puppet 2.7.17 → 2.7.18

data/CHANGELOG

@@ -1,3 +1,19 @@
+2.7.18
+===
+d804782 Reject directory traversal in store report processor
+fd44bf5 Tighten permissions on classfile, resourcefile, lastrunfile, and lastrunreport.
+4d7c9fd Use "inspect" when listing certificates
+bd2820e Don't allow the creation of SSL objects with invalid certnames
+f341962 Validate CSR CN and provided certname before signing
+38c5a4e Add specs for selector terminuses of file_{content,metadata}
+9e920a8 Fix whitespace inside parentheses
+2d01c2b Use head method to determine if file is in file bucket
+40ee670 Always use the local file_bucket on master
+d881b4b Fail more gracefully when finding module files if no file is specified
+20ab0e9 Reject file requests containing ..
+10f6cb8 Add Selector terminus for file_content/file_metadata
+ab9150b Deprecate IP-based authentication
+
 2.7.17
 ===
 30d89d3 (maint) Add symlink stub to gentoo service provider spec

data/conf/redhat/puppet.spec

@@ -5,7 +5,7 @@
 %global confdir conf/redhat
 
 Name:           puppet
-Version:        2.7.17
+Version:        2.7.18
 #Release:        0.1rc1.2%{?dist}
 Release:        1%{?dist}
 Summary:        A network tool for managing many disparate systems
@@ -289,6 +289,9 @@ fi
 rm -rf %{buildroot}
 
 %changelog
+* Mon Jul 9 2012 Moses Mendoza <moses@puppetlabs.com> - 2.7.18-1
+- Update for 2.7.18
+
 * Tue Jun 19 2012 Matthaus Litteken <matthaus@puppetlabs.com> - 2.7.17-1
 - Update for 2.7.17
 

data/lib/puppet.rb

@@ -24,7 +24,7 @@ require 'puppet/util/run_mode'
 # it's also a place to find top-level commands like 'debug'
 
 module Puppet
-  PUPPETVERSION = '2.7.17'
+  PUPPETVERSION = '2.7.18'
 
   def Puppet.version
     PUPPETVERSION

data/lib/puppet/application/master.rb

@@ -163,8 +163,6 @@ Copyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License
 
   def main
     require 'etc'
-    require 'puppet/file_serving/content'
-    require 'puppet/file_serving/metadata'
 
     xmlrpc_handlers = [:Status, :FileServer, :Master, :Report, :Filebucket]
 
@@ -205,9 +203,7 @@ Copyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License
     end
   end
 
-  def setup
-    raise Puppet::Error.new("Puppet master is not supported on Microsoft Windows") if Puppet.features.microsoft_windows?
-
+  def setup_logs
     # Handle the logging settings.
     if options[:debug] or options[:verbose]
       if options[:debug]
@@ -223,14 +219,22 @@ Copyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License
     end
 
     Puppet::Util::Log.newdestination(:syslog) unless options[:setdest]
+  end
 
-    exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
-
-    Puppet.settings.use :main, :master, :ssl, :metrics
+  def setup_terminuses
+    require 'puppet/file_serving/content'
+    require 'puppet/file_serving/metadata'
 
     # Cache our nodes in yaml.  Currently not configurable.
     Puppet::Node.indirection.cache_class = :yaml
 
+    Puppet::FileServing::Content.indirection.terminus_class = :file_server
+    Puppet::FileServing::Metadata.indirection.terminus_class = :file_server
+
+    Puppet::FileBucket::File.indirection.terminus_class = :file
+  end
+
+  def setup_ssl
     # Configure all of the SSL stuff.
     if Puppet::SSL::CertificateAuthority.ca?
       Puppet::SSL::Host.ca_location = :local
@@ -240,4 +244,18 @@ Copyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License
       Puppet::SSL::Host.ca_location = :none
     end
   end
+
+  def setup
+    raise Puppet::Error.new("Puppet master is not supported on Microsoft Windows") if Puppet.features.microsoft_windows?
+
+    setup_logs
+
+    exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
+
+    Puppet.settings.use :main, :master, :ssl, :metrics
+
+    setup_terminuses
+
+    setup_ssl
+  end
 end

