.msync.yml

@@ -1 +1 @@
-modulesync_config_version: '0.20.0'
+modulesync_config_version: '0.20.1'

CHANGELOG.md

@@ -4,6 +4,21 @@ All notable changes to this project will be documented in this file.
 Each new release typically also includes the latest modulesync defaults.
 These should not impact the functionality of the module.
 
+## [v5.0.1](https://github.com/voxpupuli/puppet-r10k/tree/v5.0.1) (2017-04-06)
+[Full Changelog](https://github.com/voxpupuli/puppet-r10k/compare/v5.0.0...v5.0.1)
+
+**Closed issues:**
+
+- Migrate r10k module to Vox Pupuli [\#290](https://github.com/voxpupuli/puppet-r10k/issues/290)
+
+**Merged pull requests:**
+
+- puppet-lint: fix arrow\_on\_right\_operand\_line [\#357](https://github.com/voxpupuli/puppet-r10k/pull/357) ([bastelfreak](https://github.com/bastelfreak))
+- Create sanitize\_input helper method for strings sent to run\_command method. [\#356](https://github.com/voxpupuli/puppet-r10k/pull/356) ([xraystyle](https://github.com/xraystyle))
+- Use styleguide compliant syntax for sshkey example. [\#353](https://github.com/voxpupuli/puppet-r10k/pull/353) ([kallies](https://github.com/kallies))
+- Fix webhook slack\_username parameter handling [\#350](https://github.com/voxpupuli/puppet-r10k/pull/350) ([alexbrett](https://github.com/alexbrett))
+- Webhook Background mode [\#349](https://github.com/voxpupuli/puppet-r10k/pull/349) ([luckyraul](https://github.com/luckyraul))
+
 ## [v5.0.0](https://github.com/voxpupuli/puppet-r10k/tree/v5.0.0) (2017-03-07)
 [Full Changelog](https://github.com/voxpupuli/puppet-r10k/compare/v4.2.0...v5.0.0)
 
@@ -13,6 +28,7 @@ These should not impact the functionality of the module.
 
 **Merged pull requests:**
 
+- Release 5.0.0 [\#347](https://github.com/voxpupuli/puppet-r10k/pull/347) ([rnelson0](https://github.com/rnelson0))
 - r10k.yaml contents indentation is incorrect [\#345](https://github.com/voxpupuli/puppet-r10k/pull/345) ([Kotty666](https://github.com/Kotty666))
 - Update yaml location for \>PE3 [\#343](https://github.com/voxpupuli/puppet-r10k/pull/343) ([rnelson0](https://github.com/rnelson0))
 - replace all validate functions with datatypes [\#341](https://github.com/voxpupuli/puppet-r10k/pull/341) ([bastelfreak](https://github.com/bastelfreak))

README.md

@@ -95,11 +95,11 @@ This is helpful when you need to automatically deploy new masters
 
 ```puppet
 #https://docs.puppetlabs.com/references/latest/type.html#sshkey
-sshkey { "your.internal.gitlab.server.com":
+sshkey { 'your.internal.gitlab.server.com':
   ensure => present,
-  type   => "ssh-rsa",
-  target => "/root/.ssh/known_hosts",
-  key    => "...+dffsfHQ=="
+  type   => 'ssh-rsa',
+  target => '/root/.ssh/known_hosts',
+  key    => '...+dffsfHQ==',
 }
 
 # Resource git_webhook is provided by https://forge.puppet.com/abrader/gms
@@ -520,7 +520,18 @@ curl -d '
   }' http://puppet-master.example:8088/payload
 ```
 
+### Docker
 
+If you are building your image with the puppet, you need to prevent the webhook process from starting as a daemon.
+
+The following is an example of declaring the webhook without a background mode
+
+```puppet
+class { '::r10k::webhook':
+  . . .
+  background  => false  
+}
+```
 
