puppet 7.25.0-universal-darwin → 7.27.0-universal-darwin

Files changed (56) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile +1 -1
  3. data/Gemfile.lock +28 -28
  4. data/ext/project_data.yaml +2 -2
  5. data/lib/puppet/application/ssl.rb +42 -7
  6. data/lib/puppet/application.rb +5 -1
  7. data/lib/puppet/defaults.rb +1 -5
  8. data/lib/puppet/functions/split.rb +28 -1
  9. data/lib/puppet/http/client.rb +12 -5
  10. data/lib/puppet/node/environment.rb +6 -4
  11. data/lib/puppet/pops/evaluator/deferred_resolver.rb +20 -3
  12. data/lib/puppet/pops/time/timespan.rb +1 -1
  13. data/lib/puppet/provider/package/apt.rb +1 -1
  14. data/lib/puppet/provider/package/dnf.rb +1 -1
  15. data/lib/puppet/provider/package/yum.rb +1 -1
  16. data/lib/puppet/ssl/oids.rb +1 -0
  17. data/lib/puppet/util/execution.rb +7 -2
  18. data/lib/puppet/util/windows/adsi.rb +7 -0
  19. data/lib/puppet/util/windows/sid.rb +4 -2
  20. data/lib/puppet/version.rb +1 -1
  21. data/lib/puppet/x509/cert_provider.rb +6 -2
  22. data/man/man5/puppet.conf.5 +2 -2
  23. data/man/man8/puppet-agent.8 +1 -1
  24. data/man/man8/puppet-apply.8 +1 -1
  25. data/man/man8/puppet-catalog.8 +1 -1
  26. data/man/man8/puppet-config.8 +1 -1
  27. data/man/man8/puppet-describe.8 +1 -1
  28. data/man/man8/puppet-device.8 +1 -1
  29. data/man/man8/puppet-doc.8 +1 -1
  30. data/man/man8/puppet-epp.8 +1 -1
  31. data/man/man8/puppet-facts.8 +1 -1
  32. data/man/man8/puppet-filebucket.8 +1 -1
  33. data/man/man8/puppet-generate.8 +1 -1
  34. data/man/man8/puppet-help.8 +1 -1
  35. data/man/man8/puppet-lookup.8 +1 -1
  36. data/man/man8/puppet-module.8 +1 -1
  37. data/man/man8/puppet-node.8 +1 -1
  38. data/man/man8/puppet-parser.8 +1 -1
  39. data/man/man8/puppet-plugin.8 +1 -1
  40. data/man/man8/puppet-report.8 +1 -1
  41. data/man/man8/puppet-resource.8 +1 -1
  42. data/man/man8/puppet-script.8 +1 -1
  43. data/man/man8/puppet-ssl.8 +5 -1
  44. data/man/man8/puppet.8 +2 -2
  45. data/spec/integration/application/apply_spec.rb +14 -0
  46. data/spec/integration/http/client_spec.rb +16 -0
  47. data/spec/integration/type/exec_spec.rb +13 -0
  48. data/spec/unit/application/ssl_spec.rb +49 -0
  49. data/spec/unit/defaults_spec.rb +2 -40
  50. data/spec/unit/file_system/path_pattern_spec.rb +15 -0
  51. data/spec/unit/functions/split_spec.rb +6 -0
  52. data/spec/unit/ssl/certificate_signer_spec.rb +17 -0
  53. data/spec/unit/ssl/ssl_provider_spec.rb +2 -2
  54. data/spec/unit/util/execution_spec.rb +1 -0
  55. data/spec/unit/util/windows/adsi_spec.rb +25 -0
  56. metadata +5 -3
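--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: cf10acc98cb500b908ada5a4236457cc830e9ed2924ebbe99591df6b7e8f32fb
- data.tar.gz: e40ee61974f8f663f5b0323afc43bd3af34379ea36b1fb5bb5d281ee3ec5ecaf
+ metadata.gz: 1c8e68ee599ed861726eab93a5c562c4b78b4ac8dedb858b463e42d0f227fc08
+ data.tar.gz: 682f12641fdef56f5a9966bd9ceb3ef5c4040b8fbc78cb2047b95b6f1e9d4249
  SHA512:
- metadata.gz: dff0ccd810c4b4081a16f386f0c4216c4a224d07c5d0abb1764a3f1b5e62916b2dbf6b333538c2ee7b31391728f33f15dbba9061f56964671daf60e233efa429
- data.tar.gz: 46263dbea786c3cc662a16a030a623d037dfaf4da1fde47cb55e1fec7960f8272c79ea3cda1e7cee16e77f776e64c36296f06e092356e1975b5706dbae094be6
+ metadata.gz: d06c4acb947c364b0d03acac6b8460633fa10f0003da26a46ab6c75885b2fc5a5449ef8e498763a21a025368ae4f21a0b5583f647220e683c4319bb0e1486ed4
+ data.tar.gz: 5babca90f6a026d264cc36c681b5a7de11955801b52ca25f64185106c8997429546caa3c66a906a177c3ec32261e303ab382f6bcc35b545f37a0e32bc7089c51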
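--- a/data/Gemfile
+++ b/data/Gemfile
@@ -35,7 +35,7 @@ group(:features) do
  end
 
  group(:test) do
- gem "ffi", require: false
+ gem "ffi", '1.15.5', require: false
  gem "json-schema", "~> 2.0", require: false
  gem "rake", *location_for(ENV['RAKE_LOCATION'] || '~> 13.0')
  gem "rspec", "~> 3.1", require: false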
data/Gemfile.lock CHANGED
@@ -1,6 +1,6 @@
1
1
  GIT
2
2
  remote: https://github.com/puppetlabs/packaging
3
- revision: 87a3396077f06e2341ad19e6fcd15f7c14ec02f9
3
+ revision: 8adf33f59cc443c311c5d5d70c6ba2084625ceea
4
4
  branch: 1.0.x
5
5
  specs:
6
6
  packaging (0)
@@ -15,7 +15,7 @@ GIT
15
15
  PATH
16
16
  remote: .
17
17
  specs:
18
- puppet (7.25.0)
18
+ puppet (7.27.0)
19
19
  CFPropertyList (~> 2.2)
20
20
  concurrent-ruby (~> 1.0)
21
21
  deep_merge (~> 1.0)
@@ -31,27 +31,29 @@ GEM
31
31
  remote: https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
32
32
  specs:
33
33
  CFPropertyList (2.3.6)
34
- addressable (2.8.4)
34
+ addressable (2.8.5)
35
35
  public_suffix (>= 2.0.2, < 6.0)
36
36
  apt_stage_artifacts (0.11.0)
37
37
  docopt
38
38
  artifactory (3.0.15)
39
39
  ast (2.4.2)
40
+ base64 (0.1.1)
40
41
  coderay (1.1.3)
41
42
  concurrent-ruby (1.2.2)
42
43
  crack (0.4.5)
43
44
  rexml
44
- csv (3.2.6)
45
+ csv (3.2.7)
45
46
  declarative (0.0.20)
46
47
  deep_merge (1.2.2)
47
48
  diff-lcs (1.5.0)
48
- digest-crc (0.6.4)
49
+ digest-crc (0.6.5)
49
50
  rake (>= 12.0.0, < 14.0.0)
50
51
  docopt (0.6.1)
51
- facter (4.4.0)
52
+ facter (4.5.0)
52
53
  hocon (~> 1.3)
53
54
  thor (>= 1.0.1, < 2.0)
54
- faraday (2.7.6)
55
+ faraday (2.7.11)
56
+ base64
55
57
  faraday-net_http (>= 2.0, < 3.1)
56
58
  ruby2_keywords (>= 0.0.4)
57
59
  faraday-net_http (3.0.2)
@@ -64,7 +66,7 @@ GEM
64
66
  fast_gettext (~> 1.1.0)
65
67
  gettext (>= 3.0.2, < 3.3.0)
66
68
  locale
67
- google-apis-core (0.11.0)
69
+ google-apis-core (0.11.1)
68
70
  addressable (~> 2.5, >= 2.5.1)
69
71
  googleauth (>= 0.16.2, < 2.a)
70
72
  httpclient (>= 2.8.1, < 3.a)
@@ -91,10 +93,9 @@ GEM
91
93
  google-cloud-core (~> 1.6)
92
94
  googleauth (>= 0.16.2, < 2.a)
93
95
  mini_mime (~> 1.0)
94
- googleauth (1.5.2)
96
+ googleauth (1.8.1)
95
97
  faraday (>= 0.17.3, < 3.a)
96
98
  jwt (>= 1.4, < 3.0)
97
- memoist (~> 0.16)
98
99
  multi_json (~> 1.11)
99
100
  os (>= 0.9, < 2.0)
100
101
  signet (>= 0.16, < 2.a)
@@ -111,34 +112,33 @@ GEM
111
112
  addressable (>= 2.4)
112
113
  jwt (2.7.1)
113
114
  locale (2.1.3)
114
- memoist (0.16.2)
115
115
  memory_profiler (1.0.1)
116
116
  method_source (1.0.0)
117
- mini_mime (1.1.2)
117
+ mini_mime (1.1.5)
118
118
  minitar (0.9)
119
- msgpack (1.7.1)
119
+ msgpack (1.7.2)
120
120
  multi_json (1.15.0)
121
121
  mustache (1.1.1)
122
- optimist (3.0.1)
122
+ optimist (3.1.0)
123
123
  os (1.1.4)
124
124
  parallel (1.23.0)
125
- parser (3.2.2.3)
125
+ parser (3.2.2.4)
126
126
  ast (~> 2.4.1)
127
127
  racc
128
128
  pry (0.14.2)
129
129
  coderay (~> 1.1)
130
130
  method_source (~> 1.0)
131
- public_suffix (5.0.1)
132
- puppet-resource_api (1.8.14)
131
+ public_suffix (5.0.3)
132
+ puppet-resource_api (1.9.0)
133
133
  hocon (>= 1.0)
134
134
  puppetserver-ca (2.6.0)
135
135
  facter (>= 2.0.1, < 5)
136
136
  racc (1.5.2)
137
137
  rainbow (3.1.1)
138
138
  rake (13.0.6)
139
- rdiscount (2.2.7)
139
+ rdiscount (2.2.7.1)
140
140
  rdoc (6.3.3)
141
- regexp_parser (2.8.1)
141
+ regexp_parser (2.8.2)
142
142
  release-metrics (1.1.0)
143
143
  csv
144
144
  docopt
@@ -147,7 +147,7 @@ GEM
147
147
  trailblazer-option (>= 0.1.1, < 0.2.0)
148
148
  uber (< 0.2.0)
149
149
  retriable (3.1.2)
150
- rexml (3.2.5)
150
+ rexml (3.2.6)
151
151
  ronn (0.7.3)
152
152
  hpricot (>= 0.8.2)
153
153
  mustache (>= 0.7.0)
@@ -164,10 +164,10 @@ GEM
164
164
  rspec-its (1.3.0)
165
165
  rspec-core (>= 3.0.0)
166
166
  rspec-expectations (>= 3.0.0)
167
- rspec-mocks (3.12.5)
167
+ rspec-mocks (3.12.6)
168
168
  diff-lcs (>= 1.2.0, < 2.0)
169
169
  rspec-support (~> 3.12.0)
170
- rspec-support (3.12.0)
170
+ rspec-support (3.12.1)
171
171
  rubocop (1.28.0)
172
172
  parallel (~> 1.10)
173
173
  parser (>= 3.1.0.0)
@@ -186,18 +186,18 @@ GEM
186
186
  ruby2_keywords (0.0.5)
187
187
  scanf (1.0.0)
188
188
  semantic_puppet (1.1.0)
189
- signet (0.17.0)
189
+ signet (0.18.0)
190
190
  addressable (~> 2.8)
191
191
  faraday (>= 0.17.5, < 3.a)
192
192
  jwt (>= 1.5, < 3.0)
193
193
  multi_json (~> 1.10)
194
194
  text (1.3.1)
195
- thor (1.2.2)
195
+ thor (1.3.0)
196
196
  trailblazer-option (0.1.2)
197
197
  uber (0.1.0)
198
- unicode-display_width (2.4.2)
198
+ unicode-display_width (2.5.0)
199
199
  vcr (5.1.0)
200
- webmock (3.18.1)
200
+ webmock (3.19.1)
201
201
  addressable (>= 2.8.0)
202
202
  crack (>= 0.3.2)
203
203
  hashdiff (>= 0.4.0, < 2.0.0)
@@ -209,7 +209,7 @@ PLATFORMS
209
209
 
210
210
  DEPENDENCIES
211
211
  diff-lcs (~> 1.3)
212
- ffi
212
+ ffi (= 1.15.5)
213
213
  gettext-setup (~> 0.28)
214
214
  hiera-eyaml
215
215
  hocon (~> 1.0)
@@ -238,4 +238,4 @@ DEPENDENCIES
238
238
  yard
239
239
 
240
240
  BUNDLED WITH
241
- 2.4.12
241
+ 2.4.20
@@ -40,11 +40,11 @@ gem_platform_dependencies:
40
40
  CFPropertyList: '~> 2.2'
41
41
  x86-mingw32:
42
42
  gem_runtime_dependencies:
43
- ffi: ['> 1.9.24', '< 2']
43
+ ffi: '1.15.5'
44
44
  minitar: '~> 0.9'
45
45
  x64-mingw32:
46
46
  gem_runtime_dependencies:
47
- ffi: ['> 1.9.24', '< 2']
47
+ ffi: '1.15.5'
48
48
  minitar: '~> 0.9'
49
49
  bundle_platforms:
50
50
  universal-darwin: all
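Review bot: The `ffi: '1.15.5'` runtime pins for x86-mingw32 and x64-mingw32 replace the `['> 1.9.24', '< 2']` range with an exact version and give no reason. An exact runtime pin means installs on those platforms cannot pick up a later ffi release, including a security fix, until this file changes again. I would add a comment above each pin saying why 1.15.5 is required and what has to hold before the range can return, for example `# pinned: <reason / ticket placeholder>; restore the '< 2' range once resolved`. The file header for this hunk is missing on the page; from the file list it is presumably data/ext/project_data.yaml.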
@@ -59,6 +59,11 @@ ACTIONS
59
59
  the CSR. Otherwise a new key pair will be generated. If a CSR has already
60
60
  been submitted with the given `certname`, then the operation will fail.
61
61
 
62
+ * generate_request:
63
+ Generate a certificate signing request (CSR). If
64
+ a private and public key pair already exist, they will be used to generate
65
+ the CSR. Otherwise a new key pair will be generated.
66
+
62
67
  * download_cert:
63
68
  Download a certificate for this host. If the current private key matches
64
69
  the downloaded certificate, then the certificate will be saved and used
@@ -136,9 +141,21 @@ HELP
136
141
  unless cert
137
142
  raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: certname }
138
143
  end
144
+ when 'generate_request'
145
+ generate_request(certname)
139
146
  when 'verify'
140
147
  verify(certname)
141
148
  when 'clean'
149
+ possible_extra_args = command_line.args.drop(1)
150
+ unless possible_extra_args.empty?
151
+ raise Puppet::Error, _(<<END) % { args: possible_extra_args.join(' ')}
152
+ Extra arguments detected: %{args}
153
+ Did you mean to run:
154
+ puppetserver ca clean --certname <name>
155
+ Or:
156
+ puppet ssl clean --target <name>
157
+ END
158
+ end
142
159
  clean(certname)
143
160
  when 'bootstrap'
144
161
  if !Puppet::Util::Log.sendlevel?(:info)
@@ -162,13 +179,7 @@ HELP
162
179
  def submit_request(ssl_context)
163
180
  key = @cert_provider.load_private_key(Puppet[:certname])
164
181
  unless key
165
- if Puppet[:key_type] == 'ec'
166
- Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: Puppet[:certname], curve: Puppet[:named_curve] }
167
- key = OpenSSL::PKey::EC.generate(Puppet[:named_curve])
168
- else
169
- Puppet.info _("Creating a new SSL key for %{name}") % { name: Puppet[:certname] }
170
- key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
171
- end
182
+ key = create_key(Puppet[:certname])
172
183
  @cert_provider.save_private_key(Puppet[:certname], key)
173
184
  end
174
185
 
@@ -187,6 +198,20 @@ HELP
187
198
  raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
188
199
  end
189
200
 
201
+ def generate_request(certname)
202
+ key = @cert_provider.load_private_key(certname)
203
+ unless key
204
+ key = create_key(certname)
205
+ @cert_provider.save_private_key(certname, key)
206
+ end
207
+
208
+ csr = @cert_provider.create_request(certname, key)
209
+ @cert_provider.save_request(certname, csr)
210
+ Puppet.notice _("Generated certificate request in '%{path}'") % { path: @cert_provider.to_path(Puppet[:requestdir], certname) }
211
+ rescue => e
212
+ raise Puppet::Error.new(_("Failed to generate certificate request: %{message}") % { message: e.message }, e)
213
+ end
214
+
190
215
  def download_cert(ssl_context)
191
216
  key = @cert_provider.load_private_key(Puppet[:certname])
192
217
 
@@ -285,4 +310,14 @@ END
285
310
  def create_route(ssl_context)
286
311
  @session.route_to(:ca, ssl_context: ssl_context)
287
312
  end
313
+
314
+ def create_key(certname)
315
+ if Puppet[:key_type] == 'ec'
316
+ Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: certname, curve: Puppet[:named_curve] }
317
+ OpenSSL::PKey::EC.generate(Puppet[:named_curve])
318
+ else
319
+ Puppet.info _("Creating a new SSL key for %{name}") % { name: certname }
320
+ OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
321
+ end
322
+ end
288
323
  end
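Review bot: `generate_request(certname)` has no doc comment, although it has side effects a caller should know about: when no key is found it creates one with `create_key` and writes it with `save_private_key`, then saves the CSR locally and never contacts the CA. I would add a short comment above the method stating that, and saying whether `save_request` replaces an existing request file for the same certname, which is not visible in this section. In the new `create_key` helper, `Puppet[:keylength].to_i` turns a non-numeric setting into 0 and leaves OpenSSL to reject it; if the setting can arrive as a string, `Integer(Puppet[:keylength])` would fail with a clearer error. Both methods sit in a class whose start is outside the hunks.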
@@ -503,8 +503,12 @@ class Application
503
503
  runtime_info = {
504
504
  'puppet_version' => Puppet.version,
505
505
  'ruby_version' => RUBY_VERSION,
506
- 'run_mode' => self.class.run_mode.name,
506
+ 'run_mode' => self.class.run_mode.name
507
507
  }
508
+ unless Puppet::Util::Platform.jruby_fips?
509
+ runtime_info['openssl_version'] = "'#{OpenSSL::OPENSSL_VERSION}'"
510
+ runtime_info['openssl_fips'] = OpenSSL::OPENSSL_FIPS
511
+ end
508
512
  runtime_info['default_encoding'] = Encoding.default_external
509
513
  runtime_info.merge!(extra_info) unless extra_info.nil?
510
514
 
@@ -3,11 +3,7 @@ require_relative '../puppet/util/platform'
3
3
  module Puppet
4
4
 
5
5
  def self.default_diffargs
6
- if (Puppet.runtime[:facter].value(:kernel) == "AIX" && Puppet.runtime[:facter].value(:kernelmajversion) == "5300")
7
- ""
8
- else
9
- "-u"
10
- end
6
+ '-u'
11
7
  end
12
8
 
13
9
  def self.default_digest_algorithm
@@ -35,6 +35,21 @@ Puppet::Functions.create_function(:split) do
35
35
  param 'Type[Regexp]', :pattern
36
36
  end
37
37
 
38
+ dispatch :split_String_sensitive do
39
+ param 'Sensitive[String]', :sensitive
40
+ param 'String', :pattern
41
+ end
42
+
43
+ dispatch :split_Regexp_sensitive do
44
+ param 'Sensitive[String]', :sensitive
45
+ param 'Regexp', :pattern
46
+ end
47
+
48
+ dispatch :split_RegexpType_sensitive do
49
+ param 'Sensitive[String]', :sensitive
50
+ param 'Type[Regexp]', :pattern
51
+ end
52
+
38
53
  def split_String(str, pattern)
39
54
  str.split(Regexp.compile(pattern))
40
55
  end
@@ -46,4 +61,16 @@ Puppet::Functions.create_function(:split) do
46
61
  def split_RegexpType(str, pattern)
47
62
  str.split(pattern.regexp)
48
63
  end
49
- end
64
+
65
+ def split_String_sensitive(sensitive, pattern)
66
+ Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_String(sensitive.unwrap, pattern))
67
+ end
68
+
69
+ def split_Regexp_sensitive(sensitive, pattern)
70
+ Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_Regexp(sensitive.unwrap, pattern))
71
+ end
72
+
73
+ def split_RegexpType_sensitive(sensitive, pattern)
74
+ Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_RegexpType(sensitive.unwrap, pattern))
75
+ end
76
+ end
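Review bot: The three `*_sensitive` dispatches do not declare what they return and the methods carry no comment: each wraps the whole result array in one `Sensitive`, so the caller gets a Sensitive holding an array rather than an array of Sensitive strings. I would state that in the function's documentation and add `return_type 'Sensitive[Array[String]]'` to each new dispatch so the contract is checked. It is also worth a comment that the pattern argument is accepted as a plain `String`, `Regexp` or `Type[Regexp]` and is not itself treated as sensitive. The function body starts outside these hunks.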
@@ -367,6 +367,7 @@ class Puppet::HTTP::Client
367
367
  apply_auth(request, basic_auth) if redirects.zero?
368
368
 
369
369
  # don't call return within the `request` block
370
+ close_and_sleep = nil
370
371
  http.request(request) do |nethttp|
371
372
  response = Puppet::HTTP::ResponseNetHTTP.new(request.uri, nethttp)
372
373
  begin
@@ -380,12 +381,14 @@ class Puppet::HTTP::Client
380
381
  interval = @retry_after_handler.retry_after_interval(request, response, retries)
381
382
  retries += 1
382
383
  if interval
383
- if http.started?
384
- Puppet.debug("Closing connection for #{Puppet::HTTP::Site.from_uri(request.uri)}")
385
- http.finish
384
+ close_and_sleep = proc do
385
+ if http.started?
386
+ Puppet.debug("Closing connection for #{Puppet::HTTP::Site.from_uri(request.uri)}")
387
+ http.finish
388
+ end
389
+ Puppet.warning(_("Sleeping for %{interval} seconds before retrying the request") % { interval: interval })
390
+ ::Kernel.sleep(interval)
386
391
  end
387
- Puppet.warning(_("Sleeping for %{interval} seconds before retrying the request") % { interval: interval })
388
- ::Kernel.sleep(interval)
389
392
  next
390
393
  end
391
394
  end
@@ -404,6 +407,10 @@ class Puppet::HTTP::Client
404
407
 
405
408
  done = true
406
409
  end
410
+ ensure
411
+ # If a server responded with a retry, make sure the connection is closed and then
412
+ # sleep the specified time.
413
+ close_and_sleep.call if close_and_sleep
407
414
  end
408
415
  end
409
416
 
@@ -591,10 +591,12 @@ class Puppet::Node::Environment
591
591
  if file == NO_MANIFEST
592
592
  empty_parse_result
593
593
  elsif File.directory?(file)
594
- parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*.pp')).glob.sort.map do | file_to_parse |
595
- parser.file = file_to_parse
596
- parser.parse
597
- end
594
+ # JRuby does not properly perform Dir.glob operations with wildcards, (see PUP-11788 and https://github.com/jruby/jruby/issues/7836).
595
+ # We sort the results because Dir.glob order is inconsistent in Ruby < 3 (see PUP-10115).
596
+ parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*')).glob.select {|globbed_file| globbed_file.end_with?('.pp')}.sort.map do | file_to_parse |
597
+ parser.file = file_to_parse
598
+ parser.parse
599
+ end
598
600
  # Use a parser type specific merger to concatenate the results
599
601
  Puppet::Parser::AST::Hostclass.new('', :code => Puppet::Parser::ParserFactory.code_merger.concatenate(parse_results))
600
602
  else
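Review bot: The new filter `globbed_file.end_with?('.pp')` is a case-sensitive string test, while the old `'**/*.pp'` glob left case handling to the platform. On a case-insensitive file system a manifest with an upper-case extension may have been parsed before and would now be skipped. The `'**/*'` pattern also enumerates every entry under the manifest directory before filtering, which matters for large trees. I would extend the new comment to record both consequences, e.g. `# NOTE: match is case-sensitive on every platform; all entries are listed, then filtered`, and add a spec for the extension case if the old behaviour was relied on. The enclosing method starts and ends outside the hunk.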
@@ -9,7 +9,13 @@ class DeferredValue
9
9
  end
10
10
 
11
11
  def resolve
12
- @proc.call
12
+ val = @proc.call
13
+ # Deferred sensitive values will be marked as such in resolve_futures()
14
+ if val.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
15
+ val.unwrap
16
+ else
17
+ val
18
+ end
13
19
  end
14
20
  end
15
21
 
@@ -87,8 +93,12 @@ class DeferredResolver
87
93
  #
88
94
  if resolved.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
89
95
  resolved = resolved.unwrap
90
- unless r.sensitive_parameters.include?(k.to_sym)
91
- r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
96
+ mark_sensitive_parameters(r, k)
97
+ # If the value is a DeferredValue and it has an argument of type PSensitiveType, mark it as sensitive
98
+ # The DeferredValue.resolve method will unwrap it during catalog application
99
+ elsif resolved.is_a?(Puppet::Pops::Evaluator::DeferredValue)
100
+ if v.arguments.any? {|arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType)}
101
+ mark_sensitive_parameters(r, k)
92
102
  end
93
103
  end
94
104
  overrides[ k ] = resolved
@@ -97,6 +107,13 @@ class DeferredResolver
97
107
  end
98
108
  end
99
109
 
110
+ def mark_sensitive_parameters(r, k)
111
+ unless r.sensitive_parameters.include?(k.to_sym)
112
+ r.sensitive_parameters = (r.sensitive_parameters + [k.to_sym]).freeze
113
+ end
114
+ end
115
+ private :mark_sensitive_parameters
116
+
100
117
  def resolve(x)
101
118
  if x.class == @deferred_class
102
119
  resolve_future(x)
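Review bot: In the `elsif resolved.is_a?(Puppet::Pops::Evaluator::DeferredValue)` branch, `arg.is_a?(Puppet::Pops::Types::PSensitiveType)` matches only an argument that is the Sensitive type object itself, at the top level of `v.arguments`. `DeferredValue#resolve` in the first hunk unwraps any `PSensitiveType::Sensitive` result. A deferred call that receives a `Sensitive` value as an argument, or holds one inside a nested array, hash or Deferred, therefore looks as if it would be unwrapped without the parameter being added to `sensitive_parameters`, and the value could then appear in logs or reports. I would widen the test to `v.arguments.any? { |arg| arg.is_a?(Puppet::Pops::Types::PSensitiveType) || arg.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive) }`, consider walking nested arguments, and add a spec for each case. The enclosing method begins outside the hunk.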
@@ -633,7 +633,7 @@ module Time
633
633
  position = -1
634
634
  fstart = 0
635
635
 
636
- str.codepoints do |codepoint|
636
+ str.each_codepoint do |codepoint|
637
637
  position += 1
638
638
  if state == STATE_LITERAL
639
639
  if codepoint == 0x25 # '%'
@@ -12,7 +12,7 @@ Puppet::Type.type(:package).provide :apt, :parent => :dpkg, :source => :dpkg do
12
12
  These options should be specified as an array where each element is either a
13
13
  string or a hash."
14
14
 
15
- has_feature :versionable, :install_options, :virtual_packages
15
+ has_feature :versionable, :install_options, :virtual_packages, :version_ranges
16
16
 
17
17
  commands :aptget => "/usr/bin/apt-get"
18
18
  commands :aptcache => "/usr/bin/apt-cache"
@@ -9,7 +9,7 @@ Puppet::Type.type(:package).provide :dnf, :parent => :yum do
9
9
  These options should be specified as an array where each element is either
10
10
  a string or a hash."
11
11
 
12
- has_feature :install_options, :versionable, :virtual_packages, :install_only
12
+ has_feature :install_options, :versionable, :virtual_packages, :install_only, :version_ranges
13
13
 
14
14
  commands :cmd => "dnf", :rpm => "rpm"
15
15
 
@@ -15,7 +15,7 @@ Puppet::Type.type(:package).provide :yum, :parent => :rpm, :source => :rpm do
15
15
  This provider supports the `install_options` attribute, which allows command-line flags to be passed to yum.
16
16
  These options should be specified as an array where each element is either a string or a hash."
17
17
 
18
- has_feature :install_options, :versionable, :virtual_packages, :install_only
18
+ has_feature :install_options, :versionable, :virtual_packages, :install_only, :version_ranges
19
19
 
20
20
  RPM_VERSION = Puppet::Util::Package::Version::Rpm
21
21
  RPM_VERSION_RANGE = Puppet::Util::Package::Version::Range
@@ -71,6 +71,7 @@ module Puppet::SSL::Oids
71
71
 
72
72
  ["1.3.6.1.4.1.34380.1.3.1", 'pp_authorization', 'Certificate Extension Authorization'],
73
73
  ["1.3.6.1.4.1.34380.1.3.13", 'pp_auth_role', 'Puppet Node Role Name for Authorization'],
74
+ ["1.3.6.1.4.1.34380.1.3.39", 'pp_cli_auth', 'Puppetserver CA CLI Authorization'],
74
75
  ]
75
76
 
76
77
  @did_register_puppet_oids = false
@@ -222,8 +222,12 @@ module Puppet::Util::Execution
222
222
  # Use non-blocking read to check for data. After each attempt,
223
223
  # check whether the child is done. This is done in case the child
224
224
  # forks and inherits stdout, as happens in `foo &`.
225
-
226
- until results = Process.waitpid2(child_pid, Process::WNOHANG) #rubocop:disable Lint/AssignmentInCondition
225
+ # If we encounter EOF, though, then switch to a blocking wait for
226
+ # the child; after EOF, IO.select will never block and the loop
227
+ # below will use maximum CPU available.
228
+
229
+ wait_flags = Process::WNOHANG
230
+ until results = Process.waitpid2(child_pid, wait_flags) #rubocop:disable Lint/AssignmentInCondition
227
231
 
228
232
  # If not done, wait for data to read with a timeout
229
233
  # This timeout is selected to keep activity low while waiting on
@@ -234,6 +238,7 @@ module Puppet::Util::Execution
234
238
  output << reader.read_nonblock(4096) if ready
235
239
  rescue Errno::EAGAIN
236
240
  rescue EOFError
241
+ wait_flags = 0
237
242
  end
238
243
  end
239
244
 
@@ -175,6 +175,13 @@ module Puppet::Util::Windows::ADSI
175
175
  sids = []
176
176
  adsi_child_collection.each do |m|
177
177
  sids << Puppet::Util::Windows::SID.ads_to_principal(m)
178
+ rescue Puppet::Util::Windows::Error => e
179
+ case e.code
180
+ when Puppet::Util::Windows::SID::ERROR_TRUSTED_RELATIONSHIP_FAILURE, Puppet::Util::Windows::SID::ERROR_TRUSTED_DOMAIN_FAILURE
181
+ sids << Puppet::Util::Windows::SID.unresolved_principal(m.name, m.sid)
182
+ else
183
+ raise e
184
+ end
178
185
  end
179
186
 
180
187
  sids
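Review bot: The new `rescue Puppet::Util::Windows::Error => e` branch substitutes `SID.unresolved_principal(m.name, m.sid)` when a trust lookup fails and records nothing, so a broken domain trust is invisible to whoever reads the run output. I would log it before appending, e.g. `Puppet.debug("Could not resolve #{m.name}: #{e.message}")`, and say in a comment that callers can now receive unresolved principals in the returned list. In the `else` branch a bare `raise` re-raises the current exception and reads more idiomatically than `raise e`. The method begins outside the hunk.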
@@ -6,8 +6,10 @@ module Puppet::Util::Windows
6
6
  extend FFI::Library
7
7
 
8
8
  # missing from Windows::Error
9
- ERROR_NONE_MAPPED = 1332
10
- ERROR_INVALID_SID_STRUCTURE = 1337
9
+ ERROR_NONE_MAPPED = 1332
10
+ ERROR_INVALID_SID_STRUCTURE = 1337
11
+ ERROR_TRUSTED_DOMAIN_FAILURE = 1788
12
+ ERROR_TRUSTED_RELATIONSHIP_FAILURE = 1789
11
13
 
12
14
  # Well Known SIDs
13
15
  Null = 'S-1-0'
@@ -6,7 +6,7 @@
6
6
  # Raketasks and such to set the version based on the output of `git describe`
7
7
 
8
8
  module Puppet
9
- PUPPETVERSION = '7.25.0'
9
+ PUPPETVERSION = '7.27.0'
10
10
 
11
11
  ##
12
12
  # version is a public API method intended to always provide a fast and
@@ -346,13 +346,17 @@ class Puppet::X509::CertProvider
346
346
  OpenSSL::X509::Request.new(pem)
347
347
  end
348
348
 
349
- private
350
-
349
+ # Return the path to the cert related object (key, CSR, cert, etc).
350
+ #
351
+ # @param base [String] base directory
352
+ # @param name [String] the name associated with the cert related object
351
353
  def to_path(base, name)
352
354
  raise _("Certname %{name} must not contain unprintable or non-ASCII characters") % { name: name.inspect } unless name =~ VALID_CERTNAME
353
355
  File.join(base, "#{name.downcase}.pem")
354
356
  end
355
357
 
358
+ private
359
+
356
360
  def permissions_for_setting(name)
357
361
  setting = Puppet.settings.setting(name)
358
362
  perm = { mode: setting.mode.to_i(8) }
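Review bot: Moving `private` below `to_path` makes it public API, and the only guard on the file name is `name =~ VALID_CERTNAME`, whose definition is outside this hunk. Since `name` goes straight into `File.join(base, "#{name.downcase}.pem")`, it is worth confirming that the pattern rejects path separators and `..` and is anchored with `\A`/`\z`, now that callers outside the class can reach the method. The new doc comment should also carry `# @return [String] the path to the PEM file` and `# @raise [RuntimeError] if name contains unprintable or non-ASCII characters`.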
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPETCONF" "5" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPETCONF" "5" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  \fBThis page is autogenerated; any changes will get overwritten\fR
6
6
  .
7
7
  .SH "Configuration settings"
@@ -945,7 +945,7 @@ The time to wait for data to be read from an HTTP connection\. If nothing is rea
945
945
  The HTTP User\-Agent string to send when making network requests\.
946
946
  .
947
947
  .IP "\(bu" 4
948
- \fIDefault\fR: \fBPuppet/7\.25\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
948
+ \fIDefault\fR: \fBPuppet/7\.27\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
949
949
  .
950
950
  .IP "" 0
951
951
  .
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-AGENT" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-AGENT" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-agent\fR \- The puppet agent daemon
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-APPLY" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-APPLY" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-apply\fR \- Apply Puppet manifests locally
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-CATALOG" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-CATALOG" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-catalog\fR \- Compile, save, view, and convert catalogs\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-CONFIG" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-CONFIG" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-config\fR \- Interact with Puppet\'s settings\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-DESCRIBE" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-DESCRIBE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-describe\fR \- Display help about resource types
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-DEVICE" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-DEVICE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-device\fR \- Manage remote network devices
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-DOC" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-DOC" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-doc\fR \- Generate Puppet references
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-EPP" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-EPP" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-epp\fR \- Interact directly with the EPP template parser/renderer\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-FACTS" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-FACTS" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-facts\fR \- Retrieve and store facts\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-FILEBUCKET" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-FILEBUCKET" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-filebucket\fR \- Store and retrieve files in a filebucket
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-GENERATE" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-GENERATE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-generate\fR \- Generates Puppet code from Ruby definitions\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-HELP" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-HELP" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-help\fR \- Display Puppet help\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-LOOKUP" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-LOOKUP" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-lookup\fR \- Interactive Hiera lookup
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-MODULE" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-MODULE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-module\fR \- Creates, installs and searches for modules on the Puppet Forge\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-NODE" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-NODE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-node\fR \- View and manage node definitions\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-PARSER" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-PARSER" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-parser\fR \- Interact directly with the parser\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-PLUGIN" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-PLUGIN" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-plugin\fR \- Interact with the Puppet plugin system\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-REPORT" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-REPORT" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-report\fR \- Create, display, and submit reports\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-RESOURCE" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-RESOURCE" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-resource\fR \- The resource abstraction layer shell
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-SCRIPT" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-SCRIPT" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-script\fR \- Run a puppet manifests as a script without compiling a catalog
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-SSL" "8" "May 2023" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-SSL" "8" "October 2023" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-ssl\fR \- Manage SSL keys and certificates for puppet SSL clients
@@ -42,6 +42,10 @@ submit_request
42
42
  Generate a certificate signing request (CSR) and submit it to the CA\. If a private and public key pair already exist, they will be used to generate the CSR\. Otherwise a new key pair will be generated\. If a CSR has already been submitted with the given \fBcertname\fR, then the operation will fail\.
43
43
  .
44
44
  .TP
45
+ generate_request
46
+ Generate a certificate signing request (CSR)\. If a private and public key pair already exist, they will be used to generate the CSR\. Otherwise a new key pair will be generated\.
47
+ .
48
+ .TP
45
49
  download_cert
46
50
  Download a certificate for this host\. If the current private key matches the downloaded certificate, then the certificate will be saved and used for subsequent requests\. If there is already an existing certificate, it will be overwritten\.
47
51
  .
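--- a/data/man/man8/puppet.8
+++ b/data/man/man8/puppet.8
@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET" "8" "May 2023" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET" "8" "October 2023" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\fR
@@ -25,4 +25,4 @@ Specialized:
 catalog Compile, save, view, and convert catalogs\. describe Display help about resource types device Manage remote network devices doc Generate Puppet references epp Interact directly with the EPP template parser/renderer\. facts Retrieve and store facts\. filebucket Store and retrieve files in a filebucket generate Generates Puppet code from Ruby definitions\. node View and manage node definitions\. parser Interact directly with the parser\. plugin Interact with the Puppet plugin system\. script Run a puppet manifests as a script without compiling a catalog ssl Manage SSL keys and certificates for puppet SSL clients
 .
 .P
-See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.25\.0
+See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v7\.27\.0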
@@ -755,5 +755,19 @@ class amod::bad_type {
755
755
  .and output(/Notify\[runs before file\]/).to_stdout
756
756
  .and output(/Validation of File.* failed: You cannot specify more than one of content, source, target/).to_stderr
757
757
  end
758
+
759
+ it "applies deferred sensitive file content" do
760
+ manifest = <<~END
761
+ file { '#{deferred_file}':
762
+ ensure => file,
763
+ content => Deferred('new', [Sensitive, "hello\n"])
764
+ }
765
+ END
766
+ apply.command_line.args = ['-e', manifest]
767
+ expect {
768
+ apply.run
769
+ }.to exit_with(0)
770
+ .and output(/ensure: changed \[redacted\] to \[redacted\]/).to_stdout
771
+ end
758
772
  end
759
773
  end
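Review bot: The new example "applies deferred sensitive file content" asserts only the exit status and the `[redacted]` change message, so it would still pass if the deferred value were resolved to the wrong content or if the plaintext appeared elsewhere in the output. After the `expect { apply.run }` block I would add `expect(File.read(deferred_file)).to eq("hello\n")`, and would also check that the captured stdout does not contain `hello`. `deferred_file` is defined outside this hunk, as is the enclosing `describe`, so its setup and cleanup cannot be checked from here.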
@@ -175,6 +175,22 @@ describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
175
175
  end
176
176
  end
177
177
 
178
+ context 'ensure that retrying does not attempt to read the body after closing the connection' do
179
+ let(:client) { Puppet::HTTP::Client.new(retry_limit: 1) }
180
+ it 'raises a retry error instead' do
181
+ response_proc = -> (req, res) {
182
+ res['Retry-After'] = 1
183
+ res.status = 503
184
+ }
185
+
186
+ https_server.start_server(response_proc: response_proc) do |port|
187
+ uri = URI("https://127.0.0.1:#{port}")
188
+ kwargs = {headers: {'Content-Type' => 'text/plain'}, options: {ssl_context: root_context}}
189
+ expect{client.post(uri, '', **kwargs)}.to raise_error(Puppet::HTTP::TooManyRetryAfters)
190
+ end
191
+ end
192
+ end
193
+
178
194
  context 'persistent connections' do
179
195
  it "detects when the server has closed the connection and reconnects" do
180
196
  Puppet[:http_debug] = true
@@ -75,6 +75,19 @@ describe Puppet::Type.type(:exec), unless: Puppet::Util::Platform.jruby? do
75
75
  end
76
76
  end
77
77
 
78
+ context 'when an exec sends an EOF' do
79
+ let(:command) { ["/bin/bash", "-c", "exec /bin/sleep 1 >/dev/null 2>&1"] }
80
+
81
+ it 'should not take significant user time' do
82
+ exec = described_class.new :command => command, :path => ENV['PATH']
83
+ catalog.add_resource exec
84
+ timed_apply = Benchmark.measure { catalog.apply }
85
+ # In testing I found the user time before the patch in 4f35fd262e to be above
86
+ # 0.3, after the patch it was consistently below 0.1 seconds.
87
+ expect(timed_apply.utime).to be < 0.3
88
+ end
89
+ end
90
+
78
91
  context 'when command is a string' do
79
92
  let(:command) { "ruby -e 'File.open(\"#{path}\", \"w\") { |f| f.print \"foo\" }'" }
80
93
 
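Review bot: The assertion `expect(timed_apply.utime).to be < 0.3` in "should not take significant user time" depends on the speed and load of the test host. The comment above it puts the pre-patch figure just above that same value, so the example can fail without a regression or pass with a partial one. With the post-patch figure reported as below 0.1, a bound between the two observations such as `expect(timed_apply.utime).to be < 0.2` leaves margin on both sides. The command also hard-codes `/bin/bash` and `/bin/sleep`, and the only guard visible on the `describe` line excludes JRuby. Whether this context is skipped on hosts without those paths cannot be seen from the hunk.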
@@ -171,6 +171,50 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
171
171
  end
172
172
  end
173
173
 
174
+ context 'when generating a CSR' do
175
+ let(:csr_path) { Puppet[:hostcsr] }
176
+ let(:requestdir) { Puppet[:requestdir] }
177
+
178
+ before do
179
+ ssl.command_line.args << 'generate_request'
180
+ end
181
+
182
+ it 'generates an RSA private key' do
183
+ File.unlink(Puppet[:hostprivkey])
184
+
185
+ expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
186
+ end
187
+
188
+ it 'generates an EC private key' do
189
+ Puppet[:key_type] = 'ec'
190
+ File.unlink(Puppet[:hostprivkey])
191
+
192
+ expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
193
+ end
194
+
195
+ it 'registers OIDs' do
196
+ expect(Puppet::SSL::Oids).to receive(:register_puppet_oids)
197
+
198
+ expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
199
+ end
200
+
201
+ it 'saves the CSR locally' do
202
+ expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
203
+
204
+ expect(Puppet::FileSystem).to be_exist(csr_path)
205
+ end
206
+
207
+ it 'accepts dns alt names' do
208
+ Puppet[:dns_alt_names] = 'majortom'
209
+
210
+ expects_command_to_pass
211
+
212
+ csr = Puppet::SSL::CertificateRequest.new(name)
213
+ csr.read(csr_path)
214
+ expect(csr.subject_alt_names).to include('DNS:majortom')
215
+ end
216
+ end
217
+
174
218
  context 'when downloading a certificate' do
175
219
  before do
176
220
  ssl.command_line.args << 'download_cert'
@@ -347,6 +391,11 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
347
391
  expects_command_to_fail(%r{Failed to connect to the CA to determine if certificate #{name} has been cleaned})
348
392
  end
349
393
 
394
+ it 'raises if we have extra args' do
395
+ ssl.command_line.args << 'hostname.example.biz'
396
+ expects_command_to_fail(/Extra arguments detected: hostname.example.biz/)
397
+ end
398
+
350
399
  context 'when deleting local CA' do
351
400
  before do
352
401
  ssl.command_line.args << '--localca'
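Review bot: In the "when generating a CSR" context, the examples "generates an RSA private key" and "generates an EC private key" delete the host key and then match only the "Generated certificate request" message, so neither proves that a key of the requested type was written. I would read the key back after the command and assert its class, for example `expect(OpenSSL::PKey.read(File.read(Puppet[:hostprivkey]))).to be_a(OpenSSL::PKey::EC)` in the EC example. None of the examples states that `generate_request` leaves the CA uncontacted, which is what separates it from `submit_request`. Whether the suite's HTTP stubbing already fails on an unexpected request is not visible here. In the later "raises if we have extra args" example the dots in `/Extra arguments detected: hostname.example.biz/` are unescaped, so `hostname\.example\.biz` would make the match exact.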
@@ -3,46 +3,8 @@ require 'puppet/settings'
3
3
 
4
4
  describe "Defaults" do
5
5
  describe ".default_diffargs" do
6
- describe "on AIX" do
7
- before(:each) do
8
- allow(Facter).to receive(:value).with(:kernel).and_return("AIX")
9
- end
10
-
11
- describe "on 5.3" do
12
- before(:each) do
13
- allow(Facter).to receive(:value).with(:kernelmajversion).and_return("5300")
14
- end
15
-
16
- it "should be empty" do
17
- expect(Puppet.default_diffargs).to eq("")
18
- end
19
- end
20
-
21
- [ "",
22
- nil,
23
- "6300",
24
- "7300",
25
- ].each do |kernel_version|
26
- describe "on kernel version #{kernel_version.inspect}" do
27
- before(:each) do
28
- allow(Facter).to receive(:value).with(:kernelmajversion).and_return(kernel_version)
29
- end
30
-
31
- it "should be '-u'" do
32
- expect(Puppet.default_diffargs).to eq("-u")
33
- end
34
- end
35
- end
36
- end
37
-
38
- describe "on everything else" do
39
- before(:each) do
40
- allow(Facter).to receive(:value).with(:kernel).and_return("NOT_AIX")
41
- end
42
-
43
- it "should be '-u'" do
44
- expect(Puppet.default_diffargs).to eq("-u")
45
- end
6
+ it "should be '-u'" do
7
+ expect(Puppet.default_diffargs).to eq("-u")
46
8
  end
47
9
  end
48
10
 
@@ -1,6 +1,7 @@
1
1
  require 'spec_helper'
2
2
  require 'puppet_spec/files'
3
3
  require 'puppet/file_system'
4
+ require 'puppet/util'
4
5
 
5
6
  describe Puppet::FileSystem::PathPattern do
6
7
  include PuppetSpec::Files
@@ -132,6 +133,20 @@ describe Puppet::FileSystem::PathPattern do
132
133
  File.join(dir, "found_two")])
133
134
  end
134
135
 
136
+ it 'globs wildcard patterns properly' do
137
+ # See PUP-11788 and https://github.com/jruby/jruby/issues/7836.
138
+ pending 'JRuby does not properly handle Dir.glob' if Puppet::Util::Platform.jruby?
139
+
140
+ dir = tmpdir('globtest')
141
+ create_file_in(dir, 'foo.pp')
142
+ create_file_in(dir, 'foo.pp.pp')
143
+
144
+ pattern = Puppet::FileSystem::PathPattern.absolute(File.join(dir, '**/*.pp'))
145
+
146
+ expect(pattern.glob).to match_array([File.join(dir, 'foo.pp'),
147
+ File.join(dir, 'foo.pp.pp')])
148
+ end
149
+
135
150
  def create_file_in(dir, name)
136
151
  File.open(File.join(dir, name), "w") { |f| f.puts "data" }
137
152
  end
@@ -50,4 +50,10 @@ describe 'the split function' do
50
50
  it 'should handle pattern in Regexp Type form with missing regular expression' do
51
51
  expect(split('ab',type_parser.parse('Regexp'))).to eql(['a', 'b'])
52
52
  end
53
+
54
+ it 'should handle sensitive String' do
55
+ expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), ',')).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
56
+ expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), /,/)).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
57
+ expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), type_parser.parse('Regexp[/,/]'))).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
58
+ end
53
59
  end
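Review bot: The three expectations in "should handle sensitive String" check only that the result is a `Sensitive`, so they would pass even if the wrapped value were the unsplit string or an empty array. Assuming the function wraps the split result, unwrapping pins the behaviour: `expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), ',').unwrap).to eql(['a', 'b'])`, with the same for the `/,/` and `Regexp[/,/]` forms. That also matches the `eql([...])` style of the neighbouring examples in this file.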
@@ -0,0 +1,17 @@
1
+ require 'spec_helper'
2
+
3
+ describe Puppet::SSL::CertificateSigner do
4
+ include PuppetSpec::Files
5
+
6
+ let(:wrong_key) { OpenSSL::PKey::RSA.new(512) }
7
+ let(:client_cert) { cert_fixture('signed.pem') }
8
+
9
+ # jruby-openssl >= 0.13.0 (JRuby >= 9.3.5.0) raises an error when signing a
10
+ # certificate when there is a discrepancy between the certificate and key.
11
+ it 'raises if client cert signature is invalid', if: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do
12
+ expect {
13
+ client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new)
14
+ }.to raise_error(OpenSSL::X509::CertificateError,
15
+ 'invalid public key data')
16
+ end
17
+ end
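Review bot: The guard `if: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6` keys on the Ruby language version, while the comment above it ties the behaviour to jruby-openssl >= 0.13.0, so the two conditions can drift apart. `to_f` would also read a version string such as "2.10" as 2.1; `Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('2.6')` avoids that, and comparing the jruby-openssl version itself would state the real condition. The same expression is repeated as `unless:` on the two `Puppet::SSL::SSLProvider` examples further down, so one shared helper would keep the three in step. The spec describes `Puppet::SSL::CertificateSigner` but the example calls `client_cert.sign` directly, so a one-line comment saying why it lives under that class would help.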
@@ -298,7 +298,7 @@ describe Puppet::SSL::SSLProvider do
298
298
  ).to eq(['CN=signed', 'CN=Test CA Subauthority', 'CN=Test CA'])
299
299
  end
300
300
 
301
- it 'raises if client cert signature is invalid' do
301
+ it 'raises if client cert signature is invalid', unless: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do
302
302
  client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new)
303
303
  expect {
304
304
  subject.create_context(**config.merge(client_cert: client_cert))
@@ -337,7 +337,7 @@ describe Puppet::SSL::SSLProvider do
337
337
  end
338
338
  end
339
339
 
340
- it 'raises if intermediate CA signature is invalid' do
340
+ it 'raises if intermediate CA signature is invalid', unless: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do
341
341
  int = global_cacerts.last
342
342
  int.sign(wrong_key, OpenSSL::Digest::SHA256.new)
343
343
 
@@ -29,6 +29,7 @@ describe Puppet::Util::Execution, if: !Puppet::Util::Platform.jruby? do
29
29
  allow(FFI::WIN32).to receive(:CloseHandle).with(thread_handle)
30
30
  else
31
31
  allow(Process).to receive(:waitpid2).with(pid, Process::WNOHANG).and_return(nil, [pid, double('child_status', :exitstatus => exitstatus)])
32
+ allow(Process).to receive(:waitpid2).with(pid, 0).and_return(nil, [pid, double('child_status', :exitstatus => exitstatus)])
32
33
  allow(Process).to receive(:waitpid2).with(pid).and_return([pid, double('child_status', :exitstatus => exitstatus)])
33
34
  end
34
35
  end
@@ -95,6 +95,31 @@ describe Puppet::Util::Windows::ADSI, :if => Puppet::Util::Platform.windows? do
95
95
  end
96
96
  end
97
97
 
98
+ describe '.get_sids' do
99
+ it 'returns an array of SIDs given two an array of ADSI children' do
100
+ child1 = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
101
+ child2 = double('child2', name: 'Guest', sid: 'S-1-5-21-3882680660-671291151-3888264257-501')
102
+ allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child1).and_return('Administrator')
103
+ allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child2).and_return('Guest')
104
+ sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child1, child2])
105
+ expect(sids).to eq(['Administrator', 'Guest'])
106
+ end
107
+
108
+ it 'returns an array of SIDs given an ADSI child and ads_to_principal returning domain failure' do
109
+ child = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
110
+ allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child).and_raise(Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::SID::ERROR_TRUSTED_DOMAIN_FAILURE))
111
+ sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child])
112
+ expect(sids[0]).to eq(Puppet::Util::Windows::SID::Principal.new(child.name, child.sid, child.name, nil, :SidTypeUnknown))
113
+ end
114
+
115
+ it 'returns an array of SIDs given an ADSI child and ads_to_principal returning relationship failure' do
116
+ child = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
117
+ allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child).and_raise(Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::SID::ERROR_TRUSTED_RELATIONSHIP_FAILURE))
118
+ sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child])
119
+ expect(sids[0]).to eq(Puppet::Util::Windows::SID::Principal.new(child.name, child.sid, child.name, nil, :SidTypeUnknown))
120
+ end
121
+ end
122
+
98
123
  describe Puppet::Util::Windows::ADSI::User do
99
124
  let(:username) { 'testuser' }
100
125
  let(:domain) { 'DOMAIN' }
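Review bot: The `.get_sids` examples cover the two tolerated error codes but not the opposite case. Nothing pins that a `Puppet::Util::Windows::Error` with any other code still propagates instead of being turned into a `:SidTypeUnknown` principal. I would add an example that raises the error with an unrelated code and expects `raise_error(Puppet::Util::Windows::Error)`. The implementation is not visible in this hunk, so the intended behaviour should be confirmed there first. The first description reads "given two an array of ADSI children"; `'returns an array of principals given an array of ADSI children'` matches what the example asserts.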
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puppet
3
3
  version: !ruby/object:Gem::Version
4
- version: 7.25.0
4
+ version: 7.27.0
5
5
  platform: universal-darwin
6
6
  authors:
7
7
  - Puppet Labs
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-06-13 00:00:00.000000000 Z
11
+ date: 2023-10-23 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: facter
@@ -2393,6 +2393,7 @@ files:
2393
2393
  - spec/unit/ssl/base_spec.rb
2394
2394
  - spec/unit/ssl/certificate_request_attributes_spec.rb
2395
2395
  - spec/unit/ssl/certificate_request_spec.rb
2396
+ - spec/unit/ssl/certificate_signer_spec.rb
2396
2397
  - spec/unit/ssl/certificate_spec.rb
2397
2398
  - spec/unit/ssl/digest_spec.rb
2398
2399
  - spec/unit/ssl/oids_spec.rb
@@ -2555,7 +2556,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
2555
2556
  - !ruby/object:Gem::Version
2556
2557
  version: 1.3.1
2557
2558
  requirements: []
2558
- rubygems_version: 3.4.12
2559
+ rubygems_version: 3.4.20
2559
2560
  signing_key:
2560
2561
  specification_version: 4
2561
2562
  summary: Puppet, an automated configuration management tool
@@ -3656,6 +3657,7 @@ test_files:
3656
3657
  - spec/unit/ssl/base_spec.rb
3657
3658
  - spec/unit/ssl/certificate_request_attributes_spec.rb
3658
3659
  - spec/unit/ssl/certificate_request_spec.rb
3660
+ - spec/unit/ssl/certificate_signer_spec.rb
3659
3661
  - spec/unit/ssl/certificate_spec.rb
3660
3662
  - spec/unit/ssl/digest_spec.rb
3661
3663
  - spec/unit/ssl/oids_spec.rb