puppet 7.26.0-x86-mingw32 → 7.28.0-x86-mingw32

data/spec/unit/application/ssl_spec.rb

@@ -171,6 +171,50 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
     end
   end
 
+  context 'when generating a CSR' do
+    let(:csr_path) { Puppet[:hostcsr] }
+    let(:requestdir) { Puppet[:requestdir] }
+
+    before do
+      ssl.command_line.args << 'generate_request'
+    end
+
+    it 'generates an RSA private key' do
+      File.unlink(Puppet[:hostprivkey])
+
+      expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
+    end
+
+    it 'generates an EC private key' do
+      Puppet[:key_type] = 'ec'
+      File.unlink(Puppet[:hostprivkey])
+
+      expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
+    end
+
+    it 'registers OIDs' do
+      expect(Puppet::SSL::Oids).to receive(:register_puppet_oids)
+
+      expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
+    end
+
+    it 'saves the CSR locally' do
+      expects_command_to_pass(%r{Generated certificate request in '#{csr_path}'})
+
+      expect(Puppet::FileSystem).to be_exist(csr_path)
+    end
+
+    it 'accepts dns alt names' do
+      Puppet[:dns_alt_names] = 'majortom'
+
+      expects_command_to_pass
+
+      csr = Puppet::SSL::CertificateRequest.new(name)
+      csr.read(csr_path)
+      expect(csr.subject_alt_names).to include('DNS:majortom')
+    end
+  end
+
   context 'when downloading a certificate' do
     before do
       ssl.command_line.args << 'download_cert'
@@ -347,6 +391,11 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
       expects_command_to_fail(%r{Failed to connect to the CA to determine if certificate #{name} has been cleaned})
     end
 
+    it 'raises if we have extra args' do
+      ssl.command_line.args << 'hostname.example.biz'
+      expects_command_to_fail(/Extra arguments detected: hostname.example.biz/)
+    end
+
     context 'when deleting local CA' do
       before do
         ssl.command_line.args << '--localca'

data/spec/unit/file_system/path_pattern_spec.rb

@@ -1,6 +1,7 @@
 require 'spec_helper'
 require 'puppet_spec/files'
 require 'puppet/file_system'
+require 'puppet/util'
 
 describe Puppet::FileSystem::PathPattern do
   include PuppetSpec::Files
@@ -132,6 +133,20 @@ describe Puppet::FileSystem::PathPattern do
                                          File.join(dir, "found_two")])
   end
 
+  it 'globs wildcard patterns properly' do
+    # See PUP-11788 and https://github.com/jruby/jruby/issues/7836.
+    pending 'JRuby does not properly handle Dir.glob' if Puppet::Util::Platform.jruby?
+
+    dir = tmpdir('globtest')
+    create_file_in(dir, 'foo.pp')
+    create_file_in(dir, 'foo.pp.pp')
+
+    pattern = Puppet::FileSystem::PathPattern.absolute(File.join(dir, '**/*.pp'))
+
+    expect(pattern.glob).to match_array([File.join(dir, 'foo.pp'),
+                                         File.join(dir, 'foo.pp.pp')])
+  end
+
   def create_file_in(dir, name)
     File.open(File.join(dir, name), "w") { |f| f.puts "data" }
   end

data/spec/unit/functions/split_spec.rb

@@ -50,4 +50,10 @@ describe 'the split function' do
   it 'should handle pattern in Regexp Type form with missing regular expression' do
     expect(split('ab',type_parser.parse('Regexp'))).to eql(['a', 'b'])
   end
+
+  it 'should handle sensitive String' do
+    expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), ',')).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
+    expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), /,/)).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
+    expect(split(Puppet::Pops::Types::PSensitiveType::Sensitive.new('a,b'), type_parser.parse('Regexp[/,/]'))).to be_a(Puppet::Pops::Types::PSensitiveType::Sensitive)
+  end
 end

data/spec/unit/indirector/catalog/compiler_spec.rb

@@ -271,6 +271,23 @@ describe Puppet::Resource::Catalog::Compiler do
         expect(catalog).to have_resource('Stage[main]')
       end
 
