Feature/master/pup 1840 tunable digest algorithm#2537
Merged
zaphod42 merged 14 commits intopuppetlabs:masterfrom Apr 30, 2014
adrienthebo:feature/master/pup-1840-tunable-digest-algorithm
Merged
Feature/master/pup 1840 tunable digest algorithm#2537zaphod42 merged 14 commits intopuppetlabs:masterfrom adrienthebo:feature/master/pup-1840-tunable-digest-algorithm
zaphod42 merged 14 commits intopuppetlabs:masterfrom
adrienthebo:feature/master/pup-1840-tunable-digest-algorithm
Conversation
|
CLA signed by all contributors. |
Contributor
|
These changes look complete to me. This pull request is indeed a better replacement for GH-2452. Do you think the setting should be called file_checksum_algorithm rather than digest_algorithm, to avoid terminology conflicts with the SSL parts of Puppet? |
Contributor
Author
|
I think that right now the only major use of the digest algorithm is in file checksumming, but I don't think it's limited to that. Given https://github.com/puppetlabs/puppet/pull/2453/files it's reasonable to see other components will need to use a digest algorithm so I think it's good to keep it generic. |
Contributor
|
Good point; I agree. Now I think the only thing in the way is the migration concerns (http://projects.puppetlabs.com/issues/8120#note-10). |
Contributor
There was a problem hiding this comment.
The type of this setting should be an enum that only allows the valid values.
|
CLA signed by all contributors. |
Contributor
Author
|
The changes made in this pull request are uncovering some very bad stubbing in |
Before this change, using a checksum algorithm required creating a class and including the Checksums module. Since there's no state required for the checksum methods, this was a silly thing to need to do. This commit makes the module extend itself, so that the methods can be invoked by doing `Puppet::Util::Checksums#method`. In the long run, this module should use the `module_function` declaration so that the checksum methods are private when included.
Without this patch applied, Puppet only performs checksums of files using the MD5 algorithm. MD5 is not available on hosts configured for FIPS 140-2 compliance, so Puppet fails. This patch adds a setting, settable in puppet.conf, whose name is digest_algorithm and whose value can be any checksum type known to Puppet::Util::Checksums. The setting indicates which digest algorithm should be used for performing checksums. (This patch does not contain the code that pays attention to the setting.) The value defaults to md5, so that if you do not set this setting yourself, Puppet will act like it always has before.
Without this patch, spec tests for pieces of the code having to do with checksums would have to be duplicated twice and contain repeated code. The patch adds the `using_checksums_describe` method, which can be used instead of the `describe` method to enclose spec tests where checksums are involved. This method only defined inside describe blocks where the `:uses_checksums => true` user metadata is given, to mitigate the risk of unintended changes to the behavior of spec tests not having to do with checksums. `using_checksums_describe` defines a group of examples, each having the given block as body. Each example happens with a different value set for `digest_algorithm`. Many `let`s are defined for use inside the spec test; foremost are `plaintext`, `checksum`, and `algo`. `plaintext` is some text; `checksum` is the checksum for this text under the present setting of `digest_algorithm`. `algo` contains the name of the digest algorithm in use. unset, `algo` is 'md5'. Code restructured and simplified by Adrien Thebo <adrien@puppetlabs.com>
Original code implemented by Jared Jennings <jared.jennings.ctr@us.af.mil>
Original code implemented by Jared Jennings <jared.jennings.ctr@us.af.mil>
Original code implemented by Jared Jennings <jared.jennings.ctr@us.af.mil>
…or file resources Without this patch, file resources will always try to checksum themselves using MD5. On FIPS 140-2 compliant hosts, this will fail. This patch adds sha256 as a permissible value for the File resource's checksum parameter, and makes the checksum parameter default to using the digest_algorithm, as set in the puppet.conf.
Puppet.settings.use isn't needed in these areas of code and we can rely on the setting having a value. Also by putting the validation on the setting itself no other areas need to validate it.
There isn't any need for the DEFAULT_DIGEST_ALGORITHM anymore since everything can use the setting.
Putting these values in shared context just makes it harder on any readers to track them down later. They are only used in 2 places and so can be put there.
Some of these tests were preserved simply because they are there. On closer inspection many were not needed because either they tested functionality that simply doesn't exist (and it isn't very useful to state that the functionality doesn't exist), stated the condition incorrectly and misleadingly, or are handled in other places.
Rather than mixing in methods that are then looked up we can make the code a little more readable by clarifying that it is getting methods from Puppet::Util::Checksum.
Contributor
Author
|
Okay, I think I'm happy with this pull request again. |
zaphod42
added a commit
that referenced
this pull request
Apr 30, 2014
…able-digest-algorithm Feature/master/pup 1840 tunable digest algorithm
adrienthebo
deleted the
feature/master/pup-1840-tunable-digest-algorithm
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This refactors GH-2452 into smaller commits and simplifies how tests are run with all digest algorithms.
This supersedes GH-2452.