path: root/spec/unit/provider/group
Age | Commit message | Author | Files | Lines
2014-06-19 | (PUP-839) Remove SID mixin from Security | Ethan J. Brown | 1 | -5/+5
- SID methods can really stand alone on their own, and should for the sake of sanity / code maintenance. Adjust all callsites (including specs) accordingly.
- Make SID methods into static module_functions since they're already stateless
2014-05-22 | (PUP-2544) Util::ADSI -> Util::Windows::ADSI | Ethan J. Brown | 1 | -12/+12
- Move Windows ADSI code out of puppet/util and into puppet/util/windows
- Update namespace from Puppet::Util::ADSI to Puppet::Util::Windows::ADSI
- Add module / class definitions for ADSI to util/windows.rb to prevent tests from blowing up on non-Windows
- Moving Puppet.features.microsoft_windows? checks to top of user and group provider tests for ADSI
- Update all dependent code, remove unnecessary references
2014-02-05 | (PUP-1559) Ensure ADSI Group SIDs may be looked up | Ethan J. Brown | 1 | -0/+1
- Previously, calling Puppet::Util::ADSI::Group.exists? for a well-known group SID would return false, because the WinNT:// style URI used to find the group would not examine / lookup the SID, but would instead create a broken Uri that the underlying OS could not understand
- Now, the given group name is checked to see if it's a SID before the Uri is constructed, and a SID style Uri is created where appropriate
Paired-with: Joshua Partlow <jpartlow@puppetlabs.com>
2014-01-17 | Revert "Merge branch 'ticket/master/18342-windows-file-setting-owner-group'" | Iristyle | 1 | -1/+0
This reverts commit cf4501c7a97c106994c2ef81756c2081f56feeef, reversing changes made to fcf482aa85708fe20f38cd96d6d92fc58ee78cf6.
2014-01-14 | (PUP-266) Ensure ADSI Group SIDs may be looked up | Ethan J. Brown | 1 | -0/+1
- Previously, calling Puppet::Util::ADSI::Group.exists? for a well-known group SID would return false, because the WinNT:// style URI used to find the group would not examine / lookup the SID, but would instead create a broken Uri that the underlying OS could not understand
- Now, the given group name is checked to see if it's a SID before the Uri is constructed, and a SID style Uri is created where appropriate
2013-10-14 | Merge branch 'stable' | Josh Partlow | 1 | -1/+1
* stable: (240 commits)
  (#22847) Restrict WMI group / user queries
  (maint) Explicit vcloud paths for pe nodes
  (#22324) Disable puppet listen on master/agent nodes
  (docs) Clarify Windows' handling of primary groups
  (maint) Copy in the node configurations and pre-suite for pe test runs
  (maint) Remove stale vagrant support
  (#22324) Confine external_ca_support test not to run on PE
  (#22324) Loosen the host regex for package apply test on debian
  (maint) Fix default secs for destroy preserved hosts task
  (maint) Default xml output for beaker runs.
  (maint) Remove typo '3' in module_utils
  (maint) Check jenkins queueItem as well for a pending job
  (#22324) Puppet cert generate tests do not clear master ssl dir
  (#22324) Reports submission test checks puppetdb on pe runs
  (#22810) Fix rpm provider query method
  (#22804) Check for encoding support more robustly
  (#22324) Determine user/group from puppet configuration
  (#22324) Confine puppet manages own configuration test not to run on pe
  (#22324) Remove redundant without_installed_modules test
  (#22324) Fix modules/install/already_installed tests for pe
  ...
Conflicts:
  acceptance/tests/databinding/hiera/auto_lookup_for_class_parameters.rb
  acceptance/tests/databinding/hiera/bind_data_with_puppet_backend.rb
Resolved in favor of master having removed these tests in 75ab42.
2013-10-11 | (#22847) Restrict WMI group / user queries | Ethan J. Brown | 1 | -1/+1
- Querying win32_useraccount or win32_group on a domain can yield a large request to AD for user / group objects, that may number in the tens of thousands in large organizations
- This can cause a lot of stress on AD and the network to retrieve all of these results, which are ultimately unused in the existing code anyhow
- The solution involves simply restricting the queries to the local machine
2013-10-09 | (#17031) Prefer the domain component from the resolved SID | Josh Cooper | 1 | -4/+8
Previously, the `members_to_s` message included the SID string which was difficult to read when the group has more than a few members.