+      # versioned environment directories can cause this
+      it 'allows environments with the same name but mismatched modulepaths' do
+        envs = Puppet.lookup(:environments)
+        env_server = envs.get!(:env_server)
+        v1_env = env_server.override_with({ modulepath: ['/code-v1/env-v1/'] })
+        v2_env = env_server.override_with({ modulepath: ['/code-v2/env-v2/'] })
+
+        @request.options[:check_environment] = "true"
+        @request.environment = v1_env
+        node.environment = v2_env
+
+        catalog = compiler.find(@request)
+
+        expect(catalog.environment).to eq('env_server')
+        expect(catalog).to have_resource('Stage[main]')
+      end
+
       it 'returns an empty catalog if asked to check the environment and they are mismatched' do
         @request.options[:check_environment] = "true"
         catalog = compiler.find(@request)

data/spec/unit/indirector/catalog/rest_spec.rb

@@ -25,6 +25,23 @@ describe Puppet::Resource::Catalog::Rest do
     expect(described_class.indirection.find(certname)).to be_a(Puppet::Resource::Catalog)
   end
 
+  it 'logs a notice when requesting a catalog' do
+    expect(Puppet).to receive(:notice).with("Requesting catalog from compiler.example.com:8140")
+
+    stub_request(:post, uri).to_return(**catalog_response(catalog))
+
+    described_class.indirection.find(certname)
+  end
+
+  it 'logs a notice when the IP address is resolvable when requesting a catalog' do
+    allow(Resolv).to receive_message_chain(:getaddress).and_return('192.0.2.0')
+    expect(Puppet).to receive(:notice).with("Requesting catalog from compiler.example.com:8140 (192.0.2.0)")
+
+    stub_request(:post, uri).to_return(**catalog_response(catalog))
+
+    described_class.indirection.find(certname)
+  end
+
   it "serializes the environment" do
     stub_request(:post, uri)
       .with(query: hash_including('environment' => 'outerspace'))

data/spec/unit/provider/package/appdmg_spec.rb

@@ -11,7 +11,7 @@ describe Puppet::Type.type(:package).provider(:appdmg) do
     before do
       fh = double('filehandle', path: '/tmp/foo')
       resource[:source] = "foo.dmg"
-      allow(described_class).to receive(:open).and_yield(fh)
+      allow(File).to receive(:open).and_yield(fh)
       allow(Dir).to receive(:mktmpdir).and_return("/tmp/testtmp123")
       allow(FileUtils).to receive(:remove_entry_secure)
     end

data/spec/unit/provider/package/dnf_spec.rb

@@ -42,6 +42,13 @@ describe Puppet::Type.type(:package).provider(:dnf) do
       allow(Facter).to receive(:value).with(:operatingsystemmajrelease).and_return("8")
       expect(described_class).to be_default
     end
+
+    it "should be the default provider on Amazon Linux 2023" do
+      allow(Facter).to receive(:value).with(:osfamily).and_return(:redhat)
+      allow(Facter).to receive(:value).with(:operatingsystem).and_return(:amazon)
+      allow(Facter).to receive(:value).with(:operatingsystemmajrelease).and_return("2023")
+      expect(described_class).to be_default
+    end
   end
 
   describe 'provider features' do

data/spec/unit/provider/package/dnfmodule_spec.rb

@@ -123,7 +123,7 @@ describe Puppet::Type.type(:package).provider(:dnfmodule) do
         provider.install
       end
 
-      it "should just enable the module if it has no default profile(missing groups or modules)" do
+      it "should just enable the module if it has no default profile (missing groups or modules)" do
         dnf_exception = Puppet::ExecutionFailure.new("Error: Problems in request:\nmissing groups or modules: #{resource[:name]}")
         allow(provider).to receive(:execute).with(array_including('install')).and_raise(dnf_exception)
         resource[:ensure] = :present
@@ -132,7 +132,17 @@ describe Puppet::Type.type(:package).provider(:dnfmodule) do
         provider.install
       end
 
-      it "should just enable the module if it has no default profile(broken groups or modules)" do
+      it "should just enable the module with the right stream if it has no default profile (missing groups or modules)" do
+        stream = '12.3'
+        dnf_exception = Puppet::ExecutionFailure.new("Error: Problems in request:\nmissing groups or modules: #{resource[:name]}:#{stream}")
+        allow(provider).to receive(:execute).with(array_including('install')).and_raise(dnf_exception)
+        resource[:ensure] = stream
+        expect(provider).to receive(:execute).with(array_including('install')).ordered
+        expect(provider).to receive(:execute).with(array_including('enable')).ordered
+        provider.install
+      end
+
+      it "should just enable the module if it has no default profile (broken groups or modules)" do
         dnf_exception = Puppet::ExecutionFailure.new("Error: Problems in request:\nbroken groups or modules: #{resource[:name]}")
         allow(provider).to receive(:execute).with(array_including('install')).and_raise(dnf_exception)
         resource[:ensure] = :present
@@ -141,6 +151,16 @@ describe Puppet::Type.type(:package).provider(:dnfmodule) do
         provider.install
       end
 
