OpenSSL::Digest.hexdigest is not available on older ruby versions.
This patch accesses the digest directly instead (which hopefully
supports hexdigest).
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
This patch adds several things:
* certificate fingerprinting in --list mode
* a puppetca action called "--fingerprint" to display fingerprints
of given certificates (or all including CSR)
* a --fingerprint puppetd option to display client certificates
* each time a CSR is generated, its fingerprint is displayed in the log
It is also possible to use --digest in puppetca and puppetd to specify a specific digest
algorithm.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
This reverts commit a9fb82b0026e75a670fec553b17de3b0f091c2a5.
An older branch was pulled
|
This refactors how reports, catalogs, configurers, and transactions
are all related - the Configurer class manages the report, both
creating and sending it, so the transaction is now just responsible
for adding data to it. I'm still a bit uncomfortable with the coupling
between transactions, the report, and configurer, but it's better than
it was.
This also fixes #2944 and #2973.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
Signed-off-by: Luke Kanies <luke@madstop.com>
|
Signed-off-by: Luke Kanies <luke@madstop.com>
|
SELinux module files also end in ".pp".
Puppetdoc tries to parse them as if they are regular puppet files and
then fails.
This patch makes sure puppetdoc tells RDoc to exclude parsing .pp
files in the modules files section.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
When the definition/hostclass/node AST types were removed, the
parentclass method was renamed to 'parent'.
This patch fixes the incorrect rdoc usage (and adds some deeper
integration tests so that it won't happen again).
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
This patch adds two things:
* certificate fingerprinting in --list mode
* a puppetca action called "--fingerprint" to display fingerprints
of given certificates
It is also possible to use --digest to specify a specific digest
algorithm.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
As the ticket says:
"the certificates would still be valid even if cleaned,
therefore, it makes more sense revoke them instead."
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
Conflicts:
lib/puppet/ssl/host.rb
spec/spec_helper.rb
|
This family of errors could appear because Puppet parses every line in
fstab into resources, even lines that are not specifically managed by
Puppet, and fstab files are much more permissive than Puppet in what
constitutes a valid mount.
This change makes several fields optional that were previously mandatory.
Also, it ignores lines in fstab that have fewer than the required number
of parameters.
Includes a more readable regex than the previous patch.
Signed-off-by: Jesse Wolfe <jes5199@gmail.com>
|
Merged the "freebsd_special" pattern into the other crontab records,
since its definition was incomplete
Signed-off-by: Jesse Wolfe <jes5199@gmail.com>
|
The 'service' type was testing to see if init script directories exist
too early, causing failures if you expected to be able to create those
directories via puppet.
This patch moves that logic into the 'init' provider.
Signed-off-by: Jesse Wolfe <jes5199@gmail.com>
|
We create temporary files in /tmp/ with predictable names. These
could be used by an attacker to DoS a box by setting a symlink to
some other file (say, /etc/shadow) and waiting for us to overwrite
it.
The minimalistic solution employed by this patch is to wrap all such
file writing with a paranoid wrapper that:
1) Checks to see if the target exists
2) Issues a warning if it was a symlink
3) Deletes it
4) Waits (0.1 seconds if it was a file, 5 seconds if it was a symlink)
5) Opens the file with EXCL, which will fail if the file has come back.
If this succeeds (as it normally will) it has exactly the same semantics
as the original code (a must, as we are right at a release boundary).
However, under no circumstances will it follow a preexisting symlink (the
operating system guarantees this with EXCL) so the danger of an exploit
has been converted into the possibility of a failure, with an appropriate
warning.
|
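The five steps in the commit message above, as an added Ruby example (not Puppet's own code). The names `paranoid_write` and `exclusive_create`, the keyword arguments, and the file names in the constructed scenario are assumptions.

```ruby
require "tmpdir"

# Step 5 on its own: O_CREAT|O_EXCL makes the kernel refuse any existing
# path, symlinks included (dangling or not), instead of following it.
def exclusive_create(path, data)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(data) }
  true
rescue Errno::EEXIST
  false
end

# Hypothetical wrapper following the five steps (name and signature assumed).
def paranoid_write(path, data, warnings: [], file_wait: 0.1, link_wait: 5)
  was_link = File.symlink?(path)              # lstat-based: true for dangling links
  if was_link || File.exist?(path)            # 1) does the target exist?
    warnings << "#{path} was a symlink" if was_link   # 2) warn
    File.unlink(path)                         # 3) removes the link, never its target
    sleep(was_link ? link_wait : file_wait)   # 4) wait
  end
  return true if exclusive_create(path, data) # 5) fails if the path came back
  warnings << "#{path} reappeared; refusing to write"
  false
end

# Constructed scenario in a private temp dir: a predictable temp path has been
# pre-planted as a symlink to a file standing in for /etc/shadow.
def demo
  Dir.mktmpdir do |dir|
    victim = File.join(dir, "shadow-standin")
    tmp    = File.join(dir, "puppet-tmpfile")
    File.write(victim, "secret")
    File.symlink(victim, tmp)
    warnings = []
    wrote = paranoid_write(tmp, "scratch", warnings: warnings, link_wait: 0)
    # A link that reappears after the delete is what the EXCL open rejects.
    replanted = File.join(dir, "replanted")
    File.symlink(victim, replanted)
    blocked = !exclusive_create(replanted, "scratch")
    { wrote: wrote, blocked: blocked, warnings: warnings.size,
      victim: File.read(victim), tmp: File.read(tmp),
      tmp_is_link: File.symlink?(tmp) }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```
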
The fix for #2940 resulted in a behavior change that could be seen as a
bug. This was consistent with many of the other providers (see #3000)
but was not the desired behavior.
This patch enhances the patch for #2940 to return {:ensure => :absent} as
the present state in the case that the failure was due to the package not
being installed (as opposed to a source/index failure, etc.). The other
possibility would have been {:ensure => :purged}.
|
The fix for #2994 had been refined to only checksum links when @links was set
to :follow to make the tests pass, but this caused partial reintroduction of
the original issue since information about the source (the real file vs.
followed link distinction) isn't available client side and thus there are
paths on which @links winds up :managed when it had originally been :followed.
In these cases the checksum is needed but not produced.
Consequently, this patch relaxes the condition, and always tries to produce a
checksum, with a rescue guard to gracefully handle cases where this is not
possible (e.g. broken links).
|
Closing stdout and stderr would sometimes cause failures when a program
that is executed with squelched output tries to write to them. This
reverts to the previous behavior of reopening them to /dev/null.
|
There was an intermittent bug in Puppet::Parser::Resource::Reference:
during initialization, an object could sometimes have its title set
before its type is set. This prevented the title from going through
type-specific canonicalization.
Signed-off-by: Jesse Wolfe <jes5199@gmail.com>
|
This solves some SELinux issues with programs such as mount being denied
from writing to temporary files and removes a race condition with
temporary file creation.
|
The first patch for #2994, to which this is an extension, exposed
the fact that checksums were not being included in the metadata
for followed links; checksums are needed for managing the contents
of files that are represented on the server as links (links => follow).
This patch adds checksums for followed links and tests to confirm that
it works as expected.
|
We don't actually rely on iconv's UTF-8 support, so its absence
shouldn't cause the PSON feature to fail on systems (e.g. HPUX)
where it isn't fully implemented.
This change exposed a dependency on library load order that was causing
Puppet::Util::Log to raise an error. I've removed the dependency of
Puppet::Type from Puppet::Util::Log.
Signed-off-by: Jesse Wolfe <jes5199@gmail.com>
|
Due to problems introduced on HP-UX (See #2997)
This reverts commit 6ab2453d966d1d48e12d8a8cec34b9e460597d04.
|
We don't actually rely on iconv's UTF-8 support, so its absence
shouldn't cause the PSON feature to fail on systems (e.g. HPUX)
where it isn't fully implemented.
|
Attempting to call a constructed method name with a nil component
(the checksum type in this case) causes an unhelpful error message
in a case where either 1) the results were not needed anyway or 2)
a more useful error message would otherwise be generated. It also
opens (at least hypothetically) the possibility that some unrelated
method (in this case "_file") would be called if it existed.
|
It looks like something got lost during transition to host_aliases.
|
The core bug here was a regression introduced by my IPv6 patch.
Wildcarded domains are stored as ["com","reductivelabs","*"] but
the code in question was assuming it was in normal order.
Added tests to prevent recurrence.
Signed-off-by: Markus Roberts <Markus@reality.com>
|
Rather than just creating a new featureless resource for cases like:
ralsh host localhost.localdomain
(and the analogous cases with other parsed resources such as ssh keys, etc),
we first check to see if the appropriate provider can find a resource with
the requested name. If so, we use it; if not we fall back to the featureless
form.
There are a number of potential shortcomings with this fix:
* It may not be particularly performant if there are many resources to
be parsed.
* It always (and only) checks the first provider; perhaps it should try
all providers of the appropriate type.
* It only checks the name property, and not any aliases or host_aliases.
Signed-off-by: Markus Roberts <Markus@reality.com>
|
These are a grab-bag of code simplification changes I made in
the process of figuring out what was going on with #2881; they
should all be absolutely behavior neutral.
|
When I changed the alias property of hosts to host_aliases I missed
these changes in the parsed file provider.
|
This logic had a bug where it would not insert data if it had just been
deleted.
Signed-off-by: Jesse Wolfe <jes5199@gmail.com>
|