Also, given a manifest with a fully qualified member:

    members => ['.\Administrator']

The resulting `members changed` message contained:

    BUILTIN\.\Administrator

This is because `Win32::Security::SID#account` returns the value originally passed to the constructor, .\Administrator. This doesn't actually affect the group membership, since we always use the SID string in the ADSI connection string, e.g.

    WinNT://S-1-5-32-*

This commit changes the message to prefer the domain component from the resolved sid, e.g. SID#domain, instead of the value the user entered, as the former is the canonical version. It also only prints the SID for each member when debugging is enabled.
2013-10-09 | (#17031) Use SIDs to modify ADSI group membership | Ethan J. Brown | 1 | -3/+66
- New #add_member_sid / #remove_member_sid methods do the heavy lifting inside of Puppet::Util::ADSI::User to add / remove group members instead of relying on string names
- Expose a new Puppet::Util::ADSI::User#sid method that returns a Win32::Security::SID instance with account, domain, and raw SID
- Puppet::Util::ADSI::User#uri method now uses the #sid account and domain to build a URI
- Since #uri now relies on #sid, which converts the binary value from the #native_user.objectSID byte array, the @native_user is initially populated by generating a throwaway uri built by parsing @name. This prevents a circular reference. This effectively means the original given @name is parsed and given to ADSI.connect, and on connect, the raw SID generates a SID object. Alternatively, a SID could have been generated by Win32::Security::SID first, its domain and account values then used to retrieve @native_user. Original semantics around @native_user were kept intact to prevent breaking existing callers. In practice, this should have no effect.
- Due to dependence on Windows::Security, some tests are now run only on Windows. This was a trade off where it would have been possible to add an initializer param for @sid to Puppet::Util::ADSI::User, but it seemed cleaner not to
2013-05-30 | (#20768) Only query on the name field | Josh Cooper | 1 | -1/+1
Previously, we loaded entire WMI objects from the query, assuming they were needed by the ADSI objects. But this was incorrect and never worked. Since we only need the User and Group names, we can select only those fields.
2013-02-08 | (#7911) Update pw provider specs to account for options hash passed to execute for creates | John Julien | 1 | -5/+5
2013-02-08 | (#7911) Fixed Libuser.getconf, updated unit specs, removed conflicting expiry fix | John Julien | 1 | -5/+5
This commit changes the Puppet::Util::Libuser module to look for libuser.conf in its new /etc/puppet/provider/libuser.conf location. It also updates Puppet::Features::Libuser to only return true if the config file as well as the binaries are found. Updated the useradd and groupadd specs to expect :execute when called from create to now have 2 parameters. A command and an options hash. During my work on this feature I added an expiry getter since the builtin getter didn't retrieve the correct values. Before this patch was merged another commit came along that also set the proper getter. So I removed mine as it caused a conflict.
2013-02-08 | (#7911) Removed custom exception class for duplicate UID/GID. Using Puppet::Error now | John Julien | 1 | -2/+2
2013-02-08 | (#7911) Stabilized providers when using libuser commands so it would behave identical to the existing providers | John Julien | 1 | -2/+14
Performed exhaustive analysis of the differences between useradd/groupadd and luseradd/lgroupadd and coded around these differences to ensure that the useradd/groupadd providers behave identically with and without the forcelocal parameter being set. The only difference being a local account is always created and managed when forcelocal is set to true.

The commands are very similar for the most part so there was not a huge need to diverge from the original code. In all but one of the cases that did arise the solution was to make a subsequent usermod or groupmod call after the luseradd/lgroupadd command. Since the usermod/groupmod commands will always act on local accounts first, this achieves the desired effect.

The one case where a subsequent call would not suffice was the use of the allowdupe parameter. By default libuser will allow duplicate uid/gid where useradd/groupadd require an explicit -o. The work around was to manually do a local check for a duplicate if using the libuser library and not intending to allow duplicates. If a duplicate is found Puppet raises a DuplicateUID or DuplicateGID exception.
2013-02-08 | (#7911) Added support for managing local users. Also created Puppet::Util::Libuser for better reuse of common code. | John Julien | 1 | -1/+1
2013-02-08 | (#7911) Allow managing local groups when duplicate names exist in a remote NSS database e.g. LDAP. | John Julien | 1 | -0/+18
Some applications require local accounts and the useradd/groupadd commands currently used by the provider will not create a local account if they already exist remotely. The libuser commands luseradd/lgroupadd will allow a local name to duplicate a remote name. So these commands are used to force the local account creation.

