puppet 3.6.1 → 3.6.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 952f14811133b7d7bdfb1e2ea843e3da8f38a12c
+  data.tar.gz: b7e2b14ef818a11ec622252f9ca1b6ba75b12daf
+SHA512:
+  metadata.gz: 5dda05fc1e431d416eb81a9580e7ca9fd841b29c60caffb442c8846c7dc0e8e45d90a54bd692a82fd98a071af0d5c7be58e634a37dbb5b7bbb1977709b6c0f38
+  data.tar.gz: 1f6a6d2e3485201365b92850cf9567d4bebc6b5f6037ccfc42a694400a25dd61260bda654290ae899165f6b5436ac943674ed0ea9b048a8f9f99ee578701eb2e

data/bin/puppet

@@ -1,4 +1,8 @@
 #!/usr/bin/env ruby
 
+# For security reasons, ensure that '.' is not on the load path
+# This is primarily for 1.8.7 since 1.9.2+ doesn't put '.' on the load path
+$LOAD_PATH.delete '.'
+
 require 'puppet/util/command_line'
 Puppet::Util::CommandLine.new.execute

data/ext/debian/puppetmaster-passenger.postinst

@@ -3,6 +3,7 @@
 set -e
 
 sitename="puppetmaster"
+apache2_version="$(dpkg-query --showformat='${Version}\n' --show apache2)"
 
 # The debian provided a2* utils in Apache 2.4 uses "site name" as
 # argument, while the version in Apache 2.2 uses "file name".
@@ -14,7 +15,6 @@ sitename="puppetmaster"
 # This will end in tears…
 # Can be removed when we only support apache >= 2.4
 apache2_puppetmaster_sitename() {
-    apache2_version="$(dpkg-query --showformat='${Version}\n' --show apache2)"
     if dpkg --compare-versions "$apache2_version" gt "2.4~"; then
         echo "${sitename}.conf"
     else
@@ -49,6 +49,91 @@ update_vhost_for_passenger4() {
     fi
 }
 
