.github/SECURITY.md

@@ -0,0 +1,3 @@
+# Vox Pupuli Security Policy
+
+Our vulnerabilities reporting process is at https://voxpupuli.org/security/

.msync.yml

@@ -1 +1 @@
-modulesync_config_version: '2.12.0'
+modulesync_config_version: '3.0.0'

.rubocop.yml

@@ -528,6 +528,9 @@ RSpec/RepeatedDescription:
 RSpec/NestedGroups:
   Enabled: False
 
+RSpec/MultipleExpectations:
+  Enabled: false
+
 # this is broken on ruby1.9
 Layout/IndentHeredoc:
   Enabled: False

.travis.yml

@@ -1,4 +1,5 @@
 ---
+os: linux
 dist: bionic
 language: ruby
 cache: bundler
@@ -7,7 +8,7 @@ before_install:
   - bundle --version
 script:
   - 'bundle exec rake $CHECK'
-matrix:
+jobs:
   fast_finish: true
   include:
   - rvm: 2.4.4
@@ -68,7 +69,7 @@ notifications:
       - "chat.freenode.org#voxpupuli-notifications"
 deploy:
   provider: puppetforge
-  user: puppet
+  username: puppet
   password:
     secure: "WcBaQ0iem0kLmgOHvOEYOsgAk6eFZcSJ/6AisPhS4Ty9gxaEcytE8if2d9ThOItRRua5XGAPk7WbYmTa/cy/EsH0LYwSDdP2eagI95CnmryGya5TShKwUMv1ETUOBFucRYxtcOo7URnTMe2d6IpxEazuZ87cwGLUV5taBRkEvkw="
   on:

CHANGELOG.md

@@ -4,6 +4,27 @@ All notable changes to this project will be documented in this file.
 Each new release typically also includes the latest modulesync defaults.
 These should not affect the functionality of the module.
 
+## [v9.0.0](https://github.com/voxpupuli/puppet-r10k/tree/v9.0.0) (2020-07-28)
+
+[Full Changelog](https://github.com/voxpupuli/puppet-r10k/compare/v8.3.0...v9.0.0)
+
+**Breaking changes:**
+
+- \[Issue \#530\] Removes dependence on puppetlabs-git [\#531](https://github.com/voxpupuli/puppet-r10k/pull/531) ([chadh](https://github.com/chadh))
+
+**Implemented enhancements:**
+
+- webhook: support verification of X-Gitlab-Token header [\#529](https://github.com/voxpupuli/puppet-r10k/pull/529) ([kenyon](https://github.com/kenyon))
+
+**Closed issues:**
+
+- Remove dependence on old puppetlabs-git module [\#530](https://github.com/voxpupuli/puppet-r10k/issues/530)
+- webhook: add support for verifying X-Gitlab-Token [\#528](https://github.com/voxpupuli/puppet-r10k/issues/528)
+
+**Merged pull requests:**
+
+- modulesync 3.0.0 & puppet-lint updates  [\#533](https://github.com/voxpupuli/puppet-r10k/pull/533) ([bastelfreak](https://github.com/bastelfreak))
+
 ## [v8.3.0](https://github.com/voxpupuli/puppet-r10k/tree/v8.3.0) (2020-04-30)
 
 [Full Changelog](https://github.com/voxpupuli/puppet-r10k/compare/v8.2.0...v8.3.0)

Gemfile

@@ -11,9 +11,9 @@ def location_for(place, fake_version = nil)
 end
 
 group :test do
-  gem 'voxpupuli-test', '>= 1.0.0',  :require => false
-  gem 'coveralls',                   :require => false
-  gem 'simplecov-console',           :require => false
+  gem 'voxpupuli-test', '~> 2.0',  :require => false
+  gem 'coveralls',                 :require => false
+  gem 'simplecov-console',         :require => false
 end
 
