puppet 6.7.2-universal-darwin → 6.8.0-universal-darwin
Potentially problematic release.
This version of puppet might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CODEOWNERS +9 -9
- data/Gemfile +1 -1
- data/Gemfile.lock +7 -7
- data/install.rb +3 -21
- data/lib/puppet/application/agent.rb +17 -13
- data/lib/puppet/application/device.rb +10 -0
- data/lib/puppet/defaults.rb +21 -6
- data/lib/puppet/face/facts.rb +1 -1
- data/lib/puppet/face/parser.rb +3 -2
- data/lib/puppet/forge.rb +19 -4
- data/lib/puppet/indirector/certificate/file.rb +1 -0
- data/lib/puppet/indirector/certificate/rest.rb +1 -0
- data/lib/puppet/indirector/certificate_request/file.rb +1 -0
- data/lib/puppet/indirector/certificate_request/memory.rb +1 -0
- data/lib/puppet/indirector/certificate_request/rest.rb +1 -0
- data/lib/puppet/indirector/key/file.rb +1 -0
- data/lib/puppet/indirector/key/memory.rb +1 -0
- data/lib/puppet/module_tool/applications/installer.rb +0 -3
- data/lib/puppet/network/http/factory.rb +1 -11
- data/lib/puppet/pops/lookup/key_recorder.rb +18 -0
- data/lib/puppet/pops/lookup/lookup_adapter.rb +7 -0
- data/lib/puppet/pops/lookup.rb +1 -0
- data/lib/puppet/provider/file/posix.rb +5 -0
- data/lib/puppet/provider/nameservice.rb +10 -3
- data/lib/puppet/provider/package/apt.rb +1 -1
- data/lib/puppet/provider/package/dpkg.rb +17 -3
- data/lib/puppet/provider/service/launchd.rb +20 -5
- data/lib/puppet/provider/service/systemd.rb +5 -10
- data/lib/puppet/provider/user/pw.rb +12 -3
- data/lib/puppet/provider/user/user_role_add.rb +4 -0
- data/lib/puppet/provider/user/useradd.rb +25 -11
- data/lib/puppet/ssl/certificate.rb +2 -0
- data/lib/puppet/ssl/host.rb +3 -0
- data/lib/puppet/ssl/key.rb +2 -0
- data/lib/puppet/util/http_proxy.rb +17 -3
- data/lib/puppet/util/monkey_patches.rb +0 -16
- data/lib/puppet/util/selinux.rb +5 -1
- data/lib/puppet/util/windows/security.rb +2 -0
- data/lib/puppet/util/windows/sid.rb +1 -0
- data/lib/puppet/version.rb +1 -1
- data/lib/puppet/x509/cert_provider.rb +13 -15
- data/locales/puppet.pot +77 -65
- data/man/man5/puppet.conf.5 +20 -4
- data/man/man8/puppet-agent.8 +24 -7
- data/man/man8/puppet-apply.8 +1 -1
- data/man/man8/puppet-catalog.8 +1 -1
- data/man/man8/puppet-config.8 +1 -1
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +1 -1
- data/man/man8/puppet-filebucket.8 +1 -1
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +1 -1
- data/man/man8/puppet-key.8 +1 -1
- data/man/man8/puppet-lookup.8 +1 -1
- data/man/man8/puppet-man.8 +1 -1
- data/man/man8/puppet-module.8 +1 -1
- data/man/man8/puppet-node.8 +1 -1
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +1 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +1 -1
- data/man/man8/puppet-status.8 +1 -1
- data/man/man8/puppet.8 +2 -2
- data/spec/integration/provider/service/systemd_spec.rb +7 -5
- data/spec/integration/type/file_spec.rb +28 -0
- data/spec/unit/application/device_spec.rb +26 -0
- data/spec/unit/face/facts_spec.rb +9 -0
- data/spec/unit/face/parser_spec.rb +17 -5
- data/spec/unit/forge/module_release_spec.rb +66 -31
- data/spec/unit/module_tool/applications/installer_spec.rb +0 -9
- data/spec/unit/network/http/factory_spec.rb +27 -5
- data/spec/unit/provider/package/dpkg_spec.rb +84 -4
- data/spec/unit/provider/service/launchd_spec.rb +28 -0
- data/spec/unit/provider/service/systemd_spec.rb +14 -0
- data/spec/unit/provider/user/pw_spec.rb +37 -0
- data/spec/unit/provider/user/useradd_spec.rb +42 -0
- data/spec/unit/transaction_spec.rb +18 -0
- data/spec/unit/util/http_proxy_spec.rb +24 -1
- data/spec/unit/x509/cert_provider_spec.rb +1 -1
- metadata +4 -7
- data/ext/windows/eventlog/Rakefile +0 -32
- data/ext/windows/eventlog/puppetres.dll +0 -0
- data/ext/windows/eventlog/puppetres.mc +0 -18
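--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6499c686c4bf854eadd79ed655461b3e64e9ba7a9bf9164728717c8e69679748
+data.tar.gz: 34fff83b7811ccf9bf0cec90ab5c6fb4d4251b2cfeaa5331d8d6fb01860db2ff
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d856db8d30bc8a77198998525cfb5dea36db856096862ffba21cc2d8792de03c8575b8e5dc065f6351412f5c081f6a8b8e537750f58f0f95022dec218c0d882f
+data.tar.gz: 36f03ab60e5ffe8126c4dafcae83cfe51bf3798fd460077b468bedea14c135d52f681867f99a013aea266a5bc6e84124f698527b214a060b06c7653f670c9815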
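--- a/data/CODEOWNERS
+++ b/data/CODEOWNERS
@@ -1,15 +1,15 @@
 # default to platform-core
 * @puppetlabs/platform-core
 
-#
-/lib/puppet/type/group @puppetlabs/
-/lib/puppet/type/package @puppetlabs/
-/lib/puppet/type/service @puppetlabs/
-/lib/puppet/type/user @puppetlabs/
-/lib/puppet/provider/group @puppetlabs/
-/lib/puppet/provider/package @puppetlabs/
-/lib/puppet/provider/service @puppetlabs/
-/lib/puppet/provider/user @puppetlabs/
+# Night's Watch
+/lib/puppet/type/group @puppetlabs/night-s-watch
+/lib/puppet/type/package @puppetlabs/night-s-watch
+/lib/puppet/type/service @puppetlabs/night-s-watch
+/lib/puppet/type/user @puppetlabs/night-s-watch
+/lib/puppet/provider/group @puppetlabs/night-s-watch
+/lib/puppet/provider/package @puppetlabs/night-s-watch
+/lib/puppet/provider/service @puppetlabs/night-s-watch
+/lib/puppet/provider/user @puppetlabs/night-s-watch
 
 # language
 /lib/puppet/datatypes @puppetlabs/language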
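--- a/data/Gemfile
+++ b/data/Gemfile
@@ -23,7 +23,7 @@ group(:features) do
 gem 'hiera-eyaml', require: false
 gem 'hocon', '~> 1.0', require: false
 # requires native libshadow headers/libs
-#
+#gem 'ruby-shadow', '~> 2.5', require: false, platforms: [:ruby]
 gem 'minitar', '~> 0.6', require: false
 gem 'msgpack', '~> 1.2', require: false
 gem 'rdoc', '~> 6.0', require: false, platforms: [:ruby]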
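--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
-puppet (6.
+puppet (6.8.0)
 CFPropertyList (~> 2.2)
 facter (>= 2.4.0, < 4)
 fast_gettext (~> 1.1)
@@ -28,7 +28,7 @@ GEM
 gettext (3.2.9)
 locale (>= 2.0.5)
 text (>= 1.3.0)
-gettext-setup (0.
+gettext-setup (0.31)
 fast_gettext (~> 1.1.0)
 gettext (>= 3.0.2)
 locale
@@ -47,11 +47,11 @@ GEM
 memory_profiler (0.9.14)
 method_source (0.9.2)
 minitar (0.8)
-msgpack (1.3.
+msgpack (1.3.1)
 multi_json (1.13.1)
 mustache (1.1.0)
 optimist (3.0.0)
-packaging (0.99.
+packaging (0.99.38)
 artifactory (~> 2)
 rake (~> 12.3)
 parallel (1.17.0)
@@ -64,7 +64,7 @@ GEM
 public_suffix (3.1.1)
 puppet-resource_api (1.8.6)
 hocon (>= 1.0)
-puppetserver-ca (1.
+puppetserver-ca (1.4.0)
 facter (>= 2.0.1, < 4)
 racc (1.4.9)
 rainbow (2.2.2)
@@ -103,7 +103,7 @@ GEM
 unicode-display_width (~> 1.0, >= 1.0.1)
 rubocop-i18n (1.2.0)
 rubocop (~> 0.49.0)
-ruby-prof (0.
+ruby-prof (1.0.0)
 ruby-progressbar (1.10.1)
 safe_yaml (1.0.5)
 semantic_puppet (1.0.2)
@@ -149,4 +149,4 @@ DEPENDENCIES
 yard
 
 BUNDLED WITH
-1.
+1.17.3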
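--- a/data/install.rb
+++ b/data/install.rb
@@ -62,24 +62,6 @@ def do_configs(configs, target, strip = 'conf/')
 ocf = File.join(InstallOptions.config_dir, cf.gsub(/#{strip}/, ''))
 FileUtils.install(cf, ocf, {:mode => 0644, :preserve => true, :verbose => true})
 end
-
-if $operatingsystem == 'windows'
-src_dll = 'ext/windows/eventlog/puppetres.dll'
-dst_dll = File.join(InstallOptions.bin_dir, 'puppetres.dll')
-FileUtils.install(src_dll, dst_dll, {:mode => 0644, :preserve => true, :verbose => true})
-
-require 'win32/registry'
-include Win32::Registry::Constants
-
-begin
-Win32::Registry::HKEY_LOCAL_MACHINE.create('SYSTEM\CurrentControlSet\services\eventlog\Application\Puppet', KEY_ALL_ACCESS | 0x0100) do |reg|
-reg.write_s('EventMessageFile', dst_dll.tr('/', '\\'))
-reg.write_i('TypesSupported', 0x7)
-end
-rescue Win32::Registry::Error => e
-warn "Failed to create puppet eventlog registry key: #{e}"
-end
-end
 end
 
 def do_bins(bins, target, strip = 's?bin/')
@@ -140,12 +122,12 @@ def check_prereqs
 facter_version = Facter.version.to_f
 if facter_version < MIN_FACTER_VERSION
 puts "Facter version: #{facter_version}; minimum required: #{MIN_FACTER_VERSION}; cannot install"
-exit -1
+exit (-1)
 end
 end
 rescue LoadError
 puts "Could not load #{pre}; cannot install"
-exit -1
+exit (-1)
 end
 }
 end
@@ -266,7 +248,7 @@ def prepare_installation
 require 'win32/dir'
 rescue LoadError => e
 puts "Cannot run on Microsoft Windows without the win32-process, win32-dir & win32-service gems: #{e}"
-exit -1
+exit (-1)
 end
 end
 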
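Review bot: `exit (-1)` at new lines 125, 130 and 251 still reads oddly: the space makes `(-1)` a grouped expression passed to `exit` rather than a call with parentheses, and a status of -1 reaches the shell as 255. Writing `exit(1)` (or `exit 255` if callers rely on that value) states the intent directly and matches the `exit(1)` form used elsewhere in this release. The enclosing methods check_prereqs and prepare_installation start and end outside these hunks.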
@@ -124,31 +124,35 @@ configuration and apply it.
|
|
124
124
|
USAGE NOTES
|
125
125
|
-----------
|
126
126
|
'puppet agent' does its best to find a compromise between interactive
|
127
|
-
use and daemon use.
|
128
|
-
|
129
|
-
and
|
127
|
+
use and daemon use. If you run it with no arguments and no configuration, it
|
128
|
+
goes into the background, attempts to get a signed certificate, and retrieves
|
129
|
+
and applies its configuration every 30 minutes.
|
130
130
|
|
131
|
-
Some flags are meant specifically for interactive use
|
131
|
+
Some flags are meant specifically for interactive use --- in particular,
|
132
132
|
'test', 'tags' and 'fingerprint' are useful.
|
133
133
|
|
134
|
-
'--test'
|
135
|
-
It
|
136
|
-
|
137
|
-
|
134
|
+
'--test' runs once in the foreground with verbose logging, then exits.
|
135
|
+
It also exits if it can't get a valid catalog. `--test` includes the '--detailed-exitcodes' option by default and exits with one of the following exit codes:
|
136
|
+
|
137
|
+
* 0: The run succeeded with no changes or failures; the system was already in the desired state.
|
138
|
+
* 1: The run failed, or wasn't attempted due to another run already in progress.
|
139
|
+
* 2: The run succeeded, and some resources were changed.
|
140
|
+
* 4: The run succeeded, and some resources failed.
|
141
|
+
* 6: The run succeeded, and included both changes and failures.
|
138
142
|
|
139
143
|
'--tags' allows you to specify what portions of a configuration you want
|
140
144
|
to apply. Puppet elements are tagged with all of the class or definition
|
141
145
|
names that contain them, and you can use the 'tags' flag to specify one
|
142
146
|
of these names, causing only configuration elements contained within
|
143
147
|
that class or definition to be applied. This is very useful when you are
|
144
|
-
testing new configurations
|
148
|
+
testing new configurations --- for instance, if you are just starting to
|
145
149
|
manage 'ntpd', you would put all of the new elements into an 'ntpd'
|
146
150
|
class, and call puppet with '--tags ntpd', which would only apply that
|
147
151
|
small portion of the configuration during your testing, rather than
|
148
152
|
applying the whole thing.
|
149
153
|
|
150
|
-
'--fingerprint' is a one-time flag. In this mode 'puppet agent'
|
151
|
-
once and
|
154
|
+
'--fingerprint' is a one-time flag. In this mode 'puppet agent' runs
|
155
|
+
once and displays on the console (and in the log) the current certificate
|
152
156
|
(or certificate request) fingerprint. Providing the '--digest' option
|
153
157
|
allows to use a different digest algorithm to generate the fingerprint.
|
154
158
|
The main use is to verify that before signing a certificate request on
|
@@ -192,8 +196,8 @@ generated by running puppet agent with '--genconfig'.
|
|
192
196
|
Enable full debugging.
|
193
197
|
|
194
198
|
* --detailed-exitcodes:
|
195
|
-
Provide extra information about the run via exit codes; only
|
196
|
-
or '--onetime' is also specified. If enabled, 'puppet agent'
|
199
|
+
Provide extra information about the run via exit codes; works only if '--test'
|
200
|
+
or '--onetime' is also specified. If enabled, 'puppet agent' uses the
|
197
201
|
following exit codes:
|
198
202
|
|
199
203
|
0: The run succeeded with no changes or failures; the system was already in
|
@@ -238,6 +238,7 @@ Licensed under the Apache 2.0 License
|
|
238
238
|
libdir = Puppet[:libdir]
|
239
239
|
vardir = Puppet[:vardir]
|
240
240
|
confdir = Puppet[:confdir]
|
241
|
+
ssldir = Puppet[:ssldir]
|
241
242
|
certname = Puppet[:certname]
|
242
243
|
|
243
244
|
env = Puppet::Node::Environment.remote(Puppet[:environment])
|
@@ -267,15 +268,23 @@ Licensed under the Apache 2.0 License
|
|
267
268
|
port = ":#{device_url.port}" if device_url.port
|
268
269
|
|
269
270
|
# override local $vardir and $certname
|
271
|
+
Puppet[:ssldir] = ::File.join(Puppet[:deviceconfdir], device.name, 'ssl')
|
270
272
|
Puppet[:confdir] = ::File.join(Puppet[:devicedir], device.name)
|
271
273
|
Puppet[:libdir] = options[:libdir] || ::File.join(Puppet[:devicedir], device.name, 'lib')
|
272
274
|
Puppet[:vardir] = ::File.join(Puppet[:devicedir], device.name)
|
273
275
|
Puppet[:certname] = device.name
|
274
276
|
ssl_context = nil
|
275
277
|
|
278
|
+
# create device directory under $deviceconfdir
|
279
|
+
Puppet::FileSystem.dir_mkpath(Puppet[:ssldir]) unless Puppet::FileSystem.dir_exist?(Puppet[:ssldir])
|
280
|
+
|
276
281
|
# this will reload and recompute default settings and create device-specific sub vardir
|
277
282
|
Puppet.settings.use :main, :agent, :ssl
|
278
283
|
|
284
|
+
# Workaround for PUP-8736: store ssl certs outside the cache directory to prevent accidental removal and keep the old path as symlink
|
285
|
+
optssldir = File.join(Puppet[:confdir], 'ssl')
|
286
|
+
Puppet::FileSystem.symlink(Puppet[:ssldir], optssldir) unless Puppet::FileSystem.exist?(optssldir)
|
287
|
+
|
279
288
|
unless options[:resource] || options[:facts] || options[:apply]
|
280
289
|
# Since it's too complicated to fix properly in the default settings, we workaround for PUP-9642 here.
|
281
290
|
# See https://github.com/puppetlabs/puppet/pull/7483#issuecomment-483455997 for details.
|
@@ -359,6 +368,7 @@ Licensed under the Apache 2.0 License
|
|
359
368
|
Puppet[:libdir] = libdir
|
360
369
|
Puppet[:vardir] = vardir
|
361
370
|
Puppet[:confdir] = confdir
|
371
|
+
Puppet[:ssldir] = ssldir
|
362
372
|
Puppet[:certname] = certname
|
363
373
|
end
|
364
374
|
end
|
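Review bot: The symlink guard at new line 286 only covers a freshly provisioned device. When `ssl` under the device's `$devicedir/<name>` already exists as a real directory, no link is created, yet `Puppet[:ssldir]` now points at the new `$deviceconfdir/<name>/ssl`, so the device's existing key and certificate would presumably no longer be found. Nothing visible in these hunks migrates the old directory; either move its contents before `Puppet.settings.use :main, :agent, :ssl` or document that such devices must be re-enrolled. `Puppet::FileSystem.exist?` may also return false for a dangling link, in which case `symlink` would raise; consider `unless Puppet::FileSystem.exist?(optssldir) || Puppet::FileSystem.symlink?(optssldir)`. The enclosing method begins and ends outside the hunks.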
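--- a/data/lib/puppet/defaults.rb
+++ b/data/lib/puppet/defaults.rb
@@ -572,6 +572,10 @@ module Puppet
 contains any characters with special meanings in URLs (as specified by RFC 3986
 section 2.2), they must be URL-encoded. (For example, `#` would become `%23`.)",
 },
+:no_proxy => {
+:default => "localhost, 127.0.0.1",
+:desc => "List of domain names that should not go through `http_proxy_host`. Environment variable no_proxy or NO_PROXY will override this value.",
+},
 :http_keepalive_timeout => {
 :default => "4s",
 :type => :duration,
@@ -642,7 +646,7 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
 
 * With Puppet Server, you should refresh environments by calling the
 `environment-cache` API endpoint. See the docs for the Puppet Server
-administrative API.
+[administrative API](https://puppet.com/docs/puppetserver/latest/admin-api/v1/environment-cache.html).
 
 Any value other than `0` or `unlimited` is deprecated, since most Puppet
 servers use a pool of Ruby interpreters which all have their own cache
@@ -929,17 +933,20 @@ EOT
 :desc => "Certificate authorities who issue server certificates. SSL servers will not be
 considered authentic unless they possess a certificate issued by an authority
 listed in this file. If this setting has no value then the Puppet master's CA
-certificate (localcacert) will be used."
+certificate (localcacert) will be used.",
+:hook => proc do |val|
+Puppet.deprecation_warning(_("Setting 'ssl_client_ca_auth' is deprecated."))
+end
 },
 :ssl_server_ca_auth => {
 :type => :file,
 :mode => "0644",
 :owner => "service",
 :group => "service",
-:
-
-
-
+:deprecated => :completely,
+:desc => "The setting is deprecated and has no effect. Ensure all root and
+intermediate certificate authorities used to issue client certificates are
+contained in the server's `cacert` file on the server."
 },
 :hostcrl => {
 :default => "$ssldir/crl.pem",
@@ -1516,6 +1523,14 @@ EOT
 apply. You can see man pages by running `puppet <SUBCOMMAND> --help`,
 or read them online at https://puppet.com/docs/puppet/latest/man/."
 },
+:deviceconfdir => {
+:default => "$confdir/devices",
+:type => :directory,
+:mode => "0750",
+:owner => "service",
+:group => "service",
+:desc => "The root directory of devices' $confdir.",
+},
 :server => {
 :default => "puppet",
 :desc => "The puppet master server to which the puppet agent should connect.",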
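Review bot: The `:no_proxy` description at new line 577 says "List of domain names" but gives neither the separator nor the matching rule, while the default itself holds an IP address and a space after the comma. A reader cannot tell whether entries are comma-separated, whether surrounding whitespace is ignored, or whether suffix or leading-dot matching applies; the text should say so, starting with something like `"Comma-separated list of host names or IP addresses that should not go through `http_proxy_host`."`. Separately, `ssl_client_ca_auth` is deprecated through a `:hook` whose `val` is unused, while `ssl_server_ca_auth` uses `:deprecated => :completely`; if both settings are meant to be retired, using the same mechanism for both would read more consistently.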
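--- a/data/lib/puppet/face/facts.rb
+++ b/data/lib/puppet/face/facts.rb
@@ -81,7 +81,7 @@ Puppet::Indirector::Face.define(:facts, '0.0.1') do
 node: Puppet[:node_name_value],
 server: server})
 
-Puppet::Node::Facts.indirection.save(facts)
+Puppet::Node::Facts.indirection.save(facts, nil, :environment => Puppet.lookup(:current_environment))
 end
 end
 end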
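--- a/data/lib/puppet/face/parser.rb
+++ b/data/lib/puppet/face/parser.rb
@@ -42,7 +42,8 @@ Puppet::Face.define(:parser, '0.0.1') do
 if files.empty?
 if not STDIN.tty?
 Puppet[:code] = STDIN.read
-
+error = validate_manifest(nil)
+parse_errors['STDIN'] = error if error
 else
 manifest = Puppet.lookup(:current_environment).manifest
 files << manifest
@@ -88,7 +89,7 @@ Puppet::Face.define(:parser, '0.0.1') do
 [file, file_errors]
 end.to_h
 
-puts Puppet::Util::Json.dump(Puppet::Pops::Serialization::ToDataConverter.convert(data, rich_data: false), :pretty => true)
+puts Puppet::Util::Json.dump(Puppet::Pops::Serialization::ToDataConverter.convert(data, rich_data: false, symbol_as_string: true), :pretty => true)
 
 exit(1)
 end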
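--- a/data/lib/puppet/forge.rb
+++ b/data/lib/puppet/forge.rb
@@ -172,7 +172,18 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
 Puppet.warning "#{@metadata['name']} has been deprecated by its author! View module on Puppet Forge for more info." if deprecated?
 
 download(@data['file_uri'], tmpfile)
-
+checksum = @data['file_sha256']
+if checksum
+validate_checksum(tmpfile, checksum, Digest::SHA256)
+else
+checksum = @data['file_md5']
+if checksum
+validate_checksum(tmpfile, checksum, Digest::MD5)
+else
+raise _("Forge module is missing SHA256 and MD5 checksums")
+end
+end
+
 unpack(tmpfile, tmpdir)
 
 @unpacked_into = Pathname.new(tmpdir)
@@ -201,9 +212,13 @@ class Puppet::Forge < SemanticPuppet::Dependency::Source
 end
 end
 
-def validate_checksum(file, checksum)
-if
-raise
+def validate_checksum(file, checksum, digest_class)
+if Facter.value(:fips_enabled) && digest_class == Digest::MD5
+raise _("Module install using MD5 is prohibited in FIPS mode.")
+end
+
+if digest_class.file(file.path).hexdigest != checksum
+raise RuntimeError, _("Downloaded release for %{name} did not match expected checksum %{checksum}") % { name: name, checksum: checksum }
 end
 end
 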
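Review bot: The MD5 branch at new lines 179-181 is taken silently whenever the release data has no `file_sha256`, so anything that can alter that metadata can select the weaker digest just by omitting the field. MD5 gives no assurance against a deliberately crafted archive, so the fallback should at least be visible, e.g. `Puppet.warning(_("Forge release has no SHA256 checksum; falling back to MD5"))` before `validate_checksum(tmpfile, checksum, Digest::MD5)`. Both checksums appear to come from the same `@data` as `file_uri`, so this check detects a corrupted download rather than a compromised source, which is worth stating in a comment. In `validate_checksum`, `hexdigest != checksum` is case-sensitive; comparing against `checksum.downcase` would avoid rejecting an upper-case digest.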
@@ -51,9 +51,6 @@ module Puppet::ModuleTool
|
|
51
51
|
end
|
52
52
|
|
53
53
|
def run
|
54
|
-
# Disallow anything that invokes md5 to avoid un-friendly termination due to FIPS
|
55
|
-
raise _("Module install is prohibited in FIPS mode.") if Facter.value(:fips_enabled)
|
56
|
-
|
57
54
|
name = @name.tr('/', '-')
|
58
55
|
version = options[:version] || '>= 0.0.0'
|
59
56
|
|
@@ -25,17 +25,7 @@ class Puppet::Network::HTTP::Factory
|
|
25
25
|
def create_connection(site)
|
26
26
|
Puppet.debug("Creating new connection for #{site}")
|
27
27
|
|
28
|
-
|
29
|
-
|
30
|
-
unless Puppet::Util::HttpProxy.no_proxy?(site)
|
31
|
-
if Puppet[:http_proxy_host] == "none"
|
32
|
-
args << nil << nil
|
33
|
-
else
|
34
|
-
args << Puppet[:http_proxy_host] << Puppet[:http_proxy_port]
|
35
|
-
end
|
36
|
-
end
|
37
|
-
|
38
|
-
http = Net::HTTP.new(*args)
|
28
|
+
http = Puppet::Util::HttpProxy.proxy(URI(site.addr))
|
39
29
|
http.use_ssl = site.use_ssl?
|
40
30
|
http.read_timeout = Puppet[:http_read_timeout]
|
41
31
|
http.open_timeout = Puppet[:http_connect_timeout]
|
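Review bot: With this change `create_connection` no longer shows how a proxy is chosen; the handling of `http_proxy_host == "none"` and of `no_proxy?` that the removed lines spelled out now has to live inside `Puppet::Util::HttpProxy.proxy`, which is not part of this section. A one-line comment above new line 28, such as `# proxy selection (http_proxy_host, "none", no_proxy) is delegated to HttpProxy.proxy`, would keep that visible to the next reader. `URI(site.addr)` can also raise `URI::InvalidURIError` where the old code passed host and port straight to `Net::HTTP.new`; confirm that `site.addr` is always a well-formed URI, including for IPv6 hosts. The method continues beyond the hunk.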
@@ -0,0 +1,18 @@
|
|
1
|
+
# This class defines the private API of the Lookup Key Recorder support.
|
2
|
+
# @api private
|
3
|
+
#
|
4
|
+
class Puppet::Pops::Lookup::KeyRecorder
|
5
|
+
|
6
|
+
def initialize()
|
7
|
+
end
|
8
|
+
|
9
|
+
def self.singleton
|
10
|
+
@null_recorder ||= self.new
|
11
|
+
end
|
12
|
+
|
13
|
+
# Records a key
|
14
|
+
# (This implementation does nothing)
|
15
|
+
#
|
16
|
+
def record(key)
|
17
|
+
end
|
18
|
+
end
|
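Review bot: The empty `def initialize()` at new lines 6-7 adds nothing over the inherited constructor and can be dropped. The class comment says this is the private API of the key recorder, but it does not say what a real recorder must provide or how it is installed; a sentence noting that implementations are supplied through the `:lookup_key_recorder` context binding and must respond to `record(key)` would help. The memoized instance is stored in `@null_recorder` while the accessor is called `singleton`; naming them alike would make it clearer that this is the do-nothing default.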
@@ -27,6 +27,8 @@ class LookupAdapter < DataAdapter
|
|
27
27
|
super()
|
28
28
|
@compiler = compiler
|
29
29
|
@lookup_options = {}
|
30
|
+
# Get a KeyRecorder from context, and set a "null recorder" if not defined
|
31
|
+
@key_recorder = Puppet.lookup(:lookup_key_recorder) { KeyRecorder.singleton }
|
30
32
|
end
|
31
33
|
|
32
34
|
# Performs a lookup using global, environment, and module data providers. Merge the result using the given
|
@@ -48,6 +50,11 @@ class LookupAdapter < DataAdapter
|
|
48
50
|
end
|
49
51
|
end
|
50
52
|
|
53
|
+
# Record that the key was looked up. This will record all keys for which a lookup is performed
|
54
|
+
# except 'lookup_options' (since that is illegal from a user perspective,
|
55
|
+
# and from an impact perspective is always looked up).
|
56
|
+
@key_recorder.record(key)
|
57
|
+
|
51
58
|
key = LookupKey.new(key)
|
52
59
|
lookup_invocation.lookup(key, key.module_name) do
|
53
60
|
if lookup_invocation.only_explain_options?
|
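Review bot: The comment at new lines 53-55 states that every key except 'lookup_options' is recorded, but the call `@key_recorder.record(key)` at new line 56 is unconditional within this hunk, so the exclusion must depend on an earlier return above it; the comment should say that explicitly. The recorder also receives the raw `key` before `LookupKey.new(key)` on new line 58, so dotted keys are presumably recorded with their sub-key segments; if the root key is what is wanted, record after the conversion. Since the recorder comes from the context, an exception raised inside `record` would abort the lookup, which is worth documenting as a requirement on implementations. The method starts and ends outside the hunk.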
data/lib/puppet/pops/lookup.rb
CHANGED
@@ -8,6 +8,11 @@ Puppet::Type.type(:file).provide :posix do
|
|
8
8
|
include Puppet::Util::Warnings
|
9
9
|
|
10
10
|
require 'etc'
|
11
|
+
require 'puppet/util/selinux'
|
12
|
+
|
13
|
+
def self.post_resource_eval
|
14
|
+
Selinux.matchpathcon_fini if Puppet::Util::SELinux.selinux_support?
|
15
|
+
end
|
11
16
|
|
12
17
|
def uid2name(id)
|
13
18
|
return id.to_s if id.is_a?(Symbol) or id.is_a?(String)
|
@@ -173,9 +173,10 @@ class Puppet::Provider::NameService < Puppet::Provider
|
|
173
173
|
end
|
174
174
|
|
175
175
|
begin
|
176
|
-
|
176
|
+
sensitive = has_sensitive_data?
|
177
|
+
execute(self.addcmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
|
177
178
|
if feature?(:manages_password_age) && (cmd = passcmd)
|
178
|
-
execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
|
179
|
+
execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
|
179
180
|
end
|
180
181
|
rescue Puppet::ExecutionFailure => detail
|
181
182
|
raise Puppet::Error, _("Could not create %{resource} %{name}: %{detail}") % { resource: @resource.class.name, name: @resource.name, detail: detail }, detail.backtrace
|
@@ -279,13 +280,19 @@ class Puppet::Provider::NameService < Puppet::Provider
|
|
279
280
|
self.class.validate(param, value)
|
280
281
|
cmd = modifycmd(param, munge(param, value))
|
281
282
|
raise Puppet::DevError, _("Nameservice command must be an array") unless cmd.is_a?(Array)
|
283
|
+
sensitive = has_sensitive_data?(param)
|
282
284
|
begin
|
283
|
-
execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment})
|
285
|
+
execute(cmd, {:failonfail => true, :combine => true, :custom_environment => @custom_environment, :sensitive => sensitive})
|
284
286
|
rescue Puppet::ExecutionFailure => detail
|
285
287
|
raise Puppet::Error, _("Could not set %{param} on %{resource}[%{name}]: %{detail}") % { param: param, resource: @resource.class.name, name: @resource.name, detail: detail }, detail.backtrace
|
286
288
|
end
|
287
289
|
end
|
288
290
|
|
291
|
+
#Derived classes can override to declare sensitive data so a flag can be passed to execute
|
292
|
+
def has_sensitive_data?(property = nil)
|
293
|
+
false
|
294
|
+
end
|
295
|
+
|
289
296
|
# From overriding Puppet::Property#insync? Ruby Etc::getpwnam < 2.1.0 always
|
290
297
|
# returns a struct with binary encoded string values, and >= 2.1.0 will return
|
291
298
|
# binary encoded strings for values incompatible with current locale charset,
|
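Review bot: Passing `:sensitive => sensitive` to `execute` is only half of the protection, because both `rescue Puppet::ExecutionFailure => detail` branches still interpolate `detail` into the raised `Puppet::Error` ("Could not create ..." and "Could not set ..."). Whether `Puppet::ExecutionFailure` redacts the command line and the combined output when `:sensitive` is set cannot be seen from these hunks; confirm it, or omit `detail` from the message when `sensitive` is true. The base `has_sensitive_data?` returns `false`, so the protection is opt-in; its comment should say that any provider passing a password on the command line must override it. Minor: `#Derived` at new line 291 lacks the space after `#`.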
@@ -8,7 +8,7 @@ Puppet::Type.type(:package).provide :apt, :parent => :dpkg, :source => :dpkg do
|
|
8
8
|
These options should be specified as an array where each element is either a
|
9
9
|
string or a hash."
|
10
10
|
|
11
|
-
has_feature :versionable, :install_options
|
11
|
+
has_feature :versionable, :install_options, :virtual_packages
|
12
12
|
|
13
13
|
commands :aptget => "/usr/bin/apt-get"
|
14
14
|
commands :aptcache => "/usr/bin/apt-cache"
|
@@ -5,7 +5,7 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
|
|
5
5
|
and not `apt`, you must specify the source of any packages you want
|
6
6
|
to manage."
|
7
7
|
|
8
|
-
has_feature :holdable
|
8
|
+
has_feature :holdable, :virtual_packages
|
9
9
|
|
10
10
|
commands :dpkg => "/usr/bin/dpkg"
|
11
11
|
commands :dpkg_deb => "/usr/bin/dpkg-deb"
|
@@ -45,16 +45,18 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
|
|
45
45
|
# Note: self:: is required here to keep these constants in the context of what will
|
46
46
|
# eventually become this Puppet::Type::Package::ProviderDpkg class.
|
47
47
|
self::DPKG_QUERY_FORMAT_STRING = %Q{'${Status} ${Package} ${Version}\\n'}
|
48
|
+
self::DPKG_QUERY_PROVIDES_FORMAT_STRING = %Q{'${Status} ${Package} ${Version} [${Provides}]\\n'}
|
48
49
|
self::FIELDS_REGEX = %r{^(\S+) +(\S+) +(\S+) (\S+) (\S*)$}
|
50
|
+
self::FIELDS_REGEX_WITH_PROVIDES = %r{^(\S+) +(\S+) +(\S+) (\S+) (\S*) \[.*\]$}
|
49
51
|
self::FIELDS= [:desired, :error, :status, :name, :ensure]
|
50
52
|
|
51
53
|
# @param line [String] one line of dpkg-query output
|
52
54
|
# @return [Hash,nil] a hash of FIELDS or nil if we failed to match
|
53
55
|
# @api private
|
54
|
-
def self.parse_line(line)
|
56
|
+
def self.parse_line(line, regex=self::FIELDS_REGEX)
|
55
57
|
hash = nil
|
56
58
|
|
57
|
-
match =
|
59
|
+
match = regex.match(line)
|
58
60
|
if match
|
59
61
|
hash = {}
|
60
62
|
|
@@ -116,6 +118,18 @@ Puppet::Type.type(:package).provide :dpkg, :parent => Puppet::Provider::Package
|
|
116
118
|
|
117
119
|
# list out our specific package
|
118
120
|
begin
|
121
|
+
if @resource.allow_virtual?
|
122
|
+
output = dpkgquery(
|
123
|
+
"-W",
|
124
|
+
"--showformat",
|
125
|
+
self.class::DPKG_QUERY_PROVIDES_FORMAT_STRING
|
126
|
+
).lines.find {|package| package.match(/\[.*#{@resource[:name]}.*\]/)}
|
127
|
+
if output
|
128
|
+
hash = self.class.parse_line(output,self.class::FIELDS_REGEX_WITH_PROVIDES)
|
129
|
+
Puppet.info("Package #{@resource[:name]} is virtual, defaulting to #{hash[:name]}")
|
130
|
+
@resource[:name] = hash[:name]
|
131
|
+
end
|
132
|
+
end
|
119
133
|
output = dpkgquery(
|
120
134
|
"-W",
|
121
135
|
"--showformat",
|
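Review bot: The virtual-package match at new line 126 interpolates `@resource[:name]` into a regex unescaped and unanchored, so characters such as `+` or `.` in a package name are read as regex syntax, and a name matches any Provides list that merely contains it as a substring. Escape and delimit the name, for example `package.match(/\[(.*[ ,])?#{Regexp.escape(@resource[:name])}([ ,(].*)?\]/)`, adjusting the delimiters to the actual `${Provides}` format. `parse_line` is documented to return nil when the line does not match, which would make `hash[:name]` at new line 129 raise; guard the two following lines with `if hash`. The query method starts and ends outside the hunk.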