path: root/spec
Commit message (Author, Age, Files, Lines)
...
* Add environment support in the REST authorization layer (Brice Figureau, 2009-04-23, 3 files, -6/+53)
| With the help of the new auth.conf directive 'environment', any ACL can now be restricted to a specific environment. Omission of the directive means that the ACL will apply to all the defined environment.
|
| Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
* Fix some indirector failing tests (Brice Figureau, 2009-04-23, 5 files, -5/+19)
| The authorization system should stubbed to let all the rest tests to succeed :-)
|
| Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
* Fix #1875 - Add a REST authorization system (Brice Figureau, 2009-04-23, 3 files, -0/+207)
| This patch introduces a new configuration file (and configuration setting to set it).
|
| Each REST request is checked against this configuration file, and is either allowed or denied.
|
| The configuration file has the following format:
|
|     path /uripath
|     method <methods>
|     allow <ip> or <name>
|     deny <ip> or <name>
|
| or
|
|     path ~ <regex>
|     method <methods>
|     allow <ip> or <name>
|     deny <ip> or <name>
|
| where regex is a ruby regex.
|
| This last syntax allows deny/allow interpolation from the regex captures:
|
|     path ~ /files[^/]+/files/([^/]+)/([^/])/
|     method find
|     allow $2.$1
|
| If you arrange your files/ directory to have files in 'domain.com/host/', then only the referenced host will be able to access their files, other hosts will be denied.
|
| For instance:
|
|     files/reductivelabs.com/dns/...
|     files/reductivelabs.com/www/...
|
| then only files in dns can be accessible by dns.reductivelabs.com and so on...
|
| If the auth.conf file doesn't exist puppet uses sane defaults that allows clients to check-in and ask for their configurations...
|
| Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
* Enhance authconfig format to support uri paths and regex (Brice Figureau, 2009-04-23, 2 files, -21/+453)
| This patch introduces a new set of directive to the authconfig parser/file format:
|
|     path /uripath
|
| or
|
|     patch ~ <regex>
|
| This directive declares a new kind of ACL based on the uri path.
|
|     method save, find
|
| This directive which is to be used under path directive restricts a path ACL to only some REST verbs.
|
| The ACL path system matches on path prefix possible, or on regex matches (first match wins). If no path are matching, then the authorization is not allowed. The same if no ACL matches for the given REST verb.
|
| The old namespace right matching still works as usual.
|
| Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
* Add RSpec unit tests for network rights (Brice Figureau, 2009-04-23, 1 file, -0/+54)
| Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
* Add RSpec unit tests for authconfig (Brice Figureau, 2009-04-23, 1 file, -0/+173)
| Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
* Adding support for specifying a preferred serialization format (Luke Kanies, 2009-04-22, 2 files, -4/+11)
| This isn't that great, but at least it provides basic tuning of the format. Also removing the catalog_format default, since it's no longer used.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing the FormatHandler test to use symbols for format names (Luke Kanies, 2009-04-22, 1 file, -22/+25)
| Formats guarantee that symbols are used, so it makes sense for the tests to do so.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing #2149 - Facts are passed as part of the catalog request (Luke Kanies, 2009-04-22, 4 files, -22/+94)
| This removes the requirement of shared fact caching on the servers, since the server responding to the catalog request will receive the facts as part of the request.
|
| The facts are serialized as a parameter to the request, rather than each being set as a separate request parameter.
|
| This hard-codes yaml as the serialization format for the facts, because I couldn't get marshal to work and it's just not as big a deal for such a small amount of data.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Adding better logging when cached indirection resources are used (Luke Kanies, 2009-04-22, 1 file, -1/+1)
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing #2181 - Using Sets instead of Arrays in SimpleGraph (Luke Kanies, 2009-04-22, 1 file, -0/+1)
| This can cause a huge speedup for large numbers of edges.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Finishing class renames (Luke Kanies, 2009-04-22, 1 file, -0/+57)
| I missed some of the Catalog mentions, and its constant changed.