The libuser commands parse /etc/libuser.conf to determine which modules to use for creating users. Files must be the module used to get the desired local account management. Because of this, it is necessary for Puppet to ship a libuser.conf file, which will only be used during a Puppet run, to ensure local account management. The libuser.conf file used by the luseradd/lgroupadd commands can be overridden by setting the environment variable LIBUSER_CONF. Which is what Puppet does to make sure its version of the configuration file is used
2012-10-24 | Merge remote-tracking branch 'upstream/2.7.x' into 3.0.x | Andrew Parker | 1 | -2/+2
* upstream/2.7.x:
  (#16581) Refactor code for sid validation
  (#16581) Deprecate sid_for_account
  (#16581) Use native Win32 APIs to resolve SIDs in file provider
  (#16581) Use native Win32 APIs to resolve SIDs in providers
  (#16581) Documentation changes
  (#16581) Use win32-security gem to resolve SIDs
  (#16581) Refactor code for converting string and binary sids
Conflicts:
  Gemfile.lock
  lib/puppet/util/windows.rb
2012-10-19 | (#16581) Use native Win32 APIs to resolve SIDs in providers | Josh Cooper | 1 | -2/+2
Previously, the Windows user, group, and scheduled_task providers used WMI to resolve SIDs, but it is very slow in a domain environment. This commit changes the providers to use the `Puppet::Util::Windows::SID` module instead, and has been observed to be 6000 times faster.
2012-09-26 | (Maint) Remove rspec from shebang line | Jeff McCune | 3 | -3/+3
Without this patch Ruby 1.9 is still complaining loudly about trying to parse the spec files. The previous attempt to clean up this problem in edc3ddf works for Ruby 1.8 but not 1.9.

I'd prefer to remove the shebang lines entirely, but doing so will cause encoding errors in Ruby 1.9. This patch strives for a happy middle ground of convincing Ruby it is actually working with Ruby while not confusing it to think it should exec() to rspec.

This patch is the result of the following command run against the source tree:

    find spec -type f -print0 | \
      xargs -0 perl -pl -i -e 's,^\#\!\s?/(.*)rspec,\#! /usr/bin/env ruby,'
2012-09-04 | Merge remote-tracking branch 'origin/2.7.x' into 3.x | Daniel Pittman | 1 | -30/+36
2012-09-01 | (#15959) Fix groupadd/useradd spec when run on non-linux systems | Stefan Schulte | 1 | -2/+2
The groupadd and useradd spec will only work if groupadd / useradd are the default provider for the group / user type. Explicitly set the provider in the spec tests so they can e.g. also run on MacOSX.
2012-08-18 | (#15959) Do not support system group on Solaris and HP-UX | Stefan Schulte | 1 | -4/+14
According to

    http://nixdoc.net/man-pages/hp-ux/man1/groupadd.1m.html
    http://docs.oracle.com/cd/E19963-01/html/821-1462/groupadd-1m.html

