| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Disables the b64_zlib_yaml format if zlib cannot be loaded.
I've added a --no-zlib to make it possible to test this on a single
machine, but it might also be useful if someone finds themselves failing
to connect to a server that doesn't have zlib installed.
FactHandler' format is still hard-coded to YAML rather than using
facts.class.default_format
Signed-off-by: Jesse Wolfe <jes5199@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Make sure that we don't try to do anything to webrick until it has
really started.
Signed-off-by: Jesse Wolfe <jes5199@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Clean up warning messages so that they don't fail when run inside the
test class.
Signed-off-by: Jesse Wolfe <jes5199@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| | |
No message was being displayed on the server if a file could not be
opened by the file server.
Signed-off-by: Jesse Wolfe <jes5199@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Replace this message that looks like an error
debug: Format s not supported for Puppet::FileServing::Metadata; has not implemented method 'from_s'
with
debug: file_metadata supports formats: b64_zlib_yaml marshal pson raw yaml; using pson
Signed-off-by: Jesse Wolfe <jes5199@gmail.com>
|
| |\|
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
lib/puppet/agent.rb
lib/puppet/application/puppetd.rb
lib/puppet/parser/ast/leaf.rb
lib/puppet/util/rdoc/parser.rb
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This reverts commit c702f76b271515e9c42dcb923d379fbfac4c83cd and turns it
into a documentation only fix. As it turns out, ENV should have never been
used at all, as the Rack docs say nothing about it *and* Passenger's
behaviour in 2.2.3 + 2.2.4 was completely broken and still is half-way broken
in 2.2.5 (but is OK with the Rack specs).
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This modifies `supported_formats` to warn when the
`preferred_serialization_format` setting is invalid (and ignored in
favor of the default value).
I built the tests for this behavior alongside the existing
FormatHandler tests for *valid* `preferred_serialization_format` values
(and did some restructuring to extract common setup code to `before`
blocks).
Signed-off-by: Bruce Williams <bruce@codefluency.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
been parsed
When fixing #2424, we were adding a global allow (ie allow(*)) to
the plugins/modules mount.
Unfortunately global allow always win against any other rules that
can be defined in fileserver.conf.
This patch makes sure we add those global allow entries only if
we didn't get any rules from fileserver.conf
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| | |
| |
| |
| |
| |
| | |
This was deprecated in commit 1cfb0215 and was keeping puppetd from starting in listen mode.
Signed-off-by: John A. Barbuto <jbarbuto@corp.sourceforge.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
less often
This is not the right fix, but more a hackish workaround.
Since 0.25, the facts are transmitted as GET parameters when a
node asks for a catalog. Most proxies or webserver have a size limit
which is sometimes reached. In this case the request is denied
and the node can't get its catalog.
The idea is to compress facts (some non-scientific studies show a
57% fact size decrease for an average node) when transmitting
those when asking for a catalog.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |/
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bundeling and renaming the pure ruby json library to addresses a
number of cross version serliaization bugs (#2615, et al).
This patch adds a subset of the files from the json_pure gem to
lib/puppet/external/pson (renamed to avoid conflicts with rails) so
that we will always have a known-good erialization format available.
The pure ruby json gem as distibuted defers to the compiled version
if it is installed. This is problematic in some circumstances so the
files that have been brought over have been modified to always and
only use the bundled version.
It's a large patch, so here's a breakdown of the change categories:
The majority of the lines are only marginally interesting:
* The json lib itself (in lib/puppet/external/pson) make up the bulk
of the lines.
* Renaming of json to pson make up the second largest group.