|
| I've also added tests so this will get caught next time.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing some rails tests that sometimes failed (Luke Kanies, 2009-04-22, 1 file, -0/+1)
| At least, I think they're fixed; it's hard to test.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Adding time debugging for catalog storage to active_record (Luke Kanies, 2009-04-22, 1 file, -0/+2)
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Using a setting for configuring queueing (Luke Kanies, 2009-04-22, 2 files, -12/+5)
| Removing class methods and such, and switching to relying solely on a setting for the queue configuration.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Removing unnecessary parser variables when yaml-dumping (Luke Kanies, 2009-04-22, 3 files, -11/+13)
| Also working around a YAML bug in Ruby.
|
| And fixing tests that were broken in a previous commit in this rebase but not caught earlier.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Add queue indirection as an option for catalog storage. (Ethan Rowe, 2009-04-22, 1 file, -0/+20)
| This eventually will allow catalog storage ("storeconfigs") to be taken out of the critical request-handling path of puppetmasterd, such that:
|   * Puppet::Node::Catalog can be serialized to a message queue via the indirector's "save" method
|   * a separate process can use Puppet::Node::Catalog::Queue.subscribe to pick up these catalog objects as they come in and can save them to the database through the :active_record terminus
* Introduce abstract queue terminus within the indirection system. (Ethan Rowe, 2009-04-22, 1 file, -0/+87)
| The queue abstract terminus allows the standard indirector behaviors to interact with a message queue broker, such that the indirector's "save" method writes the relevant model object out to a queue on the message broker.
|
| While the indirector's "find" method does not map to a message queue, the queue terminus class offers a "subscribe" method that allows for easy implementation of an event loop, receiving indirected objects saved to a queue as they come in.
* Introduce queue client "plugin" namespace and interface, with a Stomp client implementation. (Ethan Rowe, 2009-04-22, 2 files, -0/+157)
| Puppet::Util::Queue provides queue client mix-in behaviors that enable easy queue client management for consumer classes. Some relevant behaviors include:
|   * standard Puppet instance loader behavior for loading queue client modules on-demand based on the client module specified by symbolic name
|   * singleton registry of known queue client types (based on symbol-to-class mappings from the instance loading behavior)
|   * simple interface for working with an actual queue client instance
|
| Puppet::Util::Queue::Stomp wraps the Stomp::Client class to provide an initial queue client option supporting the Stomp messaging protocol. This defines the interface for all Puppet queue client plugins going forward.
* Initial implementation of a "cache accumulator" behavior. (Ethan Rowe, 2009-04-22, 1 file, -0/+69)
| Mix Puppet::Util::CacheAccumulator into an ActiveRecord-like class, and then for any attribute in that class on which you are likely to call find_or_create_by_*, specify:
|     accumulates :foo
| and instead of :find_or_create_by_foo use :accumulate_by_foo. The class will cache known results keyed by values of :foo.
|
| Do an initial bulk-lookup:
|     class.accumulate_by_foo('foo1', 'foo2', 'foo3', 'foo4')
* Changing rails value serialization to deal with booleans (Luke Kanies, 2009-04-22, 1 file, -0/+52)
| The database was automatically converting booleans to strings, and value comparison was not working correctly as a result.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Refactoring the Rails integration (Luke Kanies, 2009-04-22, 2 files, -4/+4)
| This moves all code from the Parser class into the ActiveRecord classes, and gets rid of 'ar_hash_merge'.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Adding a common Settings method for setting values (Luke Kanies, 2009-04-22, 1 file, -3/+13)
| We were previously missing some hooks for settings set via the command-line, because different code paths were being used.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Switching to Indirected ActiveRecord (Luke Kanies, 2009-04-22, 1 file, -21/+0)
| This is mostly a configuration change, with some code getting removed.
|
| Also adding an extra require in Format; Puppet::Provider requires Puppet::Provider::Confiner, so the constant lookup is weird.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Adding ActiveRecord terminus classes for Catalog (Luke Kanies, 2009-04-22, 1 file, -0/+119)
| This provides the last piece of ActiveRecord integration. It's pretty much just pass-through and *only* works if you're storing Parser resources to the db.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Adding ActiveRecord terminus classes for Node and Facts. (Luke Kanies, 2009-04-22, 4 files, -0/+287)
| This is most of the way to replacing standard StoreConfigs integration with the Indirector. We still need to convert the Catalog and then change all of the integration points (which is mostly the 'store' call in the Compiler).
