Age | Commit message | Author | Files | Lines |
|
This is because these methods are also used for deserialization from
other formats than PSON. The method for serializing an object is called
to_data_hash, so it makes sense to call this from_data_hash.
|
|
This commit does several things, all in order to make authorizing API V2
requests a bit easier:
* Renames /v2 to /v2.0, which was chosen because it doesn't conflict
with a legal environment name in the V1 API.
* Adds route chaining so that a handler can deal with a request
prefixed with /v2.0 and then continue on to another route
* Changes how calls to authorization are handled so that full paths
are checked rather than indirection/key pairs.
* Introduces an authorization step in the /v2.0 request chain. This is
currently limited to only handle GET requests (seen as find in
auth.conf).
|
|
This entire test often failed, or hung, because of networking problems.
We get coverage for what it is doing either through unit tests or
through full-system tests that run the webrick server.
|
|
I also took the liberty of adding an add_raw_stanza helper function. It
doesn't really do much, but it seems like a good idea to me to keep the specs
as clean as possible. Maybe having two separate cases for allow &
allow_ip is a bit overzealous, but I guess the overhead is minimal.
|
|
The Puppet::Network::Server had a lot of the same code as the
Puppet::Daemon (closing filehandles, managing a pidfile for locking).
There was a comment in the Server class that indicated that it was not
even clear if the duplicate code was being used.
It turns out that the code was being used, but was incorrect. By turning
on debug and watching the log output of the master, you were able to see
that the close_streams was happening twice, as you would expect by
following the code paths. There is no need for this to happen. In
addition the pidfile is managed twice. This was discovered by
instrumenting the code with a debug statement and noticing that the
pidfile was locked 3 times (one from the server, one from the daemon,
and one more from an unclear location).
Removing all of this turns Puppet::Network::Server into a simple wrapper
around the WeBrick code, reduces the overhead for daemonizing, and
clarifies the pid as lockfile ownership.
|
|
The Puppet::Network::Server class seems to have atrophied over time.
There are multiple redundant or unused code paths in it.
This commit removes the "registration" facility for the network server
to handle certain indirections. There were no users of these outside of
the tests and there is no functionality that they provided. The only
thing the registration of indirection names did was check to see if such
an indirection existed. I believe that at one point these had been meant
to act as a per-server handling facility (as indicated by one of the
test names), but they no longer serve such a purpose.
|
|
PSON is always available and so the pson feature was only used for the
side-effect of requiring the pson files. This commit deprecates the pson
feature and moves the requires to the puppet.rb file so that PSON is
available early on.
|
|
Previously, all of the tests were being skipped because
`Puppet.features.mongrel?` is always false. These tests are no longer
valid as the source it's trying to test has been deleted.
|
|
Without this patch Ruby 1.9 is still complaining loudly about trying to
parse the spec files. The previous attempt to clean up this problem in
edc3ddf works for Ruby 1.8 but not 1.9.
I'd prefer to remove the shebang lines entirely, but doing so will cause
encoding errors in Ruby 1.9. This patch strives for a happy middle
ground of convincing Ruby it is actually working with Ruby while not
confusing it to think it should exec() to rspec.
This patch is the result of the following command run against the source
tree:
    find spec -type f -print0 | \
      xargs -0 perl -pl -i -e 's,^\#\!\s?/(.*)rspec,\#! /usr/bin/env ruby,'
|
|
This moves from using an args hash to required positional arguments for
Puppet::Network::HTTP::WEBrick. Doing this revealed several places where
ignored arguments were passed in, including tests that implied these arguments
were necessary.
|
|
Puppet::Network::Server had a weird reimplementation of required arguments, so
this just uses the built-in language feature of required arguments to methods.
|
|
This was only used to choose between WEBrick and Mongrel for the built-in
server. Since we've removed Mongrel it is now useless.
Paired with: Andy Parker <andy@puppetlabs.com>
|
|
This makes the built-in server always use WEBrick. For anything more
sophisticated you must set up an external server using Rack.
Paired with: Andy Parker <andy@puppetlabs.com>
|
|
This pulls parsing and file management out of the AuthConfig class. It
introduces the AuthConfigParser class which is responsible for parsing and
returning a new AuthConfig instance. Reloading the AuthConfig from a changed
auth.conf is pulled out into Puppet::Network::Authorization, which already had
partial responsibility for this.
Paired-with: Jeff McCune <jeff@puppetlabs.com>
|
|
Since the underlying classes have been merged it doesn't make sense to have
separate spec files.
Paired-with: Jeff McCune <jeff@puppetlabs.com>
|
|
Paired-with: Jeff McCune <jeff@puppetlabs.com>
|
|
This commit splits IP based authorization into its own keywords. The allow and
deny keywords no longer operate on IP addresses. The new keywords function
like allow and deny but operate exclusively on IPv4 and IPv6 addresses.
Back references are currently unsupported for allow_ip and deny_ip.
Without this patch there is a security related issue where Puppet could not
distinguish between a certificate name that contains an IP address (cert auth)
and an IP address itself being used to authenticate (IP based auth). This
patch fixes the problem by separating these out as described above.
Paired-with: Jeff McCune <jeff@puppetlabs.com>
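
The ambiguity this commit message describes, as a simplified model added here for illustration; it is not Puppet's AuthConfig code. `Rule`, `parse_ip`, `name_match?`, `ip_match?`, `ambiguous_allowed?` and `split_allowed?` are hypothetical names, and every certname and address is constructed.

```ruby
require 'ipaddr'

# Simplified model only; NOT Puppet's AuthConfig implementation.
# All names, certnames and addresses here are hypothetical/constructed.
Rule = Struct.new(:keyword, :pattern)

# IPAddr for an IPv4/IPv6 address or CIDR block, nil for anything else.
def parse_ip(pattern)
  IPAddr.new(pattern)
rescue ArgumentError
  nil
end

# Exact certname match, or a leading "*." wildcard such as *.example.com.
def name_match?(pattern, certname)
  if pattern.start_with?('*.')
    certname.downcase.end_with?(pattern[1..-1].downcase)
  else
    pattern.casecmp(certname).zero?
  end
end

# True when the pattern is an address or network that contains ip.
def ip_match?(pattern, ip)
  net = parse_ip(pattern)
  !net.nil? && net.include?(IPAddr.new(ip))
end

# Modelled pre-split behaviour: one keyword, and its value is tested against
# both the certificate name and the source address.
def ambiguous_allowed?(rules, certname:, ip:)
  rules.any? do |r|
    r.keyword == 'allow' &&
      (ip_match?(r.pattern, ip) || name_match?(r.pattern, certname))
  end
end

# Modelled post-split behaviour: `allow` sees only the certname and
# `allow_ip` sees only the source address.
def split_allowed?(rules, certname:, ip:)
  rules.any? do |r|
    case r.keyword
    when 'allow'    then name_match?(r.pattern, certname)
    when 'allow_ip' then ip_match?(r.pattern, ip)
    else false
    end
  end
end

# Intent of both rule sets: only the host at 10.0.0.5 may pass.
OLD_RULES = [Rule.new('allow', '10.0.0.5')]
NEW_RULES = [Rule.new('allow_ip', '10.0.0.5')]

# A request whose certificate name merely looks like the trusted address,
# and a request that really originates from it.
LOOKALIKE = { certname: '10.0.0.5', ip: '203.0.113.9' }
GENUINE   = { certname: 'agent01.example.com', ip: '10.0.0.5' }

puts "single keyword, lookalike certname: #{ambiguous_allowed?(OLD_RULES, **LOOKALIKE)}"
puts "split keywords, lookalike certname: #{split_allowed?(NEW_RULES, **LOOKALIKE)}"
puts "split keywords, genuine source IP:  #{split_allowed?(NEW_RULES, **GENUINE)}"
```

When reviewing an existing auth.conf against this change, any `allow` or `deny` value that parses as an address or CIDR block is the line to re-check, since it now names a certificate rather than a network.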
|
|
There is no longer a meaningful distinction between REST authorization and
XMLRPC authorization. AuthConfig provided a base class for both XMLRPC and
REST. This is a problem because it makes the code difficult to understand in
a world where XMLRPC does not exist. This patch fixes the problem by merging
the behavior of the RestAuthConfig class into the AuthConfig class. The
AuthConfig class is now solely responsible for REST authorization.
Paired-with: Jeff McCune <jeff@puppetlabs.com>
|
|
* 2.7.x:
Use rspec 2.11 compatible block syntax
Conflicts:
spec/integration/faces/ca_spec.rb
spec/integration/network/server/mongrel_spec.rb
spec/unit/application_spec.rb
spec/unit/face/help_spec.rb
spec/unit/network/handler/fileserver_spec.rb
spec/unit/parser/functions/create_resources_spec.rb
spec/unit/provider/nameservice/directoryservice_spec.rb
spec/unit/type/file_spec.rb
spec/unit/type_spec.rb
|
|
In rspec 2.11, expectations on a block must take the form of expect...to or
lambda...should. Other combinations of those are no longer accepted. This
commit converts all mixed cases to use expect...to, as it seems to be the
preferred syntax now.
|
|
* 2.7.x: (26 commits)
Extract host validation in store report processor
Use cross-platform absolute paths in file_serving tests
(#15221) Create /etc/puppet/modules directory for puppet module tool
(Maint:) Fix bad doc strings for two settings ("wether")
Try again to avoid circular dependency in file indirections
Remove useless tests for Envelope
Clear deprecation warnings between tests
Avoid circular requirement in FileMetadata indirection
(Maint) Document common Windows issues
Update CHANGELOG lib/puppet.rb conf/redhat/puppet.spec for 2.7.18
Maint: Note in docs that the file type's "replace" attribute defaults to true
Reject directory traversal in store report processor
Tighten permissions on classfile, resourcefile, lastrunfile, and lastrunreport.
Use "inspect" when listing certificates
Don't allow the creation of SSL objects with invalid certnames
Validate CSR CN and provided certname before signing
Add specs for selector terminuses of file_{content,metadata}
Fix whitespace inside parentheses
Use head method to determine if file is in file bucket
Always use the local file_bucket on master
...
Conflicts:
CHANGELOG
conf/redhat/puppet.spec
lib/puppet.rb
lib/puppet/application/master.rb
lib/puppet/defaults.rb
lib/puppet/file_serving/terminus_selector.rb
lib/puppet/reports/store.rb
lib/puppet/test/test_helper.rb
spec/integration/file_serving/content_spec.rb
spec/integration/file_serving/metadata_spec.rb
spec/shared_behaviours/file_serving.rb
spec/unit/file_serving/terminus_selector_spec.rb
spec/unit/network/handler/ca_spec.rb
test/ral/manager/attributes.rb
|
|
Without this patch some spec files are using `ruby -S rspec` and others
are using `rspec`.
We should standardize on a single form of the interpreter used for spec
files.
`ruby -S rspec` is the best choice because it correctly informs editors
such as Vim with Syntastic that the file is a Ruby file rather than an
Rspec file.
|
|
This will need to be made explicit in a future version, so it's good to
get people to stop using it if possible.
|
|
This is basically a cherry-pick of
ceee8a185250bb6b5f52e56c7ed9457408b6cb0a
from master, which should provide enough variance in
the ports used for webrick/mongrel spec tests to
reduce or eliminate the transient "address already
in use" failures
|
|
Conflicts:
spec/integration/network/server/mongrel_spec.rb
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
|
|
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
|
|
This manually fixes up a pile of Puppet Module Tool conflicts by hand, related
to overlapping changes with nothing but textual translation. The rest of the
merge was smooth and simple.
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
|
|
Without this patch some files exist in the tree that don't have trailing
newlines. This is annoying because perl -pli.bak -e will automatically
add a newline to every file it modifies in place. The files that
actually have modifications by the global search and replace need to be
separated from the files that only have newlines added.
This patch simply adds newlines to everything if they don't exist on the
last line.
Yes, the PNGs are perfectly fine with a trailing newline as well.
|
|
Now we have passing tests on Ruby 1.9, we can make all those tags go away and
enable the full suite. Now anything that fails should be treated like a real
failure, which is reasonable since this is a real and supported platform.
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
|
|
When running more than one instance of the spec suite concurrently on a single
machine, the hard-coded listening ports in some of the integration tests could
lead to failures - when multiple suites hit the same tests at the same time.
This uses a port number based off the PID, which helps ensure we don't get
spurious failures from concurrency.
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
|
|
The Mongrel tests on Ruby 1.9 were highly unreliable, sometimes failing
because they tried to bind a port that was already in use.
This turns out to be because the default shutdown mode is to asynchronously
stop workers - combined with the fact that our test made a TCP connection to
the service, but never actually completed the request.
That led to one thread that dangled, if the socket didn't close in a timely
fashion, and blocked up the listen port.
Instead, two things: first, wait for all threads to terminate (or 60 seconds
to pass) in the stop method, and second, use a full HTTP request to test, not
just a TCP connection with no content.
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
|
|
Major changes include:
* support multiple config files (/etc/puppet, ~/.puppet). we no longer
use "run_mode" to determine the location of the config file.
* remove all references to application run_mode/state from defaults
* make the typing of settings a little more strict
* create a new setting type for directories, to make us a little less vulnerable to the terrible matching algorithm in FileSetting
|
|
This was adding a feature for pson inside of a block that already depended on
the pson feature. This seems unnecessary.
|
|
The XMLRPC code was left in place to ensure backward compatibility with
Puppet 0.24.x clients, but 0.24.x clients haven't been able to talk to
masters since 0.25.6 due to other bugs and incompatibilities.
Therefore, the XMLRPC code has been dead code for a long time and
removing it makes the codebase a lot easier to navigate.
Paired with Patrick Carlisle <patrick@puppetlabs.com>
|
|
TransObject and TransBucket were no longer used except as an intermediate form
when converting between Puppet::Resource and Puppet::Type::Resource. This
removes TransBucket and TransObject entirely and rewrites the conversion
(to_resource) so the intermediate to_trans call is unneeded. There was custom
logic in Puppet::Type::File#to_trans that was moved to a to_resource method.
Backward compatibility with 0.24.x has been broken for some time (0.25.5 is
the last release I've seen that works running a master with 0.24.x agents),
but we removed Network::Handler::Master which depended on TransObject. This is
the beginning of removing XMLRPC code (ticket #8296), which is what in theory
provided the 0.24.x backward compatibility.
Paired with Patrick Carlisle <patrick@puppetlabs.com>
|
|
We no longer use the xmlrpc client in 2.6, so this is dead code. Because
it depends on the legacy SSLCertificates code, which is also going away,
this code needs to be removed. We leave the server code for backward
compatibility with older clients.
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
|
|
Ruby does not support creating symlinks on Windows (though Windows does
support them), and since the tidy spec test is designed to reproduce a
specific bug (as opposed to testing symlink functionality on Windows) it
has been disabled.
Ruby on Windows also does not support File.chmod, so the inspect spec
test has been disabled. The general issue of File.chmod on Windows is
something I know needs to be investigated.
Also disabled the cron spec test as this functionality will not be
supported on Windows (instead there will be task manager support).
Re-enable the autoload spec tests as those now pass on Windows (this is
probably due to the cacher changes recently made).
The inventory ssl spec is not supported on Windows and so is disabled.
However, while researching the failure, it was due to
Time.now.strftime("%Z") returning "Pacific Daylight Time" on Windows,
instead of "PDT" like it does on other platforms. As a result, the split
method was sometimes splitting in the wrong place.
As far as I can tell, the inventory code is only called from the CA (to
keep track of serial numbers for certs that it has issued). But it's
something to watch out for on Windows when calling strftime.
Webrick, fileserver and CA functionality are not supported on Windows so
these spec tests are disabled.
Also fix path issue with catalog spec.
Also several spec tests were creating tempfiles manually and calling
system("rm -rf ..."), these have been replaced with
PuppetSpec::Files.tmpdir.
Reviewed-by: Jacob Helwig <jacob@puppetlabs.com>
(cherry picked from commit 75d2e62cab1de7677463c274892f8920cb7e0cbf)
|
|
We have removed every usage of cached_attr in which the attribute needs to be
manually expired. Thus, the only meaningful behavior provided by
Puppet::Util::Cacher is expiration based on TTLs. This commit reworks the
cacher to only support that behavior.
Rather than accepting an options hash, of which :ttl is the only available
option, cached_attr now requires a second argument, which is the TTL.
TTLs are now used to compute expirations, which are stored and used for
expiring values. Previously, we stored a timestamp and used it and the TTL to
determine whether the attribute was expired. This had the potentially
undesirable side effect that the lifetime of a cached attribute could be
extended after its insertion by modifying the TTL setting for the cache. Now,
the lifetime of an attribute is determined when it is set, and is thereafter
immutable, aside from deliberately re-setting the expiration for that
particular attribute.
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
(cherry picked from commit d198fedf65e472b384666fc9ae3bef487852068a)
Conflicts:
spec/integration/node/facts_spec.rb
spec/unit/node_spec.rb
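
The difference between the two expiry schemes in this commit message, as an added illustration that is not Puppet::Util::Cacher code. `TimestampCache`, `ExpirationCache` and `value_after_ttl_raise` are hypothetical names, and times are plain integer seconds passed in by the caller so the result is deterministic.

```ruby
# Toy caches modelling the two schemes; hypothetical classes, not Puppet's.

# Old scheme: remember when the value was stored, consult the TTL on read.
class TimestampCache
  attr_accessor :ttl

  def initialize(ttl)
    @ttl = ttl
    @store = {}
  end

  def set(key, value, now)
    @store[key] = [value, now]
  end

  def get(key, now)
    value, stamp = @store[key]
    return nil if stamp.nil? || now - stamp >= @ttl
    value
  end
end

# New scheme: compute the expiration once, when the value is stored.
class ExpirationCache
  attr_accessor :ttl

  def initialize(ttl)
    @ttl = ttl
    @store = {}
  end

  def set(key, value, now)
    @store[key] = [value, now + @ttl]
  end

  # Deliberate re-setting of one attribute's expiration, the only way to
  # lengthen its life after insertion.
  def reset_expiration(key, now)
    @store[key][1] = now + @ttl if @store.key?(key)
  end

  def get(key, now)
    value, expires = @store[key]
    return nil if expires.nil? || now >= expires
    value
  end
end

# Store at t=0 with a 10 s TTL, raise the TTL setting to 1000 s, read at t=500.
def value_after_ttl_raise(cache_class)
  cache = cache_class.new(10)
  cache.set(:facts, 'v1', 0)
  cache.ttl = 1000
  cache.get(:facts, 500)
end

puts "timestamp scheme:  #{value_after_ttl_raise(TimestampCache).inspect}"
puts "expiration scheme: #{value_after_ttl_raise(ExpirationCache).inspect}"
```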
|
|
#allowed? was a poorly named method since it isn't actually a predicate
method. Instead of returning a boolean, this method throws an
exception when the access is denied (in order to keep the full context
of what ACE triggered the deny).
Given that #allowed? was overriding the behavior from AuthConfig, we
leave a version of #allowed? in place that will issue a deprecation
warning before delegating to #check_authorization. Once support for
XML-RPC agents is removed from the master, we will be able to remove
this delegation, since there should no longer be a reason for a
distinction between AuthConfig and RestAuthConfig.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
Signed-off-by: Jacob Helwig <jacob@puppetlabs.com>
|
|
Auth.conf, namespaceauth.conf and fileserver.conf were not supporting
trailing inlined comments.
Also this commit fixes some indentation and error management.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
|
The regex used to detect ACE is too lax and would allow trailing
spaces to sneak in, which in turn would confuse the ACE parser.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
|
Due to the interpolation performed to support regex back-references,
various types of rules (mainly IP CIDR notations and wildcard hosts)
were not working anymore.
This patch adds an auth.conf integration test that covers most
of the various rule types.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
|
By running:
    rspec spec --tag ~@fails_on_ruby_1.9.2
We can now just run the specs that pass under Ruby 1.9. Obviously in
the long term we want to have all the specs passing, but until then we
need notification when we regress. From now on new code will be
required to pass under Ruby 1.9, and Jenkins will give us email
notification if it doesn't or if we break something that was already
working.
Reviewed-by: Daniel Pittman <daniel@puppetlabs.com>
|
|
We now use a shebang of: #!/usr/bin/env rspec
This enables the direct execution of spec tests again, which was lost earlier
during the transition to more directly using the rspec2 runtime environment.
|
|
rspec2 automatically sets a bunch of load-path stuff we were doing by hand, so we
can just stop. As a side-effect we can now avoid a whole pile of stupid things
to try and include the spec_helper.rb file...
...and then we can stop protecting spec_helper from evaluating twice, since we
now require it with a consistent name. Yay.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
|
Conflicts:
Rakefile
lib/puppet/resource/type_collection.rb
lib/puppet/simple_graph.rb
lib/puppet/transaction.rb
lib/puppet/transaction/report.rb
lib/puppet/util/metric.rb
spec/integration/indirector/report/rest_spec.rb
spec/spec_specs/runnable_spec.rb
spec/unit/configurer_spec.rb
spec/unit/indirector_spec.rb
spec/unit/transaction/change_spec.rb
|
|
The biggest change is that we no longer need to monkey patch rspec to
get confine behavior. Describe blocks can now be conditional like
confine used to be. "describe" blocks with "shared => true" are now
"shared_examples_for".
Paired-With: Nick Lewis
|
|
Doing a require to a relative path can cause files to be required more
than once when they're required from different relative paths. If you
expand the path fully, this won't happen. Ruby 1.9 also requires that
you use expand_path when doing these requires.
Paired-with: Jesse Wolfe
|
|
If you ran two tests in the following order:
    spec spec/integration/network/server/webrick_spec.rb spec/unit/ssl/certificate_request_spec.rb
You got the following test failure:
    Cannot save me; parent directory /dev/null/ssl/certificate_requests does not exist
Paired-with: Paul Berry
|
|
Replaced uses of the find, search, destroy, and expire methods on
model classes with direct calls to the indirection objects. This
change affects tests only.
|