Somewhat more interesting are the following, which can be located by
searching the diffs for the indicated strings:
* Adjusting tests to reflect the changes
* Changing the encoding/decoding behavior so that nested structures
(e.g. resources) don't serialize as escaped strings. This should
make it much easier to process the results with external tools, if
needed. Search for "to_pson" and "to_pson_data_hash"
* Cleaning up the envelope/metadata
* Now provides a document_type (as opposed to a ruby class name) by
using a symple registration scheme instead of constant lookup
(search for "document_type")
* Added an api_version (search for "api_version")
* Added a hash for document metadata (search for "metadata")
* Removing the yaml monkeypatch and instead disabling yaml serialization
on ruby 1.8.1 in favor of pson (search for "yaml")
* Cleaning up the json/rails feature interaction (they're now totally
independent) (search for "feature")
|
| |
|
|
|
|
|
|
|
|
| |
There was a race condition between the layers (SSL vs. TCP/IP) that
permitted the creation of non-functional connections when webrick
managed the connection. This patch moves the responsibility into
our code via the provided callbacks and makes sure the socket is
valid before accepting the connection.
Signed-off-by: Markus Roberts <Markus@reality.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This was an API compatibility problem with mongrel's HTTPResponse.start()
method between Mongrel 1.0.x and 1.1.x (the number of parameters changed).
The older version does not provide the option to set the response header
message which was used (redundantly with the response body) to return the
error message when the HTTP response was signaling an error.
In order to suport the older version the call was wrapped with a fallback
and the coresponding code in the other rest implementations was adjusted
to always send the error message in the response body. Then the rest
terminus was adjusted to pull the message from the response body (if it
is present) rather than from the header (which is only used as a fallback
for dealing with older puppetmasters), and the tests were augmeted to
verify this behaviour.
Signed-off-by: Markus Roberts <Markus@reality.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Partial refactoring to clean up the case in the ticket (host
name containing dots, begining and ending with a digit, was
mistaken for an IP address) and a range of related edge cases.
Stopped short of a full refactoring (put off to 0.26 as #2623)
Added tests for numerous edge cases.
This also fixes the issue raised in #2570.
Signed-off-by: Markus Roberts <Markus@reality.com>
|
| |
|
|
|
|
|
| |
notes fixes specific issue by eliminating the specal case for
opaque strings which caused them to be strings when everything else
was arrays; adds nots and pending tests where FQDN support could be
added but stops short of a full refactor.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This was a "There's A Hole In The Bucket" problem caused when trying
to establish a connection to get a certificate before there was
a certificate with which to establish the connection, ad
infinitum. The solution was to test for the presence of the
CA cert as well as the host cert before attempting to use them.
This patch modifies existing tests to pass with the new code (by
stubbing out the additional FileTests) and adds a new test which
catches the original problem.
Signed-off-by: Markus Roberts <Markus@reality.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Even though Puppet never transmist a charset information in its
response/request content-type, some proxy (especially Apache with the
infamous AddDefaultCharset configuration) may add this "incorrect"
information.
This patch makes sure that only the mime-type is used when looking
for the format associated with a response or a request.
The patch also provides a better error message when the client or server
code is fed with a request whose mime-type can not be mapped to a known
format.
It also fixes a typo noticed by the original reporter.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
| |
Fix #2386, by checking either Request.env or ENV for the SSL environment
variables. This is necessary as Passenger 2.2.3 changed the location of
these vars, even though the Rack spec says nothing about ENV or these
variables.
|
| |
|
|
| |
specification conformance)
|
| |
|
|
| |
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The problem is that URI.escape by default doesn't escape '+' (and
some other characters). But some web framework (at least webrick)
unescape the query string behind Puppet's back changing all '+'
to spaces corrupting facts containing '+' characters (like base64
encoded values).
The current fix makes sure we use CGI.escape for all query string
parameters. Indirection keys/path are still using URI escaping because
this part of the URI format shouldn't be handled like query string
parameters (otherwise '/' url separators are encoded which changes
the uri path).
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
| |
Signed-off-by: Sam Livingston-Gray <geeksam@gmail.com>
|
| |
|
|
|
|
|
|
| |
When the PUT body is large enough that Mongrel::HTTPRequest#body returns a StringIO object instead of a String. StringIO#to_s then returns "<StringIO#8236987299>" instead of the string contents.
When that string is passed to YAML it returns false which is then passed to save_object without any real time checking.
This is a combination of patches from Jordan Curzon and Ricky Zhou.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
opaque strings
This patch removes the limitation of allow/deny which were
only matching ip addresses or hostname (or pattern of).