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing #2180 - Catalogs yaml dump the resource table first (Luke Kanies, 2009-04-21, 1 file, -0/+4)
| This fixes a ruby bug (http://rubyforge.org/tracker/?group_id=426&atid=1698&func=detail&aid=8886) that otherwise results in yaml producing text it can't read back in.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Partially fixing #1765 - node searching supports strict hostname checking (Luke Kanies, 2009-04-22, 1 file, -0/+9)
| With the new 'strict_hostname_checking' option enabled, the compiler will only search for the literal certificate name in its list of nodes.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing #1885 - Relationships metaparams do not cascade (Luke Kanies, 2009-04-22, 1 file, -27/+8)
| Because we now pass catalogs around, rather than a tree of resources, we no longer lose the metaparam information in definitions and classes. Thus, we no longer need to pass them down to contained resources.
|
| Ideally we'd remove cascading of all metaparams (which is ticket #1903) but 'schedule' and 'noop' are inherently recursive but not in a way that the graph support can currently easily solve, so that's going to have to wait for a later release.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fix #2142 - Convert pkgdmg provider to use plists instead of string scanning for future proofing (Nigel Kersten, 2009-04-22, 1 file, -0/+73)
| update pkgdmg patch with feedback from dev-list
|
| initial checking of pkgdmg package provider tests
|
| clean up fail conditions to raise Puppet::Error instead
|
| Finalized tests for pkgdmg provider
|
| remove duplicate facter/util/plist require
* Fixing #2171 - All certificate files are written with default perms (Luke Kanies, 2009-04-22, 2 files, -4/+4)
| We were already writing all specific files with appropriate permissions; this change makes all of the files that are part of a group (which largely means files saved by puppetmasterd and puppetca) are also written using the correct permissions.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fix #2173 - fix running RSpec test by hand (Brice Figureau, 2009-04-22, 1 file, -1/+1)
| Since the introduction of fixing RSpec to 1.2.2, we don't support anymore running RSpec directly ala:
|     ruby spec/unit/type.rb
| or
|     spec/unit/type.rb
|
| This patch fixes this.
|
| Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
* Fix #2174 - Fix RSpec rake targets (Brice Figureau, 2009-04-19, 1 file, -2/+2)
| The target generation was wrong, as it created some strange target for isolated test files.
|
| It now creates two types of targets:
|   * directory targets, like:
|         rake integration/network/server
|     or
|         rake unit/network
|     Those run all tests in a specific directory
|   * spec targets like:
|         rake unit:indirector:catalog:yaml
|     or
|         rake unit:parser:ast:definition
|
| Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
* Fixing #2112 - Transactions handle conflicting generated resources (Luke Kanies, 2009-04-17, 5 files, -52/+38)
| This commit rips out all of the 'implicit resource' crap, replacing it with a simple system that just skips resources that the catalog says are in conflict.
|
| Removes a bunch of code, and fixes the bug to boot.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing puppet -e; it got broken in the move to Application (Luke Kanies, 2009-04-17, 1 file, -1/+6)
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Partially fixing #2029 - failed caches doesn't throw an exception (Luke Kanies, 2009-04-17, 1 file, -0/+15)
| If the main terminus fails you get an exception, but not if a cache terminus fails.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing #2111 - SimpleGraph only creates valid adjacencies (Luke Kanies, 2009-04-12, 1 file, -0/+9)
| The way this class was testing edges was causing them to appear adjacencies to appear magically, because it was only testing that a hash had a key, not that the value had any edges.