data/lib/puppet/defaults.rb

@@ -599,14 +599,14 @@ EOT
     :client_datadir => {:default => "$vardir/client_data", :mode => "750", :desc => "The directory in which serialized data is stored on the client."},
     :classfile => { :default => "$statedir/classes.txt",
       :owner => "root",
-      :mode => 0644,
+      :mode => 0640,
       :desc => "The file in which puppet agent stores a list of the classes
         associated with the retrieved configuration.  Can be loaded in
         the separate `puppet` executable using the `--loadclasses`
         option."},
     :resourcefile => { :default => "$statedir/resources.txt",
       :owner => "root",
-      :mode => 0644,
+      :mode => 0640,
       :desc => "The file in which puppet agent stores a list of the resources
         associated with the retrieved configuration."  },
     :puppetdlog => { :default => "$logdir/puppetd.log",
@@ -713,11 +713,11 @@ EOT
       "Whether to send reports after every transaction."
     ],
     :lastrunfile =>  { :default => "$statedir/last_run_summary.yaml",
-      :mode => 0644,
+      :mode => 0640,
       :desc => "Where puppet agent stores the last run report summary in yaml format."
     },
     :lastrunreport =>  { :default => "$statedir/last_run_report.yaml",
-      :mode => 0644,
+      :mode => 0640,
       :desc => "Where puppet agent stores the last run report in yaml format."
     },
     :graph => [false, "Whether to create dot graph files for the different

data/lib/puppet/face/file/download.rb

@@ -35,7 +35,7 @@ Puppet::Face.define(:file, '0.0.1') do
         key = "#{type}/#{sumdata}"
 
         Puppet::FileBucket::File.indirection.terminus_class = :file
-        if Puppet::FileBucket::File.indirection.find(key)
+        if Puppet::FileBucket::File.indirection.head(key)
           Puppet.info "Content for '#{sum}' already exists"
           return
         end

data/lib/puppet/file_bucket/file.rb

@@ -8,13 +8,12 @@ class Puppet::FileBucket::File
   # There are mechanisms to save and load this file locally and remotely in puppet/indirector/filebucketfile/*
   # There is a compatibility class that emulates pre-indirector filebuckets in Puppet::FileBucket::Dipper
   extend Puppet::Indirector
-  require 'puppet/file_bucket/file/indirection_hooks'
-  indirects :file_bucket_file, :terminus_class => :file, :extend => Puppet::FileBucket::File::IndirectionHooks
+  indirects :file_bucket_file, :terminus_class => :selector
 
   attr :contents
   attr :bucket_path
 
-  def initialize( contents, options = {} )
+  def initialize(contents, options = {})
     raise ArgumentError.new("contents must be a String, got a #{contents.class}") unless contents.is_a?(String)
     @contents = contents
 
@@ -42,15 +41,15 @@ class Puppet::FileBucket::File
     "#{checksum_type}/#{checksum_data}"
   end
 
-  def self.from_s( contents )
-    self.new( contents )
+  def self.from_s(contents)
+    self.new(contents)
   end
 
   def to_pson
     { "contents" => contents }.to_pson
   end
 
-  def self.from_pson( pson )
-    self.new( pson["contents"] )
+  def self.from_pson(pson)
+    self.new(pson["contents"])
   end
 end

data/lib/puppet/file_serving/configuration.rb

@@ -64,7 +64,8 @@ class Puppet::FileServing::Configuration
 
     mount_name, path = request.key.split(File::Separator, 2)
 
-    raise(ArgumentError, "Cannot find file: Invalid path '#{mount_name}'") unless mount_name =~ %r{^[-\w]+$}
+    raise(ArgumentError, "Cannot find file: Invalid mount '#{mount_name}'") unless mount_name =~ %r{^[-\w]+$}
+    raise(ArgumentError, "Cannot find file: Invalid relative path '#{path}'") if path and path.split('/').include?('..')
 
     return nil unless mount = find_mount(mount_name, request.environment)
     if mount.name == "modules" and mount_name != "modules"

data/lib/puppet/file_serving/content.rb

@@ -1,14 +1,13 @@
 require 'puppet/indirector'
 require 'puppet/file_serving'
 require 'puppet/file_serving/base'
-require 'puppet/file_serving/indirection_hooks'
 
