puppet 7.8.0 → 7.9.0

data/spec/unit/ssl/ssl_provider_spec.rb

@@ -505,28 +505,30 @@ describe Puppet::SSL::SSLProvider do
       }.to raise_error(Puppet::Error, /The client certificate is missing from/)
     end
 
-    it 'loads the private key and client cert' do
-      ssl_context = subject.load_context
+    context 'loading private keys', unless: RUBY_PLATFORM == 'java' do
+      it 'loads the private key and client cert' do
+        ssl_context = subject.load_context
 
-      expect(ssl_context.private_key).to be_an(OpenSSL::PKey::RSA)
-      expect(ssl_context.client_cert).to be_an(OpenSSL::X509::Certificate)
-    end
+        expect(ssl_context.private_key).to be_an(OpenSSL::PKey::RSA)
+        expect(ssl_context.client_cert).to be_an(OpenSSL::X509::Certificate)
+      end
 
-    it 'loads a password protected key and client cert' do
-      FileUtils.cp(File.join(PuppetSpec::FIXTURE_DIR, 'ssl', 'encrypted-key.pem'), File.join(Puppet[:privatekeydir], 'signed.pem'))
+      it 'loads a password protected key and client cert' do
+        FileUtils.cp(File.join(PuppetSpec::FIXTURE_DIR, 'ssl', 'encrypted-key.pem'), File.join(Puppet[:privatekeydir], 'signed.pem'))
 
-      ssl_context = subject.load_context(password: '74695716c8b6')
+        ssl_context = subject.load_context(password: '74695716c8b6')
 
-      expect(ssl_context.private_key).to be_an(OpenSSL::PKey::RSA)
-      expect(ssl_context.client_cert).to be_an(OpenSSL::X509::Certificate)
-    end
+        expect(ssl_context.private_key).to be_an(OpenSSL::PKey::RSA)
+        expect(ssl_context.client_cert).to be_an(OpenSSL::X509::Certificate)
+      end
 
-    it 'raises if the password is incorrect' do
-      FileUtils.cp(File.join(PuppetSpec::FIXTURE_DIR, 'ssl', 'encrypted-key.pem'), File.join(Puppet[:privatekeydir], 'signed.pem'))
+      it 'raises if the password is incorrect' do
+        FileUtils.cp(File.join(PuppetSpec::FIXTURE_DIR, 'ssl', 'encrypted-key.pem'), File.join(Puppet[:privatekeydir], 'signed.pem'))
 
-      expect {
-        subject.load_context(password: 'wrongpassword')
-      }.to raise_error(Puppet::SSL::SSLError, /Failed to load private key for host 'signed': Could not parse PKey/)
+        expect {
+          subject.load_context(password: 'wrongpassword')
+        }.to raise_error(Puppet::SSL::SSLError, /Failed to load private key for host 'signed': Could not parse PKey/)
+      end
     end
   end
 

data/spec/unit/type/exec_spec.rb

@@ -239,6 +239,19 @@ RSpec.describe Puppet::Type.type(:exec) do
     expect(dependencies.collect(&:to_s)).to eq([Puppet::Relationship.new(tmp, execer).to_s])
   end
 
+  it "should be able to autorequire files mentioned in the array command" do
+    foo = make_absolute('/bin/foo')
+    catalog = Puppet::Resource::Catalog.new
+    tmp = Puppet::Type.type(:file).new(:name => foo)
+    execer = Puppet::Type.type(:exec).new(:name => 'test array', :command => [foo, 'bar'])
+
+    catalog.add_resource tmp
+    catalog.add_resource execer
+    dependencies = execer.autorequire(catalog)
+
+    expect(dependencies.collect(&:to_s)).to eq([Puppet::Relationship.new(tmp, execer).to_s])
+  end
+
   describe "when handling the path parameter" do
     expect = %w{one two three four}
     { "an array"                                      => expect,
@@ -346,7 +359,13 @@ RSpec.describe Puppet::Type.type(:exec) do
   end
 
   shared_examples_for "all exec command parameters" do |param|
-    { "relative" => "example", "absolute" => "/bin/example" }.sort.each do |name, command|
+    array_cmd = ["/bin/example", "*"]
+    array_cmd = [["/bin/example", "*"]] if [:onlyif, :unless].include?(param)
+
+    commands = { "relative" => "example", "absolute" => "/bin/example" }
+    commands["array"] = array_cmd
+
+    commands.sort.each do |name, command|
       describe "if command is #{name}" do
         before :each do
           @param = param
@@ -379,45 +398,44 @@ RSpec.describe Puppet::Type.type(:exec) do
   end
 
