_parameters(r, k)
|
97
|
+
# If the value is a DeferredValue and it has an argument of type PSensitiveType, mark it as sensitive
|
98
|
+
# The DeferredValue.resolve method will unwrap it during catalog application
|
99
|
+
elsif resolved.is_a?(Puppet::Pops::Evaluator::DeferredValue)
|
100
|
+
if v.arguments.any? {|arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType)}
|
101
|
+
mark_sensitive_parameters(r, k)
|
92
102
|
end
|
93
103
|
end
|
94
104
|
overrides[ k ] = resolved
|
@@ -97,6 +107,13 @@ class DeferredResolver
|
|
97
107
|
end
|
98
108
|
end
|
99
109
|
|
110
|
+
def mark_sensitive_parameters(r, k)
|
111
|
+
unless r.sensitive_parameters.include?(k.to_sym)
|
112
|
+
r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
|
113
|
+
end
|
114
|
+
end
|
115
|
+
private :mark_sensitive_parameters
|
116
|
+
|
100
117
|
def resolve(x)
|
101
118
|
if x.class == @deferred_class
|
102
119
|
resolve_future(x)
|
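Review bot: In `resolve_futures` the `DeferredValue` branch marks the parameter sensitive only when a top-level argument is the `PSensitiveType` type object (`v.arguments.any? {|arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType)}`), yet `DeferredValue#resolve` now unwraps any `Sensitive` result. A deferred call that yields `Sensitive` by another route (a function that wraps its own return value, a nested deferred argument, or a `Sensitive` value rather than the type in `arguments`) would, as far as these hunks show, be unwrapped at apply time without the parameter being added to `sensitive_parameters`, so the plaintext could surface in logs or reports. At minimum record the limitation next to the check, e.g. `# Only a literal Sensitive type argument is detected here; other deferred calls returning Sensitive are unwrapped without being marked`, and add a spec for that case. `resolve_futures` starts outside the hunk.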
@@ -12,7 +12,7 @@ Puppet::Type.type(:package).provide :apt, :parent => :dpkg, :source => :dpkg do
|
|
12
12
|
These options should be specified as an array where each element is either a
|
13
13
|
string or a hash."
|
14
14
|
|
15
|
-
has_feature :versionable, :install_options, :virtual_packages
|
15
|
+
has_feature :versionable, :install_options, :virtual_packages, :version_ranges
|
16
16
|
|
17
17
|
commands :aptget => "/usr/bin/apt-get"
|
18
18
|
commands :aptcache => "/usr/bin/apt-cache"
|
@@ -9,7 +9,7 @@ Puppet::Type.type(:package).provide :dnf, :parent => :yum do
|
|
9
9
|
These options should be specified as an array where each element is either
|
10
10
|
a string or a hash."
|
11
11
|
|
12
|
-
has_feature :install_options, :versionable, :virtual_packages, :install_only
|
12
|
+
has_feature :install_options, :versionable, :virtual_packages, :install_only, :version_ranges
|
13
13
|
|
14
14
|
commands :cmd => "dnf", :rpm => "rpm"
|
15
15
|
|
@@ -15,7 +15,7 @@ Puppet::Type.type(:package).provide :yum, :parent => :rpm, :source => :rpm do
|
|
15
15
|
This provider supports the `install_options` attribute, which allows command-line flags to be passed to yum.
|
16
16
|
These options should be specified as an array where each element is either a string or a hash."
|
17
17
|
|
18
|
-
has_feature :install_options, :versionable, :virtual_packages, :install_only
|
18
|
+
has_feature :install_options, :versionable, :virtual_packages, :install_only, :version_ranges
|
19
19
|
|
20
20
|
RPM_VERSION = Puppet::Util::Package::Version::Rpm
|
21
21
|
RPM_VERSION_RANGE = Puppet::Util::Package::Version::Range
|
data/lib/puppet/ssl/oids.rb
CHANGED
@@ -71,6 +71,7 @@ module Puppet::SSL::Oids
|
|
71
71
|
|
72
72
|
["1.3.6.1.4.1.34380.1.3.1", 'pp_authorization', 'Certificate Extension Authorization'],
|
73
73
|
["1.3.6.1.4.1.34380.1.3.13", 'pp_auth_role', 'Puppet Node Role Name for Authorization'],
|
74
|
+
["1.3.6.1.4.1.34380.1.3.39", 'pp_cli_auth', 'Puppetserver CA CLI Authorization'],
|
74
75
|
]
|
75
76
|
|
76
77
|
@did_register_puppet_oids = false
|
@@ -222,8 +222,12 @@ module Puppet::Util::Execution
|
|
222
222
|
# Use non-blocking read to check for data. After each attempt,
|
223
223
|
# check whether the child is done. This is done in case the child
|
224
224
|
# forks and inherits stdout, as happens in `foo &`.
|
225
|
-
|
226
|
-
|
225
|
+
# If we encounter EOF, though, then switch to a blocking wait for
|
226
|
+
# the child; after EOF, IO.select will never block and the loop
|
227
|
+
# below will use maximum CPU available.
|
228
|
+
|
229
|
+
wait_flags = Process::WNOHANG
|
230
|
+
until results = Process.waitpid2(child_pid, wait_flags) #rubocop:disable Lint/AssignmentInCondition
|
227
231
|
|
228
232
|
# If not done, wait for data to read with a timeout
|
229
233
|
# This timeout is selected to keep activity low while waiting on
|
@@ -234,6 +238,7 @@ module Puppet::Util::Execution
|
|
234
238
|
output << reader.read_nonblock(4096) if ready
|
235
239
|
rescue Errno::EAGAIN
|
236
240
|
rescue EOFError
|
241
|
+
wait_flags = 0
|
237
242
|
end
|
238
243
|
end
|
239
244
|
|
@@ -175,6 +175,13 @@ module Puppet::Util::Windows::ADSI
|
|
175
175
|
sids = []
|
176
176
|
adsi_child_collection.each do |m|
|
177
177
|
sids << Puppet::Util::Windows::SID.ads_to_principal(m)
|
178
|
+
rescue Puppet::Util::Windows::Error => e
|
179
|
+
case e.code
|
180
|
+
when Puppet::Util::Windows::SID::ERROR_TRUSTED_RELATIONSHIP_FAILURE, Puppet::Util::Windows::SID::ERROR_TRUSTED_DOMAIN_FAILURE
|
181
|
+
sids << Puppet::Util::Windows::SID.unresolved_principal(m.name, m.sid)
|
182
|
+
else
|
183
|
+
raise e
|
184
|
+
end
|
178
185
|
end
|
179
186
|
|
180
187
|
sids
|
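Review bot: The new `rescue` in the `each` block maps the two trust-failure codes to `unresolved_principal(m.name, m.sid)` without emitting anything, so a broken domain trust that affects group membership leaves no trace in the run output. A debug line in that branch, e.g. `Puppet.debug("Could not resolve #{m.name}: #{e.message}")`, would let operators see which members were left unresolved. In the `else` branch a bare `raise` is the more usual way to re-raise the current exception than `raise e`. The enclosing method starts outside the hunk.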
@@ -6,8 +6,10 @@ module Puppet::Util::Windows
|
|
6
6
|
extend FFI::Library
|
7
7
|
|
8
8
|
# missing from Windows::Error
|
9
|
-
ERROR_NONE_MAPPED
|
10
|
-
ERROR_INVALID_SID_STRUCTURE
|
9
|
+
ERROR_NONE_MAPPED = 1332
|
10
|
+
ERROR_INVALID_SID_STRUCTURE = 1337
|
11
|
+
ERROR_TRUSTED_DOMAIN_FAILURE = 1788
|
12
|
+
ERROR_TRUSTED_RELATIONSHIP_FAILURE = 1789
|
11
13
|
|
12
14
|
# Well Known SIDs
|
13
15
|
Null = 'S-1-0'
|
data/lib/puppet/version.rb
CHANGED
@@ -346,13 +346,17 @@ class Puppet::X509::CertProvider
|
|
346
346
|
OpenSSL::X509::Request.new(pem)
|
347
347
|
end
|
348
348
|
|
349
|
-
|
350
|
-
|
349
|
+
# Return the path to the cert related object (key, CSR, cert, etc).
|
350
|
+
#
|
351
|
+
# @param base [String] base directory
|
352
|
+
# @param name [String] the name associated with the cert related object
|
351
353
|
def to_path(base, name)
|
352
354
|
raise _("Certname %{name} must not contain unprintable or non-ASCII characters") % { name: name.inspect } unless name =~ VALID_CERTNAME
|
353
355
|
File.join(base, "#{name.downcase}.pem")
|
354
356
|
end
|
355
357
|
|
358
|
+
private
|
359
|
+
|
356
360
|
def permissions_for_setting(name)
|
357
361
|
setting = Puppet.settings.setting(name)
|
358
362
|
perm = { mode: setting.mode.to_i(8) }
|
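Review bot: Moving `private` below `to_path` makes the method part of the public API (the new `generate_request` action calls it), but the added YARD block stops at the two `@param` tags. Add `# @return [String] path of the form <base>/<downcased name>.pem` and `# @raise [RuntimeError] if name does not match VALID_CERTNAME`, and state that only `name` is validated: `base` is joined as given, so callers must pass a trusted directory. `VALID_CERTNAME` is defined outside the hunk, so whether it is anchored to the whole string cannot be checked from here.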
data/man/man5/puppet.conf.5
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPETCONF" "5" "
|
4
|
+
.TH "PUPPETCONF" "5" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
\fBThis page is autogenerated; any changes will get overwritten\fR
|
6
6
|
.
|
7
7
|
.SH "Configuration settings"
|
@@ -945,7 +945,7 @@ The time to wait for data to be read from an HTTP connection\. If nothing is rea
|
|
945
945
|
The HTTP User\-Agent string to send when making network requests\.
|
946
946
|
.
|
947
947
|
.IP "\(bu" 4
|
948
|
-
\fIDefault\fR: \fBPuppet/7\.
|
948
|
+
\fIDefault\fR: \fBPuppet/7\.27\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
|
949
949
|
.
|
950
950
|
.IP "" 0
|
951
951
|
.
|
data/man/man8/puppet-agent.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-AGENT" "8" "
|
4
|
+
.TH "PUPPET\-AGENT" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-agent\fR \- The puppet agent daemon
|
data/man/man8/puppet-apply.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-APPLY" "8" "
|
4
|
+
.TH "PUPPET\-APPLY" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-apply\fR \- Apply Puppet manifests locally
|
data/man/man8/puppet-catalog.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-CATALOG" "8" "
|
4
|
+
.TH "PUPPET\-CATALOG" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-catalog\fR \- Compile, save, view, and convert catalogs\.
|
data/man/man8/puppet-config.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-CONFIG" "8" "
|
4
|
+
.TH "PUPPET\-CONFIG" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-config\fR \- Interact with Puppet\'s settings\.
|
data/man/man8/puppet-describe.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-DESCRIBE" "8" "
|
4
|
+
.TH "PUPPET\-DESCRIBE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-describe\fR \- Display help about resource types
|
data/man/man8/puppet-device.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-DEVICE" "8" "
|
4
|
+
.TH "PUPPET\-DEVICE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-device\fR \- Manage remote network devices
|
data/man/man8/puppet-doc.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-DOC" "8" "
|
4
|
+
.TH "PUPPET\-DOC" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-doc\fR \- Generate Puppet references
|
data/man/man8/puppet-epp.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-EPP" "8" "
|
4
|
+
.TH "PUPPET\-EPP" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-epp\fR \- Interact directly with the EPP template parser/renderer\.
|
data/man/man8/puppet-facts.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-FACTS" "8" "
|
4
|
+
.TH "PUPPET\-FACTS" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-facts\fR \- Retrieve and store facts\.
|
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-FILEBUCKET" "8" "
|
4
|
+
.TH "PUPPET\-FILEBUCKET" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-filebucket\fR \- Store and retrieve files in a filebucket
|
data/man/man8/puppet-generate.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-GENERATE" "8" "
|
4
|
+
.TH "PUPPET\-GENERATE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-generate\fR \- Generates Puppet code from Ruby definitions\.
|
data/man/man8/puppet-help.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-HELP" "8" "
|
4
|
+
.TH "PUPPET\-HELP" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-help\fR \- Display Puppet help\.
|
data/man/man8/puppet-lookup.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-LOOKUP" "8" "
|
4
|
+
.TH "PUPPET\-LOOKUP" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-lookup\fR \- Interactive Hiera lookup
|
data/man/man8/puppet-module.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-MODULE" "8" "
|
4
|
+
.TH "PUPPET\-MODULE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-module\fR \- Creates, installs and searches for modules on the Puppet Forge\.
|
data/man/man8/puppet-node.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-NODE" "8" "
|
4
|
+
.TH "PUPPET\-NODE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-node\fR \- View and manage node definitions\.
|
data/man/man8/puppet-parser.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-PARSER" "8" "
|
4
|
+
.TH "PUPPET\-PARSER" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-parser\fR \- Interact directly with the parser\.
|
data/man/man8/puppet-plugin.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-PLUGIN" "8" "
|
4
|
+
.TH "PUPPET\-PLUGIN" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-plugin\fR \- Interact with the Puppet plugin system\.
|
data/man/man8/puppet-report.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-REPORT" "8" "
|
4
|
+
.TH "PUPPET\-REPORT" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-report\fR \- Create, display, and submit reports\.
|
data/man/man8/puppet-resource.8
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "PUPPET\-RESOURCE" "8" "
|
4
|
+
.TH "PUPPET\-RESOURCE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
7
|
\fBpuppet\-resource\fR \- The resource abstraction layer shell
|
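--- a/data/man/man8/puppet-script.8
+++ b/data/man/man8/puppet-script.8
@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-SCRIPT" "8" "
+.TH "PUPPET\-SCRIPT" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-script\fR \- Run a puppet manifests as a script without compiling a catalog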
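--- a/data/man/man8/puppet-ssl.8
+++ b/data/man/man8/puppet-ssl.8
@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-SSL" "8" "
+.TH "PUPPET\-SSL" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-ssl\fR \- Manage SSL keys and certificates for puppet SSL clients
@@ -42,6 +42,10 @@ submit_request
 Generate a certificate signing request (CSR) and submit it to the CA\. If a private and public key pair already exist, they will be used to generate the CSR\. Otherwise a new key pair will be generated\. If a CSR has already been submitted with the given \fBcertname\fR, then the operation will fail\.
 .
 .TP
+generate_request
+Generate a certificate signing request (CSR)\. If a private and public key pair already exist, they will be used to generate the CSR\. Otherwise a new key pair will be generated\.
+.
+.TP
 download_cert
 Download a certificate for this host\. If the current private key matches the downloaded certificate, then the certificate will be saved and used for subsequent requests\. If there is already an existing certificate, it will be overwritten\.
 .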
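--- a/data/man/man8/puppet.8
+++ b/data/man/man8/puppet.8
@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET" "8" "
+.TH "PUPPET" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\fR
@@ -25,4 +25,4 @@ Specialized:
 catalog Compile, save, view, and convert catalogs\. describe Display help about resource types device Manage remote network devices doc Generate Puppet references epp Interact directly with the EPP template parser/renderer\. facts Retrieve and store facts\. filebucket Store and retrieve files in a filebucket generate Generates Puppet code from Ruby definitions\. node View and manage node definitions\. parser Interact directly with the parser\. plugin Interact with the Puppet plugin system\. script Run a puppet manifests as a script without compiling a catalog ssl Manage SSL keys and certificates for puppet SSL clients
 .
 .P
-See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.
+See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.27\.0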
@@ -755,5 +755,19 @@ class amod::bad_type {
|
|
755
755
|
.and output(/Notify\[runs before file\]/).to_stdout
|
756
756
|
.and output(/Validation of File.* failed: You cannot specify more than one of content, source, target/).to_stderr
|
757
757
|
end
|
758
|
+
|
759
|
+
it "applies deferred sensitive file content" do
|
760
|
+
manifest = <<~END
|
761
|
+
file { '#{deferred_file}':
|
762
|
+
ensure => file,
|
763
|
+
content => Deferred('new', [Sensitive, "hello\n"])
|
764
|
+
}
|
765
|
+
END
|
766
|
+
apply.command_line.args = ['-e', manifest]
|
767
|
+
expect {
|
768
|
+
apply.run
|
769
|
+
}.to exit_with(0)
|
770
|
+
.and output(/ensure: changed \[redacted\] to \[redacted\]/).to_stdout
|
771
|
+
end
|
758
772
|
end
|
759
773
|
end
|
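Review bot: The new `applies deferred sensitive file content` example matches only the `[redacted]` change message, so it would still pass if the unwrapped value were also printed, or if the file ended up with the wrong content. Adding `expect(File.read(deferred_file)).to eq("hello\n")` after the `expect { apply.run }` block would confirm that the Sensitive value was resolved and written. A negative check that the captured output does not contain the literal `hello` would pin the redaction itself. `deferred_file` and the enclosing `describe` are defined outside this hunk, so the setup cannot be confirmed from here.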
@@ -175,6 +175,22 @@ describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
|
|
175
175
|
end
|
176
176
|
end
|
177
177
|
|
178
|
+
context 'ensure that retrying does not attempt to read the body after closing the connection' do
|
179
|
+
let(:client) { Puppet::HTTP::Client.new(retry_limit: 1) }
|
180
|
+
it 'raises a retry error instead' do
|
181
|
+
response_proc = -> (req, res) {
|
182
|
+
res['Retry-After'] = 1
|
183
|
+
res.status = 503
|
184
|
+
}
|
185
|
+
|
186
|
+
https_server.start_server(response_proc: response_proc) do |port|
|
187
|
+
uri = URI("https://127.0.0.1:#{port}")
|
188
|
+
kwargs = {headers: {'Content-Type' => 'text/plain'}, options: {ssl_context: root_context}}
|
189
|
+
expect{client.post(uri, '', **kwargs)}.to raise_error(Puppet::HTTP::TooManyRetryAfters)
|
190
|
+
end
|
191
|
+
end
|
192
|
+
end
|
193
|
+
|
178
194
|
context 'persistent connections' do
|
179
195
|
it "detects when the server has closed the connection and reconnects" do
|
180
196
|
Puppet[:http_debug] = true
|
@@ -75,6 +75,19 @@ describe Puppet::Type.type(:exec), unless: Puppet::Util::Platform.jruby? do
|
|
75
75
|
end
|
76
76
|
end
|
77
77
|
|
78
|
+
context 'when an exec sends an EOF' do
|
79
|
+
let(:command) { ["/bin/bash", "-c", "exec /bin/sleep 1 >/dev/null 2>&1"] }
|
80
|
+
|
81
|
+
it 'should not take significant user time' do
|
82
|
+
exec = described_class.new :command => command, :path => ENV['PATH']
|
83
|
+
catalog.add_resource exec
|
84
|
+
timed_apply = Benchmark.measure { catalog.apply }
|
85
|
+
# In testing I found the user time before the patch in 4f35fd262e to be above
|
86
|
+
# 0.3, after the patch it was consistently below 0.1 seconds.
|
87
|
+
expect(timed_apply.utime).to be < 0.3
|
88
|
+
end
|
89
|
+
end
|
90
|
+
|
78
91
|
context 'when command is a string' do
|
79
92
|
let(:command) { "ruby -e 'File.open(\"#{path}\", \"w\") { |f| f.print \"foo\" }'" }
|
80
93
|
|
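Review bot: The assertion `expect(timed_apply.utime).to be < 0.3` depends on measured CPU time, which varies with host load, and its threshold sits at the pre-patch figure the comment reports ("above 0.3") rather than near the patched one ("below 0.1"). A bound such as `be < 0.2` would leave margin on both sides. The new `let(:command)` also hard-codes `/bin/bash` and `/bin/sleep`, while the only guard visible in the hunk header is the JRuby one. Unless an outer context outside this hunk already restricts it to POSIX, the context needs `unless: Puppet::Util::Platform.windows?`.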
@@ -171,6 +171,50 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
|
|
171
171
|
end
|
172
172
|
end
|
173
173
|
|
174
|
+
context 'when generating a CSR' do
|
175
|
+
let(:csr_path) { Puppet[:hostcsr] }
|
176
|
+
let(:requestdir) { Puppet[:requestdir] }
|
177
|
+
|
178
|
+
before do
|
179
|
+
ssl.command_line.args << 'generate_request'
|
180
|
+
end
|
181
|
+
|
182
|
+
it 'generates an RSA private key' do
|
183
|
+
File.unlink(Puppet[:hostprivkey])
|
184
|
+
|
185
|
+
expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
|
186
|
+
end
|
187
|
+
|
188
|
+
it 'generates an EC private key' do
|
189
|
+
Puppet[:key_type] = 'ec'
|
190
|
+
File.unlink(Puppet[:hostprivkey])
|
191
|
+
|
192
|
+
expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
|
193
|
+
end
|
194
|
+
|
195
|
+
it 'registers OIDs' do
|
196
|
+
expect(Puppet::SSL::Oids).to receive(:register_puppet_oids)
|
197
|
+
|
198
|
+
expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
|
199
|
+
end
|
200
|
+
|
201
|
+
it 'saves the CSR locally' do
|
202
|
+
expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
|
203
|
+
|
204
|
+
expect(Puppet::FileSystem).to be_exist(csr_path)
|
205
|
+
end
|
206
|
+
|
207
|
+
it 'accepts dns alt names' do
|
208
|
+
Puppet[:dns_alt_names] = 'majortom'
|
209
|
+
|
210
|
+
expects_command_to_pass
|
211
|
+
|
212
|
+
csr = Puppet::SSL::CertificateRequest.new(name)
|
213
|
+
csr.read(csr_path)
|
214
|
+
expect(csr.subject_alt_names).to include('DNS:majortom')
|
215
|
+
end
|
216
|
+
end
|
217
|
+
|
174
218
|
context 'when downloading a certificate' do
|
175
219
|
before do
|
176
220
|
ssl.command_line.args << 'download_cert'
|
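Review bot: The `generates an RSA private key` and `generates an EC private key` examples assert only the "Generated certificate request" message, so neither checks that a key was recreated after `File.unlink(Puppet[:hostprivkey])` or that it has the requested type. After `expects_command_to_pass`, a line such as `expect(OpenSSL::PKey.read(File.read(Puppet[:hostprivkey]))).to be_a(OpenSSL::PKey::EC)` (and `OpenSSL::PKey::RSA` in the other example) would pin that. `let(:requestdir)` is declared but not used by any example in this hunk. In the next hunk, the dots in `/Extra arguments detected: hostname.example.biz/` are unescaped, which is harmless here but matches more than the literal name.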
@@ -347,6 +391,11 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
|
|
347
391
|
expects_command_to_fail(%r{Failed to connect to the CA to determine if certificate #{name} has been cleaned})
|
348
392
|
end
|
349
393
|
|
394
|
+
it 'raises if we have extra args' do
|
395
|
+
ssl.command_line.args << 'hostname.example.biz'
|
396
|
+
expects_command_to_fail(/Extra arguments detected: hostname.example.biz/)
|
397
|
+
end
|
398
|
+
|
350
399
|
context 'when deleting local CA' do
|
351
400
|
before do
|
352
401
|
ssl.command_line.args << '--localca'
|
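--- a/data/spec/unit/defaults_spec.rb
+++ b/data/spec/unit/defaults_spec.rb
@@ -3,46 +3,8 @@ require 'puppet/settings'
 
 describe "Defaults" do
 describe ".default_diffargs" do
-
-
-allow(Facter).to receive(:value).with(:kernel).and_return("AIX")
-end
-
-describe "on 5.3" do
-before(:each) do
-allow(Facter).to receive(:value).with(:kernelmajversion).and_return("5300")
-end
-
-it "should be empty" do
-expect(Puppet.default_diffargs).to eq("")
-end
-end
-
-[ "",
-nil,
-"6300",
-"7300",
-].each do |kernel_version|
-describe "on kernel version #{kernel_version.inspect}" do
-before(:each) do
-allow(Facter).to receive(:value).with(:kernelmajversion).and_return(kernel_version)
-end
-
-it "should be '-u'" do
-expect(Puppet.default_diffargs).to eq("-u")
-end
-end
-end
-end
-
-describe "on everything else" do
-before(:each) do
-allow(Facter).to receive(:value).with(:kernel).and_return("NOT_AIX")
-end
-
-it "should be '-u'" do
-expect(Puppet.default_diffargs).to eq("-u")
-end
+it "should be '-u'" do
+expect(Puppet.default_diffargs).to eq("-u")
 end
 end
 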
@@ -1,6 +1,7 @@
|
|
1
1
|
require 'spec_helper'
|
2
2
|
require 'puppet_spec/files'
|
3
3
|
require 'puppet/file_system'
|
4
|
+
require 'puppet/util'
|
4
5
|
|
5
6
|
describe Puppet::FileSystem::PathPattern do
|
6
7
|
include PuppetSpec::Files
|
@@ -132,6 +133,20 @@ describe Puppet::FileSystem::PathPattern do
|
|
132
133
|
File.join(dir, "found_two")])
|
133
134
|
end
|
134
135
|
|
136
|
+
it 'globs wildcard patterns properly' do
|
137
|
+
# See PUP-11788 and https://github.com/jruby/jruby/issues/7836.
|
138
|
+
pending 'JRuby does not properly handle Dir.glob' if Puppet::Util::Platform.jruby?
|
139
|
+
|
140
|
+
dir = tmpdir('globtest')
|
141
|
+
create_file_in(dir, 'foo.pp')
|
142
|
+
create_file_in(dir, 'foo.pp.pp')
|
143
|
+
|
144
|
+
pattern = Puppet::FileSystem::PathPattern.absolute(File.join(dir, '**/*.pp'))
|
145
|
+
|
146
|
+
expect(pattern.glob).to match_array([File.join(dir, 'foo.pp'),
|
147
|
+
File.join(dir, 'foo.pp.pp')])
|
148
|
+
end
|
149
|
+
|
135
150
|
def create_file_in(dir, name)
|
136
151
|
File.open(File.join(dir, name), "w") { |f| f.puts "data" }
|
137
152
|
end
|
@@ -50,4 +50,10 @@ describe 'the split function' do
|
|
50
50
|
it 'should handle pattern in Regexp Type form with missing regular expression' do
|
51
51
|
expect(split('ab',type_parser.parse('Regexp'))).to eql(['a', 'b'])
|
52
52
|
end
|
53
|
+
|
54
|
+
it 'should handle sensitive String' do
|
55
|
+
expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), ',')).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
|
56
|
+
expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), /,/)).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
|
57
|
+
expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), type_parser.parse('Regexp[/,/]'))).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
|
58
|
+
end
|
53
59
|
end
|
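Review bot: The `should handle sensitive String` example checks only that each result is `be_a` Sensitive, so it would pass even if the wrapped value were left unsplit. Asserting the content as well, e.g. `expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), ',').unwrap).to eql(['a', 'b'])`, would cover both that the split happened and that the result stayed wrapped. The same applies to the `/,/` and `Regexp[/,/]` variants on the following two lines.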
@@ -0,0 +1,17 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe Puppet::SSL::CertificateSigner do
|
4
|
+
include PuppetSpec::Files
|
5
|
+
|
6
|
+
let(:wrong_key) { OpenSSL::PKey::RSA.new(512) }
|
7
|
+
let(:client_cert) { cert_fixture('signed.pem') }
|
8
|
+
|
9
|
+
# jruby-openssl >= 0.13.0 (JRuby >= 9.3.5.0) raises an error when signing a
|
10
|
+
# certificate when there is a discrepancy between the certificate and key.
|
11
|
+
it 'raises if client cert signature is invalid', if: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do
|
12
|
+
expect {
|
13
|
+
client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new)
|
14
|
+
}.to raise_error(OpenSSL::X509::CertificateError,
|
15
|
+
'invalid public key data')
|
16
|
+
end
|
17
|
+
end
|
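Review bot: This spec is declared as `describe Puppet::SSL::CertificateSigner`, but its only example calls `client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new)` on the fixture directly and never touches the described class. As written it documents jruby-openssl behaviour rather than Puppet's signer. Either exercise `Puppet::SSL::CertificateSigner` in the example or describe what is actually under test, and reword `'raises if client cert signature is invalid'`, since the example is about signing with a mismatched key. `OpenSSL::PKey::RSA.new(512)` may also be refused by OpenSSL builds that enforce a minimum key size, and a 2048-bit key avoids depending on that.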
@@ -298,7 +298,7 @@ describe Puppet::SSL::SSLProvider do
|
|
298
298
|
).to eq(['CN=signed', 'CN=Test CA Subauthority', 'CN=Test CA'])
|
299
299
|
end
|
300
300
|
|
301
|
-
it 'raises if client cert signature is invalid' do
|
301
|
+
it 'raises if client cert signature is invalid', unless: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do
|
302
302
|
client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new)
|
303
303
|
expect {
|
304
304
|
subject.create_context(**config.merge(client_cert: client_cert))
|
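Review bot: With `unless: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6` on `'raises if client cert signature is invalid'`, and the same guard on `'raises if intermediate CA signature is invalid'` in the next hunk, these hunks leave JRuby with no example showing that `create_context` rejects a chain with a bad signature. The skip appears to exist because `sign(wrong_key, ...)` itself raises there, so a fixture certificate whose signature is already invalid would keep the verification path covered on every platform. `RUBY_VERSION.to_f` also reads the version as a decimal, so a hypothetical `2.10` would compare as 2.1; `Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('2.6')` avoids that. Both example bodies continue outside their hunks.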
@@ -337,7 +337,7 @@ describe Puppet::SSL::SSLProvider do
|
|
337
337
|
end
|
338
338
|
end
|
339
339
|
|
340
|
-
it 'raises if intermediate CA signature is invalid' do
|
340
|
+
it 'raises if intermediate CA signature is invalid', unless: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do
|
341
341
|
int = global_cacerts.last
|
342
342
|
int.sign(wrong_key, OpenSSL::Digest::SHA256.new)
|
343
343
|
|
@@ -29,6 +29,7 @@ describe Puppet::Util::Execution, if: !Puppet::Util::Platform.jruby? do
|
|
29
29
|
allow(FFI::WIN32).to receive(:CloseHandle).with(thread_handle)
|
30
30
|
else
|
31
31
|
allow(Process).to receive(:waitpid2).with(pid, Process::WNOHANG).and_return(nil, [pid, double('child_status', :exitstatus => exitstatus)])
|
32
|
+
allow(Process).to receive(:waitpid2).with(pid, 0).and_return(nil, [pid, double('child_status', :exitstatus => exitstatus)])
|
32
33
|
allow(Process).to receive(:waitpid2).with(pid).and_return([pid, double('child_status', :exitstatus => exitstatus)])
|
33
34
|
end
|
34
35
|
end
|
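Review bot: The added stub `receive(:waitpid2).with(pid, 0).and_return(nil, [pid, ...])` copies the `Process::WNOHANG` line above it, but a blocking `waitpid2` with flags `0` does not return `nil` while the child is running. The leading `nil` therefore models a result the real call cannot produce. `allow(Process).to receive(:waitpid2).with(pid, 0).and_return([pid, double('child_status', :exitstatus => exitstatus)])` would match the real contract. The enclosing helper starts outside this hunk.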
@@ -95,6 +95,31 @@ describe Puppet::Util::Windows::ADSI, :if => Puppet::Util::Platform.windows? do
|
|
95
95
|
end
|
96
96
|
end
|
97
97
|
|
98
|
+
describe '.get_sids' do
|
99
|
+
it 'returns an array of SIDs given two an array of ADSI children' do
|
100
|
+
child1 = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
|
101
|
+
child2 = double('child2', name: 'Guest', sid: 'S-1-5-21-3882680660-671291151-3888264257-501')
|
102
|
+
allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child1).and_return('Administrator')
|
103
|
+
allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child2).and_return('Guest')
|
104
|
+
sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child1, child2])
|
105
|
+
expect(sids).to eq(['Administrator', 'Guest'])
|
106
|
+
end
|
107
|
+
|
108
|
+
it 'returns an array of SIDs given an ADSI child and ads_to_principal returning domain failure' do
|
109
|
+
child = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
|
110
|
+
allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child).and_raise(Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::SID::ERROR_TRUSTED_DOMAIN_FAILURE))
|
111
|
+
sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child])
|
112
|
+
expect(sids[0]).to eq(Puppet::Util::Windows::SID::Principal.new(child.name, child.sid, child.name, nil, :SidTypeUnknown))
|
113
|
+
end
|
114
|
+
|
115
|
+
it 'returns an array of SIDs given an ADSI child and ads_to_principal returning relationship failure' do
|
116
|
+
child = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
|
117
|
+
allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child).and_raise(Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::SID::ERROR_TRUSTED_RELATIONSHIP_FAILURE))
|
118
|
+
sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child])
|
119
|
+
expect(sids[0]).to eq(Puppet::Util::Windows::SID::Principal.new(child.name, child.sid, child.name, nil, :SidTypeUnknown))
|
120
|
+
end
|
121
|
+
end
|
122
|
+
|
98
123
|
describe Puppet::Util::Windows::ADSI::User do
|
99
124
|
let(:username) { 'testuser' }
|
100
125
|
let(:domain) { 'DOMAIN' }
|
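Review bot: The `.get_sids` examples cover `ERROR_TRUSTED_DOMAIN_FAILURE` and `ERROR_TRUSTED_RELATIONSHIP_FAILURE` falling back to a `:SidTypeUnknown` principal, but nothing asserts that any other `Puppet::Util::Windows::Error` code is still raised. A rescue that swallowed every error would therefore pass. A third example that raises the error with a different code and expects `raise_error(Puppet::Util::Windows::Error)` would pin the fallback to those two codes; `get_sids` itself is not in this hunk, so whether it re-raises is an assumption. The first description also has a typo: `'returns an array of SIDs given two an array of ADSI children'` should read `'returns an array of SIDs given an array of ADSI children'`.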
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: puppet
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 7.
|
4
|
+
version: 7.27.0
|
5
5
|
platform: universal-darwin
|
6
6
|
authors:
|
7
7
|
- Puppet Labs
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-
|
11
|
+
date: 2023-10-23 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: facter
|
@@ -2393,6 +2393,7 @@ files:
|
|
2393
2393
|
- spec/unit/ssl/base_spec.rb
|
2394
2394
|
- spec/unit/ssl/certificate_request_attributes_spec.rb
|
2395
2395
|
- spec/unit/ssl/certificate_request_spec.rb
|
2396
|
+
- spec/unit/ssl/certificate_signer_spec.rb
|
2396
2397
|
- spec/unit/ssl/certificate_spec.rb
|
2397
2398
|
- spec/unit/ssl/digest_spec.rb
|
2398
2399
|
- spec/unit/ssl/oids_spec.rb
|
@@ -2555,7 +2556,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
2555
2556
|
- !ruby/object:Gem::Version
|
2556
2557
|
version: 1.3.1
|
2557
2558
|
requirements: []
|
2558
|
-
rubygems_version: 3.4.
|
2559
|
+
rubygems_version: 3.4.20
|
2559
2560
|
signing_key:
|
2560
2561
|
specification_version: 4
|
2561
2562
|
summary: Puppet, an automated configuration management tool
|
@@ -3656,6 +3657,7 @@ test_files:
|
|
3656
3657
|
- spec/unit/ssl/base_spec.rb
|
3657
3658
|
- spec/unit/ssl/certificate_request_attributes_spec.rb
|
3658
3659
|
- spec/unit/ssl/certificate_request_spec.rb
|
3660
|
+
- spec/unit/ssl/certificate_signer_spec.rb
|
3659
3661
|
- spec/unit/ssl/certificate_spec.rb
|
3660
3662
|
- spec/unit/ssl/digest_spec.rb
|
3661
3663
|
- spec/unit/ssl/oids_spec.rb
|