 ## Reference
 

manifests/install/gem.pp

@@ -9,18 +9,18 @@
     'include': {
       include ::ruby
       include ::ruby::dev
-      Class['::ruby']    ->
-      Class['ruby::dev'] ->
-      Anchor['r10k::ruby_done']
+      Class['::ruby']
+      -> Class['ruby::dev']
+      -> Anchor['r10k::ruby_done']
     }
     'declare': {
       class { '::ruby':
         rubygems_update => false,
       }
       include ::ruby::dev
-      Class['::ruby'] ->
-      Class['::ruby::dev'] ->
-      Anchor['r10k::ruby_done']
+      Class['::ruby']
+      -> Class['::ruby::dev']
+      -> Anchor['r10k::ruby_done']
     }
     default: {
       #This catches the 'ignore' case, and satisfies the 'default' requirement
@@ -37,10 +37,10 @@
     include ::make
     include ::gcc
 
-    Anchor['r10k::ruby_done'] ->
-    Class['gcc']       ->
-    Class['make']      ->
-    Package['r10k']
+    Anchor['r10k::ruby_done']
+    -> Class['gcc']
+    -> Class['make']
+    -> Package['r10k']
   }
 
 }

manifests/params.pp

@@ -124,6 +124,7 @@
   $webhook_client_cfg            = '/var/lib/peadmin/.mcollective'
   $webhook_use_mco_ruby          = false
   $webhook_protected             = true
+  $webhook_background            = true
   $webhook_github_secret         = undef
   $webhook_discovery_timeout     = 10
   $webhook_client_timeout        = 120

manifests/webhook.pp

@@ -3,6 +3,7 @@
   $ensure           = true,
   $user             = $r10k::params::webhook_user,
   $group            = $r10k::params::webhook_group,
+  $background       = $r10k::params::webhook_background,
   $bin_template     = $r10k::params::webhook_bin_template,
   $service_template = $r10k::params::webhook_service_template,
   $service_file     = $r10k::params::webhook_service_file,
@@ -37,6 +38,11 @@
     false => 'stopped',
   }
 
+  $server_type = $background ? {
+    true  => 'WEBrick::Daemon',
+    false => 'WEBrick::SimpleServer',
+  }
+
   file { '/var/log/webhook/access.log':
     ensure => $ensure_file,
     owner  => $user,

metadata.json

@@ -2,7 +2,7 @@
   "author": "Vox Pupuli",
   "license": "Apache-2.0",
   "name": "puppet-r10k",
-  "version": "5.0.0",
+  "version": "5.0.1",
   "operatingsystem_support": [
     {
       "operatingsystem": "RedHat",
@@ -64,7 +64,7 @@
       "name": "puppetlabs/gcc",
       "version_requirement": ">= 0.3.0 < 2.0.0"
     },
-        {
+    {
       "name": "puppet/make",
       "version_requirement": ">= 1.0.0 < 2.0.0"
     },

spec/acceptance/nodesets/docker/centos-7.yml

@@ -11,6 +11,7 @@ HOSTS:
     docker_cmd: '["/usr/sbin/init"]'
     docker_image_commands:
       - 'yum install -y crontabs initscripts iproute openssl sysvinit-tools tar wget which ss'
+      - 'systemctl mask getty@tty1.service'
 CONFIG:
   trace_limit: 200
   masterless: true

spec/acceptance/nodesets/docker/debian-8.yml

@@ -13,6 +13,7 @@ HOSTS:
       - 'echo deb http://ftp.debian.org/debian jessie-backports main >> /etc/apt/sources.list'
       - 'apt-get update && apt-get install -y cron locales-all net-tools wget'
       - 'rm -f /usr/sbin/policy-rc.d'
+      - 'systemctl mask getty@tty1.service getty-static.service'
 CONFIG:
   trace_limit: 200
   masterless: true

spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml

@@ -2,7 +2,7 @@
 # This file is managed via modulesync
 # https://github.com/voxpupuli/modulesync
 # https://github.com/voxpupuli/modulesync_config
-# 
+#
 # Additional ~/.fog config file with AWS EC2 credentials
 # required.
 #