   shared_examples_for "all exec command parameters that take arrays" do |param|
-    describe "when given an array of inputs" do
-      before :each do
-        @test = Puppet::Type.type(:exec).new(:name => @executable)
-      end
+    [
+      %w{one two three},
+      [%w{one -a}, %w{two, -b}, 'three']
+    ].each do |input|
+      context "when given #{input.inspect} as input" do
+        let(:resource) { Puppet::Type.type(:exec).new(:name => @executable) }
 
-      it "should accept the array when all commands return valid" do
-        input = %w{one two three}
-        expect(@test.provider).to receive(:validatecmd).exactly(input.length).times.and_return(true)
-        @test[param] = input
-        expect(@test[param]).to eq(input)
-      end
+        it "accepts the array when all commands return valid" do
+          input = %w{one two three}
+          allow(resource.provider).to receive(:validatecmd).exactly(input.length).times.and_return(true)
+          resource[param] = input
+          expect(resource[param]).to eq(input)
+        end
 
-      it "should reject the array when any commands return invalid" do
-        input = %w{one two three}
-        expect(@test.provider).to receive(:validatecmd).with(input.first).and_return(false)
-        input[1..-1].each do |cmd|
-          expect(@test.provider).to receive(:validatecmd).with(cmd).and_return(true)
+        it "rejects the array when any commands return invalid" do
+          input = %w{one two three}
+          allow(resource.provider).to receive(:validatecmd).with(input[0]).and_return(true)
+          allow(resource.provider).to receive(:validatecmd).with(input[1]).and_raise(Puppet::Error)
+
+          expect { resource[param] = input }.to raise_error(Puppet::ResourceError, /Parameter #{param} failed/)
         end
-        @test[param] = input
-        expect(@test[param]).to eq(input)
-      end
 
-      it "should reject the array when all commands return invalid" do
-        input = %w{one two three}
-        expect(@test.provider).to receive(:validatecmd).exactly(input.length).times.and_return(false)
-        @test[param] = input
-        expect(@test[param]).to eq(input)
+        it "stops at the first invalid command" do
+          input = %w{one two three}
+          allow(resource.provider).to receive(:validatecmd).with(input[0]).and_raise(Puppet::Error)
+
+          expect(resource.provider).not_to receive(:validatecmd).with(input[1])
+          expect(resource.provider).not_to receive(:validatecmd).with(input[2])
+          expect { resource[param] = input }.to raise_error(Puppet::ResourceError, /Parameter #{param} failed/)
+        end
       end
     end
   end
 
   describe "when setting command" do
     subject { described_class.new(:name => @command) }
-    it "fails when passed an Array" do
-      expect { subject[:command] = [] }.to raise_error Puppet::Error, /Command must be a String/
-    end
-
     it "fails when passed a Hash" do
-      expect { subject[:command] = {} }.to raise_error Puppet::Error, /Command must be a String/
+      expect { subject[:command] = {} }.to raise_error Puppet::Error, /Command must be a String or Array<String>/
     end
   end
 
@@ -759,6 +777,35 @@ RSpec.describe Puppet::Type.type(:exec) do
           end
         end
 
+        context 'with an array of arrays with multiple items' do
+          before do
+            [true, false].each do |check|
+              allow(@test.provider).to receive(:run).with([@pass, '--flag'], check).
+                and_return(['test output', @pass_status])
+              allow(@test.provider).to receive(:run).with([@fail, '--flag'], check).
+                and_return(['test output', @fail_status])
+              allow(@test.provider).to receive(:run).with([@pass], check).
+                and_return(['test output', @pass_status])
+              allow(@test.provider).to receive(:run).with([@fail], check).
+                and_return(['test output', @fail_status])
+            end
+          end
+          it "runs if all the commands exits non-zero" do
+            @test[param] = [[@fail, '--flag'], [@fail], [@fail, '--flag']]
+            expect(@test.check_all_attributes).to eq(true)
+          end
+
+          it "does not run if one command exits zero" do
+            @test[param] = [[@pass, '--flag'], [@pass], [@fail, '--flag']]
+            expect(@test.check_all_attributes).to eq(false)
+          end
+
+          it "does not run if all command exits zero" do
+            @test[param] = [[@pass, '--flag'], [@pass], [@pass, '--flag']]
+            expect(@test.check_all_attributes).to eq(false)
+          end
+        end
+
         it "should emit output to debug" do
           Puppet::Util::Log.level = :debug
           @test[param] = @fail

