Age | Commit message | Author | Files | Lines |
|
Previously, when puppet initiated SSL connections, e.g. puppet agent,
puppet module, etc., it could downgrade to SSLv3.
This commit ensures puppet will not downgrade to SSLv3 by setting the
`OpenSSL::SSL::OP_NO_SSLv3` bit. However, unlike SSLv2, we cannot remove
SSLv3 ciphersuites, since they are the same ones used in TLSv1. From the
openssl ciphers man page, "The TLSv1.0 ciphers are flagged with SSLv3".
[1] https://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html
|
|
Previously, puppet's webrick server did not specify which ciphersuites
it would accept. Depending on the ruby and openssl, the default set of
ciphersuites is:
$ ruby -ropenssl -e 'puts OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]'
ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
Note that "ALL:!ADH" does not exclude AECDH, and the default param
string includes "LOW", e.g. DES-CBC-SHA.
This commit updates the webrick ciphersuites to match the value used
in passenger in commit 204b2974b. The resulting ciphersuites are:
[["DHE-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256],
["DHE-RSA-AES256-SHA256", "TLSv1/SSLv3", 256, 256],
["ECDHE-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256],
["ECDHE-RSA-AES256-SHA384", "TLSv1/SSLv3", 256, 256],
["DHE-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128],
["DHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 128],
["ECDHE-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128],
["ECDHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 128],
["DHE-RSA-CAMELLIA256-SHA", "TLSv1/SSLv3", 256, 256],
["DHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256],
["ECDHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256],
["DHE-RSA-CAMELLIA128-SHA", "TLSv1/SSLv3", 128, 128],
["DHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128],
["ECDHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128],
["CAMELLIA256-SHA", "TLSv1/SSLv3", 256, 256],
["AES256-SHA", "TLSv1/SSLv3", 256, 256],
["CAMELLIA128-SHA", "TLSv1/SSLv3", 128, 128],
["AES128-SHA", "TLSv1/SSLv3", 128, 128]]
|
|
Webrick will now reject SSLv3 connections. If an SSL client tries to
connect with SSLv3, webrick+openssl will issue an sslv3 alert
handshake failure.
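The three commits above make two separate hardening moves in Ruby's OpenSSL binding: setting the `OpenSSL::SSL::OP_NO_SSLv3` option bit, and replacing the permissive default cipher string with an explicit one. The following is an added example (not code from the Puppet repository) showing how to build such a context and how to audit the resulting cipher table for the weaknesses the commit message calls out (anonymous AECDH/ADH suites, "LOW" suites such as DES-CBC-SHA). The cipher string `HARDENED_CIPHERS` is this example's own choice, not the value Puppet committed for webrick or passenger, and the `SAMPLE_DEFAULT_TABLE` is constructed to mimic the shape of `SSLContext#ciphers` output.

```ruby
require 'openssl'

# Name prefixes OpenSSL uses for anonymous (unauthenticated) key exchange.
# Note that "!ADH" in a cipher string excludes only the first of these.
ANON_PREFIXES = %w[ADH- AECDH-].freeze
# Substrings marking legacy algorithms a Puppet master should never offer.
LEGACY_MARKERS = %w[RC4 DES NULL MD5 EXP].freeze

# Given a cipher table in the form SSLContext#ciphers returns
# ([name, version, bits, alg_bits] rows), return the names a defender would
# flag: anonymous key exchange, legacy algorithms, or fewer than 128 key bits.
def weak_ciphers(cipher_table)
  cipher_table.select do |name, _version, bits, _alg_bits|
    ANON_PREFIXES.any? { |p| name.start_with?(p) } ||
      LEGACY_MARKERS.any? { |m| name.include?(m) } ||
      bits < 128
  end.map(&:first)
end

# Constructed sample of what an old default cipher table could contain:
# a couple of strong suites plus the two kinds the commit message objects to.
SAMPLE_DEFAULT_TABLE = [
  ['ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1/SSLv3', 256, 256],
  ['AES128-SHA',                  'TLSv1/SSLv3', 128, 128],
  ['AECDH-AES128-SHA',            'TLSv1/SSLv3', 128, 128], # anonymous ECDH
  ['DES-CBC-SHA',                 'TLSv1/SSLv3',  56,  56]  # "LOW" suite
].freeze

# Example cipher string (this example's assumption): forward-secret suites
# only, with anonymous, null, export, low-strength, MD5, RC4 and 3DES removed.
HARDENED_CIPHERS =
  'ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:' \
  '!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!3DES'.freeze

# Build an SSLContext the way the commits describe: refuse SSLv2 and SSLv3
# via the option bits and pin an explicit cipher string. The context can be
# used for either a server (webrick) or a client (puppet agent).
def hardened_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
  ctx.ciphers = HARDENED_CIPHERS
  ctx
end

# True when the context carries the OP_NO_SSLv3 bit, i.e. it will not
# negotiate SSLv3 even if the peer asks for it.
def refuses_sslv3?(ctx)
  (ctx.options & OpenSSL::SSL::OP_NO_SSLv3) != 0
end

if $PROGRAM_NAME == __FILE__
  puts "Default cipher string on this Ruby: " \
       "#{OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]}"
  puts "Flagged in constructed sample table: #{weak_ciphers(SAMPLE_DEFAULT_TABLE).inspect}"
  ctx = hardened_context
  puts "Refuses SSLv3: #{refuses_sslv3?(ctx)}"
  puts "Flagged in hardened context: #{weak_ciphers(ctx.ciphers).inspect}"
end
```

`weak_ciphers` works on the table format printed in the commit message, so it can be run directly against the output of `ctx.ciphers` on any Ruby/OpenSSL pair to confirm that the configured string actually excludes what it was meant to exclude; the TLSv1.3 suites that newer OpenSSL appends regardless of the cipher string pass the check unchanged.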
|
|
The :undef symbol was still leaking all over the place internally. This
caused type inference to sometimes end up with Runtime[ruby, Symbol]. By
using nil instead of :undef, everything can be much more
straightforward. Once the code removal for puppet 4 comes into play even
more oddities around how resource parameters are handled can be
performed.
|
|
The lookup function only works when the future parser is in effect. This
changes the spec tests to turn on the future parser.
|
|
(PUP-3401) Fix type calculations of "all Patterns"
|
|
In order to ensure that we don't encounter this issue again, add
a test case to environments_spec to ensure that the cache is being
properly cleared.
Additionally, fix a small bug in environment's list method where
a string should have been converted to a symbol.
|
|
ffrank/ticket/3.7.x/PUP-3357-purge-unnamed-ssh-keys
(PUP-3357) purge unnamed ssh keys
|
|
Add an integration test with an ssh keyfile in which two keys have no name
and make sure that both are successfully purged.
|
|
Just makes sure that the user type and ssh_authorized_keys provider
generate pseudo-names for keys following the same pattern.
|
|
The type calculator did not correctly compute assignability for
a non parameterized Pattern. Such a Pattern is equal to "any string",
and is thus assignable from any other Pattern, Enum or String.
This was missing in the calculator and this resulted in Pattern neither
being equal to, less than, or greater than parameterized patterns.
|
|
(PUP-3201) Treat :undef as PNilType
|
|
The test of behavior when a module directory is specified as part of an
environment but is missing on disk was hidden inside another test. This
splits it out and calls out that the behavior is that the directory is
simply ignored.
|
|
When a previous commit changed from get() to get!() the agent stopped
being able to use an environment that is available on the master, but
not available locally. I had misread the code and missed a trailing
`&&`. This caused me to think that the environment lookup in this case
was required, where in fact it is still optional.
This changes the structure of the code to make it much clearer that the
environment is optional, changes from get!() to get(), and adds some
tests around these code paths.
|
|
(PUP-3244) ENC ignores missing directory environments
|
|
This removes a function that was provided by the super class.
|
|
Before this commit the Puppet::Environments::Cached#get! was not needed
as it was defined in a parent class. Puppet::Environments::Combined#get!
now calls get! in environment objects instead of assuming how get!
should work.
This commit also refactors areas in the code where
Puppet::Environments::EnvironmentNotFound was raised after calling get
in favor of the new get! method.
|
|
This removes a function that was provided by the super class.
|
|
For PUP-2857 :undef was changed from being a PNilType to a PRuntimeType.
This stopped the undef literal in the language from being able to be
assigned to Optional parameters. However, this only happened when the
undef was the default expression for the parameter.
|
|
* pr/3146:
(maint) Modify other uses of get() to get!()
(PUP-3244) Add Puppet::Environment::Directories#get! method
(PUP-3244) Validate Environment Before Setting
(PUP-3244) Acceptance Tests for Nonexistent Environments
(PUP-3244) ENC ignores missing directory environments
Closes GH-3146
|
|
When a pkg certificate is in its last 30 days before expiration, the
pkg tools emit a warning message so you can get a new certificate for
some operations. The 'latest' method issues a 'pkg -Hn <package>' which
trips this warning message, but the message was unexpected and 'latest'
would raise, failing the catalog application.
This commit simply ignores such certificate expiration warnings.
While I was in there, I split a very compact line of code across a couple
of lines and added some spaces, in the name of readability.
|
|
PUP-3366 Fix issues with string/enum type assignable calculations
|
|
Previously, when checking if the `current` and `desired` triggers were
equivalent, we were silently deleting the `index` and `enabled` values from
the `current` trigger. If we later needed to delete the `current`
trigger, we would have lost its `index`, resulting in a call to
`Win32::TaskScheduler.delete_trigger(nil)` causing the error:
no implicit conversion from nil to integer
This commit ensures that we don't mutate the `current` or `desired` trigger.
|
|
(PUP-1165) Provide a default value for windows scheduled task trigger
|
|
This new function will return the directory environment or raise an
error if a directory environment does not exist. This gets rid of the
need to check if environments exist across the codebase before
continuing for the areas where we need.
|
|
Previously, the `#triggers` method on the scheduled task provider would
magically return single element or an array of multiple elements.
This commit changes the provider to always return an array, possibly of a
single element.
|
|
Previously, if a scheduled_task resource was created in the past, and
the desired value of the resource's trigger did not specify a
`start_date`, then puppet would think the resource was out of sync,
and attempt to delete the old trigger, and add the new one. This
process would repeat once per day, leading to spurious 'triggered
changed' messages, and reports.
This commit modifies the scheduled_task provider so that if the
desired value does not specify a `start_date`, then it will
effectively be ignored when comparing the current and desired
triggers.
|
|
The `enabled` and `index` trigger parameters are read-only, so they will be set
in the `current` trigger, but are not allowed in the `desired` trigger.
Previously, the `translate_hash_to_trigger` method performed validation based
on whether it was passed a `current` or `desired` trigger.
This commit moves the validation logic to the `validate_trigger` method, which
is only ever called with `desired` trigger values. It also allows the `index`
and `enabled` keys to be present in a trigger. This isn't an issue because they
are ignored for the purposes of determining if two triggers are the same.
The reason for this change, is because ultimately we don't want the
`translate_hash_to_trigger` method to mutate the `current` trigger, and this
commit makes it so that the `index` and `enabled` keys can be in the
`puppet_trigger` but will be ignored.
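The three scheduled_task commits above (no mutation of `current`, ignoring a missing `start_date`, and treating `index`/`enabled` as read-only) describe one comparison routine. The following is an added example, not the provider's own code, that puts the buggy mutating comparison next to the corrected one so the consequence the commit message describes (losing `index` before `delete_trigger`) can be seen directly. The string trigger keys and the `sample_current`/`sample_desired` hashes are constructed for this example and are assumptions about the trigger hash layout.

```ruby
# Trigger keys the task scheduler reports on an existing trigger but that a
# manifest is not allowed to set; they must not take part in the comparison.
READ_ONLY_TRIGGER_KEYS = %w[index enabled].freeze

# Constructed sample: a trigger as read back from the scheduler (`current`).
def sample_current
  { 'index' => 0, 'enabled' => true, 'schedule' => 'daily', 'every' => 1,
    'start_time' => '08:00', 'start_date' => '2014-09-01' }
end

# Constructed sample: the trigger a manifest asked for (`desired`), with no
# start_date, as in the recurring "trigger changed" bug.
def sample_desired
  { 'schedule' => 'daily', 'every' => 1, 'start_time' => '08:00' }
end

# BEFORE the fix (kept for contrast): strip the read-only keys out of the
# caller's `current` hash in place, then compare. Two defects: `current`
# loses its index, and a `desired` without start_date never matches.
def triggers_same_buggy?(current, desired)
  READ_ONLY_TRIGGER_KEYS.each { |k| current.delete(k) }
  current == desired
end

# AFTER the fix: compare filtered copies so neither argument is mutated.
# When `desired` omits start_date, the key is ignored on both sides, so a
# trigger created in the past is not reported out of sync every day.
def triggers_same?(current, desired)
  ignored = READ_ONLY_TRIGGER_KEYS.dup
  ignored << 'start_date' unless desired.key?('start_date')
  strip = ->(trigger) { trigger.reject { |k, _| ignored.include?(k) } }
  strip.call(current) == strip.call(desired)
end

# The value a provider would hand to delete_trigger; nil here is exactly the
# "no implicit conversion from nil to integer" failure from the commit message.
def index_to_delete(current)
  current['index']
end

if $PROGRAM_NAME == __FILE__
  cur = sample_current
  puts "fixed:  same=#{triggers_same?(cur, sample_desired)} index=#{index_to_delete(cur).inspect}"
  cur = sample_current
  puts "buggy:  same=#{triggers_same_buggy?(cur, sample_desired)} index=#{index_to_delete(cur).inspect}"
end
```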
|
|
* pr/3136:
(PUP-3364) Improve the error message for numeric resource titles
|
|
This improves the error message when a numeric resource title is
used in a resource reference, or when a numeric attribute name is
referenced. The message used to be too generic, and used internal
Ruby types instead of puppet types in the message string.
|
|
hlindberg/PUP-3365_remove-deep-undef-mapping-in-3x-func-api
(PUP-3365) Change 3x deep map of undef to only do surface map
|
|
(PUP-3363) Make transformation of unparenthesized calls handle errors
|
|
After talking with Reid Vandewiele, it turns out that the problematic
behavior isn't directly the order of the classes themselves. Previous
assertions that there are possible conflicts from the classes when they
were done in one order or another are incorrect. The classes, when any
have parameters, are kept by the node in a hash keyed off of the class
name, which means that there is no possibility of them creating a
duplicate resource error.
The actual use case comes down to *how* parameterized classes vs
unparameterized classes are often used. A parameterized class can often
be simply a set of shared data that the unparameterized classes depend
on (or inherit from).
This modifies the test case for the reordering change to provide an
example of the use case here.
|
|
Without this patch classes declared from an ENC are evaluated in the
wrong order. This is a problem because classes declared without
parameters are evaluated prior to classes with parameters which causes
an Error: Duplicate declaration when the classes with parameters are
evaluated. According to the code comments for the
`evaluate_node_classes` method, the expected behavior is that classes
with an empty set of parameters will not conflict with classes that have
declared parameters.
|
|
Comparisons involving an unparameterized Enum were not correct
because an iteration with all? returns true if the set being
enumerated is empty.
This modifies the logic, and adds missing tests.
|
|
This fixes problems when a user enters commas where they are not
supposed to be. As a result, an expression will be parsed as being an
argument list for an unparenthesized function call. The transformation
logic for such calls did not take one case into account; a non call
followed by an argument list. e.g:
$a = 1,10
Which resulted in a strange AST model (a literal list with an assignment
and a 10).
This commit adds error checking and raising of an exception in the
transformation which is caught by parser_support and formatted into an
error - either about an illegal comma (when the LHS cannot possibly be
a call at all, as in the above example), or a more elaborate
message about that what could be a function call requires parentheses.
In order to enable positioning of the error message on the first comma
in the argument list, the comma tokens were required in the expression
list fed to the transformer. Subsequently these tokens must be filtered
out by the transformation, and passed on in the raised exception (since
the receiver would otherwise not know which token caused the
problem; it is nested inside the structure it passes on to be
transformed).
Unparenthesized function calls are a very bad idea...
|
|
The tests had their own way of creating files and directories for
testing. All of these different ways of creating files and directories
already existed in PuppetSpec::Files. This unifies them.
|
|
Nodes can be classified through a local executable that prints YAML with
a node specification. This is enabled through the node_terminus=exec option.
Since PUP-2519, this setting would break `puppet apply`. Trying to apply
any manifest would lead to Puppet applying the default environment's site
manifest instead.
The reason for this is that the node terminus will include the current
environment's name in the node lookup result. This in turn makes Puppet
look up the environment per name. This is not the desired behavior, because
Application::Apply performs the lookup and further operations with a localized
environment that overrides the site manifest.
Solved by including the current environment object in the returned node object
instead of its name.
|
|
This changes the mapping of arguments to 3x function calls to not
map undef to empty strings except at the surface level. Other mappings
are still done as they are required for frozen strings, and values
having a type that is not supported by the 3x functions.
|
|
There were errors in the string/enum type calculation.
Basically Enum == String; if String is size constrained then
Enum < String. This fixes this calculation.
There were no tests for this; they are now added.
|
|
Windows 2003 doesn't support symlinks, so the test would fail trying to
create one as a precondition for the test. Conditionally execute the
test on platforms that support symlinks.
|
|
zaphod42/issues/stable/pup-3190-cannot-load-4x-funcs-from-system
(PUP-3190) Don't assume puppet is in a lib dir
|
|
jpartlow/issue/stable/pup-3186-symlinked-production-envdir
(PUP-3186) Skip creation of symlinked default directory env
|
|
To provide a better out of the box user experience, Puppet will ensure
the existence of the default production directory environment. However
if this path has already been created as a symlink, the File resource
will ensure it is replaced with an empty directory.
Since an existing symlink is an indication that the user has already
made configuration changes, and the purpose of ensuring the existence of
the production directory environment is purely for assisting in new,
unmodified installations, this commit skips ensuring anything about the
production directory environment when a symlink is detected.
With Josh Partlow <jpartlow@puppetlabs.com>
|
|
Previously the test failed on Windows, because we were expecting the
environment config_version to return a POSIX path. But on Windows it is
expanded based on the current drive.
Paired-with: Josh Partlow <joshua.partlow@puppetlabs.com>
|
|
(PUP-894) Be more lenient about CRL not yet valid errors
|
|
jpartlow/issue/stable/pup-3162-whitelist-environment-interpolation
(PUP-3162) Issue/stable/pup 3162 whitelist environment interpolation
|
|
Previously, the windows security_spec could fail if the same test was
executed in parallel, since the test assumed the account didn't exist.
This commit makes the names unique. The maximum length for local
user and group accounts in 2003 is 20 and 256 characters[1],
respectively, and we remain below that limit in both cases.
[1] http://technet.microsoft.com/en-us/library/cc783323.aspx
|