Removal of the hiera2 bindings code exposed the fact that the test for
logstash logging doesn't require JSON even though it uses it. This adds
a line to require JSON so that it is available when the test runs.
|
|
- Previously tests were writing to the shared
%ALLUSERSPROFILE%\PuppetLabs\puppet directory, and would blow
up if this directory did not exist
- Because this directory was shared from one run to the next, failing
tests could be masked by data generated / used by a locally installed
Puppet
- The stubbing of FileSystem::File.exist? to return true was causing
some tests to attempt to load files like c:\dev\null\foo, which
would cause these tests to fail in isolation, but not when run
within the suite
- Had to change some doc specs under Ruby 1.9 / OSX to verify a value
instead of asserting a method was called, to prevent a stack overflow
- In some unit tests, the process of reading / writing settings caused
issues with test loading, so Puppet.settings.use has been stubbed
|
|
The monolithic settings infrastructure is really hard to work with. In
order to implement the functionality for puppet config print to reliably
be able to print the value of any given section of the configuration I
need to be able to split it apart from the very static structure that
exists inside puppet. This takes a step in that direction by starting
the process of extracting the lookup logic into smaller classes.
|
|
According to https://github.com/tenderlove/psych/issues/149, Syck and
Psych return false when ::YAML.load_file tries to parse an empty file.
Since Puppet::Indirector::Yaml#find calls Puppet::Util::Yaml.load_file
directly, we can't change the semantics of what it returns.
Instead we allow the caller to explicitly specify what the default value
should be.
|
|
(maint) Handle empty or malformed JSON lockfiles
|
|
Given a directory owned by Administrators and group None, and with DACL:

  NT AUTHORITY\SYSTEM:(I)(OI)(CI) 0x1f01ff
  BUILTIN\Administrators:(I)(OI)(CI) 0x1f01ff
  WIN-QP47VOHA2P4\albert:(I)(OI)(CI) 0x1f01ff

where the ACE for the owner is inherited (I). If puppet changed the owner to
Users, it would copy all of the inherited ACEs as-is. But the new owner
would not have any privileges, even though the old owner did. The same is
true for group.

This commit ensures that if we see an inherited ACE for the old owner, we
prepend a new explicit ACE, whose type (allow or deny), flags and mask
grant/deny the same access as the inherited ACE did.

Note that not all flags are valid when setting an ACE, e.g. INHERITED_ACE is
only something you can read, not set.

As a result of this change, when puppet changes the owner from Administrators
to Users the dacl will have the following ACE prepended to the list, with
the existing inherited ACEs copied as-is:

  BUILTIN\Users:(OI)(CI) 0x1f01ff

Note that the new ACE has the same mask as the old one, and has the object
and container inherit flags set.
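
The owner change described in this commit message, modeled as an added Ruby example (not Puppet's code; the `Ace` struct and `dacl_after_owner_change` are hypothetical names). It covers only the inherited-ACE case the message describes and uses the message's DACL as constructed sample input.

```ruby
# Added illustration: a simplified model of the DACL rewrite described in the
# commit message. Ace and dacl_after_owner_change are hypothetical names.
OBJECT_INHERIT_ACE      = 0x01 # (OI)
CONTAINER_INHERIT_ACE   = 0x02 # (CI)
INHERITED_ACE           = 0x10 # (I): can be read from an ACE, not set on one
ACCESS_ALLOWED_ACE_TYPE = 0
ACCESS_DENIED_ACE_TYPE  = 1

Ace = Struct.new(:sid, :type, :flags, :mask) do
  def inherited?
    (flags & INHERITED_ACE) != 0
  end

  # Render in the notation the commit message uses for its DACL listing.
  def to_s
    tags = [[INHERITED_ACE, '(I)'], [OBJECT_INHERIT_ACE, '(OI)'],
            [CONTAINER_INHERIT_ACE, '(CI)']]
    shown = tags.select { |bit, _| (flags & bit) != 0 }.map { |_, tag| tag }.join
    format('%s:%s 0x%x', sid, shown, mask)
  end
end

# For every inherited ACE naming the old owner, prepend an explicit ACE for the
# new owner with the same type and mask and the same flags minus INHERITED_ACE.
def dacl_after_owner_change(dacl, old_owner, new_owner)
  explicit = dacl.select { |ace| ace.sid == old_owner && ace.inherited? }.map do |ace|
    Ace.new(new_owner, ace.type, ace.flags & ~INHERITED_ACE, ace.mask)
  end
  explicit + dacl # existing inherited ACEs are copied as-is
end

# Constructed sample: the DACL quoted in the commit message.
FULL_CONTROL = 0x1f01ff
I_OI_CI = INHERITED_ACE | OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
SAMPLE_DACL = [
  Ace.new('NT AUTHORITY\SYSTEM', ACCESS_ALLOWED_ACE_TYPE, I_OI_CI, FULL_CONTROL),
  Ace.new('BUILTIN\Administrators', ACCESS_ALLOWED_ACE_TYPE, I_OI_CI, FULL_CONTROL),
  Ace.new('WIN-QP47VOHA2P4\albert', ACCESS_ALLOWED_ACE_TYPE, I_OI_CI, FULL_CONTROL)
].freeze

if __FILE__ == $PROGRAM_NAME
  puts dacl_after_owner_change(SAMPLE_DACL, 'BUILTIN\Administrators', 'BUILTIN\Users')
end
```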
|
|
Creates objects for modeling windows security descriptors, access control
lists, and access control entries.
|
|
This deprecates run_and_capture from SUIDManager for
Puppet::Util::Execution.execute(). Run and capture is returning $CHILDSTATUS
where execute returns an exit status as part of output. This means that run and
capture could have potential issues when being used, especially with Windows
which is known to have issues due to the truncation of exit codes greater than
256.
|
|
If a JSON lockfile was empty or had malformed JSON, it would raise a
PSON::ParserError and could lead to application failures with an unclear
cause. This commit changes the JSON lockfile behavior to treat empty or
malformed file contents as nil and generate warnings when the file
contents are malformed JSON.
|
|
Previously, we made assumptions about the layout of the CERT_CONTEXT
structure, specifically that PCERT_INFO (pointer to CERT_CONTEXT) was an
unsigned 32-bit integer ('L'), and magically accessed the size of the
returned structure as arr[2]. We were also memcpying 40 bytes, which was
larger than the size of the CERT_CONTEXT structure in both x86 and x64 and
was the cause of infrequent segmentation faults.
This commit uses FFI to define the layout of the CERT_CONTEXT structure, uses
named fields, e.g. [:cbCertEncoded], to access offsets within the structure,
and uses the FFI::Pointer#null? method to check for NULL pointer.
Note that we use FFI::Pointer and not MemoryPointer, because the
CertEnumCertificatesInStore function is responsible for freeing the
previous CERT_CONTEXT pointer, not us.
Also in the motto of "don't stub what you don't own" it exercises the Win32
APIs to make the tests more meaningful.
|
|
The ProcessOutput class was lonely over in the puppet/process directory.
Not only did it have the wrong name, but it had no friends. This moves
it to Puppet::Util::Execution so that it can be with its friends and
also gives it some more documentation and a public tag so that others
can know how great it is.
|
|
This fixes the incorrect exitstatus being returned when a process
is run on Windows. There is an outstanding bug with Ruby
(https://bugs.ruby-lang.org/issues/8083) where it truncates the
exit codes to one byte values. Due to this an exit code of 3010
is currently truncated to 194.
Puppet accurately receives the exit code but was then ignoring
that and only returning the output. $CHILD_STATUS was then being
queried, and due to the aforementioned bug, was returning the
truncated return code. This means that anything above 256 would
be returned incorrectly.
This removes the private method Puppet::Util::SUIDManager.run_and_capture()
in favor of a more simplified call to Puppet::Util::Execution.execute().
This was done as run_and_capture was only being called by
Puppet::Provider::Exec.run(). This also removes the call to $CHILD_STATUS
which may clear up some other race conditions with capturing the proper
$CHILD_STATUS.
Paired with Andrew Parker <andy@puppetlabs.com>
|
|
Conflicts:
lib/puppet/provider/package/windows.rb
|
|
into stable"
Reverting as this should have been targeted at 3.4.0 (on master).
This reverts commit 1f3ea533b06ccf5188f5dd371da722e7c84dc904, reversing
changes made to f4c7e8b7a67ae5ae60b0be12b97f12b6c3673291.
|
|
Conflicts:
lib/puppet/provider/package/windows.rb
|
|
The ProcessOutput class was lonely over in the puppet/process directory.
Not only did it have the wrong name, but it had no friends. This moves
it to Puppet::Util::Execution so that it can be with its friends and
also gives it some more documentation and a public tag so that others
can know how great it is.
|
|
The run_and_capture method was removed, so the tests aren't needed
anymore.
|
|
This fixes the incorrect exitstatus being returned when a process
is run on Windows. There is an outstanding bug with Ruby
(https://bugs.ruby-lang.org/issues/8083) where it truncates the
exit codes to one byte values. Due to this an exit code of 3010
is currently truncated to 194.
Puppet accurately receives the exit code but was then ignoring
that and only returning the output. $CHILD_STATUS was then being
queried, and due to the aforementioned bug, was returning the
truncated return code. This means that anything above 256 would
be returned incorrectly.
This removes the private method Puppet::Util::SUIDManager.run_and_capture()
in favor of a more simplified call to Puppet::Util::Execution.execute().
This was done as run_and_capture was only being called by
Puppet::Provider::Exec.run(). This also removes the call to $CHILD_STATUS
which may clear up some other race conditions with capturing the proper
$CHILD_STATUS.
Paired with Andrew Parker <andy@puppetlabs.com>
|
|
* ticket/master/19447-windows-symlinks-unlink-abstraction:
(#19447) Puppet::FileSystem::File.unlink
Closes GH-2063
|
|
joshcooper/ticket/master/21817-ignore-duplicate-certs
(#21817) Ignore duplicate certs
|
|
- All previous File.unlink calls go through the new FileSystem::File
abstraction so that the implementation can later be swapped for a
Windows specific one to support symlinks
|
|
- All previous File and FileTest calls to exist? or exists? go through
the new FileSystem::File abstraction so that the implementation can
later be swapped for a Windows specific one to support symlinks
|
|
- All calls to File class stat / lstat go through the new
FileSystem::File abstraction so that the implementation can later
be swapped for a Windows specific one to support symlinks
|
|
* upstream/stable:
(maint) Fix acceptance harness and tests for windows vcloud templates
(#22878) Scope call to CloseHandle
|
|
(#21241) Allow process priority to be specified
|
|
Previously, the win32-process gem used to extend Windows::Handle from the
windows-pr gem, so that the Process.CloseHandle method was available.
However, newer versions of the win32-process gem that are based on ffi, do
not extend Windows::Handle, so the Process.CloseHandle method is not defined.
This commit modifies puppet to call a version of CloseHandle which we
control, and therefore is guaranteed to exist.
|
|
improve tag performance
|
|
jpartlow/issue/master/22180-fix-rdoc-parsing-on-ruby-1.9
Issue/master/22180 fix rdoc parsing on ruby 1.9
|
|
RDoc 2+ has an RDoc::ClassModule.add_comment(comment,location) method
which is the preferred method of setting comments for a class. RDoc
shipping with Ruby 1.9 seems to fall back to using the @comment, which
is how rdoc1 handled this, but Ruby 2.0's rdoc seems to be stricter and
requires use of add_comment.
This patch overrides the add_comment method in our PuppetModule,
PuppetClass, PuppetNode code objects with a version compatible with
either rdoc1 or 2. It also tests for module level README comments being
incorporated.
|
|
There were a number of rdoc1 features (tracking of included, required
modules, realized virtual resources, all resources when :document_all
setting is true, and global variables) which had not been functioning
due to the parser wrapping statements in
Puppet::Parser::AST::BlockExpression instances now rather than
Puppet::Parser::AST::Array instances.
This is now fixed so that these areas are documented when using rdoc1.
Only included classes are documented in rdoc2, however. Documenting the
remaining elements would require writing a new renderer.
|
|
Tags were being stored in an array, which is inefficient as the number of tags
grows. This commit changes Puppet::Util::Tagging to store tags in a set. A new
class is added, Puppet::Util::TagSet, which subclasses the built in set while
allowing it to be compatible with the old serialization format.
|
|
* stable: (240 commits)
(#22847) Restrict WMI group / user queries
(maint) Explicit vcloud paths for pe nodes
(#22324) Disable puppet listen on master/agent nodes
(docs) Clarify Windows' handling of primary groups
(maint) Coppy in the node configurations and pre-suite for pe test runs
(maint) Remove stale vagrant support
(#22324) Confine external_ca_support test not to run on PE
(#22324) Loosen the host regex for package apply test on debian
(maint) Fix default secs for destroy preserved hosts task
(maint) Default xml output for beaker runs.
(maint) Remove typo '3' in module_utils
(maint) Check jenkins queueItem as well for a pending job
(#22324) Puppet cert generate tests do not clear master ssl dir
(#22324) Reports submission test checks puppetdb on pe runs
(#22810) Fix rpm provider query method
(#22804) Check for encoding support more robustly
(#22324) Determine user/group from puppet configuration
(#22324) Confine puppet manages own configuration test not to run on pe
(#22324) Remove redundant without_installed_modules test
(#22324) Fix modules/install/already_installed tests for pe
...
Conflicts:
acceptance/tests/databinding/hiera/auto_lookup_for_class_parameters.rb
acceptance/tests/databinding/hiera/bind_data_with_puppet_backend.rb
Resolved in favor of master having removed these tests in 75ab42.
|
|
- Querying win32_useraccount or win32_group on a domain can yield
a large request to AD for user / group objects, that may number in
the tens of thousands in large organizations
- This can cause a lot of stress on AD and the network to retrieve all
of these results, which are ultimately unused in the existing code
anyhow
- The solution involves simply restricting the queries to the local
machine
|
|
* ticket/master/17031-windows-group-provider:
(#17031) Prefer the domain component from the resolved SID
(#17031) Use SIDs to modify ADSI group membership
(#17031) Puppet::Util::ADSI.sid_uri
(#17031) group type #insync? #is_to_s #should_to_s
(#17031) Parse ADSI usernames -> domain / account
(#17031) Add SID.name_to_sid_object
(#17031) Add SID.octet_string_to_sid_object
(maint) .gitignore add .idea
|
|
- New #add_member_sid / #remove_member_sid methods do the heavy
lifting inside of Puppet::Util::ADSI::User to add / remove group
members instead of relying on string names
- Expose a new Puppet::Util::ADSI::User#sid method that returns
a Win32::Security::SID instance with account, domain, and raw SID
- Puppet::Util::ADSI::User#uri method now uses the #sid account and
domain to build a URI
- Since #uri now relies on #sid, which converts the binary value from
the #native_user.objectSID byte array, the @native_user is initially
populated by generating a throwaway uri built by parsing @name.
This prevents a circular reference. This effectively means the
original given @name is parsed and given to ADSI.connect, and on
connect, the raw SID generates a SID object. Alternatively, a SID
could have been generated by Win32::Security::SID first, its domain
and account values then used to retrieve @native_user.
Original semantics around @native_user were kept intact to prevent
breaking existing callers. In practice, this should have no effect.
- Due to dependence on Windows::Security, some tests are now run only
on Windows. This was a trade off where it would have been possible
to add an initializer param for @sid to Puppet::Util::ADSI::User, but
it seemed cleaner not to
|
|
- Allow for creation of WinNT://<SID> style uris
|
|
- User names were previously naively accepted without checking if
they were qualified with a host or domain
|
|
- Simple wrapper around creating new SID instances
- Used to insulate tests from Win32::Security
- Existing name_to_sid now delegates to this method
|
|
It was hard to understand what this method was doing, and once I got it, I
noticed it wasn't quite doing what it claimed. (It was cheating -- grabbing the
indent of the second line with text and assuming that was the least common
indent. This meant you could break it by starting a doc fragment with a line of
text, two newlines, and an indented block of example code.)
This commit replaces it with something more clear and correct, as well as some
comments explaining what we expect it to do. We also trim trailing whitespace,
while we're at it; this costs some speed, but should make it even more
reliable/useful.
We also add tests for scrub in this commit, at spec/unit/util/docs_spec.rb.
|
|
- This will allow a WIN32OLE instance returned by the connect method
to convert its objectSID property (an octet stream / array of bytes)
to a standard user friendly SID object
|
|
This pull request implements logdest for puppet runs as using
a structured log format for logstash (json, eventlog, schema can be
found at https://logstash.jira.com/browse/LOGSTASH-675 ).
|
|
This commit adds a Puppet::Util::Limits module for specifying process
priority, and mixes the module into Puppet::Util::CommandLine. Since
the CommandLine is the application entry point for puppet it seemed
sensible to have it set the process priority there, and to have it done
as early as possible.
Another option would have been to set the priority in the base
Application, after the application-specific settings have been
initialized. But this would mean you couldn't set the process priority
when puppet executes an ExternalSubcommand-based application.
As it stands now, it's not possible to have different priorities for
different sections, e.g. agent vs master, in puppet's configuration
file.
|
|
Previously, SSL connections initiated by the puppet agent on windows, e.g.
puppet module install, would cause the agent to terminate if the 'Root' store
on Windows contained duplicate certificates.
This commit ensures that we only add unique certificates to the X509 store.
Also, if we fail to add a certificate to the store, we issue a warning and
continue.
|
|
* upstream/stable:
(Maint) Stop asserting nothingness
(Maint) Don't keep Tempfile open while specs are running
(Maint) TestHelper already clears global state
|