 group :development do

README.md

@@ -10,15 +10,20 @@
 #### Table of Contents
 
 1. [Overview](#overview)
-2. [Module Description - What the module does and why it is useful](#module-description)
-3. [Setup - The basics of getting started with r10k](#setup)
+1. [Module Description - What the module does and why it is useful](#module-description)
+1. [Setup - The basics of getting started with r10k](#setup)
+    * [Prefix Example](#prefix-example)
     * [What r10k affects](#what-r10k-affects)
-    * [Setup requirements](#setup-requirements)
+    * [Setup Requirements](#setup-requirements)
     * [Beginning with r10k](#beginning-with-r10k)
-4. [Usage - Configuration options and additional functionality](#usage)
-5. [Reference - An under-the-hood peek at what the module is doing and how](#reference)
-5. [Limitations - OS compatibility, etc.](#limitations)
-6. [Development - Guide for contributing to the module](#development)
+    * [Using an internal gem server](#using-an-internal-gem-server)
+    * [Mcollective Support](#mcollective-support)
+1. [Webhook Support](#webhook-support)
+1. [Reference - An under-the-hood peek at what the module is doing and how](#reference)
+1. [Limitations - OS compatibility, etc.](#limitations)
+1. [Support](#support)
+1. [Development - Guide for contributing to the module](#development)
+1. [Running tests](#running-tests)
 
 ## Overview
 
@@ -58,7 +63,6 @@ class { 'r10k':
 ### What r10k affects
 
 * Installation of the r10k `gem`
-* Installation of git
 * Installation of ruby when not using an existing ruby stack i.e. when using `puppet_gem`
 * Management of the `r10k.yaml` in /etc
 * Installation and configuration of a sinatra app when using the [webhook](#webhook-support).
@@ -86,14 +90,15 @@ You can override this by passing the `version` parameter.
 
 ### Setup Requirements
 
-r10k connects via ssh and does so silently in the background, this typically requires ssh keys to be deployed in advance of configuring
-r10k. This includes the known host ( public ) key of the respective git server, and the user running r10k's private key used to authenticate
-git/ssh during background runs.
+r10k connects via ssh and does so silently in the background, this typically requires ssh keys to be deployed in advance of configuring r10k. This includes the known host ( public ) key of the respective git server, and the user running r10k's private key used to authenticate git/ssh during background runs.  If you are going to use git repos to retrieve modules, you also need git installed.
 
-Here is an example of deploying the ssh keys needed for r10k to connect to a repo called puppet/control on a gitlab server.
-This is helpful when you need to automatically deploy new masters
+Here is an example of deploying the git package and ssh keys needed for r10k to connect to a repo called puppet/control on a gitlab server.  This is helpful when you need to automatically deploy new masters
 
 ```puppet
+package { 'git':
+  ensure => installed,
+}
+
 #https://docs.puppetlabs.com/references/latest/type.html#sshkey
 sshkey { 'your.internal.gitlab.server.com':
   ensure => present,
@@ -251,7 +256,7 @@ class { '::r10k::mcollective':
 }
 ```
 
-### Install mcollective support for post receive hooks
+#### Install mcollective support for post receive hooks
 Install the `mco` command from the puppet enterprise installation directory i.e.
 ```shell
 cd ~/puppet-enterprise-3.0.1-el-6-x86_64/packages/el-6-x86_64
@@ -280,7 +285,7 @@ and copy the certs to somewhere that is readable by the respective user.
 ~~~
 _Note: PE2 only requires the .mcollective file as the default auth was psk_
 
-### Removing the mcollective agent
+#### Removing the mcollective agent
 
 ```puppet
 class { 'r10k::mcollective':
@@ -289,7 +294,7 @@ class { 'r10k::mcollective':
 ```
 This will remove the mcollective agent/application and ddl files from disk. This likely would be if you are migrating to Code manager in Puppet Enterprise.
 
-# Webhook Support
+## Webhook Support
 
 ![alt tag](https://gist.githubusercontent.com/acidprime/be25026c11a76bf3e7fb/raw/44df86181c3e5d14242a1b1f4281bf24e9c48509/webhook.gif)
 For version control systems that use web driven post-receive processes you can use the example webhook included in this module.
@@ -398,6 +403,7 @@ git_webhook { 'web_post_receive_webhook_for_module' :
   provider     => 'github',
 }
 ```
+
 ### Webhook Bitbucket Example
 This is an example of using the webhook with Atlassian Bitbucket (former Stash).
 Requires the `external hooks` addon by https://marketplace.atlassian.com/plugins/com.ngs.stash.externalhooks.external-hooks/server/overview
@@ -451,6 +457,23 @@ class { 'r10k::webhook':
 }
 ```
 