+# In Apache 2.2, if either the SSLCARevocationFile or SSLCARevocationPath
+# directives were specified then the specified file(s) would be checked when
+# establishing an SSL connection. Apache 2.4+ the SSLCARevocationCheck directive
+# was added to control how CRLs were checked when verifying a connection and had
+# a default value of none.  This means that Apache defaults to ignoring CRLs even
+# if paths are specified to CRL files.
+#
+# This function automatically uncomments the SSLCARevocationCheck directive when
+# the currently installed version of Apache is 2.4.
+update_vhost_for_apache24() {
+    if dpkg --compare-versions "$apache2_version" gt "2.4~"; then
+        sed -r -i \
+            -e "/# SSLCARevocationCheck/s/# //" \
+        $tempfile
+    fi
+}
+
+# Update an existing vhost definition with the SSLCARevocationCheck directive
+# on Apache 2.4+. This scans an existing vhost file for the SSLCARevocationCheck
+# directive and adds it to the file after the SSLCARevocationFile directive.
+#
+# See https://tickets.puppetlabs.com/browse/PUP-2533 for more information.
+update_vhost_for_apache24_upgrade() {
+    APACHE2_SITE_FILE="/etc/apache2/sites-available/$(apache2_puppetmaster_sitename)"
+
+    if dpkg --compare-versions "$apache2_version" gt "2.4~"; then
+        if ! grep -q "^[[:space:]]*SSLCARevocationCheck" $APACHE2_SITE_FILE ; then
+            tempfile=$(mktemp)
+            sed -r \
+                -e "/SSLCARevocationFile/a\\        SSLCARevocationCheck chain" \
+                $APACHE2_SITE_FILE > $tempfile
+            mv $tempfile $APACHE2_SITE_FILE
+        fi
+    fi
+}
+
+
+create_initial_puppetmaster_vhost() {
+    # Check that puppet master --configprint works properly
+    # If it doesn't the following steps to update the vhost will produce a very unhelpful and broken vhost
+    if [ $(puppet master --configprint all 2>&1 | grep "Could not parse" | wc -l) != "0" ]; then
+        echo "Puppet config print not working properly, exiting"
+        exit 1
+    fi
+
+    # Initialize puppetmaster CA and generate the master certificate
+    # only if the host doesn't already have any puppet ssl certificate.
+    # The ssl key and cert need to be available (eg generated) before
+    # apache2 is configured and started since apache2 ssl configuration
+    # uses the puppetmaster ssl files.
+    if [ ! -e "$(puppet master --configprint hostcert)" ]; then
+        puppet cert generate $(puppet master --configprint certname)
+    fi
+
+    # Setup apache2 configuration files
+    APACHE2_SITE_FILE="/etc/apache2/sites-available/$(apache2_puppetmaster_sitename)"
+    if  [ ! -e "${APACHE2_SITE_FILE}" ]; then
+        tempfile=$(mktemp)
+        sed -r \
+            -e "s|(SSLCertificateFile\s+).+$|\1$(puppet master --configprint hostcert)|" \
+            -e "s|(SSLCertificateKeyFile\s+).+$|\1$(puppet master --configprint hostprivkey)|" \
+            -e "s|(SSLCACertificateFile\s+).+$|\1$(puppet master --configprint localcacert)|" \
+            -e "s|(SSLCertificateChainFile\s+).+$|\1$(puppet master --configprint localcacert)|" \
+            -e "s|(SSLCARevocationFile\s+).+$|\1$(puppet master --configprint cacrl)|" \
+            -e "s|DocumentRoot /etc/puppet/rack/public|DocumentRoot /usr/share/puppet/rack/puppetmasterd/public|" \
+            -e "s|<Directory /etc/puppet/rack/>|<Directory /usr/share/puppet/rack/puppetmasterd/>|" \
+            /usr/share/puppetmaster-passenger/apache2.site.conf.tmpl > $tempfile
+        update_vhost_for_passenger4
+        update_vhost_for_apache24
+        mv $tempfile "${APACHE2_SITE_FILE}"
+    fi
+
+    # Enable needed modules
+    a2enmod ssl
+    a2enmod headers
+    a2ensite ${sitename}
+    restart_apache2
+}
+
+update_existing_puppetmaster_vhost() {
+    if dpkg --compare-versions "${1}" lt "3.6.2~"; then
+        update_vhost_for_apache24_upgrade
+    fi
+}
+
 if [ "$1" = "configure" ]; then
 
     # Change the owner of the rack config.ru to be the puppet user
@@ -57,47 +142,12 @@ if [ "$1" = "configure" ]; then
     then
         dpkg-statoverride --update --add puppet puppet 0644 /usr/share/puppet/rack/puppetmasterd/config.ru
     fi
-    # Setup passenger configuration
-    if [ "$2" = "" ]; then
 