It makes sure any kind of string can be matched (by strict
equality) while still keeping the old behaviour.
Opaque strings can only contains: alphanumeric characters, -
_ and @.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There were two problems:
* server->client communications is using Content-Type with the
direct format name instead of the format mime-type.
* client->server communications is not using Content-Type to
send the format of the serialized object. Instead it is using the
first member of the Accept header. The Accept header is usually
reserved for the other side, ie what the client will accept
when the server will respond.
This patch makes sure s->c communication contains correct Content-Type
headers.
This patch also adds a Content-Type header containing the mime-type of
the object sent by the client when saving.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
| |
Earlier ruby 1.8 versions do not have start_with? for Strings.
Found by John Barbuto.
|
| |
|
|
| |
Signed-off-by: Jordan Curzon <curzonj@gmail.com>
|
| |
|
|
|
|
|
|
| |
Mongrel::HttpRequest.query_parse outputs a params hash with nil
keys given certain query strings. Network::HTTP::Handler.decode_params
needs to check the incoming values.
Signed-off-by: Jordan Curzon <curzonj@gmail.com>
|
| |
|
|
|
|
| |
We just add a bit of information to the exception.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
| |
Also making some log messages more informative.
|
| |
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Mongrel puppet code uses REMOTE_ADDR to set the ip address which will
be use to authenticate the client access.
Since mongrel is always used in a proxy mode with Puppet, REMOTE_ADDR
is always the address of the proxy (usually 127.0.0.1), which defeats
the purpose.
With this changeset, the mongrel code now uses the X-Forwarded-For
HTTP header value if it is passed over the REMOTE_ADDR.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
| |
Fixes #2268 "Rack::RewindableInput is not a valid input stream."
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Previously, when you created a module you had to specify
the path. Now Module instances can use the module path
to look up their paths, and there are methods for determining
whether the module is present (if the path is present).
Also cleaned up the methods for figuring out what's in
the module (plugins, etc.).
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
| |
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| |
|
|
|
|
|
| |
The Server class has all of the logic now,
instead of doing weird things in the defaults.
Signed-off-by: Luke Kanies <luke@madstop.com>
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This lays the ground: a wrapper for the REST handler, and an application
confirming to the Rack standard. Also includes a base class for Rack
handlers, as RackREST will not stay the only one, and there needs to be
a central place where client authentication data can be checked.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Because of ruby bug:
http://rubyforge.org/tracker/?group_id=426&atid=1698&func=detail&aid=8886
and
http://redmine.ruby-lang.org/issues/show/1331
YAML dump of hashes using ruby objects as keys is incorrect leading
to an error when deserializing the YAML in puppetd.
The error is easy to correct by a post-process fix-up of
the generated YAML, which transforms:
&id004 !ruby/object:Puppet::Relationship ?
to the correct:
? &id004 !ruby/object:Puppet::Relationship
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Before this change, unauthenticated REST requests where inconditionnaly
allowed, as long as they were to the certificate terminus.
This could be a security hole, so now the REST requests, authenticated
or unauthenticated are all submitted to the REST authorization
layer.
The default authorizations now contains directives to allow unauthenticated
requests to the various certificate terminus to allow new hosts.
The conf/auth.conf file has been modified to match such defaults.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
unauthenticated request
Introduces a new auth.conf directive (auth or authenticated) which
takes an argument (on,yes/off,no/all,any).
This can be used to restrict an ACL to only some state of
authentication of a REST request, or any.
If no auth directive is given, the ACL will only trigger for
authenticated requests.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
| |
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The idea is to raise an AuthorizationException at the same place
we check the authorization instead of in an upper level to be
able to spot where the authorization took place in the exception
backtrace.
Moreover, this changes also makes Rights::allowed? to return
the matching acl so that the upper layer can have a chance to
report which ACL resulted in the match.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
| |
|
|
|
|
|
|
|
| |
With the help of the new auth.conf directive 'environment',
any ACL can now be restricted to a specific environment.
Omission of the directive means that the ACL will apply
to all the defined environment.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
|