data/spec/unit/type/file/source_spec.rb

@@ -263,7 +263,7 @@ describe Puppet::Type.type(:file).attrclass(:source), :uses_checksums => true do
 
           expect(@resource[:owner]).to eq(100)
           expect(@resource[:group]).to eq(200)
-          expect(@resource[:mode]).to eq("173")
+          expect(@resource[:mode]).to eq("0173")
 
           # Metadata calls it checksum and checksum_type, we call it content and checksum.
           expect(@resource[:content]).to eq(@metadata.checksum)
@@ -280,7 +280,7 @@ describe Puppet::Type.type(:file).attrclass(:source), :uses_checksums => true do
 
           expect(@resource[:owner]).to eq(1)
           expect(@resource[:group]).to eq(2)
-          expect(@resource[:mode]).to eq('173')
+          expect(@resource[:mode]).to eq('0173')
           expect(@resource[:content]).not_to eq(@metadata.checksum)
           expect(@resource[:checksum]).not_to eq(@metadata.checksum_type.to_sym)
         end
@@ -317,7 +317,7 @@ describe Puppet::Type.type(:file).attrclass(:source), :uses_checksums => true do
 
             expect(@resource[:owner]).to eq(100)
             expect(@resource[:group]).to eq(200)
-            expect(@resource[:mode]).to eq("173")
+            expect(@resource[:mode]).to eq("0173")
           end
 
           it "copies the remote owner" do
@@ -335,7 +335,7 @@ describe Puppet::Type.type(:file).attrclass(:source), :uses_checksums => true do
           it "copies the remote mode" do
             @source.copy_source_values
 
-            expect(@resource[:mode]).to eq("173")
+            expect(@resource[:mode]).to eq("0173")
           end
         end
 

data/spec/unit/type/tidy_spec.rb

@@ -280,6 +280,13 @@ describe tidy do
         @ager.tidy?(@basepath, @stat)
       end
 
+      it "should return true if the specified age is 0" do
+        @tidy[:age] = "0"
+        expect(@stat).to receive(:mtime).and_return(Time.now)
+
+        expect(@ager).to be_tidy(@basepath, @stat)
+      end
+
       it "should return false if the file is more recent than the specified age" do
         expect(@stat).to receive(:mtime).and_return(Time.now)
 

data/spec/unit/util/ldap/connection_spec.rb

@@ -29,7 +29,7 @@ describe Puppet::Util::Ldap::Connection do
     allow(LDAP::Conn).to receive(:new).and_return(@ldapconn)
     allow(LDAP::SSLConn).to receive(:new).and_return(@ldapconn)
 
-    @connection = Puppet::Util::Ldap::Connection.new("host", "port")
+    @connection = Puppet::Util::Ldap::Connection.new("host", 1234)
   end
 
 
@@ -39,31 +39,31 @@ describe Puppet::Util::Ldap::Connection do
     end
 
     it "should allow specification of a user and password" do
-      expect { Puppet::Util::Ldap::Connection.new("myhost", "myport", :user => "blah", :password => "boo") }.not_to raise_error
+      expect { Puppet::Util::Ldap::Connection.new("myhost", 1234, :user => "blah", :password => "boo") }.not_to raise_error
     end
 
     it "should allow specification of ssl" do
-      expect { Puppet::Util::Ldap::Connection.new("myhost", "myport", :ssl => :tsl) }.not_to raise_error
+      expect { Puppet::Util::Ldap::Connection.new("myhost", 1234, :ssl => :tsl) }.not_to raise_error
     end
 
     it "should support requiring a new connection" do
-      expect { Puppet::Util::Ldap::Connection.new("myhost", "myport", :reset => true) }.not_to raise_error
+      expect { Puppet::Util::Ldap::Connection.new("myhost", 1234, :reset => true) }.not_to raise_error
     end
 
     it "should fail if ldap is unavailable" do
       expect(Puppet.features).to receive(:ldap?).and_return(false)
 
