<feed xmlns='http://www.w3.org/2005/Atom'>
<title>puppet.git/lib/puppet/network, branch ticket/master/7841</title>
<subtitle>Puppet repo</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/ricky/public_git/puppet.git/'/>
<entry>
<title>Merge branch '2.7.x'</title>
<updated>2011-08-15T17:36:03+00:00</updated>
<author>
<name>Matt Robinson</name>
<email>matt@puppetlabs.com</email>
</author>
<published>2011-08-15T17:36:03+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/ricky/public_git/puppet.git/commit/?id=e7d5c7c1cd4109d7bb061a503f5da8777a1be66d'/>
<id>e7d5c7c1cd4109d7bb061a503f5da8777a1be66d</id>
<content type='text'>
* 2.7.x: (25 commits)
  (#4411) Explain that runinterval = 0 does not mean "never run"
  Maint: Fix missing option text in puppet agent and arrange options alphabetically
  (#8302) Improve documentation of exec providers
  (#7853) Clarify and complete docs for the tagmail report processor
  Maint: Mention that audit metaparameter will accept "all"
  Maint: Adjust wording for file type's content parameter
  Maint: Fix poor documentation for versioncmp function.
  maint: Fix case sensitive require
  maint: Add inspect app options to help
  maint: Fix inspect help
  Increment lib/puppet.rb VERSION string
  Updated CHANGELOG for 2.7.3rc1
  (#4762) Ensure that clients on the moon can successfully connect.
  Add document outlining preferred contribution methods
  Add document outlining preferred contribution methods
  Add document outlining preferred contribution methods
  Revert "Merge branch 'vcsrepo'"
  Revert "Merge branch 'vcsrepo'"
  Updating CHANGELOG for 2.7.2rc3
  (#8704) Give better errors for invalid fileserver.conf
  ...

Manually Resolved Conflicts:
	lib/puppet/parser/functions/versioncmp.rb
	spec/integration/node/facts_spec.rb
</content>
</entry>
<entry>
<title>(#4762) Ensure that clients on the moon can successfully connect.</title>
<updated>2011-08-04T17:50:51+00:00</updated>
<author>
<name>Daniel Pittman</name>
<email>daniel@puppetlabs.com</email>
</author>
<published>2011-08-04T17:49:59+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/ricky/public_git/puppet.git/commit/?id=711344836aa1e469876fc511be14e8159e61b0b8'/>
<id>711344836aa1e469876fc511be14e8159e61b0b8</id>
<content type='text'>
Previously, we only allowed Puppet Clients at a maximum distance of somewhere
between 7,494 and 14,988 kilometers from the master, depending on the variance
in local conditions.

While this gave us good data security against hostile clients connecting from
the dark side of the moon, real world testing shows the moon folks are likely
to just take over a local staging host and attack that way.

So, instead, allow clients sufficient time they should be comfortably able to
connect to a master from the moon.  We still refuse clients further out, like
Mars, since it seems unlikely that Puppet management over that distance should
work.

We advise the manned Mars expedition to deploy a local Puppet Master to manage
infrastructure in their base, and to watch out for the Martians.
</content>
</entry>
<entry>
<title>(#8704) Give better errors for invalid fileserver.conf</title>
<updated>2011-07-29T19:52:02+00:00</updated>
<author>
<name>Matt Robinson</name>
<email>matt@puppetlabs.com</email>
</author>
<published>2011-07-29T19:29:51+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/ricky/public_git/puppet.git/commit/?id=94f0b93b6065d1818f0f3b99d12d651655247c30'/>
<id>94f0b93b6065d1818f0f3b99d12d651655247c30</id>
<content type='text'>
If you tried to just put an allow or deny line in the fileserver.conf
without a mount point, you got a really confusing error message:

    lib/puppet/network/handler/fileserver.rb:285:in `readconfig': undefined method `info' for nil:NilClass (NoMethodError)

Now instead we give an error saying no mount point was specified.

Reviewed-by: Josh Cooper &lt;josh@puppetlabs.com&gt;
</content>
</entry>
<entry>
<title>Merge branch '2.7.x'</title>
<updated>2011-07-26T23:15:38+00:00</updated>
<author>
<name>Jacob Helwig</name>
<email>jacob@puppetlabs.com</email>
</author>
<published>2011-07-26T23:15:38+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/ricky/public_git/puppet.git/commit/?id=5b167eba2b602f5c6c6c224790fa1eb56b239ad4'/>
<id>5b167eba2b602f5c6c6c224790fa1eb56b239ad4</id>
<content type='text'>
* 2.7.x:
  Deprecate RestAuthConfig#allowed? in favor of #check_authorization
  Fix #6026 - security file should support inline comments
  Fix #5010 - Allow leading whitespace in auth.conf
  Fix #5777 - rule interpolation broke auth.conf CIDR rules
</content>
</entry>
<entry>
<title>Deprecate RestAuthConfig#allowed? in favor of #check_authorization</title>
<updated>2011-07-26T21:04:28+00:00</updated>
<author>
<name>Brice Figureau</name>
<email>brice-puppet@daysofwonder.com</email>
</author>
<published>2011-05-31T18:01:36+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/ricky/public_git/puppet.git/commit/?id=7e6fc0d80ccd29f206c3b56960ee1eef3afc33a3'/>
<id>7e6fc0d80ccd29f206c3b56960ee1eef3afc33a3</id>
<content type='text'>
 #allowed? was a poorly named method since it isn't actually a predicate
method. Instead of returning a boolean, this method throws an
exception when the access is denied (in order to keep the full context
of what ACE triggered the deny).