-        # Check that puppet master --configprint works properly
-        # If it doesn't the following steps to update the vhost will produce a very unhelpful and broken vhost
-        if [ $(puppet master --configprint all 2>&1 | grep "Could not parse" | wc -l) != "0" ]; then
-            echo "Puppet config print not working properly, exiting"
-            exit 1
-        fi
-
-        # Initialize puppetmaster CA and generate the master certificate
-        # only if the host doesn't already have any puppet ssl certificate.
-        # The ssl key and cert need to be available (eg generated) before
-        # apache2 is configured and started since apache2 ssl configuration
-        # uses the puppetmaster ssl files.
-        if [ ! -e "$(puppet master --configprint hostcert)" ]; then
-            puppet cert generate $(puppet master --configprint certname)
-        fi
-
-        # Setup apache2 configuration files
-        APACHE2_SITE_FILE="/etc/apache2/sites-available/$(apache2_puppetmaster_sitename)"
-        if  [ ! -e "${APACHE2_SITE_FILE}" ]; then
-            tempfile=$(mktemp)
-            sed -r \
-                -e "s|(SSLCertificateFile\s+).+$|\1$(puppet master --configprint hostcert)|" \
-                -e "s|(SSLCertificateKeyFile\s+).+$|\1$(puppet master --configprint hostprivkey)|" \
-                -e "s|(SSLCACertificateFile\s+).+$|\1$(puppet master --configprint localcacert)|" \
-                -e "s|(SSLCertificateChainFile\s+).+$|\1$(puppet master --configprint localcacert)|" \
-                -e "s|(SSLCARevocationFile\s+).+$|\1$(puppet master --configprint cacrl)|" \
-                -e "s|DocumentRoot /etc/puppet/rack/public|DocumentRoot /usr/share/puppet/rack/puppetmasterd/public|" \
-                -e "s|<Directory /etc/puppet/rack/>|<Directory /usr/share/puppet/rack/puppetmasterd/>|" \
-                /usr/share/puppetmaster-passenger/apache2.site.conf.tmpl > $tempfile
-            update_vhost_for_passenger4
-            mv $tempfile "${APACHE2_SITE_FILE}"
-        fi
-
-        # Enable needed modules
-        a2enmod ssl
-        a2enmod headers
-        a2ensite ${sitename}
-        restart_apache2
+    # Setup puppetmaster passenger vhost
+    if [ "$2" = "" ]; then
+        create_initial_puppetmaster_vhost
+    else
+        update_existing_puppetmaster_vhost $2
     fi
 
     # Fix CRL file on upgrade to use the CA crl file instead of the host crl.

data/ext/rack/example-passenger-vhost.conf

@@ -29,6 +29,10 @@ Listen 8140
         # If Apache complains about invalid signatures on the CRL, you can try disabling
         # CRL checking by commenting the next line, but this is not recommended.
         SSLCARevocationFile     /etc/puppet/ssl/ca/ca_crl.pem
+        # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
+        # which effectively disables CRL checking; if you are using Apache 2.4+ you must
+        # specify 'SSLCARevocationCheck chain' to actually use the CRL.
+        # SSLCARevocationCheck chain
         SSLVerifyClient optional
         SSLVerifyDepth  1
         # The `ExportCertData` option is needed for agent certificate expiration warnings

data/lib/puppet/configurer/downloader.rb

@@ -25,8 +25,8 @@ class Puppet::Configurer::Downloader
     files
   end
 
-  def initialize(name, path, source, ignore = nil, environment = nil)
-    @name, @path, @source, @ignore, @environment = name, path, source, ignore, environment
+  def initialize(name, path, source, ignore = nil, environment = nil, source_permissions = :ignore)
+    @name, @path, @source, @ignore, @environment, @source_permissions = name, path, source, ignore, environment, source_permissions
   end
 
   def catalog
@@ -51,7 +51,7 @@ class Puppet::Configurer::Downloader
       :path => path,
       :recurse => true,
       :source => source,
-      :source_permissions => :ignore,
+      :source_permissions => @source_permissions,
       :tag => name,
       :purge => true,
       :force => true,

data/lib/puppet/configurer/plugin_handler.rb

@@ -17,7 +17,8 @@ module Puppet::Configurer::PluginHandler
           Puppet[:pluginfactdest],
           Puppet[:pluginfactsource],
           Puppet[:pluginsignore],
-          environment
+          environment,
+          :use
        )
        plugin_fact_downloader.evaluate
     end

data/lib/puppet/defaults.rb

@@ -58,6 +58,20 @@ module Puppet
       :type       => :enum,
       :values     => ["debug","info","notice","warning","err","alert","emerg","crit"],
       :desc       => "Default logging level",
+    },
+    :disable_warnings => {
+      :default => [],
+      :type    => :array,
+      :desc    => "A list of warning types to disable. Currently the only warning type that can be
+        disabled are deprecations, but more warning types may be added later.",
+      :hook      => proc do |value|
+        values = munge(value)
+        valid   = %w[deprecations]
+        invalid = values - (values & valid)
+        if not invalid.empty?
+          raise ArgumentError, "Cannot disable unrecognized warning types #{invalid.inspect}. Valid values are #{valid.inspect}."
+        end
+      end
     }
   )
 