neither Solaris nor HP-UX support the -r switch to create system groups so the groupadd provider should not claim to support system_groups on these platforms.
2012-08-18 | maint: Reduce stubbing in groupadd spec | Stefan Schulte | 1 | -25/+16
It seems to be more reliable to work with real objects instead
2012-08-18 | maint: Rearrange tests in groupadd unittests | Stefan Schulte | 1 | -24/+29
Tests are now ordered by method, so if modifications have to be done in the provider code, it will be easier to track the according spec tests that have to be changed.
2012-07-02 | (maint) Standardize on /usr/bin/env ruby -S rspec | Jeff McCune | 3 | -3/+3
Without this patch some spec files are using `ruby -S rspec` and others are using `rspec`. We should standardize on a single form of the interpreter used for spec files. `ruby -S rspec` is the best choice because it correctly informs editors such as Vim with Syntastic that the file is a Ruby file rather than an Rspec file.
2012-01-17 | (#11046) Improve pw group provider on FreeBSD | Tim Bishop | 1 | -0/+81
Make the pw group provider on FreeBSD support managing group members. Also readd the allowdupe feature since in testing on FreeBSD 7, 8 and 9 the -o flag to pw works as documented. Add tests for the provider.
Reviewed-by: Patrick Carlisle <patrick@puppetlabs.com>
2011-10-04 | Merge branch 'ticket/2.7.x/9459-user-group-failures' into 2.7.x | Josh Cooper | 1 | -6/+22
* ticket/2.7.x/9459-user-group-failures:
  (#9459) Fix problems with Windows 'user' and 'group' providers.
Conflicts:
  spec/unit/provider/user/windows_adsi_spec.rb
2011-09-29 | (#9328) Retrieve user and group SIDs on windows. | Cameron Thomas | 1 | -2/+7
This commit implements the ID get-method for Windows 'user' and 'group' providers. Prior to this commit, 'puppet resource {user,group}' would not return an id property for each resource. With this change, the Windows user/group security identifier (SID) is provided as the id. The uid and gid properties are read only. Setting these values is still not supported for Windows providers, and attempting to set either property will result in a failure message. Attempting to set the user 'gid' or 'shell' properties will likewise fail. Spec tests have been updated.
2011-09-28 | (#9459) Fix problems with Windows 'user' and 'group' providers. | Cameron Thomas | 1 | -6/+22
This commit corrects several problems with the Windows 'user' and 'group' providers, Puppet::Util::ADSI helper class. The 'user' provider failed to add the username to the set of groups specified in the 'groups' property when creating a new user, due to the provider trying to enumerate a user's group membership before the underlying ADSI user object was saved. Any group referenced in the property must exist prior to creating the resource. The 'group' provider failed to save a newly-created resource, due to a missing 'flush' method, which in turn calls the 'Puppet::Util::ADSI.commit' (save) method. It also had the same problem when creating a new group and trying to add members to it, before the underlying ADSI group object was saved. Windows does not allow user and groups to share the same name, and when attempted the ADSI connection would throw a misleading exception referring to an 'invalid moniker'. The 'user' provider will now raise an error if it attempts to create a resource when a like-named group already exists, and vice-versa. Spec tests were updated to reflect code changes. Added expectation sequence to ensure newly created users and groups are committed before making the ADSI connection.
2011-08-19 | (#8409) Add a default group provider for Windows | Nick Lewis | 1 | -0/+79
This provider, windows_adsi, uses the Puppet::Util::ADSI module to manage groups. It can only manage group existence and memberships, but is fully functional in those regards.
Based on work by: Joel Rosario <joel.r@.internal.directi.com>
Based on work by: Cameron Thomas <cameron@puppetlabs.com>
Reviewed-By: Matt Robinson <matt@puppetlabs.com>
(cherry picked from commit 01f09f5f395bab66b90a4e81e958aa89025977b4)
2011-08-18 | maint: remove inaccurate copyright and license statements. | Daniel Pittman | 1 | -4/+0
For a while Luke, and other authors, injected a created tag, copyright statement, and "All rights reserved" into every new file they added to the Puppet project. This isn't really true, and we have a global license covering the code, so we have now stripped out all those old tags.
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
2011-04-13 | Merge branch '2.6.x' into next | Max Martin | 1 | -1/+11
* 2.6.x:
  Updated CHANGELOG for 2.6.8rc1
  (#2331) Remove darwinports pkg provider, replace with rewritten macports provider
  Fixed #7082 - Added system support for groups
  (#7018) Give more context on the service type's assumptions.
  Wording tweaks.
  (#7018) explain internals better in service provider documentation
  maint: Fix sqlite3 require to really be optional
  maint: Fix sporadic sqlite error
  (#6818) Stop from getting Rails 3 named_scope deprecation warning
  (#6856) Copy dangling symlinks with 'links => manage' File resource.
Conflicts (Resolved manually):
  lib/puppet/type/group.rb
  spec/unit/indirector/facts/inventory_active_record_spec.rb
2011-04-14 | Fixed #7082 - Added system support for groups | James Turnbull | 1 | -1/+11
2011-04-13 | maint: clean up the spec test headers in bulk. | Daniel Pittman | 2 | -3/+2
We now use a shebang of:

    #!/usr/bin/env rspec

This enables the direct execution of spec tests again, which was lost earlier during the transition to more directly using the rspec2 runtime environment.
2011-04-08 | maint: just require 'spec_helper', thanks rspec2 | Daniel Pittman | 2 | -2/+2
rspec2 automatically sets a bunch of load-path stuff we were by hand, so we can just stop. As a side-effect we can now avoid a whole pile of stupid things to try and include the spec_helper.rb file...

