From 824f0a54a2cac76bcaa82acbed54fea598ddbb7d Mon Sep 17 00:00:00 2001 From: Jesse Reynolds Date: Thu, 18 Aug 2016 23:09:32 +0930 Subject: [PATCH 01/26] support removal of keystore file if password incorrect --- README.md | 19 +++--- lib/puppet/provider/java_ks/keytool.rb | 20 ++++--- lib/puppet/type/java_ks.rb | 10 ++++ .../keystore_failed_password_spec.rb | 60 +++++++++++++++++++ .../truststore_failed_password_spec.rb | 60 +++++++++++++++++++ spec/unit/puppet/type/java_ks_spec.rb | 7 ++- 6 files changed, 160 insertions(+), 16 deletions(-) create mode 100644 spec/acceptance/keystore_failed_password_spec.rb create mode 100644 spec/acceptance/truststore_failed_password_spec.rb diff --git a/README.md b/README.md index 549b53fe..235d6927 100644 --- a/README.md +++ b/README.md @@ -51,10 +51,11 @@ java_ks { 'puppetca:keystore': } java_ks { 'broker.example.com:/etc/activemq/broker.ks': - ensure => latest, - certificate => '/etc/puppet/ssl/certs/broker.example.com.pe-internal-broker.pem', - private_key => '/etc/puppet/ssl/private_keys/broker.example.com.pe-internal-broker.pem', - password => 'puppet', + ensure => latest, + certificate => '/etc/puppet/ssl/certs/broker.example.com.pe-internal-broker.pem', + private_key => '/etc/puppet/ssl/private_keys/broker.example.com.pe-internal-broker.pem', + password => 'albatros', + password_fail_reset => true, } ~~~ 
@@ -66,7 +67,7 @@ To have a Java application server use a specific certificate for incoming connec The java_ks module supports multiple certificates with different keystores but the same alias by implementing Puppet's composite namevar functionality. Titles map to namevars via `$alias:$target` (alias of certificate, colon, on-disk path to the keystore). If you create dependencies on these resources you need to remember to use the same title syntax outlined for generating the composite namevars. -*Note about composite namevars:* +*Note about composite namevars:* The way composite namevars currently work, you must have the colon in the title. This is true *even if you define name and target parameters.* The title can be `foo:bar`, but the name and target parameters must be `broker.example.com` and `/etc/activemq/broker.ks`. If you follow convention, it will do as you expect and correctly create an entry in the broker.ks keystore with the alias of broker.example.com. @@ -91,7 +92,7 @@ Takes intermediate certificate authorities from a separate file from the server Valid options: absent, present, latest. Latest verifies md5 certificate fingerprints for the stored certificate and the source file. Default: present. #####`name` -*Required.* Identifies the entry in the keystore. This will be converted to lowercase. Valid options: string. Default: undef. +*Required.* Identifies the entry in the keystore. This will be converted to lowercase. Valid options: string. Default: undef. #####`password` This password is used to protect the keystore. If private keys are also protected, this password will be used to attempt to unlock them. Valid options: String. Must be 6 or more characters. This cannot be used together with `password_file`, but *you must pass at least one of these parameters.* Default: undef. 
@@ -99,6 +100,10 @@ This password is used to protect the keystore. If private keys are also protecte #####`password_file` Sets a plaintext file where the password is stored. Used as an alternative to `password`. This cannot be used together with `password`, but *you must pass at least one of these parameters.* Valid options: String to the plaintext file. Default: undef. +#### `password_fail_reset` + +If the supplied password does not succeed in unlocking the keystore file, then **delete** the keystore file and create a new one. Default: `false` + #####`destkeypass` The password you want to set to protect the key in the keystore. @@ -139,6 +144,6 @@ Developed against IBM Java 6 on AIX. Other versions may be unsupported. Development ----------- -Puppet Labs modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad hardware, software, and deployment configurations that Puppet is intended to serve. +Puppet Labs modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad hardware, software, and deployment configurations that Puppet is intended to serve. We want to keep it as easy as possible to contribute changes so that our modules work in your environment. There are a few guidelines that we need contributors to follow so that we can have a chance of keeping on top of things. For more information, see our [module contribution guide.](https://docs.puppetlabs.com/forge/contributing.html) diff --git a/lib/puppet/provider/java_ks/keytool.rb b/lib/puppet/provider/java_ks/keytool.rb index 7bbbab62..2b50943e 100644 --- a/lib/puppet/provider/java_ks/keytool.rb +++ b/lib/puppet/provider/java_ks/keytool.rb 
@@ -82,12 +82,12 @@ def import_jceks tmpder = Tempfile.new("#{@resource[:name]}.") to_der(tmpder.path) cmd = [ - command_keytool, - '-importcert', '-noprompt', - '-alias', @resource[:name], - '-file', tmpder.path, - '-keystore', @resource[:target], - '-storetype', storetype + command_keytool, + '-importcert', '-noprompt', + '-alias', @resource[:name], + '-file', tmpder.path, + '-keystore', @resource[:target], + '-storetype', storetype ] cmd << '-trustcacerts' if @resource[:trustcacerts] == :true cmd += [ '-destkeypass', @resource[:destkeypass] ] unless @resource[:destkeypass].nil? @@ -110,7 +110,13 @@ def exists? run_command(cmd, false, tmpfile) tmpfile.close! return true - rescue + rescue => e + if e.message =~ /password was incorrect/i + # we have the wrong password for the keystore. so delete it if :password_fail_reset + if @resource[:password_fail_reset] == :true + File.delete(@resource[:target]) + end + end return false end end diff --git a/lib/puppet/type/java_ks.rb b/lib/puppet/type/java_ks.rb index b96e120a..835c5a39 100644 --- a/lib/puppet/type/java_ks.rb +++ b/lib/puppet/type/java_ks.rb @@ -104,6 +104,16 @@ def insync?(is) keystore. This cannot be used together with :password, but you must pass at least one of these parameters.' end + newparam(:password_fail_reset) do + desc "If the supplied password does not succeed in unlocking the + keystore file, then delete the keystore file and create a new one. + Default: false." + + newvalues(:true, :false) + + defaultto :false + end + newparam(:destkeypass) do desc 'The password used to protect the key in keystore.' diff --git a/spec/acceptance/keystore_failed_password_spec.rb b/spec/acceptance/keystore_failed_password_spec.rb new file mode 100644 index 00000000..38bbe775 --- /dev/null +++ b/spec/acceptance/keystore_failed_password_spec.rb 
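Review bot: The `File.delete(@resource[:target])` added in the `rescue` branch of `exists?` turns a state query into a destructive operation. Puppet calls `exists?` to read current state, so the keystore is likely removed even on a `--noop` run, and every other alias and private key held in that file is lost with it. Moving the deletion into the create path, or at least guarding it with a noop check and logging first with something like `Puppet.warning("java_ks: deleting #{@resource[:target]}: keystore password rejected")`, would keep the loss visible and auditable. The trigger is a match on keytool's English message, which the JDK also prints when the file fails its integrity check, so a corrupted or modified keystore is wiped without any copy kept for investigation. An exception from `File.delete` inside the `rescue` is not handled and would escape `exists?`, whose body starts above this hunk.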
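Review bot: The `desc` of `password_fail_reset` does not say that the whole file named by `target` is deleted, including entries managed under other aliases. One keystore often holds several `java_ks` resources, so I would extend the text with a sentence such as `All entries in the keystore, not only this alias, are lost when the file is deleted.` The README section added in the same commit would benefit from the same sentence.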
@@ -0,0 +1,60 @@ +require 'spec_helper_acceptance' + +describe 'managing java keystores without a correct password', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do + case fact('osfamily') + when "Solaris" + keytool_path = '/usr/java/bin/' + resource_path = "['/usr/java/bin/','/opt/puppet/bin/']" + when "AIX" + keytool_path = '/usr/java6/bin/' + resource_path = "['/usr/java6/bin/','/usr/bin/']" + else + resource_path = "undef" + end + it 'creates a keystore' do + pp = <<-EOS + java_ks { 'puppetca:keystore': + ensure => latest, + certificate => "/tmp/ca.pem", + target => '/etc/keystore_failed_password.ts', + password => 'coraline', + trustcacerts => true, + path => #{resource_path}, + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + it 'verifies the keystore' do + shell("#{keytool_path}keytool -list -v -keystore /etc/keystore.ts -storepass coraline") do |r| + expect(r.exit_code).to be_zero + expect(r.stdout).to match(/Your keystore contains 1 entry/) + expect(r.stdout).to match(/Alias name: puppetca/) + expect(r.stdout).to match(/CN=Test CA/) + end + end + + it 'recreates a keystore if password fails' do + pp = <<-EOS + java_ks { 'puppetca:keystore': + ensure => latest, + certificate => "/tmp/ca.pem", + target => '/etc/keystore_failed_password.ts', + password => 'bobinsky', + password_fail_reset => true, + trustcacerts => true, + path => #{resource_path}, + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + it 'verifies the keystore' do + shell("#{keytool_path}keytool -list -v -keystore /etc/keystore.ts -storepass bobinsky") do |r| + expect(r.exit_code).to be_zero + expect(r.stdout).to match(/Your keystore contains 1 entry/) + expect(r.stdout).to match(/Alias name: puppetca/) + expect(r.stdout).to match(/CN=Test CA/) + end + end +end diff --git a/spec/acceptance/truststore_failed_password_spec.rb b/spec/acceptance/truststore_failed_password_spec.rb new file mode 100644 index 00000000..9ff73e57 --- /dev/null 
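Review bot: Neither this spec nor `truststore_failed_password_spec.rb`, added in the same commit, covers the safe default: no example applies a wrong password with `password_fail_reset` unset and checks that the keystore file is left in place. Because the new provider branch deletes a file, an example asserting that such a run changes nothing and that the first keystore still opens with `coraline` would guard against the deletion being triggered unintentionally. In the `else` branch of the `case`, `keytool_path` is never assigned, so `#{keytool_path}keytool` relies on nil interpolating to an empty string; `keytool_path = ''` would state that intent.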
+++ b/spec/acceptance/truststore_failed_password_spec.rb @@ -0,0 +1,60 @@ +require 'spec_helper_acceptance' + +describe 'managing java truststores without a correct password', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do + case fact('osfamily') + when "Solaris" + keytool_path = '/usr/java/bin/' + resource_path = "['/usr/java/bin/','/opt/puppet/bin/']" + when "AIX" + keytool_path = '/usr/java6/bin/' + resource_path = "['/usr/java6/bin/','/usr/bin/']" + else + resource_path = "undef" + end + it 'creates a truststore' do + pp = <<-EOS + java_ks { 'puppetca:truststore': + ensure => latest, + certificate => "/tmp/ca.pem", + target => '/etc/truststore_failed_password.ts', + password => 'coraline', + trustcacerts => true, + path => #{resource_path}, + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + it 'verifies the truststore' do + shell("#{keytool_path}keytool -list -v -keystore /etc/truststore.ts -storepass coraline") do |r| + expect(r.exit_code).to be_zero + expect(r.stdout).to match(/Your keystore contains 1 entry/) + expect(r.stdout).to match(/Alias name: puppetca/) + expect(r.stdout).to match(/CN=Test CA/) + end + end + + it 'recreates a truststore if password fails' do + pp = <<-EOS + java_ks { 'puppetca:truststore': + ensure => latest, + certificate => "/tmp/ca.pem", + target => '/etc/truststore_failed_password.ts', + password => 'bobinsky', + password_fail_reset => true, + trustcacerts => true, + path => #{resource_path}, + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + it 'verifies the truststore' do + shell("#{keytool_path}keytool -list -v -keystore /etc/truststore.ts -storepass bobinsky") do |r| + expect(r.exit_code).to be_zero + expect(r.stdout).to match(/Your keystore contains 1 entry/) + expect(r.stdout).to match(/Alias name: puppetca/) + expect(r.stdout).to match(/CN=Test CA/) + end + end +end 
diff --git a/spec/unit/puppet/type/java_ks_spec.rb b/spec/unit/puppet/type/java_ks_spec.rb index 5b222160..74d4032f 100644 --- a/spec/unit/puppet/type/java_ks_spec.rb +++ b/spec/unit/puppet/type/java_ks_spec.rb @@ -29,7 +29,7 @@ describe 'when validating attributes' do - [:name, :target, :private_key, :certificate, :password, :password_file, :trustcacerts, :destkeypass].each do |param| + [:name, :target, :private_key, :certificate, :password, :password_file, :trustcacerts, :destkeypass, :password_fail_reset].each do |param| it "should have a #{param} parameter" do expect(Puppet::Type.type(:java_ks).attrtype(param)).to eq(:param) end @@ -82,7 +82,7 @@ jks[:name] = 'APP.EXAMPLE.COM' expect(Puppet::Type.type(:java_ks).new(jks)[:name]).to eq(jks_resource[:name]) end - + it 'should have :false value to :trustcacerts when parameter not provided' do expect(Puppet::Type.type(:java_ks).new(jks_resource)[:trustcacerts]).to eq(:false) end @@ -119,6 +119,9 @@ }.to raise_error(Puppet::Error, /length 6/) end + it 'should have :false value to :password_fail_reset when parameter not provided' do + expect(Puppet::Type.type(:java_ks).new(jks_resource)[:password_fail_reset]).to eq(:false) + end end describe 'when ensure is set to latest' do From cb2f676ad94041c4762ce7ae782c5999833c9c9d Mon Sep 17 00:00:00 2001 From: Jesse Reynolds Date: Sat, 13 May 2017 13:00:16 +0930 Subject: [PATCH 02/26] fix path to /etc/keystore_failed_password.ts in acceptance tests --- spec/acceptance/keystore_failed_password_spec.rb | 4 ++-- spec/acceptance/truststore_failed_password_spec.rb | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/spec/acceptance/keystore_failed_password_spec.rb b/spec/acceptance/keystore_failed_password_spec.rb index 38bbe775..4349fa46 100644 --- a/spec/acceptance/keystore_failed_password_spec.rb +++ b/spec/acceptance/keystore_failed_password_spec.rb 
@@ -26,7 +26,7 @@ end it 'verifies the keystore' do - shell("#{keytool_path}keytool -list -v -keystore /etc/keystore.ts -storepass coraline") do |r| + shell("#{keytool_path}keytool -list -v -keystore /etc/keystore_failed_password.ts -storepass coraline") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Your keystore contains 1 entry/) expect(r.stdout).to match(/Alias name: puppetca/) @@ -50,7 +50,7 @@ end it 'verifies the keystore' do - shell("#{keytool_path}keytool -list -v -keystore /etc/keystore.ts -storepass bobinsky") do |r| + shell("#{keytool_path}keytool -list -v -keystore /etc/keystore_failed_password.ts -storepass bobinsky") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Your keystore contains 1 entry/) expect(r.stdout).to match(/Alias name: puppetca/) diff --git a/spec/acceptance/truststore_failed_password_spec.rb b/spec/acceptance/truststore_failed_password_spec.rb index 9ff73e57..bf4b3d8a 100644 --- a/spec/acceptance/truststore_failed_password_spec.rb +++ b/spec/acceptance/truststore_failed_password_spec.rb @@ -26,7 +26,7 @@ end it 'verifies the truststore' do - shell("#{keytool_path}keytool -list -v -keystore /etc/truststore.ts -storepass coraline") do |r| + shell("#{keytool_path}keytool -list -v -keystore /etc/truststore_failed_password.ts -storepass coraline") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Your keystore contains 1 entry/) expect(r.stdout).to match(/Alias name: puppetca/) @@ -50,7 +50,7 @@ end it 'verifies the truststore' do - shell("#{keytool_path}keytool -list -v -keystore /etc/truststore.ts -storepass bobinsky") do |r| + shell("#{keytool_path}keytool -list -v -keystore /etc/truststore_failed_password.ts -storepass bobinsky") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Your keystore contains 1 entry/) expect(r.stdout).to match(/Alias name: puppetca/) From 3ec75a5298670223953e58f94e1611ac32212fde Mon Sep 17 00:00:00 2001 
From: Helen Campbell Date: Tue, 23 May 2017 13:55:00 +0100 Subject: [PATCH 03/26] (MODULES-4833) Update to Puppet version dependancy --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 616f18bf..98541918 100644 --- a/metadata.json +++ b/metadata.json @@ -99,7 +99,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">= 3.0.0 < 5.0.0" + "version_requirement": ">= 4.7.0 < 5.0.0" } ], "description": "Uses a combination of keytool and Ruby openssl library to manage entries in a Java keystore." From 38e50ef95ff53debc25e20f826d0aab8b3362fd9 Mon Sep 17 00:00:00 2001 From: Hunter Haugen Date: Mon, 26 Jun 2017 14:13:02 -0700 Subject: [PATCH 04/26] (MODULES-5144) Prep for puppet 5 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 98541918..b2fb11fa 100644 --- a/metadata.json +++ b/metadata.json @@ -99,7 +99,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">= 4.7.0 < 5.0.0" + "version_requirement": ">= 4.7.0 < 6.0.0" } ], "description": "Uses a combination of keytool and Ruby openssl library to manage entries in a Java keystore." From 326200555ae033e2de19dbceedb3d267bb3db3c4 Mon Sep 17 00:00:00 2001 
From: James Pogran Date: Fri, 30 Jun 2017 10:26:28 -0400 Subject: [PATCH 05/26] (MODULES-5117) Fix java install on windows in acceptance This commit fixes installing java on windows in the acceptance tests by moving the installation logic to the spec_helper_acceptance so that java is always installed when needed, and removes basic_spec.rb because having the installation logic in one spec file means all spec files must be run in order to have a properly setup environment. This commit also migrates the java install from using windows_java to puppetlabs-chocolatey. This follows a standard at Puppet to use chocolatey in acceptance to setup an environment. --- spec/acceptance/basic_spec.rb | 21 --------------------- spec/spec_helper_acceptance.rb | 22 ++++++++++++++++++---- 2 files changed, 18 insertions(+), 25 deletions(-) delete mode 100644 spec/acceptance/basic_spec.rb diff --git a/spec/acceptance/basic_spec.rb b/spec/acceptance/basic_spec.rb deleted file mode 100644 index 5ba5141b..00000000 --- a/spec/acceptance/basic_spec.rb +++ /dev/null @@ -1,21 +0,0 @@ -require 'spec_helper_acceptance' - -describe 'prep nodes', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do - it 'requires java', :unless => ["Solaris", "AIX"].include?(fact('osfamily')) do - java_source = ENV['JAVA_DOWNLOAD_SOURCE'] || "http://download.oracle.com/otn-pub/java/jdk/7u67-b01/jdk-7u67-windows-x64.exe" - java_major, java_minor = (ENV['JAVA_VERSION'] || '7u67').split('u') - pp = <<-EOS -if $::osfamily !~ /windows/ { - class { 'java': } -} else { - windows_java::jdk{'JDK #{java_major}u#{java_minor}': - ensure => 'present', - install_name => 'Java SE Development Kit #{java_major} Update #{java_minor} (64-bit)', - source => '#{java_source}', - install_path => 'C:\\Java\\jdk1.#{java_major}.0_#{java_minor}', - } -} - EOS - apply_manifest(pp, :catch_failures => true) - end -end diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index e3135c09..f4faceb6 100644 
--- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb @@ -101,9 +101,21 @@ def create_certs(host, tmpdir) copy_module_to(host, :source => proj_root, :module_name => 'java_ks') #install java if windows if host['platform'] =~ /windows/i - on host, puppet('module install cyberious-windows_java') + on host, puppet('module install puppetlabs-chocolatey') + pp = <<-EOS +include chocolatey +package { 'jdk8': + ensure => installed, + provider => 'chocolatey' +} + EOS + apply_manifest_on(host, pp) else on host, puppet('module', 'install', 'puppetlabs-java'), {:acceptable_exit_codes => [0, 1]} + pp = <<-EOS +class { 'java': } + EOS + apply_manifest_on(host, pp) end end end @@ -111,7 +123,7 @@ def create_certs(host, tmpdir) RSpec.shared_context 'common variables' do before { - java_major, java_minor = (ENV['JAVA_VERSION'] || '7u67').split('u') + java_major, java_minor = (ENV['JAVA_VERSION'] || '8u131').split('u') @ensure_ks = 'latest' @temp_dir = '/tmp/' @resource_path = "undef" @@ -127,10 +139,12 @@ def create_certs(host, tmpdir) @target = '/etc/truststore.ts' when 'windows' @ensure_ks = 'present' - @keytool_path = "C:/Java/jdk1.#{java_major}.0_#{java_minor}/bin/" + # C:/Program Files/Java/jdk1.8.0_131/bin/keytool -list -v -keystore c:/chain_key.ks -storepass puppet + # C:/Program\ Files/Java/jdk1.#{java_major}.0_#{java_minor}/bin/ + @keytool_path = "C:/Program Files/Java/jdk1.#{java_major}.0_#{java_minor}/bin/" @target = 'c:/truststore.ts' @temp_dir = 'C:/tmp/' - @resource_path = "['C:/Java/jdk1.#{java_major}.0_#{java_minor}/bin/']" + @resource_path = "['C:/Program\ Files/Java/jdk1.#{java_major}.0_#{java_minor}/bin/']" end } end From 75855c2f9fe52ddf8930e6896c8b66babb81fb5b Mon Sep 17 00:00:00 2001 
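Review bot: Both `apply_manifest_on(host, pp)` calls added here ignore the result of the Java installation, so a failed chocolatey or `java` class run only surfaces later as unrelated keytool errors. Passing `:catch_failures => true`, as the specs do with `apply_manifest`, would stop the suite at the real cause. The `jdk8` package is also installed with `ensure => installed`, while the Windows `@keytool_path` in the last hunk of this file is built from the `JAVA_VERSION` default `8u131`. If chocolatey delivers a different update the path will not exist, so the package version and that default should be tied together.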
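Review bot: In the Windows branch the `\ ` in `"['C:/Program\ Files/Java/..."` sits inside a double-quoted Ruby string, where it is just a space, so it escapes nothing for Puppet or the shell although it reads as if it did. Writing `C:/Program Files` plainly, as `@keytool_path` two lines above does, keeps both values consistent. The two commented-out path lines added above `@keytool_path` look like debugging leftovers and could be dropped.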
From: James Pogran Date: Fri, 30 Jun 2017 10:30:57 -0400 Subject: [PATCH 06/26] (MODULES-5117) Fix java path in acceptance tests This commit fixes the path to java because the jdk package installed by chocolatey uses 'C:\Program Files' instead of a custom path. The spaces cause errors, so we properly quote them in order for the command to work. --- spec/acceptance/chain_key_spec.rb | 4 ++-- spec/acceptance/destkeypass_spec.rb | 4 ++-- spec/acceptance/keystore_failed_password_spec.rb | 5 +++-- spec/acceptance/keystore_spec.rb | 4 ++-- spec/acceptance/private_key_spec.rb | 2 +- spec/acceptance/truststore_failed_password_spec.rb | 6 ++++-- spec/acceptance/truststore_spec.rb | 2 +- 7 files changed, 15 insertions(+), 12 deletions(-) diff --git a/spec/acceptance/chain_key_spec.rb b/spec/acceptance/chain_key_spec.rb index 306588b9..31485bee 100644 --- a/spec/acceptance/chain_key_spec.rb +++ b/spec/acceptance/chain_key_spec.rb @@ -26,7 +26,7 @@ end it 'verifies the private key' do - shell("#{@keytool_path}keytool -list -v -keystore #{target} -storepass puppet") do |r| + shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass puppet") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Alias name: broker\.example\.com/) expect(r.stdout).to match(/Entry type: (keyEntry|PrivateKeyEntry)/) @@ -61,7 +61,7 @@ end it 'verifies the private key' do - shell("#{@keytool_path}keytool -list -v -keystore #{target} -storepass puppet") do |r| + shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass puppet") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Alias name: broker\.example\.com/) expect(r.stdout).to match(/Entry type: (keyEntry|PrivateKeyEntry)/) diff --git a/spec/acceptance/destkeypass_spec.rb b/spec/acceptance/destkeypass_spec.rb index 9df9ce72..7f194d08 100644 --- a/spec/acceptance/destkeypass_spec.rb +++ b/spec/acceptance/destkeypass_spec.rb 
@@ -31,7 +31,7 @@ end it 'can make a cert req with the right password' do - shell("#{@keytool_path}keytool -certreq -alias broker.example.com -v "\ + shell("\"#{@keytool_path}keytool\" -certreq -alias broker.example.com -v "\ "-keystore #{target} -storepass testpass -keypass testkeypass") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/-BEGIN NEW CERTIFICATE REQUEST-/) @@ -39,7 +39,7 @@ end it 'cannot make a cert req with the wrong password' do - shell("#{@keytool_path}keytool -certreq -alias broker.example.com -v "\ + shell("\"#{@keytool_path}keytool\" -certreq -alias broker.example.com -v "\ "-keystore #{target} -storepass testpass -keypass qwert", :acceptable_exit_codes => 1) end diff --git a/spec/acceptance/keystore_failed_password_spec.rb b/spec/acceptance/keystore_failed_password_spec.rb index 4349fa46..f547e9fb 100644 --- a/spec/acceptance/keystore_failed_password_spec.rb +++ b/spec/acceptance/keystore_failed_password_spec.rb @@ -1,6 +1,7 @@ require 'spec_helper_acceptance' describe 'managing java keystores without a correct password', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do + include_context 'common variables' case fact('osfamily') when "Solaris" keytool_path = '/usr/java/bin/' @@ -26,7 +27,7 @@ end it 'verifies the keystore' do - shell("#{keytool_path}keytool -list -v -keystore /etc/keystore_failed_password.ts -storepass coraline") do |r| + shell("\"#{@keytool_path}keytool\" -list -v -keystore /etc/keystore_failed_password.ts -storepass coraline") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Your keystore contains 1 entry/) expect(r.stdout).to match(/Alias name: puppetca/) 
@@ -50,7 +51,7 @@ end it 'verifies the keystore' do - shell("#{keytool_path}keytool -list -v -keystore /etc/keystore_failed_password.ts -storepass bobinsky") do |r| + shell("\"#{@keytool_path}keytool\" -list -v -keystore /etc/keystore_failed_password.ts -storepass bobinsky") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Your keystore contains 1 entry/) expect(r.stdout).to match(/Alias name: puppetca/) diff --git a/spec/acceptance/keystore_spec.rb b/spec/acceptance/keystore_spec.rb index 602e99c8..1a0b2613 100644 --- a/spec/acceptance/keystore_spec.rb +++ b/spec/acceptance/keystore_spec.rb @@ -28,7 +28,7 @@ end it 'verifies the keystore' do - shell("#{@keytool_path}keytool -list -v -keystore #{target} -storepass puppet") do |r| + shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass puppet") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Your keystore contains 1 entry/) expect(r.stdout).to match(/Alias name: puppetca/) @@ -77,7 +77,7 @@ end it 'verifies the keystore' do - shell("#{@keytool_path}keytool -list -v -keystore #{target} -storepass puppet") do |r| + shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass puppet") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Your keystore contains 2 entries/) expect(r.stdout).to match(/Alias name: puppetca/) diff --git a/spec/acceptance/private_key_spec.rb b/spec/acceptance/private_key_spec.rb index 6f61bc56..9b37dd45 100644 --- a/spec/acceptance/private_key_spec.rb +++ b/spec/acceptance/private_key_spec.rb @@ -26,7 +26,7 @@ end it 'verifies the private key' do - shell("#{@keytool_path}keytool -list -v -keystore #{target} -storepass puppet") do |r| + shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass puppet") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Alias name: broker\.example\.com/) expect(r.stdout).to match(/Entry type: (keyEntry|PrivateKeyEntry)/) 
diff --git a/spec/acceptance/truststore_failed_password_spec.rb b/spec/acceptance/truststore_failed_password_spec.rb index bf4b3d8a..52373147 100644 --- a/spec/acceptance/truststore_failed_password_spec.rb +++ b/spec/acceptance/truststore_failed_password_spec.rb @@ -1,6 +1,8 @@ require 'spec_helper_acceptance' describe 'managing java truststores without a correct password', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do + include_context 'common variables' + case fact('osfamily') when "Solaris" keytool_path = '/usr/java/bin/' @@ -26,7 +28,7 @@ end it 'verifies the truststore' do - shell("#{keytool_path}keytool -list -v -keystore /etc/truststore_failed_password.ts -storepass coraline") do |r| + shell("\"#{@keytool_path}keytool\" -list -v -keystore /etc/truststore_failed_password.ts -storepass coraline") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Your keystore contains 1 entry/) expect(r.stdout).to match(/Alias name: puppetca/) @@ -50,7 +52,7 @@ end it 'verifies the truststore' do - shell("#{keytool_path}keytool -list -v -keystore /etc/truststore_failed_password.ts -storepass bobinsky") do |r| + shell("\"#{@keytool_path}keytool\" -list -v -keystore /etc/truststore_failed_password.ts -storepass bobinsky") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Your keystore contains 1 entry/) expect(r.stdout).to match(/Alias name: puppetca/) diff --git a/spec/acceptance/truststore_spec.rb b/spec/acceptance/truststore_spec.rb index 031daa60..4a5f73a2 100644 --- a/spec/acceptance/truststore_spec.rb +++ b/spec/acceptance/truststore_spec.rb @@ -25,7 +25,7 @@ end it 'verifies the truststore' do - shell("#{@keytool_path}keytool -list -v -keystore #{target} -storepass puppet") do |r| + shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass puppet") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Your keystore contains 1 entry/) expect(r.stdout).to match(/Alias name: puppetca/) 
From 5bf9f5afe17a9163925f95f680752c65ddabeaa8 Mon Sep 17 00:00:00 2001 From: Eric Putnam Date: Thu, 6 Jul 2017 14:41:52 -0700 Subject: [PATCH 07/26] (MODULES-5187) mysnc puppet 5 and ruby 2.4 --- .travis.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index 4981b259..0c6f904c 100644 --- a/.travis.yml +++ b/.travis.yml @@ -22,10 +22,10 @@ matrix: script: bundle exec rake beaker services: docker sudo: required - - rvm: 2.3.1 + - rvm: 2.4.0 bundler_args: --without system_tests - env: PUPPET_GEM_VERSION="~> 4.0" - - rvm: 2.1.7 + env: PUPPET_GEM_VERSION="~> 5.0" + - rvm: 2.1.9 bundler_args: --without system_tests env: PUPPET_GEM_VERSION="~> 4.0" notifications: From 1302a805c4b8950780fa092ab121beb998db70d4 Mon Sep 17 00:00:00 2001 From: James Pogran Date: Thu, 6 Jul 2017 12:17:10 -0400 Subject: [PATCH 08/26] (MODULES-5117) Clean out/fix os-specific testing This commit refactors OS specific parameters to be more maintainable. Instead if have many case statements, a common target and target_dir is used. --- spec/acceptance/chain_key_spec.rb | 46 +++++-------------- spec/acceptance/destkeypass_spec.rb | 14 +----- .../keystore_failed_password_spec.rb | 32 +++++-------- spec/acceptance/keystore_spec.rb | 8 +--- spec/acceptance/private_key_spec.rb | 9 +--- .../truststore_failed_password_spec.rb | 28 ++++------- spec/acceptance/truststore_spec.rb | 10 +--- spec/acceptance/unsupported_spec.rb | 17 ++----- spec/spec_helper_acceptance.rb | 12 ++--- 9 files changed, 46 insertions(+), 130 deletions(-) diff --git a/spec/acceptance/chain_key_spec.rb b/spec/acceptance/chain_key_spec.rb index 31485bee..e8da4319 100644 --- a/spec/acceptance/chain_key_spec.rb +++ b/spec/acceptance/chain_key_spec.rb 
@@ -5,12 +5,7 @@ describe 'managing combined java chain keys', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do include_context 'common variables' - case fact('osfamily') - when "windows" - target = 'c:/chain_combined_key.ks' - else - target = '/etc/chain_combined_key.ks' - end + target = "#{@target_dir}chain_combined_key.ks" it 'creates a private key with chain certs' do pp = <<-EOS java_ks { 'broker.example.com:#{target}': @@ -39,12 +34,7 @@ describe 'managing separate java chain keys', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do include_context 'common variables' - case fact('osfamily') - when "windows" - target = 'c:/chain_key.ks' - else - target = '/etc/chain_key.ks' - end + target = "#{@target_dir}chain_key.ks" it 'creates a private key with chain certs' do pp = <<-EOS java_ks { 'broker.example.com:#{target}': @@ -74,28 +64,21 @@ describe 'managing non existent java chain keys in noop', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do include_context 'common variables' - case fact('osfamily') - when "windows" - target = 'c:/noop_chain_key.ks' - temp_dir = 'C:/tmp/' - else - target = '/etc/noop_chain_key.ks' - temp_dir = '/tmp/' - end + target = "#{@target_dir}noop_chain_key.ks" it 'does not create a new keystore in noop' do pp = <<-EOS - $filenames = ["#{temp_dir}noop_ca.pem", - "#{temp_dir}noop_chain.pem", - "#{temp_dir}noop_privkey.pem"] + $filenames = ["#{@temp_dir}noop_ca.pem", + "#{@temp_dir}noop_chain.pem", + "#{@temp_dir}noop_privkey.pem"] file { $filenames: ensure => file, content => 'content', } -> java_ks { 'broker.example.com:#{target}': ensure => latest, - certificate => "#{temp_dir}noop_ca.pem", - chain => "#{temp_dir}noop_chain.pem", - private_key => "#{temp_dir}noop_privkey.pem", + certificate => "#{@temp_dir}noop_ca.pem", + chain => "#{@temp_dir}noop_chain.pem", + private_key => "#{@temp_dir}noop_privkey.pem", password => 'puppet', path => #{@resource_path}, } 
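Review bot: `target = "#{@target_dir}chain_combined_key.ks"` is evaluated in the body of the `describe` block, where instance variables set by the shared context are not visible if `@target_dir` is assigned in its `before` hook like the other variables. It would then be nil and `target` a bare relative file name. The same applies to the `target` assignments in the other hunks of this file and in `destkeypass_spec.rb`, and to the `["#{@temp_dir}noop_ca.pem", ...].each` loop, where the `should_not be_file` checks would pass against paths that were never written. The definition of `@target_dir` is not in view, so please confirm. A constant or helper method defined in `spec_helper_acceptance.rb` would be available both at group level and inside the examples.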
@@ -107,7 +90,7 @@ end # verifies the dependent files are missing - ["#{temp_dir}noop_ca.pem", "#{temp_dir}noop_chain.pem", "#{temp_dir}noop_privkey.pem"].each do |filename| + ["#{@temp_dir}noop_ca.pem", "#{@temp_dir}noop_chain.pem", "#{@temp_dir}noop_privkey.pem"].each do |filename| describe file("#{filename}") do it { should_not be_file } end @@ -122,12 +105,7 @@ describe 'managing existing java chain keys in noop', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do include_context 'common variables' - case fact('osfamily') - when "windows" - target = 'c:/noop2_chain_key.ks' - else - target = '/etc/noop2_chain_key.ks' - end + target = "#{@target_dir}noop2_chain_key.ks" it 'does not create a new keystore in noop' do pp = <<-EOS java_ks { 'broker.example.com:#{target}': @@ -148,4 +126,4 @@ describe file("#{target}") do it { should_not be_file } end -end \ No newline at end of file +end diff --git a/spec/acceptance/destkeypass_spec.rb b/spec/acceptance/destkeypass_spec.rb index 7f194d08..5d720fbd 100644 --- a/spec/acceptance/destkeypass_spec.rb +++ b/spec/acceptance/destkeypass_spec.rb @@ -1,19 +1,8 @@ require 'spec_helper_acceptance' -hostname = default.node_name - describe 'password protected java private keys', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do include_context 'common variables' - - let(:confdir) { default['puppetpath'] } - let(:modulepath) { default['distmoduledir'] } - - case fact('osfamily') - when "windows" - target = 'c:/private_key.ks' - else - target = '/etc/private_key.ks' - end + target = "#{@target_dir}destkeypass.ks" it 'creates a password protected private key' do pp = <<-EOS @@ -43,5 +32,4 @@ "-keystore #{target} -storepass testpass -keypass qwert", :acceptable_exit_codes => 1) end - end diff --git a/spec/acceptance/keystore_failed_password_spec.rb b/spec/acceptance/keystore_failed_password_spec.rb index f547e9fb..4a181910 100644 --- a/spec/acceptance/keystore_failed_password_spec.rb 
+++ b/spec/acceptance/keystore_failed_password_spec.rb @@ -2,32 +2,24 @@ describe 'managing java keystores without a correct password', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do include_context 'common variables' - case fact('osfamily') - when "Solaris" - keytool_path = '/usr/java/bin/' - resource_path = "['/usr/java/bin/','/opt/puppet/bin/']" - when "AIX" - keytool_path = '/usr/java6/bin/' - resource_path = "['/usr/java6/bin/','/usr/bin/']" - else - resource_path = "undef" - end + target = "#{@target_dir}keystore_failed_password.ts" + it 'creates a keystore' do pp = <<-EOS java_ks { 'puppetca:keystore': - ensure => latest, - certificate => "/tmp/ca.pem", - target => '/etc/keystore_failed_password.ts', + ensure => #{@ensure_ks}, + certificate => "#{@temp_dir}ca.pem", + target => '#{target}', password => 'coraline', trustcacerts => true, - path => #{resource_path}, + path => #{@resource_path}, } EOS apply_manifest(pp, :catch_failures => true) end it 'verifies the keystore' do - shell("\"#{@keytool_path}keytool\" -list -v -keystore /etc/keystore_failed_password.ts -storepass coraline") do |r| + shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass coraline") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Your keystore contains 1 entry/) expect(r.stdout).to match(/Alias name: puppetca/) 
@@ -38,20 +30,20 @@ it 'recreates a keystore if password fails' do pp = <<-EOS java_ks { 'puppetca:keystore': - ensure => latest, - certificate => "/tmp/ca.pem", - target => '/etc/keystore_failed_password.ts', + ensure => #{@ensure_ks}, + certificate => "#{@temp_dir}ca.pem", + target => '#{target}', password => 'bobinsky', password_fail_reset => true, trustcacerts => true, - path => #{resource_path}, + path => #{@resource_path}, } EOS apply_manifest(pp, :catch_failures => true) end it 'verifies the keystore' do - shell("\"#{@keytool_path}keytool\" -list -v -keystore /etc/keystore_failed_password.ts -storepass bobinsky") do |r| + shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass bobinsky") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Your keystore contains 1 entry/) expect(r.stdout).to match(/Alias name: puppetca/) diff --git a/spec/acceptance/keystore_spec.rb b/spec/acceptance/keystore_spec.rb index 1a0b2613..6391a9be 100644 --- a/spec/acceptance/keystore_spec.rb +++ b/spec/acceptance/keystore_spec.rb @@ -2,13 +2,7 @@ describe 'managing java keystores', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do include_context 'common variables' - - case fact('osfamily') - when 'windows' - target = 'c:/tmp/keystore.ks' - else - target = '/etc/keystore.ks' - end + target = "#{@target_dir}keystore.ks" describe 'basic tests' do it 'should create a keystore' do diff --git a/spec/acceptance/private_key_spec.rb b/spec/acceptance/private_key_spec.rb index 9b37dd45..17d93779 100644 --- a/spec/acceptance/private_key_spec.rb +++ b/spec/acceptance/private_key_spec.rb 
@@ -1,15 +1,8 @@ require 'spec_helper_acceptance' -hostname = default.node_name - describe 'managing java private keys', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do include_context 'common variables' - case fact('osfamily') - when 'windows' - target = 'c:/private_key.ts' - else - target = '/etc/private_key.ts' - end + target = "#{@target_dir}private_key.ts" it 'creates a private key' do pp = <<-EOS diff --git a/spec/acceptance/truststore_failed_password_spec.rb b/spec/acceptance/truststore_failed_password_spec.rb index 52373147..afa762f5 100644 --- a/spec/acceptance/truststore_failed_password_spec.rb +++ b/spec/acceptance/truststore_failed_password_spec.rb @@ -2,33 +2,23 @@ describe 'managing java truststores without a correct password', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do include_context 'common variables' - - case fact('osfamily') - when "Solaris" - keytool_path = '/usr/java/bin/' - resource_path = "['/usr/java/bin/','/opt/puppet/bin/']" - when "AIX" - keytool_path = '/usr/java6/bin/' - resource_path = "['/usr/java6/bin/','/usr/bin/']" - else - resource_path = "undef" - end + target = "#{@target_dir}truststore_failed_password.ts" it 'creates a truststore' do pp = <<-EOS java_ks { 'puppetca:truststore': ensure => latest, - certificate => "/tmp/ca.pem", - target => '/etc/truststore_failed_password.ts', + certificate => "#{@temp_dir}ca.pem", + target => "#{target}", password => 'coraline', trustcacerts => true, - path => #{resource_path}, + path => #{@resource_path}, } EOS apply_manifest(pp, :catch_failures => true) end it 'verifies the truststore' do - shell("\"#{@keytool_path}keytool\" -list -v -keystore /etc/truststore_failed_password.ts -storepass coraline") do |r| + shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass coraline") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Your keystore contains 1 entry/) expect(r.stdout).to match(/Alias name: puppetca/) 
@@ -40,19 +30,19 @@ pp = <<-EOS java_ks { 'puppetca:truststore': ensure => latest, - certificate => "/tmp/ca.pem", - target => '/etc/truststore_failed_password.ts', + certificate => "#{@temp_dir}ca.pem", + target => "#{target}", password => 'bobinsky', password_fail_reset => true, trustcacerts => true, - path => #{resource_path}, + path => #{@resource_path}, } EOS apply_manifest(pp, :catch_failures => true) end it 'verifies the truststore' do - shell("\"#{@keytool_path}keytool\" -list -v -keystore /etc/truststore_failed_password.ts -storepass bobinsky") do |r| + shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass bobinsky") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Your keystore contains 1 entry/) expect(r.stdout).to match(/Alias name: puppetca/) diff --git a/spec/acceptance/truststore_spec.rb b/spec/acceptance/truststore_spec.rb index 4a5f73a2..fa84f4df 100644 --- a/spec/acceptance/truststore_spec.rb +++ b/spec/acceptance/truststore_spec.rb @@ -2,20 +2,14 @@ describe 'managing java truststores', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do include_context 'common variables' - - case fact('osfamily') - when "windows" - target = 'c:/truststore.ts' - else - target = '/etc/truststore.ts' - end + target = "#{@target_dir}truststore.ts" it 'creates a truststore' do pp = <<-EOS java_ks { 'puppetca:truststore': ensure => #{@ensure_ks}, certificate => "#{@temp_dir}ca.pem", - target => '#{target}', + target => "#{target}", password => 'puppet', trustcacerts => true, path => #{@resource_path}, diff --git a/spec/acceptance/unsupported_spec.rb b/spec/acceptance/unsupported_spec.rb index d2091a2d..59a15c59 100644 --- a/spec/acceptance/unsupported_spec.rb +++ b/spec/acceptance/unsupported_spec.rb 
@@ -1,25 +1,16 @@ require 'spec_helper_acceptance' describe 'unsupported distributions and OSes', :if => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do - case fact('osfamily') - when "Solaris" - keytool_path = '/usr/java/bin/' - resource_path = "['/usr/java/bin/','/opt/puppet/bin/','/usr/bin/']" - when "AIX" - keytool_path = '/usr/java6/bin/' - resource_path = "['/usr/java6/bin/','/opt/puppet/bin/']" - else - resource_path = "undef" - end + include_context 'common variables' it 'should fail' do pp = <<-EOS java_ks { 'puppetca:keystore': ensure => latest, - certificate => "/tmp/ca.pem", - target => '/etc/keystore.ks', + certificate => "#{@temp_dir}ca.pem", + target => "#{@target_dir}unsupported.ks", password => 'puppet', trustcacerts => true, - path => #{resource_path}, + path => #{@resource_path}, } EOS expect(apply_manifest(pp, :expect_failures => true).stderr).to match(/unsupported os/) diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index f4faceb6..fd22e0be 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb 
@@ -125,26 +125,22 @@ class { 'java': } before { java_major, java_minor = (ENV['JAVA_VERSION'] || '8u131').split('u') @ensure_ks = 'latest' - @temp_dir = '/tmp/' @resource_path = "undef" - @target = '/etc/truststore.ts' + @target_dir = '/etc/' + @temp_dir = '/tmp/' case fact('osfamily') when "Solaris" @keytool_path = '/usr/java/bin/' @resource_path = "['/usr/java/bin/','/opt/puppet/bin/']" - @target = '/etc/truststore.ts' when "AIX" @keytool_path = '/usr/java6/bin/' @resource_path = "['/usr/java6/bin/','/usr/bin/']" - @target = '/etc/truststore.ts' when 'windows' @ensure_ks = 'present' - # C:/Program Files/Java/jdk1.8.0_131/bin/keytool -list -v -keystore c:/chain_key.ks -storepass puppet - # C:/Program\ Files/Java/jdk1.#{java_major}.0_#{java_minor}/bin/ @keytool_path = "C:/Program Files/Java/jdk1.#{java_major}.0_#{java_minor}/bin/" - @target = 'c:/truststore.ts' - @temp_dir = 'C:/tmp/' @resource_path = "['C:/Program\ Files/Java/jdk1.#{java_major}.0_#{java_minor}/bin/']" + @target_dir = 'c:/' + @temp_dir = 'C:/tmp/' end } end From 9651a11d9227bc8396dab32e8439cbdf507e3cd3 Mon Sep 17 00:00:00 2001 From: Glenn Sarti Date: Thu, 27 Jul 2017 15:10:17 -0700 Subject: [PATCH 09/26] (maint) modulesync 915cde70e20 --- Gemfile | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/Gemfile b/Gemfile index 46cb2eac..a9f0161c 100644 --- a/Gemfile +++ b/Gemfile 
@@ -33,13 +33,13 @@ ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments minor_version = "#{ruby_version_segments[0]}.#{ruby_version_segments[1]}" group :development do - gem "puppet-module-posix-default-r#{minor_version}", :require => false, :platforms => "ruby" - gem "puppet-module-win-default-r#{minor_version}", :require => false, :platforms => ["mswin", "mingw", "x64_mingw"] - gem "puppet-module-posix-dev-r#{minor_version}", :require => false, :platforms => "ruby" - gem "puppet-module-win-dev-r#{minor_version}", :require => false, :platforms => ["mswin", "mingw", "x64_mingw"] - gem "json_pure", '<= 2.0.1', :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0') - gem "fast_gettext", '1.1.0', :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0') - gem "fast_gettext", :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0') + gem "puppet-module-posix-default-r#{minor_version}", :require => false, :platforms => "ruby" + gem "puppet-module-win-default-r#{minor_version}", :require => false, :platforms => ["mswin", "mingw", "x64_mingw"] + gem "puppet-module-posix-dev-r#{minor_version}", :require => false, :platforms => "ruby" + gem "puppet-module-win-dev-r#{minor_version}", '0.0.7', :require => false, :platforms => ["mswin", "mingw", "x64_mingw"] + gem "json_pure", '<= 2.0.1', :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0') + gem "fast_gettext", '1.1.0', :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0') + gem "fast_gettext", :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0') end group :system_tests do 
@@ -50,6 +50,7 @@ group :system_tests do gem "beaker-rspec", *location_for(ENV['BEAKER_RSPEC_VERSION']) gem "beaker-hostgenerator", *location_for(ENV['BEAKER_HOSTGENERATOR_VERSION']) gem "beaker-abs", *location_for(ENV['BEAKER_ABS_VERSION'] || '~> 0.1') + gem "puppet-blacksmith", '~> 3.4', :require => false end gem 'puppet', *location_for(ENV['PUPPET_GEM_VERSION']) From a9fcd3737ff47b64cb1086a6bc3bafaf7b2d32e7 Mon Sep 17 00:00:00 2001 From: Glenn Sarti Date: Sun, 30 Jul 2017 20:09:54 -0700 Subject: [PATCH 10/26] (MODULES-5357) Pin JDK installation pacakge to 8.0.144 Previously the acceptance tests installed JDK from the chocolatey pacakge repo however the version of the installed pacakges was not enforced and the calculation for the Java path then fails as it is expected java 8u131. This commit pins the JDK8 pacakged to the latest 8u141 in the chocolatey repo and updates the java version logic with the new version number. --- spec/spec_helper_acceptance.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index fd22e0be..1648ee52 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb @@ -105,7 +105,7 @@ def create_certs(host, tmpdir) pp = <<-EOS include chocolatey package { 'jdk8': - ensure => installed, + ensure => '8.0.144', provider => 'chocolatey' } EOS @@ -123,7 +123,7 @@ class { 'java': } RSpec.shared_context 'common variables' do before { - java_major, java_minor = (ENV['JAVA_VERSION'] || '8u131').split('u') + java_major, java_minor = (ENV['JAVA_VERSION'] || '8u144').split('u') @ensure_ks = 'latest' @resource_path = "undef" @target_dir = '/etc/' From f6f0b31109d4279ee2537e378ae74369ed4a5883 Mon Sep 17 00:00:00 2001 
From: Paula McMaw Date: Thu, 17 Aug 2017 14:49:48 +0100 Subject: [PATCH 11/26] (MODULES-5501) - Remove unsupported Ubuntu Removing older version of Ubuntu that are not supported by the module. --- metadata.json | 2 -- 1 file changed, 2 deletions(-) diff --git a/metadata.json b/metadata.json index b2fb11fa..16ee56d0 100644 --- a/metadata.json +++ b/metadata.json @@ -63,8 +63,6 @@ { "operatingsystem": "Ubuntu", "operatingsystemrelease": [ - "10.04", - "12.04", "14.04", "16.04" ] From a7e3c2a7a54fec21dbe3d12e88b34227e9f704f5 Mon Sep 17 00:00:00 2001 From: Hailee Kenney Date: Mon, 18 Sep 2017 14:56:18 -0700 Subject: [PATCH 12/26] (maint) modulesync 892c4cf --- CONTRIBUTING.md | 222 +++++++++++++++++++++++++++----------------- locales/config.yaml | 1 + 2 files changed, 139 insertions(+), 84 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 990edba7..1a9fb3a5 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -1,63 +1,75 @@ -Checklist (and a short version for the impatient) -================================================= +# Contributing to Puppet modules - * Commits: +So you want to contribute to a Puppet module: Great! Below are some instructions to get you started doing +that very thing while setting expectations around code quality as well as a few tips for making the +process as easy as possible. - - Make commits of logical units. +### Table of Contents - - Check for unnecessary whitespace with "git diff --check" before - committing. +1. [Getting Started](#getting-started) +1. [Commit Checklist](#commit-checklist) +1. [Submission](#submission) +1. [More about commits](#more-about-commits) +1. [Testing](#testing) + - [Running Tests](#running-tests) + - [Writing Tests](#writing-tests) +1. [Get Help](#get-help) - - Commit using Unix line endings (check the settings around "crlf" in - git-config(1)). +## Getting Started - - Do not check in commented out code or unneeded files. +- Fork the module repository on GitHub and clone to your workspace - - The first line of the commit message should be a short - description (50 characters is the soft limit, excluding ticket - number(s)), and should skip the full stop. +- Make your changes! - - Associate the issue in the message. The first line should include - the issue number in the form "(#XXXX) Rest of message". +## Commit Checklist - - The body should provide a meaningful commit message, which: +### The Basics - - uses the imperative, present tense: "change", not "changed" or - "changes". +- [x] my commit is a single logical unit of work - - includes motivation for the change, and contrasts its - implementation with the previous behavior. +- [x] I have checked for unnecessary whitespace with "git diff --check" - - Make sure that you have tests for the bug you are fixing, or - feature you are adding. 
+- [x] my commit does not include commented out code or unneeded files - - Make sure the test suites passes after your commit: - `bundle exec rspec spec/acceptance` More information on [testing](#Testing) below +### The Content - - When introducing a new feature, make sure it is properly - documented in the README.md +- [x] my commit includes tests for the bug I fixed or feature I added - * Submission: +- [x] my commit includes appropriate documentation changes if it is introducing a new feature or changing existing functionality + +- [x] my code passes existing test suites - * Pre-requisites: +### The Commit Message - - Make sure you have a [GitHub account](https://github.com/join) +- [x] the first line of my commit message includes: - - [Create a ticket](https://tickets.puppet.com/secure/CreateIssue!default.jspa), or [watch the ticket](https://tickets.puppet.com/browse/) you are patching for. + - [x] an issue number (if applicable), e.g. "(MODULES-xxxx) This is the first line" + + - [x] a short description (50 characters is the soft limit, excluding ticket number(s)) - * Preferred method: +- [x] the body of my commit message: - - Fork the repository on GitHub. + - [x] is meaningful - - Push your changes to a topic branch in your fork of the - repository. (the format ticket/1234-short_description_of_change is - usually preferred for this project). + - [x] uses the imperative, present tense: "change", not "changed" or "changes" - - Submit a pull request to the repository in the puppetlabs - organization. + - [x] includes motivation for the change, and contrasts its implementation with the previous behavior -The long version -================ +## Submission + +### Pre-requisites + +- Make sure you have a [GitHub account](https://github.com/join) + +- [Create a ticket](https://tickets.puppet.com/secure/CreateIssue!default.jspa), or [watch the ticket](https://tickets.puppet.com/browse/) you are patching for. 
+ +### Push and PR + +- Push your changes to your fork + +- [Open a Pull Request](https://help.github.com/articles/creating-a-pull-request-from-a-fork/) against the repository in the puppetlabs organization + +## More about commits 1. Make separate commits for logically separate changes. 
@@ -104,37 +116,32 @@ The long version GitHub has some pretty good [general documentation](http://help.github.com/) on using their site. They also have documentation on - [creating pull requests](http://help.github.com/send-pull-requests/). + [creating pull requests](https://help.github.com/articles/creating-a-pull-request-from-a-fork/). In general, after pushing your topic branch up to your repository on GitHub, you can switch to the branch in the GitHub UI and click "Pull Request" towards the top of the page in order to open a pull request. + 3. Update the related JIRA issue. - 3. Update the related GitHub issue. - - If there is a GitHub issue associated with the change you + If there is a JIRA issue associated with the change you submitted, then you should update the ticket to include the location of your branch, along with any other commentary you may wish to make. -Testing -======= +# Testing -Getting Started ---------------- +## Getting Started -Our puppet modules provide [`Gemfile`](./Gemfile)s which can tell a ruby -package manager such as [bundler](http://bundler.io/) what Ruby packages, +Our Puppet modules provide [`Gemfile`](./Gemfile)s, which can tell a Ruby package manager such as [bundler](http://bundler.io/) what Ruby packages, or Gems, are required to build, develop, and test this software. -Please make sure you have [bundler installed](http://bundler.io/#getting-started) -on your system, then use it to install all dependencies needed for this project, -by running +Please make sure you have [bundler installed](http://bundler.io/#getting-started) on your system, and then use it to +install all dependencies needed for this project in the project root by running ```shell -% bundle install +% bundle install --path .bundle/gems Fetching gem metadata from https://rubygems.org/........ Fetching gem metadata from https://rubygems.org/.. Using rake (10.1.0) 
@@ -148,7 +155,7 @@ Your bundle is complete! Use `bundle show [gemname]` to see where a bundled gem is installed. ``` -NOTE some systems may require you to run this command with sudo. +NOTE: some systems may require you to run this command with sudo. If you already have those gems installed, make sure they are up-to-date: 
@@ -156,26 +163,27 @@ If you already have those gems installed, make sure they are up-to-date: % bundle update ``` -With all dependencies in place and up-to-date we can now run the tests: +## Running Tests + +With all dependencies in place and up-to-date, run the tests: + +### Unit Tests ```shell % bundle exec rake spec ``` -This will execute all the [rspec tests](http://rspec-puppet.com/) tests -under [spec/defines](./spec/defines), [spec/classes](./spec/classes), -and so on. rspec tests may have the same kind of dependencies as the -module they are testing. While the module defines in its [Modulefile](./Modulefile), +This executes all the [rspec tests](http://rspec-puppet.com/) in the directories defined [here](https://github.com/puppetlabs/puppetlabs_spec_helper/blob/699d9fbca1d2489bff1736bb254bb7b7edb32c74/lib/puppetlabs_spec_helper/rake_tasks.rb#L17) and so on. +rspec tests may have the same kind of dependencies as the module they are testing. Although the module defines these dependencies in its [metadata.json](./metadata.json), rspec tests define them in [.fixtures.yml](./fixtures.yml). -Some puppet modules also come with [beaker](https://github.com/puppetlabs/beaker) -tests. These tests spin up a virtual machine under -[VirtualBox](https://www.virtualbox.org/)) with, controlling it with -[Vagrant](http://www.vagrantup.com/) to actually simulate scripted test -scenarios. In order to run these, you will need both of those tools -installed on your system. +### Acceptance Tests + +Some Puppet modules also come with acceptance tests, which use [beaker][]. These tests spin up a virtual machine under +[VirtualBox](https://www.virtualbox.org/), controlled with [Vagrant](http://www.vagrantup.com/), to simulate scripted test +scenarios. In order to run these, you need both Virtualbox and Vagrant installed on your system. -You can run them by issuing the following command +Run the tests by issuing the following command ```shell % bundle exec rake spec_clean 
@@ -183,35 +191,81 @@ You can run them by issuing the following command ``` This will now download a pre-fabricated image configured in the [default node-set](./spec/acceptance/nodesets/default.yml), -install puppet, copy this module and install its dependencies per [spec/spec_helper_acceptance.rb](./spec/spec_helper_acceptance.rb) +install Puppet, copy this module, and install its dependencies per [spec/spec_helper_acceptance.rb](./spec/spec_helper_acceptance.rb) and then run all the tests under [spec/acceptance](./spec/acceptance). -Writing Tests -------------- +## Writing Tests + +### Unit Tests -XXX getting started writing tests. +When writing unit tests for Puppet, [rspec-puppet][] is your best friend. It provides tons of helper methods for testing your manifests against a +catalog (e.g. contain_file, contain_package, with_params, etc). It would be ridiculous to try and top rspec-puppet's [documentation][rspec-puppet_docs] +but here's a tiny sample: -If you have commit access to the repository -=========================================== +Sample manifest: -Even if you have commit access to the repository, you will still need to -go through the process above, and have someone else review and merge -in your changes. The rule is that all changes must be reviewed by a -developer on the project (that did not write the code) to ensure that -all changes go through a code review process. +```puppet +file { "a test file": + ensure => present, + path => "/etc/sample", +} +``` + +Sample test: -Having someone other than the author of the topic branch recorded as -performing the merge is the record that they performed the code -review. +```ruby +it 'does a thing' do + expect(subject).to contain_file("a test file").with({:path => "/etc/sample"}) +end +``` +### Acceptance Tests + +Writing acceptance tests for Puppet involves [beaker][] and its cousin [beaker-rspec][]. 
A common pattern for acceptance tests is to create a test manifest, apply it +twice to check for idempotency or errors, then run expectations. + +```ruby +it 'does an end-to-end thing' do + pp = <<-EOF + file { 'a test file': + ensure => present, + path => "/etc/sample", + content => "test string", + } + + apply_manifest(pp, :catch_failures => true) + apply_manifest(pp, :catch_changes => true) + +end + +describe file("/etc/sample") do + it { is_expected.to contain "test string" } +end -Additional Resources -==================== +``` -* [Getting additional help](http://puppet.com/community/get-help) +# If you have commit access to the repository -* [Writing tests](https://docs.puppet.com/guides/module_guides/bgtm.html#step-three-module-testing) +Even if you have commit access to the repository, you still need to go through the process above, and have someone else review and merge +in your changes. The rule is that **all changes must be reviewed by a project developer that did not write the code to ensure that +all changes go through a code review process.** -* [General GitHub documentation](http://help.github.com/) +The record of someone performing the merge is the record that they performed the code review. Again, this should be someone other than the author of the topic branch. +# Get Help + +### On the web +* [Puppet help messageboard](http://puppet.com/community/get-help) +* [Writing tests](https://docs.puppet.com/guides/module_guides/bgtm.html#step-three-module-testing) +* [General GitHub documentation](http://help.github.com/) * [GitHub pull request documentation](http://help.github.com/send-pull-requests/) + +### On chat +* Slack (slack.puppet.com) #forge-modules, #puppet-dev, #windows, #voxpupuli +* IRC (freenode) #puppet-dev, #voxpupuli + + +[rspec-puppet]: http://rspec-puppet.com/ +[rspec-puppet_docs]: http://rspec-puppet.com/documentation/ +[beaker]: https://github.com/puppetlabs/beaker +[beaker-rspec]: https://github.com/puppetlabs/beaker-rspec 
diff --git a/locales/config.yaml b/locales/config.yaml index c97fe78e..e03d88fa 100644 --- a/locales/config.yaml +++ b/locales/config.yaml @@ -22,4 +22,5 @@ gettext: # Patterns for +Dir.glob+ used to find all files that might contain # translatable content, relative to the project root directory source_files: + - './lib/**/*.rb' From fc94c6c51c139d0a0e3d30478ba7cdfc98e0241c Mon Sep 17 00:00:00 2001 From: tphoney Date: Thu, 21 Sep 2017 12:39:50 +0100 Subject: [PATCH 13/26] Rubocop cleanup of java_ks type --- lib/puppet/type/java_ks.rb | 40 ++++++++++++++++++-------------------- 1 file changed, 19 insertions(+), 21 deletions(-) diff --git a/lib/puppet/type/java_ks.rb b/lib/puppet/type/java_ks.rb index 465dcdac..562ef122 100644 --- a/lib/puppet/type/java_ks.rb +++ b/lib/puppet/type/java_ks.rb @@ -3,7 +3,6 @@ accomplish the same alias spread across multiple target keystores.' ensurable do - desc 'Has three states: present, absent, and latest. Latest will compare the on disk SHA1 fingerprint of the certificate to that in keytool to determine if insync? returns true or false. We redefine @@ -26,7 +25,6 @@ end def insync?(is) - @should.each do |should| case should when :present @@ -40,7 +38,7 @@ def insync?(is) end end - return false + false end defaultto :present @@ -147,14 +145,14 @@ def insync?(is) # Support both arrays and colon-separated fields. def value=(*values) - @value = values.flatten.collect { |val| + @value = values.flatten.map { |val| val.split(File::PATH_SEPARATOR) }.flatten end end newparam(:keytool_timeout) do - desc "Timeout for the keytool command in seconds." + desc 'Timeout for the keytool command in seconds.' defaultto 120 end 
@@ -178,35 +176,35 @@ def value=(*values) def self.title_patterns [ [ - /^([^:]+)$/, + %r{^([^:]+)$}, [ - [ :name ] - ] + [:name], + ], ], [ - /^(.*):([a-z]:(\/|\\).*)$/i, + %r{^(.*):([a-z]:(/|\\).*)$}i, [ - [ :name ], - [ :target ] - ] + [:name], + [:target], + ], ], [ - /^(.*):(.*)$/, + %r{^(.*):(.*)$}, [ - [ :name ], - [ :target ] - ] - ] + [:name], + [:target], + ], + ], ] end validate do - if value(:password) and value(:password_file) - self.fail "You must pass either 'password' or 'password_file', not both." + if value(:password) && value(:password_file) + raise Puppet::Error, "You must pass either 'password' or 'password_file', not both." end - unless value(:password) or value(:password_file) - self.fail "You must pass one of 'password' or 'password_file'." + unless value(:password) || value(:password_file) + raise Puppet::Error, "You must pass one of 'password' or 'password_file'." end end end From 5325496ff928971381fe64b78df3d683c882515b Mon Sep 17 00:00:00 2001 From: Sander Cornelissen Date: Wed, 27 Sep 2017 14:17:51 +0200 Subject: [PATCH 14/26] Fix java 9 support --- lib/puppet/provider/java_ks/keytool.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/puppet/provider/java_ks/keytool.rb b/lib/puppet/provider/java_ks/keytool.rb index 6a4d060f..2e7332ca 100644 --- a/lib/puppet/provider/java_ks/keytool.rb +++ b/lib/puppet/provider/java_ks/keytool.rb @@ -161,7 +161,11 @@ def current tmpfile = password_file output = run_command(cmd, false, tmpfile) tmpfile.close! - current = output.scan(/Certificate fingerprints:\n\s+MD5: .*\n\s+SHA1: (.*)/)[0][0] + if output.include? 'MD5:' + current = output.scan(/Certificate fingerprints:\n\s+MD5: .*\n\s+SHA1: (.*)/)[0][0] + else + current = output.scan(/Certificate fingerprints:\n\s+SHA1: (.*)/)[0][0] + end return current end end From a8bdb416059f787fc51294ab2f2a11216b946e2f Mon Sep 17 00:00:00 2001 
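Review bot: The rewritten title patterns keep `^` and `$`, which in Ruby match at every line boundary rather than at the ends of the string, so a title containing a newline would be split into name and target from a single line of it. Since the literals are being touched anyway, anchoring the whole title is the stricter form: `%r{\A([^:]+)\z}`, `%r{\A(.*):([a-z]:(/|\\).*)\z}i` and `%r{\A(.*):(.*)\z}`. `title_patterns` is fully inside the hunk; the `validate` block continues outside it.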
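Review bot: Both branches of the new conditional in `current` end in `scan(...)[0][0]`, so when keytool prints no SHA1 line at all (for instance after a failed password or another change of output format) the provider fails with a NoMethodError on nil instead of a readable error. One pattern with an optional MD5 line covers both layouts and allows an explicit check: `current = output[/Certificate fingerprints:\n(?:\s+MD5: .*\n)?\s+SHA1: (.*)/, 1]` followed by `raise Puppet::Error, "no SHA1 fingerprint in keytool output" if current.nil?`. `current` starts outside this hunk.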
From: Gavin Williams Date: Tue, 9 May 2017 15:00:12 +0100 Subject: [PATCH 15/26] Add support for importing PKCS12 certificates. New ':source_password' param to provide PKCS12 password. Added unit and acceptance tests. --- lib/puppet/provider/java_ks/keytool.rb | 45 +++++++++++++++++-- lib/puppet/type/java_ks.rb | 12 ++++- spec/acceptance/pkcs12_spec.rb | 38 ++++++++++++++++ spec/spec_helper_acceptance.rb | 3 ++ .../puppet/provider/java_ks/keytool_spec.rb | 38 ++++++++++++++++ spec/unit/puppet/type/java_ks_spec.rb | 28 +++++++----- 6 files changed, 149 insertions(+), 15 deletions(-) create mode 100644 spec/acceptance/pkcs12_spec.rb diff --git a/lib/puppet/provider/java_ks/keytool.rb b/lib/puppet/provider/java_ks/keytool.rb index 6a4d060f..fc628f80 100644 --- a/lib/puppet/provider/java_ks/keytool.rb +++ b/lib/puppet/provider/java_ks/keytool.rb @@ -54,13 +54,23 @@ def get_password def password_file pword = get_password + source_pword = sourcepassword tmpfile = Tempfile.new("#{@resource[:name]}.") if File.exists?(@resource[:target]) and not File.zero?(@resource[:target]) - tmpfile.write("#{pword}\n#{pword}") + if !source_pword.nil? + contents = "#{pword}\n#{source_pword}" + else + contents = "#{pword}\n#{pword}" + end else - tmpfile.write("#{pword}\n#{pword}\n#{pword}") + if !source_pword.nil? + contents = "#{pword}\n#{pword}\n#{source_pword}" + else + contents = "#{pword}\n#{pword}\n#{pword}" + end end + tmpfile.write(contents) tmpfile.flush tmpfile end @@ -85,6 +95,20 @@ def import_ks pwfile.close! if pwfile.is_a? Tempfile end + def import_pkcs12 + cmd = [ + command_keytool, + '-importkeystore', '-srcstoretype', 'PKCS12', + '-destkeystore', @resource[:target], + '-srckeystore', certificate + ] + + pwfile = password_file + run_command(cmd, @resource[:target], pwfile) + pwfile.close! if pwfile.is_a? Tempfile + + end + def import_jceks tmpder = Tempfile.new("#{@resource[:name]}.") to_der(tmpder.path) 
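Review bot: In `password_file` the new `source_pword` branches are taken whenever `source_password` is set, not only for the pkcs12 storetype, and the `validate` hunk of this commit requires the parameter for pkcs12 but does not reject it elsewhere. A resource that sets it with another storetype would therefore send a different answer to keytool's source-password prompt than before this change. Limiting it at the top with `source_pword = storetype == :pkcs12 ? sourcepassword : nil` keeps the old behaviour for the other paths, and `src = source_pword || pword` lets the four string literals shrink to two. The method's tail is outside the hunk.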
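Review bot: `import_pkcs12` never passes the resource name to keytool, so `-importkeystore` copies every entry of the PKCS12 file under whatever alias it carries there; the acceptance test only lines up because the bundle is created with the friendly name "Leaf Cert", the same as the resource title. A bundle with a different or an additional alias would add keystore entries this resource does not track, and later lookups by name would presumably miss them (those methods are outside the hunk). At minimum this deserves a comment such as `# imports all entries under their source alias; the PKCS12 friendly name must equal the resource name`, and the README should say the same. Separately, `pwfile.close!` is skipped when run_command raises, so the temp file holding both passwords stays on disk until it is finalized; wrapping the call as `begin … ensure pwfile.close! end` removes it on every path.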
@@ -134,6 +158,15 @@ def latest # Return value must be different to provider.current to signify a possible trigger event. if Puppet[:noop] and !File.exists?(certificate) return 'latest' + elsif storetype == :pkcs12 + cmd = [ + command_keytool, + '-list', '-keystore', certificate, + '-storetype', 'PKCS12', '-storepass', sourcepassword + ] + output = run_command(cmd) + latest = output.scan(/\(SHA1\):\s+(.*)/)[0][0] + return latest else cmd = [ command_keytool, @@ -173,8 +206,10 @@ def create import_ks elsif certificate.nil? and !private_key.nil? raise Puppet::Error, 'Keytool is not capable of importing a private key without an accomapaning certificate.' - elsif storetype == "jceks" + elsif storetype == :jceks import_jceks + elsif storetype == :pkcs12 + import_pkcs12 else cmd = [ command_keytool, @@ -224,6 +259,10 @@ def chain @resource[:chain] end + def sourcepassword + @resource[:source_password] + end + def storetype @resource[:storetype] end diff --git a/lib/puppet/type/java_ks.rb b/lib/puppet/type/java_ks.rb index 465dcdac..8ad69285 100644 --- a/lib/puppet/type/java_ks.rb +++ b/lib/puppet/type/java_ks.rb @@ -72,9 +72,9 @@ def insync?(is) newparam(:storetype) do desc 'Optional storetype - Valid options: ' + Valid options: , ' - newvalues(:jceks) + newvalues(:jceks, :pkcs12) end newparam(:private_key) do @@ -159,6 +159,10 @@ def value=(*values) defaultto 120 end + newparam(:source_password) do + desc "The source keystore password" + end + # Where we setup autorequires. autorequire(:file) do auto_requires = [] @@ -208,5 +212,9 @@ def self.title_patterns unless value(:password) or value(:password_file) self.fail "You must pass one of 'password' or 'password_file'." end + + if value(:storetype) == :pkcs12 and value(:source_password).nil? + self.fail "You must provide 'source_password' when using a 'pkcs12' storetype." + end end end diff --git a/spec/acceptance/pkcs12_spec.rb b/spec/acceptance/pkcs12_spec.rb new file mode 100644 index 00000000..fa705f7f --- /dev/null 
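Review bot: The new pkcs12 branch of `latest` passes the source password as `'-storepass', sourcepassword` on keytool's argument list, where it is readable by other local users through the process table and ends up in anything that records the command line. The rest of the provider feeds passwords through a temporary file on stdin (`run_command(cmd, false, tmpfile)` in `current`), and this branch should do the same, assuming keytool prompts for the store password when `-storepass` is omitted, as that path relies on. The same `[0][0]` on the `scan` result will raise on nil if the output has no `(SHA1):` line, so a nil check with a `Puppet::Error` is worth adding. `latest` begins and ends outside this hunk.

```ruby
    elsif storetype == :pkcs12
      cmd = [
        command_keytool,
        '-list', '-keystore', certificate,
        '-storetype', 'PKCS12'
      ]
      # Source password goes to keytool's prompt on stdin, not onto argv.
      srcpw = Tempfile.new("#{@resource[:name]}.")
      srcpw.write(sourcepassword)
      srcpw.flush
      begin
        output = run_command(cmd, false, srcpw)
      ensure
        srcpw.close!
      end
      # … unchanged: SHA1 scan and return …
```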
+++ b/spec/acceptance/pkcs12_spec.rb @@ -0,0 +1,38 @@ +require 'spec_helper_acceptance' + +hostname = default.node_name + +describe 'managing java pkcs12', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do + include_context 'common variables' + case fact('osfamily') + when 'windows' + target = 'c:/pkcs12.ks' + else + target = '/etc/pkcs12.ks' + end + + it 'creates a private key with chain' do + pp = <<-EOS + java_ks { 'Leaf Cert:#{target}': + ensure => #{@ensure_ks}, + certificate => "#{@temp_dir}leaf.p12", + storetype => 'pkcs12', + password => 'puppet', + path => #{@resource_path}, + source_password => 'pkcs12pass' + } + EOS + + apply_manifest(pp, :catch_failures => true) + end + + it 'verifies the private key and chain' do + shell("#{@keytool_path}keytool -list -v -keystore #{target} -storepass puppet") do |r| + expect(r.exit_code).to be_zero + expect(r.stdout).to match(/Alias name: leaf cert/) + expect(r.stdout).to match(/Entry type: (keyEntry|PrivateKeyEntry)/) + expect(r.stdout).to match(/Certificate chain length: 3/) + expect(r.stdout).to match(/^Serial number: 5$.*^Serial number: 4$.*^Serial number: 3$/m) + end + end +end diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index e3135c09..b8fe53a9 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb @@ -76,6 +76,8 @@ def create_certs(host, tmpdir) leaf.not_after = leaf.not_before + 360 leaf.sign(key_chain2, OpenSSL::Digest::SHA256.new) + pkcs12 = OpenSSL::PKCS12.create("pkcs12pass", "Leaf Cert", key_leaf, leaf, [chain2, chain]) + create_remote_file(host, "#{tmpdir}/privkey.pem", key.to_pem) create_remote_file(host, "#{tmpdir}/ca.pem", ca.to_pem) create_remote_file(host, "#{tmpdir}/ca2.pem", ca2.to_pem) 
@@ -83,6 +85,7 @@ def create_certs(host, tmpdir) create_remote_file(host, "#{tmpdir}/leafkey.pem", key_leaf.to_pem) create_remote_file(host, "#{tmpdir}/leaf.pem", leaf.to_pem) create_remote_file(host, "#{tmpdir}/leafchain.pem", leaf.to_pem + chain2.to_pem + chain.to_pem) + create_remote_file(host, "#{tmpdir}/leaf.p12", pkcs12.to_der) end diff --git a/spec/unit/puppet/provider/java_ks/keytool_spec.rb b/spec/unit/puppet/provider/java_ks/keytool_spec.rb index 9387283c..5c312131 100644 --- a/spec/unit/puppet/provider/java_ks/keytool_spec.rb +++ b/spec/unit/puppet/provider/java_ks/keytool_spec.rb @@ -142,6 +142,44 @@ ) provider.import_ks end + + end + end + + describe 'when importing a pkcs12 file' do + let(:params) do + { + :title => 'app.example.com:/tmp/testing.jks', + :name => 'app.example.com', + :target => '/tmp/application.jks', + :password => 'puppet', + :certificate => '/tmp/testing.p12', + :storetype => 'pkcs12', + :source_password => 'password', + :provider => described_class.name + } + end + + let(:resource) do + Puppet::Type.type(:java_ks).new(params) + end + + let(:provider) do + resource.provider + end + + describe '#import_pkcs12' do + it 'should support pkcs12 source' do + pkcs12 = resource.dup + pkcs12[:storetype] = 'pkcs12' + provider.expects(:run_command).with([ + 'mykeytool', '-importkeystore', '-srcstoretype', 'PKCS12', + '-destkeystore', pkcs12[:target], + '-srckeystore', '/tmp/testing.p12' + ], any_parameters + ) + provider.import_pkcs12 + end end end diff --git a/spec/unit/puppet/type/java_ks_spec.rb b/spec/unit/puppet/type/java_ks_spec.rb index a391c223..7928051c 100644 --- a/spec/unit/puppet/type/java_ks_spec.rb +++ b/spec/unit/puppet/type/java_ks_spec.rb 
@@ -5,16 +5,16 @@ before do @app_example_com = { - :title => 'app.example.com:/tmp/application.jks', - :name => 'app.example.com', - :target => '/tmp/application.jks', - :password => 'puppet', - :destkeypass => 'keypass', - :certificate => '/tmp/app.example.com.pem', - :private_key => '/tmp/private/app.example.com.pem', + :title => 'app.example.com:/tmp/application.jks', + :name => 'app.example.com', + :target => '/tmp/application.jks', + :password => 'puppet', + :destkeypass => 'keypass', + :certificate => '/tmp/app.example.com.pem', + :private_key => '/tmp/private/app.example.com.pem', :private_key_type => 'rsa', - :storetype => 'jceks', - :provider => :keytool + :storetype => 'jceks', + :provider => :keytool } @provider = stub('provider', :class => Puppet::Type.type(:java_ks).defaultprovider, :clear => nil) Puppet::Type.type(:java_ks).defaultprovider.stubs(:new).returns(@provider) @@ -30,7 +30,7 @@ describe 'when validating attributes' do - [:name, :target, :private_key, :private_key_type, :certificate, :password, :password_file, :trustcacerts, :destkeypass, :password_fail_reset].each do |param| + [:name, :target, :private_key, :private_key_type, :certificate, :password, :password_file, :trustcacerts, :destkeypass, :password_fail_reset, :source_password].each do |param| it "should have a #{param} parameter" do expect(Puppet::Type.type(:java_ks).attrtype(param)).to eq(:param) end @@ -137,6 +137,14 @@ it 'should have :false value to :password_fail_reset when parameter not provided' do expect(Puppet::Type.type(:java_ks).new(jks_resource)[:password_fail_reset]).to eq(:false) end + + it 'should fail if :source_password is not provided for pkcs12 :storetype' do + jks = jks_resource.dup + jks[:storetype] = 'pkcs12' + expect { + Puppet::Type.type(:java_ks).new(jks) + }.to raise_error(Puppet::Error, /You must provide 'source_password' when using a 'pkcs12' storetype/) + end end describe 'when ensure is set to latest' do 
From 389ffa721786f20d2525912b5374ac568072cee8 Mon Sep 17 00:00:00 2001 From: Paula McMaw Date: Tue, 24 Oct 2017 17:51:53 +0100 Subject: [PATCH 16/26] Update metadata This includes the removal of Sles 10, Debian 6 and Windows 2003. Debian 9 has been added. --- metadata.json | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/metadata.json b/metadata.json index 16ee56d0..accddad3 100644 --- a/metadata.json +++ b/metadata.json @@ -47,7 +47,6 @@ { "operatingsystem": "SLES", "operatingsystemrelease": [ - "10 SP4", "11 SP1", "12" ] @@ -55,9 +54,9 @@ { "operatingsystem": "Debian", "operatingsystemrelease": [ - "6", "7", - "8" + "8", + "9" ] }, { @@ -84,7 +83,6 @@ { "operatingsystem": "Windows", "operatingsystemrelease": [ - "Server 2003 R2", "Server 2008 R2", "Server 2012", "Server 2012 R2", From ee85d0e10230bda0f6b2d4e111b337abb2d95c2f Mon Sep 17 00:00:00 2001 From: Paula McMaw Date: Mon, 30 Oct 2017 17:21:39 +0000 Subject: [PATCH 17/26] (MODULES-5814) - Removing Windows 8 Microsoft no longer supports Windows 8 as an OS. --- metadata.json | 1 - 1 file changed, 1 deletion(-) diff --git a/metadata.json b/metadata.json index accddad3..3b7cec28 100644 --- a/metadata.json +++ b/metadata.json @@ -87,7 +87,6 @@ "Server 2012", "Server 2012 R2", "7", - "8", "8.1" ] } From 5dec48765be728460c90faee57f680974dbbd028 Mon Sep 17 00:00:00 2001 From: tphoney Date: Fri, 10 Nov 2017 12:50:20 +0000 Subject: [PATCH 18/26] FM-6517 On SLES we do not have pkcs12 installed --- spec/acceptance/pkcs12_spec.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/spec/acceptance/pkcs12_spec.rb b/spec/acceptance/pkcs12_spec.rb index fa705f7f..318488a2 100644 --- a/spec/acceptance/pkcs12_spec.rb +++ b/spec/acceptance/pkcs12_spec.rb 
@@ -2,7 +2,8 @@ hostname = default.node_name -describe 'managing java pkcs12', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do +# SLES by default does not support this form of encyrption. +describe 'managing java pkcs12', :unless => (UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) || fact('operatingsystem') == 'SLES') do include_context 'common variables' case fact('osfamily') when 'windows' From a12a274e00166c1ac0d81b6ae7a2446048d5b25e Mon Sep 17 00:00:00 2001 From: Michael T Lombardi Date: Tue, 14 Nov 2017 20:01:48 -0600 Subject: [PATCH 19/26] (FM-6547) Pin JDK installation package to 8.0.152 Previously the acceptance tests installed JDK from the chocolatey package repo and pinned the version to `8.0.144`; however, that package now fails to install due to a 404 error in the download. This commit updates the version pin to `8.0.152`, which is the latest stable release and which installs correctly. --- spec/spec_helper_acceptance.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index c964a75f..bbe89f36 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb @@ -108,7 +108,7 @@ def create_certs(host, tmpdir) pp = <<-EOS include chocolatey package { 'jdk8': - ensure => '8.0.144', + ensure => '8.0.152', provider => 'chocolatey' } EOS @@ -126,7 +126,7 @@ class { 'java': } RSpec.shared_context 'common variables' do before { - java_major, java_minor = (ENV['JAVA_VERSION'] || '8u144').split('u') + java_major, java_minor = (ENV['JAVA_VERSION'] || '8u152').split('u') @ensure_ks = 'latest' @resource_path = "undef" @target_dir = '/etc/' From 9500d39d697e24d4bc43e227b0e64ef13da872ae Mon Sep 17 00:00:00 2001 
From: Michael T Lombardi Date: Tue, 14 Nov 2017 20:05:09 -0600 Subject: [PATCH 20/26] (FM-6547) Fix shell string in pkcs12 test The shell string in the it block of the pkcs12 acceptance tests does not include escaped quoting around the path to `keytool` prior to this commit. This causes a failure on windows because the path includes a space. This commit wraps the path to keytool in escaped quotes to resolve the issue. --- spec/acceptance/pkcs12_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/acceptance/pkcs12_spec.rb b/spec/acceptance/pkcs12_spec.rb index 318488a2..75ce3cf1 100644 --- a/spec/acceptance/pkcs12_spec.rb +++ b/spec/acceptance/pkcs12_spec.rb @@ -28,7 +28,7 @@ end it 'verifies the private key and chain' do - shell("#{@keytool_path}keytool -list -v -keystore #{target} -storepass puppet") do |r| + shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass puppet") do |r| expect(r.exit_code).to be_zero expect(r.stdout).to match(/Alias name: leaf cert/) expect(r.stdout).to match(/Entry type: (keyEntry|PrivateKeyEntry)/) From 6536057bd191a7f59131510671749828133bfbdc Mon Sep 17 00:00:00 2001 From: Paula McMaw Date: Wed, 15 Nov 2017 11:14:29 +0000 Subject: [PATCH 21/26] Adding appveyor config file --- appveyor.yml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 appveyor.yml diff --git a/appveyor.yml b/appveyor.yml new file mode 100644 index 00000000..7e05880b --- /dev/null +++ b/appveyor.yml 
@@ -0,0 +1,52 @@ +version: 1.1.x.{build} +skip_commits: + message: /^\(?doc\)?.*/ +clone_depth: 10 +init: +- SET +- 'mkdir C:\ProgramData\PuppetLabs\code && exit 0' +- 'mkdir C:\ProgramData\PuppetLabs\facter && exit 0' +- 'mkdir C:\ProgramData\PuppetLabs\hiera && exit 0' +- 'mkdir C:\ProgramData\PuppetLabs\puppet\var && exit 0' +environment: + matrix: + - PUPPET_GEM_VERSION: ~> 4.0 + RUBY_VER: 21 + - PUPPET_GEM_VERSION: ~> 4.0 + RUBY_VER: 21-x64 + - PUPPET_GEM_VERSION: ~> 5.0 + RUBY_VER: 24 + - PUPPET_GEM_VERSION: ~> 5.0 + RUBY_VER: 24-x64 + - PUPPET_GEM_VERSION: 4.7.1 + RUBY_VER: 21-x64 +matrix: + fast_finish: true +install: +- SET PATH=C:\Ruby%RUBY_VER%\bin;%PATH% +- ps: | + # AppVeyor appears to have OpenSSL headers available already + # which msys2 would normally install with: + # pacman -S mingw-w64-x86_64-openssl --noconfirm + # + if ( $(ruby --version) -match "^ruby\s+2\.4" ) { + Write-Output "Building OpenSSL gem ~> 2.0.4 to fix Ruby 2.4 / AppVeyor issue" + gem install openssl --version '~> 2.0.4' --no-ri --no-rdoc + } + + gem list openssl + ruby -ropenssl -e 'puts \"OpenSSL Version - #{OpenSSL::OPENSSL_VERSION}\"; puts \"OpenSSL Library Version - #{OpenSSL::OPENSSL_LIBRARY_VERSION}\"' +- bundle install --jobs 4 --retry 2 --without system_tests +- type Gemfile.lock +build: off +test_script: +- bundle exec puppet -V +- ruby -v +- bundle exec rake spec SPEC_OPTS='--format documentation' +notifications: +- provider: Email + to: + - nobody@nowhere.com + on_build_success: false + on_build_failure: false + on_build_status_changed: false From 730c63333bd0e0f2239fe1e0ed4f9ee9ca49caa4 Mon Sep 17 00:00:00 2001 
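Review bot: The bare `- SET` under `init:` prints every environment variable into the build log, which would include any secret or secure variable that is later added to this project's CI settings. Drop it, or print only the values the build needs, for example `- SET RUBY_VER` and `- SET PUPPET_GEM_VERSION` (these may need to move to `install:` if the matrix values are not yet set during `init`). A one-line comment above the four `mkdir … && exit 0` entries explaining why those directories are needed would also help.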
From: Michael T Lombardi Date: Wed, 15 Nov 2017 08:19:30 -0800 Subject: [PATCH 22/26] (FM-6547) Fix unit tests on windows Prior to this commit, the unit tests for java_ks could never pass on windows due to use of linux paths and commands hard-coded. This commit adds a variable for the temp paths in both spec test files and guards against running tests that rely on linux commands on a windows machine. --- .../puppet/provider/java_ks/keytool_spec.rb | 46 +++++++++++-------- spec/unit/puppet/type/java_ks_spec.rb | 18 +++++--- 2 files changed, 39 insertions(+), 25 deletions(-) diff --git a/spec/unit/puppet/provider/java_ks/keytool_spec.rb b/spec/unit/puppet/provider/java_ks/keytool_spec.rb index 5c312131..c4a97310 100644 --- a/spec/unit/puppet/provider/java_ks/keytool_spec.rb +++ b/spec/unit/puppet/provider/java_ks/keytool_spec.rb @@ -3,14 +3,22 @@ describe Puppet::Type.type(:java_ks).provider(:keytool) do + let(:temp_dir) do + if Puppet.features.microsoft_windows? + ENV['TEMP'] + else + '/tmp/' + end + end + let(:global_params) do { - :title => 'app.example.com:/tmp/application.jks', + :title => "app.example.com:#{temp_dir}application.jks", :name => 'app.example.com', - :target => '/tmp/application.jks', + :target => "#{temp_dir}application.jks", :password => 'puppet', - :certificate => '/tmp/app.example.com.pem', - :private_key => '/tmp/private/app.example.com.pem', + :certificate => "#{temp_dir}app.example.com.pem", + :private_key => "#{temp_dir}private/app.example.com.pem", :storetype => 'jceks', :provider => described_class.name } @@ -38,7 +46,7 @@ :write => true, :flush => true, :close! => true, - :path => '/tmp/testing.stuff' + :path => "#{temp_dir}testing.stuff" ) Tempfile.stubs(:new).returns(tempfile) end @@ -51,7 +59,7 @@ end end - describe 'when running keystore commands' do + describe 'when running keystore commands', :if => ! Puppet.features.microsoft_windows? do it 'should call the passed command' do cmd = '/bin/echo testing 1 2 3' 
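Review bot: `temp_dir` returns `ENV['TEMP']` on Windows, which normally has no trailing separator, while every use interpolates it directly as `"#{temp_dir}application.jks"`; the resulting paths would then name files beside the temp directory rather than inside it. The non-Windows value `'/tmp/'` only works because it carries the slash. Returning `File.join(ENV['TEMP'], '')`, or building each path with `File.join(temp_dir, 'application.jks')`, makes both platforms behave the same. The `before` block in spec/unit/puppet/type/java_ks_spec.rb sets `@temp_dir` the same way and needs the same change.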
@@ -112,17 +120,17 @@ pkcs_double = BogusPkcs.new() pkcs_double.expects(:to_der) OpenSSL::PKCS12.expects(:create).with(resource[:password],resource[:name],'priv_obj','cert_obj',[]).returns(pkcs_double) - provider.to_pkcs12('/tmp/testing.stuff') + provider.to_pkcs12("#{temp_dir}testing.stuff") end end describe "#import_ks" do it 'should execute openssl and keytool with specific options' do - provider.expects(:to_pkcs12).with('/tmp/testing.stuff') + provider.expects(:to_pkcs12).with("#{temp_dir}testing.stuff") provider.expects(:run_command).with([ 'mykeytool', '-importkeystore', '-srcstoretype', 'PKCS12', '-destkeystore', resource[:target], - '-srckeystore', '/tmp/testing.stuff', + '-srckeystore', "#{temp_dir}testing.stuff", '-alias', resource[:name], ], any_parameters ) @@ -132,11 +140,11 @@ it 'should use destkeypass when provided' do dkp = resource.dup dkp[:destkeypass] = 'keypass' - provider.expects(:to_pkcs12).with('/tmp/testing.stuff') + provider.expects(:to_pkcs12).with("#{temp_dir}testing.stuff") provider.expects(:run_command).with([ 'mykeytool', '-importkeystore', '-srcstoretype', 'PKCS12', '-destkeystore', dkp[:target], - '-srckeystore', '/tmp/testing.stuff', + '-srckeystore', "#{temp_dir}testing.stuff", '-alias', dkp[:name], '-destkeypass', dkp[:destkeypass] ], any_parameters ) @@ -149,11 +157,11 @@ describe 'when importing a pkcs12 file' do let(:params) do { - :title => 'app.example.com:/tmp/testing.jks', + :title => "app.example.com:#{temp_dir}testing.jks", :name => 'app.example.com', - :target => '/tmp/application.jks', + :target => "#{temp_dir}application.jks", :password => 'puppet', - :certificate => '/tmp/testing.p12', + :certificate => "#{temp_dir}testing.p12", :storetype => 'pkcs12', :source_password => 'password', :provider => described_class.name 
@@ -175,7 +183,7 @@ provider.expects(:run_command).with([ 'mykeytool', '-importkeystore', '-srcstoretype', 'PKCS12', '-destkeystore', pkcs12[:target], - '-srckeystore', '/tmp/testing.p12' + '-srckeystore', "#{temp_dir}testing.p12" ], any_parameters ) provider.import_pkcs12 @@ -186,12 +194,12 @@ describe 'when creating entires in a keystore' do let(:params) do { - :title => 'app.example.com:/tmp/application.jks', + :title => "app.example.com:#{temp_dir}application.jks", :name => 'app.example.com', - :target => '/tmp/application.jks', + :target => "#{temp_dir}application.jks", :password => 'puppet', - :certificate => '/tmp/app.example.com.pem', - :private_key => '/tmp/private/app.example.com.pem', + :certificate => "#{temp_dir}app.example.com.pem", + :private_key => "#{temp_dir}private/app.example.com.pem", :provider => described_class.name } end diff --git a/spec/unit/puppet/type/java_ks_spec.rb b/spec/unit/puppet/type/java_ks_spec.rb index 7928051c..df9bfb9c 100644 --- a/spec/unit/puppet/type/java_ks_spec.rb +++ b/spec/unit/puppet/type/java_ks_spec.rb @@ -4,14 +4,20 @@ describe Puppet::Type.type(:java_ks) do before do + if Puppet.features.microsoft_windows? + @temp_dir = ENV['TEMP'] + else + @temp_dir = '/tmp/' + end + @app_example_com = { - :title => 'app.example.com:/tmp/application.jks', + :title => "app.example.com:#{@temp_dir}application.jks", :name => 'app.example.com', - :target => '/tmp/application.jks', + :target => "#{@temp_dir}application.jks", :password => 'puppet', :destkeypass => 'keypass', - :certificate => '/tmp/app.example.com.pem', - :private_key => '/tmp/private/app.example.com.pem', + :certificate => "#{@temp_dir}app.example.com.pem", + :private_key => "#{@temp_dir}private/app.example.com.pem", :private_key_type => 'rsa', :storetype => 'jceks', :provider => :keytool 
@@ -66,9 +72,9 @@ it "second half of title should not map to target parameter when target is supplied" do jks = jks_resource.dup - jks[:target] = '/tmp/some_other_app.jks' + jks[:target] = "#{@temp_dir}some_other_app.jks" expect(Puppet::Type.type(:java_ks).new(jks)[:target]).not_to eq(jks_resource[:target]) - expect(Puppet::Type.type(:java_ks).new(jks)[:target]).to eq('/tmp/some_other_app.jks') + expect(Puppet::Type.type(:java_ks).new(jks)[:target]).to eq("#{@temp_dir}some_other_app.jks") end it 'title components should map to namevar parameters' do From 4e79a9525a252d7c93c41b952eb9d7b3246fb2e9 Mon Sep 17 00:00:00 2001 From: Paula McMaw Date: Fri, 17 Nov 2017 08:18:50 +0000 Subject: [PATCH 23/26] (maint) - Updating flag to stop appveyor config from being deleted Planning on putting java_ks under windows management in modulesync. Therefore I want to keep the appveyor file to run tests against Windows on every merge. --- .sync.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.sync.yml b/.sync.yml index 4e8aee51..9c53500f 100644 --- a/.sync.yml +++ b/.sync.yml @@ -1,3 +1,3 @@ --- appveyor.yml: - delete: true + delete: false From 51a45068f589905445b47b0ab7a302c34365869f Mon Sep 17 00:00:00 2001 From: Paula McMaw Date: Fri, 17 Nov 2017 12:17:12 +0000 Subject: [PATCH 24/26] Module sync 1d81b6a --- .travis.yml | 2 +- Gemfile | 83 +++++++++++++++++++++++++++- spec/acceptance/nodesets/default.yml | 22 +++++--- spec/spec_helper.rb | 5 +- 4 files changed, 101 insertions(+), 11 deletions(-) diff --git a/.travis.yml b/.travis.yml index 0c6f904c..38d22639 100644 --- a/.travis.yml +++ b/.travis.yml @@ -22,7 +22,7 @@ matrix: script: bundle exec rake beaker services: docker sudo: required - - rvm: 2.4.0 + - rvm: 2.4.1 bundler_args: --without system_tests env: PUPPET_GEM_VERSION="~> 5.0" - rvm: 2.1.9 diff --git a/Gemfile b/Gemfile index a9f0161c..e8318e5f 100644 --- a/Gemfile +++ b/Gemfile 
@@ -28,10 +28,20 @@ def location_for(place_or_version, fake_version = nil) end # Used for gem conditionals -supports_windows = false +supports_windows = true ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments minor_version = "#{ruby_version_segments[0]}.#{ruby_version_segments[1]}" +# The following gems are not included by default as they require DevKit on Windows. +# You should probably include them in a Gemfile.local or a ~/.gemfile +#gem 'pry' #this may already be included in the gemfile +#gem 'pry-stack_explorer', :require => false +#if RUBY_VERSION =~ /^2/ +# gem 'pry-byebug' +#else +# gem 'pry-debugger' +#end + group :development do gem "puppet-module-posix-default-r#{minor_version}", :require => false, :platforms => "ruby" gem "puppet-module-win-default-r#{minor_version}", :require => false, :platforms => ["mswin", "mingw", "x64_mingw"] 
@@ -62,6 +72,77 @@ gem 'puppet', *location_for(ENV['PUPPET_GEM_VERSION']) gem 'facter', *location_for(ENV['FACTER_GEM_VERSION']) if ENV['FACTER_GEM_VERSION'] gem 'hiera', *location_for(ENV['HIERA_GEM_VERSION']) if ENV['HIERA_GEM_VERSION'] +# For Windows dependencies, these could be required based on the version of +# Puppet you are requiring. Anything greater than v3.5.0 is going to have +# Windows-specific dependencies dictated by the gem itself. The other scenario +# is when you are faking out Puppet to use a local file path / git path. +explicitly_require_windows_gems = false +puppet_gem_location = gem_type(ENV['PUPPET_GEM_VERSION']) +# This is not a perfect answer to the version check +if puppet_gem_location != :gem || (ENV['PUPPET_GEM_VERSION'] && Gem::Version.correct?(ENV['PUPPET_GEM_VERSION']) && Gem::Requirement.new('< 3.5.0').satisfied_by?(Gem::Version.new(ENV['PUPPET_GEM_VERSION'].dup))) + if Gem::Platform.local.os == 'mingw32' + explicitly_require_windows_gems = true + end + if puppet_gem_location == :gem + # If facterversion hasn't been specified and we are + # looking for a Puppet Gem version less than 3.5.0, we + # need to ensure we get a good Facter for specs. + gem "facter",">= 1.6.11","<= 1.7.5",:require => false unless ENV['FACTER_GEM_VERSION'] + # If hieraversion hasn't been specified and we are + # looking for a Puppet Gem version less than 3.5.0, we + # need to ensure we get a good Hiera for specs. + gem "hiera",">= 1.0.0","<= 1.3.0",:require => false unless ENV['HIERA_GEM_VERSION'] + end +end + +if explicitly_require_windows_gems + # This also means Puppet Gem less than 3.5.0 - this has been tested back + # to 3.0.0. Any further back is likely not supported. 
+ if puppet_gem_location == :gem + gem "ffi", "1.9.0", :require => false + gem "win32-eventlog", "0.5.3","<= 0.6.5", :require => false + gem "win32-process", "0.6.5","<= 0.7.5", :require => false + gem "win32-security", "~> 0.1.2","<= 0.2.5", :require => false + gem "win32-service", "0.7.2","<= 0.8.8", :require => false + gem "minitar", "0.5.4", :require => false + else + gem "ffi", "~> 1.9.0", :require => false + gem "win32-eventlog", "~> 0.5","<= 0.6.5", :require => false + gem "win32-process", "~> 0.6","<= 0.7.5", :require => false + gem "win32-security", "~> 0.1","<= 0.2.5", :require => false + gem "win32-service", "~> 0.7","<= 0.8.8", :require => false + gem "minitar", "~> 0.5.4", :require => false + end + + gem "win32-dir", "~> 0.3","<= 0.4.9", :require => false + gem "win32console", "1.3.2", :require => false if RUBY_VERSION =~ /^1\./ + + # sys-admin was removed in Puppet 3.7.0+, and doesn't compile + # under Ruby 2.3 - so restrict it to Ruby 1.x + gem "sys-admin", "1.5.6", :require => false if RUBY_VERSION =~ /^1\./ + + # Puppet less than 3.7.0 requires these. + # Puppet 3.5.0+ will control the actual requirements. + # These are listed in formats that work with all versions of + # Puppet from 3.0.0 to 3.6.x. After that, these were no longer used. + # We do not want to allow newer versions than what came out after + # 3.6.x to be used as they constitute some risk in breaking older + # functionality. So we set these to exact versions. 
+ gem "win32-api", "1.4.8", :require => false + gem "win32-taskscheduler", "0.2.2", :require => false + gem "windows-api", "0.4.3", :require => false + gem "windows-pr", "1.2.3", :require => false +else + if Gem::Platform.local.os == 'mingw32' + # If we're using a Puppet gem on windows, which handles its own win32-xxx gem dependencies (Pup 3.5.0 and above), set maximum versions + # Required due to PUP-6445 + gem "win32-dir", "<= 0.4.9", :require => false + gem "win32-eventlog", "<= 0.6.5", :require => false + gem "win32-process", "<= 0.7.5", :require => false + gem "win32-security", "<= 0.2.5", :require => false + gem "win32-service", "<= 0.8.8", :require => false + end +end # Evaluate Gemfile.local if it exists if File.exists? "#{__FILE__}.local" diff --git a/spec/acceptance/nodesets/default.yml b/spec/acceptance/nodesets/default.yml index dba339c4..6f602319 100644 --- a/spec/acceptance/nodesets/default.yml +++ b/spec/acceptance/nodesets/default.yml @@ -1,10 +1,18 @@ +--- HOSTS: - ubuntu-1404-x64: + windows2012-64-1: + pe_dir: + pe_ver: + pe_upgrade_dir: + pe_upgrade_ver: + hypervisor: vmpooler + platform: windows-2012-64 + ruby_arch: x64 + template: win-2012-x86_64 roles: - - agent - - default - platform: ubuntu-14.04-amd64 - hypervisor: vagrant - box: puppetlabs/ubuntu-14.04-64-nocm + - agent + - default CONFIG: - type: foss + nfs_server: none + consoleport: 443 + pooling_api: http://vmpooler.delivery.puppetlabs.net/ diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 05732d4f..c8080920 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -1,4 +1,4 @@ -#This file is generated by ModuleSync, do not edit. +# This file is generated by ModuleSync, do not edit. require 'puppetlabs_spec_helper/module_spec_helper' if Puppet::Util::Package.versioncmp(Puppet.version, '4.5.0') >= 0 
@@ -12,5 +12,6 @@ # put local configuration and setup into spec_helper_local begin require 'spec_helper_local' -rescue LoadError +rescue LoadError => loaderror + puts "Could not require spec_helper_local: #{loaderror.message}" end From 8b78a7b8b793829aa84bd3f4bf38b4050c20de3b Mon Sep 17 00:00:00 2001 From: Paula McMaw Date: Thu, 30 Nov 2017 14:33:45 +0000 Subject: [PATCH 25/26] (FM-6588) - Modulesync e6d4a7d --- Gemfile | 79 ++++++--------------------------------------------------- 1 file changed, 8 insertions(+), 71 deletions(-) diff --git a/Gemfile b/Gemfile index e8318e5f..f62bc314 100644 --- a/Gemfile +++ b/Gemfile @@ -28,7 +28,6 @@ def location_for(place_or_version, fake_version = nil) end # Used for gem conditionals -supports_windows = true ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments minor_version = "#{ruby_version_segments[0]}.#{ruby_version_segments[1]}" 
@@ -72,76 +71,14 @@ gem 'puppet', *location_for(ENV['PUPPET_GEM_VERSION']) gem 'facter', *location_for(ENV['FACTER_GEM_VERSION']) if ENV['FACTER_GEM_VERSION'] gem 'hiera', *location_for(ENV['HIERA_GEM_VERSION']) if ENV['HIERA_GEM_VERSION'] -# For Windows dependencies, these could be required based on the version of -# Puppet you are requiring. Anything greater than v3.5.0 is going to have -# Windows-specific dependencies dictated by the gem itself. The other scenario -# is when you are faking out Puppet to use a local file path / git path. -explicitly_require_windows_gems = false -puppet_gem_location = gem_type(ENV['PUPPET_GEM_VERSION']) -# This is not a perfect answer to the version check -if puppet_gem_location != :gem || (ENV['PUPPET_GEM_VERSION'] && Gem::Version.correct?(ENV['PUPPET_GEM_VERSION']) && Gem::Requirement.new('< 3.5.0').satisfied_by?(Gem::Version.new(ENV['PUPPET_GEM_VERSION'].dup))) - if Gem::Platform.local.os == 'mingw32' - explicitly_require_windows_gems = true - end - if puppet_gem_location == :gem - # If facterversion hasn't been specified and we are - # looking for a Puppet Gem version less than 3.5.0, we - # need to ensure we get a good Facter for specs. - gem "facter",">= 1.6.11","<= 1.7.5",:require => false unless ENV['FACTER_GEM_VERSION'] - # If hieraversion hasn't been specified and we are - # looking for a Puppet Gem version less than 3.5.0, we - # need to ensure we get a good Hiera for specs. - gem "hiera",">= 1.0.0","<= 1.3.0",:require => false unless ENV['HIERA_GEM_VERSION'] - end -end - -if explicitly_require_windows_gems - # This also means Puppet Gem less than 3.5.0 - this has been tested back - # to 3.0.0. Any further back is likely not supported. 
- if puppet_gem_location == :gem - gem "ffi", "1.9.0", :require => false - gem "win32-eventlog", "0.5.3","<= 0.6.5", :require => false - gem "win32-process", "0.6.5","<= 0.7.5", :require => false - gem "win32-security", "~> 0.1.2","<= 0.2.5", :require => false - gem "win32-service", "0.7.2","<= 0.8.8", :require => false - gem "minitar", "0.5.4", :require => false - else - gem "ffi", "~> 1.9.0", :require => false - gem "win32-eventlog", "~> 0.5","<= 0.6.5", :require => false - gem "win32-process", "~> 0.6","<= 0.7.5", :require => false - gem "win32-security", "~> 0.1","<= 0.2.5", :require => false - gem "win32-service", "~> 0.7","<= 0.8.8", :require => false - gem "minitar", "~> 0.5.4", :require => false - end - - gem "win32-dir", "~> 0.3","<= 0.4.9", :require => false - gem "win32console", "1.3.2", :require => false if RUBY_VERSION =~ /^1\./ - - # sys-admin was removed in Puppet 3.7.0+, and doesn't compile - # under Ruby 2.3 - so restrict it to Ruby 1.x - gem "sys-admin", "1.5.6", :require => false if RUBY_VERSION =~ /^1\./ - - # Puppet less than 3.7.0 requires these. - # Puppet 3.5.0+ will control the actual requirements. - # These are listed in formats that work with all versions of - # Puppet from 3.0.0 to 3.6.x. After that, these were no longer used. - # We do not want to allow newer versions than what came out after - # 3.6.x to be used as they constitute some risk in breaking older - # functionality. So we set these to exact versions. 
- gem "win32-api", "1.4.8", :require => false - gem "win32-taskscheduler", "0.2.2", :require => false - gem "windows-api", "0.4.3", :require => false - gem "windows-pr", "1.2.3", :require => false -else - if Gem::Platform.local.os == 'mingw32' - # If we're using a Puppet gem on windows, which handles its own win32-xxx gem dependencies (Pup 3.5.0 and above), set maximum versions - # Required due to PUP-6445 - gem "win32-dir", "<= 0.4.9", :require => false - gem "win32-eventlog", "<= 0.6.5", :require => false - gem "win32-process", "<= 0.7.5", :require => false - gem "win32-security", "<= 0.2.5", :require => false - gem "win32-service", "<= 0.8.8", :require => false - end +if Gem::Platform.local.os == 'mingw32' + # If we're using a Puppet gem on windows, which handles its own win32-xxx gem dependencies (Pup 3.5.0 and above), set maximum versions + # Required due to PUP-6445 + gem "win32-dir", "<= 0.4.9", :require => false + gem "win32-eventlog", "<= 0.6.5", :require => false + gem "win32-process", "<= 0.7.5", :require => false + gem "win32-security", "<= 0.2.5", :require => false + gem "win32-service", "<= 0.8.8", :require => false end # Evaluate Gemfile.local if it exists From 2396a68cdb981b6f103148949f9bdeeaa263c727 Mon Sep 17 00:00:00 2001 From: Paula McMaw Date: Thu, 30 Nov 2017 10:09:37 +0000 Subject: [PATCH 26/26] (MODULES-6161) - Release Prep for 2.0.0 --- CHANGELOG.md | 33 +++++++++++++++++++++++++++++++++ metadata.json | 3 +-- 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd8764ab..241a4c14 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,34 @@ +## Supported Release [2.0.0] +### Summary +This is a roll up of maintainence changes, features and compatibility updates from throughout the year. This release is backwards incompatible because the Puppet version requirements have now changed with the lower Puppet version boundary jumping from 3.0.0 to 4.7.0 and we have removed vulnerable puppet3 support dependencies. + +### Added +- Debian 9 entry in 'metadata.json' +- Support for importing pkcs12 files by introducing a function called `import pkcs12` +- Support for removal of key store file on invalid password by introducing `password_fail_reset` + +### Changed +- Appveyor testing has been enabled +- General maintainence changes via modulessync +- Java-ks is now being managed in modulesync as a cross-platform module +- [FM-6547](https://tickets.puppetlabs.com/browse/FM-6547) - Pin JDK installation package to 8.0.152 for Windows +- pkcs12 acceptance tests no longer run on SLES +- CONTRIBUTING.md updates +- Travis ruby version to 2.4.0 and 2.1.9 +- Upper Puppet boundary to Puppet 6.0.0 +- Lower Puppet boundary to Puppet 4.7.0 + +### Fixed +- Unit test failures on Windows +- Java 9 support + +### Removed +- SLES 10 SP4 entry in 'metadata.json' +- Debian 6 entry in 'metadata.json' +- Windows Server 2003 R2 and Windows 8 entry in 'metadata.json' +- Ubuntu 10.04 and 12.04 entry in 'metadata.json' +- [FM-6588](https://tickets.puppetlabs.com/browse/FM-6588) - Remove vulnerable puppet3 support dependencies + ## Supported Release 1.6.0 ### Summary The keytool would hang on occasion for unexplained reasons, so keytool executions are wrapped in a timeout that defaults to 120 seconds and is configurable by the `keytool_timeout` parameter. @@ -167,3 +198,5 @@ Travis-CI support has also been added to improve testing. Fixes an issue with ibm java handling input from stdin on SLES + +[2.0.0]:https://github.com/puppetlabs/puppetlabs-java_ks/compare/1.6.0...2.0.0 
diff --git a/metadata.json b/metadata.json
index 3b7cec28..893f3d06 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "puppetlabs-java_ks",
- "version": "1.6.0",
+ "version": "2.0.0",
 "author": "puppetlabs",
 "summary": "Manage arbitrary Java keystore files",
 "license": "Apache-2.0",
@@ -8,7 +8,6 @@
 "project_page": "https://github.com/puppetlabs/puppetlabs-java_ks",
 "issues_url": "https://tickets.puppetlabs.com/browse/MODULES",
 "dependencies": [
-
 ],
 "data_provider": null,
 "operatingsystem_support": [