+### GitLab Token Support
+GitLab webhooks [allow the use](https://gitlab.com/help/user/project/integrations/webhooks#secret-token)
+of a secret token value that gets sent in the header of the HTTP request. To have the webhook receiver
+verify the secret token value and perform the operation only if the sent value matches the configured
+value, use the following type of configuration:
+
+```puppet
+class { 'r10k::webhook::config':
+  protected        => false,
+  gitlab_token     => 'THISISTHEGITLABWEBHOOKSECRET',
+}
+
+class { 'r10k::webhook':
+  require => Class['r10k::webhook::config'],
+}
+```
+
 ### BitBucket Server Secret Support
 BitBucket webhooks allow the use of a secret value that gets hashed against the payload to pass a
 signature in the request X-Hub-Signature header. To support the secret with the webhook do the
@@ -547,8 +570,8 @@ git_webhook { 'web_post_receive_webhook' :
   provider     => 'gitlab',
 }
 
-
 ```
+
 ### Webhook FOSS support with MCollective
 
 Currently the webhook relies on existing certificates for its ssl configuration.
@@ -652,7 +675,6 @@ class { 'r10k::webhook::config':
 }
 ```
 
-
 ### Webhook Default Branch
 
 The default branch of the controlrepo is commonly called `production`. This value can be overridden if you use another default branch name, such as `master`.

examples/webhook/config.pp

@@ -1,14 +1,14 @@
 include r10k::webhook
 
-file {'/usr/local/bin/prefix_command.rb':
+file { '/usr/local/bin/prefix_command.rb':
   ensure => file,
   mode   => '0755',
   owner  => 'root',
   group  => '0',
   source => 'puppet:///modules/r10k/prefix_command.rb',
 }
 
-class {'r10k::webhook::config':
+class { 'r10k::webhook::config':
   prefix         => true,
   prefix_command => '/usr/local/bin/prefix_command.rb',
   enable_ssl     => false,

manifests/config.pp

@@ -72,7 +72,6 @@
   Optional[Integer[1]] $pool_size           = $r10k::params::pool_size,
   String $r10k_yaml_template                = 'r10k/r10k.yaml.erb',
 ) inherits r10k::params {
-
   if $sources == undef {
     $r10k_sources  = {
       'puppet' => {
@@ -87,7 +86,7 @@
   }
 
   if $configfile == '/etc/puppetlabs/r10k/r10k.yaml' {
-    file {'/etc/puppetlabs/r10k':
+    file { '/etc/puppetlabs/r10k':
       ensure => 'directory',
       owner  => $root_user,
       group  => $root_group,

manifests/init.pp

@@ -29,7 +29,6 @@
   Boolean $include_prerun_command                             = false,
   Boolean $include_postrun_command                            = false,
 ) inherits r10k::params {
-
   # Check if user is declaring both classes
   # Other classes like r10k::webhook is supported but
   # using both classes makes no sense unless given pe_r10k

manifests/install.pp

@@ -10,16 +10,15 @@
   $is_pe_server = $r10k::params::is_pe_server,
   Optional[String[1]] $gem_source = undef,
 ) inherits r10k::params {
-
   if $package_name == '' {
     case $provider {
       'openbsd': {
-                    if (versioncmp("${::kernelversion}", '5.8') < 0) { #lint:ignore:only_variable_string
-                      $real_package_name = 'ruby21-r10k'
-                    } else {
-                      $real_package_name = 'ruby22-r10k'
-                    }
-                  }
+        if (versioncmp("${::kernelversion}", '5.8') < 0) { #lint:ignore:only_variable_string
+          $real_package_name = 'ruby21-r10k'
+        } else {
+          $real_package_name = 'ruby22-r10k'
+        }
+      }
       default:   { $real_package_name = 'r10k' }
     }
   } else {
@@ -48,7 +47,7 @@
       # empty to value to the gem providers This code
       # converts an empty array to semi-standard gem options
       # This was previously undef but that caused strict var issues
-      if $provider in ['puppet_gem', 'gem' ] and $install_options == [] {
+      if $provider in ['puppet_gem', 'gem'] and $install_options == [] {
         $provider_install_options = ['--no-ri', '--no-rdoc']
       } else {
         $provider_install_options = $install_options
@@ -62,7 +61,6 @@
         source          => $gem_source,
         install_options => $provider_install_options,
       }
-
     }
     default: { fail("${module_name}: ${provider} is not supported. Valid values are: 'gem', 'puppet_gem', 'bundle', 'openbsd'") }
   }