spec/acceptance/nodesets/ec2/image_templates.yaml

@@ -7,7 +7,7 @@
 # Hint: image IDs (ami-*) for the same image are different per location.
 #
 AMI:
-  # Amazon Linux AMI 2016.09.1 (HVM), SSD Volume Type 
+  # Amazon Linux AMI 2016.09.1 (HVM), SSD Volume Type
   amazonlinux-2016091-eu-central-1:
     :image:
       :aio: ami-af0fc0c0

spec/acceptance/nodesets/ec2/rhel-73-x64.yml

@@ -2,7 +2,7 @@
 # This file is managed via modulesync
 # https://github.com/voxpupuli/modulesync
 # https://github.com/voxpupuli/modulesync_config
-# 
+#
 # Additional ~/.fog config file with AWS EC2 credentials
 # required.
 #

spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml

@@ -2,7 +2,7 @@
 # This file is managed via modulesync
 # https://github.com/voxpupuli/modulesync
 # https://github.com/voxpupuli/modulesync_config
-# 
+#
 # Additional ~/.fog config file with AWS EC2 credentials
 # required.
 #

spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml

@@ -2,7 +2,7 @@
 # This file is managed via modulesync
 # https://github.com/voxpupuli/modulesync
 # https://github.com/voxpupuli/modulesync_config
-# 
+#
 # Additional ~/.fog config file with AWS EC2 credentials
 # required.
 #

spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml

@@ -2,7 +2,7 @@
 # This file is managed via modulesync
 # https://github.com/voxpupuli/modulesync
 # https://github.com/voxpupuli/modulesync_config
-# 
+#
 # Additional ~/.fog config file with AWS EC2 credentials
 # required.
 #

templates/webhook.bin.erb

@@ -17,6 +17,7 @@ require 'json'
 require 'yaml'
 require 'cgi'
 require 'open3'
+require 'shellwords'
 
 WEBHOOK_CONFIG = '/etc/webhook.yaml'
 PIDFILE        = '/var/run/webhook/webhook.pid'
@@ -40,7 +41,7 @@ opts = {
   :Host           => $config['bind_address'],
   :Port           => $config['port'],
   :Logger         => $logger,
-  :ServerType     => WEBrick::Daemon,
+  :ServerType     => <%= @server_type %>,
   :ServerSoftware => $config['server_software'],
   :SSLEnable      => $config['enable_ssl'],
   :StartCallback  => Proc.new { File.open(PIDFILE, 'w') {|f| f.write Process.pid } },
@@ -102,6 +103,7 @@ end
       module_name = ( data['repository']['name'] ).sub(/^.*-/, '')
     end
 
+    module_name = sanitize_input(module_name)
     deploy_module(module_name)
   end
 
@@ -156,6 +158,7 @@ end
       $config['prefix']
     end
 
+    branch = sanitize_input(branch)
     # r10k doesn't yet know how to deploy all branches from a single source.
     # The best we can do is just deploy all environments by passing nil to
     # deploy() if we don't know the correct branch.
@@ -213,8 +216,8 @@ end
         slack_channel = '#default'
       end
 
-      if $config['slack_user']
-        slack_user = $config['slack_user']
+      if $config['slack_username']
+        slack_user = $config['slack_username']
       else
         slack_user = 'r10k'
       end
@@ -364,6 +367,16 @@ end
           end
       end
     end #end run_prefix_command
+
+
+    # :deploy and :deploy_module methods are vulnerable to shell
+    # injection. e.g. a branch named ";yes". Or a malicious POST request with
+    # "; rm -rf *;" as the payload. 
+    def sanitize_input(input_string)
+      sanitized = Shellwords.shellescape(input_string)
+      $logger.info("module or branch name #{sanitized} had to be escaped!") unless input_string == sanitized
+      sanitized
+    end
 
   end  #end helpers
 end