-      expect { Puppet::Util::Ldap::Connection.new("host", "port") }.to raise_error(Puppet::Error)
+      expect { Puppet::Util::Ldap::Connection.new("host", 1234) }.to raise_error(Puppet::Error)
     end
 
     it "should use neither ssl nor tls by default" do
-      expect(LDAP::Conn).to receive(:new).with("host", "port").and_return(@ldapconn)
+      expect(LDAP::Conn).to receive(:new).with("host", 1234).and_return(@ldapconn)
 
       @connection.start
     end
 
     it "should use LDAP::SSLConn if ssl is requested" do
-      expect(LDAP::SSLConn).to receive(:new).with("host", "port").and_return(@ldapconn)
+      expect(LDAP::SSLConn).to receive(:new).with("host", 1234).and_return(@ldapconn)
 
       @connection.ssl = true
 
@@ -71,7 +71,7 @@ describe Puppet::Util::Ldap::Connection do
     end
 
     it "should use LDAP::SSLConn and tls if tls is requested" do
-      expect(LDAP::SSLConn).to receive(:new).with("host", "port", true).and_return(@ldapconn)
+      expect(LDAP::SSLConn).to receive(:new).with("host", 1234, true).and_return(@ldapconn)
 
       @connection.ssl = :tls
 
@@ -121,8 +121,8 @@ describe Puppet::Util::Ldap::Connection do
     end
 
     it "should use the :ldapport setting to determine the port" do
-      Puppet[:ldapport] = "456"
-      expect(Puppet::Util::Ldap::Connection).to receive(:new).with(anything, "456", anything)
+      Puppet[:ldapport] = 456
+      expect(Puppet::Util::Ldap::Connection).to receive(:new).with(anything, 456, anything)
       Puppet::Util::Ldap::Connection.instance
     end
 

data/spec/unit/util/ldap/manager_spec.rb

@@ -245,8 +245,8 @@ describe Puppet::Util::Ldap::Manager, :if => Puppet.features.ldap? do
     end
 
     it "should open the connection with its port set to the :ldapport" do
-      Puppet[:ldapport] = "28"
-      expect(Puppet::Util::Ldap::Connection).to receive(:new).with(anything, "28", anything).and_return(@conn)
+      Puppet[:ldapport] = 28
+      expect(Puppet::Util::Ldap::Connection).to receive(:new).with(anything, 28, anything).and_return(@conn)
 
       @manager.connect { |c| }
     end

data/spec/unit/util/windows/sid_spec.rb

@@ -131,38 +131,73 @@ describe "Puppet::Util::Windows::SID", :if => Puppet::Util::Platform.windows? do
       expect(subject.name_to_principal(unknown_name)).to be_nil
     end
 
+    it "should print a debug message if the account does not exist" do
+      expect(Puppet).to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal(unknown_name)
+    end
+
     it "should return a Puppet::Util::Windows::SID::Principal instance for any valid sid" do
       expect(subject.name_to_principal(sid)).to be_an_instance_of(Puppet::Util::Windows::SID::Principal)
     end
 
+    it "should not print debug messages for valid sid" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).not_to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal(sid)
+    end
+
+    it "should print a debug message for invalid sid" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal('S-1-5-21-INVALID-SID')
+    end
+
     it "should accept unqualified account name" do
       # NOTE: lookup by name works in localized environments only for a few instances
       # this works in French Windows, even though the account is really Syst\u00E8me
       expect(subject.name_to_principal('SYSTEM').sid).to eq(sid)
     end
 
+    it "should not print debug messages for unqualified account name" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).not_to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal('SYSTEM')
+    end
+
     it "should be case-insensitive" do
       # NOTE: lookup by name works in localized environments only for a few instances
       # this works in French Windows, even though the account is really Syst\u00E8me
       expect(subject.name_to_principal('SYSTEM')).to eq(subject.name_to_principal('system'))
     end
 
+    it "should not print debug messages for wrongly cased account name" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).not_to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal('system')
+    end
+
     it "should be leading and trailing whitespace-insensitive" do
       # NOTE: lookup by name works in localized environments only for a few instances
       # this works in French Windows, even though the account is really Syst\u00E8me
       expect(subject.name_to_principal('SYSTEM')).to eq(subject.name_to_principal(' SYSTEM '))
     end
 
+    it "should not print debug messages for account name with leading and trailing whitespace" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).not_to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal(' SYSTEM ')
+    end
+
     it "should accept domain qualified account names" do
       # NOTE: lookup by name works in localized environments only for a few instances
       # this works in French Windows, even though the account is really AUTORITE NT\\Syst\u00E8me
       expect(subject.name_to_principal('NT AUTHORITY\SYSTEM').sid).to eq(sid)
     end
 