+      it "should just enable the module with the right stream if it has no default profile (broken groups or modules)" do
+        stream = '12.3'
+        dnf_exception = Puppet::ExecutionFailure.new("Error: Problems in request:\nbroken groups or modules: #{resource[:name]}:#{stream}")
+        allow(provider).to receive(:execute).with(array_including('install')).and_raise(dnf_exception)
+        resource[:ensure] = stream
+        expect(provider).to receive(:execute).with(array_including('install')).ordered
+        expect(provider).to receive(:execute).with(array_including('enable')).ordered
+        provider.install
+      end
+
       it "should just enable the module if enable_only = true" do
         resource[:ensure] = :present
         resource[:enable_only] = true

data/spec/unit/provider/service/systemd_spec.rb

@@ -18,7 +18,7 @@ describe 'Puppet::Type::Service::Provider::Systemd',
     Puppet::Util::Execution::ProcessOutput.new('', 0)
   end
 
-  osfamilies = [ 'archlinux', 'coreos' ]
+  osfamilies = [ 'archlinux', 'coreos', 'gentoo' ]
 
   osfamilies.each do |osfamily|
     it "should be the default provider on #{osfamily}" do
@@ -56,11 +56,13 @@ describe 'Puppet::Type::Service::Provider::Systemd',
     end
   end
 
-  it "should be the default provider on Amazon Linux 2.0" do
-    allow(Facter).to receive(:value).with(:osfamily).and_return(:redhat)
-    allow(Facter).to receive(:value).with(:operatingsystem).and_return(:amazon)
-    allow(Facter).to receive(:value).with(:operatingsystemmajrelease).and_return("2")
-    expect(provider_class).to be_default
+  [ 2, 2023 ].each do |ver|
+    it "should be the default provider on Amazon Linux #{ver}" do
+      allow(Facter).to receive(:value).with(:osfamily).and_return(:redhat)
+      allow(Facter).to receive(:value).with(:operatingsystem).and_return(:amazon)
+      allow(Facter).to receive(:value).with(:operatingsystemmajrelease).and_return("#{ver}")
+      expect(provider_class).to be_default
+    end
   end
 
   it "should not be the default provider on Amazon Linux 2017.09" do

data/spec/unit/ssl/certificate_signer_spec.rb

@@ -0,0 +1,17 @@
+require 'spec_helper'
+
+describe Puppet::SSL::CertificateSigner do
+  include PuppetSpec::Files
+
+  let(:wrong_key) { OpenSSL::PKey::RSA.new(512) }
+  let(:client_cert) { cert_fixture('signed.pem') }
+
+  # jruby-openssl >= 0.13.0 (JRuby >= 9.3.5.0) raises an error when signing a
+  # certificate when there is a discrepancy between the certificate and key.
+  it 'raises if client cert signature is invalid', if: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do
+    expect {
+      client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new)
+    }.to raise_error(OpenSSL::X509::CertificateError,
+                     'invalid public key data')
+  end
+end

data/spec/unit/ssl/ssl_provider_spec.rb

@@ -298,7 +298,7 @@ describe Puppet::SSL::SSLProvider do
       ).to eq(['CN=signed', 'CN=Test CA Subauthority', 'CN=Test CA'])
     end
 
-    it 'raises if client cert signature is invalid' do
+    it 'raises if client cert signature is invalid', unless: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do
       client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new)
       expect {
         subject.create_context(**config.merge(client_cert: client_cert))
@@ -337,7 +337,7 @@ describe Puppet::SSL::SSLProvider do
       end
     end
 
-    it 'raises if intermediate CA signature is invalid' do
+    it 'raises if intermediate CA signature is invalid', unless: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do
       int = global_cacerts.last
       int.sign(wrong_key, OpenSSL::Digest::SHA256.new)
 

data/spec/unit/type/exec_spec.rb

@@ -252,6 +252,19 @@ RSpec.describe Puppet::Type.type(:exec) do
     expect(dependencies.collect(&:to_s)).to eq([Puppet::Relationship.new(tmp, execer).to_s])
   end
 