 # A class that handles retrieving file contents.
 # It only reads the file when its content is specifically
 # asked for.
 class Puppet::FileServing::Content < Puppet::FileServing::Base
   extend Puppet::Indirector
-  indirects :file_content, :extend => Puppet::FileServing::IndirectionHooks
+  indirects :file_content, :terminus_class => :selector
 
   attr_writer :content
 

data/lib/puppet/file_serving/metadata.rb

@@ -3,7 +3,6 @@ require 'puppet/indirector'
 require 'puppet/file_serving'
 require 'puppet/file_serving/base'
 require 'puppet/util/checksums'
-require 'puppet/file_serving/indirection_hooks'
 
 # A class that handles retrieving file metadata.
 class Puppet::FileServing::Metadata < Puppet::FileServing::Base
@@ -11,7 +10,7 @@ class Puppet::FileServing::Metadata < Puppet::FileServing::Base
   include Puppet::Util::Checksums
 
   extend Puppet::Indirector
-  indirects :file_metadata, :extend => Puppet::FileServing::IndirectionHooks
+  indirects :file_metadata, :terminus_class => :selector
 
   attr_reader :path, :owner, :group, :mode, :checksum_type, :checksum, :ftype, :destination
 

data/lib/puppet/file_serving/mount/modules.rb

@@ -5,6 +5,7 @@ require 'puppet/file_serving/mount'
 class Puppet::FileServing::Mount::Modules < Puppet::FileServing::Mount
   # Return an instance of the appropriate class.
   def find(path, request)
+    raise "No module specified" if path.to_s.empty?
     module_name, relative_path = path.split("/", 2)
     return nil unless mod = request.environment.module(module_name)
 
@@ -12,11 +13,9 @@ class Puppet::FileServing::Mount::Modules < Puppet::FileServing::Mount
   end
 
   def search(path, request)
-    module_name, relative_path = path.split("/", 2)
-    return nil unless mod = request.environment.module(module_name)
-
-    return nil unless path = mod.file(relative_path)
-    [path]
+    if result = find(path, request)
+      [result]
+    end
   end
 
   def valid?

data/lib/puppet/file_serving/{indirection_hooks.rb → terminus_selector.rb}

@@ -1,15 +1,12 @@
-require 'uri'
 require 'puppet/file_serving'
-require 'puppet/util'
 
 # This module is used to pick the appropriate terminus
 # in file-serving indirections.  This is necessary because
 # the terminus varies based on the URI asked for.
-module Puppet::FileServing::IndirectionHooks
+module Puppet::FileServing::TerminusSelector
   PROTOCOL_MAP = {"puppet" => :rest, "file" => :file}
 
-  # Pick an appropriate terminus based on the protocol.
-  def select_terminus(request)
+  def select(request)
     # We rely on the request's parsing of the URI.
 
     # Short-circuit to :file if it's a fully-qualified path or specifies a 'file' protocol.

data/lib/puppet/indirector/file_bucket_file/selector.rb

@@ -0,0 +1,49 @@
+require 'puppet/indirector/code'
+
+module Puppet::FileBucketFile
+  class Selector < Puppet::Indirector::Code
+    desc "Select the terminus based on the request"
+
+    def select(request)
+      if request.protocol == 'https'
+        :rest
+      else
+        :file
+      end
+    end
+
+    def get_terminus(request)
+      indirection.terminus(select(request))
+    end
+
+    def head(request)
+      get_terminus(request).head(request)
+    end
+
+    def find(request)
+      get_terminus(request).find(request)
+    end
+
+    def save(request)
+      get_terminus(request).save(request)
+    end
+
+    def search(request)
+      get_terminus(request).search(request)
+    end
+
+    def destroy(request)
+      get_terminus(request).destroy(request)
+    end
+
+    def authorized?(request)
+      terminus = get_terminus(request)
+      if terminus.respond_to?(:authorized?)
+        terminus.authorized?(request)
+      else
+        true
+      end
+    end
+  end
+end
+

data/lib/puppet/indirector/file_content/selector.rb

@@ -0,0 +1,30 @@
+require 'puppet/file_serving/content'
+require 'puppet/indirector/file_content'
+require 'puppet/indirector/code'
+require 'puppet/file_serving/terminus_selector'
+
+class Puppet::Indirector::FileContent::Selector < Puppet::Indirector::Code
+  desc "Select the terminus based on the request"
+  include Puppet::FileServing::TerminusSelector
+
+  def get_terminus(request)
+    indirection.terminus(select(request))
+  end
+
+  def find(request)
+    get_terminus(request).find(request)
+  end
+
+  def search(request)
+    get_terminus(request).search(request)
+  end
+
+  def authorized?(request)
+    terminus = get_terminus(request)
+    if terminus.respond_to?(:authorized?)
+      terminus.authorized?(request)
+    else
+      true
+    end
+  end
+end