Given that #allowed? was overriding the behavior from AuthConfig, we
leave a version of #allowed? in place that will issue a deprecation
warning before delegating to #check_authorization.  Once support for
XML-RPC agents is removed from the master, we will be able to remove
this delegation, since there should no longer be a reason for a
distinction between AuthConfig and RestAuthConfig.

Signed-off-by: Brice Figureau &lt;brice-puppet@daysofwonder.com&gt;
Signed-off-by: Jacob Helwig &lt;jacob@puppetlabs.com&gt;
</content>
</entry>
<entry>
<title>Fix #6026 - security file should support inline comments</title>
<updated>2011-07-26T21:04:28+00:00</updated>
<author>
<name>Brice Figureau</name>
<email>brice-puppet@daysofwonder.com</email>
</author>
<published>2011-05-30T18:31:14+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/ricky/public_git/puppet.git/commit/?id=6401dfe5602fd39cc59ec1f1b3822110e4ad864a'/>
<id>6401dfe5602fd39cc59ec1f1b3822110e4ad864a</id>
<content type='text'>
Auth.conf, namespaceauth.conf and fileserver.conf were not supporting
trailing inlined comments.
Also this commit fixes some indentation and error management.

Signed-off-by: Brice Figureau &lt;brice-puppet@daysofwonder.com&gt;
</content>
</entry>
<entry>
<title>Fix #5010 - Allow leading whitespace in auth.conf</title>
<updated>2011-07-26T21:04:28+00:00</updated>
<author>
<name>Brice Figureau</name>
<email>brice-puppet@daysofwonder.com</email>
</author>
<published>2011-05-30T18:17:11+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/ricky/public_git/puppet.git/commit/?id=0c385f1fb436ab6f667693d347f711470305a019'/>
<id>0c385f1fb436ab6f667693d347f711470305a019</id>
<content type='text'>
The regex used to detect ACE is too lax and would allow trailing
spaces to sneak in, which in turn would confuse the ACE parser.

Signed-off-by: Brice Figureau &lt;brice-puppet@daysofwonder.com&gt;
</content>
</entry>
<entry>
<title>Remove unused require 'puppet/util/cacher' from Network::HttpPool</title>
<updated>2011-07-22T03:10:07+00:00</updated>
<author>
<name>Nick Lewis</name>
<email>nick@puppetlabs.com</email>
</author>
<published>2011-07-21T18:37:33+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/ricky/public_git/puppet.git/commit/?id=93299e90e231bb407923e3534a0e33d841b95355'/>
<id>93299e90e231bb407923e3534a0e33d841b95355</id>
<content type='text'>
The use of Puppet::Util::Cacher in this module was removed previously, and this
stray, unnecessary require was left around.

Reviewed-By: Jacob Helwig &lt;jacob@puppetlabs.com&gt;
</content>
</entry>
<entry>
<title>Remove Puppet::Network::HttpPool keep_alive handling</title>
<updated>2011-07-19T22:47:03+00:00</updated>
<author>
<name>Nick Lewis</name>
<email>nick@puppetlabs.com</email>
</author>
<published>2011-07-19T22:19:10+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/ricky/public_git/puppet.git/commit/?id=185a666018c0cf0b2c497f655f942a82cd22e49e'/>
<id>185a666018c0cf0b2c497f655f942a82cd22e49e</id>
<content type='text'>
Keep alive has been disabled since 2008, and seems to have caused problems when
it was enabled before then. Since there doesn't seem to be any push to get it
working again, just remove it to simplify this code.

This also allows us to entirely remove the usage of Puppet::Util::Cacher from
HttpPool.

Paired-With: Jacob Helwig &lt;jacob@puppetlabs.com&gt;
</content>
</entry>
<entry>
<title>(#5966) Add support for hostname regular expressions in auth.conf</title>
<updated>2011-05-31T16:12:15+00:00</updated>
<author>
<name>Siim Põder</name>
<email>siim.poder@skype.net</email>
</author>
<published>2011-01-21T12:26:37+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/ricky/public_git/puppet.git/commit/?id=c02126df4804b42ecaca2cdff675be9c4e24aa54'/>
<id>c02126df4804b42ecaca2cdff675be9c4e24aa54</id>
<content type='text'>
When hosting multiple applications (especially with different security levels),
you may not want to allow every client to read all the files required for
every other client. Currently it is possible to do this when your host and
domain names reasonably reflect that grouping, ex: hostXYZ.someapp.domain.com.

However, if you have a more flat naming convention, it is difficult to write
these ACLs. This patch adds support for matching hostnames with regular
expressions, thus extending the ACLs to allow:

path /file_content/secrets/appserver
allow /appserver[0-9]+.example.com$/

path /file_content/secrets/otherservice
allow /^(test-)crazy[0-9]+.pattern.(com|net)$/

Signed-off-by: Josh Cooper &lt;josh@puppetlabs.com&gt;
Reviewed-by: Jacob Helwig &lt;jacob@puppetlabs.com&gt;
</content>
</entry>
</feed>