@@ -356,7 +370,7 @@ module Puppet
       a file (such as manifests or templates) has changed on disk. #{AS_DURATION}",
     },
     :environment_timeout => {
-      :default    => "5s",
+      :default    => "3m",
       :type       => :ttl,
       :desc       => "The time to live for a cached environment. The time is either given #{AS_DURATION}, or
       the word 'unlimited' which causes the environment to be cached until the master is restarted."
@@ -414,6 +428,7 @@ module Puppet
       Setting a global value for config_version in puppet.conf is deprecated. Please set a
       per-environment value in environment.conf instead. For more info, see
       http://docs.puppetlabs.com/puppet/latest/reference/environments.html",
+      :deprecated => :allowed_on_commandline,
     },
     :zlib => {
         :default  => true,
@@ -897,7 +912,8 @@ EOT
       :type       => :directory,
       :desc       => "Used to build the default value of the `manifest` setting. Has no other purpose.
 
-        This setting is deprecated."
+        This setting is deprecated.",
+      :deprecated => :completely,
     },
     :manifest => {
       :default    => "$manifestdir/site.pp",
@@ -911,6 +927,7 @@ EOT
         environment's `manifests` directory as the main manifest, you can set
         `manifest` in environment.conf. For more info, see
         http://docs.puppetlabs.com/puppet/latest/reference/environments.html",
+      :deprecated => :allowed_on_commandline,
     },
     :code => {
       :default    => "",
@@ -998,6 +1015,7 @@ EOT
         default modulepath of `<ACTIVE ENVIRONMENT'S MODULES DIR>:$basemodulepath`,
         you can set `modulepath` in environment.conf. For more info, see
         http://docs.puppetlabs.com/puppet/latest/reference/environments.html",
+      :deprecated => :allowed_on_commandline,
     },
     :ssl_client_header => {
       :default    => "HTTP_X_CLIENT_DN",
@@ -1825,7 +1843,8 @@ EOT
         :desc     => "Where Puppet looks for template files.  Can be a list of colon-separated
           directories.
 
-          This setting is deprecated. Please put your templates in modules instead."
+          This setting is deprecated. Please put your templates in modules instead.",
+        :deprecated => :completely,
     },
 
     :allow_variables_with_dashes => {

data/lib/puppet/indirector/facts/facter.rb

@@ -55,7 +55,7 @@ class Puppet::Node::Facts::Facter < Puppet::Indirector::Code
         begin
           Puppet.info "Loading facts in #{fqfile}"
           ::Timeout::timeout(Puppet[:configtimeout]) do
-            load file
+            load File.join('.', file)
           end
         rescue SystemExit,NoMemoryError
           raise

data/lib/puppet/network/http/webrick/rest.rb

@@ -7,6 +7,10 @@ class Puppet::Network::HTTP::WEBrickREST < WEBrick::HTTPServlet::AbstractServlet
 
   include Puppet::Network::HTTP::Handler
 
+  def self.mutex
+    @mutex ||= Mutex.new
+  end
+
   def initialize(server)
     raise ArgumentError, "server is required" unless server
     register([Puppet::Network::HTTP::API::V2.routes, Puppet::Network::HTTP::API::V1.routes])
@@ -26,9 +30,12 @@ class Puppet::Network::HTTP::WEBrickREST < WEBrick::HTTPServlet::AbstractServlet
     params.merge(client_information(request))
   end
 
-  # WEBrick uses a service method to respond to requests.  Simply delegate to the handler response method.
+  # WEBrick uses a service method to respond to requests.  Simply delegate to
+  # the handler response method.
   def service(request, response)
-    process(request, response)
+    self.class.mutex.synchronize do
+      process(request, response)
+    end
   end
 
   def headers(request)

data/lib/puppet/node/environment.rb

@@ -479,6 +479,8 @@ class Puppet::Node::Environment
       self.manifest == other.manifest
   end
 