+  it "skips autorequire for deferred commands" do
+    foo = make_absolute('/bin/foo')
+    catalog = Puppet::Resource::Catalog.new
+    tmp = Puppet::Type.type(:file).new(:name => foo)
+    execer = Puppet::Type.type(:exec).new(:name => 'test array', :command => Puppet::Pops::Evaluator::DeferredValue.new(nil))
+
+    catalog.add_resource tmp
+    catalog.add_resource execer
+    dependencies = execer.autorequire(catalog)
+
+    expect(dependencies.collect(&:to_s)).to eq([])
+  end
+
   describe "when handling the path parameter" do
     expect = %w{one two three four}
     { "an array"                                      => expect,

data/spec/unit/util/execution_spec.rb

@@ -29,6 +29,7 @@ describe Puppet::Util::Execution, if: !Puppet::Util::Platform.jruby? do
         allow(FFI::WIN32).to receive(:CloseHandle).with(thread_handle)
       else
         allow(Process).to receive(:waitpid2).with(pid, Process::WNOHANG).and_return(nil, [pid, double('child_status', :exitstatus => exitstatus)])
+        allow(Process).to receive(:waitpid2).with(pid, 0).and_return(nil, [pid, double('child_status', :exitstatus => exitstatus)])
         allow(Process).to receive(:waitpid2).with(pid).and_return([pid, double('child_status', :exitstatus => exitstatus)])
       end
     end

data/spec/unit/util/windows/adsi_spec.rb

@@ -95,6 +95,31 @@ describe Puppet::Util::Windows::ADSI, :if => Puppet::Util::Platform.windows? do
     end
   end
 
+  describe '.get_sids' do
+    it 'returns an array of SIDs given two an array of ADSI children' do
+      child1 = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
+      child2 = double('child2', name: 'Guest', sid: 'S-1-5-21-3882680660-671291151-3888264257-501')
+      allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child1).and_return('Administrator')
+      allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child2).and_return('Guest')
+      sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child1, child2])
+      expect(sids).to eq(['Administrator', 'Guest'])
+    end
+
+    it 'returns an array of SIDs given an ADSI child and ads_to_principal returning domain failure' do
+      child = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
+      allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child).and_raise(Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::SID::ERROR_TRUSTED_DOMAIN_FAILURE))
+      sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child])
+      expect(sids[0]).to eq(Puppet::Util::Windows::SID::Principal.new(child.name, child.sid, child.name, nil, :SidTypeUnknown))
+    end
+
+    it 'returns an array of SIDs given an ADSI child and ads_to_principal returning relationship failure' do
+      child = double('child1', name: 'Administrator', sid: 'S-1-5-21-3882680660-671291151-3888264257-500')
+      allow(Puppet::Util::Windows::SID).to receive(:ads_to_principal).with(child).and_raise(Puppet::Util::Windows::Error.new('', Puppet::Util::Windows::SID::ERROR_TRUSTED_RELATIONSHIP_FAILURE))
+      sids = Puppet::Util::Windows::ADSI::ADSIObject.get_sids([child])
+      expect(sids[0]).to eq(Puppet::Util::Windows::SID::Principal.new(child.name, child.sid, child.name, nil, :SidTypeUnknown))
+    end
+  end
+
   describe Puppet::Util::Windows::ADSI::User do
     let(:username)  { 'testuser' }
     let(:domain)    { 'DOMAIN' }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet
 version: !ruby/object:Gem::Version
-  version: 7.26.0
+  version: 7.28.0
 platform: x86-mingw32
 authors:
 - Puppet Labs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-08-21 00:00:00.000000000 Z
+date: 2024-01-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -172,22 +172,16 @@ dependencies:
   name: ffi
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">"
-      - !ruby/object:Gem::Version
-        version: 1.9.24
-    - - "<"
+    - - '='
       - !ruby/object:Gem::Version
-        version: '2'
+        version: 1.15.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">"
-      - !ruby/object:Gem::Version
-        version: 1.9.24
-    - - "<"
+    - - '='
       - !ruby/object:Gem::Version
-        version: '2'
+        version: 1.15.5
 - !ruby/object:Gem::Dependency
   name: minitar
   requirement: !ruby/object:Gem::Requirement
@@ -2413,6 +2407,7 @@ files:
 - spec/unit/ssl/base_spec.rb
 - spec/unit/ssl/certificate_request_attributes_spec.rb
 - spec/unit/ssl/certificate_request_spec.rb
+- spec/unit/ssl/certificate_signer_spec.rb
 - spec/unit/ssl/certificate_spec.rb
 - spec/unit/ssl/digest_spec.rb
 - spec/unit/ssl/oids_spec.rb
@@ -2575,7 +2570,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements: []
-rubygems_version: 3.4.12
+rubygems_version: 3.4.20
 signing_key: 
 specification_version: 4
 summary: Puppet, an automated configuration management tool
@@ -3676,6 +3671,7 @@ test_files:
 - spec/unit/ssl/base_spec.rb
 - spec/unit/ssl/certificate_request_attributes_spec.rb
 - spec/unit/ssl/certificate_request_spec.rb
+- spec/unit/ssl/certificate_signer_spec.rb
 - spec/unit/ssl/certificate_spec.rb
 - spec/unit/ssl/digest_spec.rb
 - spec/unit/ssl/oids_spec.rb