...and then we can stop protecting spec_helper from evaluating twice, since we now require it with a consistent name. Yay.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
2010-12-06 | maint: Use expand_path when requiring spec_helper or puppettest | Matt Robinson | 2 | -2/+2
Doing a require to a relative path can cause files to be required more than once when they're required from different relative paths. If you expand the path fully, this won't happen. Ruby 1.9 also requires that you use expand_path when doing these requires.
Paired-with: Jesse Wolfe
2010-07-09 | Code smell: Two space indentation | Markus Roberts | 2 | -99/+99
Replaced 106806 occurrences of ^( +)(.*$) with

The ruby community almost universally (i.e. everyone but Luke, Markus, and the other eleven people who learned ruby in the 1900s) uses two-space indentation.

3 Examples:

The code:
end # Tell getopt which arguments are valid def test_get_getopt_args element = Setting.new :name => "foo", :desc => "anything", :settings => Puppet::Util::Settings.new assert_equal([["--foo", GetoptLong::REQUIRED_ARGUMENT]], element.getopt_args, "Did not produce appropriate getopt args")
becomes:
end # Tell getopt which arguments are valid def test_get_getopt_args element = Setting.new :name => "foo", :desc => "anything", :settings => Puppet::Util::Settings.new assert_equal([["--foo", GetoptLong::REQUIRED_ARGUMENT]], element.getopt_args, "Did not produce appropriate getopt args")

The code:
assert_equal(str, val) assert_instance_of(Float, result) end # Now test it with a passed object
becomes:
assert_equal(str, val) assert_instance_of(Float, result) end # Now test it with a passed object

The code:
end assert_nothing_raised do klass[:Yay] = "boo" klass["Cool"] = :yayness end
becomes:
end assert_nothing_raised do klass[:Yay] = "boo" klass["Cool"] = :yayness end
2010-06-28 | [#3994-part 3] rename spec tests from *_spec_spec to *_spec.rb | Markus Roberts | 2 | -0/+0
Part 2 re-did the change on the spec files, which it shouldn't have.
2010-06-28 | [#3994-part 2] rename integration tests to *_spec.rb | Markus Roberts | 2 | -0/+0
Some spec files like active_record.rb had names that would confuse the load path and get loaded instead of the intended implementation when the spec was run from the same directory as the file.
Author: Matt Robinson <matt@puppetlabs.com>
Date: Fri Jun 11 15:29:33 2010 -0700
2010-06-23 | [#3994] rename the specs to have _spec.rb at the end | Markus Roberts | 2 | -0/+0
Some spec files like active_record.rb had names that would confuse the load path and get loaded instead of the intended implementation when the spec was run from the same directory as the file.
Author: Matt Robinson <matt@puppetlabs.com>
Date: Fri Jun 11 15:29:33 2010 -0700
2008-07-07 | Fixed #1272 - ldap group names will be converted to GIDs. | Luke Kanies | 1 | -0/+25
Note that this only looks up ldap groups, at this point; if you want to set an ldap user's primary group to a local group, you have to specify the GID.
Signed-off-by: Luke Kanies <luke@madstop.com>
2008-06-16 | Fixed #1360 -- allowdupe works with groups again. | Luke Kanies | 1 | -0/+31
I've added a couple of tests for this bit of the user and group useradd/groupadd providers, but I haven't migrated the rest of the tests.
2008-05-21 | The ldap user/group providers now work when no users/groups are in ldap yet. | Luke Kanies | 1 | -4/+18
Previously, they failed if you tried to get them to autogenerate an id, because they assumed that a result would be returned.
2008-05-12 | Adding ldap providers for the user and group type. | Luke Kanies | 1 | -0/+66
These providers use posixAccount and posixGroup. This is a collapsed merge, fwiw.