puppet 6.7.2-universal-darwin → 6.8.0-universal-darwin


Potentially problematic release.


This version of puppet might be problematic. Click here for more details.

Files changed (89) hide show
  1. checksums.yaml +4 -4
  2. data/CODEOWNERS +9 -9
  3. data/Gemfile +1 -1
  4. data/Gemfile.lock +7 -7
  5. data/install.rb +3 -21
  6. data/lib/puppet/application/agent.rb +17 -13
  7. data/lib/puppet/application/device.rb +10 -0
  8. data/lib/puppet/defaults.rb +21 -6
  9. data/lib/puppet/face/facts.rb +1 -1
  10. data/lib/puppet/face/parser.rb +3 -2
  11. data/lib/puppet/forge.rb +19 -4
  12. data/lib/puppet/indirector/certificate/file.rb +1 -0
  13. data/lib/puppet/indirector/certificate/rest.rb +1 -0
  14. data/lib/puppet/indirector/certificate_request/file.rb +1 -0
  15. data/lib/puppet/indirector/certificate_request/memory.rb +1 -0
  16. data/lib/puppet/indirector/certificate_request/rest.rb +1 -0
  17. data/lib/puppet/indirector/key/file.rb +1 -0
  18. data/lib/puppet/indirector/key/memory.rb +1 -0
  19. data/lib/puppet/module_tool/applications/installer.rb +0 -3
  20. data/lib/puppet/network/http/factory.rb +1 -11
  21. data/lib/puppet/pops/lookup/key_recorder.rb +18 -0
  22. data/lib/puppet/pops/lookup/lookup_adapter.rb +7 -0
  23. data/lib/puppet/pops/lookup.rb +1 -0
  24. data/lib/puppet/provider/file/posix.rb +5 -0
  25. data/lib/puppet/provider/nameservice.rb +10 -3
  26. data/lib/puppet/provider/package/apt.rb +1 -1
  27. data/lib/puppet/provider/package/dpkg.rb +17 -3
  28. data/lib/puppet/provider/service/launchd.rb +20 -5
  29. data/lib/puppet/provider/service/systemd.rb +5 -10
  30. data/lib/puppet/provider/user/pw.rb +12 -3
  31. data/lib/puppet/provider/user/user_role_add.rb +4 -0
  32. data/lib/puppet/provider/user/useradd.rb +25 -11
  33. data/lib/puppet/ssl/certificate.rb +2 -0
  34. data/lib/puppet/ssl/host.rb +3 -0
  35. data/lib/puppet/ssl/key.rb +2 -0
  36. data/lib/puppet/util/http_proxy.rb +17 -3
  37. data/lib/puppet/util/monkey_patches.rb +0 -16
  38. data/lib/puppet/util/selinux.rb +5 -1
  39. data/lib/puppet/util/windows/security.rb +2 -0
  40. data/lib/puppet/util/windows/sid.rb +1 -0
  41. data/lib/puppet/version.rb +1 -1
  42. data/lib/puppet/x509/cert_provider.rb +13 -15
  43. data/locales/puppet.pot +77 -65
  44. data/man/man5/puppet.conf.5 +20 -4
  45. data/man/man8/puppet-agent.8 +24 -7
  46. data/man/man8/puppet-apply.8 +1 -1
  47. data/man/man8/puppet-catalog.8 +1 -1
  48. data/man/man8/puppet-config.8 +1 -1
  49. data/man/man8/puppet-describe.8 +1 -1
  50. data/man/man8/puppet-device.8 +1 -1
  51. data/man/man8/puppet-doc.8 +1 -1
  52. data/man/man8/puppet-epp.8 +1 -1
  53. data/man/man8/puppet-facts.8 +1 -1
  54. data/man/man8/puppet-filebucket.8 +1 -1
  55. data/man/man8/puppet-generate.8 +1 -1
  56. data/man/man8/puppet-help.8 +1 -1
  57. data/man/man8/puppet-key.8 +1 -1
  58. data/man/man8/puppet-lookup.8 +1 -1
  59. data/man/man8/puppet-man.8 +1 -1
  60. data/man/man8/puppet-module.8 +1 -1
  61. data/man/man8/puppet-node.8 +1 -1
  62. data/man/man8/puppet-parser.8 +1 -1
  63. data/man/man8/puppet-plugin.8 +1 -1
  64. data/man/man8/puppet-report.8 +1 -1
  65. data/man/man8/puppet-resource.8 +1 -1
  66. data/man/man8/puppet-script.8 +1 -1
  67. data/man/man8/puppet-ssl.8 +1 -1
  68. data/man/man8/puppet-status.8 +1 -1
  69. data/man/man8/puppet.8 +2 -2
  70. data/spec/integration/provider/service/systemd_spec.rb +7 -5
  71. data/spec/integration/type/file_spec.rb +28 -0
  72. data/spec/unit/application/device_spec.rb +26 -0
  73. data/spec/unit/face/facts_spec.rb +9 -0
  74. data/spec/unit/face/parser_spec.rb +17 -5
  75. data/spec/unit/forge/module_release_spec.rb +66 -31
  76. data/spec/unit/module_tool/applications/installer_spec.rb +0 -9
  77. data/spec/unit/network/http/factory_spec.rb +27 -5
  78. data/spec/unit/provider/package/dpkg_spec.rb +84 -4
  79. data/spec/unit/provider/service/launchd_spec.rb +28 -0
  80. data/spec/unit/provider/service/systemd_spec.rb +14 -0
  81. data/spec/unit/provider/user/pw_spec.rb +37 -0
  82. data/spec/unit/provider/user/useradd_spec.rb +42 -0
  83. data/spec/unit/transaction_spec.rb +18 -0
  84. data/spec/unit/util/http_proxy_spec.rb +24 -1
  85. data/spec/unit/x509/cert_provider_spec.rb +1 -1
  86. metadata +4 -7
  87. data/ext/windows/eventlog/Rakefile +0 -32
  88. data/ext/windows/eventlog/puppetres.dll +0 -0
  89. data/ext/windows/eventlog/puppetres.mc +0 -18
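--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: e37f78bdb2bb4c71f4302ae7a4868fb892e48cacaae5550d362ff7bbc5d2e2d5
- data.tar.gz: e26741edd0ed42842461e2045de4d4b0d86681d87fa7d1788e17033fd41b22ed
+ metadata.gz: 6499c686c4bf854eadd79ed655461b3e64e9ba7a9bf9164728717c8e69679748
+ data.tar.gz: 34fff83b7811ccf9bf0cec90ab5c6fb4d4251b2cfeaa5331d8d6fb01860db2ff
  SHA512:
- metadata.gz: ad6b08a5e46c208230ff970289ba60ecc14d353c350d5665b7c3313d6d5d89f9a4a70e6394345ee76e3d741ca1ca973a81a88ed38644208a31b95a4f6026c195
- data.tar.gz: a3cc0b4a465313780d9a70f7b8bf1c42048cd974e7914c976dace9b999295446e91d18896e9b904223dd3daec6c4c94b064d7ec1629d07734858ed291e666fcb
+ metadata.gz: d856db8d30bc8a77198998525cfb5dea36db856096862ffba21cc2d8792de03c8575b8e5dc065f6351412f5c081f6a8b8e537750f58f0f95022dec218c0d882f
+ data.tar.gz: 36f03ab60e5ffe8126c4dafcae83cfe51bf3798fd460077b468bedea14c135d52f681867f99a013aea266a5bc6e84124f698527b214a060b06c7653f670c9815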
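--- a/data/CODEOWNERS
+++ b/data/CODEOWNERS
@@ -1,15 +1,15 @@
  # default to platform-core
  * @puppetlabs/platform-core
 
- # platform-os
- /lib/puppet/type/group @puppetlabs/platform-os
- /lib/puppet/type/package @puppetlabs/platform-os
- /lib/puppet/type/service @puppetlabs/platform-os
- /lib/puppet/type/user @puppetlabs/platform-os
- /lib/puppet/provider/group @puppetlabs/platform-os
- /lib/puppet/provider/package @puppetlabs/platform-os
- /lib/puppet/provider/service @puppetlabs/platform-os
- /lib/puppet/provider/user @puppetlabs/platform-os
+ # Night's Watch
+ /lib/puppet/type/group @puppetlabs/night-s-watch
+ /lib/puppet/type/package @puppetlabs/night-s-watch
+ /lib/puppet/type/service @puppetlabs/night-s-watch
+ /lib/puppet/type/user @puppetlabs/night-s-watch
+ /lib/puppet/provider/group @puppetlabs/night-s-watch
+ /lib/puppet/provider/package @puppetlabs/night-s-watch
+ /lib/puppet/provider/service @puppetlabs/night-s-watch
+ /lib/puppet/provider/user @puppetlabs/night-s-watch
 
  # language
  /lib/puppet/datatypes @puppetlabs/language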
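--- a/data/Gemfile
+++ b/data/Gemfile
@@ -23,7 +23,7 @@ group(:features) do
  gem 'hiera-eyaml', require: false
  gem 'hocon', '~> 1.0', require: false
  # requires native libshadow headers/libs
- # gem 'libshadow', '~> 1.0', require: false, platforms: [:ruby]
+ #gem 'ruby-shadow', '~> 2.5', require: false, platforms: [:ruby]
  gem 'minitar', '~> 0.6', require: false
  gem 'msgpack', '~> 1.2', require: false
  gem 'rdoc', '~> 6.0', require: false, platforms: [:ruby]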
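--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
  PATH
  remote: .
  specs:
- puppet (6.7.2)
+ puppet (6.8.0)
  CFPropertyList (~> 2.2)
  facter (>= 2.4.0, < 4)
  fast_gettext (~> 1.1)
@@ -28,7 +28,7 @@ GEM
  gettext (3.2.9)
  locale (>= 2.0.5)
  text (>= 1.3.0)
- gettext-setup (0.30)
+ gettext-setup (0.31)
  fast_gettext (~> 1.1.0)
  gettext (>= 3.0.2)
  locale
@@ -47,11 +47,11 @@ GEM
  memory_profiler (0.9.14)
  method_source (0.9.2)
  minitar (0.8)
- msgpack (1.3.0)
+ msgpack (1.3.1)
  multi_json (1.13.1)
  mustache (1.1.0)
  optimist (3.0.0)
- packaging (0.99.36)
+ packaging (0.99.38)
  artifactory (~> 2)
  rake (~> 12.3)
  parallel (1.17.0)
@@ -64,7 +64,7 @@ GEM
  public_suffix (3.1.1)
  puppet-resource_api (1.8.6)
  hocon (>= 1.0)
- puppetserver-ca (1.3.2)
+ puppetserver-ca (1.4.0)
  facter (>= 2.0.1, < 4)
  racc (1.4.9)
  rainbow (2.2.2)
@@ -103,7 +103,7 @@ GEM
  unicode-display_width (~> 1.0, >= 1.0.1)
  rubocop-i18n (1.2.0)
  rubocop (~> 0.49.0)
- ruby-prof (0.18.0)
+ ruby-prof (1.0.0)
  ruby-progressbar (1.10.1)
  safe_yaml (1.0.5)
  semantic_puppet (1.0.2)
@@ -149,4 +149,4 @@ DEPENDENCIES
  yard
 
  BUNDLED WITH
- 1.16.5
+ 1.17.3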
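--- a/data/install.rb
+++ b/data/install.rb
@@ -62,24 +62,6 @@ def do_configs(configs, target, strip = 'conf/')
  ocf = File.join(InstallOptions.config_dir, cf.gsub(/#{strip}/, ''))
  FileUtils.install(cf, ocf, {:mode => 0644, :preserve => true, :verbose => true})
  end
-
- if $operatingsystem == 'windows'
- src_dll = 'ext/windows/eventlog/puppetres.dll'
- dst_dll = File.join(InstallOptions.bin_dir, 'puppetres.dll')
- FileUtils.install(src_dll, dst_dll, {:mode => 0644, :preserve => true, :verbose => true})
-
- require 'win32/registry'
- include Win32::Registry::Constants
-
- begin
- Win32::Registry::HKEY_LOCAL_MACHINE.create('SYSTEM\CurrentControlSet\services\eventlog\Application\Puppet', KEY_ALL_ACCESS | 0x0100) do |reg|
- reg.write_s('EventMessageFile', dst_dll.tr('/', '\\'))
- reg.write_i('TypesSupported', 0x7)
- end
- rescue Win32::Registry::Error => e
- warn "Failed to create puppet eventlog registry key: #{e}"
- end
- end
  end
 
  def do_bins(bins, target, strip = 's?bin/')
@@ -140,12 +122,12 @@ def check_prereqs
  facter_version = Facter.version.to_f
  if facter_version < MIN_FACTER_VERSION
  puts "Facter version: #{facter_version}; minimum required: #{MIN_FACTER_VERSION}; cannot install"
- exit -1
+ exit (-1)
  end
  end
  rescue LoadError
  puts "Could not load #{pre}; cannot install"
- exit -1
+ exit (-1)
  end
  }
  end
@@ -266,7 +248,7 @@ def prepare_installation
  require 'win32/dir'
  rescue LoadError => e
  puts "Cannot run on Microsoft Windows without the win32-process, win32-dir & win32-service gems: #{e}"
- exit -1
+ exit (-1)
  end
  end
 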
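Review bot: The three rewritten calls in check_prereqs and prepare_installation are spelled `exit (-1)`, with a space between the method name and the parenthesis, so the argument is parsed as a grouped expression rather than an argument list; the conventional form is `exit(-1)`. On POSIX systems a status of -1 reaches the parent as 255, so `exit(1)` would state the intent more plainly, provided no caller depends on the exact value. Both functions start outside the hunks shown.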
@@ -124,31 +124,35 @@ configuration and apply it.
124
124
  USAGE NOTES
125
125
  -----------
126
126
  'puppet agent' does its best to find a compromise between interactive
127
- use and daemon use. Run with no arguments and no configuration, it will
128
- go into the background, attempt to get a signed certificate, and retrieve
129
- and apply its configuration every 30 minutes.
127
+ use and daemon use. If you run it with no arguments and no configuration, it
128
+ goes into the background, attempts to get a signed certificate, and retrieves
129
+ and applies its configuration every 30 minutes.
130
130
 
131
- Some flags are meant specifically for interactive use -- in particular,
131
+ Some flags are meant specifically for interactive use --- in particular,
132
132
  'test', 'tags' and 'fingerprint' are useful.
133
133
 
134
- '--test' does a single run in the foreground with verbose logging, then exits.
135
- It will also exit if it can't get a valid catalog. The exit code after running
136
- with '--test' is 0 if the catalog was successfully applied, and 1 if the run
137
- either failed or wasn't attempted (due to another run already in progress).
134
+ '--test' runs once in the foreground with verbose logging, then exits.
135
+ It also exits if it can't get a valid catalog. `--test` includes the '--detailed-exitcodes' option by default and exits with one of the following exit codes:
136
+
137
+ * 0: The run succeeded with no changes or failures; the system was already in the desired state.
138
+ * 1: The run failed, or wasn't attempted due to another run already in progress.
139
+ * 2: The run succeeded, and some resources were changed.
140
+ * 4: The run succeeded, and some resources failed.
141
+ * 6: The run succeeded, and included both changes and failures.
138
142
 
139
143
  '--tags' allows you to specify what portions of a configuration you want
140
144
  to apply. Puppet elements are tagged with all of the class or definition
141
145
  names that contain them, and you can use the 'tags' flag to specify one
142
146
  of these names, causing only configuration elements contained within
143
147
  that class or definition to be applied. This is very useful when you are
144
- testing new configurations -- for instance, if you are just starting to
148
+ testing new configurations --- for instance, if you are just starting to
145
149
  manage 'ntpd', you would put all of the new elements into an 'ntpd'
146
150
  class, and call puppet with '--tags ntpd', which would only apply that
147
151
  small portion of the configuration during your testing, rather than
148
152
  applying the whole thing.
149
153
 
150
- '--fingerprint' is a one-time flag. In this mode 'puppet agent' will run
151
- once and display on the console (and in the log) the current certificate
154
+ '--fingerprint' is a one-time flag. In this mode 'puppet agent' runs
155
+ once and displays on the console (and in the log) the current certificate
152
156
  (or certificate request) fingerprint. Providing the '--digest' option
153
157
  allows to use a different digest algorithm to generate the fingerprint.
154
158
  The main use is to verify that before signing a certificate request on
@@ -192,8 +196,8 @@ generated by running puppet agent with '--genconfig'.
192
196
  Enable full debugging.
193
197
 
194
198
  * --detailed-exitcodes:
195
- Provide extra information about the run via exit codes; only works if '--test'
196
- or '--onetime' is also specified. If enabled, 'puppet agent' will use the
199
+ Provide extra information about the run via exit codes; works only if '--test'
200
+ or '--onetime' is also specified. If enabled, 'puppet agent' uses the
197
201
  following exit codes:
198
202
 
199
203
  0: The run succeeded with no changes or failures; the system was already in
@@ -238,6 +238,7 @@ Licensed under the Apache 2.0 License
238
238
  libdir = Puppet[:libdir]
239
239
  vardir = Puppet[:vardir]
240
240
  confdir = Puppet[:confdir]
241
+ ssldir = Puppet[:ssldir]
241
242
  certname = Puppet[:certname]
242
243
 
243
244
  env = Puppet::Node::Environment.remote(Puppet[:environment])
@@ -267,15 +268,23 @@ Licensed under the Apache 2.0 License
267
268
  port = ":#{device_url.port}" if device_url.port
268
269
 
269
270
  # override local $vardir and $certname
271
+ Puppet[:ssldir] = ::File.join(Puppet[:deviceconfdir], device.name, 'ssl')
270
272
  Puppet[:confdir] = ::File.join(Puppet[:devicedir], device.name)
271
273
  Puppet[:libdir] = options[:libdir] || ::File.join(Puppet[:devicedir], device.name, 'lib')
272
274
  Puppet[:vardir] = ::File.join(Puppet[:devicedir], device.name)
273
275
  Puppet[:certname] = device.name
274
276
  ssl_context = nil
275
277
 
278
+ # create device directory under $deviceconfdir
279
+ Puppet::FileSystem.dir_mkpath(Puppet[:ssldir]) unless Puppet::FileSystem.dir_exist?(Puppet[:ssldir])
280
+
276
281
  # this will reload and recompute default settings and create device-specific sub vardir
277
282
  Puppet.settings.use :main, :agent, :ssl
278
283
 
284
+ # Workaround for PUP-8736: store ssl certs outside the cache directory to prevent accidental removal and keep the old path as symlink
285
+ optssldir = File.join(Puppet[:confdir], 'ssl')
286
+ Puppet::FileSystem.symlink(Puppet[:ssldir], optssldir) unless Puppet::FileSystem.exist?(optssldir)
287
+
279
288
  unless options[:resource] || options[:facts] || options[:apply]
280
289
  # Since it's too complicated to fix properly in the default settings, we workaround for PUP-9642 here.
281
290
  # See https://github.com/puppetlabs/puppet/pull/7483#issuecomment-483455997 for details.
@@ -359,6 +368,7 @@ Licensed under the Apache 2.0 License
359
368
  Puppet[:libdir] = libdir
360
369
  Puppet[:vardir] = vardir
361
370
  Puppet[:confdir] = confdir
371
+ Puppet[:ssldir] = ssldir
362
372
  Puppet[:certname] = certname
363
373
  end
364
374
  end
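Review bot: The per-device ssl directory is created with `Puppet::FileSystem.dir_mkpath(Puppet[:ssldir])` before `Puppet.settings.use :main, :agent, :ssl` runs and no mode is given, so the directory that will hold the device's private key starts out with whatever the process umask allows; whether the settings pass tightens it afterwards is not visible in these hunks and deserves a comment or an explicit restrictive mode. The symlink guard relies on `Puppet::FileSystem.exist?(optssldir)`, which presumably follows links: a dangling link from an earlier run would pass the guard and make `symlink` raise, and a real `ssl` directory already present under the old path is left in place with no sign that its certificates are moved to the new `ssldir`. The comment above the overrides is now incomplete and could read `# override local $ssldir, $confdir, $libdir, $vardir and $certname`. The enclosing method starts and ends outside these hunks.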
@@ -572,6 +572,10 @@ module Puppet
572
572
  contains any characters with special meanings in URLs (as specified by RFC 3986
573
573
  section 2.2), they must be URL-encoded. (For example, `#` would become `%23`.)",
574
574
  },
575
+ :no_proxy => {
576
+ :default => "localhost, 127.0.0.1",
577
+ :desc => "List of domain names that should not go through `http_proxy_host`. Environment variable no_proxy or NO_PROXY will override this value.",
578
+ },
575
579
  :http_keepalive_timeout => {
576
580
  :default => "4s",
577
581
  :type => :duration,
@@ -642,7 +646,7 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
642
646
 
643
647
  * With Puppet Server, you should refresh environments by calling the
644
648
  `environment-cache` API endpoint. See the docs for the Puppet Server
645
- administrative API.
649
+ [administrative API](https://puppet.com/docs/puppetserver/latest/admin-api/v1/environment-cache.html).
646
650
 
647
651
  Any value other than `0` or `unlimited` is deprecated, since most Puppet
648
652
  servers use a pool of Ruby interpreters which all have their own cache
@@ -929,17 +933,20 @@ EOT
929
933
  :desc => "Certificate authorities who issue server certificates. SSL servers will not be
930
934
  considered authentic unless they possess a certificate issued by an authority
931
935
  listed in this file. If this setting has no value then the Puppet master's CA
932
- certificate (localcacert) will be used."
936
+ certificate (localcacert) will be used.",
937
+ :hook => proc do |val|
938
+ Puppet.deprecation_warning(_("Setting 'ssl_client_ca_auth' is deprecated."))
939
+ end
933
940
  },
934
941
  :ssl_server_ca_auth => {
935
942
  :type => :file,
936
943
  :mode => "0644",
937
944
  :owner => "service",
938
945
  :group => "service",
939
- :desc => "Certificate authorities who issue client certificates. SSL clients will not be
940
- considered authentic unless they possess a certificate issued by an authority
941
- listed in this file. If this setting has no value then the Puppet master's CA
942
- certificate (localcacert) will be used."
946
+ :deprecated => :completely,
947
+ :desc => "The setting is deprecated and has no effect. Ensure all root and
948
+ intermediate certificate authorities used to issue client certificates are
949
+ contained in the server's `cacert` file on the server."
943
950
  },
944
951
  :hostcrl => {
945
952
  :default => "$ssldir/crl.pem",
@@ -1516,6 +1523,14 @@ EOT
1516
1523
  apply. You can see man pages by running `puppet <SUBCOMMAND> --help`,
1517
1524
  or read them online at https://puppet.com/docs/puppet/latest/man/."
1518
1525
  },
1526
+ :deviceconfdir => {
1527
+ :default => "$confdir/devices",
1528
+ :type => :directory,
1529
+ :mode => "0750",
1530
+ :owner => "service",
1531
+ :group => "service",
1532
+ :desc => "The root directory of devices' $confdir.",
1533
+ },
1519
1534
  :server => {
1520
1535
  :default => "puppet",
1521
1536
  :desc => "The puppet master server to which the puppet agent should connect.",
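Review bot: `ssl_client_ca_auth` now emits a deprecation warning through its `:hook`, but its `:desc` still describes a working setting, while the neighbouring `ssl_server_ca_auth` uses `:deprecated => :completely` and says so in its text; the two deprecations should read alike. Add a sentence such as `This setting is deprecated.` to the `ssl_client_ca_auth` description, and name the unused block parameter `_val`. For the new `:no_proxy` entry, the description should state the separator and the matching rule (exact host, suffix, port), because the default `"localhost, 127.0.0.1"` carries a space after the comma and the code that parses it is not part of this section.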
@@ -81,7 +81,7 @@ Puppet::Indirector::Face.define(:facts, '0.0.1') do
81
81
  node: Puppet[:node_name_value],
82
82
  server: server})
83
83
 
84
- Puppet::Node::Facts.indirection.save(facts)
84
+ Puppet::Node::Facts.indirection.save(facts, nil, :environment => Puppet.lookup(:current_environment))
85
85
  end
86
86
  end
87
87
  end
@@ -42,7 +42,8 @@ Puppet::Face.define(:parser, '0.0.1') do
42
42
  if files.empty?
43
43
  if not STDIN.tty?
44
44
  Puppet[:code] = STDIN.read
45
- parse_errors['STDIN'] = validate_manifest(nil)
45
+ error = validate_manifest(nil)
46
+ parse_errors['STDIN'] = error if error
46
47
  else
47
48
  manifest = Puppet.lookup(:current_environment).manifest
48
49
  files << manifest
@@ -88,7 +89,7 @@ Puppet::Face.define(:parser, '0.0.1') do
88
89
  [file, file_errors]
89
90
  end.to_h
90
91
 
91
- puts Puppet::Util::Json.dump(Puppet::Pops::Serialization::ToDataConverter.convert(data, rich_data: false), :pretty => true)
92
+ puts Puppet::Util::Json.dump(Puppet::Pops::Serialization::ToDataConverter.convert(data, rich_data: false, symbol_as_string: true), :pretty => true)
92
93
 
93
94
  exit(1)
94
95
  end
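--- a/data/lib/puppet/forge.rb
+++ b/data/lib/puppet/forge.rb
@@ -172,7 +172,18 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
  Puppet.warning "#{@metadata['name']} has been deprecated by its author! View module on Puppet Forge for more info." if deprecated?
 
  download(@data['file_uri'], tmpfile)
- validate_checksum(tmpfile, @data['file_md5'])
+ checksum = @data['file_sha256']
+ if checksum
+ validate_checksum(tmpfile, checksum, Digest::SHA256)
+ else
+ checksum = @data['file_md5']
+ if checksum
+ validate_checksum(tmpfile, checksum, Digest::MD5)
+ else
+ raise _("Forge module is missing SHA256 and MD5 checksums")
+ end
+ end
+
  unpack(tmpfile, tmpdir)
 
  @unpacked_into = Pathname.new(tmpdir)
@@ -201,9 +212,13 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
  end
  end
 
- def validate_checksum(file, checksum)
- if Digest::MD5.file(file.path).hexdigest != checksum
- raise RuntimeError, _("Downloaded release for %{name} did not match expected checksum") % { name: name }
+ def validate_checksum(file, checksum, digest_class)
+ if Facter.value(:fips_enabled) && digest_class == Digest::MD5
+ raise _("Module install using MD5 is prohibited in FIPS mode.")
+ end
+
+ if digest_class.file(file.path).hexdigest != checksum
+ raise RuntimeError, _("Downloaded release for %{name} did not match expected checksum %{checksum}") % { name: name, checksum: checksum }
  end
  end
 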
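Review bot: In the download path of the first hunk, a release record without `file_sha256` drops to MD5 verification with nothing written to the log, so on non-FIPS hosts a Forge response that omits the field weakens the integrity check silently. Log the downgrade at the top of the MD5 branch, for example `Puppet.warning(_("Module release has no SHA256 checksum; falling back to MD5"))`, and flatten the nested `if` into `if`/`elsif`/`else`. As far as these hunks show, `file_uri` and both checksum fields come from the same `@data` record, so the check catches a corrupted or substituted download but not a tampered record. `validate_checksum` compares hex strings with `!=`, so normalising with `checksum.downcase` would keep an upper-case digest in the metadata from failing the install. The method containing the first hunk starts outside the view.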
@@ -1,6 +1,7 @@
1
1
  require 'puppet/indirector/ssl_file'
2
2
  require 'puppet/ssl/certificate'
3
3
 
4
+ # @deprecated
4
5
  class Puppet::SSL::Certificate::File < Puppet::Indirector::SslFile
5
6
  desc "Manage SSL certificates on disk."
6
7
 
@@ -1,6 +1,7 @@
1
1
  require 'puppet/ssl/certificate'
2
2
  require 'puppet/indirector/rest'
3
3
 
4
+ # @deprecated
4
5
  class Puppet::SSL::Certificate::Rest < Puppet::Indirector::REST
5
6
  desc "Find certificates over HTTP via REST."
6
7
 
@@ -1,6 +1,7 @@
1
1
  require 'puppet/indirector/ssl_file'
2
2
  require 'puppet/ssl/certificate_request'
3
3
 
4
+ # @deprecated
4
5
  class Puppet::SSL::CertificateRequest::File < Puppet::Indirector::SslFile
5
6
  desc "Manage the collection of certificate requests on disk."
6
7
 
@@ -1,6 +1,7 @@
1
1
  require 'puppet/ssl/certificate_request'
2
2
  require 'puppet/indirector/memory'
3
3
 
4
+ # @deprecated
4
5
  class Puppet::SSL::CertificateRequest::Memory < Puppet::Indirector::Memory
5
6
  desc "Store certificate requests in memory. This is used for testing puppet."
6
7
  end
@@ -1,6 +1,7 @@
1
1
  require 'puppet/ssl/certificate_request'
2
2
  require 'puppet/indirector/rest'
3
3
 
4
+ # @deprecated
4
5
  class Puppet::SSL::CertificateRequest::Rest < Puppet::Indirector::REST
5
6
  desc "Find and save certificate requests over HTTP via REST."
6
7
 
@@ -1,6 +1,7 @@
1
1
  require 'puppet/indirector/ssl_file'
2
2
  require 'puppet/ssl/key'
3
3
 
4
+ # @deprecated
4
5
  class Puppet::SSL::Key::File < Puppet::Indirector::SslFile
5
6
  desc "Manage SSL private and public keys on disk."
6
7
 
@@ -1,6 +1,7 @@
1
1
  require 'puppet/ssl/key'
2
2
  require 'puppet/indirector/memory'
3
3
 
4
+ # @deprecated
4
5
  class Puppet::SSL::Key::Memory < Puppet::Indirector::Memory
5
6
  desc "Store keys in memory. This is used for testing puppet."
6
7
  end
@@ -51,9 +51,6 @@ module Puppet::ModuleTool
51
51
  end
52
52
 
53
53
  def run
54
- # Disallow anything that invokes md5 to avoid un-friendly termination due to FIPS
55
- raise _("Module install is prohibited in FIPS mode.") if Facter.value(:fips_enabled)
56
-
57
54
  name = @name.tr('/', '-')
58
55
  version = options[:version] || '>= 0.0.0'
59
56
 
@@ -25,17 +25,7 @@ class Puppet::Network::HTTP::Factory
25
25
  def create_connection(site)
26
26
  Puppet.debug("Creating new connection for #{site}")
27
27
 
28
- args = [site.host, site.port]
29
-
30
- unless Puppet::Util::HttpProxy.no_proxy?(site)
31
- if Puppet[:http_proxy_host] == "none"
32
- args << nil << nil
33
- else
34
- args << Puppet[:http_proxy_host] << Puppet[:http_proxy_port]
35
- end
36
- end
37
-
38
- http = Net::HTTP.new(*args)
28
+ http = Puppet::Util::HttpProxy.proxy(URI(site.addr))
39
29
  http.use_ssl = site.use_ssl?
40
30
  http.read_timeout = Puppet[:http_read_timeout]
41
31
  http.open_timeout = Puppet[:http_connect_timeout]
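Review bot: `create_connection` no longer shows how the proxy is chosen: the removed lines handled `no_proxy?` and the `"none"` value of `http_proxy_host` inline, and the replacement `Puppet::Util::HttpProxy.proxy(URI(site.addr))` moves both behind a helper that is not part of this section. A one-line comment would keep the contract visible at the call site, e.g. `# HttpProxy.proxy applies no_proxy and http_proxy_host ("none" disables the proxy) and returns the Net::HTTP object`; that wording is an assumption about the helper and should be confirmed against data/lib/puppet/util/http_proxy.rb. `URI(site.addr)` also raises on a malformed address, which the old `Net::HTTP.new(site.host, site.port)` path did not parse, so it is worth stating whether `site.addr` is always a well-formed URL. The method continues past the end of the hunk.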
@@ -0,0 +1,18 @@
1
+ # This class defines the private API of the Lookup Key Recorder support.
2
+ # @api private
3
+ #
4
+ class Puppet::Pops::Lookup::KeyRecorder
5
+
6
+ def initialize()
7
+ end
8
+
9
+ def self.singleton
10
+ @null_recorder ||= self.new
11
+ end
12
+
13
+ # Records a key
14
+ # (This implementation does nothing)
15
+ #
16
+ def record(key)
17
+ end
18
+ end
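Review bot: The empty `def initialize()` adds nothing over the inherited constructor and can be removed, after which `self.singleton` reads more simply as `@null_recorder ||= new`. The class comment says it defines "the private API" but the only documented behaviour is "does nothing"; a sentence stating that this is the no-op default and that real recorders must respond to `record(key)` would make the contract explicit. A `# @param key` line on `record` would complete it.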
@@ -27,6 +27,8 @@ class LookupAdapter < DataAdapter
27
27
  super()
28
28
  @compiler = compiler
29
29
  @lookup_options = {}
30
+ # Get a KeyRecorder from context, and set a "null recorder" if not defined
31
+ @key_recorder = Puppet.lookup(:lookup_key_recorder) { KeyRecorder.singleton }
30
32
  end
31
33
 
32
34
  # Performs a lookup using global, environment, and module data providers. Merge the result using the given
@@ -48,6 +50,11 @@ class LookupAdapter < DataAdapter
48
50
  end
49
51
  end
50
52
 
53
+ # Record that the key was looked up. This will record all keys for which a lookup is performed
54
+ # except 'lookup_options' (since that is illegal from a user perspective,
55
+ # and from an impact perspective is always looked up).
56
+ @key_recorder.record(key)
57
+
51
58
  key = LookupKey.new(key)
52
59
  lookup_invocation.lookup(key, key.module_name) do
53
60
  if lookup_invocation.only_explain_options?
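Review bot: `@key_recorder.record(key)` runs before `key = LookupKey.new(key)`, so the recorder receives the key exactly as the caller passed it rather than the parsed form; the comment should say so, e.g. `# The raw key is recorded, before LookupKey parsing`. The statement that 'lookup_options' is never recorded depends on a branch above the hunk that is not visible here, so it cannot be checked from this section. The method begins and ends outside the hunk.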
@@ -94,3 +94,4 @@ end
94
94
  end
95
95
 
96
96
  require_relative 'lookup/lookup_adapter'
97
+ require_relative 'lookup/key_recorder'
@@ -8,6 +8,11 @@ Puppet::Type.type(:file).provide :posix do
8
8
  include Puppet::Util::Warnings
9
9
 
10
10
  require 'etc'
11
+ require 'puppet/util/selinux'
12
+
13
+ def self.post_resource_eval
14
+ Selinux.matchpathcon_fini if Puppet::Util::SELinux.selinux_support?
15
+ end
11
16
 
12
17
  def uid2name(id)
13
18
  return id.to_s if id.is_a?(Symbol) or id.is_a?(String)
@@ -173,9 +173,10 @@ class Puppet::Provider::NameService < Puppet::Provider
173
173
  end
174
174
 
175
175
  begin
176
- execute(self.addcmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
176
+ sensitive = has_sensitive_data?
177
+ execute(self.addcmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
177
178
  if feature?(:manages_password_age) && (cmd = passcmd)
178
- execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
179
+ execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
179
180
  end
180
181
  rescue Puppet::ExecutionFailure => detail
181
182
  raise Puppet::Error, _("Could not create %{resource} %{name}: %{detail}") % { resource: @resource.class.name, name: @resource.name, detail: detail }, detail.backtrace
@@ -279,13 +280,19 @@ class Puppet::Provider::NameService < Puppet::Provider
279
280
  self.class.validate(param, value)
280
281
  cmd = modifycmd(param, munge(param, value))
281
282
  raise Puppet::DevError, _("Nameservice command must be an array") unless cmd.is_a?(Array)
283
+ sensitive = has_sensitive_data?(param)
282
284
  begin
283
- execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
285
+ execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
284
286
  rescue Puppet::ExecutionFailure => detail
285
287
  raise Puppet::Error, _("Could not set %{param} on %{resource}[%{name}]: %{detail}") % { param: param, resource: @resource.class.name, name: @resource.name, detail: detail }, detail.backtrace
286
288
  end
287
289
  end
288
290
 
291
+ #Derived classes can override to declare sensitive data so a flag can be passed to execute
292
+ def has_sensitive_data?(property = nil)
293
+ false
294
+ end
295
+
289
296
  # From overriding Puppet::Property#insync? Ruby Etc::getpwnam < 2.1.0 always
290
297
  # returns a struct with binary encoded string values, and >= 2.1.0 will return
291
298
  # binary encoded strings for values incompatible with current locale charset,
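Review bot: `has_sensitive_data?` returns false by default, so a NameService subclass that places a password on its command line and does not override the method still calls `execute` with `:sensitive => false`; the one-line comment should spell out that contract. Suggested wording: `# Return true when the command built for +property+ (nil means create) carries a secret; the result is passed to execute as :sensitive.` In both rescue branches `detail` is interpolated into the Puppet::Error message, so whether the secret stays out of that text depends on how `execute` builds the ExecutionFailure message when `:sensitive` is set, which is not visible in this section. The enclosing methods start outside the hunks.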
@@ -8,7 +8,7 @@ Puppet::Type.type(:package).provide :apt, :parent => :dpkg, :source => :dpkg do
8
8
  These options should be specified as an array where each element is either a
9
9
  string or a hash."
10
10
 
11
- has_feature :versionable, :install_options
11
+ has_feature :versionable, :install_options, :virtual_packages
12
12
 
13
13
  commands :aptget => "/usr/bin/apt-get"
14
14
  commands :aptcache => "/usr/bin/apt-cache"
@@ -5,7 +5,7 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
5
5
  and not `apt`, you must specify the source of any packages you want
6
6
  to manage."
7
7
 
8
- has_feature :holdable
8
+ has_feature :holdable, :virtual_packages
9
9
 
10
10
  commands :dpkg => "/usr/bin/dpkg"
11
11
  commands :dpkg_deb => "/usr/bin/dpkg-deb"
@@ -45,16 +45,18 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
45
45
  # Note: self:: is required here to keep these constants in the context of what will
46
46
  # eventually become this Puppet::Type::Package::ProviderDpkg class.
47
47
  self::DPKG_QUERY_FORMAT_STRING = %Q{'${Status} ${Package} ${Version}\\n'}
48
+ self::DPKG_QUERY_PROVIDES_FORMAT_STRING = %Q{'${Status} ${Package} ${Version} [${Provides}]\\n'}
48
49
  self::FIELDS_REGEX = %r{^(\S+) +(\S+) +(\S+) (\S+) (\S*)$}
50
+ self::FIELDS_REGEX_WITH_PROVIDES = %r{^(\S+) +(\S+) +(\S+) (\S+) (\S*) \[.*\]$}
49
51
  self::FIELDS= [:desired, :error, :status, :name, :ensure]
50
52
 
51
53
  # @param line [String] one line of dpkg-query output
52
54
  # @return [Hash,nil] a hash of FIELDS or nil if we failed to match
53
55
  # @api private
54
- def self.parse_line(line)
56
+ def self.parse_line(line, regex=self::FIELDS_REGEX)
55
57
  hash = nil
56
58
 
57
- match = self::FIELDS_REGEX.match(line)
59
+ match = regex.match(line)
58
60
  if match
59
61
  hash = {}
60
62
 
@@ -116,6 +118,18 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
116
118
 
117
119
  # list out our specific package
118
120
  begin
121
+ if @resource.allow_virtual?
122
+ output = dpkgquery(
123
+ "-W",
124
+ "--showformat",
125
+ self.class::DPKG_QUERY_PROVIDES_FORMAT_STRING
126
+ ).lines.find {|package| package.match(/\[.*#{@resource[:name]}.*\]/)}
127
+ if output
128
+ hash = self.class.parse_line(output,self.class::FIELDS_REGEX_WITH_PROVIDES)
129
+ Puppet.info("Package #{@resource[:name]} is virtual, defaulting to #{hash[:name]}")
130
+ @resource[:name] = hash[:name]
131
+ end
132
+ end
119
133
  output = dpkgquery(
120
134
  "-W",
121
135
  "--showformat",