+  alias eql? ==
+
   def hash
     [self.class, name, full_modulepath, manifest].hash
   end

data/lib/puppet/parser/ast.rb

@@ -125,6 +125,5 @@ require 'puppet/parser/ast/resource_override'
 require 'puppet/parser/ast/resource_reference'
 require 'puppet/parser/ast/resourceparam'
 require 'puppet/parser/ast/selector'
-require 'puppet/parser/ast/tag'
 require 'puppet/parser/ast/vardef'
 require 'puppet/parser/code_merger'

data/lib/puppet/parser/ast/collexpr.rb

@@ -56,7 +56,7 @@ class CollExpr < AST::Branch
     return match, code
   end
 
-  # Late binding evaluation of a collect expression (as done in 3x), but with proper Puppet Langauge
+  # Late binding evaluation of a collect expression (as done in 3x), but with proper Puppet Language
   # semantics for equals and include
   #
   def evaluate4x(scope)

data/lib/puppet/parser/functions.rb

@@ -17,8 +17,7 @@ module Puppet::Parser::Functions
   #
   # @api private
   def self.reset
-    @functions = Hash.new { |h,k| h[k] = {} }
-    @modules = Hash.new
+    @modules = {}
 
     # Runs a newfunction to create a function for each of the log levels
     Puppet::Util::Log.levels.each do |level|
@@ -44,7 +43,21 @@ module Puppet::Parser::Functions
   #
   # @api private
   def self.environment_module(env)
-    @modules[env.name] ||= Module.new
+    @modules[env.name] ||= Module.new do
+      @metadata = {}
+
+      def self.all_function_info
+        @metadata
+      end
+
+      def self.get_function_info(name)
+        @metadata[name]
+      end
+
+      def self.add_function_info(name, info)
+        @metadata[name] = info
+      end
+    end
   end
 
   # Create a new Puppet DSL function.
@@ -144,7 +157,9 @@ module Puppet::Parser::Functions
     environment_module(environment).send(:define_method, real_fname, &block)
 
     fname = "function_#{name}"
-    environment_module(environment).send(:define_method, fname) do |*args|
+    env_module = environment_module(environment)
+
+    env_module.send(:define_method, fname) do |*args|
       Puppet::Util::Profiler.profile("Called #{name}") do
         if args[0].is_a? Array
           if arity >= 0 and args[0].size != arity
@@ -162,7 +177,8 @@ module Puppet::Parser::Functions
     func = {:arity => arity, :type => ftype, :name => fname}
     func[:doc] = options[:doc] if options[:doc]
 
-    add_function(name, func, environment)
+    env_module.add_function_info(name, func)
+
     func
   end
 
@@ -239,17 +255,14 @@ module Puppet::Parser::Functions
     private
 
     def merged_functions(environment)
-      @functions[Puppet.lookup(:root_environment)].merge(@functions[environment])
-    end
+      root = environment_module(Puppet.lookup(:root_environment))
+      env = environment_module(environment)
 
-    def get_function(name, environment)
-      name = name.intern
-      merged_functions(environment)[name]
+      root.all_function_info.merge(env.all_function_info)
     end
 
-    def add_function(name, func, environment)
-      name = name.intern
-      @functions[environment][name] = func
+    def get_function(name, environment)
+      environment_module(environment).get_function_info(name.intern) || environment_module(Puppet.lookup(:root_environment)).get_function_info(name.intern)
     end
   end
 end

data/lib/puppet/parser/resource.rb

@@ -191,6 +191,17 @@ class Puppet::Parser::Resource < Puppet::Resource
     copy_as_resource.to_ral
   end
 
+  # Is the receiver tagged with the given tags?
+  # This match takes into account the tags that a resource will inherit from its container
+  # but have not been set yet.
+  # It does *not* take tags set via resource defaults as these will *never* be set on
+  # the resource itself since all resources always have tags that are automatically
+  # assigned.
+  #
+  def tagged?(*tags)
+    super || ((scope_resource = scope.resource) && scope_resource != self && scope_resource.tagged?(tags))
+  end
+
   private
 
   # Add default values from our definition.