| Commit message (Collapse) | Author | Age | Files | Lines |
The validation for the ca_location option on the certificate
application continued to hang around on the application long
after the face realized its potential to take responsibility
for itself. This change moves (and adds) validation code as
appropriate into the Face.
Reviewed-By: Matt Robinson
|
Ruby 1.8.7 is fairly lax about various bits of introspection, including that
we can't tell much about what arguments a block takes. Ruby 1.9.2 makes it
possible to do this, though.
Meanwhile, the Faces system uses this to make sure that scripts and actions
take the right set of arguments, to avoid surprises: failing early and
explicitly is better than failing at runtime.
Which, in final turn, exposes that I forgot to accept the right arguments in a
couple of my testing actions for Faces, but didn't notice because 1.8.7
doesn't check that, and I didn't test on 1.9.2.
|
Now that we enforce that options must be declared, the model we exposed in the
Ruby API (but not the CLI facade), that you could pass additional arguments
to the indirection method by passing them as unknown options, doesn't work.
Instead, explicitly declare an option, `extra`, that accepts the final
argument to be passed direct to the indirection. This makes things work
smoothly, as well as making it possible (once you can input a hash on the
command line) to invoke extra arguments from the facade too...
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
Rather than printing directly, we should return the data from the Action and
allow the facade to route that to the user directly.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
Rewrite the process of validating and updating the options to fully reflect
the contract - we fail if there are unknown options passed, report nicely
errors of duplicate names, pass only the canonical names to the action code,
and generally enforce nicely.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
Rather than having multiple, separate operations that modify and validate the
arguments to an action, a single pass makes sense. This also means fewer walks
across the set of data, and a few less expensive method calls in Ruby.
Additionally, we work on a duplicate of the arguments hash rather than
directly modifying the original. Because everything we do is at the top level
key/value mapping, this is sufficient to isolate the original.
While mostly theoretical, we now don't mutilate the hash passed in, so the
user won't get nastily surprised by the fact that we could have done so.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
Part of the "social contract" of Faces, Actions and Options is that the
metadata we collect is authoritative: it covers everything that is possible.
In the initial release we didn't enforce that around options. If you passed
an unknown option in the hash, we just silently ignored it in validation and
made it available down in the action.
Now, instead, we enforce that rule. If you pass an unknown option we raise an
error and complain; anything that gets to the action will be listed in the set
of inspectable options.
Cases that depended on this behaviour to pass arbitrary content in the hash
should be rewritten to move that content down a level: take a hash value for
one option, and use that for your free content.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
When we invoke an action, we parse a set of options. These have a canonical
name, and optionally a set of aliases. For example, :bar might have :b as an
alias to allow a short name to be given.
Previously we would just pass this on as received; if you passed :bar you got
:bar, and if you passed :b you got :b. This works, but means that every
action has to write the same code to extract the appropriate version of an
option from whatever set of aliases might be passed.
Now, instead, we centralize that and always pass options as their canonical
name to the action code. This makes it simpler to work with. (This happens
before any validation, or other user-supplied, code to simplify everything
that handles options.)
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
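
The option-handling contract described in the commit messages above (unknown options rejected, duplicate spellings reported, aliases reduced to canonical names, the caller's hash left untouched) can be sketched in one pass. This is an added example, not Puppet's code; `OptionSpec`, `DECLARED`, `OptionError` and `prepare_options` are hypothetical names and the declarations are constructed.

```ruby
# Added illustration: OptionSpec, DECLARED and prepare_options are hypothetical
# names, not Puppet's API.
OptionSpec = Struct.new(:name, :aliases)

# Constructed declarations: :bar has the short alias :b; :extra carries a hash
# of free-form content for the code underneath.
DECLARED = [
  OptionSpec.new(:bar, [:b]),
  OptionSpec.new(:extra, []),
].freeze

class OptionError < ArgumentError; end

# One pass: canonicalize aliases, reject undeclared names, and reject the same
# option given under two spellings. Builds a new hash; `passed` is not mutated.
def prepare_options(passed, specs = DECLARED)
  # Map every accepted spelling to its canonical name.
  lookup = {}
  specs.each do |spec|
    ([spec.name] + spec.aliases).each { |n| lookup[n] = spec.name }
  end

  result  = {}   # canonical name => value, handed to the action
  seen_as = {}   # canonical name => spelling the caller used
  unknown = []
  passed.each do |key, value|
    canonical = lookup[key]
    if canonical.nil?
      unknown << key
    elsif seen_as.key?(canonical)
      raise OptionError, "option #{canonical.inspect} given twice: " \
                         "#{seen_as[canonical].inspect} and #{key.inspect}"
    else
      seen_as[canonical] = key
      result[canonical] = value
    end
  end

  # Fail early and explicitly instead of silently passing extras through.
  unless unknown.empty?
    raise OptionError, "unknown options: #{unknown.map(&:inspect).join(', ')}"
  end
  result
end

if __FILE__ == $0
  p prepare_options(:b => 1, :extra => { :anything => "goes" })
  begin
    prepare_options(:bogus => 1)
  rescue OptionError => e
    puts e.message
  end
end
```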
|
When we define an action on an older version of a Face, we must be sure to
directly load the core of that version, not just define it with the external
Action(s) that it had.
Otherwise we break our contract, which is that any core Actions for a specific
version will be available to your external Action for as long as we support
that core version.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
When we first touch a Face, we load all the available Actions from disk.
Given they define themselves against a specific version of a Face, they are
automatically available tied to the correct version; this makes it trivially
possible to locate those on demand and return them.
Now, we have the ability to find and, consequently, invoke Actions on older
versions of Faces. We don't load enough context, though: the older face will
only have external Actions defined, not anything core.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
As part of moving to load actions first, and their associated face, when
invoked from the command line, it makes sense to push the logic for finding
the action and face down into the Puppet::Face implementation.
This means that we can change the logic there without needing to update the
public part of the CLI implementation, and that any further facades can use
the same, correct, logic to locate the action for the face.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
This test ensures, among other things, that we get a log message. If that
fails, we were trying to call a random method on nil; making that an assertion
means that we get a nice message rather than a failure that needs decoding.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
* feature/master/8272-windows_service_support:
Add basic service provider for Windows
Regexp escape substituted commands in Windows wrapper script
|
This provider allows us to query the system state through "puppet
resource", and manage the ensure, and enabled properties of services on
Windows.
This also adds support for a new enabled value of 'manual' on Windows
only. With this we support the three major start types for services on
Windows, with the following mapping of enabled to start type:
true => Automatic
false => Disabled
manual => Manual (Demand)
We use the win32-service gem to provide access to the Windows APIs for
our operations. This does add a new gem requirement for running Puppet
on Windows, but we were already requiring some gems from the same suite
that win32-service is a part of.
When referring to a service, the simple service name must be used,
instead of the display name. For example, "snmptrap", instead of
"SNMP Trap".
All system services are reported in 'puppet resource service',
including those started prior to run level 3 (system, device drivers,
etc.). These services should probably not be managed, without careful
thought and planning.
This currently does not support being able to move a service from
{enabled => false, ensure => stopped} to {enabled => true, ensure =>
running} (or enabled => manual) in a single Puppet run, since Puppet
currently always tries to sync ensure before any other property.
Because of this, the puppet run will fail every time, and the service
must first be managed as {ensure => stopped, enabled => true} (or
enabled => manual), before it can be managed as running and automatic
start or manual start.
Reviewed by: Jacob Helwig <jacob@puppetlabs.com>
|
Because Windows file paths can (and do) contain '\', they can end up
being interpreted as back-references on the substitution side of gsub.
Since this is not at all what is intended, we use Regexp.escape to quote
them.
Reviewed-by: Jacob Helwig <jacob@puppetlabs.com>
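
How a Windows path behaves on the replacement side of `gsub`, as an added example rather than Puppet's wrapper-script code: it compares a raw replacement, the `Regexp.escape` approach named in the commit message, and the block form of `gsub`, which goes beyond the commit. The template text, the `<COMMAND>` placeholder and the paths are constructed.

```ruby
# Added illustration; TEMPLATE, the placeholder and the function names are
# constructed for this example.
TEMPLATE = 'exec "<COMMAND>" %*'

# Raw replacement string: gsub interprets \1..\9, \0, \&, \`, \' and \k<name>
# as back-references and \\ as one backslash. With no capture groups in the
# pattern, \1 expands to nothing, so part of the path silently disappears.
def substitute_naive(template, path)
  template.gsub('<COMMAND>', path)
end

# Approach from the commit message: Regexp.escape doubles every backslash, so
# back-references are neutralised. It also escapes regex metacharacters such
# as '.' and ' ', and the replacement parser leaves those escapes in place.
def substitute_regexp_escape(template, path)
  template.gsub('<COMMAND>', Regexp.escape(path))
end

# Block form: the block's return value is inserted verbatim, with no
# backslash interpretation at all.
def substitute_block(template, path)
  template.gsub('<COMMAND>') { path }
end

if __FILE__ == $0
  path = 'C:\tools\1.8.7\bin\ruby.exe'   # constructed sample path
  puts substitute_naive(TEMPLATE, path)
  puts substitute_regexp_escape(TEMPLATE, path)
  puts substitute_block(TEMPLATE, path)
end
```

For paths made only of backslashes, letters and digits the `Regexp.escape` form and the block form give the same output; they differ once the path contains characters such as `.` or a space.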
|
* 2.7.x:
Confine password disclosure acceptance test to hosts with required libraries
|
* 2.6.x:
Confine password disclosure acceptance test to hosts with required libraries
|
* confine_shadow_acceptance_tests:
Confine password disclosure acceptance test to hosts with required libraries
|
The useradd provider has the requirement that ruby-shadow[1] be
installed to be able to manage passwords.
On systems where we would use the useradd provider and this library
has not been installed we don't bother running the test, since we will
never be able to see the output we are testing.
[1] http://ttsky.net/ruby/
Signed-off-by: Jacob Helwig <jacob@puppetlabs.com>
Reviewed-by: Dominic Maraglia <dominic@puppetlabs.com>
Reviewed-by: Nick Lewis <nick@puppetlabs.com>
|
These methods aren't available until Ruby 1.8.6 (Dir.mktmpdir) and Ruby 1.8.7
(Object#tap).
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
|
We have removed every usage of cached_attr in which the attribute needs to be
manually expired. Thus, the only meaningful behavior provided by
Puppet::Util::Cacher is expiration based on TTLs. This commit reworks the
cacher to only support that behavior.
Rather than accepting an options hash, of which :ttl is the only available
option, cached_attr now requires a second argument, which is the TTL.
TTLs are now used to compute expirations, which are stored and used for
expiring values. Previously, we stored a timestamp and used it and the TTL to
determine whether the attribute was expired. This had the potentially
undesirable side effect that the lifetime of a cached attribute could be
extended after its insertion by modifying the TTL setting for the cache. Now,
the lifetime of an attribute is determined when it is set, and is thereafter
immutable, aside from deliberately re-setting the expiration for that
particular attribute.
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
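
The difference between storing an insertion timestamp and storing a computed expiration, as an added example that is not Puppet::Util::Cacher itself. `FakeClock`, `TimestampCache`, `ExpirationCache` and `lifetime_after_ttl_change` are hypothetical names, and the clock is injected so the result is deterministic.

```ruby
# Added illustration; all class and method names here are hypothetical.
class FakeClock
  attr_accessor :now
  def initialize(now = 0)
    @now = now
  end
end

# Previous behaviour: remember when the value was stored and compare against
# whatever the TTL is at read time.
class TimestampCache
  attr_accessor :ttl
  def initialize(ttl, clock)
    @ttl, @clock, @store = ttl, clock, {}
  end

  def set(key, value)
    @store[key] = [value, @clock.now]
    value
  end

  def get(key)
    value, stored_at = @store[key]
    return nil if stored_at.nil? || @clock.now - stored_at >= @ttl
    value
  end
end

# Behaviour after the change: compute the expiration once, at set time.
# Later TTL changes only affect values stored afterwards.
class ExpirationCache
  attr_accessor :ttl
  def initialize(ttl, clock)
    @ttl, @clock, @store = ttl, clock, {}
  end

  def set(key, value)
    @store[key] = [value, @clock.now + @ttl]
    value
  end

  def get(key)
    value, expires_at = @store[key]
    return nil if expires_at.nil? || @clock.now >= expires_at
    value
  end
end

# Store a value with a 10 second TTL, raise the TTL setting afterwards, then
# read 60 seconds later. Returns what the cache hands back.
def lifetime_after_ttl_change(cache_class)
  clock = FakeClock.new(0)
  cache = cache_class.new(10, clock)
  cache.set(:attr, "v1")
  cache.ttl = 3600
  clock.now = 60
  cache.get(:attr)
end

if __FILE__ == $0
  p lifetime_after_ttl_change(TimestampCache)   # stale value still served
  p lifetime_after_ttl_change(ExpirationCache)  # expired as originally set
end
```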
|
This class was previously using a cached_attr for its 'localhost' attribute,
representing the Puppet::SSL::Host entry corresponding to the cert in
Puppet[:certname]. We now no longer expire this attribute. This has the effect
that a change to certname during the lifetime of an agent will not be reflected
in the certificate it uses. If this behavior is desired, it will need to be
reimplemented another way.
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
|
In the past, Puppet::Util::Autoload used a cached_attr for its 'searchpath'.
However, it no longer does that, so its references to Puppet::Util::Cacher are
unnecessary.
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
|
Previously, indirections were storing their termini in a cached_attr, so that
they could be easily cleared for tests. Because this provides no value outside
of testing, we instead simply create an attr_reader for termini, and expire
them manually in tests.
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
|
Types and parameters were registering their catalog as their expirer, so that
the catalog could expire them between uses. However, because catalogs are never
reused (and neither are types or parameters), there is no need to expire
anything. Thus, we remove the entire cleanup/expire logic from catalog, type,
and parameter.
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
|
These values needn't be cached_attrs, because they can be managed manually.
'stat' does need to be cached, so that we avoid statting the file for each
property we want to check from disk. The 'content' attribute of 'source' also
needs to be cached, because it's retrieved from the server, which we certainly
don't want to do multiple times.
We need a mechanism for invalidating the 'stat' after we've written the file,
so we use a special value :needs_stat, which essentially represented
"undefined". We use this rather than nil so that we can store a failed stat
if it occurs.
Because the content and metadata of our source file will never change, there is
no need to be able to similarly expire the values of those attributes.
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
|
The path attribute was being unnecessarily cached. The value is a LoadedFile
instance, which already knows how to check whether it needs to be reloaded. The
act of reparsing was being triggered separately from the cacher mechanism.
The comment indicated this value was only being cached so it could be easily
cleared for tests, but it wasn't being cleared for tests. Thus, there is no
reason for this attribute to be cached, so remove it.
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
|
Allowing the singleton_instance value to be expirable is unnecessary, because
there will never be a need for a different CA instance in the lifetime of a
master. Additionally, the master never expired its cache anyway. This was only
using the cacher so it could be expired for tests, so it can safely be removed.
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
|
The use of Puppet::Util::Cacher in this module was removed previously, and this
stray, unnecessary require was left around.
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
|
Allowing this value to be expirable is superfluous; it is only used on the
master, which never expires its cache. Additionally, it was providing partial
support for an event we don't fully support already (hostname and domain
changing during the lifetime of a master).
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
|
This class was using Util::Cacher for its singleton instance, when that was
unnecessary. The FileServing::Configuration instance already manages whether or
not to reparse its config file, based on whether it has changed. Thus, there is
no need for it to be manually expired via the cacher.
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
|
* 2.7.x:
(#7123) Make `find` the default action...
(#7123) Support runtime setting of 'default' on actions.
(#6787) Add `default_to` for options.
(#6857) Password disclosure when changing a user's password
|
* 2.6.x:
(#6857) Password disclosure when changing a user's password
|
'barn/tickets/2.6.x/6857-password-disclosure-when-changing-a-users-password' into 2.6.x
* barn/tickets/2.6.x/6857-password-disclosure-when-changing-a-users-password:
(#6857) Password disclosure when changing a user's password
|
Make the should_to_s and is_to_s functions return a form of 'redacted'.
Rather than send the password hash to system logs in cases of failure or
running in --noop mode, just state whether it's the new or old hash. We're
already doing this with password changes that work, so this just brings it
in line with those, albeit via a slightly different pair of methods.
|
Part of the progress toward getting the `puppet status` invocation working
nicely is that it should default to invoking the `find` operation. This
implements that, using the new runtime default action facility.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
Given the inheritance model for actions, we are sometimes going to need to set
them to 'default' at runtime, rather than during their static declaration.
Add tests to verify that this works correctly, and update the code to ensure
that happens. This gives up caching of the default action, but this should be
an extremely rare operation - pretty much only CLI invocation, really.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
This implements support for options with default values, allowing faces to set
those values when not invoked. This can eliminate substantial duplicate code
from actions, especially when there are face-level options in use.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
Array#count is not available in Ruby 1.8.5, so we need to use #length in these
specs for compatibility.
Reviewed-By: Matt Robinson <matt@puppetlabs.com>
|
This test was failing if the SSL indirections had previously been configured as
:ca. This was due to the fact that we are explicitly testing the
certificate_status :file terminus, which depends on the other SSL indirections
using corresponding termini. This spec wasn't appropriately ensuring they were
also set to :file, breaking that precondition, and causing failures.
Reviewed-By: Matt Robinson <matt@puppetlabs.com>
|
The Puppet::SSL::CertificateAuthority::Interface class was an early prototype
heading toward building out a system like Faces. Now that we have done that,
this changeset ports the early code to a new face.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
Our SSL inventory was able to find the serial number of a certificate by name,
but was incapable of living up to the contract it offered, that it would
actually report when a certificate was missing.
Now it returns `nil`, which is the same case as "no inventory", if the
certificate was not found, rather than accidentally returning the entire
inventory data as raw strings.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
This introduces a class representing a semantic version, and
implementing a few of the most common uses of them: validation,
comparison, and finding the greatest available version matching
a range. This refactoring also allows us to easily expand our
matching of version ranges in the future, which is a big plus.
Reviewed-By: Daniel Pittman
|