data/lib/puppet/indirector/file_metadata/selector.rb

@@ -0,0 +1,30 @@
+require 'puppet/file_serving/metadata'
+require 'puppet/indirector/file_metadata'
+require 'puppet/indirector/code'
+require 'puppet/file_serving/terminus_selector'
+
+class Puppet::Indirector::FileMetadata::Selector < Puppet::Indirector::Code
+  desc "Select the terminus based on the request"
+  include Puppet::FileServing::TerminusSelector
+
+  def get_terminus(request)
+    indirection.terminus(select(request))
+  end
+
+  def find(request)
+    get_terminus(request).find(request)
+  end
+
+  def search(request)
+    get_terminus(request).search(request)
+  end
+
+  def authorized?(request)
+    terminus = get_terminus(request)
+    if terminus.respond_to?(:authorized?)
+      terminus.authorized?(request)
+    else
+      true
+    end
+  end
+end

data/lib/puppet/network/authstore.rb

@@ -150,7 +150,16 @@ module Puppet
 
       # Does this declaration match the name/ip combo?
       def match?(name, ip)
-        ip? ? pattern.include?(IPAddr.new(ip)) : matchname?(name)
+        if ip?
+          if pattern.include?(IPAddr.new(ip))
+            Puppet.deprecation_warning "Authentication based on IP address is deprecated; please use certname-based rules instead"
+            true
+          else
+            false
+          end
+        else
+          matchname?(name)
+        end
       end
 
       # Set the pattern appropriately.  Also sets the name and length.
@@ -212,7 +221,6 @@ module Puppet
 
       # Convert the name to a common pattern.
       def munge_name(name)
-        # LAK:NOTE http://snurl.com/21zf8  [groups_google_com]
         # Change to name.downcase.split(".",-1).reverse for FQDN support
         name.downcase.split(".").reverse
       end

data/lib/puppet/reports/store.rb

@@ -2,6 +2,8 @@ require 'puppet'
 require 'fileutils'
 require 'tempfile'
 
+SEPARATOR = [Regexp.escape(File::SEPARATOR.to_s), Regexp.escape(File::ALT_SEPARATOR.to_s)].join
+
 Puppet::Reports.register_report(:store) do
   desc "Store the yaml report on disk.  Each host sends its report as a YAML dump
     and this just stores the file on disk, in the `reportdir` directory.
@@ -13,9 +15,11 @@ Puppet::Reports.register_report(:store) do
   def process
     # We don't want any tracking back in the fs.  Unlikely, but there
     # you go.
-    client = self.host.gsub("..",".")
+    if host =~ Regexp.union(/[#{SEPARATOR}]/, /\A\.\.?\Z/)
+      raise ArgumentError, "Invalid node name #{host.inspect}"
+    end
 
-    dir = File.join(Puppet[:reportdir], client)
+    dir = File.join(Puppet[:reportdir], host)
 
     if ! FileTest.exists?(dir)
       FileUtils.mkdir_p(dir)
@@ -42,17 +46,20 @@ Puppet::Reports.register_report(:store) do
       FileUtils.mv(f.path, file)
     rescue => detail
       puts detail.backtrace if Puppet[:trace]
-      Puppet.warning "Could not write report for #{client} at #{file}: #{detail}"
+      Puppet.warning "Could not write report for #{host} at #{file}: #{detail}"
     end
 
     # Only testing cares about the return value
     file
   end
 
-  # removes all reports for a given host
+  # removes all reports for a given host?
   def self.destroy(host)
-    client = host.gsub("..",".")
-    dir = File.join(Puppet[:reportdir], client)
+    if host =~ Regexp.union(/[#{SEPARATOR}]/, /\A\.\.?\Z/)
+      raise ArgumentError, "Invalid node name #{host.inspect}"
+    end
+
+    dir = File.join(Puppet[:reportdir], host)
 
     if File.exists?(dir)
       Dir.entries(dir).each do |file|