puppet 7.4.1 → 7.5.0

Files changed (73) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +19 -13
  3. data/lib/puppet/application/ssl.rb +11 -0
  4. data/lib/puppet/defaults.rb +8 -0
  5. data/lib/puppet/environments.rb +16 -1
  6. data/lib/puppet/ffi/windows/api_types.rb +1 -1
  7. data/lib/puppet/file_system/memory_file.rb +8 -1
  8. data/lib/puppet/file_system/windows.rb +2 -0
  9. data/lib/puppet/http/factory.rb +4 -0
  10. data/lib/puppet/network/http.rb +5 -2
  11. data/lib/puppet/network/http/api.rb +10 -6
  12. data/lib/puppet/network/http/api/master.rb +3 -2
  13. data/lib/puppet/network/http/api/master/v3.rb +2 -25
  14. data/lib/puppet/network/http/api/master/v3/environments.rb +2 -33
  15. data/lib/puppet/network/http/api/server.rb +10 -0
  16. data/lib/puppet/network/http/api/server/v3.rb +39 -0
  17. data/lib/puppet/network/http/api/server/v3/environments.rb +48 -0
  18. data/lib/puppet/pops/parser/lexer2.rb +0 -4
  19. data/lib/puppet/pops/validation/checker4_0.rb +0 -1
  20. data/lib/puppet/settings/environment_conf.rb +1 -0
  21. data/lib/puppet/util/monkey_patches.rb +7 -0
  22. data/lib/puppet/util/windows/adsi.rb +46 -0
  23. data/lib/puppet/util/windows/principal.rb +9 -2
  24. data/lib/puppet/util/windows/sid.rb +4 -2
  25. data/lib/puppet/version.rb +1 -1
  26. data/man/man5/puppet.conf.5 +10 -2
  27. data/man/man8/puppet-agent.8 +1 -1
  28. data/man/man8/puppet-apply.8 +1 -1
  29. data/man/man8/puppet-catalog.8 +1 -1
  30. data/man/man8/puppet-config.8 +1 -1
  31. data/man/man8/puppet-describe.8 +1 -1
  32. data/man/man8/puppet-device.8 +1 -1
  33. data/man/man8/puppet-doc.8 +1 -1
  34. data/man/man8/puppet-epp.8 +1 -1
  35. data/man/man8/puppet-facts.8 +1 -1
  36. data/man/man8/puppet-filebucket.8 +1 -1
  37. data/man/man8/puppet-generate.8 +1 -1
  38. data/man/man8/puppet-help.8 +1 -1
  39. data/man/man8/puppet-lookup.8 +1 -1
  40. data/man/man8/puppet-module.8 +1 -1
  41. data/man/man8/puppet-node.8 +1 -1
  42. data/man/man8/puppet-parser.8 +1 -1
  43. data/man/man8/puppet-plugin.8 +1 -1
  44. data/man/man8/puppet-report.8 +1 -1
  45. data/man/man8/puppet-resource.8 +1 -1
  46. data/man/man8/puppet-script.8 +1 -1
  47. data/man/man8/puppet-ssl.8 +5 -1
  48. data/man/man8/puppet.8 +2 -2
  49. data/spec/integration/application/plugin_spec.rb +1 -1
  50. data/spec/integration/http/client_spec.rb +12 -0
  51. data/spec/integration/indirector/direct_file_server_spec.rb +1 -3
  52. data/spec/integration/parser/collection_spec.rb +10 -0
  53. data/spec/integration/util/windows/adsi_spec.rb +18 -0
  54. data/spec/integration/util/windows/principal_spec.rb +21 -0
  55. data/spec/integration/util/windows/registry_spec.rb +6 -0
  56. data/spec/unit/application/facts_spec.rb +5 -5
  57. data/spec/unit/application/ssl_spec.rb +23 -0
  58. data/spec/unit/environments_spec.rb +164 -88
  59. data/spec/unit/file_system_spec.rb +9 -0
  60. data/spec/unit/http/factory_spec.rb +19 -0
  61. data/spec/unit/network/http/api/master_spec.rb +38 -0
  62. data/spec/unit/network/http/api/{master → server}/v3/environments_spec.rb +2 -2
  63. data/spec/unit/network/http/api/{master → server}/v3_spec.rb +19 -19
  64. data/spec/unit/network/http/api_spec.rb +11 -11
  65. data/spec/unit/pops/parser/lexer2_spec.rb +0 -4
  66. data/spec/unit/pops/validator/validator_spec.rb +20 -43
  67. data/spec/unit/util/windows/sid_spec.rb +6 -0
  68. metadata +11 -16
  69. data/spec/lib/matchers/include.rb +0 -27
  70. data/spec/lib/matchers/include_spec.rb +0 -32
  71. data/spec/unit/pops/parser/parse_application_spec.rb +0 -13
  72. data/spec/unit/pops/parser/parse_capabilities_spec.rb +0 -23
  73. data/spec/unit/pops/parser/parse_site_spec.rb +0 -43
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 1dc7fca54856073eca2fb108213f2870e9d9cbe9c176bf4c0ff1820182aa1487
4
- data.tar.gz: 0e73ef249f8a19167ba68b84e3d8ddf2a5fcf82a5689d7955ed777feff43c5cf
3
+ metadata.gz: d0c46be8ea84f210c98907f78f8fa7e67ddfe3500e77a8a1ab503f28f1887285
4
+ data.tar.gz: e237a260fc5fb15474bd6713dad901fc7af6199d3da584aadb3c15cbff45886b
5
5
  SHA512:
6
- metadata.gz: 313206ed5d0288d41c429eaef41b6507afd490298ff4b549bae911dffcbd06c2a1579329e4cf9ae94d5a1c2888d981c51730ec38450298cfd63b35f07cd34ca3
7
- data.tar.gz: a9204bfb79227de4126b352a12dce922723de2910c621ebfa28e220756440c3b76f34d4e489e7c5d898a93a9f79297c044ac3bb8dff420279493dc8f75098a1a
6
+ metadata.gz: 8cea314360893199a90e60d9da0a393f7caae00ec554bfa643d4b66a254d1a71a520eb5f0fd4b28adec1869c1ac693362613aea38c747c3c7b9f75f8af720bea
7
+ data.tar.gz: 9df0489d6c2160814c17c28af8b151aa81175fb8919e4d80552733ad7657e22147da2743ac6780f786481d923f7f2e6044b88fc80ec9c570105b63f5ac1c1d85
data/Gemfile.lock CHANGED
@@ -1,7 +1,18 @@
1
+ GIT
2
+ remote: git://github.com/ciprianbadescu/packaging
3
+ revision: 5f8d2bda941abfeeb8fb1731c9b1dd4d108f5d33
4
+ branch: maint/windows-signing
5
+ specs:
6
+ packaging (0.99.49.171.g5f8d2bd)
7
+ artifactory (~> 2)
8
+ csv (= 3.1.5)
9
+ rake (>= 12.3)
10
+ release-metrics
11
+
1
12
  PATH
2
13
  remote: .
3
14
  specs:
4
- puppet (7.4.1)
15
+ puppet (7.5.0)
5
16
  CFPropertyList (~> 2.2)
6
17
  concurrent-ruby (~> 1.0)
7
18
  deep_merge (~> 1.0)
@@ -33,7 +44,7 @@ GEM
33
44
  hocon (~> 1.3)
34
45
  thor (>= 1.0.1, < 2.0)
35
46
  fast_gettext (1.1.2)
36
- ffi (1.14.2)
47
+ ffi (1.15.0)
37
48
  gettext (3.2.9)
38
49
  locale (>= 2.0.5)
39
50
  text (>= 1.3.0)
@@ -43,10 +54,10 @@ GEM
43
54
  locale
44
55
  hashdiff (1.0.1)
45
56
  hiera (3.6.0)
46
- hiera-eyaml (3.2.0)
47
- highline (~> 1.6.19)
57
+ hiera-eyaml (3.2.1)
58
+ highline
48
59
  optimist
49
- highline (1.6.21)
60
+ highline (2.0.3)
50
61
  hocon (1.3.1)
51
62
  hpricot (0.8.6)
52
63
  json-schema (2.8.1)
@@ -59,11 +70,6 @@ GEM
59
70
  multi_json (1.15.0)
60
71
  mustache (1.1.1)
61
72
  optimist (3.0.1)
62
- packaging (0.99.75)
63
- artifactory (~> 2)
64
- csv (= 3.1.5)
65
- rake (>= 12.3)
66
- release-metrics
67
73
  parallel (1.20.1)
68
74
  parser (2.7.2.0)
69
75
  ast (~> 2.4.1)
@@ -115,7 +121,7 @@ GEM
115
121
  unicode-display_width (~> 1.0, >= 1.0.1)
116
122
  rubocop-i18n (1.2.0)
117
123
  rubocop (~> 0.49.0)
118
- ruby-prof (1.4.2)
124
+ ruby-prof (1.4.3)
119
125
  ruby-progressbar (1.11.0)
120
126
  scanf (1.0.0)
121
127
  semantic_puppet (1.0.3)
@@ -123,7 +129,7 @@ GEM
123
129
  thor (1.1.0)
124
130
  unicode-display_width (1.7.0)
125
131
  vcr (5.1.0)
126
- webmock (3.11.2)
132
+ webmock (3.12.1)
127
133
  addressable (>= 2.3.6)
128
134
  crack (>= 0.3.2)
129
135
  hashdiff (>= 0.4.0, < 2.0.0)
@@ -142,7 +148,7 @@ DEPENDENCIES
142
148
  memory_profiler
143
149
  minitar (~> 0.9)
144
150
  msgpack (~> 1.2)
145
- packaging (~> 0.99)
151
+ packaging!
146
152
  pry
147
153
  puppet!
148
154
  puppet-resource_api (~> 1.5)
@@ -74,6 +74,9 @@ ACTIONS
74
74
  `--localca` is specified, then also remove this host's local copy of the
75
75
  CA certificate(s) and CRL bundle. if `--target CERTNAME` is specified, then
76
76
  remove the files for the specified device on this host instead of this host.
77
+
78
+ * show:
79
+ Print the full-text version of this host's certificate.
77
80
  HELP
78
81
  end
79
82
 
@@ -142,11 +145,19 @@ HELP
142
145
  end
143
146
  @machine.ensure_client_certificate
144
147
  Puppet.notice(_("Completed SSL initialization"))
148
+ when 'show'
149
+ show(certname)
145
150
  else
146
151
  raise Puppet::Error, _("Unknown action '%{action}'") % { action: action }
147
152
  end
148
153
  end
149
154
 
155
+ def show(certname)
156
+ password = @cert_provider.load_private_key_password
157
+ ssl_context = @ssl_provider.load_context(certname: certname, password: password)
158
+ puts ssl_context.client_cert.to_text
159
+ end
160
+
150
161
  def submit_request(ssl_context)
151
162
  key = @cert_provider.load_private_key(Puppet[:certname])
152
163
  unless key
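Review bot: `show` (L361–L369) loads the private key password and builds a full SSL context just to print the public certificate, so `puppet ssl show` will presumably fail whenever the key is unreadable or its passphrase is unavailable even though only the certificate is displayed; if the cert provider's certificate-only loader (`@cert_provider.load_client_cert(certname)`, worth confirming it is the right name) is enough here, the method could print that and reserve `load_context` for cases where chain verification is wanted. The method also has no documentation; add `# Print the client certificate for certname in OpenSSL text form (OpenSSL::X509::Certificate#to_text).` above `def show`. The `case action` statement that dispatches to it and the definition of `certname` are above the hunk.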
@@ -1033,6 +1033,14 @@ EOT
1033
1033
  certificate revocation checking and does not attempt to download the CRL.
1034
1034
  EOT
1035
1035
  },
1036
+ :ciphers => {
1037
+ :default => 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256',
1038
+ :type => :string,
1039
+ :desc => "The list of ciphersuites for TLS connections initiated by puppet. The
1040
+ default value is chosen to support TLS 1.0 and up, but can be made
1041
+ more restrictive if needed. The ciphersuites must be specified in OpenSSL
1042
+ format, not IANA."
1043
+ },
1036
1044
  :key_type => {
1037
1045
  :default => 'rsa',
1038
1046
  :type => :enum,
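Review bot: The `:desc` for `:ciphers` (L398–L404) should tell administrators that the default list deliberately ends with RSA-key-transport suites that lack forward secrecy (`AES128-GCM-SHA256`, `AES256-GCM-SHA384`, `AES128-SHA256`, `AES256-SHA256`) and keeps CBC/SHA-1 suites for TLS 1.0 interoperability, so hardened deployments know the default is not already strict; something like `Deployments that do not need TLS 1.0/1.1 peers can restrict the list to the ECDHE/DHE GCM and CHACHA20 suites.` As far as I can see nothing validates the value at settings-load time, so a malformed string is only rejected by OpenSSL when the first connection is opened; the desc should say so, and that on OpenSSL 1.1.1+ this list does not govern TLS 1.3 ciphersuites, which are configured separately.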
@@ -225,6 +225,9 @@ module Puppet::Environments
225
225
  private
226
226
 
227
227
  def create_environment(name)
228
+ # interpolated modulepaths may be cached from prior environment instances
229
+ Puppet.settings.clear_environment_settings(name)
230
+
228
231
  env_symbol = name.intern
229
232
  setting_values = Puppet.settings.values(env_symbol, Puppet.settings.preferred_run_mode)
230
233
  env = Puppet::Node::Environment.create(
@@ -350,7 +353,19 @@ module Puppet::Environments
350
353
 
351
354
  # @!macro loader_list
352
355
  def list
353
- @loader.list
356
+ # Evict all that have expired, in the same way as `get`
357
+ clear_all_expired
358
+
359
+ @loader.list.map do |env|
360
+ name = env.name
361
+ old_entry = @cache[name]
362
+ if old_entry
363
+ old_entry.value
364
+ else
365
+ add_entry(name, entry(env))
366
+ env
367
+ end
368
+ end
354
369
  end
355
370
 
356
371
  # @!macro loader_search_paths
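Review bot: `list` now writes to `@cache` through `add_entry` on L472, a side effect the `# @!macro loader_list` doc does not mention; add `# Environments the loader returns that are not yet cached are added to the cache, so a later get(name) yields the same instance; cached ones are returned as cached, not reloaded.` The cache key here is `env.name` (L462) while `get` keys by whatever its caller passes; if `get` can be invoked with a String name and `env.name` is a Symbol, the same environment could end up with two entries — I cannot confirm that from the hunk, but it is worth a check. `get`, `clear_all_expired`, `add_entry` and `entry` are defined outside the hunk.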
@@ -20,7 +20,7 @@ module Puppet::FFI::Windows
20
20
 
21
21
  class ::FFI::Pointer
22
22
  NULL_HANDLE = 0
23
- WCHAR_NULL = "\0\0".encode('UTF-16LE').freeze
23
+ WCHAR_NULL = "\0\0".force_encoding('UTF-16LE').freeze
24
24
 
25
25
  def self.from_string_to_wide_string(str, &block)
26
26
  str = Puppet::Util::Windows::String.wide_string(str)
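Review bot: The switch from `encode` to `force_encoding` on L501 also changes the constant's size: `"\0\0".encode('UTF-16LE')` transcodes two one-byte NULs into four bytes, whereas `force_encoding` relabels the existing two bytes, giving exactly one UTF-16LE NUL. That is presumably the intent, but nothing says so, and the old form looks "more correct" to a casual reader; add `# exactly one wide NUL (2 bytes): force_encoding relabels the bytes, encode would transcode each NUL and double them` so it is not reverted. Any caller that relied on the previous four-byte value (a double-NUL terminator) should be checked.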
@@ -7,6 +7,13 @@ class Puppet::FileSystem::MemoryFile
7
7
  new(path, :exist? => false, :executable? => false)
8
8
  end
9
9
 
10
+ def self.a_missing_directory(path)
11
+ new(path,
12
+ :exist? => false,
13
+ :executable? => false,
14
+ :directory? => true)
15
+ end
16
+
10
17
  def self.a_regular_file_containing(path, content)
11
18
  new(path, :exist? => true, :executable? => false, :content => content)
12
19
  end
@@ -18,7 +25,7 @@ class Puppet::FileSystem::MemoryFile
18
25
  def self.a_directory(path, children = [])
19
26
  new(path,
20
27
  :exist? => true,
21
- :excutable? => true,
28
+ :executable? => true,
22
29
  :directory? => true,
23
30
  :children => children)
24
31
  end
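Review bot: `a_missing_directory` (L522–L532) answers `directory?` true while `exist?` is false, which reads as contradictory without a comment; add `# A path that would be a directory but does not exist (exist? false, directory? true).` above it. In the second hunk the `:excutable?` → `:executable?` fix (L555–L557) means `a_directory` now actually reports `executable?` true where the misspelled key was presumably never consulted before, so specs built on these stubs may see a different answer — worth confirming.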
@@ -128,6 +128,8 @@ class Puppet::FileSystem::Windows < Puppet::FileSystem::Posix
128
128
  end
129
129
 
130
130
  current_sid = Puppet::Util::Windows::SID.name_to_sid(Puppet::Util::Windows::ADSI::User.current_user_name)
131
+ current_sid = Puppet::Util::Windows::SID.name_to_sid(Puppet::Util::Windows::ADSI::User.current_sam_compatible_user_name) unless current_sid
132
+
131
133
  dacl = case mode
132
134
  when 0644
133
135
  dacl = secure_dacl(current_sid)
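Review bot: When both `name_to_sid` lookups on L576 and L578 return nil, `current_sid` stays nil and is handed to `secure_dacl` on L589, so the failure — or a DACL built without the intended principal, whichever `secure_dacl` does with nil is not visible here — happens away from the point where the user could not be resolved; add an explicit guard after L578, `raise Puppet::Error, _("Unable to resolve the SID of the current user") unless current_sid`, before any permissions are written. The fallback line itself is clearer as `current_sid ||= Puppet::Util::Windows::SID.name_to_sid(Puppet::Util::Windows::ADSI::User.current_sam_compatible_user_name)` with a short comment on why the SAM-compatible name is tried second. The enclosing method starts and ends outside the hunk.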
@@ -26,6 +26,10 @@ class Puppet::HTTP::Factory
26
26
 
27
27
  http = Puppet::HTTP::Proxy.proxy(URI(site.addr))
28
28
  http.use_ssl = site.use_ssl?
29
+ if site.use_ssl?
30
+ http.min_version = OpenSSL::SSL::TLS1_VERSION if http.respond_to?(:min_version)
31
+ http.ciphers = Puppet[:ciphers]
32
+ end
29
33
  http.read_timeout = Puppet[:http_read_timeout]
30
34
  http.open_timeout = Puppet[:http_connect_timeout]
31
35
  http.keep_alive_timeout = KEEP_ALIVE_TIMEOUT if http.respond_to?(:keep_alive_timeout=)
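Review bot: The two new TLS lines (L603, L605) need comments on what they do and do not guarantee: `# Floor is TLS 1.0 to match the :ciphers default; on a Net::HTTP without min_version= no floor is set and OpenSSL's default applies.` and `# :ciphers governs TLS 1.2 and earlier only; with OpenSSL 1.1.1+ the TLS 1.3 suites are a separate list this does not touch.` Nothing here validates `Puppet[:ciphers]`; as far as I can tell a malformed string only surfaces as an `OpenSSL::SSL::SSLError` when the connection is opened, so validating the setting once at load time (feeding it to an `OpenSSL::SSL::SSLContext#ciphers=`) would fail fast with a clearer message. The enclosing method starts and ends outside the hunk.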
@@ -3,8 +3,11 @@ module Puppet::Network::HTTP
3
3
  HEADER_ENABLE_PROFILING = "X-Puppet-Profiling"
4
4
  HEADER_PUPPET_VERSION = "X-Puppet-Version"
5
5
 
6
- MASTER_URL_PREFIX = "/puppet"
7
- MASTER_URL_VERSIONS = "v3"
6
+ SERVER_URL_PREFIX = "/puppet"
7
+ SERVER_URL_VERSIONS = "v3"
8
+
9
+ MASTER_URL_PREFIX = SERVER_URL_PREFIX
10
+ MASTER_URL_VERSIONS = SERVER_URL_VERSIONS
8
11
 
9
12
  CA_URL_PREFIX = "/puppet-ca"
10
13
  CA_URL_VERSIONS = "v1"
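Review bot: The compatibility aliases on L638 and L640 carry no deprecation marker, so nothing steers readers toward the new names; add `# @deprecated Use SERVER_URL_PREFIX / SERVER_URL_VERSIONS instead.` above them. The same applies to `self.master_routes` in api.rb (L711–L715) and to `Puppet::Network::HTTP::API::Master = Puppet::Network::HTTP::API::Server` in api/master.rb (L729), each of which could carry a `# @deprecated` line pointing at its Server counterpart.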
@@ -18,18 +18,22 @@ class Puppet::Network::HTTP::API
18
18
  "Note that Puppet 3 agents aren't compatible with this version; if you're " +
19
19
  "running Puppet 3, you must either upgrade your agents to match the server " +
20
20
  "or point them to a server running Puppet 3.\n\n" +
21
- "Master Info:\n" +
21
+ "Server Info:\n" +
22
22
  " Puppet version: #{Puppet.version}\n" +
23
- " Supported /puppet API versions: #{Puppet::Network::HTTP::MASTER_URL_VERSIONS}\n",
23
+ " Supported /puppet API versions: #{Puppet::Network::HTTP::SERVER_URL_VERSIONS}\n",
24
24
  Puppet::Network::HTTP::Issues::HANDLER_NOT_FOUND)
25
25
  end)
26
26
  end
27
27
 
28
- def self.master_routes
29
- master_prefix = Regexp.new("^#{Puppet::Network::HTTP::MASTER_URL_PREFIX}/")
30
- Puppet::Network::HTTP::Route.path(master_prefix).
28
+ def self.server_routes
29
+ server_prefix = Regexp.new("^#{Puppet::Network::HTTP::SERVER_URL_PREFIX}/")
30
+ Puppet::Network::HTTP::Route.path(server_prefix).
31
31
  any.
32
- chain(Puppet::Network::HTTP::API::Master::V3.routes,
32
+ chain(Puppet::Network::HTTP::API::Server::V3.routes,
33
33
  Puppet::Network::HTTP::API.not_found)
34
34
  end
35
+
36
+ def self.master_routes
37
+ server_routes
38
+ end
35
39
  end
@@ -1,2 +1,3 @@
1
- module Puppet::Network::HTTP::API::Master
2
- end
1
+ require 'puppet/network/http/api/server'
2
+
3
+ Puppet::Network::HTTP::API::Master = Puppet::Network::HTTP::API::Server
@@ -1,26 +1,3 @@
1
- class Puppet::Network::HTTP::API::Master::V3
2
- require 'puppet/network/http/api/master/v3/environments'
3
- require 'puppet/network/http/api/indirected_routes'
1
+ require 'puppet/network/http/api/master'
2
+ require 'puppet/network/http/api/server/v3'
4
3
 
5
- def self.wrap(&block)
6
- lambda do |request, response|
7
- Puppet::Network::Authorization.check_external_authorization(request.method, request.path)
8
-
9
- block.call.call(request, response)
10
- end
11
- end
12
-
13
- INDIRECTED = Puppet::Network::HTTP::Route.
14
- path(/.*/).
15
- any(wrap { Puppet::Network::HTTP::API::IndirectedRoutes.new } )
16
-
17
- ENVIRONMENTS = Puppet::Network::HTTP::Route.
18
- path(%r{^/environments$}).
19
- get(wrap { Environments.new(Puppet.lookup(:environments)) } )
20
-
21
- def self.routes
22
- Puppet::Network::HTTP::Route.path(%r{v3}).
23
- any.
24
- chain(ENVIRONMENTS, INDIRECTED)
25
- end
26
- end
@@ -1,34 +1,3 @@
1
- require 'puppet/util/json'
1
+ require 'puppet/network/http/api/master'
2
+ require 'puppet/network/http/api/server/v3/environments'
2
3
 
3
- class Puppet::Network::HTTP::API::Master::V3::Environments
4
- def initialize(env_loader)
5
- @env_loader = env_loader
6
- end
7
-
8
- def call(request, response)
9
- response.respond_with(200, "application/json", Puppet::Util::Json.dump({
10
- "search_paths" => @env_loader.search_paths,
11
- "environments" => Hash[@env_loader.list.collect do |env|
12
- [env.name, {
13
- "settings" => {
14
- "modulepath" => env.full_modulepath,
15
- "manifest" => env.manifest,
16
- "environment_timeout" => timeout(env),
17
- "config_version" => env.config_version || '',
18
- }
19
- }]
20
- end]
21
- }))
22
- end
23
-
24
- private
25
-
26
- def timeout(env)
27
- ttl = @env_loader.get_conf(env.name).environment_timeout
28
- if ttl == Float::INFINITY
29
- "unlimited"
30
- else
31
- ttl
32
- end
33
- end
34
- end
@@ -0,0 +1,10 @@
1
+ module Puppet
2
+ module Network
3
+ module HTTP
4
+ class API
5
+ module Server
6
+ end
7
+ end
8
+ end
9
+ end
10
+ end
@@ -0,0 +1,39 @@
1
+ require 'puppet/network/http/api/server/v3/environments'
2
+ require 'puppet/network/http/api/indirected_routes'
3
+
4
+ module Puppet
5
+ module Network
6
+ module HTTP
7
+ class API
8
+ module Server
9
+ class V3
10
+
11
+ def self.wrap(&block)
12
+ lambda do |request, response|
13
+ Puppet::Network::Authorization.
14
+ check_external_authorization(request.method,
15
+ request.path)
16
+
17
+ block.call.call(request, response)
18
+ end
19
+ end
20
+
21
+ INDIRECTED = Puppet::Network::HTTP::Route.
22
+ path(/.*/).
23
+ any(wrap { Puppet::Network::HTTP::API::IndirectedRoutes.new } )
24
+
25
+ ENVIRONMENTS = Puppet::Network::HTTP::Route.
26
+ path(%r{^/environments$}).
27
+ get(wrap { Environments.new(Puppet.lookup(:environments)) } )
28
+
29
+ def self.routes
30
+ Puppet::Network::HTTP::Route.path(%r{v3}).
31
+ any.
32
+ chain(ENVIRONMENTS, INDIRECTED)
33
+ end
34
+ end
35
+ end
36
+ end
37
+ end
38
+ end
39
+ end
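Review bot: `self.wrap` (L905–L921) is the authorization choke point for every /v3 route but has no documentation; add `# Returns a lambda that runs the external authorization check for the request's method and path before dispatching to the handler built by the block; the block is evaluated on every request, so each request gets a fresh handler instance.` The comment matters because `INDIRECTED`'s `/.*/` path (L927) catches everything `ENVIRONMENTS` does not, and a route added later to `chain` without `wrap` would silently skip the check. This is moved code, so the same note applied to its previous home in api/master/v3.rb.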
@@ -0,0 +1,48 @@
1
+ require 'puppet/util/json'
2
+
3
+ module Puppet
4
+ module Network
5
+ module HTTP
6
+ class API
7
+ module Server
8
+ class V3
9
+ class Environments
10
+
11
+ def initialize(env_loader)
12
+ @env_loader = env_loader
13
+ end
14
+
15
+ def call(request, response)
16
+ response.respond_with(200, "application/json", Puppet::Util::Json.dump({
17
+ "search_paths" => @env_loader.search_paths,
18
+ "environments" => Hash[@env_loader.list.collect do |env|
19
+ [env.name, {
20
+ "settings" => {
21
+ "modulepath" => env.full_modulepath,
22
+ "manifest" => env.manifest,
23
+ "environment_timeout" => timeout(env),
24
+ "config_version" => env.config_version || '',
25
+ }
26
+ }]
27
+ end]
28
+ }))
29
+ end
30
+
31
+ private
32
+
33
+ def timeout(env)
34
+ ttl = @env_loader.get_conf(env.name).environment_timeout
35
+ if ttl == Float::INFINITY
36
+ "unlimited"
37
+ else
38
+ ttl
39
+ end
40
+ end
41
+ end
42
+ end
43
+ end
44
+ end
45
+ end
46
+ end
47
+ end
48
+
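Review bot: `call` (L992–L1020) builds the environments map with `Hash[@env_loader.list.collect { ... }]`, which is the pre-Ruby-2.1 idiom; `@env_loader.list.each_with_object({}) { |env, envs| envs[env.name] = { "settings" => { ... } } }` (or `to_h` with a block, if the supported Ruby floor is 2.6+) reads more directly. The class has no header; something like `# Handler for GET /puppet/v3/environments: responds 200 with JSON containing search_paths and, per environment, its modulepath, manifest, environment_timeout ("unlimited" for an infinite TTL) and config_version.` would state the contract. `timeout` (L1028–L1042) assumes `get_conf(env.name)` returns a conf for every environment `list` returned; if the loader can drop one in between this becomes a NoMethodError rather than a clean response — worth confirming.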