
Merge remote-tracking branch 'upstream/3.x'

* upstream/3.x:
  Updated manpages, CHANGELOG, puppet.spec, puppet.rb for 2.7.16rc1.
  (maint) Update README.md w/ min Facter ver
  (#8858) Explicitly set SSL peer verification mode.
  Test SSL setup code, not our stubbing of it.
  (#14723) Fix http report description
zaphod42 committed Jun 6, 2012
2 parents f701097 + aa82915 commit 5c33cab7f4f9e1f985b1526f135b5b2b16ca0269
Showing with 114 additions and 97 deletions.
  1. +8 −10 CHANGELOG
  2. +1 −1 README.md
  3. +7 −3 conf/redhat/puppet.spec
  4. +17 −8 lib/puppet/network/http_pool.rb
  5. +1 −1 lib/puppet/reports/http.rb
  6. +80 −74 spec/unit/network/http_pool_spec.rb
@@ -109,13 +109,17 @@ c01cac9 (#13204) Don't ignore missing PATH.augnew files
7d27cd2 Use :as_platform in the smf service spec
876785a Use :as_platform in the redhat service spec
-2.7.15rc4
+2.7.16rc1
===
+3a06246 (#8858) Explicitly set SSL peer verification mode.
+cd4bee8 Test SSL setup code, not our stubbing of it.
+ff052b8 (maint) Add mailmap to identify contributors
+8dda6c2 (#14723) Fix http report description
+ebf5386 Remove EL-related test changes from this commit.
+2aea708 Revert changes to symbolic_modes.rb -- this test should indeed be pending (it should eventually work on Windows).
+b601bb4 Update acceptance tests to use confine instead of skip_test loops
0788ea2 (#14615) Exclude helperscripts in gentoo service provider
be6062c Apply commit from master that varies ports during tests
-
-2.7.15rc3
-===
a45942b (#14297) Don't remove tty1 or rsyslog during upstart acceptance
466ab49 (#14297) Define agent in upstart acceptance test
f5d1f74 (#14297) Update upstart provider acceptance tests
@@ -126,15 +130,9 @@ b9ed026 (#14297) Update spec tests for upstart provider
91827e8 (#14297) Handle upstart services better
3541db6 (#14343) Lookup in correct inherited scope
2d83e22 (Maint) Added test for fully qualified variable
-
-2.7.15rc2
-===
c6e006e (#8174) Allow defines to reference topscope
e27adf4 Evaluate node classes either in top or node scope
a3d51b2 Removed topscope being overridden by node
-
-2.7.15rc1
-===
53e0057 Use internal domain name for module tool tests
f4ba59e Use absolute_path in module install spec
ead9d25 (Maint) Color console output when the win32console gem is installed
@@ -30,7 +30,7 @@ Generally, you need the following things installed:
available separately. You could probably just compile and install that one
library, though.
-* Facter => 1.5.1 (available via your package manager or from the [Facter site](http://puppetlabs.com/projects/facter)).
+* Facter => 2.0.0 (available via your package manager or from the [Facter site](http://puppetlabs.com/projects/facter)).
License
-------
@@ -12,9 +12,9 @@ Summary: A network tool for managing many disparate systems
License: ASL 2.0
URL: http://puppetlabs.com
#Source0: http://puppetlabs.com/downloads/%{name}/%{name}-%{version}.tar.gz
-Source0: http://puppetlabs.com/downloads/%{name}/%{name}-%{version}rc4.tar.gz
+Source0: http://puppetlabs.com/downloads/%{name}/%{name}-%{version}rc1.tar.gz
#Source1: http://puppetlabs.com/downloads/%{name}/%{name}-%{version}.tar.gz.asc
-Source1: http://puppetlabs.com/downloads/%{name}/%{name}-%{version}rc4.tar.gz.asc
+Source1: http://puppetlabs.com/downloads/%{name}/%{name}-%{version}rc1.tar.gz.asc
Group: System Environment/Base
@@ -69,7 +69,7 @@ The server can also function as a certificate authority and file server.
%prep
#%setup -q -n %{name}-%{version}
-%setup -q -n %{name}-%{version}rc4
+%setup -q -n %{name}-%{version}rc1
patch -s -p1 < conf/redhat/rundir-perms.patch
@@ -162,6 +162,7 @@ echo "D /var/run/%{name} 0755 %{name} %{name} -" > \
%{_mandir}/man8/puppet-apply.8.gz
%{_mandir}/man8/puppet-catalog.8.gz
%{_mandir}/man8/puppet-describe.8.gz
+%{_mandir}/man8/puppet-ca.8.gz
%{_mandir}/man8/puppet-cert.8.gz
%{_mandir}/man8/puppet-certificate.8.gz
%{_mandir}/man8/puppet-certificate_request.8.gz
@@ -266,6 +267,9 @@ fi
rm -rf %{buildroot}
%changelog
+* Wed Jun 06 2012 Matthaus Litteken <matthaus@puppetlabs.com> - 2.7.16-0.1rc1
+- Update for 2.7.16rc1, added generated manpages
+
* Fri Jun 01 2012 Matthaus Litteken <matthaus@puppetlabs.com> - 3.0.0-0.1rc3
* Puppet 3.0.0rc3 Release
@@ -11,14 +11,23 @@ def self.ssl_host
# Use cert information from a Puppet client to set up the http object.
def self.cert_setup(http)
- # Just no-op if we don't have certs.
- return false unless FileTest.exist?(Puppet[:hostcert]) and FileTest.exist?(Puppet[:localcacert])
-
- http.cert_store = ssl_host.ssl_store
- http.ca_file = Puppet[:localcacert]
- http.cert = ssl_host.certificate.content
- http.verify_mode = OpenSSL::SSL::VERIFY_PEER
- http.key = ssl_host.key.content
+ if FileTest.exist?(Puppet[:hostcert]) and FileTest.exist?(Puppet[:localcacert])
+ http.cert_store = ssl_host.ssl_store
+ http.ca_file = Puppet[:localcacert]
+ http.cert = ssl_host.certificate.content
+ http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ http.key = ssl_host.key.content
+ else
+ # We don't have the local certificates, so we don't do any verification
+ # or setup at this early stage. REVISIT: Shouldn't we supply the local
+ # certificate details if we have them? The original code didn't.
+ # --daniel 2012-06-03
+
+ # Ruby 1.8 defaulted to this, but 1.9 defaults to peer verify, and we
+ # almost always talk to a dedicated, not-standard CA that isn't trusted
+ # out of the box. This forces the expected state.
+ http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ end
end
# Retrieve a cached http instance if caching is enabled, else return
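Review bot: The `else` branch of `cert_setup` sets `VERIFY_NONE` whenever either file is missing, so a node that already has `Puppet[:localcacert]` but no host certificate still connects without authenticating the server, even though the CA file that could verify it is on disk. Keying `ca_file` and `verify_mode = VERIFY_PEER` on the CA file alone, and the client `cert`/`key` on the host certificate, would likely limit unverified connections to the case where no CA is available at all. Whether `ssl_host.ssl_store` can be built before the host certificate exists is not visible here, so the sketch below leaves it under the host-cert check; that needs confirming. The "with there is no host certificate" context in spec/unit/network/http_pool_spec.rb asserts `VERIFY_NONE` for this case and would have to change with it. A `Puppet.warning` in the remaining `VERIFY_NONE` path would also make the downgrade visible in logs.

```ruby
def self.cert_setup(http)
  if FileTest.exist?(Puppet[:localcacert])
    # The CA file alone is enough to authenticate the server.
    http.ca_file = Puppet[:localcacert]
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER

    # Client credentials are only offered once the host certificate exists.
    if FileTest.exist?(Puppet[:hostcert])
      http.cert_store = ssl_host.ssl_store
      http.cert = ssl_host.certificate.content
      http.key = ssl_host.key.content
    end
  else
    # … unchanged: REVISIT note and Ruby 1.8/1.9 default explanation …
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end
end
```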
@@ -7,7 +7,7 @@
desc <<-DESC
Send report information via HTTP to the `reporturl`. Each host sends
its report as a YAML dump and this sends this YAML to a client via HTTP POST.
- The YAML is the `report` parameter of the request."
+ The YAML is the body of the request.
DESC
def process
@@ -14,122 +14,128 @@
end
describe "when managing http instances" do
- def stub_settings(settings)
- settings.each do |param, value|
- Puppet.settings.stubs(:value).with(param).returns(value)
- end
- end
-
- before do
+ before :each do
# All of the cert stuff is tested elsewhere
Puppet::Network::HttpPool.stubs(:cert_setup)
end
it "should return an http instance created with the passed host and port" do
- http = stub 'http', :use_ssl= => nil, :read_timeout= => nil, :open_timeout= => nil, :started? => false
- Net::HTTP.expects(:new).with("me", 54321, nil, nil).returns(http)
- Puppet::Network::HttpPool.http_instance("me", 54321).should equal(http)
+ http = Puppet::Network::HttpPool.http_instance("me", 54321)
+ http.should be_an_instance_of Net::HTTP
+ http.address.should == 'me'
+ http.port.should == 54321
end
it "should enable ssl on the http instance" do
- Puppet::Network::HttpPool.http_instance("me", 54321).instance_variable_get("@use_ssl").should be_true
+ Puppet::Network::HttpPool.http_instance("me", 54321).should be_use_ssl
end
- it "should set the read timeout" do
- Puppet::Network::HttpPool.http_instance("me", 54321).read_timeout.should == 120
- end
+ context "proxy and timeout settings should propagate" do
+ subject { Puppet::Network::HttpPool.http_instance("me", 54321) }
+ before :each do
+ Puppet[:http_proxy_host] = "myhost"
+ Puppet[:http_proxy_port] = 432
+ Puppet[:configtimeout] = 120
+ end
- it "should set the open timeout" do
- Puppet::Network::HttpPool.http_instance("me", 54321).open_timeout.should == 120
+ its(:open_timeout) { should == Puppet[:configtimeout] }
+ its(:read_timeout) { should == Puppet[:configtimeout] }
+ its(:proxy_address) { should == Puppet[:http_proxy_host] }
+ its(:proxy_port) { should == Puppet[:http_proxy_port] }
end
- it "should create the http instance with the proxy host and port set if the http_proxy is not set to 'none'" do
- stub_settings :http_proxy_host => "myhost", :http_proxy_port => 432, :configtimeout => 120
- Puppet::Network::HttpPool.http_instance("me", 54321).open_timeout.should == 120
+ it "should not set a proxy if the value is 'none'" do
+ Puppet[:http_proxy_host] = 'none'
+ Puppet::Network::HttpPool.http_instance("me", 54321).proxy_address.should be_nil
end
it "should not cache http instances" do
- stub_settings :http_proxy_host => "myhost", :http_proxy_port => 432, :configtimeout => 120
- old = Puppet::Network::HttpPool.http_instance("me", 54321)
- Puppet::Network::HttpPool.http_instance("me", 54321).should_not equal(old)
+ Puppet::Network::HttpPool.http_instance("me", 54321).
+ should_not equal Puppet::Network::HttpPool.http_instance("me", 54321)
end
end
- describe "when adding certificate information to http instances" do
- before do
- @http = mock 'http'
- [:cert_store=, :verify_mode=, :ca_file=, :cert=, :key=].each { |m| @http.stubs(m) }
- @store = stub 'store'
-
- @cert = stub 'cert', :content => "real_cert"
- @key = stub 'key', :content => "real_key"
- @host = stub 'host', :certificate => @cert, :key => @key, :ssl_store => @store
-
- Puppet[:confdir] = "/sometthing/else"
- Puppet.settings.stubs(:value).returns "/some/file"
- Puppet.settings.stubs(:value).with(:hostcert).returns "/host/cert"
- Puppet.settings.stubs(:value).with(:localcacert).returns "/local/ca/cert"
-
- FileTest.stubs(:exist?).with("/host/cert").returns true
- FileTest.stubs(:exist?).with("/local/ca/cert").returns true
-
- Puppet::Network::HttpPool.stubs(:ssl_host).returns @host
+ describe "when doing SSL setup for http instances" do
+ let :http do
+ http = Net::HTTP.new('localhost', 443)
+ http.use_ssl = true
+ http
end
- after do
- Puppet.settings.clear
- end
+ let :store do stub('store') end
- it "should do nothing if no host certificate is on disk" do
- FileTest.expects(:exist?).with("/host/cert").returns false
- @http.expects(:cert=).never
- Puppet::Network::HttpPool.cert_setup(@http)
- end
+ before :each do
+ Puppet[:hostcert] = '/host/cert'
+ Puppet[:localcacert] = '/local/ca/cert'
- it "should do nothing if no local certificate is on disk" do
- FileTest.expects(:exist?).with("/local/ca/cert").returns false
- @http.expects(:cert=).never
- Puppet::Network::HttpPool.cert_setup(@http)
+ cert = stub 'cert', :content => 'real_cert'
+ key = stub 'key', :content => 'real_key'
+ host = stub 'host', :certificate => cert, :key => key, :ssl_store => store
+ Puppet::Network::HttpPool.stubs(:ssl_host).returns(host)
end
- it "should add a certificate store from the ssl host" do
- @http.expects(:cert_store=).with(@store)
+ shared_examples "HTTPS setup without all certificates" do
+ subject { Puppet::Network::HttpPool.cert_setup(http); http }
- Puppet::Network::HttpPool.cert_setup(@http)
+ it { should be_use_ssl }
+ its(:cert) { should be_nil }
+ its(:cert_store) { should be_nil }
+ its(:ca_file) { should be_nil }
+ its(:key) { should be_nil }
+ its(:verify_mode) { should == OpenSSL::SSL::VERIFY_NONE }
end
- it "should add the client certificate" do
- @http.expects(:cert=).with("real_cert")
+ context "with neither a host cert or a local CA cert" do
+ before :each do
+ FileTest.stubs(:exist?).with(Puppet[:hostcert]).returns(false)
+ FileTest.stubs(:exist?).with(Puppet[:localcacert]).returns(false)
+ end
- Puppet::Network::HttpPool.cert_setup(@http)
+ include_examples "HTTPS setup without all certificates"
end
- it "should add the client key" do
- @http.expects(:key=).with("real_key")
+ context "with there is no host certificate" do
+ before :each do
+ FileTest.stubs(:exist?).with(Puppet[:hostcert]).returns(false)
+ FileTest.stubs(:exist?).with(Puppet[:localcacert]).returns(true)
+ end
- Puppet::Network::HttpPool.cert_setup(@http)
+ include_examples "HTTPS setup without all certificates"
end
- it "should set the verify mode to OpenSSL::SSL::VERIFY_PEER" do
- @http.expects(:verify_mode=).with(OpenSSL::SSL::VERIFY_PEER)
+ context "with there is no local CA certificate" do
+ before :each do
+ FileTest.stubs(:exist?).with(Puppet[:hostcert]).returns(true)
+ FileTest.stubs(:exist?).with(Puppet[:localcacert]).returns(false)
+ end
- Puppet::Network::HttpPool.cert_setup(@http)
+ include_examples "HTTPS setup without all certificates"
end
- it "should set the ca file" do
- Puppet.settings.stubs(:value).returns "/some/file"
- FileTest.stubs(:exist?).with(Puppet[:hostcert]).returns true
+ context "with both the host and CA cert" do
+ subject { Puppet::Network::HttpPool.cert_setup(http); http }
- Puppet.settings.stubs(:value).with(:localcacert).returns "/ca/cert/file"
- FileTest.stubs(:exist?).with("/ca/cert/file").returns true
- @http.expects(:ca_file=).with("/ca/cert/file")
+ before :each do
+ FileTest.expects(:exist?).with(Puppet[:hostcert]).returns(true)
+ FileTest.expects(:exist?).with(Puppet[:localcacert]).returns(true)
+ end
- Puppet::Network::HttpPool.cert_setup(@http)
+ it { should be_use_ssl }
+ its(:cert_store) { should equal store }
+ its(:cert) { should == "real_cert" }
+ its(:key) { should == "real_key" }
+ its(:verify_mode) { should == OpenSSL::SSL::VERIFY_PEER }
+ its(:ca_file) { should == Puppet[:localcacert] }
end
it "should set up certificate information when creating http instances" do
- Puppet::Network::HttpPool.expects(:cert_setup).with { |i| i.is_a?(Net::HTTP) }
- Puppet::Network::HttpPool.http_instance("one", "two")
+ Puppet::Network::HttpPool.expects(:cert_setup).with do |http|
+ http.should be_an_instance_of Net::HTTP
+ http.address.should == "one"
+ http.port.should == 2
+ end
+
+ Puppet::Network::HttpPool.http_instance("one", 2)
end
end
end
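Review bot: Three context descriptions in the new "when doing SSL setup for http instances" group read ungrammatically in spec output: `with there is no host certificate`, `with there is no local CA certificate` and `with neither a host cert or a local CA cert`. I would rename them to `context "when there is no host certificate"`, `context "when there is no local CA certificate"` and `context "with neither a host cert nor a local CA cert"`. Separately, the removed `after do Puppet.settings.clear end` was the only visible cleanup for the `Puppet[:hostcert]`, `Puppet[:localcacert]` and proxy/timeout values assigned in the `before :each` blocks. If the spec helper does not reset settings between examples, those values may leak into other specs. The enclosing `describe` starts outside the hunk.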
