Kenyon Ralph [Sat, 22 Apr 2023 18:51:29 +0000 (11:51 -0700)]
(MODULES-10831) key is expired if all subkeys are expired
Previously, subkeys were not considered at all in the determination of
whether a key was expired. Now this looks at all of the subkeys, and if
they are all expired, considers the whole key expired.
Gavin Patton [Wed, 22 Mar 2023 06:22:27 +0000 (06:22 +0000)]
"This change pins the puppetlabs-puppet_agent module to v4.12.1. Previosuly the fixutre was configured to pull from main. Given the recent changes when moving towards puppet8 main is unsafe."
Prior to this commit, one of our updates (https://github.com/puppetlabs/puppetlabs-apt/pull/1052)
implemented a regex validation for ppa packages that were to be
installed. However, this validation did not account for resource
names that were dotted.
This commit aims to fix this bug in our validation process so that it
works as intended.
Paula Muir [Tue, 20 Dec 2022 11:54:57 +0000 (11:54 +0000)]
(bugfix) - Declare minimum Puppet version 6.24.0
In codebase hardening efforts the commands are passed as an array, but this feature was only introduced in Puppet 6.24.01. This raises the minimum version to match, since it's no longer possible to use the module on anything older.
jordanbreen28 [Thu, 13 Oct 2022 12:10:57 +0000 (13:10 +0100)]
(CONT-173) - Updating deprecated facter instances
Prior to this PR, this module contained instances of Facter::Util::Resolution.exec and Facter::Util::Resolution.which, which are deprecated.
This PR aims to replace these exec helpers with their supported Facter::Core::Execution counterparts.
This PR:
- Replaced all Facter::Util::Resolution instances with corresponding Facter::Core::Execution exec helpers
Fix rubucop linting error
This commit corrects an error identified by rubocop in spec testing.
Prior to this commit, ppa_spec.rb did not test the recently implemented
validation for resource names.
This commit aims to implement some test cases to make sure that valid
resource names are allowed while invalid or malicious resource names do
not work.
Prior to this commit, one of our recent module updates introduced a
regex validation step for the resource names in our ppa.pp manifest
which would raise an issue if a valid resource name contained a dot (.).
This commit aims to slightly adjust the regex validation so that it
allows for dotted resource names. This PR should fix issue #1057.
david22swan [Wed, 24 Aug 2022 10:59:05 +0000 (11:59 +0100)]
(GH-cat-9) Update module to match current syntax standard
Module is now in compliance with the following rules:
- optional_default
- strict_indent
- unquoted_string_in_case
- parameter_documentation
- relative_classname_inclusion
- no-top_scope_facts-check
- no-top_scope_variable-check
- variable_scope
The below exception has been left in place:
- disable_anchor_resource
Craig Gumbley [Mon, 22 Aug 2022 10:23:56 +0000 (10:23 +0000)]
(GH-1055) Fix hardcoded cache path
Prior to this commit the cache path used to create the script file resource
was hardcoded to /opt/puppetlabs/puppet/cache.
This commit fixes that by using the `puppet_vardir` fact provided by stdlib so
that we will always get the correct path for the OS that is executing the code.
Additionally, if for some reason the `puppet_vardir` fact is not available we
will fall back to `tmp`.
Craig Gumbley [Thu, 11 Aug 2022 15:20:36 +0000 (15:20 +0000)]
Harden PPA defined type
Prior to this commit there was a possibility that malformed strings
could be passed as the resources name. This could lead to unsafe
executions on a remote system.
This was also a possibility for the options parameter as it was
constrained to a string.
In addition, commands were not properly broken out in to arrays of
arguments when passed to the exec resource.
This commit fixes the above by adding validation to the resource name
ensuring that the given ppa name conforms to expectation. Also, commands
are now broken down in to arrays of arguments appropriately. This ensures
safer execution on the remote system.
Given that the options parameter, passed as a raw string, could lead to
unsafe code execution it was reasonable to change the accepted type to
an `Optional[Array[String]]. This means that an array of options can now
be passed to the exec resource inside the original command.
Craig Gumbley [Thu, 11 Aug 2022 20:13:11 +0000 (20:13 +0000)]
Harden apt-mark defined type
Prior to this commit the title parameter of this defined
type was not properly validated. This means that it could have been
possible to use a resource title outside of the normal bounds of
a package name.
Additionally the `onlyif` and `command` parameter values were
interpolated strings meaning that it may have been possible to
execute unsafe code on the remote system.
This commit fixes the above issues by adding a regex to check that the
resource title is a valid apt package name and also breaks out the
`onlyif` and `command` parameter values in to arrays of args ensuring
that the commands executed in a safe manor on the remote system.
The exception in this commit is the `unless_cmd`. This has not been
broken out in to an array of args due to the requirement of the command.
This is a reasonable trade of however due to the fact that action is
created from known enum values and title would be pre-validated.
This is also explained in mark.pp:20.
In Ruby 3.0 net-ftp changed from a bundled gem to a default gem. This
means it may not be available, such as when running unit tests.
Since ftp is becoming less and less common, this changes net-ftp to be
an optional dependency. Users who do need ftp support should ensure the
gem is installed.