|
| This fixes the infinite recursion mentioned in #2111.
|
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Merge branch '0.24.x' (Luke Kanies, 2009-04-11, 2 files, -1/+2)
|\
| * Fixed rspec gem at version 1.2.2 (James Turnbull, 2009-04-06, 1 file, -0/+1)
| |
| * Add @options to test run call, for compatibility with more recent rspec versions. (Ethan Rowe, 2009-04-06, 1 file, -1/+1)
| |
* | Fix #2113 - Make temp directory (Paul Nasrat, 2009-04-05, 1 file, -0/+2)
| | Tests were failing this patch makes the temporary directory in line with other integration tests.
* | Fixing all tests that were apparently broken in the 0.24.x merge. (Luke Kanies, 2009-04-02, 5 files, -12/+10)
| | Signed-off-by: Luke Kanies <luke@madstop.com>
* | Merge branch '0.24.x' (Luke Kanies, 2009-04-02, 24 files, -57/+355)
|\|
| | Conflicts:
| |     bin/ralsh
| |     lib/puppet/executables/client/certhandler.rb
| |     lib/puppet/parser/functions/versioncmp.rb
| |     lib/puppet/parser/resource/reference.rb
| |     lib/puppet/provider/augeas/augeas.rb
| |     lib/puppet/provider/nameservice/directoryservice.rb
| |     lib/puppet/provider/ssh_authorized_key/parsed.rb
| |     lib/puppet/type.rb
| |     lib/puppet/type/file/checksum.rb
| |     spec/integration/defaults.rb
| |     spec/integration/transaction/report.rb
| |     spec/unit/executables/client/certhandler.rb
| |     spec/unit/indirector/ssl_rsa/file.rb
| |     spec/unit/node/catalog.rb
| |     spec/unit/provider/augeas/augeas.rb
| |     spec/unit/rails.rb
| |     spec/unit/type/ssh_authorized_key.rb
| |     spec/unit/type/tidy.rb
| |     test/executables/filebucket.rb
| |     test/executables/puppetbin.rb
| * Fixing #1631 - adding /sbin and /usr/sbin to PATH (Luke Kanies, 2009-03-24, 1 file, -0/+9)
| | This is a trivial fix but seems to crop up more often than it should.
| |
| | Signed-off-by: Luke Kanies <luke@madstop.com>
| * Fixed #2004 - ssh_authorized_key fails if no target is defined (Francois Deppierraz, 2009-03-24, 2 files, -30/+33)
| | This commit depends on 7f291afdacf59f762c3b78481f5420ec8919e46d (fixing #1629) which was cherry-picked from master.
| |
| | Signed-off-by: Francois Deppierraz <francois@ctrlaltdel.ch>
| * Fix Bug #1629 (Francois Deppierraz, 2009-03-24, 1 file, -0/+64)
| | A refactoring of ssh_authorized_key parsed provider was needed and tests were improved. flush method has been split for clarity.
| * Fix #1807 - make Puppet::Util::Package.versioncmp a module function (Brice Figureau, 2009-03-24, 1 file, -0/+21)
| | Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
| * Fix #1829 - Add puppet function versioncmp to compare versions (Brice Figureau, 2009-03-24, 1 file, -0/+29)
| | Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
| * Fix #1828 - Scope.number? wasn't strict enough and could produce wrong results (Brice Figureau, 2009-03-14, 1 file, -0/+14)
| | Some invalid numbers were treated as numbers and conversion to Integer was failing returning 0 (for instance 0.24.7).
| |
| | Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
| * Fixing change printing when list properties are absent (Luke Kanies, 2009-03-07, 1 file, -0/+4)
| | They were throwing an exception when the 'is' value was 'absent'.
| |
| | Signed-off-by: Luke Kanies <luke@madstop.com>