-    it "should print a debug message on failures" do
-      expect(Puppet).to receive(:debug).with(/Could not retrieve raw SID bytes from 'NonExistingUser'/)
-      expect(Puppet).to receive(:debug).with(/No mapping between account names and security IDs was done/)
-      subject.name_to_principal('NonExistingUser')
+    it "should not print debug messages for domain qualified account names" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).not_to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal('NT AUTHORITY\SYSTEM')
     end
   end
 

data/spec/unit/util_spec.rb

@@ -142,9 +142,7 @@ describe Puppet::Util do
 
     # In 2.3, the behavior is mostly correct when external codepage is 65001 / UTF-8
     it "works around Ruby bug 8822 (which fails to preserve UTF-8 properly when accessing ENV) (Ruby >= 2.3.x) ",
-      :if => Puppet::Util::Platform.windows? do
-
-      raise 'This test requires a non-UTF8 codepage' if Encoding.default_external == Encoding::UTF_8
+      :if => Puppet::Util::Platform.windows? && RUBY_VERSION.to_f < 3 do
 
       withenv_utf8 do |utf_8_key, utf_8_value, codepage_key|
         # Ruby 2.3 fixes access by the original UTF-8 key, and behaves differently than 2.1

data/spec/unit/x509/cert_provider_spec.rb

@@ -223,7 +223,7 @@ describe Puppet::X509::CertProvider do
   end
 
   context 'when loading' do
-    context 'private keys' do
+    context 'private keys', unless: RUBY_PLATFORM == 'java' do
       let(:provider) { create_provider(privatekeydir: fixture_dir) }
       let(:password) { '74695716c8b6' }
 
@@ -298,6 +298,14 @@ describe Puppet::X509::CertProvider do
           expect(provider.load_private_key('ec-key')).to be_a(OpenSSL::PKey::EC)
         end
 
+        it 'returns an EC key from PKCS#8 format' do
+          expect(provider.load_private_key('ec-key-pk8')).to be_a(OpenSSL::PKey::EC)
+        end
+
+        it 'returns an EC key from openssl format' do
+          expect(provider.load_private_key('ec-key-openssl')).to be_a(OpenSSL::PKey::EC)
+        end
+
         it 'decrypts an EC key using the password' do
           ec = provider.load_private_key('encrypted-ec-key', password: password)
           expect(ec).to be_a(OpenSSL::PKey::EC)

data/tasks/generate_cert_fixtures.rake

@@ -40,6 +40,7 @@ task(:gen_cert_fixtures) do
   # 127.0.0.1.pem                     |   +- /CN=127.0.0.1 (with dns alt names)
   # tampered-cert.pem                 |   +- /CN=signed (with different public key)
   # ec.pem                            |   +- /CN=ec (with EC private key)
+  # oid.pem                           |   +- /CN=oid (with custom oid)
   #                                   |
   #                                   + /CN=Test CA Agent Subauthority
   #                                   |  |
@@ -49,7 +50,7 @@ task(:gen_cert_fixtures) do
   #
   # bad-basic-constraints.pem        /CN=Test CA (bad isCA constraint)
   #
-  # unknown-ca.pemm                  /CN=Unknown CA
+  # unknown-ca.pem                   /CN=Unknown CA
   #                                   |
   # unknown-127.0.0.1.pem             +- /CN=127.0.0.1
   #
@@ -103,6 +104,14 @@ task(:gen_cert_fixtures) do
   save(dir, '127.0.0.1.pem', signed[:cert])
   save(dir, '127.0.0.1-key.pem', signed[:private_key])
 
+  # Create an SSL cert with extensions containing custom oids
+  extensions = [
+    ['1.3.6.1.4.1.34380.1.2.1.1', OpenSSL::ASN1::UTF8String.new('somevalue'), false],
+  ]
+  oid = ca.create_cert('oid', inter[:cert], inter[:private_key], extensions: extensions)
+  save(dir, 'oid.pem', oid[:cert])
+  save(dir, 'oid-key.pem', oid[:private_key])
+
   # Create a leaf/entity key and cert for host "revoked", issued by "Test CA Subauthority"
   # and revoke the cert
   revoked = ca.create_cert('revoked', inter[:cert], inter[:private_key])