manifests/install/bundle.pp

@@ -1,11 +1,8 @@
 # This class installs the r10k bundle
-class r10k::install::bundle(
+class r10k::install::bundle (
   $revision = 'master',
   $source   = 'https://github.com/adrienthebo/r10k.git',
-){
-
-  require git
-
+) {
   # The bundle install has prefix support as of writing this, I want bleeding edge.
   package { "${module_name}-bundle":
     ensure   => installed,
@@ -22,7 +19,7 @@
   exec { "${module_name}-install-via-bundle":
     command => 'bundle && bundle install --path /opt/ --binstubs /usr/local/bin/',
     cwd     => '/tmp/r10k',
-    require => [ Package["${module_name}-bundle"] , Vcsrepo["${module_name}-r10k-github"] ],
+    require => [Package["${module_name}-bundle"], Vcsrepo["${module_name}-r10k-github"]],
     unless  => 'bundle list | grep -q " r10k "',
     path    => $::path,
   }

manifests/install/gem.pp

@@ -3,8 +3,6 @@
   $manage_ruby_dependency,
   $version,
 ) {
-  require git
-
   case $manage_ruby_dependency {
     'include': {
       include ruby

manifests/install/puppet_gem.pp

@@ -1,6 +1,5 @@
 # This class links the r10k binary for Puppet FOSS 4.2 and up
 class r10k::install::puppet_gem {
-
   if versioncmp("${::puppetversion}", '4.2.0') >= 0 { #lint:ignore:only_variable_string
     file { '/usr/bin/r10k':
       ensure  => link,

manifests/mcollective/application.pp

@@ -1,13 +1,12 @@
 # Install the r10k mcollective application to a client
-class r10k::mcollective::application(
+class r10k::mcollective::application (
   $agent_name        = $r10k::params::mc_agent_name,
   $app_name          = $r10k::params::mc_app_name,
   $agent_ddl         = $r10k::params::mc_agent_ddl_name,
   $agent_path        = $r10k::params::mc_agent_path,
   $app_path          = $r10k::params::mc_application_path,
   $mc_service        = $r10k::params::mc_service_name,
 ) inherits r10k::params {
-
   require r10k
 
   File {
@@ -26,5 +25,4 @@
     path   => "${agent_path}/${agent_ddl}",
     source => "puppet:///modules/${module_name}/agent/${agent_ddl}",
   }
-
 }

manifests/params.pp

@@ -1,6 +1,5 @@
 # Reasonable defaults for all classes
-class r10k::params
-{
+class r10k::params {
   $package_name           = ''
   $version                = 'installed'
   $manage_modulepath      = false
@@ -61,7 +60,7 @@
   if fact('is_pe') == true or fact('is_pe') == 'true' {
     # < PE 4
     $is_pe_server      = true
-  }elsif is_function_available('pe_compiling_server_version') {
+  } elsif is_function_available('pe_compiling_server_version') {
     # >= PE 4
     $is_pe_server      = true
   }
@@ -121,7 +120,6 @@
   # prerun_command in puppet.conf
   $pre_postrun_command = "${r10k_binary} deploy environment -p"
 
-
   # Mcollective configuration static
   $mc_agent_name       = "${module_name}.rb"
   $mc_agent_ddl_name   = "${module_name}.ddl"
@@ -140,6 +138,7 @@
   $webhook_use_mco_ruby          = false
   $webhook_protected             = true
   $webhook_github_secret         = undef
+  $webhook_gitlab_token          = undef
   $webhook_bitbucket_secret      = undef
   $webhook_discovery_timeout     = 10
   $webhook_client_timeout        = 120

manifests/postrun_command.pp

@@ -3,7 +3,6 @@
   $command                          = $r10k::params::pre_postrun_command,
   Enum['present', 'absent'] $ensure = 'present',
 ) inherits r10k::params {
-
   ini_setting { 'r10k_postrun_command':
     ensure  => $ensure,
     path    => "${r10k::params::puppetconf_path}/puppet.conf",