puppet 7.4.1 → 7.5.0



Files changed (73) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +19 -13
  3. data/lib/puppet/application/ssl.rb +11 -0
  4. data/lib/puppet/defaults.rb +8 -0
  5. data/lib/puppet/environments.rb +16 -1
  6. data/lib/puppet/ffi/windows/api_types.rb +1 -1
  7. data/lib/puppet/file_system/memory_file.rb +8 -1
  8. data/lib/puppet/file_system/windows.rb +2 -0
  9. data/lib/puppet/http/factory.rb +4 -0
  10. data/lib/puppet/network/http.rb +5 -2
  11. data/lib/puppet/network/http/api.rb +10 -6
  12. data/lib/puppet/network/http/api/master.rb +3 -2
  13. data/lib/puppet/network/http/api/master/v3.rb +2 -25
  14. data/lib/puppet/network/http/api/master/v3/environments.rb +2 -33
  15. data/lib/puppet/network/http/api/server.rb +10 -0
  16. data/lib/puppet/network/http/api/server/v3.rb +39 -0
  17. data/lib/puppet/network/http/api/server/v3/environments.rb +48 -0
  18. data/lib/puppet/pops/parser/lexer2.rb +0 -4
  19. data/lib/puppet/pops/validation/checker4_0.rb +0 -1
  20. data/lib/puppet/settings/environment_conf.rb +1 -0
  21. data/lib/puppet/util/monkey_patches.rb +7 -0
  22. data/lib/puppet/util/windows/adsi.rb +46 -0
  23. data/lib/puppet/util/windows/principal.rb +9 -2
  24. data/lib/puppet/util/windows/sid.rb +4 -2
  25. data/lib/puppet/version.rb +1 -1
  26. data/man/man5/puppet.conf.5 +10 -2
  27. data/man/man8/puppet-agent.8 +1 -1
  28. data/man/man8/puppet-apply.8 +1 -1
  29. data/man/man8/puppet-catalog.8 +1 -1
  30. data/man/man8/puppet-config.8 +1 -1
  31. data/man/man8/puppet-describe.8 +1 -1
  32. data/man/man8/puppet-device.8 +1 -1
  33. data/man/man8/puppet-doc.8 +1 -1
  34. data/man/man8/puppet-epp.8 +1 -1
  35. data/man/man8/puppet-facts.8 +1 -1
  36. data/man/man8/puppet-filebucket.8 +1 -1
  37. data/man/man8/puppet-generate.8 +1 -1
  38. data/man/man8/puppet-help.8 +1 -1
  39. data/man/man8/puppet-lookup.8 +1 -1
  40. data/man/man8/puppet-module.8 +1 -1
  41. data/man/man8/puppet-node.8 +1 -1
  42. data/man/man8/puppet-parser.8 +1 -1
  43. data/man/man8/puppet-plugin.8 +1 -1
  44. data/man/man8/puppet-report.8 +1 -1
  45. data/man/man8/puppet-resource.8 +1 -1
  46. data/man/man8/puppet-script.8 +1 -1
  47. data/man/man8/puppet-ssl.8 +5 -1
  48. data/man/man8/puppet.8 +2 -2
  49. data/spec/integration/application/plugin_spec.rb +1 -1
  50. data/spec/integration/http/client_spec.rb +12 -0
  51. data/spec/integration/indirector/direct_file_server_spec.rb +1 -3
  52. data/spec/integration/parser/collection_spec.rb +10 -0
  53. data/spec/integration/util/windows/adsi_spec.rb +18 -0
  54. data/spec/integration/util/windows/principal_spec.rb +21 -0
  55. data/spec/integration/util/windows/registry_spec.rb +6 -0
  56. data/spec/unit/application/facts_spec.rb +5 -5
  57. data/spec/unit/application/ssl_spec.rb +23 -0
  58. data/spec/unit/environments_spec.rb +164 -88
  59. data/spec/unit/file_system_spec.rb +9 -0
  60. data/spec/unit/http/factory_spec.rb +19 -0
  61. data/spec/unit/network/http/api/master_spec.rb +38 -0
  62. data/spec/unit/network/http/api/{master → server}/v3/environments_spec.rb +2 -2
  63. data/spec/unit/network/http/api/{master → server}/v3_spec.rb +19 -19
  64. data/spec/unit/network/http/api_spec.rb +11 -11
  65. data/spec/unit/pops/parser/lexer2_spec.rb +0 -4
  66. data/spec/unit/pops/validator/validator_spec.rb +20 -43
  67. data/spec/unit/util/windows/sid_spec.rb +6 -0
  68. metadata +11 -16
  69. data/spec/lib/matchers/include.rb +0 -27
  70. data/spec/lib/matchers/include_spec.rb +0 -32
  71. data/spec/unit/pops/parser/parse_application_spec.rb +0 -13
  72. data/spec/unit/pops/parser/parse_capabilities_spec.rb +0 -23
  73. data/spec/unit/pops/parser/parse_site_spec.rb +0 -43
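--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 1dc7fca54856073eca2fb108213f2870e9d9cbe9c176bf4c0ff1820182aa1487
-data.tar.gz: 0e73ef249f8a19167ba68b84e3d8ddf2a5fcf82a5689d7955ed777feff43c5cf
+metadata.gz: d0c46be8ea84f210c98907f78f8fa7e67ddfe3500e77a8a1ab503f28f1887285
+data.tar.gz: e237a260fc5fb15474bd6713dad901fc7af6199d3da584aadb3c15cbff45886b
 SHA512:
-metadata.gz: 313206ed5d0288d41c429eaef41b6507afd490298ff4b549bae911dffcbd06c2a1579329e4cf9ae94d5a1c2888d981c51730ec38450298cfd63b35f07cd34ca3
-data.tar.gz: a9204bfb79227de4126b352a12dce922723de2910c621ebfa28e220756440c3b76f34d4e489e7c5d898a93a9f79297c044ac3bb8dff420279493dc8f75098a1a
+metadata.gz: 8cea314360893199a90e60d9da0a393f7caae00ec554bfa643d4b66a254d1a71a520eb5f0fd4b28adec1869c1ac693362613aea38c747c3c7b9f75f8af720bea
+data.tar.gz: 9df0489d6c2160814c17c28af8b151aa81175fb8919e4d80552733ad7657e22147da2743ac6780f786481d923f7f2e6044b88fc80ec9c570105b63f5ac1c1d85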
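--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,18 @@
+GIT
+remote: git://github.com/ciprianbadescu/packaging
+revision: 5f8d2bda941abfeeb8fb1731c9b1dd4d108f5d33
+branch: maint/windows-signing
+specs:
+packaging (0.99.49.171.g5f8d2bd)
+artifactory (~> 2)
+csv (= 3.1.5)
+rake (>= 12.3)
+release-metrics
+
 PATH
 remote: .
 specs:
-puppet (7.4.1)
+puppet (7.5.0)
 CFPropertyList (~> 2.2)
 concurrent-ruby (~> 1.0)
 deep_merge (~> 1.0)
@@ -33,7 +44,7 @@ GEM
 hocon (~> 1.3)
 thor (>= 1.0.1, < 2.0)
 fast_gettext (1.1.2)
-ffi (1.14.2)
+ffi (1.15.0)
 gettext (3.2.9)
 locale (>= 2.0.5)
 text (>= 1.3.0)
@@ -43,10 +54,10 @@ GEM
 locale
 hashdiff (1.0.1)
 hiera (3.6.0)
-hiera-eyaml (3.2.0)
-highline (~> 1.6.19)
+hiera-eyaml (3.2.1)
+highline
 optimist
-highline (1.6.21)
+highline (2.0.3)
 hocon (1.3.1)
 hpricot (0.8.6)
 json-schema (2.8.1)
@@ -59,11 +70,6 @@ GEM
 multi_json (1.15.0)
 mustache (1.1.1)
 optimist (3.0.1)
-packaging (0.99.75)
-artifactory (~> 2)
-csv (= 3.1.5)
-rake (>= 12.3)
-release-metrics
 parallel (1.20.1)
 parser (2.7.2.0)
 ast (~> 2.4.1)
@@ -115,7 +121,7 @@ GEM
 unicode-display_width (~> 1.0, >= 1.0.1)
 rubocop-i18n (1.2.0)
 rubocop (~> 0.49.0)
-ruby-prof (1.4.2)
+ruby-prof (1.4.3)
 ruby-progressbar (1.11.0)
 scanf (1.0.0)
 semantic_puppet (1.0.3)
@@ -123,7 +129,7 @@ GEM
 thor (1.1.0)
 unicode-display_width (1.7.0)
 vcr (5.1.0)
-webmock (3.11.2)
+webmock (3.12.1)
 addressable (>= 2.3.6)
 crack (>= 0.3.2)
 hashdiff (>= 0.4.0, < 2.0.0)
@@ -142,7 +148,7 @@ DEPENDENCIES
 memory_profiler
 minitar (~> 0.9)
 msgpack (~> 1.2)
-packaging (~> 0.99)
+packaging!
 pry
 puppet!
 puppet-resource_api (~> 1.5)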
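Review bot: The `packaging` dependency now resolves from a personal fork over `git://github.com/ciprianbadescu/packaging` (branch `maint/windows-signing`) instead of the released gem, and the `git://` transport provides neither authentication nor transport integrity; the pinned `revision:` line is the only thing tying the build to specific content, so it must not be relaxed to a branch-only reference. Prefer an `https://` remote and, once the signing change is merged upstream, return to the released `packaging` gem so the release pipeline does not depend on an individual's fork staying available and unmodified. This is a build/packaging dependency rather than a runtime one, so the exposure is to the release process, not to installed agents.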
@@ -74,6 +74,9 @@ ACTIONS
74
74
  `--localca` is specified, then also remove this host's local copy of the
75
75
  CA certificate(s) and CRL bundle. if `--target CERTNAME` is specified, then
76
76
  remove the files for the specified device on this host instead of this host.
77
+
78
+ * show:
79
+ Print the full-text version of this host's certificate.
77
80
  HELP
78
81
  end
79
82
 
@@ -142,11 +145,19 @@ HELP
142
145
  end
143
146
  @machine.ensure_client_certificate
144
147
  Puppet.notice(_("Completed SSL initialization"))
148
+ when 'show'
149
+ show(certname)
145
150
  else
146
151
  raise Puppet::Error, _("Unknown action '%{action}'") % { action: action }
147
152
  end
148
153
  end
149
154
 
155
+ def show(certname)
156
+ password = @cert_provider.load_private_key_password
157
+ ssl_context = @ssl_provider.load_context(certname: certname, password: password)
158
+ puts ssl_context.client_cert.to_text
159
+ end
160
+
150
161
  def submit_request(ssl_context)
151
162
  key = @cert_provider.load_private_key(Puppet[:certname])
152
163
  unless key
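Review bot: `show` builds the full SSL context, loading the private key and its password, only to print the client certificate; if the key is missing or its password cannot be read the action fails even though the certificate file itself is readable (this assumes `load_context` requires the key, which the hunk does not show). Either load just the certificate through `@cert_provider`, or record the requirement so it is a deliberate choice: `# Prints this host's certificate in OpenSSL text form. Builds the full SSL context, so the private key (and its password, if any) must be loadable.` with a `# @param certname [String] the certificate to show` line. The `certname` passed on the `when 'show'` branch is assigned outside the hunk.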
@@ -1033,6 +1033,14 @@ EOT
1033
1033
  certificate revocation checking and does not attempt to download the CRL.
1034
1034
  EOT
1035
1035
  },
1036
+ :ciphers => {
1037
+ :default => 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256',
1038
+ :type => :string,
1039
+ :desc => "The list of ciphersuites for TLS connections initiated by puppet. The
1040
+ default value is chosen to support TLS 1.0 and up, but can be made
1041
+ more restrictive if needed. The ciphersuites must be specified in OpenSSL
1042
+ format, not IANA."
1043
+ },
1036
1044
  :key_type => {
1037
1045
  :default => 'rsa',
1038
1046
  :type => :enum,
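Review bot: The `:desc` says the list supports TLS 1.0 and up but leaves out two things operators need when hardening: a cipher list governs TLS 1.2 and earlier only (TLS 1.3 ciphersuites are configured separately in OpenSSL and are unaffected by this setting), and the trailing `AES128-GCM-SHA256` … `AES256-SHA256` entries use RSA key exchange, so they lack forward secrecy and are present purely for compatibility, alongside the CBC/SHA-1 suites. Append to the description: `This setting applies to TLS 1.2 and earlier; TLS 1.3 ciphersuites are not affected. The non-ECDHE/DHE suites at the end are included for compatibility with older servers and may be removed to require forward secrecy.` so the default's trade-off is recorded next to the value rather than rediscovered.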
@@ -225,6 +225,9 @@ module Puppet::Environments
225
225
  private
226
226
 
227
227
  def create_environment(name)
228
+ # interpolated modulepaths may be cached from prior environment instances
229
+ Puppet.settings.clear_environment_settings(name)
230
+
228
231
  env_symbol = name.intern
229
232
  setting_values = Puppet.settings.values(env_symbol, Puppet.settings.preferred_run_mode)
230
233
  env = Puppet::Node::Environment.create(
@@ -350,7 +353,19 @@ module Puppet::Environments
350
353
 
351
354
  # @!macro loader_list
352
355
  def list
353
- @loader.list
356
+ # Evict all that have expired, in the same way as `get`
357
+ clear_all_expired
358
+
359
+ @loader.list.map do |env|
360
+ name = env.name
361
+ old_entry = @cache[name]
362
+ if old_entry
363
+ old_entry.value
364
+ else
365
+ add_entry(name, entry(env))
366
+ env
367
+ end
368
+ end
354
369
  end
355
370
 
356
371
  # @!macro loader_search_paths
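Review bot: `list` now has a side effect that the `@!macro loader_list` documentation does not cover: every environment returned by the loader that is not already cached gets a cache entry, so one `list` call (for example from the environments endpoint) populates and pins entries for every environment on disk until they expire, where previously it only read the loader. Add a line above the method, `# Unlike the plain loader, this populates the cache for every listed environment, mirroring the behaviour of `get`.` so the memory and freshness implications are visible to callers. `clear_all_expired`, `entry` and `add_entry` are defined outside the hunk, so whether a cached value can be stale relative to the freshly loaded `env` cannot be judged here.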
@@ -20,7 +20,7 @@ module Puppet::FFI::Windows
20
20
 
21
21
  class ::FFI::Pointer
22
22
  NULL_HANDLE = 0
23
- WCHAR_NULL = "\0\0".encode('UTF-16LE').freeze
23
+ WCHAR_NULL = "\0\0".force_encoding('UTF-16LE').freeze
24
24
 
25
25
  def self.from_string_to_wide_string(str, &block)
26
26
  str = Puppet::Util::Windows::String.wide_string(str)
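Review bot: The reason for switching from `encode` to `force_encoding` is not recorded, and the two look interchangeable to a reader: `"\0\0".encode('UTF-16LE')` transcodes two UTF-8 NUL characters into four bytes, whereas `force_encoding` relabels the same two bytes as a single UTF-16LE NUL, which is the wide-string terminator `from_string_to_wide_string` appears to rely on. Add a comment so the fix is not reverted as a cleanup: `# relabel, do not transcode: encode() would turn two NUL bytes into a 4-byte, two-character string`.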
@@ -7,6 +7,13 @@ class Puppet::FileSystem::MemoryFile
7
7
  new(path, :exist? => false, :executable? => false)
8
8
  end
9
9
 
10
+ def self.a_missing_directory(path)
11
+ new(path,
12
+ :exist? => false,
13
+ :executable? => false,
14
+ :directory? => true)
15
+ end
16
+
10
17
  def self.a_regular_file_containing(path, content)
11
18
  new(path, :exist? => true, :executable? => false, :content => content)
12
19
  end
@@ -18,7 +25,7 @@ class Puppet::FileSystem::MemoryFile
18
25
  def self.a_directory(path, children = [])
19
26
  new(path,
20
27
  :exist? => true,
21
- :excutable? => true,
28
+ :executable? => true,
22
29
  :directory? => true,
23
30
  :children => children)
24
31
  end
@@ -128,6 +128,8 @@ class Puppet::FileSystem::Windows < Puppet::FileSystem::Posix
128
128
  end
129
129
 
130
130
  current_sid = Puppet::Util::Windows::SID.name_to_sid(Puppet::Util::Windows::ADSI::User.current_user_name)
131
+ current_sid = Puppet::Util::Windows::SID.name_to_sid(Puppet::Util::Windows::ADSI::User.current_sam_compatible_user_name) unless current_sid
132
+
131
133
  dacl = case mode
132
134
  when 0644
133
135
  dacl = secure_dacl(current_sid)
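Review bot: When both `name_to_sid` lookups return nil, `current_sid` stays nil and is passed to `secure_dacl` on the `case mode` branches below; unless `secure_dacl` guards against nil (not visible in the hunk) the failure surfaces as an obscure error inside ACL construction instead of at the lookup. Fail fast right after the fallback: `raise Puppet::Error, _("Failed to resolve the SID of the current user") unless current_sid`. A short comment stating when `current_user_name` fails to resolve and the SAM-compatible name succeeds would also explain why the fallback exists. The enclosing method starts and ends outside the hunk.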
@@ -26,6 +26,10 @@ class Puppet::HTTP::Factory
26
26
 
27
27
  http = Puppet::HTTP::Proxy.proxy(URI(site.addr))
28
28
  http.use_ssl = site.use_ssl?
29
+ if site.use_ssl?
30
+ http.min_version = OpenSSL::SSL::TLS1_VERSION if http.respond_to?(:min_version)
31
+ http.ciphers = Puppet[:ciphers]
32
+ end
29
33
  http.read_timeout = Puppet[:http_read_timeout]
30
34
  http.open_timeout = Puppet[:http_connect_timeout]
31
35
  http.keep_alive_timeout = KEEP_ALIVE_TIMEOUT if http.respond_to?(:keep_alive_timeout=)
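Review bot: The guard on the new `min_version` line checks `respond_to?(:min_version)`, the reader, while the statement calls the writer `min_version=`; the `keep_alive_timeout` line below checks the writer, so use `http.min_version = OpenSSL::SSL::TLS1_VERSION if http.respond_to?(:min_version=)` for consistency and so the guard tests the method actually invoked. `OpenSSL::SSL::TLS1_VERSION` as the floor still admits TLS 1.0 and 1.1, which matches the stated intent of the `ciphers` default but deserves a comment so it reads as a decision rather than an oversight, e.g. `# TLS 1.0 floor matches the :ciphers default; raise to TLS1_2_VERSION when older servers are no longer supported`. Note also that `ciphers=` only governs TLS 1.2 and earlier negotiations, so the assignment does not constrain TLS 1.3.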
@@ -3,8 +3,11 @@ module Puppet::Network::HTTP
3
3
  HEADER_ENABLE_PROFILING = "X-Puppet-Profiling"
4
4
  HEADER_PUPPET_VERSION = "X-Puppet-Version"
5
5
 
6
- MASTER_URL_PREFIX = "/puppet"
7
- MASTER_URL_VERSIONS = "v3"
6
+ SERVER_URL_PREFIX = "/puppet"
7
+ SERVER_URL_VERSIONS = "v3"
8
+
9
+ MASTER_URL_PREFIX = SERVER_URL_PREFIX
10
+ MASTER_URL_VERSIONS = SERVER_URL_VERSIONS
8
11
 
9
12
  CA_URL_PREFIX = "/puppet-ca"
10
13
  CA_URL_VERSIONS = "v1"
@@ -18,18 +18,22 @@ class Puppet::Network::HTTP::API
18
18
  "Note that Puppet 3 agents aren't compatible with this version; if you're " +
19
19
  "running Puppet 3, you must either upgrade your agents to match the server " +
20
20
  "or point them to a server running Puppet 3.\n\n" +
21
- "Master Info:\n" +
21
+ "Server Info:\n" +
22
22
  " Puppet version: #{Puppet.version}\n" +
23
- " Supported /puppet API versions: #{Puppet::Network::HTTP::MASTER_URL_VERSIONS}\n",
23
+ " Supported /puppet API versions: #{Puppet::Network::HTTP::SERVER_URL_VERSIONS}\n",
24
24
  Puppet::Network::HTTP::Issues::HANDLER_NOT_FOUND)
25
25
  end)
26
26
  end
27
27
 
28
- def self.master_routes
29
- master_prefix = Regexp.new("^#{Puppet::Network::HTTP::MASTER_URL_PREFIX}/")
30
- Puppet::Network::HTTP::Route.path(master_prefix).
28
+ def self.server_routes
29
+ server_prefix = Regexp.new("^#{Puppet::Network::HTTP::SERVER_URL_PREFIX}/")
30
+ Puppet::Network::HTTP::Route.path(server_prefix).
31
31
  any.
32
- chain(Puppet::Network::HTTP::API::Master::V3.routes,
32
+ chain(Puppet::Network::HTTP::API::Server::V3.routes,
33
33
  Puppet::Network::HTTP::API.not_found)
34
34
  end
35
+
36
+ def self.master_routes
37
+ server_routes
38
+ end
35
39
  end
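Review bot: The compatibility shim `master_routes`, like `MASTER_URL_PREFIX`/`MASTER_URL_VERSIONS` in http.rb and the `Puppet::Network::HTTP::API::Master` constant in master.rb, carries no indication that it is retained only for the old naming, so callers have no signal to migrate. Tag it `# @deprecated Use {server_routes}; retained for compatibility with the master naming.` and add the equivalent YARD tag to the aliased constants.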
@@ -1,2 +1,3 @@
1
- module Puppet::Network::HTTP::API::Master
2
- end
1
+ require 'puppet/network/http/api/server'
2
+
3
+ Puppet::Network::HTTP::API::Master = Puppet::Network::HTTP::API::Server
@@ -1,26 +1,3 @@
1
- class Puppet::Network::HTTP::API::Master::V3
2
- require 'puppet/network/http/api/master/v3/environments'
3
- require 'puppet/network/http/api/indirected_routes'
1
+ require 'puppet/network/http/api/master'
2
+ require 'puppet/network/http/api/server/v3'
4
3
 
5
- def self.wrap(&block)
6
- lambda do |request, response|
7
- Puppet::Network::Authorization.check_external_authorization(request.method, request.path)
8
-
9
- block.call.call(request, response)
10
- end
11
- end
12
-
13
- INDIRECTED = Puppet::Network::HTTP::Route.
14
- path(/.*/).
15
- any(wrap { Puppet::Network::HTTP::API::IndirectedRoutes.new } )
16
-
17
- ENVIRONMENTS = Puppet::Network::HTTP::Route.
18
- path(%r{^/environments$}).
19
- get(wrap { Environments.new(Puppet.lookup(:environments)) } )
20
-
21
- def self.routes
22
- Puppet::Network::HTTP::Route.path(%r{v3}).
23
- any.
24
- chain(ENVIRONMENTS, INDIRECTED)
25
- end
26
- end
@@ -1,34 +1,3 @@
1
- require 'puppet/util/json'
1
+ require 'puppet/network/http/api/master'
2
+ require 'puppet/network/http/api/server/v3/environments'
2
3
 
3
- class Puppet::Network::HTTP::API::Master::V3::Environments
4
- def initialize(env_loader)
5
- @env_loader = env_loader
6
- end
7
-
8
- def call(request, response)
9
- response.respond_with(200, "application/json", Puppet::Util::Json.dump({
10
- "search_paths" => @env_loader.search_paths,
11
- "environments" => Hash[@env_loader.list.collect do |env|
12
- [env.name, {
13
- "settings" => {
14
- "modulepath" => env.full_modulepath,
15
- "manifest" => env.manifest,
16
- "environment_timeout" => timeout(env),
17
- "config_version" => env.config_version || '',
18
- }
19
- }]
20
- end]
21
- }))
22
- end
23
-
24
- private
25
-
26
- def timeout(env)
27
- ttl = @env_loader.get_conf(env.name).environment_timeout
28
- if ttl == Float::INFINITY
29
- "unlimited"
30
- else
31
- ttl
32
- end
33
- end
34
- end
@@ -0,0 +1,10 @@
1
+ module Puppet
2
+ module Network
3
+ module HTTP
4
+ class API
5
+ module Server
6
+ end
7
+ end
8
+ end
9
+ end
10
+ end
@@ -0,0 +1,39 @@
1
+ require 'puppet/network/http/api/server/v3/environments'
2
+ require 'puppet/network/http/api/indirected_routes'
3
+
4
+ module Puppet
5
+ module Network
6
+ module HTTP
7
+ class API
8
+ module Server
9
+ class V3
10
+
11
+ def self.wrap(&block)
12
+ lambda do |request, response|
13
+ Puppet::Network::Authorization.
14
+ check_external_authorization(request.method,
15
+ request.path)
16
+
17
+ block.call.call(request, response)
18
+ end
19
+ end
20
+
21
+ INDIRECTED = Puppet::Network::HTTP::Route.
22
+ path(/.*/).
23
+ any(wrap { Puppet::Network::HTTP::API::IndirectedRoutes.new } )
24
+
25
+ ENVIRONMENTS = Puppet::Network::HTTP::Route.
26
+ path(%r{^/environments$}).
27
+ get(wrap { Environments.new(Puppet.lookup(:environments)) } )
28
+
29
+ def self.routes
30
+ Puppet::Network::HTTP::Route.path(%r{v3}).
31
+ any.
32
+ chain(ENVIRONMENTS, INDIRECTED)
33
+ end
34
+ end
35
+ end
36
+ end
37
+ end
38
+ end
39
+ end
@@ -0,0 +1,48 @@
1
+ require 'puppet/util/json'
2
+
3
+ module Puppet
4
+ module Network
5
+ module HTTP
6
+ class API
7
+ module Server
8
+ class V3
9
+ class Environments
10
+
11
+ def initialize(env_loader)
12
+ @env_loader = env_loader
13
+ end
14
+
15
+ def call(request, response)
16
+ response.respond_with(200, "application/json", Puppet::Util::Json.dump({
17
+ "search_paths" => @env_loader.search_paths,
18
+ "environments" => Hash[@env_loader.list.collect do |env|
19
+ [env.name, {
20
+ "settings" => {
21
+ "modulepath" => env.full_modulepath,
22
+ "manifest" => env.manifest,
23
+ "environment_timeout" => timeout(env),
24
+ "config_version" => env.config_version || '',
25
+ }
26
+ }]
27
+ end]
28
+ }))
29
+ end
30
+
31
+ private
32
+
33
+ def timeout(env)
34
+ ttl = @env_loader.get_conf(env.name).environment_timeout
35
+ if ttl == Float::INFINITY
36
+ "unlimited"
37
+ else
38
+ ttl
39
+ end
40
+ end
41
+ end
42
+ end
43
+ end
44
+ end
45
+ end
46
+ end
47
+ end
48
+